# Credit due to www.reddit.com/user/Zendainc
#
# What this does:
# Finds out whether CryptoLocker has infected PCs on the network by looking for a registry key in the HKEY_USERS hive. May also be usable for terminal servers.
# If you find it:
# Go to the machine and extract the registry key [HKEY_CURRENT_USER\Software\CryptoLocker\Files]. This gives you a list of the files that have been encrypted.
# Use ComboFix to clean it.
# Recover the affected files from backups.
#
# How to use this script:
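' Resolve the target computer name, validate it, and connect to the
' root\cimv2 WMI namespace on that machine.
'
' Input:  first command-line argument if one was given, otherwise a line
'         read from StdIn (StdIn/StdOut are only available under cscript.exe).
' Output: objWMIService is set to the WMI service object for strComputer.
' Exits:  code 1 on an unusable computer name, code 2 if the WMI
'         connection cannot be made.
If WScript.Arguments.Count > 0 Then
    strComputer = WScript.Arguments(0)
Else
    WScript.StdOut.Write "Please enter a computer name: "
    strComputer = WScript.StdIn.ReadLine
End If

strComputer = Trim(strComputer)

' The name is concatenated into the WMI moniker below, so accept only
' characters that occur in host names and IPv4 addresses ("." alone still
' means the local machine). Anything else, including an empty string,
' backslashes, "!" or braces, would change the meaning of the moniker.
Set objNameCheck = New RegExp
objNameCheck.Pattern = "^[A-Za-z0-9._-]{1,253}$"
If Not objNameCheck.Test(strComputer) Then
    WScript.Echo "Invalid computer name: expected a host name or IPv4 address."
    WScript.Quit 1
End If

' impersonationLevel=impersonate makes the remote WMI provider act with the
' credentials of the account running this script.
' Trap the connection error locally so an unreachable or access-denied host
' produces a readable message instead of an unhandled runtime error.
On Error Resume Next
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
If Err.Number <> 0 Then
    WScript.Echo "Could not connect to WMI on " & strComputer _
        & " (0x" & Hex(Err.Number) & "): " & Err.Description
    WScript.Quit 2
End If
On Error GoTo 0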