ListCWall.exe



#1 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:20 PM

Posted 08 April 2015 - 09:03 AM

ListCWall.exe includes only files on the OS drive, although any drive connected, such as an external drive, will also be affected. Is there a way to list encrypted files on the External drive?


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:20 PM

Posted 08 April 2015 - 09:13 AM

From the ListCWall download:
 

When CryptoWall infects your computer it will encrypt your data and store a list of these encrypted files in your Windows Registry.


It means that either ListCWall only lists the files that are on the C: drive (Windows drive) and ignores the other drive letters listed (D:, E:, etc.), or that CryptoWall doesn't append the files it encrypts from other external media (D:, E:, etc.) in that Registry key, only the ones from the C: (Windows) drive. Interested in knowing the answer to that one too.

Edit: Or it creates another Registry key to append the files from external drives and ListCWall doesn't include it. What else ...

Edited by Aura., 08 April 2015 - 09:14 AM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,758 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:20 PM

Posted 08 April 2015 - 02:13 PM

This is all the information Grinler provided in his last update about ListCwall.
 

We have released version 1.3.0 of ListCwall with additional features coded by The Pugilist. This new version adds some extra features that will be very useful for enterprise environments or IT professionals. These advanced features are useful for consultants and enterprise environments. These flags are described below and should be used from an Elevated Command Prompt:

The -h flag will list the help file for ListCwall.
The -q flag will suppress the output of the ListCwall program.
The -m flag will back up the files by moving them to a default folder of %Desktop%\ListCWall_Backup or to a user-specified folder. This flag can be used with the -b flag to specify a different backup folder.
The -c flag will back up the files by copying them to a default folder of %Desktop%\ListCWall_Backup or to a user-specified folder. This flag can be used with the -b flag to specify a different backup folder.
The -b flag will allow you to specify the specific backup folder you would like to use.
The -l flag will allow you to specify a custom log file rather than the default one of %Desktop%\ListCwall.txt.

Finally, we have added the ComputerName and UserName of the person running the tool. This is useful in situations where you do not know the computer that has the CryptoWall infection. If you add ListCwall to a domain login script, you will be able to see the logs that are made and what computers they came from.

More information and example usage can be found here: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#list

ListCWall Tool by Grinler, Post #899
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 JSntgRvr

Posted 08 April 2015 - 07:47 PM

I don't believe it is the tool, as it reads the information from the registry. I do have a client, however, whose files on the external drive were encrypted, but the ListCWall.txt does not show these files.

I just wonder if CryptoWall also lists the encrypted files on drives other than the main drive somewhere? Some of the flags above can be used to move these to a backup, or delete, as the user may prefer.



#5 quietman7

Posted 08 April 2015 - 08:08 PM

Offhand, I don't recall anyone asking that question or I would have put that info in my notes. However, the discussion topic is so long I could have missed it. Your best bet would be to ask Grinler directly in the CryptoWall topic where he explained the tool. He has been very busy lately and may miss this one.

#6 Aura

Posted 08 April 2015 - 08:14 PM

You could search the Registry with a few of these encrypted file names to see if they come up under a particular Registry key or keypair. If they don't then it means that Cryptowall didn't append these files anywhere in the Registry. FRST could do that I guess.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
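
The registry search suggested in the post above, as an added PowerShell example (not part of the original post, and not code from ListCWall or FRST): it walks a registry subtree and reports every key whose value names or string data contain one of the supplied file names. The function name `Find-RegistryReference`, the default root `HKCU:\Software` and the sample file names are assumptions.

```powershell
# Added example: find registry keys that reference known-encrypted files.
# Run it as the affected user, because HKCU is per-account.
function Find-RegistryReference {
    param(
        [Parameter(Mandatory)] [string[]] $Needle,   # file names or full paths to look for
        [string] $Root = 'HKCU:\Software'            # assumed starting point; pass another root to widen the scan
    )
    # The root key itself plus every readable subkey; unreadable keys are skipped.
    $keys = @(Get-Item -LiteralPath $Root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        try { $names = $key.GetValueNames() } catch { continue }   # key vanished or access denied
        foreach ($name in $names) {
            # Compare string and multi-string data only; binary values are matched by name.
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $text = if ($data -is [string] -or $data -is [string[]]) { $data -join "`n" } else { '' }
            foreach ($n in $Needle) {
                $inName = $name.IndexOf($n, [StringComparison]::OrdinalIgnoreCase) -ge 0
                $inData = $text.IndexOf($n, [StringComparison]::OrdinalIgnoreCase) -ge 0
                if ($inName -or $inData) {
                    [pscustomobject]@{
                        Key       = $key.Name
                        ValueName = $name
                        Needle    = $n
                        MatchedIn = if ($inName) { 'value name' } else { 'value data' }
                    }
                }
            }
        }
    }
}

# Constructed sample names: replace with a few files known to be encrypted on the
# external drive and a few from the OS drive, then compare which keys each group hits.
$needles = 'E:\Photos\IMG_0001.jpg', 'C:\Users\Public\Documents\report.docx'
Find-RegistryReference -Needle $needles |
    Group-Object Key |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

If the OS-drive names match under a key and the external-drive names match nowhere, the list for that drive is not in the scanned subtree; no output at all for a name means no value name or string data in the subtree contains it.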


#7 quietman7

Posted 08 April 2015 - 08:47 PM

JSntgRvr...I have asked Nathan to look at this topic. Since he has been working with Grinler on a lot of these infections, he most likely knows for sure.

#8 JSntgRvr

Posted 09 April 2015 - 10:08 AM

Thanks, quietman7. :)




#9 JSntgRvr

Posted 09 April 2015 - 10:11 AM

You could search the Registry with a few of these encrypted file names to see if they come up under a particular Registry key or keypair. If they don't then it means that Cryptowall didn't append these files anywhere in the Registry. FRST could do that I guess.

Thanks, Aura. :)




#10 quietman7

Posted 09 April 2015 - 03:52 PM

I also gave Grinler a link to this topic.

#11 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:20 PM

Posted 10 April 2015 - 07:14 AM

Yes, CryptoWall will log to the registry every file it encrypts, anywhere.


Have you performed a routine backup today?

#12 JSntgRvr

Posted 10 April 2015 - 08:36 AM

I have requested the OP to run SystemLook, trying to see if other drives' files are being written in another key, rather than in the usual.




#13 JSntgRvr

Posted 10 April 2015 - 08:41 AM

Another question, do these files have a common content we can use to weed them out of the rest?


Edited by JSntgRvr, 10 April 2015 - 08:41 AM.



#14 Nathan

Posted 10 April 2015 - 08:58 AM

Sadly, not really. There is a way through patterns at the bottom of the file, but you won't find an out-of-the-box solution.



#15 dewey.elsik

dewey.elsik

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:20 PM

Posted 28 July 2015 - 04:13 PM

Guys, I need help. I got hit last night. Not real bad but bad enough. I ran ListCWall and have the text file. I cannot figure out the DOS Prompt flags to move the encrypted files. Can someone please help me with this?

 

Dewey





