Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


infected with recover_file_fdayggywp.txt

  • This topic is locked This topic is locked
1 reply to this topic

#1 DanyH


  • Members
  • 5 posts
  • Local time:10:28 PM

Posted 07 March 2016 - 04:32 AM

I signed up here because I was infected with the  Cryptowall
I did pay ransom.  The ransomer provided decrypter.exe that did work just for some .avi and .txt files.
When I sent a note to the ransomers that their .exe would not work they said that probably there is other virus.
Here is the content of the recover_file I found on My documents named recover_file_fdayggywp.txt
Can you help me please!

Edited by quietman7, 07 March 2016 - 02:10 PM.
Moved from Introductions to Gen Security - Hamluis.

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,773 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:28 PM

Posted 07 March 2016 - 02:09 PM

There are several variants of CryptoWall but they do not leave a ransom note named recover_file_[random].txt.

However, any files that are encrypted with TeslaCrypt 2.0 (AlphaCrypt) will leave ransom notes with names like Howto_Restore_FILES.txt, RECOVERY_FILE_[random].txt, restore_files_[random].txt, recover_files_[random].txt, recover_file_[random].txt, Howto_RESTORE_FILES_[random].txt, howto_recover_file_[random].txt, _how_recover_[random].txt, how_recover+[3-random].txt. Encrypted data will have the .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc or .vvv extension appended to the end of the filename. At least one version is disguised as CryptoWall.

Any files that are encrypted with TeslaCrypt 3.0 will have the .xxx, .ttt, .micro or .mp3 extension appended to the end of the filename and leave files (ransom notes) with names like recovery_file_[random].txt, recover_file_[random].txt, Howto_Restore_FILES.TXT, help_recover_instructions+[random].txt, Recovery+[5-random].txt, _H_e_l_p_RECOVER_INSTRUCTIONS+[3-random].txt, _ReCoVeRy_+[5_random].txt, Recovery_[5_random].txt, and RECOVERY.TXT.

Information for decrypting files with .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, or .vvv extensions can be found in this BC News article: TeslaCrypt Decrypted: Flaw in TeslaCrypt allows recovery of encrypted files. Instructions on how to recover the key for decryption are also included in TeslaDecoder.zip.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance.Support for decryption requests can be posted in this topic:Support for TeslaCrypt 3.0 is in this topic where you can ask questions and seek further assistance but as noted above there is no solution to fix your encrypted files yet.Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of those topic discussions, particularly the last if dealing with one of the newer variants. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users