How to remove CTB-Locker and decrypt .CTBL files

What is CTB-Locker?

CTB-Locker (also known as Curve-Tor-BitCoin Locker or Critroni) is ransomware that was released in June 2014 and has remained active to the present. It targets Windows systems and can infect all versions of the OS released so far.

What sets CTB-Locker apart from other ransomware is its encryption algorithm: ECC (Elliptic Curve Cryptography) instead of the more common RSA or AES. This encryption method is more complicated and thus makes decryption next to impossible. The scan for matching files is performed on all drive letters, including removable storage devices. After encryption, CTB-Locker changes file extensions to .ctb or .ctb2 in older versions of the virus, or to a random extension in the current version.


After encryption comes a notification with a brief description of the situation and payment instructions. To make sure the user gets the message, the ransomware adds a text file to the desktop and to every folder, and changes the victim's wallpaper. Usually it states that the user has 96 hours to transfer 0.2 BitCoins, otherwise the ransomware will be eliminated together with the decryption code.

Still, we don't recommend rushing to pay the ransom, as there are some steps you can try first to remove CTB-Locker and restore your files.

CTB-Locker for Websites

At the beginning of 2016 a new version of CTB-Locker was released. This time the cybercriminals chose websites as their target. The ransomware first changes the site's original index.php and encrypts the information found on the site, including databases, scripts and documents. This time CTB-Locker demands 4 BitCoins for the encryption key. There is no expiration date for this ransomware, so it holds the site hostage until the ransom is paid. To avoid this, always keep backups of your OS and all data.

How CTB-Locker got installed on your computer

According to the majority of reports, CTB-Locker is distributed via infected emails. The subject and body of these messages may state that you have been sent a parcel, or that you need to confirm a purchase or pay a tax. Recently these messages began to offer a Windows 10 upgrade. The malicious file is attached to the email and contains dangerous code. Once the attachment is opened, it installs the ransomware.

Symptoms of CTB-Locker infection

It is hard not to notice ransomware, since it usually runs a process responsible for displaying a notification message. This window blocks the screen, leaving the user with very few options. In addition, some files will become inaccessible, as in many cases ransomware encrypts them to heighten the scare effect.

How to remove CTB-Locker?

To make sure that the ransomware does not reappear, you need to delete CTB-Locker completely. To do this, you need to remove the ransomware's files and registry entries. We should warn you that performing some of the steps may require above-average skills, so if you do not feel experienced enough, you can use the automatic removal tool.

Performing an antimalware scan with Norton will automatically find and delete all elements related to CTB-Locker. It is not only the easiest way to eliminate CTB-Locker, but also the safest and most reliable.

Steps of CTB-Locker manual removal

Restart Windows in Safe Mode

For Windows 7, 8, XP and Vista:

  1. Restart the system
  2. While the computer is rebooting, press F8 several times
  3. In the list of options that appears, choose Safe Mode

For Windows 10:

  1. In the Start menu click on the power button
  2. Hold Shift and choose Restart
  3. Choose Troubleshoot
  4. In the Advanced Options choose Startup Settings
  5. Click Restart
  6. Select Enter Safe Mode With Networking

Delete files and registry entries added by CTB-Locker

Now you will be able to reach the necessary functions and files. To eliminate the ransomware's activity, you need to find all of the following items and delete them.

Remove CTB-Locker files and folders:

%MyDocuments%\DecryptAllFiles [USER ID].txt
%MyDocuments%\AllFilesAreLocked [USER ID].bmp
Documents and Settings\[USER]\Application Data\[RANDOM].exe
Documents and Settings\[USER]\Local Application Data\[RANDOM].exe

Remove CTB-Locker registry entries:

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System Security
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System Components Update
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\mnvexhd
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{379B0208-4815-4A89-A2FE-2B8C6C6252D9}
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{379B0208-4815-4A89-A2FE-2B8C6C6252D9}
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E076ED8D-7900-4AAA-B4A6-953642011552}
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A5538D18-5F5D-43EA-AFF1-A92F8D8DB134}
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1D1AC317-1966-4101-9F9E-7EBDC03AB61B}
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{11C834B9-E673-4F9C-90BB-0E4FFA51F25E}
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{11C834B9-E673-4F9C-90BB-0E4FFA51F25E}
HKEY_CURRENT_USER\Control Panel\Desktop "Wallpaper" = "%MyDocuments%\AllFilesAreLocked [USER ID].bmp"
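
A read-only check for the files and registry entries listed above, as an added example that is not part of the original guide. It assumes the TaskCache keys live under HKEY_LOCAL_MACHINE (the list does not name the hive) and that the two Application Data paths correspond to %APPDATA% and %LOCALAPPDATA%; the function name is hypothetical.

```powershell
# Added example: read-only check for the CTB-Locker artifacts listed on this page.
# Nothing is deleted; the function only returns what it finds.
function Find-CtbLockerArtifacts {
    $found = @()
    $docs = [Environment]::GetFolderPath('MyDocuments')
    # "[USER ID]" in the listed file names is matched with a wildcard.
    foreach ($pattern in 'DecryptAllFiles*.txt', 'AllFilesAreLocked*.bmp') {
        $found += @(Get-ChildItem -Path $docs -Filter $pattern -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Type = 'File'; Item = $_.FullName } })
    }
    # "[RANDOM].exe" cannot be matched by name, so every executable sitting directly
    # in an application-data folder is reported as a candidate for manual review.
    foreach ($dir in @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }) {
        $found += @(Get-ChildItem -Path $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Type = 'Candidate exe'; Item = $_.FullName } })
    }
    # Scheduled-task cache keys from the list above (HKLM hive is an assumption).
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
    $keys = @(
        'Tree\System Security'
        'Tree\System Components Update'
        'Tree\mnvexhd'
        'Tasks\{379B0208-4815-4A89-A2FE-2B8C6C6252D9}'
        'Logon\{379B0208-4815-4A89-A2FE-2B8C6C6252D9}'
        'Tasks\{E076ED8D-7900-4AAA-B4A6-953642011552}'
        'Tasks\{A5538D18-5F5D-43EA-AFF1-A92F8D8DB134}'
        'Tasks\{1D1AC317-1966-4101-9F9E-7EBDC03AB61B}'
        'Tasks\{11C834B9-E673-4F9C-90BB-0E4FFA51F25E}'
        'Boot\{11C834B9-E673-4F9C-90BB-0E4FFA51F25E}'
    )
    foreach ($k in $keys) {
        $path = "$base\$k"
        if (Test-Path -LiteralPath $path) {
            $found += [pscustomobject]@{ Type = 'Registry key'; Item = $path }
        }
    }
    # Wallpaper value pointing at the ransom image in the Documents folder.
    $wp = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
    if ($wp -like '*AllFilesAreLocked*.bmp') {
        $found += [pscustomobject]@{ Type = 'Wallpaper'; Item = $wp }
    }
    return $found
}

Find-CtbLockerArtifacts | Format-Table -AutoSize
```

An empty result means none of the listed items were found for the current user profile; the "Candidate exe" rows are expected to include legitimate programs and need to be checked one by one.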

Restore the files encrypted by CTB-Locker

Use the decryption tool

Unfortunately, a tool able to decrypt files encrypted by CTB-Locker has not been released yet. You can try the methods described below; however, they might not work with the latest versions of CTB-Locker.

Restore the system

  1. Search for ‘system restore’
  2. Click on the result
  3. Choose a date before the infection appeared
  4. Follow the on-screen instructions

Roll the files back to the previous version

  1. Right-click the file and choose Properties
  2. Open the Previous Version tab
  3. Select the latest version and click Copy
  4. Click Restore
