_HELP_instructions virus is an expression applied to various ransomware variants that encrypt files, adds new extensions to file names, and insists that the victim pay a ransom in order to obtain a key which will help recover encrypted files. _HELP_instructions is the file name associated with this type of ransomware. Once the ransomware has encrypted files on the computer it infects it will leave a file named _HELP_instructions.txt, _HELP_instructions.jpg, and/or _HELP_instructions.html in every folder and Windows desktop.
The _HELP_instructions.txt or _HELP_instructions.html files are ransom notes that explain what happened to the files and how to pay the ransom to obtain a special decryption key. If the ransomware leaves a .jpg file it will load it to the background of Windows desktop.
A specific variant of ransomware associated with this file is PowerWare. When PowerWare ransomware is initially installed, the associated executable file will extract and execute a PowerShell script located at %USERPROFILE%\AppData\Local\Temp\Quest Software\PowerGUI\51daca6d-6a9a-44c8-9717-f8cc5c68d10e\fixed.ps1. Once the PowerShell script is executed, the ransomware will begin to encrypt data on all drives and add the .locky extension to the encrypted file names.
Another ransomware that uses this file name for a ransom note is Zepto ransomware. This ransomware encrypts, changes the entire file name, and adds the .zepto extension to the file name. This ransomware will usually leave a number in the string of the note such as 01_HELP_instructions.html or 11_HELP_instructions.jpg.
Ransomware associated with the _HELP_instructions file is usually dispersed by malicious email attachments. The email content employs social engineering in order to trick unsuspecting victims into downloading a file under the guise that it is something it is not. Once the file is manually executed by the user ransomware will begin to advance on the computer system and carry through it’s various functions.
It is not recommended to pay ransomware authors to decrypt your files. Instead you can use programs like Shadow Explorer, PhotoRec, or Recuva to restore corrupted files.
Aliases: _HELP_instructions virus, _HELP_instructions ransomware
_HELP_instructions.html .locky .zepto
hxxp://bobbavice[.]top/RY.exe hxxp://p6y5jnjxpfiibsyx.tor2web[.]org hxxp://p6y5jnjxpfiibsyx.onion[.]to hxxp://p6y5jnjxpfiibsyx.onion[.]cab hxxp://p6y5jnjxpfiibsyx.onion[.]link
_HELP_instructions ransomware removal guide
UPDATE: A new decryptor has been written for PowerWare (.locky) ransomware that can be found here: https://github.com/pan-unit42/public_tools/blob/master/powerware/powerware_decrypt.py
1. Download and Install Recuva by Pirform.
2. Run the program and start the Recuva Wizard.
3. Select All Files and click Next.
4. Select a file location. Click I’m not sure to search everywhere on your computer.
5. Click Start.
6. Select All Files with your mouse and click the Recover button. If you cannot restore your files with Recuva we recommend to try using Shadow Explorer to restore your files.
7. Download and Install Malwarebytes Anti-Malware software to detect and remove malicious files from your computer.
8. Open Malwarebytes and click the Scan Now button – or go to the Scan tab and click the Start Scan button.
9. Once the Malwarebytes scan is complete click the Remove Selected button.
10. To finish the Malwarebytes scan and remove detected threats click the Finish button and restart your computer if promoted to do so.
11. Download and Install HitmanPro by Surfright to perform a second-opinion scan.
12. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may chose to create a copy or perform a one-time scan.
13. Once the HitmanPro scan is complete click the Next button.
14. To activate the free version of HitmanPro: enter your email address twice and click the Activate button.
15. Click the Reboot button.
16. Download and Install CCleaner by Piriform to cleanup junk files, repair your registry, and manage settings that may have been changed.
17. Open CCleaner and go to the main Cleaner screen. Click the Analyze button. When the process is complete, click the Run Cleaner button on the bottom right of the program interface.
18. Go to Tools > Startup and search for suspicious entries in each tab starting from Windows all the way to Content Menu. If you find anything suspicious click it and click the Delete button to remove it.
19. Go to the Registry window and click the Scan for Issues button. When the scan is complete click the Fix selected issues… button and click Fix All Selected Issues.
The key to staying protected against future infections is to follow common online guidelines and take advantage of reputable Antivirus and Anti-Malware security software with real-time protection.
Real-time security software
Security software like Malwarebytes and Norton Security have real-time features that can block malicious files before they spread across your computer. These programs bundled together can establish a wall between your computer and cyber criminals.
Common Online Guidelines
- Backup your computer and personal files to an external drive or online backup service
- Create a restore point on your computer in case you need to restore your computer to a date before infection
- Avoid downloading and installing apps, browser extensions, and programs you are not familiar with
- Avoid downloading and installing apps, browser extensions, and programs from websites you are not familiar with – some websites use their own download manager to bundle additional programs with the initial download
- If you plan to download and install freeware, open source software, or shareware make sure to be alert when you install the object and read all the instructions presented by the download manager
- Avoid torrents and P2P clients
- Do not open email messages from senders you do not know
