My kids acquired the CTB locker infection. We got the ransom message and then we tried some things to get rid of it. We don't really care about locked files because we don't have data files on this computer. First, we went into the picture folder. We tried to open some of the sample pics that come w/Windows 7. The file we tried to open had odd extensions which we removed. After removing/changing the extensions the file opened w/out a problem....not what I consider to be encrypted....but what do I know? My husband suggested removing the user account in question, which I *apparently* did. However, though the user account no longer shows up, when I tried to make a new account w/that same user name...that didn't show up either!
Then I came here to BC, which I should have done in the first place, and I see that you are supposed to locate the %Temp% folder and remove exe's from it....how do I access this if I can't access that user's account anymore....if I should be able to find it in the admin acct...it's not showing up!
I went here and tried to follow instructions to get rid of it:
What should you do when you discover your computer is infected with CTB Locker
If you discover that your computer is infected with CTB Locker you should immediately scan your computer with an anti-virus or anti-malware program. Unfortunately, most people do not realize CTB Locker is on their computer until it displays the ransom note and your files have already been encrypted. The scans, though, will at least detect and remove the infection from your computer so that it no longer starts when you login to Windows.
To manually remove the infection you would need to remove any executables from the %Temp% folder and then clean the hidden job in the Windows Task Scheduler. This removes the main infection, but will not restore your encrypted files.
**Forgot to add (not sure if this matters), after we deleted user folder we did a restore where you return to an earlier date....I should say we *tried* to do this but according to Windows, the restore failed.
Edited by thekidshaveavirus, 10 July 2015 - 12:14 PM.
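The manual check quoted in the post (executables in %Temp%, then the Task Scheduler job) can be done from an administrator account with a read-only listing. This is an added example, not part of the original post or of the guide it quotes. It assumes an elevated PowerShell prompt, profiles under the default Users folder, and task definitions stored as XML under System32\Tasks; it deletes nothing.

```powershell
# Added example: list, do not delete. Run from an elevated PowerShell prompt.
# Assumption: profiles are in the default <SystemDrive>\Users location.
$profileRoot = Join-Path $env:SystemDrive 'Users'

# 1. Executables in every profile's Temp folder. %Temp% normally resolves to
#    <profile>\AppData\Local\Temp, so walking each profile folder also covers
#    a profile whose folder is still on disk but whose account is gone.
Write-Output '--- Executables in per-user Temp folders ---'
Get-ChildItem -Path $profileRoot -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $temp = Join-Path $_.FullName 'AppData\Local\Temp'
        if (Test-Path -LiteralPath $temp) {
            Get-ChildItem -LiteralPath $temp -Filter *.exe -Force -ErrorAction SilentlyContinue |
                Select-Object FullName, Length, CreationTime
        }
    }

# 2. Scheduled tasks whose action launches something from a Temp folder.
#    Assumption: task definitions are the XML files under System32\Tasks.
#    Reading the files directly does not depend on the Task Scheduler
#    console's "Show Hidden Tasks" setting.
$taskRoot = Join-Path $env:SystemRoot 'System32\Tasks'
Write-Output '--- Scheduled tasks that run a program from a Temp folder ---'
Get-ChildItem -Path $taskRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $file = $_
        try {
            $xml = [xml](Get-Content -LiteralPath $file.FullName -ErrorAction Stop)
        } catch {
            return   # unreadable or not XML: skip this file
        }
        # A task can have several Exec actions; check each command line.
        $commands = @($xml.Task.Actions.Exec | ForEach-Object { $_.Command })
        foreach ($cmd in $commands) {
            if ($cmd -match '\\Temp\\|%TEMP%') {
                New-Object PSObject -Property @{
                    TaskFile = $file.FullName
                    Command  = $cmd
                }
            }
        }
    }
```

Review what it prints before removing anything, since legitimate installers and updaters also leave executables in Temp.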