Monday, July 27, 2015

Profiles in PC Poisoning, Part 3

In the previous post, I detailed the removal of the CTB-Locker Trojan from my father's computer with Malwarebytes Anti-Malware. Up to this point I haven't been very specific about the damage that CTB-Locker left in its wake - I'll get into that today.

Encryption prototype

CTB-Locker encrypted hundreds of files on my father's computer. For example, CTB-Locker converted a Byron.wps file to a Byron.wps.xyz file.

The Byron.wps document was created by the word processor module of Microsoft Works, which was discontinued by Microsoft several years ago. Besides Microsoft Works, both Microsoft Word and Notepad can open a .wps file; in the latter case most of the file will be unintelligible but the original .wps content will be present therein and can be extracted if desired.

Now, what about the Byron.wps.xyz file? As it happens, there is a recognized .xyz file format, but it has nothing to do with word processing. An attempt to open Byron.wps.xyz with Microsoft Works throws the following error:
Works cannot open "C:\Documents and Settings\Owner\Desktop\Byron.wps.xyz". The file may be in use by another application, the file format may not be supported by any of the installed converters, or the file may be corrupt.
The file can be opened with Microsoft Word or Notepad but the content is complete gobbledygook in both cases. (BTW, subtracting the .xyz extension from the file name does not give a readable file, in case you were wondering.)

C: damage

In the computer's Local Disk (C:) volume, CTB-Locker mainly targeted two folders:
(1) C:\Documents and Settings\Owner\My Documents\
Most of the affected files in the My Documents\ folder were in fact doubly encrypted, as detailed below.
(2) C:\Program Files\

My Documents\

• 170 .wps documents were converted to 153 .wps.jkffbil.xyz files, 10 .wps.bqtuzhl.xyz files, and 7 .wps.xyz files. Also, a .docx document was converted to a .docx.xyz file and 4 .txt documents were converted to 2 .txt.jkffbil.xyz files and 2 .txt.bqtuzhl.xyz files.

.jkffbil? .bqtuzhl? What seems to have happened is that the computer was initially hit with two different CTB-Locker infections, and then, after applying that video procedure to the computer, a remnant of one or both infections (or maybe even a third, separate infection) later reared its ugly head and .xyz-ed (1) the .jkffbil-ed and .bqtuzhl-ed files and (2) whatever was missed the first time around - at least, these are the conclusions I draw from inspecting the Created:/Modified:/Accessed: fields on the General tab of the Properties pane for a variety of encrypted and unencrypted files.

• 100 .jpg images, including all those in the My Pictures\ subfolder, were converted to 88 .jpg.jkffbil.xyz files, 7 .jpg.bqtuzhl.xyz files, and 5 .jpg.xyz files.

• 25 .pdf files were converted to .pdf.jkffbil.xyz files.

• 4 .zip packages were converted to 2 .zip.jkffbil.xyz files and 2 .zip.bqtuzhl.xyz files.

• In the My Music\ subfolder, 2 .itl iTunes libraries were converted to .itl.xyz files and 2 .itdb iTunes databases were converted to .itdb.xyz files.

• In the My Videos\ subfolder, a .flv video was converted to a .flv.xyz file.

• Lastly and least, there are 338 .png.xyz files and 4 .css.xyz files in RegCure Pro\ and SpeedyPC\ subfolders that really shouldn't be on my father's computer in the first place.

Program Files\

• 384 files were converted to 272 .jkffbil files and 112 .bqtuzhl files; all of these files are singly encrypted. Affected file formats: .cer, .doc, .eps, .jpg, .js, .mdf, .pdf, .ppt, .rtf, .txt, .xls, and .zip.

Etc.

• There are 9 encrypted files in the C:\Documents and Settings\Owner\Desktop\ folder and 20 encrypted files in the hidden C:\Documents and Settings\Owner\Application Data\ and C:\Documents and Settings\Owner\Templates\ folders. Affected file formats: .air, .dbf, .doc, .docx, .jpg, .js, .pdf, .ppt, .rtf, .txt, .wb2, .wps, .xls, .xlsx, and .zip.

• Outside of the C:\Documents and Settings\Owner\ folder, 2 .wma audio clips were converted to .wma.xyz files and 4 .jpg images were converted to 2 .jpg.jkffbil.xyz files and 2 .jpg.bqtuzhl.xyz files in the C:\Documents and Settings\All Users\Shared Documents\ folder.

D: damage

Twice in the past - about five months ago and in 2012 - the Address Book\, Desktop\, Favorites\, and My Documents\ subfolders of the C:\Documents and Settings\Owner\ folder were copied to the computer's Recovery (D:) volume. Without exception, all of the encrypted C:\Documents and Settings\Owner\Desktop\ and C:\Documents and Settings\Owner\My Documents\ files were also encrypted in the D: volume, although not necessarily in the same way, e.g., some of the .jkffbil.xyz files appear as .bqtuzhl.xyz files and vice versa.

Undamaged

• The following file types were left alone: .bak backups, .bmp images, .dat data files, .db databases, .dll libraries, .exe executables, .htm and .html and .xml Web documents, .mp3 audio files, .wav audio files, and .xlr Microsoft Works spreadsheets (not a complete list).

• Gratifyingly, the C:\WINDOWS\ folder was left untouched.

In search of a key

I found a "How to remove CTB Locker Virus" article whose Stage 3 : Unlocking files that were encrypted by CTB Locker section suggests that a Panda Ransomware Decrypt program might be able to decrypt CTB-Locker-encrypted files and provides a link thereto. My attempts to decrypt a small group of encrypted files with Panda Ransomware Decrypt are not worth discussing to any extent: suffice it to say that they didn't work.

To my understanding, file decryption tools are target-specific, i.e., a program that unlocks files encrypted by a specific type of ransomware will generally be useless for files encrypted by other types of ransomware. As of this writing and as far as I am aware, no one has written a program that can decrypt files encrypted by CTB-Locker.

Subsequently, I decided to see if I could re-obtain the affected data on my father's computer via a file recovery approach, which did prove somewhat successful, and I'll tell you about it in the following entry.

Saturday, July 11, 2015

Profiles in PC Poisoning, Part 2

Let's get back now to our ongoing discussion of my father's computer and its CTB-Locker ransomware infection. As noted in the previous post, the protocol provided by this "REMOVE CTB-Locker" YouTube video didn't pan out very well. What next?

Go to the root

It occurs to me that I may be able to return the computer to a pre-infection state via Windows' System Restore feature. I go to the System Configuration Utility and click the button on the General tab (see the first screenshot in the next section). An alert( ) message pops up:
System Restore has been turned off by group policy. To turn on System Restore, contact your domain Administrator.
When it rains, it pours, huh? I go to my iMac to research the message, and come across a helpful Microsoft Community page on which "A. User" states:
Unless you disabled [System Restore] on purpose, the chances are good that your system has a malicious software infection. ... You need to fix the immediate problem of [System Restore] not working [vis-à-vis running System Restore itself], then scan your system for malicious software when you are done.
A. User goes on to recommend Malwarebytes and SUPERAntiSpyware programs for the removal of malicious software.

We'll get back to System Restore later in the post, but for now let's see where this gets us, shall we?

Under the knife

I download installers for CCleaner (go here to download the ccsetup*.exe executable on a Macintosh) and Malwarebytes Anti-Malware and write them to a CD on my computer. My attempts to copy the installers to my father's computer either generate a fusillade of errors or cause the system to hang, depending on the computer's boot state.

On my father's computer and in Selective Startup mode per the settings shown below - the
Load Startup Items
checkbox is unchecked because all of those items have been disabled via the Startup tab -

a second attempt to download the CCleaner installer is successful (I'm pretty sure that first download attempt was in Normal Startup mode, but I can't remember); installing and running CCleaner subsequently proceed without incident.

An attempt to download the Malwarebytes Anti-Malware installer from Malwarebytes itself in Selective Startup mode throws a "Secure Connection Failed" error; fortunately, I am able to download the installer from c|net. I am unable to install Malwarebytes Anti-Malware in Selective Startup mode; a malwarebytes anti-malware won't install Google search leads me to a "Cleanup Malware Using Malwarebytes" .pdf whose What To Do If Malwarebytes Won’t Install Or Won’t Run section instructs the user to install Malwarebytes Anti-Malware in SAFE MODE (not SAFE MODE WITH NETWORKING), i.e.:

I boot the computer into its /SAFEBOOT-MINIMAL mode. Installation of Malwarebytes Anti-Malware is successful and I scan the computer with it: 6 threats are detected, and I remove them. I boot the computer into its /SAFEBOOT-NETWORK* mode and then update the program's database(s) and run a custom scan per the Running Malwarebytes section of the .pdf: this time 62 threats are found and I get rid of them too. Gratifyingly, the latter scan serves to return the computer to operational normalcy, the encrypted files notwithstanding.

*The What To Do If Malwarebytes Won’t Install Or Won’t Run section says that after the /SAFEBOOT-MINIMAL scan you can go directly to Normal Startup mode and should then do a second, custom scan; I strongly recommend that the second scan be carried out in /SAFEBOOT-NETWORK mode in order to keep any remnants of your infection(s) at bay while you are cleaning up your computer. Upon subsequently returning your computer to Normal Startup mode or a Selective Startup variant thereof, however, you should indeed scan it again to make sure everything's OK. If I recall correctly, a third, Selective Startup scan of my father's computer did detect one last threat.

A word on screenshots

The screenshots in this post were taken via the procedure outlined on this page, with one important detour: on my father's computer I launched the Paint program by opening mspaint.exe with the Run command as the computer's Start → Programs → Accessories menu does not have a Paint selection.

System Restore, revisited

Once the computer is clean, I re-enable System Restore via the Registry Editor-based "Method 2" detailed on this page ("Method 1" is not applicable because, contra a note near the bottom of the page, the Home Edition of Windows XP does not have a Group Policy Editor).

I go to Start → Programs → Accessories → System Tools → System Restore and am hit with a confirm( ) box whose message reads, System Restore has been turned off. Do you want to turn on System Restore now? I click the box's button and am taken to the System Restore tab of the System Properties tool:

I uncheck the
Turn off System Restore on all drives
checkbox: this enables the button, which I click, and then I click . I return to System Restore and am greeted by a "Welcome to System Restore" window; I click the button at the bottom of the window in order to
Restore my computer to an earlier time.
System Restore then displays a "Select a Restore Point" window showing a single restore point that is a year into the future and a related July 2016 calendar that cannot be moved forward or backward.

As it happens, turning System Restore off deletes its restore points, so System Restore wouldn't have been able to help me in the first place. Was this disabling action part of the CTB-Locker 'payload'? I don't know.
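The "turned off by group policy" message is something you can check for without clicking through rstrui, which matters because the same policy can be set by malware on a machine that never belonged to a domain. The following is an added example, not the post's code or the code behind the "Method 2" page it links: it parses a Registry Editor export, reports the System Restore policy values, and produces the export that sets them back. The key path and the DisableSR / DisableConfig value names are the documented Windows policy values for System Restore; the post does not name them, so treat them as my assumption about what "Method 2" edits. The sample export text is constructed.

```python
r"""Added example (not the post's own code): audit a Registry Editor (.reg)
export for the Group Policy values behind "System Restore has been turned off
by group policy", and emit the corrected values. Key and value names are the
documented Windows policy values under
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore (my assumption about
what the post's "Method 2" changes); the export text is constructed."""
import re

SR_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
POLICY_VALUES = ("DisableSR", "DisableConfig")

# Constructed export resembling what the infected machine would have shown.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore]
"DisableSR"=dword:00000001
"DisableConfig"=dword:00000001
"""


def parse_reg_export(text):
    """Parse the subset of .reg syntax used for string and dword values into
    {key_path: {value_name: value}}; dword values become ints."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"(?P<name>[^"]+)"=(?P<val>.+)$', line)
        if m is None or current is None:
            continue
        name, val = m.group("name"), m.group("val")
        if val.lower().startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif val.startswith('"') and val.endswith('"'):
            keys[current][name] = val[1:-1]
    return keys


def system_restore_policy(text):
    """Return the policy values present (None when absent) plus a verdict.
    DisableSR = 1 is what turns the feature off by policy; DisableConfig = 1
    hides the System Restore tab so it cannot be re-enabled from System Properties."""
    values = parse_reg_export(text).get(SR_POLICY_KEY, {})
    found = {name: values.get(name) for name in POLICY_VALUES}
    found["disabled_by_policy"] = found["DisableSR"] == 1
    return found


def remediation_export():
    """Export text that sets both policy values back to 0. Importing it (or
    deleting the two values in the Registry Editor) is the route the post took;
    System Restore still has to be switched on afterwards in System Properties."""
    return (
        "Windows Registry Editor Version 5.00\n\n[%s]\n"
        '"DisableSR"=dword:00000000\n"DisableConfig"=dword:00000000\n' % SR_POLICY_KEY
    )


if __name__ == "__main__":
    verdict = system_restore_policy(SAMPLE_EXPORT)
    print("policy values found:", verdict)
    if verdict["disabled_by_policy"]:
        print("import the following to clear the policy:\n")
        print(remediation_export())
```

On the machine itself you would produce the input with the Registry Editor's File → Export on that key; on an image you would point the parser at a hive export made offline. The check cannot bring back restore points: as noted above, turning System Restore off discards them, so a clean verdict here is only the first step.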

Now, what about those encrypted files? We'll take stock of what we've got in the following entry.

Friday, July 3, 2015

Profiles in PC Poisoning, Part 1

About a month and a half ago, my father walked into my room and asked me to take a look at his computer: "I can't do anything with it." Sure enough, something was slowing his computer down to the point that it took several minutes to process a mouse click - if it responded at all (i.e., if the system didn't hang). With some major-league perseverance I have been able to largely nurse his computer back to health: believe me when I tell you that this is the most exasperating thing I have had to deal with in my entire life.

My father's computer has a 1.39-GHz processor and 736 MB of RAM, which is not so different from the 2.4-GHz processor and 1 GB of RAM that my own computer has. But that's where the similarities end. I have an Intel iMac that runs OS X 10.6.8 whereas he has a Compaq 5017m that runs Windows XP Home Edition Service Pack 3. At this point you are thinking, "Windows XP? Dude, just get a new computer already." Yeah, yeah, we'll get to that: I am acutely aware that Microsoft pulled the plug on its XP support a little over a year ago. Be that as it may, a Compaq running XP is what I had to work with; moreover, there was an 'archival' aspect to its cleanup that appealed to me.

Low-hanging fruit

So, I trudge over to Google, run a windows xp troubleshooting slow search, and decide to try some of the things recommended by a "How to Speed Up a Windows XP Computer" wikiHow article.

I go to the computer's Add or Remove Programs Control Panel and throw out all of the Apple stuff - iTunes, QuickTime, a Bonjour program I am unfamiliar with, a Software Update application - and then get rid of RealPlayer. I reason, "If he wants to listen to music or watch a movie, he can do that with the Windows Media Player that is built into XP." I access the Add or Remove Programs panel via the My Computer pointer in the upper-left-hand corner of the desktop - this is a lot easier than getting to it via the Start menu.

I use the Disk Cleanup utility to
(a) delete temporary files,
(b) empty the Recycle Bin, and
(c) compress what can be compressed
for the C: volume. The Disk Cleanup utility can be launched by opening cleanmgr.exe with the Run command, which I access via a &Run... pointer on the desktop.

I defragment the C: and D: volumes via the Disk Defragmenter utility, which can be launched by opening dfrg.msc with the Run command.

I disable all of the system's Startup Items via the Startup pane of the System Configuration Utility, which can be launched by opening msconfig with the Run command.

None of this has any noticeable effect on the computer's performance.

Hitting the iceberg

The wikiHow article recommends
(1) a CCleaner program for the removal of unnecessary files and
(2-4) Spyware Blaster, AVG, and Avira programs for the removal of spyware and/or viruses.
An initial attempt to download CCleaner causes the browser (Firefox) to crash. AVG 2015 is installed already on the computer: a "Scan now" operation turns up nothing.

I wonder, "If worse comes to worse, can I copy programs onto the hard disk via a CD?" In the course of trying to mount one of my old CDs via the F: drive I am suddenly confronted with a screen very similar to the one shown in the image below:

Uh-oh. My father's computer is infected with a ransomware program - specifically, a trojan named CTB-Locker - that has encrypted various files on the computer and will leave them encrypted unless a ransom payment is tendered within 96 hours. Clicking the button does display a list of encrypted files, most of which are in the computer's My Documents folder(s). I do not proceed to the 'payment page': whatever the payment is, I'm not going to pay it.

What doesn't work (for me at least)

I go to my iMac to research CTB-Locker on the Web, and come across a "How do I REMOVE CTB-Locker ransomware (Free removal guide!)" YouTube video. The video gives the following procedure for getting rid of CTB-Locker:
(1) Reboot the computer into its safe mode.
(2) Go to the Temp folder, show its hidden files, and then delete everything in it.
(3) Go to the My Documents folder and delete the "Decrypt All Files" .bmp image that should be residing there.

• I put my father's computer into its safe mode by launching the System Configuration Utility, checking the
/SAFEBOOT
checkbox in the Boot Option menu on the BOOT.INI tab, clicking , clicking , and restarting the computer.

• In this case, the Temp folder refers to the C:\Documents and Settings\Owner\Local Settings\Temp\ folder (vis-à-vis the C:\WINDOWS\Temp\ folder), which can be opened by opening %temp% with the Run command.

I clear out the Temp folder. There are two "Decrypt All Files" .bmp images in the My Documents folder and I delete both of them. I go back to the System Configuration Utility, check the
Normal Startup - load all device drivers and services
radio button in the Startup Selection menu on the General tab, and restart the computer. After the boot the ransom screen is gone, but the computer still runs excruciatingly slowly. Without getting into the details, another ransom screen emerges with a vengeance a few hours later - if I recall correctly, this is triggered by an attempt to surf the Web.

It would seem that the video procedure cures symptoms of the CTB-Locker infection and not the infection itself, but I don't know for sure; in any case, stronger medicine is clearly required. So, what do I use to clean up my father's computer, and how exactly do I do it? All will be revealed in our next episode.