Remove CRBR Encryptor virus (Restore encrypted files)

The CRBR Encryptor is a ransomware infection, that developed to encrypt the personal files found on infected PC using RSA-2048 key (AES 256-bit encryption method), appending random few letters extension to all encrypted documents, photos and music. Once the encryption process is done, it will open a ransom note offering decrypt all users documents, photos and music if a payment is made. We don’t recommend paying a ransom, as there is no guarantee that you will be able to decrypt your photos, documents and music. Especially since you have a chance to recover your personal files for free using free utilities like ShadowExplorer and PhotoRec.

The CRBR Encryptor virus offers to make a payment in Bitcoins to get a key to decrypt photos, documents and music. Important to know, currently not possible to decrypt your documents, photos and music without the private key and decrypt program. If you choose to pay the ransom, there is no 100% guarantee that you can restore all photos, documents and music! If you do not want to pay for a decryption key, then you have a chance to recover encrypted photos, documents and music.

Use the step-by-step guide below to remove the ransomware infection itself and try to recover encrypted files.

What is CRBR Encryptor ransomware

CRBR Encryptor is a variant of crypto viruses (malware that encrypt personal files and demand a ransom). It affects all current versions of Windows OS such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. This virus uses RSA encryption method to eliminate the possibility of brute force a key that will allow to decrypt encrypted photos, documents and music.

When the ransomware virus infects a computer, it uses system directories to store own files. To run automatically whenever you turn on your PC system, CRBR Encryptor ransomware infection creates a registry entry in Windows: sections HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce.

Immediately after the launch, the ransomware virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The virus uses the file name extension, as a way to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:

.wot, .p7b, .zi, .vcf, .bik, .ztmp, .wmd, .wmf, .wsh, .snx, .dba, .wps, .wbz, .pst, .wri, .xlsx, .arw, .flv, .pef, .wbmp, .hplg, .wn, .icxs, .pptx, .zif, .xlsx, .ybk, .z3d, .wp6, .odm, .bc6, .map, .yal, .xmind, .r3d, .1, .wpb, .mdbackup, .zdc, .wpg, .zip, .p7c, .xf, .eps, .upk, .xmmap, .xml, .1st, .xpm, .wmo, .xar, .slm, .itm, .ws, .rim, .syncdb, .pem, .ntl, .mddata, .svg, .wpa, .psk, .xll, .odc, .wdp, .mcmeta, .lvl, .rw2, .rwl, .sid, .mlx, .pak, .wcf, .nrw, .hkdb, .sr2, .srf, .wav, .lrf, .avi, .wpw, .doc, .vtf, .pdf, .wdb, .rb, .bar, .z, wallet, .3dm, .raf, .cdr, .wb2, .desc, .xlk, .fpk, .kf, .wgz, .2bp, .odt, .xbplate, .w3x, .psd, .asset, .erf, .ibank, .mp4, .accdb, .arch00, .0, .xxx, .fos, .x, .wsd, .re4, .jpg, .zdb, .der, .blob, .srw, .wma, .rar, .jpeg, .xls, .wpd, .wmv, .wire, .fsh, .vfs0, .xlsm, .wps, .mef, .dbf, .mov, .wma, .wbk, .sb, .ff, .tax, .js, .xls, .rgss3a, .gdb, .tor, .dwg, .bkf, .iwd, .xlgc, .cfr, .wp7, .sav, .mpqge, .qdf, .wm, .rofl, .crt, .ptx, .xyw, .p12, .orf, .cer, .ysp, .xy3, .wpd, .3ds, .d3dbsp, .xdb, .indd, .epk, .wpl, .pdd, .css, .ppt, .bc7, .pkpass, .ltx, .wmv, .dcr, .t12, .bsa, .iwi, .yml, .itl, .das, .xld, .menu, .mrwref, .pfx, .txt, .zw

Once a file is encrypted, its extension modified to random few letters. Next, the ransomware creates a file named “_R_E_A_D___T_H_I_S___”. This file contain guide on how to decrypt all encrypted photos, documents and music. An example of the tutorial is:

CRBR Encryptor

Y0UR D0CUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!

The only way to decrypt your files is to receive the private key and decryption program.
To receive the private key and decryption program go to any decrypted folder,
inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions
how to decrypt your files.

If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below:

1. Download “Tor Browser” from https://www.torproject.org/ and install it.
2. In the “Tor Browser” open your personal page here:
http://p27dokhpz2n7nvgr.onion/
Note! This page is available via “Tor Browser” only.

