[文本处理] 批处理版SREnglog智能分析工具(请帮忙找问题及精简)

rem   版权代码部分开始于此处
@echo off 
rem 
mode con cols=100 lines=12 &color 9f 
cls
set a=^set /p=■%b%^<nul^&ping/n 0 127.1.0^>nul^& 
echo.
echo         程序正在初始化. . .           
echo       ┌──────────────────────────────────────┐
set/p=        <nul&%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%%a%
echo 100%% 
echo       └──────────────────────────────────────┘
set b=
set a=■
set /a z=100
:start
cls
set a=%a%■■
set /a b+=5
set /a z-=5
echo.
echo        程序正在启动，请稍候. . . 欢迎使用SREnglog智能分析助手       by 52kafan
echo                                                                     from [url]http://bbs.kafan.cn/[/url]
echo       ┌──────────────────────────────────────────┐
echo        %a% %b%%%
echo       └──────────────────────────────────────────┘
ping /n 0 127.0 >nul
if %b% geq 100 goto num2
ping /n 0 127.0 >nul
set /a sum =5
goto start
:_exit
set /a sum-=1
set/p=%sum% 秒后退出! <nul
echo. 
if %sum% EQU 0 exit
ping /n 0 127.0 >nul
goto _exit
:num2
rem   版权部分结束于此处
rem ⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙
rem ┌─────────────────────────────────────────────────────────────┐
rem                                       软            件            架            构            部            分
rem └─────────────────────────────────────────────────────────────┘
rem   (1)穷举"N/A"写入到N-A.txt
(echo 创建文本& echo.)>>tt.txt
(echo 创建文本& echo.)>>N7.txt
(echo 创建文本& echo.)>>old2.txt
(echo 创建文本& echo.)>>ttt.txt
findstr /li "N/" SREngLOG.log>>N-A.txt
setlocal enabledelayedexpansion
for /f "tokens=*" %%i in (N-A.txt) do (
set var=%%i
rem ┌──────────────────────────────────────────────────────────────┐
rem                                       N/A           白            明            单            部            分
rem └──────────────────────────────────────────────────────────────┘
rem   (2)标记"N-A.txt"中正常的驱动项和相关服务项
set "var=!var:drivers\360AntiArp.sys=%正常!"
set "var=!var:Garena\safedrv.sys=%正常!"
set "var=!var:system32\DRIVERS\ewusbmdm.sys=%正常的华为CDMA上网卡驱动!"            
set "var=!var:system32\DRIVERS\ewusbdev.sys=%正常的华为出品无线网卡相关驱动!"            
set "var=!var:system32\drivers\massfilter.sys=%正常的DVD/CD-ROM设备管理程序驱动!"          
set "var=!var:system32\drivers\mpfilt.sys=%正常的安国U盘量产工具的驱动!"   
set "var=!var:system32\DRIVERS\pcdrndisuio.sys=%正常的联想toolbox安装的驱动!"         
set "var=!var:System32\Drivers\sptd.sys=%正常的虚拟光驱DAEMON Tools的驱动文件!"               
set "var=!var:system32\NtDriver.sys=%正常的卡巴斯基木马扫描工具troyanfindinfo驱动!"         
set "var=!var:system32\DRIVERS\tvtpktfilter.sys=%正常的联想thinkpad文件还原恢复程序的驱动!"      
set "var=!var:system32\DRIVERS\UIUSYS.SYS=%正常的联想调制解调器驱动!"              
set "var=!var:system32\DRIVERS\zgdccat.sys=%正常的CDMA人机接口驱动!"            
set "var=!var:system32\DRIVERS\zgdccdiag.sys=%正常的USB调制解调器/串行设备驱动!"          
set "var=!var:system32\DRIVERS\zgdccmdm.sys=%正常的CDMA联想USB调制解调器驱动!"            
set "var=!var:system32\DRIVERS\zgdccvousb.sys=%正常的USB调制解调器/串行设备驱动!"          
set "var=!var:AntiARPClientLoader.exe=%正常的!"   
set "var=!var:System32\TPHDEXLG.exe=%正常的!"      
set "var=!var:oracle\ora92=%正常的!"                                                                           
set "var=!var:ipinip.sys=%正常!"
set "var=!var:aliide.sys=%正常!"
set "var=!var:viaudio.sys=%正常!
set "var=!var:SKNFW.sys=%正常!"
set "var=!var:RsNTGdi.sys=%正常!"
set "var=!var:SkyNet\Firewall\SkyProcs.sys=%正常!"
set "var=!var:snpstd3.sys=%正常!"
set "var=!var:ggghost.sys=%正常!"
set "var=!var:p2pfilter.sys=%正常!"
