
Friday, April 17, 2015

How to Remove HELP_RESTORE_FILES.txt Virus and Restore Encrypted Files

It's no great secret, known only to tech boffins or IT experts, that the more time we spend online, the more chances we have of being infected by the HELP_RESTORE_FILES.txt ransom virus (ransomware), which is very similar to the CryptoLocker ransomware. As anti-virus software gets increasingly sophisticated, so too does the yin to its yang: ransomware. It's an endless cat and mouse game between good and evil, with us poor unfortunate internet users stuck in the middle as unwilling pawns. What that really means for us is that we need to be increasingly on our guard if we are to avoid falling victim to an infection or attack.

The problem is that with so many different varieties of malware around, it can be hard to know what we need to do to stay safe online. Malware is created for different end purposes and has different traits and ways of operating, so the best thing you can do to protect yourself, as well as installing a good anti-virus program, is to learn as much as possible about the different types. In this instance, that is ransomware.

Ransomware is a strange one: one minute it's everywhere, the next no one is talking about it. But one thing is for sure: it will rear its ugly head again at some point in the not too distant future. So stay safe, learn a little more about ransomware now, and give yourself a better chance of avoiding it the next time it's doing the rounds.

A closer look at HELP_RESTORE_FILES.txt ransom virus

So what actually is ransomware? No prizes for guessing that it is a type of software program designed to hold you, or more specifically your files or even your computer's operating system, to ransom. Your data will be kidnapped and held hostage until you cough up some of your hard earned cash for its release. At the time of writing, only a few anti-virus engines identified this malware's files as malicious, under detection names such as TROJ_CRYPTESLA.CAG, Win32:Crypt-RXH [Trj], Win32/Filecoder.EM and Trojan.Agent.ED. Once installed, it encrypts your files, changes your desktop image and displays a red encryptor window saying "Your personal files are encrypted". It registers itself for autorun at Windows startup, so you will get this message every time you turn on your computer. It also drops text files called HELP_RESTORE_FILES.txt with information on how to pay the ransom and restore your files; the text file is only the ransom note, and it is the encryptor program that dropped it which has to be removed. The text file reads:

All your documents, photos, databases and other important files have been encrypted
with strongest encryption RSA-2048 key, generated for this computer.

Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.

If you see the main encryptor red window, examine it and follow the instructions.
Otherwise, it seems that you or your antivirus deleted the encryptor program.
Now you have the last chance to decrypt your files.

Open [edited] or [edited] in your browser.
They are public gates to the secret server.
Copy and paste the following Bitcoin address in the input form on server. Avoid misprints.
Follow the instructions on the server.

If you have problems with gates, use direct connection:
1. Download Tor Browser from [edited]
2. In the Tor Browser open the [edited]
Note that this server is available via Tor Browser only.
Retry in 1 hour if site is not reachable.
Copy and paste the following Bitcoin address in the input form on server. Avoid misprints.
Follow the instructions on the server.

What is more, the HELP_RESTORE_FILES.txt ransom virus performs some HTTP requests and reaches its Tor hidden services through Tor2Web gateways (the "public gates" mentioned in the note above), so the victim's machine does not need Tor installed to contact the payment server. It also creates an alternate data stream (ADS), which an ordinary directory listing will not show.
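The behaviour described above (ransom notes dropped into folders, an autorun entry, an alternate data stream, and the later reliance on shadow copies for recovery) can be checked from Windows PowerShell 3.0 or later before any cleanup starts. The script below is an added example written for this page; it is not the blog's tooling nor anything from the malware analyses it cites. The registry Run keys are an assumption about how the autorun is registered (the page does not name the mechanism), and the scan roots are arbitrary choices.

```powershell
# Added example: triage a Windows host for HELP_RESTORE_FILES.txt indicators.
# Not from the original page. Assumptions are marked below.

$noteName = 'HELP_RESTORE_FILES.txt'
$roots    = @("$env:USERPROFILE", "$env:PUBLIC")   # assumption: user data first

# 1. Inventory the ransom notes; every folder holding one also holds encrypted files.
$notes = Get-ChildItem -Path $roots -Filter $noteName -Recurse -Force -ErrorAction SilentlyContinue
$hitFolders = $notes | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique
Write-Host "Ransom notes found: $($notes.Count) in $($hitFolders.Count) folder(s)"
$hitFolders | ForEach-Object { Write-Host "  $_" }

# 2. Persistence. The page says the encryptor registers itself for autorun;
#    assumption: it uses the standard Run/RunOnce keys. Flag entries that point
#    into user-writable locations, which is where droppers usually live.
$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$suspicious = '\\(AppData|Local Settings|Temp)\\'
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }            # skip PowerShell's own metadata
    $flag = if ("$($p.Value)" -match $suspicious) { 'SUSPICIOUS' } else { '' }
    Write-Host ("{0,-10} {1}\{2} = {3}" -f $flag, $key, $p.Name, $p.Value)
  }
}

# 3. Alternate data streams. Get-Item -Stream * lists every NTFS stream of a file;
#    anything beyond the default ':$DATA' and the browser's 'Zone.Identifier'
#    deserves a look.
$adsSeen = Get-ChildItem -Path $roots -Recurse -Force -File -ErrorAction SilentlyContinue |
  ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
  Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' }
Write-Host "Files carrying extra streams: $(@($adsSeen).Count)"
$adsSeen | Select-Object FileName, Stream, Length | Format-Table -AutoSize

# 4. Shadow copies. Previous Versions / Shadow Explorer can only restore from
#    snapshots that still exist, so record them before anything else is touched.
$shadows = Get-WmiObject -Class Win32_ShadowCopy -ErrorAction SilentlyContinue
if ($shadows) {
  $shadows | Select-Object ID, InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize
} else {
  Write-Host 'No Volume Shadow Copies present; Previous Versions and Shadow Explorer will have nothing to offer.'
}
```

Run it from an elevated prompt so the HKLM keys and other users' folders are readable; the output is for a human to read, and the script changes nothing on the machine.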

Okay, I definitely want to avoid this happening to me. How do I get infected?

This is something ransomware has in common with its other malware buddies. You will become infected by downloading an app or program that has the HELP_RESTORE_FILES.txt ransomware bundled with it, by visiting an infected website, or by opening an attachment or clicking on a link sent via email or in a chat app in a deliberate attempt to infect you.

What will happen if I've been infected by this ransomware?

First of all you'll find that you are not able to open a specific document, program or file; they've been held to ransom. Of course, just like in the story books of our childhoods, the kidnapper will then send you a ransom letter, here a plain text document called HELP_RESTORE_FILES.txt. Rather than being written in blood or cut out of a newspaper, this ransom note is dropped alongside your encrypted files and displayed on your computer's screen.

So what do you do? Try not to panic, and do NOT pay any money unless you have no other choice and those files are very, very important to you: paying funds the criminals and does not guarantee that you will receive a working key. To retrieve at least some of your files and remove this ransom virus from your computer, follow the steps in the removal guide below. If you back up your files regularly, there won't be any difficulties. If you don't have any backups, you can try the Windows previous file versions tool or Shadow Explorer, provided the malware did not delete the shadow copies. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur

Step 1: Removing ransom virus and related malware:

Before restoring your files from shadow copies, make sure the HELP_RESTORE_FILES.txt virus is no longer running: anything you restore while the encryptor is still active will simply be encrypted again. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove it from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by ransom virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using the Windows folder tools (right-click the file or folder, choose Properties, then the Previous Versions tab). To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note that this tool works on Windows XP Service Pack 2, Windows Vista, Windows 7 and Windows 8, and it can only show snapshots that still exist; many ransomware families delete the Volume Shadow Copies during infection, in which case the list of dates will be empty.

2. Open Shadow Explorer. From the drop-down lists, select the drive and the latest date (point-in-time shadow copy) you wish to restore from.

3. Right-click any encrypted file or entire folder and choose Export. You will then be prompted for where you would like to restore the contents to. Export to a different location rather than over the encrypted originals, so that you keep the encrypted copies in case a decryption tool becomes available later.

Hopefully, this will help you to restore all encrypted files or at least some of them.
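If you would rather not install a third-party tool, the same recovery can be done from an elevated Windows PowerShell prompt by exposing the newest snapshot through a directory symbolic link and copying out of it. The function below is an added example written for this page; it is not Shadow Explorer's code nor the blog's own. It assumes Windows PowerShell 3.0 or later on Vista or newer, administrator rights (creating the symbolic link needs them), that the shadow copies were not deleted, and that the Source and Dest paths in the usage line are placeholders you replace with your own.

```powershell
# Added example, not from the original page: restore a file or folder from the
# newest Volume Shadow Copy of its drive into a separate recovery folder.
function Restore-FromShadowCopy {
  param(
    [Parameter(Mandatory)][string]$Source,   # file or folder path as it was before encryption
    [Parameter(Mandatory)][string]$Dest      # recovery folder; never the encrypted originals
  )

  # Map the drive letter (e.g. 'C:') to its volume GUID path, then pick the
  # newest snapshot of that volume.
  $drive = Split-Path -Qualifier $Source
  $volId = (Get-WmiObject -Class Win32_Volume | Where-Object { $_.DriveLetter -eq $drive }).DeviceID
  $shadow = Get-WmiObject -Class Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volId } |
    Sort-Object { [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate) } -Descending |
    Select-Object -First 1
  if (-not $shadow) {
    throw "No shadow copy exists for $drive; the snapshots may have been deleted by the malware."
  }

  # Expose the snapshot as a folder. mklink requires the trailing backslash
  # after the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path.
  $link = Join-Path $env:SystemDrive 'ShadowLink'
  if (Test-Path -LiteralPath $link) { cmd /c rmdir "$link" | Out-Null }   # stale link from a previous run
  cmd /c mklink /d "$link" "$($shadow.DeviceObject)\" | Out-Null
  try {
    $rel  = $Source.Substring($drive.Length).TrimStart('\')
    $from = Join-Path $link $rel
    if (-not (Test-Path -LiteralPath $from)) {
      throw "$Source does not exist in snapshot $($shadow.ID) (taken $($shadow.InstallDate))"
    }
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    if (Test-Path -LiteralPath $from -PathType Container) {
      # robocopy copies the *contents* of $from into $Dest, avoiding Copy-Item's
      # nested-folder behaviour when the destination already exists.
      robocopy "$from" "$Dest" /E /R:1 /W:1 /NP | Out-Null
      if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    } else {
      Copy-Item -LiteralPath $from -Destination $Dest -Force
    }
    # Return how many files came back so the caller can sanity-check the result.
    return (Get-ChildItem -LiteralPath $Dest -Recurse -File).Count
  } finally {
    # rmdir on a directory symbolic link removes the link only; the snapshot is untouched.
    cmd /c rmdir "$link" | Out-Null
  }
}

# Usage (placeholder paths; keep $Dest on a different folder or drive from the encrypted files):
# Restore-FromShadowCopy -Source 'C:\Users\Alice\Documents' -Dest 'D:\Recovered\Documents'
```

Only run this after Step 1 has confirmed the encryptor is gone, and leave the encrypted originals where they are; the function never overwrites them, so they remain available should a decryption tool for this family appear later.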