Severity scale (99/100)

CTB Locker virus. How to Remove? (Uninstall Guide)

Also known as Curve-Tor-Bitcoin Locker, CTB-Locker | Type: Ransomware

About CTB Locker - another member from the family of crypto malware:

CTB Locker virus (also known as CTB-Locker ransomware) is crypto-type [1] malware that started attacking PC users in the middle of July 2014. It is almost identical to Cryptowall, Cryptolocker, Cryptorbit, Critroni, etc., so if you have ever heard of any of these parasites, you will know what this ransomware is used for. Basically, it is designed to encrypt specific data files and then make people pay for their decryption. In most cases, people who want to regain access to their photos, videos and other files are asked to pay $120. However, sometimes CTB Locker ransomware demands $24 or less. Of course, this ransom has to be paid in Bitcoins [2]. If you think that your PC has already been infected by CTB Locker virus, the first thing you should notice is that you cannot open your files anymore. You may also start seeing a warning message that explains what has happened and asks you to pay a fine. In this case, you should immediately scan your computer with a reputable anti-spyware program, because the sooner you do that, the more files you could save. Unfortunately, this virus can hardly be noticed before it starts showing its notification that reports the encrypted data and asks for a ransom. That's why you should always have an updated anti-spyware program installed on your computer that can help you prevent infections like this one. For that we highly recommend using Reimage.


A picture showing CTB_Locker warning message

UPDATE 1: CTB-Locker was renewed at the beginning of 2015. Since then, the virus asks victims to pay 3 BTC, or about $2774, for an opportunity to regain access to their files. It also includes a "free decryption" service, an extended deadline (96 hours) to pay the fine and an option to change the language of the ransom message. At the moment of writing, victims can switch from English to Dutch, German and Italian [3]. Interestingly, this new version of CTB Locker lets people select 5 different files for free decryption. This option is called "Test Decryption" and is presumably offered to convince users that the decryption service is real. Nevertheless, you should NEVER pay this ransom and support scammers. Just scan your computer with a reliable anti-spyware program and remove CTB Locker virus. Then, you should download one of the programs given below to recover access to your files.

UPDATE 2: It seems that 2016 can be called the year of CTB Locker. According to the latest news, hackers have started using this virus to attack websites. Beware that "CTB Locker for websites" can easily replace the original index page of the affected website. It can also encrypt all scripts, documents, photos, databases and other important files, and start displaying its warning on the main page of the affected website. According to the latest reports, CTB-Locker virus can hold the site until its owner pays a ransom. To unlock it and decrypt the encrypted files, a victim of this ransomware has to pay a ransom of $150 or £100. Also, CTB Locker lets its victim see how the decryption process works and provides 2 decryption keys to unlock two random files. Its latest victim is the British Association for Counseling & Psychotherapy website [4]. People can't reach this domain, which now shows a detailed guide explaining how the owner of the site has to pay the fine to get the encrypted files back. Of course, money is what scammers are expecting to get. To avoid having to pay a ransom to hackers, you should create A BACKUP of your OS and your most important data.

UPDATE 3: According to the latest news, CTB-Locker has started spreading with the help of a new system called RAUM. This newly presented strategy is used to infect the most popular torrent files with ransomware, the infamous Dridex, Pony and similar malware, which is launched right after the malicious torrent file is installed on the system. If infected with CTB Locker, you will discover that your files with these extensions are encrypted: .ai, .cdr, .doc, .docx, .eps, .jpg, .xls, .ppt, .psd, .pdf, etc. RAUM [5] is believed to work as a pay-per-install system that first tracks torrent users to find out which torrent files are the most popular among them. Next, it infects these files with malware and uses hacked accounts to upload the malicious content on the system. Security researchers have already discovered that hackers have been using Pirate Bay and Extra Torrent sites. Make sure you stay away from these domains to protect yourself and your files.

UPDATE 4: CTB-Locker has become a target of amateur hackers who have made a version called CTB-Faker, a program that looks like CTB-Locker but is not the actual infection [6]. The ransom note that this fake ransomware drops on infected computers looks identical to that of the original virus and notifies the victim that his/her computer has been infected with CTB-Locker and that they have to pay 50 USD to recover their files. However, for data encryption CTB-Faker relies on WinRAR functionality, which is an easier and simpler way to achieve file encryption. The targeted files are simply compressed and stored in an archive protected with a password that the hackers have selected. Luckily, experts have already managed to dig up a vulnerability in this virus and disclosed this password: the virus-generated archives can be unlocked using the p4w1q3x5y8z code. However, not all imposters can be defeated that easily. 2017 can bring programs that are just as dangerous as their malicious counterparts and may corrupt the system just as badly. So, we can only advise you to be careful out there!

 the second picture of ctb locker

How can CTB Locker infect my computer?

CTB Locker is mostly spread using misleading emails. They can claim that you have to confirm your purchases, approve payments, etc. Of course, once the victim is tricked into downloading a fake attachment, the PC is infected with this ransomware. Besides, you should be very careful with annoying pop-ups offering to update programs such as Java or Flash Player, because they can also lead to CTB Locker infiltration. As soon as this virus enters the system, it immediately drops its own files and then scans the system for specific files. After discovering the required files, it locks them using elliptic curve cryptography. When infected with CTB Locker ransomware, you can lose files with the following extensions:

3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx, etc

By the way, it seems that this virus is also capable of communicating with its Command and Control server over Tor and following its commands. If you use Windows XP, Windows Vista, Windows 7 or 8, you should be especially careful, because at the moment of writing this virus is capable of infecting only those systems. If you think that your PC is hijacked and your files are encrypted, you can check them by opening the %MyDocuments%\.html file. Unfortunately, you won't be able to recover those files without paying a ransom. If you are infected, jump to the next page to learn more about CTB Locker virus removal.
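
An added example, not part of the original guide: a read-only Python triage script that estimates which files with targeted extensions no longer start with the signature of their format. The signature check is a technique the article does not describe; the table covers only some of the listed extensions, the sample files are constructed, and a mismatch marks a file as suspect rather than proving encryption.

```python
"""Read-only triage (added example; the signature table is an assumption)."""
import sys
import tempfile
from pathlib import Path

OLE2 = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy Office (.doc/.xls/.ppt)
ZIP = b"PK\x03\x04"                       # OOXML container (.docx/.xlsx/...)
JPEG = b"\xff\xd8\xff"
# Subset of the article's extension list that has a fixed leading signature.
MAGIC = {
    "jpg": JPEG, "jpe": JPEG, "pdf": b"%PDF-", "psd": b"8BPS", "rtf": b"{\\rtf",
    "doc": OLE2, "xls": OLE2, "ppt": OLE2,
    "docx": ZIP, "docm": ZIP, "xlsx": ZIP, "xlsm": ZIP, "xlsb": ZIP,
    "pptx": ZIP, "pptm": ZIP,
}

def targeted_type(path):
    """First known extension among all suffixes, so a name with an extra
    extension appended ('report.pdf.xyz') still maps to 'pdf'."""
    for suffix in path.suffixes:
        ext = suffix.lstrip(".").lower()
        if ext in MAGIC:
            return ext
    return None

def classify(path):
    """'intact', 'suspect' (header does not match the type) or 'skipped'."""
    ext = targeted_type(path)
    if ext is None:
        return "skipped"
    with path.open("rb") as fh:
        head = fh.read(8)  # longest signature in MAGIC is 8 bytes
    return "intact" if head.startswith(MAGIC[ext]) else "suspect"

def triage(root):
    """Walk root without modifying anything; return {status: [relative paths]}."""
    root = Path(root)
    report = {"intact": [], "suspect": [], "skipped": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            status = classify(path)
        except OSError:  # unreadable file: leave it for manual review
            status = "skipped"
        report[status].append(path.relative_to(root).as_posix())
    return report

def demo():
    """Constructed sample tree: two healthy files, two with scrambled headers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "photo.jpg").write_bytes(JPEG + b"\xe0" + bytes(16))
        (root / "invoice.pdf").write_bytes(b"%PDF-1.4\n")
        (root / "budget.xlsx").write_bytes(bytes(range(7, 39)))
        (root / "thesis.docx.abcdefg").write_bytes(b"\x9e\x11Zq\x03\xfe\x80A")
        (root / "notes.txt").write_bytes(b"not a listed extension")
        return triage(root)

if __name__ == "__main__":
    result = triage(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for status, names in result.items():
        print(f"{status} ({len(names)}):", *names, sep="\n    ")
```

Run it against a copy or a read-only mount of the affected folder, and confirm any "suspect" result by trying to open the file before deciding what to restore from backup.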

File recovery after CTB Locker infiltration:

Unfortunately, if you are infected with CTB-Locker ransomware and you don't have a backup of your important data, there is no guarantee that you will get a chance to recover it. Of course, you can try to pay the ransom, but there is no guarantee that hackers will give you the right decryption key. To decrypt your affected files, you can try running such tools as Kaspersky virus-fighting utilities, Photorec or R-Studio, but we cannot give you any guarantee that they will work for you.

That's why we highly recommend thinking about the prevention of such infections. To avoid having to remove CTB Locker from your computer, you can use Reimage or Malwarebytes Anti Malware, which can stop this virus before it enters your computer. Besides, don't forget about backups (they should be made as frequently as possible). Finally, for backups you can try USB external hard drives, CDs, DVDs, Google Drive, Dropbox, Flickr and other solutions. It is also recommended to make sure that all your open shares are available only to the necessary user groups or authenticated users.

CTB Locker removal:

If you are desperate and need a guide that can help you remove CTB Locker virus from your computer, you are in the right place. If it has already hijacked your system, you should disconnect your computer from the Internet ASAP. Unfortunately, we cannot give you a CTB Locker decrypter yet because it is still at the development stage. However, you should follow the step-by-step guide given below and finish the elimination of this ransomware.

It might be that we are affiliated with any of our recommended products. Full disclosure can be found in our Agreement of Use. By downloading any of provided Anti-spyware software you agree with our Privacy Policy and Agreement of Use.

Method 1. Remove CTB Locker using Safe Mode with Networking

In case CTB Locker blocks your antivirus and you cannot run the system scan to remove it, please follow the instructions we provide below.

Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
  • Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
  • Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
  • Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
  • Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
Step 2: Remove CTB Locker

Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete CTB Locker removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.


Method 2. Remove CTB Locker using System Restore

Another method that can be used to neutralize the virus and run the antivirus is presented here:

Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
  • Click Start → Shutdown → Restart → OK.
  • When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
  • Select Safe Mode with Command Prompt from the list.
Windows 10 / Windows 8
  • Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
  • Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
  • Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
Step 2: Restore your system files and settings
  • Once the Command Prompt window shows up, enter cd restore and press Enter.
  • Now type rstrui.exe and press Enter again.
  • When the System Restore window shows up, click Next and select a restore point from before the infiltration of CTB Locker. After doing that, click Next.
  • Now click Yes to start the system restore.
Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that CTB Locker removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove CTB Locker from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by CTB Locker, you can use several methods to restore them:

Our recommendations on Data Recovery Pro application

To learn how to use Data Recovery Pro and recover your files automatically, check out the guide indicated below:

Useful tips how to use the Windows Previous Versions feature

Instructions for the Windows Previous Versions feature are presented below. However, before you try to recover your files using this technique, make sure that the System Restore function was enabled some time before the ransomware attack. Otherwise, this data recovery method will not work.

  • Find an encrypted file you need to restore and right-click on it;
  • Select "Properties" and go to "Previous versions" tab;
  • Here, check each of the available copies of the file in "Folder versions". Select the version you want to recover and click "Restore".

ShadowExplorer usage instructions:

ShadowExplorer can only be used in cases where the ransomware has not deleted the Volume Shadow Copies of the files. If you are infected with a CTB Locker version that keeps these copies intact, you may try these instructions:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow the Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk with your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select "Export". You can also select where you want it to be stored.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from CTB Locker and other ransomware, use a reputable anti-spyware program, such as Reimage, Plumbytes, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

Jake Doe - Life is too short for wasting your time on viruses


Comments on CTB Locker virus

0
0
descarcons
Does anybody know how to decrypt the files??! Please help! I have removed the virus but I need to get my files back!
0
0
Severine
SpyHunter removed this virus, thanks GOD! However, my files are left encrypted, however, I am not going to pay the CTB Locker ransom. There's no way I am supporting these cyber criminals. Screw them!
0
0
maahnaz
Hi, I'm from Iran. My personal pictures are encrypted with the CTB locker. I used method 1 for Windows 7, installed SpyHunter 4 and scanned my computer. It found 78 threats and needs to "fix threats", and that needs to be registered with a credit card. Unfortunately I don't have a credit card. What can I do? Please help me.
1
0
Scott
I am a professional photographer. A few weeks ago my computer was attacked by CTB-LOCKER, the one with the black screen and code KEY. Proven Data Recovery has been able to identify the VARIANT of the virus I have. It is - RSA-2048 CTB-Locker encryption virus.
They want 2,600 for the decryption of 300 image files that this virus has encrypted on a SD CARD. The computer still reads close to 900mb of data on the card and I have been told by multiple sources that there is a chance my images are still there, but I have had no luck and it's going to take me quite some time to come up with this money, so in the meantime I am exploring other options and learning more about computers and code than I would otherwise have ever cared to.
It angers me to no end that people can actually even do this. That they can hurt total strangers in this way. Hurt their jobs. Affect their lives just for the sake of doing so and then dangle our data in front of us so we freak out and jump. I refuse to pay this RANSOM and it is frustrating to no end that the supposed GOOD GUYS want WAY THE HELL MORE!! It's very backwards to me and does not seem right. It is almost impossible to get a simple straight answer from people in this area and there is a lot of double talk and I have had a couple people remote access my computer and I see them try things even I have tried.
The files that are blocked were never on my hard drive. I didn't even have time to make a hard copy. One moment they were fine and the next they were encrypted. I have done 2 system restores and a factory restore and the computer has updated protection but the files remain locked on my card.
Is there any effective decryption for CTB-LOCKER - RSA-2048 CTB-Locker encryption virus?
What are the odds? Is it even worth saving all this money for these people? He did ID the variant. Even that came as a shock. It's all I have to go on. Maybe, if you think you have a solution for me, of course I would be willing to work out a pay arrangement but I would need to see at least SOME proof. Maybe do one or two that I can see. There are 300 on the card and I am really quite desperate for this material, or to be told convincingly and enough times that all hope is lost. I am not at that point yet.
Thanks for your time
Sincerely

Scott Str8onthe8@yahoo.com
0
1
Jeffrey
CTB encrypts everything it can find. It would be good to correct that in the instructions above. We were able to reverse the virus by rolling back (Rollback Rx) - similar to Windows system restore.
0
0
johndoe
First of all, people, the virus can be removed from your computer and your files can be recovered; they are hidden under a folder not visible to you at the time. Although he is informative on the history of viruses. Think about it. If you were trying to actually help with this issue... Name the program that you're using. Give credit to the developers of the software by naming them, since it's really them who did it, not you. You're just telling people you found a program that works and passing off as an IT specialist.
0
0
Mel
One of my friends connected his iPhone to my laptop to play songs thru iTunes. I suspect he had infected files on his phone that got moved to my laptop - which now has CTB Locker.

Malwarebytes "discovered" a lot of files, but did not eradicate CTB Locker.
0
0
FRAJ
Please Help me how to save my encrypted file please help me 8801840317337
0
0
vikas
Dear sir, my PC was infected with ctb-locker and my files became encrypted. Then I formatted my HDD drive and I thought the virus may be cleaned. But unfortunately after reinstallation of Windows my files in my D drive were still encrypted. Now the solution you posted on this page is not applicable in my newly installed Windows OS. What will be the solution for my case??? And my all data loss, solution data recovery, help me

A beneficial advice may be highly appreciated.
Best regards