Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Need to know what to delete in pc infected with CTB-Locker

  • This topic is locked This topic is locked
1 reply to this topic

#1 rickylane


  • Members
  • 1 posts
  • Local time:10:59 PM

Posted 23 June 2015 - 06:37 PM

I believe I became infected on 6/21/15.  I remember looking at email from Big Lots, Swanson Products and Komando.com. I read the information guide on CTB-locker.  I checked some rtfs and the file type was changed to nfrbbmh.  I went to the Task Scheduler and deleted a job that pointed to a application file in the %TEMP% file which I also deleted.  My questions are

  Can I delete everything in the %TEMP% file.  Is it all Unnecessary?

  I used CCleaner, Malwarebytes (free version) and Windows Defender.  They identified no viruses.

  How can I delete the Ransom Screen?  I did delete 2 files in the Document library.


I did the above on 6/22/15 and on 6/23/15, I got the Ransom Screen and see that the entries are back in the Document library.  I got into my pc using safe mode to read more on this issue and post.

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,771 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:59 PM

Posted 23 June 2015 - 07:21 PM

A repository of all current knowledge regarding this infection is provided by Grinler (aka Lawrence Abrams), in this topic: CTB Locker and Critroni Ransomware Information Guide and FAQ

Unfortunately there is no fix tool and no known method to retrieve the private key that can be used to decrypt your files without paying the ransom. With dual infections, that means paying both ransoms. Brute forcing the decryption key is not a realistic option.

CTB Locker will attempt to delete all Shadow Volume Copies when you first start any executable so that you cannot restore your files via System Restore or using a program like Shadow Explorer...but it never hurts to try in case the infection did not do what it was supposed to do. You may may even be able to use file recovery software such as R-Studio or Photorec to recover some of your original files.

There is also an ongoing discussion in this topic: CTB Locker Ransomware Support & Discussion.

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that support topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users