
Saturday, July 11, 2015

How to Remove HELP_DECRYPT Virus and Restore Encrypted Files

HELP_DECRYPT.HTML, HELP_DECRYPT.TXT and HELP_DECRYPT.PNG files belong to the CryptoWall 3.0 ransomware. If all your files have a random extension (e.g. .xnldzbl) appended after the legitimate extension (e.g. DOC, EXE, etc.) and you see HELP_DECRYPT files in every directory, then your computer is infected with ransomware. Your files were encrypted and you can only get them back by paying the ransom or using backups. If you don't have backups, you can still use the data recovery tools listed below and hope for the best.

We are all well aware of the many dangers associated with the numerous types of malicious software, or malware. From spyware and adware to Trojan Horses and Potentially Unwanted Programs, we have to be on guard against all of these attackers. However, one type of malware might have passed you by, as it never seems to garner the same publicity as the others, chiefly because it seems to come and go in waves: ransomware. Regardless of whether or not it is a constant threat, you definitely need to know of its existence, as this is one unpleasant threat that you really do want to keep a watchful eye out for.

HELP_DECRYPT goes by a few different names, and you may also come across the terms crypto-virus, cryptoware, crypto-Trojan or crypto-worm. Regardless of what this malware is called, what YOU need to know is what it can do and how you should react if it has infected your computer.

HELP_DECRYPT infects your computer by taking advantage of your curiosity

The majority of ransomware is disseminated by email, more specifically in files attached to messages. These spam emails will either look like a tempting special offer that you simply can't miss out on, or they may come from a friend or acquaintance in your contact list whose account has been hacked. The attachment carries the HELP_DECRYPT virus, and once you have clicked on the file, video clip or document to open it, it will install itself on your PC.

Some variants of this ransomware may also attack you if you have been unlucky enough to visit a compromised website that has been infected with it.

How do you lower the chances of being infected by the HELP_DECRYPT virus? Well, unfortunately it is not possible to know in advance whether a website has been compromised, but you can definitely be proactive when it comes to emails (and instant messenger chat windows that come with links embedded in them). We've been told a thousand times, but it is shocking how many people still can't resist opening emails – and even attachments – that come from an unknown sender.

What does HELP_DECRYPT do to your computer?

It has been created to extort money from you. It's as simple as that. And to increase the chances of you giving in to its demands it needs to give you the most cause for alarm that it possibly can.

If you're under attack from this ransom virus, your files or documents will be held hostage and you will receive a ransom note, either by email or in a pop-up window, asking for an amount of money in return for the release of your data or files. The release normally comes in the form of a code that you are told will unlock your file or files. However, not all of these codes actually work, so handing over the ransom is no guarantee that you will even get your files back.

What should I do if I've been infected?

It's easy to say, but try not to panic. And whatever you do, don't pay the ransom unless the encrypted files are very important and you can't afford to lose them. If the encrypted files are not very important or you don't have the money to pay the ransom, you can try to restore your files (at least some of them) using Shadow Explorer, Recuva and some other specialized tools listed below. Please note that even if you decide to pay the ransom, there's really no guarantee that the cyber crooks will recover your files. If you have any questions, please leave a comment below. Last, but not least, if there's anything you think I should add or correct, please let me know. It might be a pain, but the issue needs to be dealt with – and the way to do it is by not giving in, not paying up and not letting the attackers win.

Written by Michael Kaur

Step 1: Removing HELP_DECRYPT and related malware:

Before restoring your files from shadow copies, make sure HELP_DECRYPT is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install a recommended anti-malware scanner. Run a full system scan and remove the detected malware.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by HELP_DECRYPT virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note that this tool works on Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.
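As an added example (not code from the original post, and not part of Shadow Explorer or any other tool named here), a small Python triage script that walks a folder tree, records which folders contain the HELP_DECRYPT ransom notes, finds files whose legitimate extension has a random extension appended, and maps each encrypted file back to the name it should be restored as. The short list of known extensions and the 5-8 lowercase-letter pattern for the appended extension are assumptions, and the folder tree it scans is constructed inside the script.

```python
import os
import re
import tempfile
from collections import Counter

# Ransom-note file names dropped by CryptoWall 3.0 (named in the article).
RANSOM_NOTES = {"HELP_DECRYPT.HTML", "HELP_DECRYPT.TXT", "HELP_DECRYPT.PNG"}
# Assumption: a small sample of legitimate extensions the victim cares about.
KNOWN_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "txt", "exe"}
# Assumption: encrypted name = original name + "." + 5-8 random lowercase letters.
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+\.(?P<ext>[A-Za-z0-9]+))\.(?P<tail>[a-z]{5,8})$")


def triage(root):
    """Walk root; return (folders with ransom notes, {encrypted path: original path})."""
    note_dirs, encrypted = set(), {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper() in RANSOM_NOTES:
                note_dirs.add(dirpath)
                continue
            m = ENCRYPTED_RE.match(name)
            if m and m.group("ext").lower() in KNOWN_EXTS:
                encrypted[os.path.join(dirpath, name)] = os.path.join(dirpath, m.group("orig"))
    return note_dirs, encrypted


def appended_extensions(encrypted):
    """Count the appended extensions; one infection normally uses a single random one."""
    return Counter(os.path.splitext(p)[1].lstrip(".") for p in encrypted)


def build_sample_tree():
    """Constructed sample: two hit folders with notes and renamed files, plus a clean one."""
    root = tempfile.mkdtemp(prefix="cw_triage_")
    layout = {
        "Documents": ["HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML", "HELP_DECRYPT.PNG",
                      "resume.docx.xnldzbl", "taxes.pdf.xnldzbl"],
        "Pictures": ["HELP_DECRYPT.TXT", "baby.jpg.xnldzbl", "Thumbs.db"],
        "Clean": ["notes.txt", "archive.tar.gz"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:
            open(os.path.join(root, folder, n), "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    notes, enc = triage(root)
    print(f"{len(notes)} folders with ransom notes, {len(enc)} encrypted files")
    print("appended extension(s):", dict(appended_extensions(enc)))
    for e, o in sorted(enc.items()):
        print(f"  {os.path.relpath(e, root)} -> restore as {os.path.relpath(o, root)}")
```

The restore-as list is what you work from in Shadow Explorer: each original path is the file to export from the shadow copy, and the appended-extension count is a quick sanity check that you are looking at a single infection.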


Anonymous said...

THANK YOU SOOOOOO MUCH!!!!!! Your directions brought all my sons baby pictures back for me!

Mohammad said...

Unfortunately, it doesn't work for me. The Shadow Explorer seems to be unable to read my D: drive! It can read C: though!

I have formatted the C: after I found out about the malware.
now so many files are Still Encrypted!

I Still Need Help

Anonymous said...

I just got the same virus and was wondering if you have had any luck? Have you paid the attackers the ransom? I did and I still have not heard from them. It's been about 18 hours.

Anonymous said...

We just got this virus through an email attachment pretending to be a resume. The email was very ambiguous with bad grammar. We should have known better than to open the doc attached.

That said, it was fairly easy to remove with the aid of Malwarebytes and then running a search on C:\ for any filename containing HELP_DECRYPT. This brought up over 900 files. After deleting them all and using Windows restore to the previous day (before infection), a lot of the files were still encrypted and unusable. We downloaded Shadow Explorer and used it to restore specific files and folders. This was helpful to an extent, but not all files were recoverable (not sure why).

Luckily, it doesn't appear that we lost anything important at this point, although I'm still in the process of going through directories with freshly modified dates to see if anything still needs to be restored or deleted.

Offe said...

I have got the virus now. But I can't get rid of the encrypted files :(

Anonymous said...

Does this virus continue to compromise files, or is this a one-time encryption? I don't want to continue working on this computer if it will continue to compromise work or can compromise others.

Admin said...

It's usually a one-time encryption. However, it can be bundled with other malware, so I highly recommend removing the malware from your computer if you want to continue working on it.

Anonymous said...

Thanks for the help!!!! Shadow Explorer worked just fine xD

Anonymous said...

I scanned my laptop and found 3,622. Do I delete those all before moving forward?

Admin said...

Yes, delete those files.

Anonymous said...

I downloaded and opened Shadow Explorer, and nothing came up. It's blank. Does that mean it won't work for me?

Admin said...

If Shadow Explorer comes up blank it means it can't find shadow copies and unfortunately won't work for you.

林志扬和袁丽萍的爱情故事 said...

Hi, does this solution mean that if the server didn't have the shadow copies feature turned on before it was affected, there is no way to retrieve my files, right?

Admin said...

Yes, you are right.

Anonymous said...

I haven't backed up my computer in a long time. It also infected my camera's memory card; how do I recover the pics from my memory card?