From 20f3370747ac8d15e728c663783f57a242bf0448 Mon Sep 17 00:00:00 2001
From: Yordan Manolov
Date: Sat, 28 Mar 2020 23:02:47 +0100
Subject: [PATCH 1/1] initial commit
---
 massdel.ps1 | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 massdel.ps1
diff --git a/massdel.ps1 b/massdel.ps1
new file mode 100644
index 0000000..7327a18
--- /dev/null
+++ b/massdel.ps1
@@ -0,0 +1,41 @@
+<#
+.SYNOPSIS
+ Shows recursively searched directories according to some regex and optionally deletes files
+.DESCRIPTION
+ .
+.PARAMETER adir
+ Specifies a path to a location, typically a partition. No characters are interpreted
+ as wildcards. If the path includes escape characters, enclose it in single
+ quotation marks. Single quotation marks tell Windows PowerShell not to
+ interpret any characters as escape sequences.
+.EXAMPLE
+ massdel.ps1 -adir 'C:\Users>'
+#>
+
+#
+# massdel.ps1 is a tool to clear directories affected by Maze/ChaCha ransomware.
+#
+# Copyright (C) 2020 Yordan Manolov
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.
+#
+
+param (
+ [Parameter(Mandatory=$true)][string]$adir = "V:\",
+ [string] $pathregex = "*LES.txt",
+ [string]$fileregex = "*\.(jpg|pdf|doc|docx|png|xls|xlsx|eml|jpeg|8\[a-z]{2,}|.adm|advs|apln|ascs|bdf|compositefont|dlm|dsc|dwt|ebx|epf|eps|epsf|exif|exr|f4v|fl|fla|gif|gif|grd|idml|ifd|incp|imp|indesignplugin|indt|inix|inms|inx|iros|isa|jsf|jsfl|jsx|kfg|lbi|meh|mfx|mno|mpv|mulib|mxp|p3m|p3r|ps2|ps3|psq|ptl|pwl|raw|rfr|sbst|sbx|ses|shc|sta|std|ste|swb|swd|swtag|tds|tpl|tty|vce|vtv|wfx|workspace|xfd|xfl|xyze|zxp)\.\w{3,}", #todo
+ [switch]$delall = $false
+ )
+
+
+Get-ChildItem $Path -Recurse |
+ # only directories which contain the ransom message (txt) are affected
+ Where{ $_.Name -Match [regex]::escape($pathregex) } |
+ Where{ $_.Name -Match [regex]::escape($fileregex) } |
+ # note: this does not remove the ransom message, for debugging reasons
+ if($delall) { Remove-Item -Force }
+ else { Remove-Item -Confirm }
--
2.11.0
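Review bot: `Get-ChildItem $Path -Recurse` reads `$Path`, which the param block never declares (the parameter is `$adir`), so the enumeration would run against the current directory rather than the path the operator passed, in a script that ends in `Remove-Item -Force`. The tail of the pipeline also cannot run as written: `if`/`else` is a statement rather than a pipeline stage and neither `Remove-Item` is given a path, so the deletion belongs inside `ForEach-Object`. Both `Where` filters wrap their pattern in `[regex]::Escape`, which makes it a literal string, and they test the same `$_.Name` against the ransom-note pattern and then the file pattern, so no item can pass both. The sketch below assumes the intent stated in the comment (act only in directories that hold a ransom note) and treats `$pathregex` as a wildcard; `$fileregex` still needs its leading `*` dropped before `-match` will accept it. Because the encrypted files may be the only material left for later recovery or forensics, consider `[CmdletBinding(SupportsShouldProcess)]` so a `-WhatIf` dry run is available before anything is removed.

```powershell
# … unchanged: comment-based help, license header, param block …

# only directories which contain the ransom message (txt) are affected;
# the ransom message itself is left in place
Get-ChildItem -LiteralPath $adir -Recurse -File |
  Where-Object { $_.Name -like $pathregex } |
  Select-Object -ExpandProperty DirectoryName -Unique |
  ForEach-Object { Get-ChildItem -LiteralPath $_ -File } |
  Where-Object { $_.Name -notlike $pathregex -and $_.Name -match $fileregex } |
  ForEach-Object {
    if ($delall) { Remove-Item -LiteralPath $_.FullName -Force }
    else         { Remove-Item -LiteralPath $_.FullName -Confirm }
  }
```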