
CTB Locker virus. How to remove? (Uninstall guide)

By Jake Doevan | Also known as Curve-Tor-Bitcoin Locker, CTB-Locker | Type: Ransomware

About CTB Locker – another member from the family of crypto malware:

CTB Locker virus (also known as CTB-Locker ransomware) is a crypto-type [1] malware that started attacking PC users in the middle of July 2014. It is almost identical to Cryptowall, Cryptolocker, Cryptorbit, Critroni, etc., so if you have ever heard about any of these parasites, you will know what this ransomware is used for. Basically, it is designed to encrypt specific data files and then make people pay for their decryption. In most cases, people who want to recover access to their photos, videos and other files are asked to pay $120. However, sometimes CTB Locker ransomware demands $24 or less. Of course, this ransom has to be paid in Bitcoins [2]. If you think that your PC has already been infected by CTB Locker virus, the first thing you should notice is that you cannot open your files anymore. You may also start seeing a warning message that explains the situation and asks you to pay a fine. In this case, you should immediately scan your computer with a reputable anti-spyware program, because the sooner you do that, the more files you could save. Unfortunately, this virus can hardly be noticed before it shows the notification that reports the encrypted data and asks for a ransom. That’s why you should always have an updated anti-spyware installed on your computer that could help you prevent infections like this one. For that we highly recommend using Reimage.

A picture showing CTB_Locker warning message

UPDATE 1: CTB-Locker was renewed at the beginning of 2015. After this update, the virus asks victims to pay 3 BTC or about $2774 for an opportunity to recover access to their files. It also includes a “free decryption” service, an extended deadline (96 hours) to pay the fine and an option to change the language of the ransom message. At the moment of writing, victims can switch from English to Dutch, German and Italian [3]. Interestingly, this new version of CTB Locker allows people to select 5 different files for free decryption. This option is called “Test Decryption” and is presumably given to convince users that the decryption service is real. Nevertheless, you should NEVER pay this ransom and support scammers. Just scan your computer with a reliable anti-spyware and remove CTB Locker virus. Then, you should download one of the programs given below to recover access to your files.

UPDATE 2: It seems that 2016 can be called the year of CTB Locker. According to the latest news, hackers have started using this virus to attack websites. Beware that “CTB Locker for websites” can easily replace the original index page of the affected website. It can also encrypt all scripts, documents, photos, databases and other important files, and start displaying its warning on the main page of the affected website. According to the latest reports, CTB-Locker virus can hold the site hostage until its owner pays a ransom. To unlock the site and decrypt the encrypted files, a victim of this ransomware has to pay a ransom of $150 or £100. CTB Locker also lets its victim see how the decryption process works and provides 2 decryption keys to unlock two random files. Its latest victim is the British Association for Counseling & Psychotherapy website [4]. People can’t reach this domain, which now shows a detailed guide explaining how the owner of the site has to pay the fine and get the encrypted files back. Of course, money is what the scammers are expecting to get. To avoid having to pay a ransom to hackers, you should create A BACKUP of your OS and your most important data.

UPDATE 3: According to the latest news, CTB-Locker has started spreading with the help of a new system called RAUM. This newly presented strategy is used to infect the most popular torrent files with ransomware, the infamous Dridex, Pony and similar malware, which is launched right after the malicious torrent file is installed on the system. If infected with CTB Locker, you will discover that your files with these extensions are encrypted: .ai, .cdr, .doc, .docx, .eps, .jpg, .xls, .ppt, .psd, .pdf, etc. RAUM [5] is believed to work as a pay-per-install system that first tracks torrent users to find out which torrent files are the most popular among them. Next, it infects these files with malware and uses hacked accounts to upload the malicious content. Security researchers have already discovered that hackers have been using the Pirate Bay and Extra Torrent sites. Make sure you stay away from these domains to protect yourself and your files.

