CTB Locker

Hello,

My computer was infected with "CTB-Locker". It says all of my personal files are encrypted and I must pay a ransom to decrypt.

Please help me to remove this "CTB-Locker" from my computer and to restore my files. Thank you

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.  

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
You should start by running MBAM in Safe Mode with Networking.

Please download AdwCleaner by Xplode onto your Desktop.

Before starting AdwCleaner, close all open programs and internet browsers, then double-click on the AdwCleaner icon.



If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
When the AdwCleaner program will open, click on the Scan button as shown below.



AdwCleaner will now start to search for malicious files that may be installed on your computer.
To remove the files that were detected in the previous step, please click on the Clean button.



AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.
Please click on the OK button to allow AdwCleaner reboot your computer.A log will be produced. Please copy and paste this log in your next reply.
*********************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

• It should update automatically if the computer is connected to the internet.
  
• Click on Threat Scan and click on Scan Now.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete make sure all the infections have "quarantine" selected in the Action box.
  
• Click on "Apply actions" You may be asked to Restart your computer to completely remove the infections.
  
• When disinfection is completed you can click on "Copy to Clipboard".
  
• Paste the log in you next reply (CTRL+ V)
  

*************************************************
Please download Junkware Removal Tool to your desktop.

•Warning! Once the scan is complete JRT will shut down your browser with NO warning.

•Shut down your protection software now to avoid potential conflicts.

•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

•The tool will open and start scanning your system.

•Please be patient as this can take a while to complete depending on your system's specifications.

•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

•Copy and Paste the JRT.txt log into your next message.
*****************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

Hello Dave,

The computer I am using to reply to you is not infected. I will have to go to that computer and will try to connect with you. Thank you

Hello Dave,

Please give me until Wednesday to access the infected computer. Thank you for your help.

I will be here. Take your time.

Thank you very much!

Hello Dave,

I am now at the PC that was infected by CTB-Locker.

I am trying to use your instruction to clean up, but I believe further help is needed.

Thank you!

Tran

Can you run the scans?

Hello Dave,

I ran all the scans (Adwcleaner, antimalware, junk removal, security check)

There are no virus detected. The files encrypted by CTB-Locker have a file extension "ormmqme" right next to the regular extension. For example, it looks like this picture.jpg.ormmqme". All the files that have such extension are useless, that ia, it can not be open by the program used to create it.

Below are the logs from the scan:

ADWCLEANER LOG:

# AdwCleaner v4.202 - Logfile created 29/04/2015 at 16:17:27
# Updated 23/04/2015 by Xplode
# Database : 2015-04-27.1 [Server]
# Operating system : Microsoft Windows XP Service Pack 3 (x86)
# Username : Vu - HI-8DBADD13280B
# Running from : C:\Documents and Settings\Vu\Desktop\CLEANUP\adwcleaner_4.202.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

File Deleted : C:\Documents and Settings\Vu\Application Data\Mozilla\Firefox\Profiles\cr9uk1km.default\searchplugins\bingp.xml
File Deleted : C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.JS.ormmqme

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Search
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{201F27D4-3704-41D6-89C1-AA35E39143ED}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3041D03E-FD4B-44E0-B742-2D9B88305F98}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{201F27D4-3704-41D6-89C1-AA35E39143ED}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3041D03E-FD4B-44E0-B742-2D9B88305F98}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Deleted : HKCU\Software\Local AppWizard-Generated Applications

***** [ Web browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v9.0.1 (en-US)


-\\ Google Chrome v42.0.2311.90

[C:\Documents and Settings\Vu\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Documents and Settings\Vu\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Documents and Settings\Vu\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Extension] : fcfenmboojpjinhpgggodefccipikbpd

*************************

AdwCleaner[R0].txt - [4175 bytes] - [29/04/2015 16:02:12]
AdwCleaner[R1].txt - [3334 bytes] - [29/04/2015 16:15:01]
AdwCleaner[S0].txt - [4333 bytes] - [29/04/2015 16:02:54]
AdwCleaner[S1].txt - [3301 bytes] - [29/04/2015 16:17:27]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [3360  bytes] ##########

JUNK REMOVAL LOG

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.6.6 (04.28.2015:1)
OS: Microsoft Windows XP x86
Ran by Vu on Wed 04/29/2015 at 16:22:46.12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks



~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\\{710EB7A1-45ED-11D0-924A-0020AFC7AC4D}



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] C:\WINDOWS\wininit.ini



~~~ Folders



~~~ FireFox

Emptied folder: C:\Documents and Settings\Vu\Application Data\mozilla\firefox\profiles\cr9uk1km.default\minidumps [1 files]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 04/29/2015 at 16:26:18.45
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SECURITY CHECK LOG:

Results of screen317's Security Check version 1.00  
Windows XP Service Pack 3 x86  
Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!  
Please wait while WMIC is being installed.display Name Symantec AntiVirus
Corporate Edition

Antivirus out of date!  
`````````Anti-malware/Other Utilities Check:`````````
CCleaner    
Adobe Flash Player 17.0.0.169  
Adobe Reader XI  
Mozilla Firefox (9.0.1)
Google Chrome (41.0.2272.118)
Google Chrome (42.0.2311.90)
````````Process Check: objlist.exe by Laurent````````  
Malwarebytes Anti-Malware mbamservice.exe  
Malwarebytes Anti-Malware mbam.exe  
Malwarebytes Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 26% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

The log shows that your AV is out-of-date. If you are not going to renew your subscription you will need to download and install an AV from the list below. Don't use MSE because in XP it not kept up to date. I like Comodo or Avast.

Remember to only install one antivirus!

1) Avast! Home Edition
2) AVG Free Edition
3) Avira AntiVir Personal
4) MicroSoft Security Essentials  All versions and all languages.
5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
*****************************************************
Please make a note to yourself to defrag your hard drive soon. Don't defrag if your hard drive is a Solid State drive.
Were you able to run MBAM?