Malware: Affected all pdf files (CTB Locker?)
Posted on 2015-02-05
A client with a Win XP machine has problems with their accounts system (a UK software called Pegasus Opera). However, when my colleague who supports it looked more closely at the accounts system and the machine, they realised that all PDFs had been compromised with an added set of random characters on the file extension, e.g. filename.pdf.ajajnhe (the same set of characters on all PDFs).
However, I don't know what state the accounts system is in. Won't start. I don't know anything about how it works. At one point the client told me he had seen an error message referring to CTB-Locker (CBT?), the ransomware, though no messages demanding money have appeared (yet). I have run Malwarebytes, twice; it has found about 30 or so items each time. I've run CCleaner. I've read articles saying to do these in safe mode? Will also run McAfee Stinger. Lots and lots about CTB (cbt) on the Web, but many solutions require downloading other (dodgy?) programs. Found this MS article, but in essence it is just saying to do a restore from a backup, rather than any repair attempt?
So, in summary, I have two related problems here: to sort out the actual malware (and hopefully the accounts system), then recover the PDFs.
All suggestions welcomed.
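A small triage script, added here as an example and not part of the original post, that inventories files carrying an extra suffix after a document extension (as in filename.pdf.ajajnhe) and groups them by that suffix, so the affected files and the shared suffix can be listed for the restore-from-backup step; the file names in SAMPLE_NAMES are constructed, and the length range for the suffix is an assumption.

```python
import os
import re

# Assumption: the appended suffix is 4 to 8 letters, as in "filename.pdf.ajajnhe".
# Matches "<stem>.<document extension>.<suffix>" and captures both parts.
APPENDED_EXT = re.compile(
    r"^(?P<stem>.+\.(?:pdf|doc|docx|xls|xlsx))\.(?P<suffix>[a-z]{4,8})$",
    re.IGNORECASE,
)

# Constructed sample file names: three share one appended suffix, one is a
# lone ".backup" copy, and two are untouched.
SAMPLE_NAMES = [
    "invoice.pdf.ajajnhe",
    "quote.pdf.ajajnhe",
    "ledger.xls.ajajnhe",
    "archive.pdf.backup",
    "report.pdf",
    "readme.txt",
]


def classify_names(names):
    """Return {suffix: [original name, ...]} for names with an appended suffix."""
    groups = {}
    for name in names:
        m = APPENDED_EXT.match(name)
        if m:
            groups.setdefault(m.group("suffix").lower(), []).append(m.group("stem"))
    return groups


def suspicious_suffixes(groups, min_files=3):
    """One suffix shared by many files is the pattern the post describes;
    a suffix seen on a single file (e.g. a manual .backup copy) is not flagged."""
    return {s: len(v) for s, v in groups.items() if len(v) >= min_files}


def scan_tree(root):
    """Walk a real directory tree and group its file names the same way."""
    names = []
    for _dirpath, _dirs, files in os.walk(root):
        names.extend(files)
    return classify_names(names)


if __name__ == "__main__":
    groups = classify_names(SAMPLE_NAMES)
    for suffix, count in suspicious_suffixes(groups).items():
        print(f"suffix '.{suffix}' appended to {count} files:")
        for original in sorted(groups[suffix]):
            print("   ", original)
```

Run scan_tree() against the affected data folder to produce the same listing for real files; the list names what needs restoring, it does not recover the content.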