UPDATE 4: CTB-Locker has become a target of amateur hackers who have made CTB-Faker, a program which looks like CTB-Locker but is not the actual infection [6]. The ransom note that this fake ransomware drops on infected computers looks identical to the one used by the original virus. It notifies victims that their computer has been infected with CTB-Locker and that they have to pay 50 USD to recover their files. However, for the data encryption CTB-Faker relies on WinRAR functionality, which is an easier and simpler way to achieve file encryption. The targeted files are simply compressed and stored in an archive protected with a password that the hackers have selected. Luckily, experts have already managed to find a vulnerability in this virus and disclosed this password: the virus-generated archives can be unlocked using the p4w1q3x5y8z code. However, not all imposters can be dealt with that easily. 2017 can bring programs that are as dangerous as their malicious counterparts and may corrupt the system just as badly. So, we can only advise you to be careful out there!

 A website, which was affected by CTB Locker ransomware

How can CTB Locker infect my computer?


CTB Locker is mostly spread using misleading emails. They can claim that you have to confirm your purchases, approve payments, etc. Of course, once the victim is tricked into downloading a fake attachment, the PC is infected with this ransomware. Besides, you should be very careful with annoying pop-ups offering to update programs such as Java or Flash Player, because they can also lead to CTB Locker infiltration. As soon as this virus enters the system, it immediately drops its own files and then scans the system for specific files. After discovering the required files, it locks them using elliptic curve cryptography. When infected with CTB Locker ransomware, you can lose files with these extensions:

3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx, etc

By the way, it seems that this virus is also capable of communicating with its Command and Control server over TOR and following its commands. If you use Windows XP, Windows Vista, Windows 7 or 8, you should be especially careful, because at the moment of writing this virus is capable of infecting only those systems. If you think that your PC is hijacked and your files are encrypted, you can check them by opening the %MyDocuments%\.html file. Unfortunately, you won’t be able to recover those files without paying a ransom. If you are infected, jump to the next page to learn more about CTB Locker virus removal.

File recovery after CTB Locker infiltration:

Unfortunately, if you are infected with CTB-Locker ransomware and you don’t have a backup of your important data, there is no guarantee that you will get a chance to recover it. Of course, you can try to pay the ransom, but there is no guarantee that the hackers will give you the right decryption key. To decrypt your affected files, you can try running tools such as Kaspersky virus-fighting utilities, Photorec or R-Studio, but we cannot give you any guarantee that they will work for you.

That’s why we highly recommend thinking about the prevention of such infections. To avoid having to remove CTB Locker from your computer, you can use Reimage, Plumbytes Anti-Malware or Malwarebytes, which can stop this virus before it enters your computer. Besides, don’t forget about backups (they should be made as frequently as possible). For storing them, you can try USB external hard drives, CDs, DVDs, Google Drive, Dropbox, Flickr and other solutions. It is also recommended to make sure that all your open shares are available only to the necessary user groups or authenticated users.

CTB Locker removal:

If you need a guide that could help you remove CTB Locker virus from your computer, you are in the right place. If it has already hijacked your system, you should disconnect your computer from the Internet ASAP. Unfortunately, we cannot give you a CTB Locker decrypter yet because it is still in the development stage. However, you should follow the step-by-step guide given below and finish the elimination of this ransomware.


To remove CTB Locker virus, follow these steps:

Remove CTB Locker using Safe Mode with Networking

In case CTB Locker blocks your antivirus and you cannot run the system scan to remove it, please follow the instructions we provide below.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove CTB Locker

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete CTB Locker removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove CTB Locker using System Restore

Another method that can be used to disable the virus and run the antivirus is presented here:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of CTB Locker. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it and make sure that CTB Locker removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove CTB Locker from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by CTB Locker, you can use several methods to restore them:

Our recommendations on Data Recovery Pro application

To learn how to use Data Recovery Pro and recover your files automatically, check out the guide indicated below:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by CTB Locker ransomware;
  • Restore them.

Useful tips on how to use the Windows Previous Versions feature

Instructions for using the Windows Previous Versions feature are presented below. However, before you try to recover your files using this technique, make sure that you enabled the System Restore function some time before the ransomware attack. Otherwise, this data recovery method will not work.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer usage instructions:

ShadowExplorer can only be used in cases where the ransomware does not delete Volume Shadow Copies of the files. In case you are infected with a CTB Locker version which keeps these files intact, you may try these instructions:

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from CTB Locker and other ransomware, use a reputable anti-spyware, such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

About the author

Jake Doevan - Computer technology expert
