Danger level 9
Type: Trojans
Common infection symptoms:
  • Can't be uninstalled via Control Panel
  • Installs itself without permissions
  • Connects to the internet without permission

CTB-Faker Ransomware

CTB-Faker Ransomware is an infection that does not need your permission to enter the computer. Even though it usually arrives silently, you will quickly notice when this copycat version of CTB-Locker Ransomware is on your system, because all the files you store in the C:\Users folder will be moved to a password-protected ZIP archive. The files are deleted from their original locations, which means that the only copy left is the one locked in the archive. Unlike other well-known ransomware infections, CTB-Faker Ransomware does not encrypt files; it moves them to the archive only in order to extort money from users. We understand that personal files are very valuable and that you may be considering paying; however, we believe that there might be a way to crack the password and thus regain access to the files free of charge. Before you use a free tool downloaded from the web, you need to remove CTB-Faker Ransomware from your computer fully. The only thing you need to keep is the archive Users.zip located in %SystemDrive%. It contains all your files.

Once CTB-Faker Ransomware finishes moving files with such extensions as .exe, .mp3, .wav, .mp4, .avi, .zip, .rar, .iso, .7z, .cab, .dat, and .data from C:\Users to the archive, it creates the file Your personal files are encrypted.txt and launches help.exe to display a window with the ransom note. The ransom note image is stored as %ALLUSERSPROFILE%\untitled.png, or %ALLUSERSPROFILE%\Application Data\untitled.png if you use Windows XP. This window cannot be closed, but, luckily, it does not cover the entire screen, which means that you can still access your Desktop. The ransom note informs users that all their personal files are encrypted, which we know is not true. It also says that users need to pay a ransom of $50 within 7 days and then send an email to miley@openmailbox.org (or help@openmailbox.org if you encounter another version of this threat). It might seem that the quickest and easiest way to get the password for unlocking the ZIP archive is to make the payment, especially as the amount demanded is not huge; however, specialists working at pcthreat.com disagree. According to researchers working at pcthreat.com, it is very likely that a password-cracking tool will help you to get the password free of charge. Therefore, you should not hurry to pay money to cyber criminals. Even if you do, you might not get anything in return.

Researchers have noticed that people who infect their computers with CTB-Faker Ransomware tend to visit adult websites. Many users report that they noticed the ransomware infection after clicking on a link found in one of the profiles. More specifically, users receive a ZIP file when they click on this link. The archive contains an executable file which, once a user extracts it, starts moving files. In other words, CTB-Faker Ransomware enters the computer. If this infection is really inside, your files will be moved out of their original locations, and you will find several new files, for example, help.exe, startup.exe, and restore.exe. The infection also creates an entry in the Run registry key so that it launches with Windows after a system restart. Of course, only more experienced users will see these changes; however, we are sure that it is impossible not to notice that the ransomware has sneaked onto the computer.

Before we explain how to delete CTB-Faker Ransomware, we want to inform you that you can encounter another version of this threat too. It is very likely that several different versions of this infection exist and might sneak onto your PC without your permission in the future. As they are all distributed in the same way, we suggest being very careful, i.e. do not visit questionable adult websites. On top of that, you should acquire a security tool and keep it enabled if you wish to feel safe 24/7/365.

To remove CTB-Faker Ransomware from your computer fully, you should follow the step-by-step instructions found below the article. Alternatively, you can delete it automatically by scanning the system with a reliable scanner. Not all the tools available for download on the web are trustworthy. Some of them only pretend to be good, so we suggest using SpyHunter if you want to be sure that you use an effective and trustworthy scanner.

CTB-Faker Ransomware manual removal guide

  1. Open the Windows Explorer (Win+E).
  2. Enter %ALLUSERSPROFILE% in the box and tap Enter.
  3. Find and remove the following files: help.exe, startup.exe, and restore.exe.
  4. Go to %ALLUSERSPROFILE%\Application Data (if you use Windows XP) and remove files listed in the 3rd step.
  5. Remove untitled.png from %ALLUSERSPROFILE% or %ALLUSERSPROFILE%\Application Data.
  6. Locate and remove Your personal files are encrypted.txt from %SystemDrive%.
  7. Tap Win+R and type regedit in the box. Click OK.
  8. Move to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  9. Find the Value help.exe with the Value data C:\ProgramData\help.exe.
  10. Right-click on it and select Delete.
  11. Empty the Recycle bin.
  12. Restart your computer.
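
The checks in steps 2 to 10 can also be scripted. The following PowerShell sketch is an added example, not a tool from pcthreat.com: it reports the files and the Run value named in the guide, deletes them only when run with the hypothetical `-Remove` switch, and never touches Users.zip.

```powershell
# Added example: report the CTB-Faker artifacts listed in the removal guide;
# delete them only when run with -Remove. Users.zip is never touched.
param([switch]$Remove)

$dirs = @($env:ALLUSERSPROFILE)
# "Application Data" is a real directory only on Windows XP; on later versions it is
# a junction back to the same folder, so skip it there to avoid duplicate findings.
$xpDir = Join-Path $env:ALLUSERSPROFILE 'Application Data'
$xpItem = Get-Item -LiteralPath $xpDir -Force -ErrorAction SilentlyContinue
if ($xpItem -and -not ($xpItem.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
    $dirs += $xpDir
}

$names = 'help.exe', 'startup.exe', 'restore.exe', 'untitled.png'
$candidates = @(foreach ($d in $dirs) { foreach ($n in $names) { Join-Path $d $n } })
$candidates += "$env:SystemDrive\Your personal files are encrypted.txt"

foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        Write-Output "FOUND file: $path"
        if ($Remove) { Remove-Item -LiteralPath $path -Force }
    }
}

# Run-key value named help.exe whose data is C:\ProgramData\help.exe (steps 8-10).
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'help.exe' -ErrorAction SilentlyContinue
if ($run) {
    $data = $run.'help.exe'
    Write-Output "FOUND Run value help.exe = $data"
    if ($data -eq 'C:\ProgramData\help.exe') {
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'help.exe' }
    } else {
        Write-Output 'Data differs from the guide; review this value manually.'
    }
}

# The archive holding the moved files must be kept.
$archive = "$env:SystemDrive\Users.zip"
if (Test-Path -LiteralPath $archive) {
    Write-Output "Keep: $archive ($((Get-Item -LiteralPath $archive).Length) bytes)"
} else {
    Write-Output "Users.zip not found in $env:SystemDrive"
}
```

Run it once without `-Remove` to review the findings, then again with `-Remove` under the affected user account, since the Run value lives in HKEY_CURRENT_USER.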