
Jpeg and videos converted to XTBL


  • This topic is locked
7 replies to this topic

#1 johnfrank88


Posted 03 March 2015 - 03:26 AM

Greetings!
A friend of mine maybe got a trojan; he did a fresh install of Windows, but his pictures and videos were converted to the .xtbl extension. I searched but I couldn't find anything to help him. Is there a way of getting these photos back? They are his family moments, so any help will be great!
Thanks in advance, John



#2 Angoid


Posted 03 March 2015 - 04:12 AM

Hi johnfrank88, I just did a Google search on XTBL but most of the results look like they're in Russian. One place did say that it looked like it could be another new ransomware, but not one I've come across before.

 

I'd suggest backing those files up in case a decrypter can be built for it - don't just delete them.

 

Did a ransom note come up, do you know?  Or did he reformat Windows while he detected the trojan but without identifying or removing it?

 

Are there other photos on his drive which are still in .jpg format?

 

Quite possibly your friend reformatted Windows while the trojan was still active, but hadn't got to the point of popping the ransom note up yet?

 

Edit: Sources:

http://www.cybertechhelp.com/forums/showthread.php?t=227030

Prognosis currently not looking good.

 

http://trmalwarefix.freeforums.net/thread/216/crypto-locker-tipi-versiyon-duyurular

But this one is in Turkish by the looks of things.


Edited by Angoid, 03 March 2015 - 04:13 AM.

Helping a loved one through a mental health issue?  Remember ALGEE...

Assess the risk | Listen nonjudgementally | Give reassurance and info | Encourage professional help | Encourage self-help and support network

#3 johnfrank88


Posted 03 March 2015 - 04:45 AM

Hey Angoid, thanks for the response! Yep, as he told me, there were pop-ups, but after the format the PC is OK. All the pictures changed, even the Windows samples in the Pictures folder. He also did a scan with AntiMalware and deleted some infected files.

I will try to translate the Turkish page when I get back home.

#4 quietman7


Posted 03 March 2015 - 06:27 AM

Did you find any ransom note? These infections are created to alert victims and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html file.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 johnfrank88


Posted 03 March 2015 - 06:31 AM

The computer is now formatted. My friend just gave me the photos to see if I could retrieve them. So the only thing I have is a hard disk with .xtbl photos.

#6 quietman7


Posted 03 March 2015 - 06:52 AM

The search hits I checked indicated this infection may be a new variant of CTB Locker (Critroni, Onion).

A repository of all current knowledge regarding CTB Locker and Critroni Ransomware is provided by Grinler (aka Lawrence Abrams), in this tutorial: CTB Locker and Critroni Ransomware Information Guide and FAQ

There is also an ongoing discussion in this topic: CTB Locker or DecryptAllFiles.txt Encrypting Ransomware Support & Discussion. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

Thanks
The BC Staff

#7 meidian


Posted 25 March 2015 - 11:49 PM

I had the same problem. I thought the virus just converted the JPEG and video files, but then I realized the virus attacked almost all of my files. So I re-installed Windows, going from Windows 7 to Windows 8. I want to ask:

1. If I re-install Windows, is the virus gone?

2. Are the viruses that convert files to XTBL and CTBL the same one?

 

Thank you



#8 quietman7


Posted 26 March 2015 - 04:46 AM

Please repost any questions and comments in the discussion topic link I provided above. CTB Locker or DecryptAllFiles.txt Encrypting Ransomware Support & Discussion

Thanks
The BC Staff





