
We are locked in CTB!


37 replies to this topic

#1 thekidshaveavirus


Posted 10 July 2015 - 11:06 AM

Hello.

 

My kids acquired the CTB locker infection.  We got the ransom message and then we tried some things to get rid of it.  We don't really care about locked files because we don't have data files on this computer.  First, we went into the picture folder.  We tried to open some of the sample pics that come w/windows 7.  The file we tried to open had odd extensions which we removed.  After removing/changing the extensions the file opened w/out a problem....not what I consider to be encrypted....but what do I know?  My husband suggested removing the user account in question, which I *apparently* did. However, though the user account no longer shows up, when I tried to make a new account w/that same user name...that didn't show up either!

 

Then I came here to BC, which I should have done in the first place, and I see that you are supposed to locate the %Temp% folder and remove exe's from it....how do I access this if I can't access that user's account anymore....if I should be able to find it in the admin acct...it's not showing up!  

 

I went here and tried to follow instructions to get rid of it: 

 

What should you do when you discover your computer is infected with CTB Locker

If you discover that your computer is infected with CTB Locker you should immediately scan your computer with an anti-virus or anti-malware program. Unfortunately, most people do not realize CTB Locker is on their computer until it displays the ransom note and your files have already been encrypted. The scans, though, will at least detect and remove the infection from your computer so that it no longer starts when you login to Windows.

To manually remove the infection you would need to remove any executables from the %Temp% folder and then clean the hidden job in the Windows Task Scheduler. This removes the main infection, but will not restore your encrypted files.

 

 

Any suggestions?

 

Thanks!

 

**Forgot to add (not sure if this matters) , after we deleted user folder we did a restore where you return to an earlier date....I should say we *tried* to do this but according to windows, the restore failed.


Edited by thekidshaveavirus, 10 July 2015 - 12:14 PM.
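
A read-only audit of the two places the removal guidance quoted in the post above names, executables in the Temp folder and Task Scheduler jobs, added here as an example; it is not part of the original thread or any BleepingComputer tool. It assumes task definitions are readable as XML files under %SystemRoot%\System32\Tasks (Windows Vista and later); the sample task, the extension list and the Temp path markers are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# XML namespace of Task Scheduler 2.0 task definitions (Windows Vista and later).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
EXE_EXTS = (".exe", ".scr", ".com", ".pif")   # assumption: extensions worth reviewing
TEMP_MARKERS = ("%temp%", "%tmp%", "\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed sample task definition (not taken from a real infection).
SAMPLE_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec>
    <Command>"C:\\Users\\example\\AppData\\Local\\Temp\\sample.exe"</Command>
  </Exec></Actions>
</Task>"""

def in_temp(command):
    """True if a task's command points into a user or system Temp folder."""
    return any(m in command.lower().replace("/", "\\") for m in TEMP_MARKERS)

def suspicious_actions(task_xml):
    """Return (command, hidden) for each Exec action that runs from Temp."""
    root = ET.fromstring(task_xml)
    hidden = root.findtext("t:Settings/t:Hidden", "false", NS).strip().lower() == "true"
    return [(c.text.strip().strip('"'), hidden)
            for c in root.findall("t:Actions/t:Exec/t:Command", NS)
            if c.text and in_temp(c.text)]

def scan_tasks(task_dir):
    """Map each task file under task_dir to its Temp-folder actions."""
    findings = {}
    for folder, _dirs, names in os.walk(task_dir):
        for name in names:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:   # bytes: task files are usually UTF-16
                    hits = suspicious_actions(fh.read())
            except (OSError, ET.ParseError):
                continue                       # unreadable, or not a task definition
            if hits:
                findings[path] = hits
    return findings

def temp_executables(temp_dir):
    """List executable files anywhere below a Temp folder."""
    return sorted(os.path.join(folder, n) for folder, _d, names in os.walk(temp_dir)
                  for n in names if n.lower().endswith(EXE_EXTS))

if __name__ == "__main__":   # run from an elevated prompt on the affected machine
    print(temp_executables(os.environ.get("TEMP", ".")))
    print(scan_tasks(os.path.join(os.environ.get("SystemRoot", "."), "System32", "Tasks")))
```

The script only lists candidates; it deletes nothing, and each account has its own Temp folder, so it needs to be run (or pointed at the folder) for every profile on the machine.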



 


#2 Firehouse


Posted 10 July 2015 - 11:10 AM

Hello,

 

Please download TFC from OldTimer and save it to your desktop.

How to use TFC:

-Download TFC and run it as Administrator.

-Click Start to start the cleaning process.

-If it asks you to reboot, do it.

NOTE: If your desktop disappears, don't panic, it's normal.

If there's a log, you can post it here.

If the problem still exists, ask here for help, because I don't have the privilege to help you and you cannot post FRST logs here.

 

http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/


Edited by Firehouse, 10 July 2015 - 11:47 AM.


#3 Sintharius


Posted 10 July 2015 - 12:01 PM

Hello,

Can you navigate to C:\Users and see which folders are in there?

#4 thekidshaveavirus


Posted 10 July 2015 - 12:08 PM

Thank-you so much Firehouse!  I ran TFC.  We had over 6000mb of temp files removed...maybe this is normal?  I then went to the task scheduler to find hidden tasks.  When I arrived there I received this message:

 

An error has occurred for task IFsbkxm.  Error message:  Specified name is not valid. 

 

I have no idea what that meant.  Found no hidden files in the task scheduler.

 

Do you know if AVG can detect CTB ?  Maybe a virus check will tell me if we are still locked in?



#5 thekidshaveavirus


Posted 10 July 2015 - 12:11 PM

Hello,

Can you navigate to C:\Users and see which folders are in there?

Hello.  Yes, I've been there.  The user folder that I deleted has gone and the new folder (with same name) that I created subsequently is there but it doesn't show up on the user  "page" where you log in.



#6 Firehouse


Posted 10 July 2015 - 12:11 PM

Wow, that's a lot of temp files :) Yes, it's normal; one of my friends had 18GB (never did any maintenance).

Scan with Zemana Antimalware

Download Zemana Antimalware and install it on your system.

Under Scan type choose Full Scan and let the tool scan the system.

If malware is found, click Next to remove it and let the tool restart your computer.

If no malware is found, that's it.

NOTE: Leave actions at default unless you know what you are doing.


Edited by Firehouse, 10 July 2015 - 12:13 PM.


#7 Sintharius


Posted 10 July 2015 - 12:14 PM

Hello.  Yes, I've been there.  The user folder that I deleted has gone and the new folder (with same name) that I created subsequently is there but it doesn't show up on the user  "page" where you log in.

How did you create a new account? Via User Accounts from Control Panel, or some other method?

#8 thekidshaveavirus


Posted 10 July 2015 - 12:40 PM

Alex,

 

I went to computer>users>new folder.  I wondered if I needed to make a bookmark in order for it to be visible on the user log in page but my husband said it should just appear w/the rest of the users as it is in the user folder!   Did I do something wrong?

 

 



#9 Sintharius


Posted 10 July 2015 - 12:44 PM

Hi there,

That is... well, not the correct way to create a new account. :)

Please delete the folder you just created, as it is useless.

To create a new user account, please click the Start orb => Control Panel => User Accounts => Manage another account => Create a new account.

This procedure will create everything that is essential for a proper user account.

Let me know how it goes.

Regards,
Alex

#10 thekidshaveavirus


Posted 10 July 2015 - 01:01 PM

Aha!  It worked!  Thanks so much Alex!  ...but just out of interest....why does one have the option of creating a new folder in the user folder.....and why doesn't it work :scratchhead: ?



#11 Firehouse


Posted 10 July 2015 - 01:12 PM

Is CTB gone?

#12 Sintharius


Posted 10 July 2015 - 01:29 PM

Is CTB gone?

Most ransomware typically deletes itself after it has finished encrypting the machine's data and leaves behind the ransom notes, so cleaning up is easy. The real problem is the encrypted files.

Aha!  It worked!  Thanks so much Alex!  ...but just out of interest....why does one have the option of creating a new folder in the user folder.....and why doesn't it work :scratchhead: ?

If you look into a properly created user profile (which is the sub-folders inside the Users folder) then you will see that there is a lot more than just creating a folder. Not to mention all the registrations necessary to make the user profile complete. :)

Do you have any other questions?

#13 Firehouse


Posted 10 July 2015 - 01:41 PM

Ok, TFC was enough :)

#14 thekidshaveavirus


Posted 10 July 2015 - 03:00 PM

Firehouse,

 

No, I followed your advice and went to Zemana.  The reason I haven't gotten back to you is that....if I understand how this works....Zemana is cloud based which requires the internet?  We are in the middle of nowhere and have an EXTREMELY SLOW!!! connection and it appears that after almost 2 hrs we have moved through only about 5% of the files!  Not sure if this slows it down but the computer appears to be loaded w/adware stuff....this is crazy!  Where are my kids going online?!

 

Anyway, I will let you know if we were successful when it's finished....maybe in a week's time :thumbup2:

 

Thanks for your help!



#15 Sintharius


Posted 10 July 2015 - 03:03 PM

Since Zemana is cloud based it is not a good choice for slow internet connections.

Use this instead.

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When the update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning.
  • When the scan is completed click Quarantine selected objects. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop and post the contents in your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
Regards,
Alex



