Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Need Complete List Of Extensions Encrypted with Cryptowall 2.0

  • This topic is locked This topic is locked
1 reply to this topic

#1 nintendo1889


  • Members
  • 15 posts
  • Gender:Male
  • Local time:11:14 AM

Posted 14 November 2014 - 02:07 PM

The server just deleted my long post. It said "Your secure key, used to verify you are posting the topic, did not match the one submitted. Please go back, reload the form, and try again." Used the back arrow, and the post was gone. That's what I get for using IE!?@#?!@?!#@?!@#
Anyway, here is my batch file I created that copies all files from an encrypted drive but excludes the encrypted extensions and the DECRYPT_INSTRUCTIONS files. I created this because our online backup (from before the infection) is 24 days old, and I wanted to copy over the newly created files since the infection, and exclude the encrypted files. Another way to go would be to simply delete all encrypted file extensions and then copy all files, but I've seen encrypted folders with DECRYPT_INSTRUCTIONS that have subfolders (and unencrypted .jpg) that don't have the DECRYPT_INSTRUCTIONS, so either it stopped at a certain folder, or it has some other bug that stops on really long paths. Perhaps it purposefully doesn't go after paths greater than 255 characters to prevent filesystem corruption?
robocopy d:\data\FileShare\EncryptedFileShare 
e:\data\cleandriveshare\ /E  /MT:1 /R:10 /W:2 /TS /FP 
/LOG+:d:\robocopy-exclusions.log /V /TEE /XFDECRYPT_INSTRUCTION.HTML /XF 
*.odm /XF *.odc /XF *.odb /XF *.doc /XF *.docx /XF*.docm /XF *.wps /XF *.xls 
/XF *.xlsx /XF *.xlsm /XF *.xlsb /XF *.xlk /XF *.ppt/XF *.pptx /XF *.pptm 
/XF *.mdb /XF *.accdb /XF *.pst /XF *.dwg /XF *.dxf /XF*.dxg /XF *.wpd /XF 
*.rtf /XF *.wb2 /XF *.mdf /XF *.dbf /XF *.psd /XF *.pdd /XF*.pdf /XF *.eps 
/XF *.ai /XF *.indd /XF *.cdr /XF *.dng /XF *.3fr /XF *.arw /XF*.srf /XF 
*.sr2 /XF *.mp3 /XF *.bay /XF *.crw /XF *.cr2 /XF *.dcr /XF *.kdc /XF*.erf 
/XF *.mef /XF *.mrw /XF *.nef /XF *.nrw /XF *.orf /XF *.raf /XF *.raw 
/XF*.rwl /XF *.rw2 /XF *.r3d /XF *.ptx /XF *.pef /XF *.srw /XF *.x3f /XF 
*.lnk /XF*.der /XF *.cer /XF *.crt /XF *.pem /XF *.pfx /XF *.p12 /XF *.p7b 
/XF *.p7c /XF*.jpg /XF *.png /XF *.jfif /XF *.jpeg /XF *.gif /XF *.bmp /XF 
*.exif /XF*.txt REM /E is copy subdirectories. /MAXAGE is the 
maximum age of the modification time for files to be copied.REM /MT is the 
number of threads. /R is number of retries on failure. /W is time between 
retries.REM /TS is list timestamps in log. /FP Displays full pathnames of 
files in the output log.REM /LOG+ appends output to a log file. /V is 
verbose output.REM /XF will exclude an exact filename or wildcard.REM 
/TEE will log to the cmd console, for when the /LOG command is used, it's not 
output to the user, only to the log.

Edited by Budapest, 14 November 2014 - 03:57 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~Budapest

BC AdBot (Login to Remove)



#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 50,606 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:14 AM

Posted 15 November 2014 - 01:59 PM

A repository of all current knowledge regarding CryptoWall & CryptoWall 2.0 is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

Reading that Guide will help you understand what CryptoWall & CryptoWall 2.0 does and provide information for how to deal with it and possibly decrypt/recover your files. Cryptowall typically deletes all Shadow Volume Copies with vssadmin.exe so that you cannot restore your files form the Shadow Volumes. At this time there is no fix tool for CryptoWall.

CryptoWall 2.0 uses its own TOR gateways...see Updated CryptoWall 2.0 ransomware released that makes it harder to recover files.

There is also a lengthy ongoing discussion in this topic: CryptoWall - new variant of CryptoDefense.

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users