The CRBR Encryptor virus actively uses scare tactics by showing a threatening message on the desktop. It is trying to force the user of the infected personal computer, do not hesitate to pay a ransom, in an attempt to recover their documents, photos and music.

How to decrypt your files

Currently there is no available solution to decrypt all encrypted files for free. The ransomware virus repeatedly tells the victim that uses a strong encryption algorithm with 2048-bit key. What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a solution because of the big length of the key. Therefore, unfortunately, the only payment to the authors of the CRBR Encryptor ransomware entire amount requested – the only way to try to get the decryption key and decrypt all your files.

There is absolutely no guarantee that after pay a ransom to the makers of the CRBR Encryptor virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new virus.

How to remove CRBR Encryptor virus

Most often it’s not possible to remove the CRBR Encryptor virus manually. For that reason, our team created several removal solutions which we have combined in a detailed instructions below. Therefore, if you have the CRBR Encryptor virus on your computer and are currently trying to have it deleted then feel free to follow the tutorial below in order to resolve your problem. Some of the steps below may require you to exit the web-site. So, please read the instructions carefully, after that bookmark or print it for later reference.

Use Zemana Anti-malware to get rid of CRBR Encryptor ransomware

Zemana Anti-malware highly recommended, because it can scan for security threats such CRBR Encryptor ransomware infection, adware and other malicious software which most ‘classic’ antivirus applications fail to pick up on. Moreover, if you have any CRBR Encryptor removal problems which cannot be fixed by this utility automatically, then Zemana Anti-malware provides 24X7 online assistance from the highly experienced support staff.

1. Please download Zemana anti malware on your computer from the link below.
   
   

   Zemana AntiMalware
   159451 downloads
   Author: Zemana Ltd
   Category: Security tools
   Update: July 16, 2019
   
2. At the download page, click on the Download button. Your web browser will open the “Save as” dialog box. Please save it onto your Windows desktop.
3. When the download is finished, please close all software and open windows on your PC. Next, start a file named Zemana.AntiMalware.Setup.
4. This will start the “Setup wizard” of Zemana anti malware onto your PC. Follow the prompts and do not make any changes to default settings.
5. When the Setup wizard has finished installing, the antimalware will run and show the main window.
6. Further, click the “Scan” button for checking your personal computer for the CRBR Encryptor ransomware virus and other known infections. This process can take some time, so please be patient. While the tool is scanning, you can see how many objects and files has already scanned.
7. Once the scan is finished, it’ll display a list of all items detected by this utility.
8. Next, you need to click the “Next” button to start cleaning your system. Once the procedure is complete, you may be prompted to restart the PC system.
9. Close the Zemana Anti-Malware and continue with the next step.

Run Malwarebytes to remove CRBR Encryptor ransomware virus

We suggest using the Malwarebytes Free which are completely clean your machine of the virus. The free tool is an advanced malware removal application developed by (c) Malwarebytes lab. This application uses the world’s most popular anti malware technology. It’s able to help you delete ransomware infections, potentially unwanted programs, malicious software, adware, toolbars, ransomware and other security threats from your system for free.

Download Malwarebytes by clicking on the link below and save it to your Desktop.

When the download is complete, close all applications and windows on your PC system. Open a directory in which you saved it. Double-click on the icon that’s named mb3-setup as displayed in the following example.

When the installation starts, you will see the “Setup wizard” which will help you install Malwarebytes on your computer.

Once installation is finished, you will see window as displayed in the figure below.

Now click the “Scan Now” button for scanning your personal computer for the CRBR Encryptor ransomware virus and other malicious software. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. While the tool is checking, you can see how many objects and files has already scanned.

When it completes the scan, it will display you the results. In order to get rid of all threats, simply press “Quarantine Selected” button.

The Malwarebytes will start removing CRBR Encryptor virus related files, folders, registry keys. Once disinfection is complete, you may be prompted to reboot your computer.

The following video explains steps on how to delete ransomware infection and other malware with Malwarebytes Anti-malware.

Scan your computer and remove CRBR Encryptor ransomware virus with KVRT

The KVRT tool is free and easy to use. It can scan and remove ransomware like CRBR Encryptor, malware, PUPs and ad-supported software in Firefox, Chrome, IE and Edge web-browsers. KVRT is powerful enough to find and get rid of malicious registry entries and files that are hidden on the PC system.

