Title: [Text processing] Batch-script SREng log intelligent analysis tool (please help find problems and trim it)
Author: batpro  Time: 2011-5-24 22:01  Title: Batch-script SREng log intelligent analysis tool (please help find problems and trim it)
- rem Copyright/banner section starts here
- @echo off
- rem
- mode con cols=100 lines=12 &color 9f
- cls
- set a=^set /p=■%b%^<nul^&ping/n 0 127.1.0^>nul^&
- echo.
- echo 程序正在初始化. . .
- echo ┌──────────────────────────────────────┐
- set/p= <nul&%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%
- echo 100%%
- echo └──────────────────────────────────────┘
- set b=
- set a=■
- set /a z=100
- :start
- cls
- set a=%a%■■
- set /a b+=5
- set /a z-=5
- echo.
- echo 程序正在启动,请稍候. . . 欢迎使用SREnglog智能分析助手 by 52kafan
- echo from http://bbs.kafan.cn/
- echo ┌──────────────────────────────────────────┐
- echo %a% %b%%%
- echo └──────────────────────────────────────────┘
- ping /n 0 127.0 >nul
- if %b% geq 100 goto num2
- ping /n 0 127.0 >nul
- set /a sum =5
- goto start
- :_exit
- set /a sum-=1
- set/p=%sum% 秒后退出! <nul
- echo.
- if %sum% EQU 0 exit
- ping /n 0 127.0 >nul
- goto _exit
- :num2
- rem Banner section ends here
- rem ⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙
- rem ┌─────────────────────────────────────────────────────────────┐
- rem Software architecture section
- rem └─────────────────────────────────────────────────────────────┘
- rem (1) Collect every "N/A" line into N-A.txt
- (echo 创建文本& echo.)>>tt.txt
- (echo 创建文本& echo.)>>N7.txt
- (echo 创建文本& echo.)>>old2.txt
- (echo 创建文本& echo.)>>ttt.txt
- findstr /li "N/" SREngLOG.log>>N-A.txt
- setlocal enabledelayedexpansion
- for /f "tokens=*" %%i in (N-A.txt) do (
- set var=%%i
- rem ┌──────────────────────────────────────────────────────────────┐
- rem N/A whitelist section
- rem └──────────────────────────────────────────────────────────────┘
- rem (2) Mark the normal driver entries and related service entries in N-A.txt
- set "var=!var:drivers\360AntiArp.sys=%正常!"
- set "var=!var:Garena\safedrv.sys=%正常!"
- set "var=!var:system32\DRIVERS\ewusbmdm.sys=%正常的华为CDMA上网卡驱动!"
- set "var=!var:system32\DRIVERS\ewusbdev.sys=%正常的华为出品无线网卡相关驱动!"
- set "var=!var:system32\drivers\massfilter.sys=%正常的DVD/CD-ROM设备管理程序驱动!"
- set "var=!var:system32\drivers\mpfilt.sys=%正常的安国U盘量产工具的驱动!"
- set "var=!var:system32\DRIVERS\pcdrndisuio.sys=%正常的联想toolbox安装的驱动!"
- set "var=!var:System32\Drivers\sptd.sys=%正常的虚拟光驱DAEMON Tools的驱动文件!"
- set "var=!var:system32\NtDriver.sys=%正常的卡巴斯基木马扫描工具troyanfindinfo驱动!"
- set "var=!var:system32\DRIVERS\tvtpktfilter.sys=%正常的联想thinkpad文件还原恢复程序的驱动!"
- set "var=!var:system32\DRIVERS\UIUSYS.SYS=%正常的联想调制解调器驱动!"
- set "var=!var:system32\DRIVERS\zgdccat.sys=%正常的CDMA人机接口驱动!"
- set "var=!var:system32\DRIVERS\zgdccdiag.sys=%正常的USB调制解调器/串行设备驱动!"
- set "var=!var:system32\DRIVERS\zgdccmdm.sys=%正常的CDMA联想USB调制解调器驱动!"
- set "var=!var:system32\DRIVERS\zgdccvousb.sys=%正常的USB调制解调器/串行设备驱动!"
- set "var=!var:AntiARPClientLoader.exe=%正常的!"
- set "var=!var:System32\TPHDEXLG.exe=%正常的!"
- set "var=!var:oracle\ora92=%正常的!"
- set "var=!var:ipinip.sys=%正常!"
- set "var=!var:aliide.sys=%正常!"
- set "var=!var:viaudio.sys=%正常!"
- set "var=!var:SKNFW.sys=%正常!"
- set "var=!var:RsNTGdi.sys=%正常!"
- set "var=!var:SkyNet\Firewall\SkyProcs.sys=%正常!"
- set "var=!var:snpstd3.sys=%正常!"
- set "var=!var:ggghost.sys=%正常!"
- set "var=!var:p2pfilter.sys=%正常!"
- set "var=!var:tcphoc.sys=%正常!"
- set "var=!var:usb2vcom.sys=%正常!"
- set "var=!var:SystemCleaner\krpr.sys=%正常!"
- set "var=!var:dtscsi.sys=%正常!"
- set "var=!var:DRIVERS\sr.sys=%正常!"
- set "var=!var:d347prt.sys=%正常!"
- set "var=!var:npkcusb.sys=%正常!"
- set "var=!var:Rfw\HookUrl.sys=%正常!"
- set "var=!var:Rfw\RsFwDrv.sys=%正常!"
- set "var=!var:scdriver\ScbkEx.sys=%正常!"
- set "var=!var:scdriver\ScCchMgr.sys=%正常!"
- set "var=!var:scdriver\ssfltpt.sys=%正常!"
- set "var=!var:3waregsm.sys=%正常!"
- set "var=!var:KLIF.SYS=%正常!"
- set "var=!var:tsusbhub.sys=%正常!"
- set "var=!var:Program Files=%正常!"
- set "var=!var:o2media.sys=%正常!"
- set "var=!var:o2sd.sysO2Micro=%正常!"
- set "var=!var:blueletaudio.sys=%正常!"
- set "var=!var:rdvgkmd.sys=%正常!"
- set "var=!var:btnetdrv.sys=%正常!"
- set "var=!var:vbtenum.sys=%正常!"
- set "var=!var:BTHidMgr.sys=%正常!"
- set "var=!var:npkcrypt.sys><N/A>=%npkcrypt.sys><N/A>正常!"
- set "var=!var:xAntiArp.sys><N/A>=xAntiArp.sys><N/A>正常!"
- set "var=!var:<\??\C:\PROGRA~1\thunder network\thunder\XLDoctor\7.1.7.2244_2\Program\tcphoc.sys><N/A>=%<\??\C:\PROGRA~1\thunder network\thunder\XLDoctor\7.1.7.2244_2\Program\tcphoc.sys><N/A>正常!"
- set "var=!var:EagleXNt.sys=%正常!"
- set "var=!var:DRIVERS\epfwtdir.sys=%正常!"
- set "var=!var:零时空\ntio518xp.sys=%正常!"
- set "var=!var:DTL132\DTL132_x32.sys=%正常!"
- set "var=!var:360TimeProt.sys=%正常!"
- set "var=!var:synth3dvsc.sys=%正常!"
- set "var=!var:VcommMgr.sys=%正常!"
- set "var=!var:TDSMAPI.SYS=%正常!"
- set "var=!var:TPInput.sys=%正常!"
- set "var=!var:System32\drivers\Tppwrif.sys=%正常!"
- set "var=!var:ASIO.SYS=%正常!"
- set "var=!var:system32\drivers\AsIO.sys=%正常!"
- set "var=!var:drivers\PnpWmkDrv.sys=%正常!"
- set "var=!var:system32\DRIVERS\pfc027.sys=%正常!"
- set "var=!var:hostnt.sys=%正常!"
- set "var=!var:nod32drv.sys=%正常!"
- set "var=!var:mhdrv.sys=%正常!"
- set "var=!var:drivers\rcmhdog.sys=%正常!"
- set "var=!var:bdpredir.sys=%正常!"
- set "var=!var:LongRADrv.sys=%正常!"
- set "var=!var:gmsipci.sys=%正常!"
- set "var=!var:npf.sysCACE=%正常!"
- set "var=!var:EagleNT.sys=%正常!"
- set "var=!var:npkycryp.sys=%正常!"
- set "var=!var:PCAMp50.sys=%正常!"
- set "var=!var:PCASp50.sys=%正常!"
- set "var=!var:amd64\AODDriver2.sys=%正常!"
- set "var=!var:AmgVP.sys=%正常!"
- set "var=!var:DRIVERS\motfilt.sys=%正常!"
- set "var=!var:Drivers\motoandroid.sys=%正常!"
- set "var=!var:DRIVERS\motccgp.sys=%正常!"
- set "var=!var:DRIVERS\motccgpfl.sys=%正常!"
- set "var=!var:DRIVERS\motodrv.sys=%正常!"
- set "var=!var:DRIVERS\motmodem.sys=%正常!"
- set "var=!var:DRIVERS\motswch.sys=%正常!"
- set "var=!var:DRIVERS\Motousbnet.sys=%正常!"
- set "var=!var:DRIVERS\motusbdevice.sys=%正常!"
- set "var=!var:DRIVERS\TurboB.sys=%正常!"
- set "var=!var:SuperFZ.sys=%正常!"
- set "var=!var:SucopDrv.sys=%正常!"
- set "var=!var:epfwtdir.sys=%正常!"
- set "var=!var:\??\=%ddd!"
- set "var=!var:-k netsvcs-->=%@!"
- echo !var!>>N1.txt
- )
- rem (3) Generate 可疑驱动.txt (suspicious drivers)
- findstr /li "ddd" N1.txt >>可疑驱动.txt
- setlocal enabledelayedexpansion
- for /f "delims=" %%i in (N1.txt) do (
- if not defined %%i set %%i=A & echo %%i>>report.txt)
- rem ⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙
- rem ┌──────────────────────────────────────────────────────────┐
- rem Report section
- rem └──────────────────────────────────────────────────────────┘
- rem
- rem ----------------------------------------------------------------------------------------------------------------------------
- findstr /li "system32\COMRes.dll" SREngLOG.log >>old.txt
- rem ----------------------------------------------------------------------------------------------------------------------------
- findstr /li "[," SREngLOG.log >>1001.txt
- findstr /li ".ocx" 1001.txt >>old.txt
- setlocal enabledelayedexpansion
- for /f "tokens=*" %%i in (old.txt) do (
- set var=%%i
- set "var=!var:System32=%system32!"
- set "var=!var:1=%!"
- set "var=!var:0=%!"
- echo !var!>>old2.txt
- )
- setlocal enabledelayedexpansion
- for /f "delims=" %%i in (old2.txt) do (findstr /c:"%%i" tt.txt>nul||echo %%i>>tt.txt)
- (echo 1、用替换工具替换以下文件:& echo.)>分析报告.txt
- findstr /li "system32\COMRes.dll" tt.txt >>分析报告.txt
- findstr /li "Infected" SREngLOG.log >>分析报告.txt
- (echo ———————————————————————————————————————& echo.)>>分析报告.txt
- (echo 2、用xdelbox删除以下文件 :& echo.)>>分析报告.txt
- findstr /li "[," report.txt >>要删除的文件.txt
- findstr /li "A," report.txt >>要删除的文件.txt
- findstr /li "<internat>" SREngLOG.log>>要删除的文件.txt
- findstr /li "updater.exe" SREngLOG.log>>要删除的文件.txt
- findstr /li ".ocx" tt.txt >>要删除的文件.txt
- findstr /li "菜单" SREngLOG.log>>要删除的文件.txt
- findstr /li "samservice.exe><>" SREnglog.log>>要删除的文件.txt
- findstr /li "@" N1.txt >>要删除的文件.txt
- findstr /li ".exe><N/" N1.txt >>要删除的文件.txt
- findstr /li ".dll><N/" N1.txt >>要删除的文件.txt
- findstr /li "tasks\SogouImeMgr.job" SREnglog.log>>要删除的文件.txt
- findstr /li "Tmp" SREngLOG.log >>Temp.txt
- findstr /li "[]" Temp.txt >>要删除的文件.txt
- findstr /li "LOCALS~1\Temp" SREngLOG.log >>要删除的文件.txt
- @findstr /v "PID" 要删除的文件.txt >>重复文件.txt
- setlocal enabledelayedexpansion
- for /f "delims=" %%i in (重复文件.txt) do (findstr /c:"%%i" ttt.txt>nul||echo %%i>>ttt.txt)
- findstr /li "Tmp" ttt.txt >>分析报告.txt
- @findstr /v "tmp" ttt.txt >>分析报告.txt
- (echo ———————————————————————————————————————& echo.)>>分析报告.txt
- (echo 正在运行的程序:& echo.)>>分析报告.txt
- @findstr /v "特权" 要删除的文件.txt >8.txt
- findstr /li "PID" 8.txt>>mm.txt
- findstr /li "svchost.exe" SREngLOG.log >>mm.txt
- findstr /li "smss.exe" SREngLOG.log >>mm.txt
- (echo 正在运行的程序:& echo.)>>正在运行的程序.txt
- setlocal enabledelayedexpansion
- for /f "tokens=*" %%i in (mm.txt) do (
- set var=%%i
- set "var=!var:.cn=%!"
- set "var=!var:/=%!"
- set "var=!var:System32\smss.exe=%!"
- set "var=!var:system32\svchost.exe=%!"
- echo !var!>>正在运行的程序.txt
- )
- findstr /li ".exe" 正在运行的程序.txt >>分析报告.txt
- findstr /li ".tmp" 正在运行的程序.txt >>分析报告.txt
-
- (echo ———————————————————————————————————————& echo.)>>分析报告.txt
- (echo 3、打开SREng,选择【启动项目】-【注册表】,将以下项删除:& echo.)>>分析报告.txt
- findstr /li "><" SREngLOG.log >>N2.txt
- findstr /li "[]" N2.txt >>N3.txt
- findstr /li "missing]" SREngLOG.log >>N3.txt
-
- @findstr /v "菜单" N3.txt >>分析报告.txt
- setlocal enabledelayedexpansion
- for /f "tokens=*" %%i in (分析报告.txt) do (
- set var=%%i
- rem ┌──────────────────────────────────────────────────────────┐
- rem Report whitelist section
- rem └──────────────────────────────────────────────────────────┘
- rem
- set "var=!var:[File is missing]=%<注册表残留项>!"
- set "var=!var:assembly\=%正常!"
- set "var=!var:奇虎网=%正常!"
- set "var=!var:CMBProtector.dat><N/A>=%CMBProtector.dat><N/A>正常!"
- set "var=!var:CertClient.dat><N/A>=%CertClient.dat>正常!"
- set "var=!var:system32\srvany.exe=%正常!"
- set "var=!var:KMService.exe=%正常!"
- set "var=!var:\jre\bin\=%正常!"
- set "var=!var:Garena\safedrv.sys=%正常!"
- set "var=!var:XLPPoEPCIoctl.dll=%正常!"
- set "var=!var:BYTEHERO\BSD=%正常!"
- set "var=!var:通讯簿=%正常!"
- set "var=!var:Smallfrogs=%正常!"
- set "var=!var:360\360SD=%这是正常程序!"
- set "var=!var:load=%正常!"
- set "var=!var:360Chrome\Chrome=%正常!"
- set "var=!var:WebCheck=%正常!"
- set "var=!var:@C:\WINDOWS\system32\=%!"
- set "var=!var:AppInit_DLLs=%正常!"
- set "var=!var:CPUMon\CPUMon.exe=%正常!"
- set "var=!var:kolscan\sqlite.dll=%kolscan\sqlite.dll (这是正常程序)!"
- set "var=!var:Thunder=%Thunder正常!"
- set "var=!var:msdmo.dll=%正常!"
- set "var=!var:kingsoft\=%正常!"
- set "var=!var:\Avira\AntiVir=%正常!"
- set "var=!var:Yuguo\=%Yuguo\正常的雨过天晴电脑保护系统!"
- set "var=!var:Software\Avast=%正常!"
- set "var=!var:KuGou\KuGou=%正常!"
- set "var=!var:(Signed)=%(Signed)正常!"
- set "var=!var:<load><>=%<load><>正常!"
- set "var=!var:atitray=%正常!"
- set "var=!var:Macrovision=%正常!"
- set "var=!var:Secdrv=%正常!"
- set "var=!var:VIA=%正常!"
- set "var=!var:system32\COMRes.dll=%正常!"
- set "var=!var:WDM=%正常!"
- set "var=!var:ChinaNet=%正常!"
- set "var=!var:VIAudio=%正常!"
- set "var=!var:KSM\sqlite.dll=%正常!"
- set "var=!var:SKNFW=%正常!"
- set "var=!var:SkyProcs=%正常!"
- set "var=!var:SkyNet\Firewall\SkyProcs.sys=%正常!"
- set "var=!var:SNPSTD3=%正常!"
- set "var=!var:Camera=%正常!"
- set "var=!var:ZSMC=%正常!"
- set "var=!var:VM=%正常!"
- set "var=!var:ICBCEbankTools=%正常!"
- set "var=!var:SogouExplorer\=%正常!"
- set "var=!var:Unlocker=%正常!"
- set "var=!var:snapshot\Client=%正常!"
- set "var=!var:Jollytime=%正常!"
- set "var=!var:usb2vcom=%正常!"
- set "var=!var:MemTurbo\=%正常!"
- set "var=!var:sptd=%正常!"
- set "var=!var:dtscsi=%正常!"
- set "var=!var:[Explorer]=%<Explorer>!"
- set "var=!var:Mozilla\Firefox=%正常!"
- set "var=!var:Manager\PowerUtl.dll=%正常!"
- set "var=!var:firefox\mozjs.dll=%正常!"
- set "var=!var:d347bus=%正常!"
- set "var=!var:ufjdk\bin\java.exe=%正常!"
- set "var=!var:d347prt=%正常!"
- set "var=!var:(Verified)Microsoft=%正常!"
- set "var=!var:npkcrypt=%正常!"
- set "var=!var:npkcusb=%正常!"
- set "var=!var:SMPLSCSI=%正常!"
- set "var=!var:CMBProtector=%正常!"
- set "var=!var:rfw\rfwproxy.exe=%正常!"
- set "var=!var:rfw\rfwsrv.exe=%正常!"
- set "var=!var:3WAREGSM=%正常!"
- set "var=!var:3WDRV=%正常!"
- set "var=!var:IObit\Advanced SystemCare=%正常!"
- set "var=!var:oreans32=%正常!"
- set "var=!var:EHttpSrv.exe=%正常!"
- set "var=!var:O2MDRDR=%正常!"
- set "var=!var:ekrn.exe=%正常!"
- set "var=!var:Numen\NumenAgentWin\=%正常!"
- set "var=!var:O2Micro=%正常!"
- set "var=!var:O2SDRDR=%正常!"
- set "var=!var:o2sd.sysO2Micro=%正常!"
- set "var=!var:Lenovo=%正常!"
- set "var=!var:fsp.exe=%正常!"
- set "var=!var:usblogon.exe=%正常!"
- set "var=!var:Bluetooth=%正常!"
- set "var=!var:[ ]=%!"
- set "var=!var:Google\Chrome\Application=%Google\Chrome\Application正常!"
- set "var=!var:_DLLs><>=%_DLLs><>正常!"
- set "var=!var:Easy Display Manager\HookDllPS2.dll]=%Easy Display Manager\HookDllPS2.dll] 正常!"
- set "var=!var:System32\bcm1xsup.dll=%System32\bcm1xsup.dll (这是正常程序)!"
- set "var=!var:Mozilla Firefox\mozjs.dll]=%Mozilla Firefox\mozjs.dll] 正常!"
- set "var=!var:VMware Workstation\libxml2.dll]=%VMware Workstation\libxml2.dll] 正常 !"
- set "var=!var:Program Files\WinRAR=%Program Files\WinRAR正常的WinRAR文件!"
- set "var=!var:json.dll]=%json.dll正常的金山在线杀毒模块]!"
- set "var=!var:network\tp=%network\tp(这是正常程序)!"
- set "var=!var:KWMUSIC\bin\=%KWMUSIC\bin\(这是正常程序)!"
- set "var=!var:Fetion=%Fetion(这是正常程序)!"
- set "var=!var:\Holdfast\platform=%\Holdfast\platform(这是正常程序)!"
- set "var=!var:<\??\C:\PROGRA~1\thunder network\thunder\XLDoctor\7.1.7.2244_2\Program\tcphoc.sys><N/A>=%<\??\C:\PROGRA~1\thunder network\thunder\XLDoctor\7.1.7.2244_2\Program\tcphoc.sys><N/A>正常!"
- set "var=!var:regsvr32.exe /s /n /i:/UserInstall=%regsvr32.exe /s /n /i:/UserInstall (这是正常程序)!"
- set "var=!var:\Outlook=%\Outlook (这是正常程序)!"
- set "var=!var:VMware\VMware=%VMware\VMware (这是正常程序)!"
- set "var=!var:Yuguo\shieldclnt.exe><N/A>=%Yuguo\shieldclnt.exe><N/A> (这是正常程序)!"
- set "var=!var:bcmwltry.exe><N/A>=%bcmwltry.exe><N/A> (这是正常程序)!"
- set "var=!var:System32\WLTRYSVC.EXE]=%System32\WLTRYSVC.EXE] (这是正常程序)!"
- set "var=!var:Adobe Systems, Inc.,=%Adobe Systems, Inc.,正常!"
- set "var=!var:Funshion Online=%Funshion Online (这是正常程序)!"
- set "var=!var:Maxthon=%正常!"
- set "var=!var:<res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, >=%这是正常文件!"
- set "var=!var:webaClient.exe=%正常!"
- set "var=!var:NvCpl.dll=%正常!"
- set "var=!var:NvStartup=%正常!"
- set "var=!var:PCHealth=%正常!"
- set "var=!var:AcPrfMgrSvc=%正常!"
- set "var=!var:ThinkPad=%正常!"
- set "var=!var:AcSvc=%正常!"
- set "var=!var:Backup\QQPet=%正常!"
- set "var=!var:H3C\gmMgr_h3c.exe=%正常!"
- set "var=!var:ConnectUtilities=%正常!"
- set "var=!var:AcSvc.exeLenovo=%正常!"
- set "var=!var:Defender\mpsvc.dll=%正常!"
- set "var=!var:IBMPMSVC=%正常!"
- set "var=!var:Tencent\QQ=%正常!"
- set "var=!var:Intel\Wireless\Bin\=%正常!"
- set "var=!var:ibmpmsvc.exe=%正常!"
- set "var=!var:IBM=%正常!"
- set "var=!var:system32\TpKmpSVC.exe=%正常!"
- set "var=!var:system32\ati2sgag.exe=%正常!"
- set "var=!var:UfAutoLoadService=%正常!"
- set "var=!var:UfMsgGhost=%正常!"
- set "var=!var:MsgGhost.exe=%正常!"
- set "var=!var:U8AuthServer=%正常!"
- set "var=!var:UFNet=%正常!"
- set "var=!var:Outlook=%正常!"
- set "var=!var:shmgrate.exe=%正常!"
- set "var=!var:system32\ServerNT.exe=%正常!"
- set "var=!var:Simulator=%正常!"
- set "var=!var:System32\PAStiSvc.exe=%正常!"
- set "var=!var:Cyberip=%正常!"
- set "var=!var:RichVideo.exe=%正常!"
- set "var=!var:powershadow=%正常!"
- set "var=!var:ShadowSystemService=%正常!"
- set "var=!var:ShadowService.exe=%正常!"
- set "var=!var:system32\o2flash.exe=%正常!"
- set "var=!var:srservice=%正常!"
- set "var=!var:srsvc.dll=%正常!"
- set "var=!var:MAPGIS=%正常!"
- set "var=!var:zdLccSvc=%正常!"
- set "var=!var:system32\ZDLCCSVC.EXE=%正常!"
- set "var=!var:ALi=%正常!"
- set "var=!var:AliIde=%正常!"
- set "var=!var:Antimalware=%正常!"
- set "var=!var:NvMcTray.dll=%正常!"
- set "var=!var:WBEM=%疑似灰鸽子木马!"
- set "var=!var:PPPoEWin=%正常!"
- set "var=!var:TDSMAPI=%正常!"
- set "var=!var:TPInput=%正常!"
- set "var=!var:RUNDLL2000.EXE=%危险!"
- set "var=!var:TPPWRIF=%正常!"
- set "var=!var:System32\drivers\Tppwrif.sys=%正常!"
- set "var=!var:TSMAPIP=%正常!"
- set "var=!var:PnpWmkDrv=%正常!"
- set "var=!var:SoC=%正常!"
- set "var=!var:HOSTNT=%正常!"
- set "var=!var:MHDRV=%正常!"
- set "var=!var:Rainbow=%正常!"
- set "var=!var:aswFsBlk=%正常!"
- set "var=!var:bdfdll=%正常!"
- set "var=!var:BitDefender=%正常!"
- set "var=!var:\H3C\iNode=%正常!"
- set "var=!var:bdpredir=%正常!"
- set "var=!var:KSafe\json.dll=%正常!"
- set "var=!var:Protector=%正常!"
- set "var=!var:ProtectorA=%正常!"
- set "var=!var:npf.sysCACE=%正常!"
- set "var=!var:WinPcap=%正常!"
- set "var=!var:/Program=%正常!"
- set "var=!var:system32\PnkBstrA.exe=%正常!"
- set "var=!var:punkbuster=%正常!"
- set "var=!var:c20ukdrwsvr.exe=%正常!"
- set "var=!var:IcbcDaemon.exe=%正常!"
- set "var=!var:WDelMgr20=%正常!"
- set "var=!var:system32\nvshell.dll=%正常!"
- set "var=!var:system32\pthreadvc.dll=%正常!"
- set "var=!var:MacType.dll=%正常!"
- set "var=!var:Ock.dll=%正常!"
- set "var=!var:VopClient.exe=%正常!"
- set "var=!var:bgswitch.exe=%正常!"
- set "var=!var:BigDogPathVM=%正常!"
- set "var=!var:X-Scan-v3.3=%正常!"
- set "var=!var:dumprep=%正常!"
- set "var=!var:HookDll.dll=%正常!"
- set "var=!var:dominodomino.exe=%正常!"
- set "var=!var:VMSnapset=%正常!"
- set "var=!var:Htpatch.exe=%正常!"
- set "var=!var:HTpatchhtpatch.exe=%正常!"
- set "var=!var:QQ\Bin=%正常!"
- set "var=!var:Notify\DfLogon=%正常!"
- set "var=!var:DfLogonLogonDll.dll=%正常!"
- set "var=!var:Interface=%正常!"
- set "var=!var:HidServ.dll=%正常!"
- set "var=!var:helpsvc=%正常!"
- set "var=!var:><N>=%正常!"
- set "var=!var:System32\WLTRYSVC.EXE=%正常!"
- set "var=!var:rundll32.exe=%rundll32.exe 正常!"
- set "var=!var:updaterC=%C!"
- set "var=!var:WinRAR\rarext.dll=%WinRAR\rarext.dll正常的WinRAR文件!"
- echo !var!>>白名单.txt
- )
- setlocal enabledelayedexpansion
- for /f "tokens=*" %%i in (白名单.txt) do (
- set var=%%i
- set "var=!var:状=%正常!"
- echo !var!>>分析结果.txt
- )
- (echo ———————————————————————————————————————&echo.)>>分析结果.txt
- (echo 4、用专杀或者修复工具修复以下磁碟机劫持: &echo.)>>分析结果.txt
-
- findstr /li "IFEO" SREngLOG.log >>IFEO.txt
- setlocal enabledelayedexpansion
- for /f "tokens=*" %%i in (IFEO.txt) do (
- set var=%%i
- set "var=!var:ntsd=%!"
- set "var=!var:-d=%!"
- set "var=!var:IFEO=% [IFEO] !"
- set "var=!var:<=%!"
- set "var=!var:>=%!"
- echo !var!>>分析结果.txt
- )
- (echo ———————————————————————————————————————&echo.)>>分析结果.txt
- (echo 5、打开SREng,选择【启动项目】-【服务】-【Win32服务应用程序】,将以下项删除:&echo.)>>分析结果.txt
- findstr /li "missing)" SREngLOG.log >>ff.txt
- findstr /li "samservice.exe><>" SREnglog.log>>ff.txt
- findstr /li ".dll" 白名单.txt >>ser.txt
- findstr /li ".EXE" 白名单.txt >>ser.txt
- @findstr /v ".dll" ser.txt >>servers.txt
- @findstr /v ".exe" servers.txt >>N4.txt
- @findstr /v "菜单" N4.txt >>N5.txt
- @findstr /v "特权" N5.txt >>ff.txt
- setlocal enabledelayedexpansion
- for /f "tokens=*" %%i in (ff.txt) do (
- set var=%%i
- set "var=!var:Program Files/=%正常!"
- echo !var!>>N7.txt
- )
- @findstr /v "正常" N7.txt>>分析结果.txt
- (echo 6、打开SREng,选择【启动项目】-【服务】-【驱动程序】,将以下项删除:& echo.)>>分析结果.txt
-
- findstr /li ".sys" N1.txt>>分析结果.txt
-
- findstr /li "tmp" 可疑驱动.txt>>分析结果.txt
- (echo ———————————————————————————————————————& echo.)>>分析结果.txt
- (echo 7、用“SREng”修复以下【Winsock 提供者】项:& echo.)>>分析结果.txt
- findstr /li "(, N/A)" SREngLOG.log >>分析结果.txt
- (echo ———————————————————————————————————————& echo.)>>分析结果.txt
- (echo 8、用U盘专杀工具查杀【Autorun.inf 】& echo.)>>分析结果.txt
- findstr /li "ntldr" SREngLOG.log >b.txt
- @more +6 b.txt >>分析结果.txt
- (echo ———————————————————————————————————————& echo.)>>分析结果.txt
- (echo 9、用“SREng”修复以下 【hosts文件】项:& echo.)>>分析结果.txt
- findstr /li "127.1" SREngLOG.log >>分析结果.txt
- (echo ———————————————————————————————————————& echo.)>>分析结果.txt
- (echo 10、用“SREng”修复以下【文件关联】项:& echo.)>>分析结果.txt
- findstr /li "Error." SREngLOG.log >>分析结果.txt
- (echo ———————————————————————————————————————& echo.)>>分析结果.txt
- (echo 11、该项可能被修改,请参考系统默认值。& echo.)>>分析结果.txt
- findstr /li "<AppInit_DLLs>" SREngLOG.log>>分析结果.txt
- findstr /li "<load>" SREngLOG.log>>分析结果.txt
- findstr /li "<run>" SREngLOG.log>>分析结果.txt
- findstr /li "setup.exe>" SREngLOG.log >>分析结果.txt
- findstr /li "<shell>" SREngLOG.log>>分析结果.txt
- findstr /li "<Userinit>" SREngLOG.log>>分析结果.txt
- findstr /li "<UIHost>" SREngLOG.log>>分析结果.txt
- @findstr /v "正常" "分析结果.txt">分析报告.log
- (echo ———————————————————————————————————————& echo.)>>分析报告.log
- (echo 12、修复完成后,建议用Windows清理助手扫描清除恶意插件。& echo.)>>分析报告.log
- findstr /li "ASSIST" SREngLOG.log>>分析报告.log
- del /q *.txt
- setlocal enabledelayedexpansion
- for /f "tokens=*" %%i in (分析报告.log) do (
- set var=%%i
- set "var=!var:<AppInit_DLLs><>=%正常!"
- set "var=!var:<load><>=%正常!"
- set "var=!var:<shell><Explorer.exe>=%正常!"
- set "var=!var:<Userinit><C:\WINDOWS\system32\userinit.exe,>=%正常!"
- set "var=!var:<UIHost><logonui.exe>=%正常!"
- set "var=!var:><=%> <!"
- set "var=!var:[NA, ]=%!"
- set "var=!var:[]=%!"
- set "var=!var:[ SYSTEM]=%!"
- set "var=!var:[ Administrator]=%!"
- set "var=!var:[N/A, ]=%!"
- set "var=!var:hidserv.dll><N/A>=%hidserv.dll><N/A> <正常的系统服务项>!"
- set "var=!var:\SystemRoot\=%!"
- set "var=!var:ddd=%!"
- set "var=!var:<N/A>=%!"
- set "var=!var:<(File is missing)>=% <服务残留项>!"
- set "var=!var:ExplorerC=%C!"
- set "var=!var:[ ]=%!"
- set "var=!var:ssMgr_ccb=%正常的建设银行U盾程序!"
- set "var=!var:创建文本=%………………………………………………………………………………………………………!"
- echo !var!>>报告文件.txt
- )
- @findstr /v "正常" 报告文件.txt>>智能分析报告.txt
- del /q 报告文件.txt
- del /q 分析报告.log
- start 智能分析报告.txt
- exit
Author: batpro  Time: 2011-5-24 22:05
This post was last edited by batpro on 2011-5-24 22:10
1# batpro
I am asking the experts to help find the problems; I don't know text processing well. After copying the code, please save it as a .bat file.
Could the code be trimmed down without trimming the functionality?
Original work, first published at http://bbs.kafan.cn/thread-973790-1-1.html
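A trimmed version of the same checks, added here as an example and not the original poster's script: the whitelist lives in a data file that findstr /g: applies in one pass, and sort handles de-duplication; SREngLOG.log in the current folder, the file name whitelist.txt and the report file name are assumptions of this example.

```batch
@echo off
setlocal enabledelayedexpansion
rem Added example, not the original poster's script: the same SREng log checks
rem with the whitelist kept in a data file instead of hundreds of substitutions.
rem Assumptions: SREngLOG.log is in the current folder; whitelist.txt and the
rem report file name are chosen for this example.
set "log=SREngLOG.log"
set "white=whitelist.txt"
set "report=analysis_report.txt"

if not exist "%log%" (echo %log% not found& exit /b 1)

rem Constructed whitelist for the demonstration: one literal substring per line.
rem Whitelist full paths or vendor names, not short words such as "VM" or "IBM"
rem that any file can be named to contain. Never leave a blank line in the file:
rem with /g: an empty search string matches every line and whitelists everything.
if not exist "%white%" (
    >"%white%" (
        echo system32\DRIVERS\hgfs.sys
        echo system32\drivers\es1371mp.sys
        echo System32\hidserv.dll
    )
)

rem (1) Services and drivers whose vendor field is N/A and that match no
rem     whitelist entry. /g: reads all search strings from the file in one pass,
rem     /l keeps them literal and /v keeps only the lines that match none.
>"%report%" echo 1. Services/drivers with no vendor that are not whitelisted:
findstr /i /l /c:"><N/A>" "%log%" | findstr /i /l /v /g:%white% >>"%report%"

rem (2) Registry startup items with an empty vendor field "[]", a missing file
rem     or an (Infected) verdict. /l is required: without it findstr treats [] as
rem     a regular-expression character class. sort puts duplicate lines next to
rem     each other, so comparing with the previous line de-duplicates in one pass.
>>"%report%" echo.
>>"%report%" echo 2. Startup items with no vendor, a missing file or an infected file:
set "prev="
for /f "delims=" %%L in ('findstr /l /c:"><" "%log%" ^| findstr /l /c:"[]" /c:"[File is missing]" /c:"(Infected)" ^| sort') do (
    set "cur=%%L"
    if "!cur!" neq "!prev!" >>"%report%" echo !cur!
    set "prev=!cur!"
)

rem (3) Image File Execution Options entries. In the sample log 360rpt.exe,
rem     360Safe.exe and other security tools are redirected to svchost.exe,
rem     which silently stops those tools from ever starting.
>>"%report%" echo.
>>"%report%" echo 3. IFEO redirections (check the target of every entry):
findstr /l /c:"<IFEO[" "%log%" >>"%report%"

rem (4) Running processes and loaded modules with no vendor ("[N/A, ]"),
rem     such as a DLL injected into winlogon.exe in the sample log.
>>"%report%" echo.
>>"%report%" echo 4. Running processes/modules with no vendor:
findstr /l /c:"[N/A, ]" "%log%" | findstr /i /l /v /g:%white% >>"%report%"

start "" "%report%"
endlocal
```

Run it from the folder that holds SREngLOG.log; on the sample log below section 1 reports the zg driver whose file is missing, section 2 the khdk0.exe Run entry and the infected ctfmon.exe, section 3 the six IFEO entries, and section 4 the COMRes.dll module.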
Author: batpro  Time: 2011-5-24 22:07
This post was last edited by batpro on 2011-5-24 22:09
Here is a test text file; for testing, copy it into SREnglog.log and put it in the same folder as the bat file.
- 2009-04-09,23:02:06
- System Repair Engineer 2.7.0.1210
- Smallfrogs (http://www.KZTechs.com)
- Windows XP Professional Service Pack 3 (Build 2600) - 管理权限用户 - 完整功能
- 以下内容被选中:
- 所有的启动项目(包括注册表、启动文件夹、服务等)
- 浏览器加载项
- 正在运行的进程(包括进程模块信息)
- 文件关联
- Winsock 提供者
- Autorun.inf
- HOSTS 文件
- 进程特权扫描
- 计划任务
- API HOOK
- 隐藏进程
-
- 启动项目
- 注册表
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Infected) Microsoft Corporation]
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- <load><> [N/A]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- <VMware Tools><C:\Program Files\VMware\VMware Tools\VMwareTray.exe> [VMware, Inc.]
- <VMware User Process><C:\Program Files\VMware\VMware Tools\VMwareUser.exe> [VMware, Inc.]
- <EQSysSecure><E:\Program Files\EQSecurePro\EQSysSecure.exe /background> [EQSecure]
- <IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Windows Component Publisher]
- <PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Component Publisher]
- <PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- <config.exe><C:\WINDOWS\khdk0.exe> []
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
- <shell><Explorer.exe> [(Verified)Microsoft Windows Component Publisher]
- <Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- <AppInit_DLLs><> [N/A]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
- <UIHost><logonui.exe> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
- <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
- <PostBootReminder><%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Windows Component Publisher]
- <CDBurn><%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Windows Component Publisher]
- <WebCheck><%SystemRoot%\system32\webcheck.dll> [(Verified)Microsoft Windows Component Publisher]
- <SysTray><C:\WINDOWS\system32\stobject.dll> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
- <WinlogonNotify: crypt32chain><crypt32.dll> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
- <WinlogonNotify: cryptnet><cryptnet.dll> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
- <WinlogonNotify: cscdll><cscdll.dll> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
- <WinlogonNotify: dimsntfy><%SystemRoot%\System32\dimsntfy.dll> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
- <WinlogonNotify: ScCertProp><wlnotify.dll> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
- <WinlogonNotify: Schedule><wlnotify.dll> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
- <WinlogonNotify: sclgntfy><sclgntfy.dll> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
- <WinlogonNotify: SensLogn><WlNotify.dll> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
- <WinlogonNotify: termsrv><wlnotify.dll> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
- <WinlogonNotify: wlballoon><wlnotify.dll> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
- <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll> [(Verified)Microsoft Windows Component Publisher]
- <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
- <Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
- <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE> [File is missing]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
- <浏览器自定义组件><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
- <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE> [File is missing]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
- <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [File is missing]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
- <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [File is missing]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
- <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
- <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
- <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
- <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [File is missing]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
- <Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
- <Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
- <IFEO[360rpt.exe]><C:\WINDOWS\system32\svchost.exe> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
- <IFEO[360Safe.exe]><C:\WINDOWS\system32\svchost.exe> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
- <IFEO[360tray.exe]><C:\WINDOWS\system32\svchost.exe> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrRtp.exe]
- <IFEO[DrRtp.exe]><C:\WINDOWS\system32\svchost.exe> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe]
- <IFEO[QQDoctor.exe]><C:\WINDOWS\system32\svchost.exe> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RStray.exe]
- <IFEO[RStray.exe]><C:\WINDOWS\system32\svchost.exe> [(Verified)Microsoft Windows Component Publisher]
- [HKEY_CURRENT_USER\Control Panel\Desktop]
- <SCRNSAVE.EXE><C:\WINDOWS\System32\logon.scr> [(Verified)Microsoft Windows Component Publisher]
- ==================================
- 启动文件夹
- N/A
- ==================================
- 服务
- [EQService / EQService][Stopped/Auto Start]
- <E:\Program Files\EQSecurePro\EQService.exe><EQSecure>
- [Human Interface Device Access / HidServ][Stopped/Disabled]
- <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
- [VMware Tools Service / VMTools][Running/Auto Start]
- <"C:\Program Files\VMware\VMware Tools\VMwareService.exe"><VMware, Inc.>
- ==================================
- 驱动程序
- [EQSysSecure / EQSysSecure][Running/System Start]
- <\??\C:\WINDOWS\system32\drivers\EQSysSecure.sys><EQSecure>
- [Creative AudioPCI (ES1371,ES1373) (WDM) / es1371][Running/Manual Start]
- <system32\drivers\es1371mp.sys><Creative Technology Ltd.>
- [hgfs / hgfs][Running/Auto Start]
- <System32\DRIVERS\hgfs.sys><VMware, Inc.>
- [AMD PCNET Compatable Adapter Driver / PCnet][Stopped/Manual Start]
- <system32\DRIVERS\pcntpci5.sys><AMD Inc.>
- [Direct Parallel Link Driver / Ptilink][Running/Manual Start]
- <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
- [Secdrv / Secdrv][Stopped/Manual Start]
- <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
- [VMware Pointing Device / vmmouse][Running/Manual Start]
- <system32\DRIVERS\vmmouse.sys><VMware, Inc.>
- [vmscsi / vmscsi][Running/Boot Start]
- <\SystemRoot\system32\DRIVERS\vmscsi.sys><VMware, Inc.>
- [VMware Ethernet Adapter Driver / vmxnet][Running/Manual Start]
- <system32\DRIVERS\vmxnet.sys><VMware, Inc.>
- [vmx_svga / vmx_svga][Running/Manual Start]
- <system32\DRIVERS\vmx_svga.sys><VMware, Inc.>
- [zg / zg][Running/Manual Start]
- <2 - 系统找不到指定的文件。
- ><N/A>
- ==================================
- 浏览器加载项
- []
- {e2e2dd38-d088-4134-82b7-f2ba38496583} <%windir%\Network Diagnostic\xpnetdiag.exe, (Signed) N/A>
- [Messenger]
- {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, (Signed) Microsoft Corporation>
- [9Box Agent Object]
- {49484D63-60FB-4E4E-A400-9092F418CB61} <C:\PROGRA~1\Shutter\9BOX-S~1\NINEBO~1.DLL, (Signed) N/A>
- [Shockwave Flash Object]
- {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\macromed\flash\flash.ocx, (Signed) Macromedia, Inc.>
- []
- {E2E2DD38-D088-4134-82B7-F2BA38496583} <, >
- []
- {FB5F1910-F110-11D2-BB9E-00C04F795683} <, >
- ==================================
- 正在运行的进程
- [PID: 364][\SystemRoot\System32\smss.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
- [PID: 600][\??\C:\WINDOWS\system32\csrss.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
- [PID: 632][\??\C:\WINDOWS\system32\winlogon.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2113)]
- [C:\WINDOWS\system32\COMRes.dll] [N/A, ]
- [PID: 676][C:\WINDOWS\system32\services.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
- [PID: 688][C:\WINDOWS\system32\lsass.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2113)]
- [PID: 844][C:\WINDOWS\system32\svchost.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
- [C:\WINDOWS\system32\COMRes.dll] [N/A, ]
- [PID: 928][C:\WINDOWS\system32\svchost.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
- [C:\WINDOWS\system32\COMRes.dll] [N/A, ]
- [PID: 1032][C:\WINDOWS\System32\svchost.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
- [C:\WINDOWS\System32\COMRes.dll] [N/A, ]
- [PID: 1152][C:\WINDOWS\system32\svchost.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
- [PID: 1216][C:\WINDOWS\system32\svchost.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
- [C:\WINDOWS\system32\COMRes.dll] [N/A, ]
- [PID: 1392][C:\WINDOWS\Explorer.EXE] [(Verified) Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
- [C:\WINDOWS\system32\COMRes.dll] [N/A, ]
- [C:\Program Files\VMware\VMware Tools\hook.dll] [N/A, ]
- [C:\WINDOWS\System32\hgfs.dll] [N/A, ]
- [C:\Program Files\WinRAR\rarext.dll] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat] [N/A, ]
- [C:\WINDOWS\fonts\ComRes.dll] [N/A, ]
- [C:\WINDOWS\fonts\gth77327.ttf] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\jxinit.dat] [N/A, ]
- [PID: 1884][C:\Program Files\VMware\VMware Tools\VMwareService.exe] [VMware, Inc., 5.5.2 build-29772]
- [C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
- [PID: 228][C:\WINDOWS\System32\alg.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-0852)]
- [C:\WINDOWS\System32\COMRes.dll] [N/A, ]
- [PID: 432][C:\Program Files\VMware\VMware Tools\VMwareTray.exe] [VMware, Inc., 5.5.2 build-29772]
- [C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
- [C:\Program Files\VMware\VMware Tools\VMControlPanel.cpl] [VMware, Inc., 5.5.2 build-29772]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat] [N/A, ]
- [PID: 440][C:\Program Files\VMware\VMware Tools\VMwareUser.exe] [VMware, Inc., 5.5.2 build-29772]
- [C:\Program Files\VMware\VMware Tools\hook.dll] [N/A, ]
- [C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat] [N/A, ]
- [PID: 536][C:\WINDOWS\system32\ctfmon.exe] [(Infected) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2105)]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\jxinit.dat] [N/A, ]
- [C:\WINDOWS\system32\704C3595.dll] [N/A, ]
- [PID: 1560][C:\WINDOWS\system32\gr.exe] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\jxinit.dat] [N/A, ]
- [PID: 1580][C:\Program Files\Microsoft Office\SYSTEM\sysbar.exe] [N/A, ]
- [C:\WINDOWS\system32\COMRes.dll] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\jxinit.dat] [N/A, ]
- [PID: 1668][C:\WINDOWS\khdk0.exe] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll] [N/A, ]
- [C:\Program Files\VMware\VMware Tools\hook.dll] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat] [N/A, ]
- [PID: 1824][C:\program files\internet explorer\iexplore.exe] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
- [C:\WINDOWS\system32\COMRes.dll] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\jxinit.dat] [N/A, ]
- [C:\WINDOWS\system32\704C3595.dll] [N/A, ]
- [PID: 2036][E:\Tools\sreng2\SREngLdr.EXE] [Smallfrogs Studio, 2.7.0.1210]
- [PID: 2044][E:\Tools\sreng2\SRE7677f6e6.EXE] [Smallfrogs Studio, 2.7.0.1210]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll] [N/A, ]
- [C:\Program Files\VMware\VMware Tools\hook.dll] [N/A, ]
- [E:\Tools\sreng2\Upload\3rdUpd.DLL] [Smallfrogs Studio, 2, 1, 0, 15]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat] [N/A, ]
- [C:\WINDOWS\fonts\ComRes.dll] [N/A, ]
- [C:\WINDOWS\fonts\gth77327.ttf] [N/A, ]
- [C:\DOCUME~1\gz\LOCALS~1\Temp\jxinit.dat] [N/A, ]
- [C:\WINDOWS\system32\704C3595.dll] [N/A, ]
- ==================================
- 文件关联
- .TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
- .EXE OK. ["%1" %*]
- .COM OK. ["%1" %*]
- .PIF OK. ["%1" %*]
- .REG OK. [regedit.exe "%1"]
- .BAT OK. ["%1" %*]
- .SCR OK. ["%1" /S]
- .CHM OK. ["C:\WINDOWS\hh.exe" %1]
- .HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
- .INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
- .INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
- .VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
- .JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
- .LNK OK. [{00021401-0000-0000-C000-000000000046}]
- ==================================
- Winsock 提供者
- N/A
- ==================================
- Autorun.inf
- N/A
- ==================================
- HOSTS 文件
- 127.0.0.1 localhost
- ==================================
- 进程特权扫描
- 特殊特权被允许: SeLoadDriverPrivilege [PID = 432, C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE]
- 特殊特权被允许: SeLoadDriverPrivilege [PID = 440, C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE]
- 特殊特权被允许: SeLoadDriverPrivilege [PID = 536, C:\WINDOWS\SYSTEM32\CTFMON.EXE]
- 特殊特权被允许: SeDebugPrivilege [PID = 1560, C:\WINDOWS\SYSTEM32\GR.EXE]
- 特殊特权被允许: SeLoadDriverPrivilege [PID = 1560, C:\WINDOWS\SYSTEM32\GR.EXE]
- 特殊特权被允许: SeLoadDriverPrivilege [PID = 1580, C:\PROGRAM FILES\MICROSOFT OFFICE\SYSTEM\SYSBAR.EXE]
- 特殊特权被允许: SeDebugPrivilege [PID = 1668, C:\WINDOWS\KHDK0.EXE]
- 特殊特权被允许: SeLoadDriverPrivilege [PID = 1668, C:\WINDOWS\KHDK0.EXE]
- 特殊特权被允许: SeLoadDriverPrivilege [PID = 2036, E:\TOOLS\SRENG2\SRENGLDR.EXE]
- ==================================
- 计划任务
- N/A
- ==================================
- API HOOK
- N/A
- ==================================
- 隐藏进程
- N/A
- ==================================
Author: techon  Time: 2011-5-24 22:55
The code is hard to simplify any further; most of it is code defining the black/white lists... You could consider moving the trusted files into a separate configuration file.
I feel that if you know how to use Sreng, this script is of little real use.
Sreng has a built-in feature that automatically copies suspicious files to a directory.
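Following techon's suggestion to keep the trusted-file list in a separate configuration file, here is an added example (not the forum post's batch tool and not SREng's code) that parses the running-process section of an SREng log in the format quoted above and reports images and modules that are neither marked (Verified) nor on the whitelist. The log excerpt and whitelist text are constructed inline so it runs offline, and the one-path-per-line config format is an assumption.

```python
# Added example (not the forum post's batch tool or SREng's own code): parse the
# "正在运行的进程" section of an SREng log and list every image or module that is
# neither signature-verified nor on a whitelist kept in a separate config file.
import re

# Constructed excerpt modelled on the log quoted above (paths taken from it).
SAMPLE_LOG = """==================================
正在运行的进程
[PID: 1392][C:\\WINDOWS\\Explorer.EXE] [(Verified) Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\\WINDOWS\\system32\\COMRes.dll] [N/A, ]
[C:\\DOCUME~1\\gz\\LOCALS~1\\Temp\\xunxianqq.dll] [N/A, ]
[PID: 1560][C:\\WINDOWS\\system32\\gr.exe] [N/A, ]
[C:\\DOCUME~1\\gz\\LOCALS~1\\Temp\\msdfjsadfjd.dat] [N/A, ]
==================================
"""
# Hypothetical whitelist config (one path per line, '#' starts a comment);
# the batch tool hard-codes its list, here it is external data.
WHITELIST_CFG = """# trusted unsigned modules
C:\\WINDOWS\\system32\\COMRes.dll
"""
PROC_RE = re.compile(r"^\[PID: (\d+)\]\[(.+?)\] \[(.*)\]$")  # process line
MOD_RE = re.compile(r"^\[(.+?)\] \[(.*)\]$")                 # loaded-module line

def load_whitelist(cfg):
    # Compare case-insensitively, as NTFS path lookups do.
    return {ln.strip().lower() for ln in cfg.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def parse_processes(log):
    # Map PID -> [(path, signer_info), ...]; the process image is entry 0.
    procs, pid, inside = {}, None, False
    for line in log.splitlines():
        if line == "正在运行的进程":
            inside = True
        elif inside and line.startswith("====="):
            break                                   # section ends here
        elif inside:
            m = PROC_RE.match(line)
            if m:
                pid = int(m.group(1))
                procs[pid] = [(m.group(2), m.group(3))]
            elif pid is not None and (m := MOD_RE.match(line)):
                procs[pid].append((m.group(1), m.group(2)))
    return procs

def find_suspects(log, whitelist):
    # Anything not "(Verified)" by SREng and not whitelisted is reported.
    return [(pid, path) for pid, entries in parse_processes(log).items()
            for path, info in entries
            if not info.startswith("(Verified)") and path.lower() not in whitelist]
```

Running `find_suspects(SAMPLE_LOG, load_whitelist(WHITELIST_CFG))` on the excerpt returns the Temp-directory modules and gr.exe while skipping the whitelisted COMRes.dll and the verified Explorer.EXE.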
Welcome to 批处理之家 (http://bbs.bathome.net/) | Powered by Discuz! 7.2