
Tuesday, November 3, 2015

How to Remove HELP_YOUR_FILES Virus and Restore Encrypted Files

HELP_YOUR_FILES.TXT, HELP_YOUR_FILES.HTML, and HELP_YOUR_FILES.PNG belong to the new variant of the CryptoWall ransomware. If all your files have random extensions (e.g. 0hrpfndfq.p5r or d0prg.m4) appended after the legitimate extension (e.g. DOC, XLS, PDF, EXE) and you see HELP_YOUR_FILES files in every directory, then your computer is infected with ransomware.

It doesn't take a genius or a technical hotshot to know that there is an ever-increasing plethora of malicious software programs lurking in the darkest reaches of the internet, used by cyber criminals to manipulate us into handing over our data or details. Our bank accounts and our identities can be at serious risk – and so too can our actual computers. Protecting yourself when you're online is now more important than ever before.
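The two indicators above (ransom-note files in every directory, plus documents carrying an extra random extension) can be checked across a whole drive with a short triage script. The following Python is an added example written for this post, not code from the article or from any removal tool; the legitimate-extension list, the benign secondary suffixes and the "short lowercase alphanumeric tail" heuristic are assumptions you should tune for your own environment, and the sample directory tree it builds is constructed.

```python
import os
import re
import tempfile

# Ransom-note file names dropped by this CryptoWall variant, as named in the article.
RANSOM_NOTE_NAMES = {"help_your_files.txt", "help_your_files.html", "help_your_files.png"}

# Legitimate extensions the article mentions (DOC, XLS, PDF, EXE) plus a few common
# document types; extend to match your environment (assumption).
LEGIT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "exe",
                    "jpg", "jpeg", "png", "txt", "odt", "rtf"}

# Secondary suffixes that legitimately follow a document extension and must not
# be mistaken for a ransomware tail (assumption).
BENIGN_SECONDARY = {"bak", "old", "tmp", "orig", "zip", "gz", "lnk"}

# One part of a ransomware tail: short, lowercase alphanumeric, like "0hrpfndfq" or "p5r".
TAIL_PART_RE = re.compile(r"^[a-z0-9]{1,10}$")


def looks_encrypted(filename: str) -> bool:
    """Heuristic: <base>.<legit ext>.<1 or 2 random parts>, e.g. report.doc.0hrpfndfq.p5r."""
    parts = filename.lower().split(".")
    for i in range(1, len(parts) - 1):
        if parts[i] not in LEGIT_EXTENSIONS:
            continue
        tail = parts[i + 1:]
        if 1 <= len(tail) <= 2 and all(
            TAIL_PART_RE.match(p) and p not in LEGIT_EXTENSIONS and p not in BENIGN_SECONDARY
            for p in tail
        ):
            return True
    return False


def scan_tree(root: str) -> dict:
    """Walk a directory tree and collect ransom notes and suspect encrypted files."""
    notes, encrypted = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() in RANSOM_NOTE_NAMES:
                notes.append(path)
            elif looks_encrypted(name):
                encrypted.append(path)
    dirs_with_notes = {os.path.dirname(p) for p in notes}
    return {
        "ransom_notes": sorted(notes),
        "encrypted_files": sorted(encrypted),
        "dirs_with_notes": len(dirs_with_notes),
        # Both indicators together are the article's infection criterion.
        "infected": bool(notes) and bool(encrypted),
    }


def build_sample_tree() -> str:
    """Create a constructed directory tree mimicking an infected user profile (sample data)."""
    root = tempfile.mkdtemp(prefix="cw_sample_")
    layout = {
        "": ["HELP_YOUR_FILES.TXT", "HELP_YOUR_FILES.HTML", "HELP_YOUR_FILES.PNG",
             "report.doc.0hrpfndfq.p5r", "setup.exe"],
        "Documents": ["HELP_YOUR_FILES.TXT", "budget.xls.d0prg.m4", "notes.txt", "notes.txt.bak"],
        "Pictures": ["photo.jpg", "archive.tar.gz"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("sample\n")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"infected={result['infected']} notes={len(result['ransom_notes'])} "
          f"encrypted={len(result['encrypted_files'])} dirs_with_notes={result['dirs_with_notes']}")
```

Run it against a real profile by calling scan_tree on the user's home directory instead of the sample tree; the list it returns of encrypted files doubles as the list of what you need to recover from backups or shadow copies in Step 2.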

One type of malware that you really do need to educate yourself about - even though it is not quite as infamous as some of its cousins - is something called ransomware. Don't be fooled into thinking that because it's not talked about as much as adware or spyware you can ignore its very existence. Believe me when I say that ransomware poses a very real threat to all of us and it is definitely something that you do not want on your PC.

What is HELP_YOUR_FILES ransomware?

HELP_YOUR_FILES can reach you in a few different ways. As with many types of malware, it might be hidden in an attachment sent via a spam email. Other variants of this ransomware are upping their game and moving with the times by hiding in links sent through an instant messenger app. Yet others follow the tried and tested route of being bundled with another software program or app that the ransomware has infected. Last but not least, if you have visited a website that has been compromised by the malware, you will also unfortunately be put at risk. CryptoWall ransomware seems to be the payload most commonly delivered by the Angler EK, which at the moment is possibly the most active and sophisticated exploit kit. Once installed, it injects code into the explorer.exe or svchost.exe processes and disables System Restore. Unfortunately, it can delete Volume Shadow Copies too.
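The two behaviours just described, injection into explorer.exe or svchost.exe and deletion of Volume Shadow Copies, are exactly what endpoint telemetry should alert on, because they happen before the bulk of the encryption. The Python below is an added example written for this post, not code from the article or from any product: it parses a handful of constructed Sysmon-style events (event ID 1 for process creation, event ID 8 for remote thread creation; the field names follow Sysmon but the lines are made up) and flags shadow-copy deletion via the standard Windows vssadmin and wmic tools, which the article does not name, plus remote threads created in the two system processes by a binary outside the Windows directory.

```python
import ntpath
import re

# Constructed Sysmon-style events in flat key=value form (EventID 1 = process creation,
# EventID 8 = remote thread creation). These lines are made up for the example, not real telemetry.
SAMPLE_EVENTS = [
    r'EventID=1 Image="C:\Windows\System32\svchost.exe" ParentImage="C:\Windows\System32\services.exe" CommandLine="svchost.exe -k netsvcs"',
    r'EventID=1 Image="C:\Users\bob\AppData\Local\Temp\invoice.exe" ParentImage="C:\Program Files\Microsoft Office\OUTLOOK.EXE" CommandLine="invoice.exe"',
    r'EventID=8 SourceImage="C:\Users\bob\AppData\Local\Temp\invoice.exe" TargetImage="C:\Windows\explorer.exe"',
    r'EventID=1 Image="C:\Windows\System32\vssadmin.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="vssadmin.exe Delete Shadows /All /Quiet"',
    r'EventID=1 Image="C:\Windows\System32\vssadmin.exe" ParentImage="C:\Windows\System32\cmd.exe" CommandLine="vssadmin.exe list shadows"',
]

# key=value pairs; quoted values may contain spaces, bare values may not.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Processes the article says this variant injects into.
SYSTEM_TARGETS = {"explorer.exe", "svchost.exe"}
WINDOWS_DIR_PREFIX = "c:\\windows\\"


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def is_shadow_copy_deletion(ev: dict) -> bool:
    """Process creation that removes Volume Shadow Copies (vssadmin or wmic)."""
    if ev.get("EventID") != "1":
        return False
    image = ntpath.basename(ev.get("Image", "")).lower()
    cmd = ev.get("CommandLine", "").lower()
    if image == "vssadmin.exe" and re.search(r"\bdelete\s+shadows\b", cmd):
        return True
    if image == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd:
        return True
    return False


def is_injection_into_system_process(ev: dict) -> bool:
    """Remote thread created in explorer.exe/svchost.exe by a binary outside the Windows directory."""
    if ev.get("EventID") != "8":
        return False
    target = ntpath.basename(ev.get("TargetImage", "")).lower()
    source = ev.get("SourceImage", "").lower()
    return target in SYSTEM_TARGETS and not source.startswith(WINDOWS_DIR_PREFIX)


RULES = {
    "shadow_copy_deletion": is_shadow_copy_deletion,
    "remote_thread_into_system_process": is_injection_into_system_process,
}


def detect(lines) -> list:
    """Run every rule over every event; return alerts in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append({"rule": name, "event": ev})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        ev = alert["event"]
        print(alert["rule"], "->", ev.get("Image") or ev.get("SourceImage"))
```

The read-only "vssadmin list shadows" line is deliberately included and must not fire; matching on the binary name alone would drown the alert in noise from administrators and backup software, which is why the rule keys on the delete verb in the command line.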

When you think about it, it wouldn't be an exaggeration to say that every time you are online you are at risk – and this of course is why it is of paramount importance that you not only protect yourself with firewalls and anti-virus software but also proactively follow best practices when working or playing on the internet.

Being extremely careful when you open email attachments or click on links is crucial, even if you do know the sender – who's to say that your friend or colleague hasn't had their email or messenger app hacked?

What HELP_YOUR_FILES ransom virus can do

As the name suggests, it will kidnap your files, encrypt them so that you are unable to access them and then demand a ransom for their release. The ransom note will be left on your computer in the form of an HTML file or text/image files and will tell you in no uncertain terms how much you have to pay, and by what method, if you ever want to see your files again. HELP_YOUR_FILES.HTML ransom note:

Cannot you find the files you need?
Is the content of your files that you have watched not readable?
It is normal because the files' names, as well as the data in your files have been encrypted.

You have become a part of large community CryptoWall.

As you can see, it claims to be a part of the CryptoWall family. And it probably is because certain elements are clearly copied from previous CryptoWall variants. The note will tell you that once you have paid you will be sent a code that will allow you to decrypt your documents. However, this is not a guarantee and there are countless examples of people having handed over their hard earned cash only to be sent a big fat nothing in return.

What should I do if I've been infected?

It's easy to say, but try not to panic. And whatever you do, don't pay the ransom unless the encrypted files are very important and you can't afford to lose them. If the encrypted files are not very important or you don't have the money to pay the ransom, you can try to restore your files (at least some of them) using Shadow Explorer, Recuva and some other specialized tools listed below. Please note that even if you decide to pay the ransom, there's really no guarantee that the cyber crooks will recover your files. If you have any questions, please leave a comment below. Last, but not least, if there's anything you think I should add or correct, please let me know. It might be a pain but the issue needs to be dealt with – and the way to do it is by not giving in, not paying up and not letting the attackers win.

Written by Michael Kaur.

Step 1: Removing HELP_YOUR_FILES and related malware:

Before restoring your files from shadow copies, make sure HELP_YOUR_FILES is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by HELP_YOUR_FILES virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note: this tool works with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted for where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.