Download Kaspersky virus removal tool (KVRT) from the following link and save it directly to your Microsoft Windows Desktop.

When the download is finished, double-click on the Kaspersky virus removal tool icon. Once initialization process is finished, you’ll see the Kaspersky virus removal tool screen as shown in the following example.

Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan with this utility for the CRBR Encryptor ransomware and other malicious software. This procedure may take some time, so please be patient. While the utility is checking, you can see number of objects it has identified either as being malicious software.

When the system scan is complete, the results are displayed in the scan report as on the image below.

Make sure all dangerous entries are ‘selected’ and click on Continue to start a cleaning procedure.

Recovering files encrypted with CRBR Encryptor ransomware

In some cases, you can restore files encrypted by CRBR Encryptor ransomware infection. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.

Restore your files with ShadowExplorer

If automated backup (System Restore) is enabled, then you can use it to recover all encrypted files to previous versions.

Download ShadowExplorer from the link below. Save it on your Desktop. This tool is available for Windows Vista, Windows 7, Windows 8 and Windows 10.

After the download is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and choose Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed below.

Start ShadowExplorerPortable. You will see the a window as displayed on the screen below.

From the first drop down list you can select a drive that contains encrypted files, from the second drop down list you can select the date that you wish to recover from. 1 – drive, 2 – restore point, as on the image below.

Righ-click entire folder or any one encrypted file and select Export, as displayed on the image below.

It will display a prompt that asking whether you would like to restore a file or the contents of the folder to.

Recover your files with PhotoRec

Before a file is encrypted, the CRBR Encryptor ransomware infection makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your files using file restore programs such as PhotoRec.

Download PhotoRec on your MS Windows Desktop by clicking on the following link.

Once the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed on the screen below.

Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will display a screen as shown in the following example.

Select a drive to recover as shown in the figure below.

You will see a list of available partitions. Choose a partition that holds encrypted personal files as shown below.

Press File Formats button and specify file types to restore. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.

Next, click Browse button to select where restored photos, documents and music should be written, then click Search.

Count of recovered files is updated in real time. All recovered documents, photos and music are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.

When the recovery is complete, press on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as displayed in the following example.

All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your restored files by extension and/or date/time.

How to prevent your PC from becoming infected by CRBR Encryptor virus?

Most antivirus applications already have built-in protection system against the virus. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, use the CryptoPrevent.

Run CryptoPrevent to protect your computer from CRBR Encryptor ransomware

Download CryptoPrevent on your Windows Desktop from the following link.

www.foolishit.com/download/cryptoprevent/

Run it and follow the setup wizard. Once the install is complete, you will be displayed a window where you can choose a level of protection, as displayed in the following example.

Now click the Apply button to activate the protection.

How does your personal computer get infected with CRBR Encryptor ransomware infection

The CRBR Encryptor virus is distributed through the use of spam emails. Below is an email that is infected with a ransomware like CRBR Encryptor ransomware.

Once this attachment has been opened, this virus will be opened automatically as you do not even notice that. The CRBR Encryptor ransomware infection will start the encryption process. When this process is complete, it will open the usual ransom instructions like above on _R_E_A_D___T_H_I_S___.

To sum up

Once you have finished the few simple steps above, your machine should be clean from CRBR Encryptor virus and other malware. Your PC system will no longer encrypt your documents, photos and music. Unfortunately, if the tutorial does not help you, then you have caught a new variant of ransomware virus, and then the best way – ask for help.

1. Download HijackThis from the link below and save it to your Desktop.
   
   

   HijackThis download
   4160 downloads
   Version: 2.0.5
   Author: OpenSource
   Category: Security tools
   Update: November 7, 2015
   
2. Double-click on the HijackThis icon. Next click “Do a system scan only” button.
3. Once the scan is finished, the scan button will read “Save log”, click it. Save this log to your desktop.
4. Create a Myantispyware account here. Once you’ve registered, check your e-mail for a confirmation link, and confirm your account. After that, login.
5. Copy and paste the contents of the HijackThis log into your post. If you are posting for the first time, please start a new thread by using the “New Topic” button in the Spyware Removal forum. When posting your HJT log, try to give us some details about your problems, so we can try to help you more accurately.
6. Wait for one of our trained “Security Team” or Site Administrator to provide you with knowledgeable assistance tailored to your problem with the CRBR Encryptor ransomware.