Before you start reading this article, please be informed that this tool is only for advanced users and that there are already a couple of detections (8/43) on VirusTotal flagging it as suspicious or generic. I can vouch that it is a false detection and not a virus. RansomHelper is a tiny tool coded by Xylitol, who is an expert in reversing and analyzing malware, to save time when analyzing ransomware. The ransomware in question here is the screen-locker kind: once run, it locks up the computer and asks the user to pay in order to obtain an unlock code. It sets itself to run automatically whenever Windows boots, even in Safe Mode, which makes it difficult to remove. Because such a locker kills the explorer.exe process and then covers the screen with nothing but a page of payment instructions, analyzing it on the infected machine is troublesome: there is no desktop, no taskbar and no obvious way to launch any other tool.
The beautiful thing about RansomHelper is that while it is running, pressing the X and Y keys a couple of times brings its window above any other window, including windows flagged as topmost. A screen locker normally marks its own window as topmost so that no other program can be drawn over it; RansomHelper bypasses that restriction and lets you open Explorer, regedit, Task Manager or any other program you select from its interface. It can also kill processes and re-enable regedit, Task Manager and the command prompt when the malware has disabled them (typically done by setting the DisableRegistryTools, DisableTaskMgr and DisableCMD policy values in the registry). Features like these are fairly common in malware removal tools, so what I actually want to show you is something else. If you look at the RansomHelper user interface, there is a text box labelled Lock (CTRL+F). Moving the mouse cursor over any other window automatically updates that box with the window's handle and title.
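To show what "re-enabling" the disabled tools amounts to, here is an added PowerShell example. It is my own illustration, not RansomHelper's code, and the page does not say how the tool itself does this. The registry paths and value names are the standard Windows policy locations that lockers abuse; the function names and output format are my own choices.

```powershell
# Added example, not RansomHelper's code: find and clear the policy values that
# lockers set to disable regedit, Task Manager and cmd.exe. DisableCMD lives under
# a different key than the other two. A value of 1 (or 2 for DisableRegistryTools
# and DisableCMD) disables the tool; 0 or an absent value means it is enabled.
$lockoutPolicies = @(
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' }
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
    @{ Path = 'Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD' }
)

function Get-LockoutPolicies {
    # Malware running as the user usually writes HKCU (no admin needed);
    # HKLM is checked too because an elevated sample can set the machine-wide copy.
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($p in $lockoutPolicies) {
            $key  = "${hive}:\$($p.Path)"
            $item = Get-ItemProperty -Path $key -Name $p.Name -ErrorAction SilentlyContinue
            if ($null -ne $item -and $item.($p.Name) -ne 0) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $item.($p.Name) }
            }
        }
    }
}

function Clear-LockoutPolicies {
    foreach ($entry in @(Get-LockoutPolicies)) {
        try {
            Remove-ItemProperty -Path $entry.Key -Name $entry.Name -ErrorAction Stop
            "removed {0}\{1} (was {2})" -f $entry.Key, $entry.Name, $entry.Value
        } catch {
            # HKLM values need an elevated shell; report the failure instead of stopping.
            "could not remove {0}\{1}: {2}" -f $entry.Key, $entry.Name, $_.Exception.Message
        }
    }
}

Get-LockoutPolicies | Format-Table -AutoSize
Clear-LockoutPolicies
```

Two caveats a practitioner will hit. First, clearing these values while the locker process is still alive is usually pointless, because most lockers re-write them on a timer; kill the process first (which is exactly the order RansomHelper's own features allow). Second, regedit and Task Manager read the policy at launch, so a tool that is already open stays locked until you restart it.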
This unique feature lets you move any otherwise unmovable window: hover the mouse cursor over the window to capture its handle, then press CTRL+F. You can now drag the window with the mouse. Once it is where you want it, press CTRL+F again to release it. During testing, I found that you can even move the Desktop! I don't know about you, but I personally have never seen any software that can do this. Here is a video presentation of RansomHelper that should help you better understand the purpose of this tool.
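To make the "handle under the cursor" idea concrete, here is an added PowerShell example that performs the same two steps by hand through the Win32 API: read the top-level window under the mouse pointer and report its handle, title and owning process, then reposition it with SetWindowPos. This is my illustration, not RansomHelper's code or anything from the article; the Win32 calls are the documented user32 exports, while the function names and the 600-pixel offset are my own.

```powershell
# Added example, not RansomHelper's code. Win32 bindings via P/Invoke; Add-Type
# supplies the System and System.Runtime.InteropServices usings for us.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)] public struct POINT { public int X; public int Y; }
[StructLayout(LayoutKind.Sequential)] public struct RECT  { public int Left, Top, Right, Bottom; }
[DllImport("user32.dll")] public static extern bool   GetCursorPos(out POINT p);
[DllImport("user32.dll")] public static extern IntPtr WindowFromPoint(POINT p);
[DllImport("user32.dll")] public static extern IntPtr GetAncestor(IntPtr h, uint flags);
[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern int GetWindowText(IntPtr h, System.Text.StringBuilder s, int n);
[DllImport("user32.dll")] public static extern bool   GetWindowRect(IntPtr h, out RECT r);
[DllImport("user32.dll")] public static extern uint   GetWindowThreadProcessId(IntPtr h, out uint pid);
[DllImport("user32.dll")] public static extern bool   SetWindowPos(IntPtr h, IntPtr after, int x, int y, int cx, int cy, uint flags);
'@

function Get-WindowUnderCursor {
    $pt = New-Object 'Win32.Native+POINT'
    [void][Win32.Native]::GetCursorPos([ref]$pt)
    # WindowFromPoint may return a child control; GA_ROOT (2) climbs to the top-level window,
    # which is the handle RansomHelper's Lock box shows and the one SetWindowPos must target.
    $hwnd = [Win32.Native]::GetAncestor([Win32.Native]::WindowFromPoint($pt), 2)
    $title = New-Object System.Text.StringBuilder 512
    [void][Win32.Native]::GetWindowText($hwnd, $title, $title.Capacity)
    $rc = New-Object 'Win32.Native+RECT'
    [void][Win32.Native]::GetWindowRect($hwnd, [ref]$rc)
    [uint32]$ownerPid = 0
    [void][Win32.Native]::GetWindowThreadProcessId($hwnd, [ref]$ownerPid)
    [pscustomobject]@{
        Hwnd   = $hwnd
        Handle = '0x{0:X}' -f $hwnd.ToInt64()
        Title  = $title.ToString()
        Pid    = $ownerPid
        Left   = $rc.Left; Top = $rc.Top
        Width  = $rc.Right - $rc.Left; Height = $rc.Bottom - $rc.Top
    }
}

function Move-WindowTo {
    param([IntPtr]$Hwnd, [int]$X, [int]$Y, [switch]$TopMost)
    $SWP_NOSIZE = 0x0001; $SWP_NOZORDER = 0x0004; $SWP_NOACTIVATE = 0x0010
    $HWND_TOPMOST = [IntPtr](-1)
    # Keep the size; only touch the z-order when asked to push the window to topmost.
    $flags = $SWP_NOSIZE -bor $SWP_NOACTIVATE
    if ($TopMost) { $after = $HWND_TOPMOST } else { $after = [IntPtr]::Zero; $flags = $flags -bor $SWP_NOZORDER }
    [Win32.Native]::SetWindowPos($Hwnd, $after, $X, $Y, 0, 0, [uint32]$flags)
}

# Usage: point the mouse at the locker's window, then run these lines from a shell
# you already have on screen (in a real lock, getting that shell is RansomHelper's job).
$w = Get-WindowUnderCursor
$w | Format-List Handle, Title, Pid, Left, Top, Width, Height
# Slide the window 600px to the right so the desktop underneath becomes reachable.
if (-not (Move-WindowTo -Hwnd $w.Hwnd -X ($w.Left + 600) -Y $w.Top)) {
    Write-Warning 'SetWindowPos failed (UIPI blocked it or the window is gone)'
}
# With the owning PID known, Stop-Process -Id $w.Pid ends the lock outright in a lab.
```

Two things to expect in practice. A locker usually re-asserts its position and topmost state on a timer, so the window may snap back a moment after you move it; that is why a toggle that holds the window while you drag, as RansomHelper's Lock does, is more useful than a one-shot move. And SetWindowPos across processes only works when the target runs at the same or lower integrity level as your shell: a locker running as the logged-on user can be moved from an unelevated PowerShell, but an elevated one cannot.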