set "var=!var:tcphoc.sys=%正常!"
set "var=!var:usb2vcom.sys=%正常!"
set "var=!var:SystemCleaner\krpr.sys=%正常!"
set "var=!var:dtscsi.sys=%正常!"
set "var=!var:DRIVERS\sr.sys=%正常!"
set "var=!var:d347prt.sys=%正常!"
set "var=!var:npkcusb.sys=%正常!"
set "var=!var:Rfw\HookUrl.sys=%正常!"
set "var=!var:Rfw\RsFwDrv.sys=%正常!"
set "var=!var:scdriver\ScbkEx.sys=%正常!"
set "var=!var:scdriver\ScCchMgr.sys=%正常!"
set "var=!var:scdriver\ssfltpt.sys=%正常!"
set "var=!var:Rfw\HookUrl.sys=%正常!"
set "var=!var:Rfw\RsFwDrv.sys=%正常!"
set "var=!var:3waregsm.sys=%正常!"
set "var=!var:KLIF.SYS=%正常!"
set "var=!var:tsusbhub.sys=%正常!"
set "var=!var:Program Files=%正常!"
set "var=!var:o2media.sys=%正常!"
set "var=!var:o2sd.sysO2Micro=%正常!"
set "var=!var:blueletaudio.sys=%正常!"
set "var=!var:rdvgkmd.sys=%正常!"
set "var=!var:btnetdrv.sys=%正常!"
set "var=!var:vbtenum.sys=%正常!"
set "var=!var:BTHidMgr.sys=%正常!"
set "var=!var:npkcrypt.sys><N/A>=%npkcrypt.sys><N/A正常!"
set "var=!var:xAntiArp.sys><N/A>=xAntiArp.sys><N/A>正常!"
set "var=!var:<\??\C:\PROGRA~1\thunder network\thunder\XLDoctor\7.1.7.2244_2\Program\tcphoc.sys><N/A>=%<\??\C:\PROGRA~1\thunder network\thunder\XLDoctor\7.1.7.2244_2\Program\tcphoc.sys><N/A>正常!"
set "var=!var:EagleXNt.sys=%正常!"
set "var=!var:DRIVERS\epfwtdir.sys=%正常!"
set "var=!var:零时空\ntio518xp.sys=%正常!"
set "var=!var:DTL132\DTL132_x32.sys=%正常!"
set "var=!var:360TimeProt.sys=%正常!"
set "var=!var:synth3dvsc.sys=%正常!"
set "var=!var:VcommMgr.sys=%正常!"
set "var=!var:TDSMAPI.SYS=%正常!"
set "var=!var:TPInput.sys=%正常!"
set "var=!var:System32\drivers\Tppwrif.sys=%正常!"
set "var=!var:ASIO.SYS=%正常!" 
set "var=!var:system32\drivers\AsIO.sys=%正常!"
set "var=!var:drivers\PnpWmkDrv.sys=%正常!"
set "var=!var:system32\DRIVERS\pfc027.sys=%正常!"
set "var=!var:hostnt.sys=%正常!"
set "var=!var:nod32drv.sys=%正常!"
set "var=!var:hostnt.sys=%正常!" 
set "var=!var:mhdrv.sys=%正常!"
set "var=!var:drivers\rcmhdog.sys=%正常!"
set "var=!var:bdpredir.sys=%正常!"
set "var=!var:LongRADrv.sys=%正常!"
set "var=!var:gmsipci.sys=%正常!"
set "var=!var:npf.sysCACE=%正常!" 
set "var=!var:EagleNT.sys=%正常!"
set "var=!var:npkycryp.sys=%正常!"
set "var=!var:PCAMp50.sys=%正常!"
set "var=!var:PCASp50.sys=%正常!" 
set "var=!var:amd64\AODDriver2.sys=%正常!" 
set "var=!var:AmgVP.sys=%正常!"
set "var=!var:DRIVERS\motfilt.sys=%正常!"
set "var=!var:Drivers\motoandroid.sys=%正常!"
set "var=!var:DRIVERS\motccgp.sys=%正常!"
set "var=!var:DRIVERS\motccgpfl.sys=%正常!"
set "var=!var:DRIVERS\motodrv.sys=%正常!"
set "var=!var:DRIVERS\motmodem.sys=%正常!"
set "var=!var:DRIVERS\motswch.sys=%正常!"
set "var=!var:DRIVERS\Motousbnet.sys=%正常!"
set "var=!var:DRIVERS\motusbdevice.sys=%正常!"
set "var=!var:DRIVERS\TurboB.sys=%正常!"
set "var=!var:SuperFZ.sys=%正常!"
set "var=!var:SucopDrv.sys=%正常!"
