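<#
.SYNOPSIS
Shows recursively searched directories according to some regex and optionally deletes files

.DESCRIPTION
Searches -adir recursively for directories that contain a ransom message
(a file whose name matches -pathregex). Each such directory is written to the
output, and the files directly inside it whose names match -fileregex are
removed. Without -delall every removal is confirmed interactively; with
-delall the files are removed with -Force and no prompt. The ransom message
itself is never removed.

.PARAMETER adir
Specifies a path to a location, typically a partition. No characters are interpreted
as wildcards. If the path includes escape characters, enclose it in single
quotation marks. Single quotation marks tell Windows PowerShell not to
interpret any characters as escape sequences.

.PARAMETER pathregex
Name of the ransom message. Despite the parameter name it is matched as a
wildcard pattern (-like), which is the only reading under which the default
"*LES.txt" can match a file name.

.PARAMETER fileregex
Regular expression (case-insensitive) for the names of the files to remove.
A leading "*" is dropped before the expression is compiled, because a regex
cannot start with a quantifier.

.PARAMETER delall
Remove matching files with -Force instead of asking for confirmation.

.EXAMPLE
massdel.ps1 -adir 'C:\Users'

.NOTES
Remove-Item deletes permanently (no Recycle Bin). Encrypted files that are
removed can no longer be decrypted or examined later, so take a backup or an
image first if recovery or forensics is still an option.
The default -fileregex is not anchored and also matches ordinary
double-extension names such as "report.pdf.bak". Run without -delall first and
read the confirmation prompts before using -delall.
#>

# massdel.ps1 is a tool to clear directories affected by Maze/ChaCha ransomware.
#
# Copyright (C) 2020 Yordan Manolov
#
# This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.

param(
    # Mandatory, so it carries no default: PowerShell never uses a default on a
    # mandatory parameter, and a deleting tool should not have an implicit target.
    [Parameter(Mandatory=$true)][string]$adir,
    [string] $pathregex = "*LES.txt",
    # NOTE(review): the alternatives "8\[a-z]{2,}" and ".adm" look unfinished
    # ("\[" matches a literal bracket) - confirm the intended extensions.
    [string]$fileregex = "*\.(jpg|pdf|doc|docx|png|xls|xlsx|eml|jpeg|8\[a-z]{2,}|.adm|advs|apln|ascs|bdf|compositefont|dlm|dsc|dwt|ebx|epf|eps|epsf|exif|exr|f4v|fl|fla|gif|gif|grd|idml|ifd|incp|imp|indesignplugin|indt|inix|inms|inx|iros|isa|jsf|jsfl|jsx|kfg|lbi|meh|mfx|mno|mpv|mulib|mxp|p3m|p3r|ps2|ps3|psq|ptl|pwl|raw|rfr|sbst|sbx|ses|shc|sta|std|ste|swb|swd|swtag|tds|tpl|tty|vce|vtv|wfx|workspace|xfd|xfl|xyze|zxp)\.\w{3,}", #todo
    [switch]$delall
)

# Fail before anything is enumerated or removed if the root is not a directory.
if (-not (Test-Path -LiteralPath $adir -PathType Container)) {
    throw "Directory not found: $adir"
}

# A regex cannot begin with "*"; the default does (wildcard habit), so drop it.
$filePattern = $fileregex.TrimStart('*')
if ([string]::IsNullOrEmpty($filePattern)) {
    # An empty expression matches every name and would select every file.
    throw "fileregex must not be empty"
}

# Compile once so that an invalid expression stops the script up front instead
# of failing per file in the middle of a run. The pattern is used as given:
# escaping it (as [regex]::Escape does) would turn it into a literal string
# that no file name can match.
$nameRegex = New-Object System.Text.RegularExpressions.Regex -ArgumentList $filePattern, ([System.Text.RegularExpressions.RegexOptions]::IgnoreCase)

# only directories which contain the ransom message (txt) are affected
# NOTE(review): depending on the PowerShell version, -Recurse may descend into
# junctions / reparse points and so leave $adir - confirm on the target host.
$affectedDirs = @(
    Get-ChildItem -LiteralPath $adir -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Name -like $pathregex } |
        ForEach-Object { $_.DirectoryName } |
        Sort-Object -Unique
)

foreach ($dir in $affectedDirs) {
    # show the affected directory
    Write-Output $dir

    # note: this does not remove the ransom message, for debugging reasons
    $targets = @(
        Get-ChildItem -LiteralPath $dir |
            Where-Object {
                -not $_.PSIsContainer -and
                $_.Name -notlike $pathregex -and
                $nameRegex.IsMatch($_.Name)
            }
    )

    foreach ($file in $targets) {
        # -LiteralPath: names containing [ or ] must not be read as wildcards.
        if ($delall) { Remove-Item -LiteralPath $file.FullName -Force }
        else { Remove-Item -LiteralPath $file.FullName -Confirm }
    }
}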