Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


CTB-Locker keeps comping back (I Think)

  • This topic is locked This topic is locked
1 reply to this topic

#1 Shattered_


  • Members
  • 5 posts
  • Local time:08:29 PM

Posted 23 March 2015 - 09:06 AM

2 computers in my network got infected, that's bad. Luckilly I got backups, so the files are no problem.

The problem is deleting the infection from the computers. It seems that the infection is still present, because I see a folder with a random string in the %temp% folder after a reboot. These folder contains 2 files, an executable and a .JAR file.

Also, the message that my files are locked keeps returning (not every time, but most of the time).


What I've did:

- Deleted everything in %temp%, and every job in C:\Windows\Tasks

- Scan with malwarebytes (it did find the file with the random name).

- ESET Online Scanner (it did find the file with the random name).

- System Repair (day before the infection and 5 days before the infection).


-> Reboot, it's back :/.


Is it really not going away?

After a few scans with MalwareBytes and ESET, the message that I should pay the guys isn't coming back anymore. But still, I see the files with the random name appearing in my %temp% folder. I Can't delete these, because they are in use by AutoStarter.exe. When I close this process, I can delete the file. When I reboot, it's back.

So its copying frome somewhere else .. :/. Is there a tool that can delete this infection forever, or is there a manual way?


Everytime I scan with ESET Online, I'll find: Win32/Filecoder.DA (Trojan Horse).


I've tried almost everything that I can find on the internet.

Edited by Shattered_, 23 March 2015 - 09:14 AM.

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,907 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:29 PM

Posted 23 March 2015 - 06:05 PM

:welcome: to Bleeping Computer.

A repository of all current knowledge regarding CTB Locker and Critroni Ransomware is provided by Grinler (aka Lawrence Abrams), in this tutorial: CTB Locker and Critroni Ransomware Information Guide and FAQ

Reading that Guide will help you understand what CTB Locker (Critroni) does and provide information for how to deal with it. At this time there is no fix tool and no way to retrieve the private key that can be used to decrypt your files without paying the ransom.

More information in these articles:CTB Locker changes the extension of encrypted files and renames them with a .CTBL, or .CTB2 extension. Some victims have reported extensions changed to .XTBL.

The newest variants of CTB Locker typically typically appends encrypted data files with a 6-7 length extension consisting of random characters. This extension is believed to be generated as a result of some type of algorithm involved at the time of the initial infection. The newer variants also do not always leave a ransom note if the malware fails to change the background, like it generally does. Compounding matters, the newer CTB-Locker infection has been seen in combination with KEYHolder, Torrent Locker (fake Cryptolocker) or Cryptowall ransomware. Unfortunately, there is still no known method of decrypting your files without paying the ransom and with dual infections, that means paying both ransoms. Unfortunately, there is still no known method of decrypting your files without paying the ransom and with dual infections, that means paying both ransoms.

There is also an ongoing discussion in this topic: CTB Locker or DecryptAllFiles.txt Encrypting Ransomware Support & Discussion. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users