.CRAB Virus Removal Guide
.CRAB Virus Description and Removal Instructions:
Malware Category: Ransomware
.CRAB Virus, GandCrab V3 Ransomware or GANDCRAB 3 is a new version of the Crypto-Ransomware virus GandCrab. .CRAB Virus targets PCs running Windows OS. Every file that has been encrypted will have its extension changed to: .CRAB. Unfortunately, still, there is no way of decrypting the files encrypted by .CRAB Virus.
The distribution of .CRAB Virus is related to installing different third-party toolbars, all kinds of free software, files from P2P networks and torrents, random clicking on ads, pop-up windows, banners, or even downloading attached files from your personal e-mail inbox or other file sharing applications, bogus flash player and fake video software for viewing online content.
When running, .CRAB Virus will start encrypting certain types of files stored on local or mounted network drives using a RSA-2048 bit public-key cryptography, with the private key stored only on a control server.
.CRAB Virus will create CRAB-DECRYPT.txt and put a shortcut to it in every folder where a file was encrypted. Those files contain instructions explaining how to pay the ransom. For the victims to pay the ransom, the virus sends them to a webpage where they can enter their personal code and access the payment page. This page can be accessed through TOR client:
The payment is in Bitcoins, which is untraceable.
When .CRAB Virus is initiated on the computer, it will inject deep into the system infecting Explorer.exe and svchost.exe, modify the registry to start with Windows, and disable the Automatic Repair feature. Once active, it will start the process of encrypting files. These types of ransomware are very hard to detect. Nevertheless, the virus will show its presence after the encryption finishes.
.CRAB Virus will not just encrypt files and block your computer, it will also collect valuable information that will be sent to the control servers. Such software could lead to more malware coming into your computer and even cause a loss of data. Such threats are not to be underestimated!
*Please note that, still, there is no way of decrypting the files encrypted by .CRAB Virus. The infection may also delete all your Restore points. Thus, the only way to restore will be by using a backup copy.
How To Remove:
There is an automatic removal, using specialized software suite like SpyHunter (recommended for novice users and fast removal), or manual removal method (recommended for experts), using your own skills to remove the infection.
Automatic .CRAB Virus Removal:
We recommend using SpyHunter Malware Security Suite.
You can download and install SpyHunter to detect .CRAB Virus and remove it.
SpyHunter will automatically scan and detect all threats present on your system.
Learn more about SpyHunter, or if you want to check out the Install Instructions. SpyHunter`s free diagnosis offers free scans and detection. You can remove the detected files, processes and registry entries manually, by yourself, or to purchase the full version to perform an automatic removal and also to receive free professional help for any malware related queries by the technical support department.
*Note that the removal of the virus will NOT decrypt your files. Still, there is no way of decrypting the files encrypted by .CRAB Virus.
Manual .CRAB Virus Removal:
*Please note that you should proceed at your own risk. Some incorrectly taken actions might lead to loss of data or destroy your system. Therefore, the manual removal is strongly recommended for experts only. For everyday users, SpywareTechs.com recommends using SpyHunter or any other reputable security solution.
1. Remove .CRAB Virus by Restoring Your System to a Previous State:
1. Restart your PC into Safe Mode with Command Prompt. To do that, turn your machine off and then start it up again. Then, when the first POST screen appears (white text), start tapping the F8 key repeatedly.
***For Windows 8/10:
If you are using Windows 8/10, you need to hold the Shift button and tap the F8 key repeatedly, this should load the new advanced “recovery mode”, where you can choose the advanced repair options to show up. On the next screen, you will need to click on the Troubleshoot option, then select Advanced Options and select Windows Startup Settings. Click on the Restart button, and you should now be able to see the Advanced Boot Options screen.
2. Use the arrow keys on your keyboard to select the option “Safe Mode with Command Prompt” and hit “Enter”.
3. When the command prompt loads, type the following:
Windows XP: C:\windows\system32\restore\rstrui.exe and press Enter
Windows Vista/7/8/10: C:\windows\system32\rstrui.exe and press Enter
4. System Restore should start up. You will see a list of restore points. Try use a restore point created just before the date and time the problem occurred. When System Restore completes, start your computer in Windows normal mode and scan your computer using anti-spyware software like SpyHunter.
When System Restore completes, start your PC in Normal mode. Then, perform a scan using an anti-spyware software like SpyHunter, as there could still be some infections left on your system.
*Please note that your files may remain encrypted, depending on whether your System Files Protection is set to recover only system settings or the system settings along with the previous version of the files.
2. Files and Registry entries associated with GandCrab V3 Ransomware:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “[randomname]” = “%AppData%\Microsoft\[randomname].exe”