
September 4, 2015 at 4:07 am

We have found a Shylock botnet on one of our servers, and one of the symptoms is that it replaces all files in a share with identically named shortcuts and then hides the original files.
I need to be able to run a script to see which directories have these shortcuts in.
So there will be a logmein.exe and logmein shortcut in the same location.
Please help!

September 4, 2015 at 6:51 am

You could use Get-ChildItem to get a recursive listing of all of your files, excluding those with the .lnk extension. Then use ForEach-Object on the returned list to loop through all the returned files, replace the extension on the FullName property with .lnk, and check for the existence of that file. If found, Out-Default that object.

September 4, 2015 at 11:13 am

Try something like this:

# List the .lnk files found in each first-level subfolder of c:\test
$dir = Get-ChildItem c:\test -Directory
foreach ($Folder in $dir) {
    Get-ChildItem $Folder.FullName | Where-Object { $_.Extension -eq '.lnk' }
}

September 4, 2015 at 11:42 am

Keep in mind that Get-ChildItem does not get hidden items by default. To do that you must use the -Force switch.
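
The suggestions in the replies above (recursive listing, matching each file against a same-named .lnk, and -Force for hidden items) combined into one script. This is an added example, not code posted by anyone in the thread. It assumes PowerShell 3.0 or later; `C:\test` is a placeholder root, `Find-ShortcutTwin` is a hypothetical function name, and checking for `name.ext.lnk` in addition to `name.lnk` is an assumption about how the shortcuts might be named.

```powershell
# Added example: report every file that has a same-named shortcut beside it.
$Root = 'C:\test'   # placeholder: point this at the affected share

function Find-ShortcutTwin {
    param([Parameter(Mandatory)][string]$Path)

    # -Force includes hidden and system items; -File skips directories.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File |
        Where-Object { $_.Extension -ne '.lnk' } |
        ForEach-Object {
            # Candidate shortcut names: extension replaced (logmein.lnk) and,
            # as an assumption, extension appended (logmein.exe.lnk).
            $candidates = @(
                [System.IO.Path]::ChangeExtension($_.FullName, '.lnk')
                "$($_.FullName).lnk"
            )
            foreach ($lnk in $candidates) {
                if (Test-Path -LiteralPath $lnk -PathType Leaf) {
                    [pscustomobject]@{
                        Directory      = $_.DirectoryName
                        Original       = $_.Name
                        Shortcut       = Split-Path -Path $lnk -Leaf
                        # True when the original file carries the Hidden attribute
                        OriginalHidden = [bool]($_.Attributes -band [System.IO.FileAttributes]::Hidden)
                    }
                    break   # one report per original file is enough
                }
            }
        }
}

$hits = Find-ShortcutTwin -Path $Root

# Directories that contain file/shortcut pairs, busiest first
$hits | Group-Object Directory | Sort-Object Count -Descending | Select-Object Count, Name

# Pairs where the original has been hidden, matching the symptom described
$hits | Where-Object OriginalHidden | Format-Table -AutoSize
```

Access-denied errors from Get-ChildItem are left visible on purpose, since any folder the scan cannot read has not been checked.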