set "var=!var:epfwtdir.sys=%正常!"
set "var=!var:\??\=%ddd!"
set "var=!var:-k netsvcs-->=%@!" 
echo !var!>>N1.txt
)
rem   (3)生成可疑驱动.txt
findstr /li "ddd" N1.txt >>可疑驱动.txt
setlocal enabledelayedexpansion
for /f "delims=" %%i in (N1.txt) do ( 
if not defined %%i set %%i=A & echo %%i>>report.txt)
rem ⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙⊙
rem ┌──────────────────────────────────────────────────────────┐
rem                              软            件            报            告            部            分
rem └──────────────────────────────────────────────────────────┘
rem 
rem ----------------------------------------------------------------------------------------------------------------------------
findstr /li "system32\COMRes.dll" SREngLOG.log >>old.txt
rem ----------------------------------------------------------------------------------------------------------------------------
findstr /li "[," SREngLOG.log >>1001.txt
findstr /li ".ocx" 1001.txt >>old.txt
setlocal enabledelayedexpansion
for /f "tokens=*" %%i in (old.txt) do (
set var=%%i
set "var=!var:System32=%system32!"
set "var=!var:1=%!" 
set "var=!var:0=%!" 
echo !var!>>old2.txt
)
setlocal enabledelayedexpansion
for /f "delims=" %%i in (old2.txt) do (findstr /c:"%%i" tt.txt>nul||echo %%i>>tt.txt)
(echo 1、用替换工具替换以下文件：& echo.)>分析报告.txt
findstr /li "system32\COMRes.dll" tt.txt >>分析报告.txt
findstr /li "Infected" SREngLOG.log >>分析报告.txt
(echo ———————————————————————————————————————& echo.)>>分析报告.txt
(echo 2、用xdelbox删除以下文件 ：& echo.)>>分析报告.txt 
findstr /li "[," report.txt >>要删除的文件.txt
findstr /li "A," report.txt >>要删除的文件.txt
findstr /li "<internat>" SREngLOG.log>>要删除的文件.txt
findstr /li "updater.exe" SREngLOG.log>>要删除的文件.txt
findstr /li ".ocx" tt.txt >>要删除的文件.txt
findstr /li "菜单" SREngLOG.log>>要删除的文件.txt
findstr /li "samservice.exe><>" SREnglog.log>>要删除的文件.txt
findstr /li "@" N1.txt >>要删除的文件.txt
findstr /li ".exe><N/" N1.txt >>要删除的文件.txt
findstr /li ".dll><N/" N1.txt >>要删除的文件.txt
findstr /li "tasks\SogouImeMgr.job" SREnglog.log>>要删除的文件.txt
findstr /li "Tmp" SREngLOG.log >>Temp.txt
findstr /li "[]" Temp.txt >>要删除的文件.txt
findstr /li "LOCALS~1\Temp" SREngLOG.log >>要删除的文件.txt
@findstr /v "PID" 要删除的文件.txt >>重复文件.txt 
setlocal enabledelayedexpansion
for /f "delims=" %%i in (重复文件.txt) do (findstr /c:"%%i" ttt.txt>nul||echo %%i>>ttt.txt)
findstr /li "Tmp" ttt.txt >>分析报告.txt 
@findstr /v "tmp" ttt.txt >>分析报告.txt 
(echo ———————————————————————————————————————& echo.)>>分析报告.txt
(echo 正在运行的程序:& echo.)>>分析报告.txt
@findstr /v "特权" 要删除的文件.txt >8.txt 
findstr /li "PID" 8.txt>>mm.txt
findstr /li "svchost.exe" SREngLOG.log >>mm.txt
findstr /li "smss.exe" SREngLOG.log >>mm.txt
(echo 正在运行的程序:& echo.)>>正在运行的程序.txt
setlocal enabledelayedexpansion
for /f "tokens=*" %%i in (mm.txt) do (
set var=%%i
set "var=!var:.cn=%!"
set "var=!var:/=%!"
set "var=!var:System32\smss.exe=%!"
set "var=!var:system32\svchost.exe=%!"
echo !var!>>正在运行的程序.txt
)
findstr /li ".exe" 正在运行的程序.txt >>分析报告.txt
findstr /li ".tmp" 正在运行的程序.txt >>分析报告.txt

(echo ———————————————————————————————————————& echo.)>>分析报告.txt
(echo 3、打开SREng，选择【启动项目】-【注册表】，将以下项删除：& echo.)>>分析报告.txt
findstr /li "><" SREngLOG.log >>N2.txt
findstr /li "[]" N2.txt >>N3.txt
findstr /li "missing]" SREngLOG.log >>N3.txt

@findstr /v "菜单" N3.txt >>分析报告.txt  
setlocal enabledelayedexpansion
for /f "tokens=*" %%i in (分析报告.txt) do (
set var=%%i
rem ┌──────────────────────────────────────────────────────────┐
rem                                       report           白            明            单            部            分
rem └──────────────────────────────────────────────────────────┘
rem
set "var=!var:[File is missing]=%<注册表残留项>!"
