Anyway, here is my batch file I created that copies all files from an encrypted drive but excludes the encrypted extensions and the DECRYPT_INSTRUCTIONS files. I created this because our online backup (from before the infection) is 24 days old, and I wanted to copy over the newly created files since the infection, and exclude the encrypted files. Another way to go would be to simply delete all encrypted file extensions and then copy all files, but I've seen encrypted folders with DECRYPT_INSTRUCTIONS that have subfolders (and unencrypted .jpg) that don't have the DECRYPT_INSTRUCTIONS, so either it stopped at a certain folder, or it has some other bug that stops on really long paths. Perhaps it purposefully doesn't go after paths greater than 255 characters to prevent filesystem corruption?
robocopy d:\data\FileShare\EncryptedFileShare e:\data\cleandriveshare\ /E /MT:1 /R:10 /W:2 /TS /FP /LOG+:d:\robocopy-exclusions.log /V /TEE /XF DECRYPT_INSTRUCTION.HTML /XF INSTALL_TOR.URL /XF DECRYPT_INSTRUCTION.TXT /XF *.odt /XF *.ods /XF *.odp /XF *.odm /XF *.odc /XF *.odb /XF *.doc /XF *.docx /XF *.docm /XF *.wps /XF *.xls /XF *.xlsx /XF *.xlsm /XF *.xlsb /XF *.xlk /XF *.ppt /XF *.pptx /XF *.pptm /XF *.mdb /XF *.accdb /XF *.pst /XF *.dwg /XF *.dxf /XF *.dxg /XF *.wpd /XF *.rtf /XF *.wb2 /XF *.mdf /XF *.dbf /XF *.psd /XF *.pdd /XF *.pdf /XF *.eps /XF *.ai /XF *.indd /XF *.cdr /XF *.dng /XF *.3fr /XF *.arw /XF *.srf /XF *.sr2 /XF *.mp3 /XF *.bay /XF *.crw /XF *.cr2 /XF *.dcr /XF *.kdc /XF *.erf /XF *.mef /XF *.mrw /XF *.nef /XF *.nrw /XF *.orf /XF *.raf /XF *.raw /XF *.rwl /XF *.rw2 /XF *.r3d /XF *.ptx /XF *.pef /XF *.srw /XF *.x3f /XF *.lnk /XF *.der /XF *.cer /XF *.crt /XF *.pem /XF *.pfx /XF *.p12 /XF *.p7b /XF *.p7c /XF *.jpg /XF *.png /XF *.jfif /XF *.jpeg /XF *.gif /XF *.bmp /XF *.exif /XF *.txt
REM /E is copy subdirectories. /MAXAGE is the maximum age of the modification time for files to be copied.
REM /MT is the number of threads. /R is number of retries on failure. /W is time between retries.
REM /TS is list timestamps in log. /FP displays full pathnames of files in the output log.
REM /LOG+ appends output to a log file. /V is verbose output.
REM /XF will exclude an exact filename or wildcard.
REM /TEE will log to the cmd console, for when the /LOG command is used, it's not output to the user, only to the log.
Edited by Budapest, 14 November 2014 - 03:57 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~Budapest
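Added example, not part of the original post: excluding by extension also drops untouched files such as the unencrypted .jpg files mentioned above, so this sketch checks each file's leading bytes against the well-known signature for its extension instead. It assumes the encryption overwrites the file header; the function names `classify`, `triage` and `build_sample` are hypothetical, the signature table covers only part of the /XF list, and the sample tree is constructed.

```python
import os, tempfile

# Ransom-note names taken from the /XF list in the post above.
RANSOM_NOTES = {"decrypt_instruction.html", "decrypt_instruction.txt", "install_tor.url"}
# Well-known leading bytes for some of the extensions in the /XF list.
ZIP, OLE = [b"PK\x03\x04"], [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"]
MAGIC = {".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"], ".png": [b"\x89PNG\r\n\x1a\n"],
         ".gif": [b"GIF87a", b"GIF89a"], ".pdf": [b"%PDF-"], ".bmp": [b"BM"],
         ".rtf": [b"{\\rtf"], ".psd": [b"8BPS"]}
MAGIC.update({ext: ZIP for ext in (".docx", ".xlsx", ".pptx", ".odt", ".ods", ".odp")})
MAGIC.update({ext: OLE for ext in (".doc", ".xls", ".ppt")})

def classify(path):
    """Return 'note', 'intact', 'suspect' or 'unchecked' for one file."""
    name = os.path.basename(path).lower()
    if name in RANSOM_NOTES:
        return "note"
    sigs = MAGIC.get(os.path.splitext(name)[1])
    if sigs is None:
        return "unchecked"  # no signature known (e.g. .txt): needs manual review
    with open(path, "rb") as fh:
        head = fh.read(16)
    return "intact" if any(head.startswith(s) for s in sigs) else "suspect"

def triage(root):
    """Walk root and group relative paths by verdict."""
    result = {"note": [], "intact": [], "suspect": [], "unchecked": []}
    for folder, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(folder, f)
            result[classify(full)].append(os.path.relpath(full, root))
    return {verdict: sorted(paths) for verdict, paths in result.items()}

def build_sample(root):
    """Write a small constructed tree used to demonstrate triage()."""
    os.makedirs(os.path.join(root, "sub"))
    samples = {
        os.path.join("sub", "photo.jpg"): b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # valid JPEG header
        "report.pdf": bytes(range(0x40, 0x50)),  # header is not %PDF-
        "DECRYPT_INSTRUCTION.TXT": b"constructed ransom note",
        "notes.txt": b"plain text has no signature to check",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(triage(d))
```

Only the "intact" group is safe to copy without a second look; "suspect" and "unchecked" files still need a manual check or a comparison against the older backup.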