Remove CTB-Locker

What is CTB-Locker?

CTB-Locker, also known as Critroni, is a hazardous ransomware application that can affect all Windows systems and encrypt your files. You may have gotten infected by this malware while visiting corrupted websites. The ransomware is installed by a Trojan. It is very good at staying hidden as the program creates a file with random digits and runs a process that is called Adobe Flash Player 10.3 r183. When the computer user sees this process he or she may just think that they have downloaded and installed a program used to watch online videos, however, that is not the case. CTB-Locker presents you with a notification that states your files have been encrypted and that you need to pay the cyber criminals in order restore access to those files. We do not recommend following these instructions. Instead, you should terminate CTB-Locker yourself.


How does CTB-Locker work?

As soon as CTB-Locker enters your system, it starts encrypting your files. It may affect you documents, photos, audio and other types of files. All encrypted files have their extension changed to CTB or CTB2. The ransomware then creates a file that contains the instructions from the cyber criminals. According to these instructions, the computer user must pay the so-called ransom in Bitcoins using an online money transfer system. Otherwise, the files are lost forever. The message also claims that the computer user has only 72 hours to complete the transaction.

The encryption method used by CTB-Locker is unique to this infection and is called elliptical curve cryptography. Once the malware is done encrypting your files, it also disables explorer.exe which is a file that makes it possible to interact with the interface of your PC. Your desktop background is also changed to a file stored in %MyDocuments%\AllFilesAreLocked<userid>.bmp that also contains the instructions of how to make the payment. This, however, is a temporary symptom. As soon as you restart your computer, it goes back to normal. However, every time that you do, the ransomware will copy itself under a new name in the %Temp% folder and also create a new task scheduler job that launches on login. That is why you may find a number of copies of the same file under different names.

You can see the full list of the encrypted files in %MyDocuments%\<random>.html file. Unfortunately, unless you have a back up, you may not be able to regain access to them. If your files are not backed up, you may try using a file recovery software like R-Studio or Photorec which can help you restore some of your files. Paying the cyber criminals for the decryption key is the last resort and we would recommend doing so as it is rather doubtful that they will keep their promise and present you with it. What you should do now is eliminate CTB-Locker from your computer.

How to remove CTB-Locker?

In order to remove CTB-Locker manually you have to delete all executable files from the %Temp% folder and clean the hidden job in the Task Scheduler. However, we do no recommend doing so if you do not have advanced computer knowledge. Which is why we suggest that after you restart your PC, you download and install a reliable anti-malware utility that will help you get rid of CTB-Locker and keep your system safe in the future. It will scan your computer, detect the threat and remove CTB-Locker completely. As you can see, it is very important to have a powerful malware prevention and removal tool installed on your PC so that you can surf the Web safely and be sure that your system and your personal data is protected at all times.


18 thoughts on “Remove CTB-Locker

  1. Anonymous

    Re: How can I decrypt files after CryptoLocker virus
    Posted: 13-Oct-2014 | 8:43AM • Permalink

    It seems that the infection is a new variant of TorrentLocker which is a copycat and posing as CryptoLocker.

    Before 11th September this infection was using an easy to decrypt XOR encryption method.
    The tool to decrypt this variant is found here: (link is external)

    Unfortunately, some researchers decided to publicly blog about this encryption method, which caused the malware developer to change the encryption to a much stronger and unbreakable decryption using AES. Due to this change, Nathan Scott’s TorrentLocker decrypter (link is external) no longer works on this infection.

  2. Anjan Sanku

    I got CTB Locker and please anyone who can help me avoiding CTB Locker kindly give me a call +91 9967799318 Mr. Anjan Sanku

  3. ctb-locker victim

    for recovering encrypted files..remove your hdd and conect it to a machine with linux operating system….you will be able to recover all your files.

    1. youngpadawan

      why not just using live image linux, no need to connected your HDD to another Computer or HDD running linux, if that’s the case. There’s CD/DVD or USB live image to be used.

  4. Rana

    Why not to start using Linux? No trojans, no viruses…. and having a little bit of knowledge you can make system very safe… No need for antivirus, antispyware and so on… Money saver….

    1. youngpadawan

      every system or I just say OS has vulnerabilities to destructive program, you can say virus, malware or trojan, but in linux they not automatically run like Windows did.

  5. wazir ahmad fushanji

    My computer has gotten CTB-locker could you please help me because I have private documents it would be your so kind…


    Bonjour, Moi c’est olivier kouakou je vous ecrit de la côte d’ivoire. Mon ordinateur a pri un CTB. s’il vous plais aidez moi à resoudre ce problème


Leave a Reply to Rana Cancel reply