Also Known As: Cryptowall 4.0 virus
Distribution: Low
Damage level: Severe

HELP_YOUR_FILES virus removal instructions


Recently, a new version of CryptoWall ransomware has been released. This is not the first update to this ransomware - cyber criminals have released a fourth version also known as HELP_YOUR_FILES ransomware. This new file-encrypting malware not only changes the extensions of files stored on the computer, but also changes their names to prevent victims from recognizing them (example of an encrypted file name: '8354no9f.7gt8'). After HELP_YOUR_FILES has encrypted victim data, it demands payment of a $700 (1.79 Bitcoins) ransom. If the user does not pay within a given time frame, the ransom doubles to $1400 or 1400 (3.58 BTC). Information about the payment (time frame, consequences of not paying the ransom, attempts to decrypt using third party software, step-by-step payment instructions, etc.) is stored in HELP_YOUR_FILES.PNG, HELP_YOUR_FILES.TXT, and HELP_YOUR_FILES.HTML files, which are generated in each directory containing encrypted data.
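Because the ransom notes are dropped in every directory that contains encrypted data, their presence can be used to scope the damage before restoring from backup. The following Python script is an added example, not part of the original article: it walks a directory tree, lists each directory holding one of the three note files named above, counts the other files there, and records the earliest note timestamp. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Ransom-note names from the article, matched case-insensitively.
NOTE_NAMES = {"help_your_files.png", "help_your_files.txt", "help_your_files.html"}


def find_affected_dirs(root):
    """Map each directory holding a ransom note to the notes found, the
    number of other files there, and the earliest note timestamp."""
    affected = {}
    for dirpath, _dirs, files in os.walk(root):
        notes = sorted(f for f in files if f.lower() in NOTE_NAMES)
        if not notes:
            continue
        mtimes = [os.stat(os.path.join(dirpath, n)).st_mtime for n in notes]
        affected[dirpath] = {
            "notes": notes,
            "other_files": len(files) - len(notes),
            "first_note": min(mtimes),
        }
    return affected


def earliest_note(affected):
    """Earliest note timestamp overall, a rough marker of when encryption was under way."""
    return min((d["first_note"] for d in affected.values()), default=None)


def build_sample_tree(base):
    """Constructed sample: one hit directory, one untouched directory."""
    hit, clean = Path(base, "Documents", "reports"), Path(base, "Music")
    hit.mkdir(parents=True)
    clean.mkdir(parents=True)
    for i, name in enumerate(("HELP_YOUR_FILES.TXT", "HELP_YOUR_FILES.HTML",
                              "8354no9f.7gt8", "k2x91ab.q0")):
        path = hit / name
        path.write_bytes(b"constructed sample")
        os.utime(path, (1446400000 + 60 * i, 1446400000 + 60 * i))
    (clean / "song.mp3").write_bytes(b"constructed sample")
    return str(hit), str(clean)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = find_affected_dirs(tmp)
        for d, info in found.items():
            print(d, info["notes"], "files to restore:", info["other_files"])
        print("earliest note mtime:", earliest_note(found))
```

Backups taken after the earliest note timestamp may already contain encrypted copies, so compare that time against the backup schedule before choosing a restore point.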

HELP_YOUR_FILES uses the RC4 encryption method. As with the previous versions of CryptoWall, this ransomware infiltrates Explorer.exe, and then deletes all Shadow Volume Copies, disables System Restore, and turns off Windows Startup Repair using bcdedit. Although the ransomware is easy to remove, decrypting affected files without paying the ransom is impossible - the key required for decryption is stored on HELP_YOUR_FILES command-and-control servers, which are managed by cyber criminals. The only way to solve this problem is to restore your data from a backup.

HELP_YOUR_FILES decrypt instructions

The existence of computer viruses such as HELP_YOUR_FILES, CTB Locker, CryptoLocker, TeslaCrypt, and CryptorBit presents a strong case for maintaining regular backups of your files. Paying the ransom supports the malicious business of cyber criminals. Furthermore, there is no guarantee that the files will ever be decrypted. Be aware that HELP_YOUR_FILES is distributed using malicious email messages with bogus attachments - zipped files supposedly containing resumes, shipping information, etc. The attachments are JavaScript files that (when executed) download other infectious executable files, storing them in the Windows %Temp% folder and then running them. Most ransomware viruses are distributed using fake downloads (for example, torrents, fake software updates, etc.). For this reason, be cautious when downloading files from untrusted sources. Use a legitimate anti-virus or anti-spyware suite and keep all installed applications up-to-date.
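Since the delivery method described above is a zip attachment that contains a script file rather than a document, a mail filter can open each archive and check what is inside. The following Python script is an added example, not part of the original article: it inspects an attachment in memory and returns a quarantine decision when any archive member ends in a script extension that Windows executes on double-click. The extension list, function names and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Script types that Windows runs on double-click (Windows Script Host, HTA).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def script_members(zip_bytes):
    """Return names of archive members whose final extension is a script type.
    Raises zipfile.BadZipFile if the data is not a valid zip archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the last suffix counts, so "resume.doc.js" is caught;
            # trailing dots and spaces are ignored as Windows ignores them.
            name = info.filename.lower().rstrip(". ")
            if PurePosixPath(name).suffix in SCRIPT_EXTS:
                hits.append(info.filename)
    return hits


def verdict(filename, data):
    """Quarantine decision for one mail attachment."""
    if not filename.lower().endswith(".zip"):
        return "pass"
    try:
        hits = script_members(data)
    except zipfile.BadZipFile:
        return "quarantine: unreadable archive"
    return f"quarantine: script in archive ({', '.join(hits)})" if hits else "pass"


def make_zip(members):
    """Build a constructed sample archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    bad = make_zip({"resume_2015.doc.js": b"// constructed placeholder"})
    good = make_zip({"invoice.pdf": b"%PDF-1.4 constructed"})
    print(verdict("resume.zip", bad))
    print(verdict("invoice.zip", good))
```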

HELP_YOUR_FILES ransomware additional information regarding data encryption:

Additional information about the files encrypted by HELP_YOUR_FILES ransomware


Cannot you find the files you need? Is the content of the files that you have watched not readable? It is normal because the files’ names, as well as the data in your files have been encrypted. Congratulations!!! You have become a part of large community of CryptoWall. If you are reading this text that means that the software CryptoWall has removed from your computer.
What is encryption? Encryption is a reversible transformation of information in order to connect it from unauthorised persons but providing at the same time access to it for authorised users. To become an authorised user and make the process truly reversible i.e to be able to decrypt your files you need to have a special private key. In addition to the private key you need the decryption software with which you can decrypt your files and return everything in its place. I almost understood but what do I have to do? The first thing you should do is to read the instructions to the end. Your files have been encrypted with the CryptoWall software; the instructions that you find in folders with encrypted files are not viruses, they are you helpers. After reading this text 100% of people turn to a search engine with the word CryptoWall where you’ll find a lot of thoughts, advice and instructions. Think logically - we are the ones who closed the lock on your files and we are the only ones who have this mysterious key to open them. Any of your attempts to restore you files with the third-party tools can be fatal for encrypted files. The fact that changing data within the encrypted files (as 100% of software to restore files do this, except the special decryption software) you break damage to the files and it will be impossible to decrypt the files. This is the same as to collect a mosaic when some mosaics items were lost, broken or not put in its place - the picture will not emerge, the software to restore the files will not be able to lay down the picture, and ruin it completely and irreversibly. Use the software to restore files can ruin your files forever, only through your fault. Remember that any intervention of the extraneous software to restore files encrypted with the CryptoWall software may be the point on no return. In case if these simple rules are violated we will not be able to help you, and we will not try because you have been warned. 
For your attention the software to decrypt the files (as well as the private key that come fitted with it) is a paid product. After purchasing the software package you can: 1.Decrypt all your files. 2. Work with your documents. 3. View your photos and other media content. 4. Continue your habitual and comfortable work at the computer. If you are aware whole importance and criticality of the situation, then we suggest you go directly to your personal page where you will be given final instructions, as well as guarantees to restore your files.
What do you have to do with these addresses? If you browse the instructions in TXT format (if you have instructions in HTML (the file that has an icon of your Internet browser) then for the sake of simplicity it is better to run it). Additional information: Instructions to restore your files are only in the folders where you have encrypted files. For your convenience the instructions are made in three files formats - html, txt and png. Unfortunately, antivirus companies cannot protect and moreover restore your files but they make things worse removing the instructions to restore encrypted files. The instructions are not malware, they have informative nature only, so any claims on the absence of any instructions files you can send to your antivirus company. CryptoWall Project is not malicious and is not intended to harm a person and his/her information data. This project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection. Together we make the Internet a better and safer place. If you oversee this text in the Internet and understand that something is wrong with your files and you have no instructions to restore files, contact your antivirus support. Remember that the worst has already happened and now the further life of your files depends directly in your determination and speed of your actions.

HELP_YOUR_FILES ransom payment instructions:

Payment instructions provided by HELP_YOUR_FILES ransomware

Samples of infected email messages proliferating HELP_YOUR_FILES ransomware:

Spam messages generated by HELP_YOUR_FILES ransomware (samples 1 to 6)

Here's a screenshot of user's desktop after HELP_YOUR_FILES ransomware is done encrypting data:

help your files ransomware desktop

HELP_YOUR_FILES ransomware removal:



Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, then select Safe Mode with Networking from the list.

Safe Mode with Networking


Windows 8 users: Start Windows 8 in Safe Mode with Networking - Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options, and in the opened "General PC Settings" window select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, then click the "Advanced options" button. In the advanced options screen click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking


Step 2

Log in to the account infected with the HELP_YOUR_FILES virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.


1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the HELP_YOUR_FILES ransomware virus infiltrating your PC).

select a restore point

6. In the opened window, click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining HELP_YOUR_FILES files.

To restore individual files encrypted by this ransomware, try using the Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on the infected operating system. Note that some variants of HELP_YOUR_FILES are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click on it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

Restoring files encrypted by CryptoDefense

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by HELP_YOUR_FILES you can also try using a program called Shadow Explorer. More information on how to use this program is available here.

shadow explorer screenshot

To protect your computer from file-encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as HELP_YOUR_FILES.

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises such attempts without need for user intervention:

hitmanproalert ransomware prevention application

Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:

malwarebytes anti-ransomware

  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.

Other tools known to remove HELP_YOUR_FILES ransomware: