2012-08-16 168 views
0

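Delete links and unhide hidden files C#

We were recently infected with the thumbs.db2 virus, which created shortcuts to all the Word and Excel documents on our network drives and hid the real files. I have been able to write code that walks all the folders, finds the shortcuts and deletes them, but I also need to unhide the hidden files, which I have not been able to achieve.

My code is below; it was written quickly, so please be kind :)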

    public static IEnumerable<string> GetFiles(string root, string searchPattern)
    {
        Stack<string> pending = new Stack<string>();
        pending.Push(root);
        while (pending.Count != 0)
        {
            var path = pending.Pop();
            string[] next = null;
            try
            {
                next = Directory.GetFiles(path, searchPattern);
            }
            catch { }
            if (next != null && next.Length != 0)
                foreach (var file in next) yield return file;
            try
            {
                next = Directory.GetDirectories(path);
                foreach (var subdir in next) pending.Push(subdir);
            }
            catch { }
        }
    }

    static void Main()
    {
        string lines = "";
        string startFolder = @"S:\";

        // Take a snapshot of the file system.
        System.IO.DirectoryInfo dir = new System.IO.DirectoryInfo(startFolder);
        dir.GetDirectories("*.*");
        // This method assumes that the application has discovery permissions
        // for all folders under the specified path.
        IEnumerable<String> fileList = GetFiles(startFolder, "*.lnk");

        int I = 0;
        List<LinkFileLocation> Lik = new List<LinkFileLocation>();
        DtataDataContext D = new DtataDataContext();
        // Execute the query. This might write out a lot of files!
        foreach (string fi in fileList)
        {
            LinkFileLocation L = new LinkFileLocation();
            // Console.WriteLine(fi.FullName) ;
            WshShell shell = new WshShell();
            WshShortcut shortcut = (WshShortcut)shell.CreateShortcut(fi);
            FileInfo F = new FileInfo(fi);
            var fs = F.GetAccessControl();

            var sid = fs.GetOwner(typeof(SecurityIdentifier));
            Console.WriteLine(sid); // SID
            try
            {
                var ntAccount = sid.Translate(typeof(NTAccount));
                Console.WriteLine(ntAccount); // DOMAIN\username
                L.UserCreated = ntAccount.Value.ToString();
            }
            catch
            {
                L.UserCreated = "Not Known";
            }

            L.CreationTime = F.CreationTime;
            if (shortcut.Arguments.Contains("thumbs.db2 start") && shortcut.TargetPath.Contains("cmd.exe"))
            {
                L.Arguments = shortcut.Arguments;
                L.Description = shortcut.Description;
                L.FullName = shortcut.FullName;
                L.HotKey = shortcut.Hotkey;
                L.IconLocation = shortcut.IconLocation;
                Console.Write("Infected Shortcut --" + I.ToString() + "-- :-" + shortcut.FullName.ToString() + Environment.NewLine);
                lines += "Infected Shortcut :-" + shortcut.FullName.ToString() + Environment.NewLine;
                I++;
            }
            D.LinkFileLocations.InsertOnSubmit(L);
            D.SubmitChanges();
        }

        // Compose a string that consists of three lines.

        // Write the string to a file.
        System.IO.StreamWriter file = new System.IO.StreamWriter("c:\\test.txt");
        file.WriteLine(lines);
        file.Flush();
        file.Close();
        Console.WriteLine("Press any key to exit");
        Console.ReadKey();
    }

Any help on how to unhide the files in C# would be greatly appreciated.

Kindest regards, SP

+0

"This is what I have been unable to achieve." - What exactly is the problem? – 2012-08-16 08:31:22

+0

So what is your actual question? How to [unhide a file](http://msdn.microsoft.com/en-us/library/system.io.file.setattributes.aspx)? – Gene 2012-08-16 08:32:11

+0

Sorry, I am looking to unhide files in C#. – Steven 2012-08-16 08:49:42

Answers

2

As you can see on MSDN, it is easy to remove the hidden attribute from a file:

var attributes = File.GetAttributes(fi); 
if ((attributes & FileAttributes.Hidden) == FileAttributes.Hidden) 
{ 
    attributes &= ~FileAttributes.Hidden; 
    File.SetAttributes(fi, attributes); 
} 

However, if you do not have permission to do this or have any other problem, please explain it in your question.

+0

We had a virus that created 28,000 shortcuts and hid the real files. This is what I was after; not sure why I could not find this. Thanks – Steven 2012-08-16 09:11:06

0

For anyone who has the same problem, this is the code we used to delete the shortcut links and unhide the files:

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using IWshRuntimeLibrary;
    using System.IO;
    using System.Security.Principal;

    namespace HiddenFilesHow
    {
        using Microsoft.Win32.SafeHandles;

        class FindFileByExtension
        {
            // Walks the tree under root without recursion and yields the full
            // path of every file matching searchPattern. Folders that cannot
            // be read are skipped silently.
            public static IEnumerable<string> GetFiles(string root, string searchPattern)
            {
                Stack<string> pending = new Stack<string>();
                pending.Push(root);
                while (pending.Count != 0)
                {
                    var path = pending.Pop();
                    string[] next = null;
                    try
                    {
                        next = Directory.GetFiles(path, searchPattern);
                    }
                    catch { }
                    if (next != null && next.Length != 0)
                        foreach (var file in next) yield return file;
                    try
                    {
                        next = Directory.GetDirectories(path);
                        foreach (var subdir in next) pending.Push(subdir);
                    }
                    catch { }
                }
            }

            static void Main()
            {
                try
                {
                    string lines = "";
                    Console.WriteLine("Please enter folder location:- ");
                    string startFolder = Console.ReadLine();
                    Console.WriteLine("Begining Scan ");
                    // Take a snapshot of the file system.
                    System.IO.DirectoryInfo dir = new System.IO.DirectoryInfo(startFolder);
                    dir.GetDirectories("*.*");
                    // This method assumes that the application has discovery permissions
                    // for all folders under the specified path.
                    IEnumerable<String> fileList = GetFiles(startFolder, "*.lnk");

                    int I = 0;
                    // Execute the query. This might write out a lot of files!
                    foreach (string fi in fileList)
                    {
                        // Console.WriteLine(fi.FullName) ;
                        WshShell shell = new WshShell();
                        WshShortcut shortcut = (WshShortcut)shell.CreateShortcut(fi);
                        FileInfo F = new FileInfo(fi);
                        try
                        {
                            // Print the shortcut's owner. A failure to read or
                            // translate it must not abort the whole scan.
                            var fs = F.GetAccessControl();
                            var sid = fs.GetOwner(typeof(SecurityIdentifier));
                            // Console.WriteLine(sid); // SID
                            var ntAccount = sid.Translate(typeof(NTAccount));
                            Console.WriteLine(ntAccount); // DOMAIN\username
                        }
                        catch
                        {
                        }

                        if (shortcut.Arguments.Contains("thumbs.db2 start") && shortcut.TargetPath.Contains("cmd.exe"))
                        {
                            // Console.Write("Infected Shortcut --" + I.ToString() + "-- :-" + shortcut.FullName.ToString() + Environment.NewLine);
                            lines += "Infected Shortcut :-" + shortcut.FullName.ToString() + Environment.NewLine;
                            I++;
                            if (!fi.EndsWith(".lnk", StringComparison.OrdinalIgnoreCase))
                            {
                                Console.WriteLine("The {0} file not deleted --------.", fi);
                                continue;
                            }
                            // Strip only the trailing ".lnk"; Replace(".lnk", "") would also
                            // alter any folder or file name that contains ".lnk" elsewhere.
                            string original = fi.Substring(0, fi.Length - ".lnk".Length);
                            try
                            {
                                // Throws if the original file is missing; that shortcut is then skipped.
                                FileAttributes attributes = System.IO.File.GetAttributes(original);
                                if ((attributes & FileAttributes.Hidden) == FileAttributes.Hidden)
                                {
                                    // Show the file.
                                    attributes = RemoveAttribute(attributes, FileAttributes.Hidden);
                                    System.IO.File.SetAttributes(original, attributes);
                                    Console.WriteLine("The {0} file is no longer hidden.", original);
                                    System.IO.File.Delete(fi);
                                    Console.WriteLine("The {0} file is no longer exists.", fi);
                                }
                            }
                            catch { }
                        }
                    }

                    // Write the list of infected shortcuts to a file.
                    System.IO.StreamWriter file = new System.IO.StreamWriter("c:\\test.txt");
                    file.WriteLine(lines);
                    file.Flush();
                    file.Close();
                    Console.WriteLine("Press any key to exit");
                    Console.ReadKey();
                }
                catch (Exception e)
                {
                    Console.WriteLine(e.Message);
                    Console.WriteLine("Error");
                    Console.ReadLine();
                }
            }

            private static FileAttributes RemoveAttribute(FileAttributes attributes, FileAttributes attributesToRemove)
            {
                return attributes & ~attributesToRemove;
            }
        }
    }

0

Neat... but

del /S *.xls.lnk

del /S *.doc.lnk

does the trick too. Also

attrib -H /S *.doc

attrib -H /S *.xls

1

One problem with:

del /S *.xls.lnk 

del /S *.doc.lnk 

does the trick too. Also 

attrib -H /S *.doc 

attrib -H /S *.xls 

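The malware also modifies existing shortcuts to include a call to thumbs.db2. This method would also require restoring the pre-existing .LNK files from backup!

Alternatively (as I intend to do), take the code above and add a check for pre-existing LNK files, based on creation date/time and/or the absence of a hidden file in the same directory whose name matches the LNK file.

Also, for those with this problem who are still waiting for any AV company to figure this out... replacing thumbs.db2 with a dummy file and locking down the NTFS permissions seems to stop the execution, without the malware changing to a different file name as some people have mentioned.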

+0

It has also started creating shortcuts to exe files. Bah – Steven 2012-08-17 10:49:05
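The check suggested in the answer above (telling shortcuts the malware created apart from pre-existing shortcuts it modified, by looking for a hidden file of the matching name in the same directory), as an added C# example that is not part of the original thread. `LnkTriage`, `LnkVerdict` and `Classify` are hypothetical names, the sample files and argument string are constructed, and the shortcut's arguments and target are passed in as strings so the logic runs without the COM reference.

```csharp
using System;
using System.IO;

enum LnkVerdict { Clean, CreatedByMalware, ModifiedExisting }

static class LnkTriage
{
    // arguments/targetPath are the values read from the shortcut
    // (WshShortcut.Arguments and WshShortcut.TargetPath in the thread's code).
    public static LnkVerdict Classify(string lnkPath, string arguments, string targetPath)
    {
        bool infected =
            arguments.IndexOf("thumbs.db2 start", StringComparison.OrdinalIgnoreCase) >= 0 &&
            targetPath.IndexOf("cmd.exe", StringComparison.OrdinalIgnoreCase) >= 0;
        if (!infected) return LnkVerdict.Clean;

        // "report.doc.lnk" -> "report.doc": strip only the trailing extension.
        string sibling = Path.Combine(Path.GetDirectoryName(lnkPath),
                                      Path.GetFileNameWithoutExtension(lnkPath));
        bool hiddenSibling = File.Exists(sibling) &&
            (File.GetAttributes(sibling) & FileAttributes.Hidden) != 0;

        // Hidden original next to it: safe to unhide the file and delete the link.
        // No hidden original: a real shortcut that was rewritten; restore it from backup.
        return hiddenSibling ? LnkVerdict.CreatedByMalware : LnkVerdict.ModifiedExisting;
    }

    static void Main()
    {
        // Constructed sample data in a temporary folder.
        string dir = Directory.CreateDirectory(
            Path.Combine(Path.GetTempPath(), Path.GetRandomFileName())).FullName;
        string doc = Path.Combine(dir, "report.doc");
        File.WriteAllText(doc, "real document");
        File.SetAttributes(doc, File.GetAttributes(doc) | FileAttributes.Hidden);

        // Constructed argument string; only the "thumbs.db2 start" part comes from the thread.
        string args = "thumbs.db2 start report.doc";
        string cmd = @"C:\Windows\System32\cmd.exe";

        Console.WriteLine(Classify(Path.Combine(dir, "report.doc.lnk"), args, cmd));
        Console.WriteLine(Classify(Path.Combine(dir, "Payroll app.lnk"), args, cmd));
        Console.WriteLine(Classify(Path.Combine(dir, "notes.lnk"), "", @"C:\Windows\notepad.exe"));
        Directory.Delete(dir, true);
    }
}
```

Only shortcuts classified as `CreatedByMalware` should go through the unhide-and-delete path; `ModifiedExisting` ones need the pre-infection .LNK restored from backup, as the answer notes.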

0

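Also, please check the paths of the other .lnk files on your network share.

With this virus, we not only got .xls.lnk and .doc.lnk versions of the files created; it also changed any existing LNK files.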

+0

We had the same problem, and it has now re-infected as thumbs.dbh. – Steven 2012-08-17 09:33:37

1
System.IO.File.SetAttributes(<Filename>, IO.FileAttributes.Normal) 

That should do it, I think.