Ransomware .help - How to remove

“.help” is a symptom of a malware infection. If your pictures, documents, and other items got renamed end with the extension “.help”, then your computer must have been infected with ransomware. .help is a file extension that’s used by various ransomware viruses, including the Phobos cryptovirus.

As ransomware, .help uses cryptography to edit files on the computers that it infects. It’s a form of online extortion. As a result, the .help virus is detected as malicious by most professional anti-malware tools.

About “.help” ransomware:

Classification Ransomware.
Effects of the “.help” ransomware Your data is locked by the ransomware, unable to be opened,

the locked files have their names changed, including the second extension “.help”.

How to recover your data Restore data from backups,

use forensic tools, such as data recovery programs,

repair files that can be repaired,

wait for a free decryption tool.

How to remove “.help” ransomware Use antivirus programs, such as Spyhunter, to find and remove all malware from your computer,

reset your passwords,

protect your remote desktop connection.

How to recognize .help ransomware

.help ransomware can be first recognized by the “.help” extension that’s attached to the names of the locked files.

It might look like this:


Or it might be something more complicated, such as:

document.doc.id-[random].[email address].help

The original names are left, the new string with the email address and your unique id is appended to them. The id and the email address are normal for Phobos ransomware.

You’ll also notice that the files can’t be opened anymore – not just because they’ve been renamed. The ransomware, .help, edits the internal data of the files and makes them impossible to read. It basically corrupts them.

The .help virus creates a ransom note, for instance, info.hta, info.txt, or readme.txt files that include a message from its creators. The message is a ransom note instructing you to pay a ransom (send money to the cybercriminals behind the .help ransomware) if you want to have your files fixed.

.help ransomware is not new. This Phobos variant has been released a few times, providing various email addresses:

Of course, there are other Phobos variants besides .help: Frendi, Adame, Acton, etc. .help is only one of many ransomware viruses.

Sources of infection

So, how did .help ransomware infect your computer in the first place?

To avoid any future problems it’s good to review a few ways that .help and other  Phobos ransomware makes its way onto computers so that the infections aren’t repeated. That’s a strong possibility, by the way – whether you pay the criminals or not, if you were targeted manually and leave your security as vulnerable as it was, the distributors of .help might try again in a few weeks.

Weak RDP security

If your RDP or other means of remote desktop access is vulnerable, it will be used to infect your network – not just with .help or other ransomware, but also with spyware, backdoors, and other nasty malware. Remote desktop connection is hacked in manual attacks, where the criminals pick their targets, as well as by automated attacks. Here are a few potential vulnerabilities:

  • Weak username and password (or none at all!).
  • The ability for anyone on the internet to attempt to connect at any time.
  • Outdated RDP with known security exploits that allow malicious code to be executed even without logging in.

These RDP security issues are easy to fix, but a lot of people don’t until after a serious attack.

Malicious email attachments

Infected emails can also be used to spread .help and other malware. They can be targeted and crafted to trick a specific person. Or they can be generic, sent in bulk. These phishing emails either have an infected file attached, or they have a link to download the file from. Targeted phishing emails can be especially dangerous because they are often very convincing.

File download sites

Infected files can also be found uploaded on pirating websites, including torrenting sites and file upload sites. Cracks and keygens, cracked programs, and completely fake files and installers might be infected. This is a threat to not just businesses but individual PC users, too. Piracy is dangerous, as it’s used often as a medium for malware to spread.

No doubt that ransomware distributors look for new ways to spread their infections. There are some crypto-extortionists who actually see themselves as some twisted version of security experts, “showing” people the flaws in their systems and collecting the payment for their “consultation”.

.help ransomware, ransom note

Why .help is so harmful

The .help virus encrypts your files in order to break them, essentially holding your data for ransom.

The encryption used by Phobos is both fast and secure. The only way to reverse it is to know the encryption algorithm and to have the decryption key which is unique to each and every victim.

Besides breaking data, .help ransomware might also install adware viruses, miners, and other malicious programs. The people behind .help ransomware want to make money and so they do whatever they think will make a profit.

How to recover your files

Like most modern ransomware, .help deletes shadow copies to prevent you from recovering your files. Any victim who doesn’t have backups set up is potentially going to lose all of their data. Backups are the best defense against cryptoviruses because they ensure that, even if the virus succeeds, you still have your files.

Even if you don’t have a backup with all your files, maybe some of them were saved in the cloud? Maybe they were mailed to other people and you can re-download them?

Because of how secure the .help encryption is, there is no free decrypter available. But you can keep an eye out for it. Maybe the creators of Phobos will retire and release a master key? Maybe they’ll get arrested?

You might consider paying the criminals. They generally ask for a few thousand dollars for the files, they might adjust the price depending on the target. Some of the distributors do restore the files, some take the money and do nothing. So, if you think about paying, know that there is a very real possibility that you’ll lose your .help-locked files and your money.

Data recovery might yield some results, too. Recovery programs can bring back deleted data, provided that it hasn’t been overwritten yet.

Also, you might be able to manually repair some of the .help files as you would corrupted files. With a lot of time and dedication, you can rescue some of the data that .help ransomware encrypted. This is only possible because modern ransomware viruses skip portions of your files, allowing them to be rescued.

How to remove .help ransomware

But, for now, .help continues to encrypt new files and starts itself every time you turn the computer on. It needs to be removed as soon as possible. Else, the only way to stop .help is to turn your computer off and keep it that way, eliminating the virus from the disk without booting it.

Some ransomware infections delete themselves after they’re done, but even if your version of .help did, there are still the other malicious programs that it might have brought with.

The virus should be deleted either manually or automatically. Any competent anti-malware tool (such as Spyhunter) would be able to find .help and the other malicious files and delete them.

Remember to secure your RDP, install security updates, watch your pirating habits, change your passwords to something very complex, and set up file backups. Be ready for a ransomware attack and you’ll save yourself a lot of grief.

Automatic Malware removal tools

Download Spyhunter for Malware detection

Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,

Download Combo Cleaner for Malware detection

Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,

How to recover Ransomware .help encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before Ransomware .help has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of Ransomware .help

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Ransomware .help . You can check other tools here.  

Step 3. Restore Ransomware .help affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Ransomware .help tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover Ransomware .help encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Leave a Reply

Your email address will not be published. Required fields are marked *