Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Ransomware infection. (wibbibjj.exe, ctb2, Critroni)

  • This topic is locked This topic is locked
2 replies to this topic

#1 MindBlight


  • Members
  • 1 posts
  • Local time:06:58 AM

Posted 04 September 2014 - 06:17 PM

My comp was recently infected with a virus that turned out to be some version of ransomware. The virus encrypted all my .zip, txt, jpg, ect., files on my computer and wanted me to pay them bitcoins to unlock them. It added a .ctb2 extension on them all which is attributed to a Critroni or CTB Locker variant of these nasty buggers.


I did some googling and it seems that no one was able to decrypt any of the files without paying the ransom for the decryption key (other than some fancy security firm or a tank of researchers, neither of which i have or can afford). I also couldn’t find any successful stories of the files being decrypted even if one did pay. So I made my peace with my personal files and let the clock run out.


While i have no idea how it got on my comp, whether i downloaded some bogus file or opened an infected email, i did notice a strange process running in my task manager that i never seen before called wibbibjj.exe. I noticed this file before the attack happened and was immediately suspicious but after googling i found no match.....which made me even more suspicious. The only reason i can think of now is that the file was just a random generation of letters. In any case, i started ending the process in my task manager and ran AVG, but it didn't find anything suspicious. Not too long after my computer froze up, blue screened and on restart the pop-up message with a counter appeared giving me 72 hours...or blah blah blah. The unmovable pop-up message was directly connected to this mysterious wibbibjj.exe file in my processes now.


This was last week; today AVG actually recognized wibbibjj.exe on startup and "protected" me. After the attack i tried downloading HitmanPro as suggested in some forums but none of the applications(32,64,86) would run from my comp and running them from a USB would make HitmanPro think my trial version was over so i wasn't able to remove any malware it found. I ran AVG scan and it found some "generic.trojan this-and-that but no wibbibjj.exe" so i have no idea if it removed anything associated to this ransomeware business.


Now, I understand i can't get my files back but I would appreciate any suggestions on how to permanently remove anything left over from this virus and future prevention from them. I really would like to avoid wiping my HD or having 6 different anti-virus programs running, but if that’s the case then so be it. Also i can't really afford to be paying 25-40$ for these programs monthly so any free solutions would also be preferable.

BC AdBot (Login to Remove)


#2 nasdaq


  • Malware Response Team
  • 39,926 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:58 AM

Posted 08 September 2014 - 07:57 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#3 nasdaq


  • Malware Response Team
  • 39,926 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:58 AM

Posted 12 September 2014 - 08:55 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users