3

In Windows there is a malware that creates a fake executable (522k), renames the real executables (.exe) to g*.exe and changes their attributes to hidden and read-only.

Example:

folder 1
  Bar.exe # fake
  gBar.exe # real (hidden and read-only)

folder2
  Foo.exe # fake
  gFoo.exe # real (hidden and read-only)

I would like to know if there is a command for Windows (to run with privileges in safe mode) that does a recursive search of executables (over the whole hard drive) and, where there are matches (*.exe and g*.exe in the same directory or subdirectory), changes the attributes of the real .exe and deletes the fake or makes the replacement (from g*.exe to *.exe).

Update:

  1. I have removed the Linux command to avoid confusion
  2. This is what I have done so far (it's not a big deal):

    setlocal enabledelayedexpansion
    rem batch-file form (%%f); ren only accepts a bare new name, so strip the leading g from the file name itself
    for /r "c:\" %%f in (g*.exe) do (set "n=%%~nxf" & attrib -h -s -r +a "%%f" & ren "%%f" "!n:~1!")
    

Update:

The response indicated as correct may eventually compromise system files, so I will solve the problem from Linux (with my initial proposal) and abandon the question for Windows.

Thank you all for your contribution (special thanks to Pimp Juice IT)

acgbox
  • 844

1 Answer

2

You can run two separate for /f loops with the dir command, using /a:h in one to iterate the hidden files and /a:r in the other to iterate the read-only files.

You'd use the attrib command with the -h parameter to remove the hidden attributes of the files and with the -r parameter to remove the read-only attributes of the files.

Note: You can use "g*.exe" as the wildcard of all exe files starting with the letter "g". Also be sure to run this from the directory where you want to start your recursive find of the applicable files.

Remove Hidden Attributes

FOR /F "TOKENS=*" %a IN ('dir /s /b /a:h "*.exe"') do attrib -h "%~a"

Remove Read-Only Attributes

FOR /F "TOKENS=*" %a IN ('dir /s /b /a:r "*.exe"') do attrib -r "%~a"

Remove Fake File and Rename Real File Back

Per your clarification to find the exe files that are prefixed with the g character at the beginning of the file name, use the below batch script after you remove the hidden and read-only attributes. This will recursively find the g prefixed files, set a variable with the g parsed from those file names, remove the fake file, and then rename the g prefixed file back to the original name.

@ECHO ON
setlocal enabledelayedexpansion
set "src=C:\"
set "mvFldr=C:\Moved"
if not exist "%mvFldr%" MD "%mvFldr%"
REM Recurse from %src% over files whose name starts with g and ends in .exe.
FOR /F "TOKENS=*" %%a IN ('dir /s /b /a-d "%src%g*.exe"') do (
    REM dir's *.exe pattern can also match longer extensions (e.g. .exec), so check the
    REM extension here; a GOTO inside the loop body would abort the whole loop.
    if /i "%%~Xa"==".exe" (
        set "gname=%%~NXa"
        set "origname=!gname:~1!"
        REM Only act when both gBar.exe and Bar.exe exist in the same folder: Bar.exe is then the fake.
        if exist "%%~DPa!origname!" (
            move "%%~DPa!origname!" "%mvFldr%"
            REM or delete the fake instead of moving it aside:
            REM del /q /f "%%~DPa!origname!"
            REM give the real file its original name back, but only once the fake is really gone
            if not exist "%%~DPa!origname!" ren "%%~DPa!gname!" "!origname!"
        )
    )
)
EXIT


karel
  • 13,706