We had a variant of CryptoLocker (CryptoWall) and I am trying to create a PowerShell script that will find the file "DECRYPT_INSTRUCTION.TXT" and, if it is found somewhere, delete some other files (in that container or folder) like *.doc, *.pdf and *.xls.
I am pretty new to PowerShell and the client's latest backup is 2 weeks old. So I want to delete only the encrypted files and then replace them with the ones from the backup, without touching the rest of the files (we were able to stop the virus's progression quite early).
So far, I have been writing this test script, but I have commented out portions as I am not sure whether Get-ChildItem is able to pipe into a Remove-Item command and know that it should act only in the directory where it found the searched file:
# A pipeline cannot feed plain assignments; the per-file work has to sit inside
# a ForEach-Object script block, where $_ is the current DECRYPT_INSTRUCTION.TXT.
Get-ChildItem c:\PS\ -Include DECRYPT_INSTRUCTION.TXT -Recurse | ForEach-Object {
    $Item   = $_
    $Type   = $_.Extension
    $Path   = $_.FullName
    $Folder = $_.DirectoryName   # the folder that holds the note (PSIsContainer is only a true/false flag)
    $Age    = $_.CreationTime
    <# Remove-Item $_.FullName #>
    Write-Host $_.FullName " found in " $Folder
    <# Get-ChildItem c:\PS\ -Include *.doc, *.pdf, *.xls | #>   # left incomplete in the original
}
Thank you for helping.
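One way to do the selective cleanup described in the question, as an added example that is not the asker's script. It assumes the data lives under C:\PS, that the ransom notes' creation time marks when encryption started (so only documents written after that point in a hit folder are treated as encrypted), and it stays in dry-run mode (-WhatIf) until the CSV report has been reviewed.

```powershell
# Added example, not the original poster's code. Assumptions: data under $Root,
# the note's CreationTime marks the start of encryption, $DryRun stays $true
# until the report has been checked.
$Root   = 'C:\PS'
$Report = Join-Path $Root 'cryptowall-cleanup.csv'
$DryRun = $true

# Every DECRYPT_INSTRUCTION.TXT marks a folder the malware worked in.
$Notes = @(Get-ChildItem -Path $Root -Filter 'DECRYPT_INSTRUCTION.TXT' -Recurse -File)
if ($Notes.Count -eq 0) { 'No ransom notes found under {0}' -f $Root; return }

# Assumption: the earliest note was dropped when encryption began. Override
# $Cutoff by hand if the event logs give a better timestamp.
$Cutoff     = ($Notes | Sort-Object CreationTime | Select-Object -First 1).CreationTime
$HitFolders = $Notes | Select-Object -ExpandProperty DirectoryName -Unique

$Encrypted = @(foreach ($Folder in $HitFolders) {
    # -Include only filters when the path has a wildcard (or -Recurse), hence '\*'.
    # Documents older than the cutoff were not touched by the malware and must survive.
    Get-ChildItem -Path (Join-Path $Folder '*') -File -Include '*.doc', '*.pdf', '*.xls' |
        Where-Object { $_.LastWriteTime -ge $Cutoff }
})

# Write the audit trail first; it doubles as the restore list for the backup.
$Encrypted |
    Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path $Report -NoTypeInformation

'Cutoff {0}: {1} hit folders, {2} files selected (see {3})' -f `
    $Cutoff, @($HitFolders).Count, $Encrypted.Count, $Report

if ($DryRun) {
    $Encrypted | Remove-Item -WhatIf    # shows what would go, deletes nothing
} else {
    $Encrypted | Remove-Item -Force
}
```

Run it once with $DryRun = $true, compare the CSV against the backup set, then flip $DryRun to $false; the ransom notes are deliberately left in place so the folder list stays reproducible while restoring.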