set "var=!var:assembly\=%正常!"
set "var=!var:奇虎网=%正常!"
set "var=!var:CMBProtector.dat><N/A>=%CMBProtector.dat><N/A>正常!"
set "var=!var:CertClient.dat><N/A>=%CertClient.dat>正常!"
set "var=!var:system32\srvany.exe=%正常!"   
set "var=!var:KMService.exe=%正常!" 
set "var=!var:\jre\bin\=%正常!"
set "var=!var:Garena\safedrv.sys=%正常!"
set "var=!var:XLPPoEPCIoctl.dll=%正常!"
set "var=!var:BYTEHERO\BSD=%正常!"
set "var=!var:通讯簿=%正常!"
set "var=!var:Smallfrogs=%正常!"
set "var=!var:360\360SD=%这是正常程序!"
set "var=!var:load=%正常!"
set "var=!var:360Chrome\Chrome=%正常!"
set "var=!var:WebCheck=%正常!"
set "var=!var:@C:\WINDOWS\system32\=%!"
set "var=!var:AppInit_DLLs=%正常!"
set "var=!var:CPUMon\CPUMon.exe=%正常!"
set "var=!var:kolscan\sqlite.dll=%kolscan\sqlite.dll (这是正常程序)!"
set "var=!var:Thunder=%Thunder正常!"
set "var=!var:msdmo.dll=%正常!"
set "var=!var:kingsoft\=%正常!"
set "var=!var:\Avira\AntiVir=%正常!"
set "var=!var:Yuguo\=%Yuguo\正常的雨过天晴电脑保护系统!"
set "var=!var:Software\Avast=%正常!"
set "var=!var:KuGou\KuGou=%正常!"
set "var=!var:(Signed)=%(Signed)正常!"
set "var=!var:<load><>=%<load><>正常!" 
set "var=!var:atitray=%正常!" 
set "var=!var:Macrovision=%正常!"
set "var=!var:Secdrv=%正常!"
set "var=!var:VIA=%正常!" 
set "var=!var:system32\COMRes.dll=%正常!" 
set "var=!var:WDM=%正常!"
set "var=!var:ChinaNet=%正常!"
set "var=!var:VIAudio=%正常!"
set "var=!var:KSM\sqlite.dll=%正常!" 
set "var=!var:SKNFW=%正常!"
set "var=!var:SkyProcs=%正常!"
set "var=!var:SkyNet\Firewall\SkyProcs.sys=%正常!"
set "var=!var:SNPSTD3=%正常!"
set "var=!var:Camera=%正常!"
set "var=!var:ZSMC=%正常!"
set "var=!var:VM=%正常!"
set "var=!var:ICBCEbankTools=%正常!"
set "var=!var:SogouExplorer\=%正常!"
set "var=!var:Unlocker=%正常!"
set "var=!var:snapshot\Client=%正常!" 
set "var=!var:Jollytime=%正常!" 
set "var=!var:usb2vcom=%正常!"
set "var=!var:MemTurbo\=%正常!"
set "var=!var:sptd=%正常!" 
set "var=!var:dtscsi=%正常!"
set "var=!var:[Explorer]=%<Explorer>!"
set "var=!var:Mozilla\Firefox=%正常!"
set "var=!var:Manager\PowerUtl.dll=%正常!" 
set "var=!var:firefox\mozjs.dll=%正常!" 
set "var=!var:d347bus=%正常!" 
set "var=!var:ufjdk\bin\java.exe=%正常!"    
set "var=!var:d347prt=%正常!"
set "var=!var:(Verified)Microsoft=%正常!" 
set "var=!var:npkcrypt=%正常!" 
set "var=!var:npkcusb=%正常!" 
set "var=!var:SMPLSCSI=%正常!" 
set "var=!var:CMBProtector=%正常!"
set "var=!var:rfw\rfwproxy.exe=%正常!"
set "var=!var:rfw\rfwsrv.exe=%正常!"
set "var=!var:3WAREGSM=%正常!"
set "var=!var:3WDRV=%正常!"
set "var=!var:IObit\Advanced SystemCare=%正常!"
set "var=!var:oreans32=%正常!"
set "var=!var:EHttpSrv.exe=%正常!"
set "var=!var:O2MDRDR=%正常!" 
set "var=!var:ekrn.exe=%正常!" 
set "var=!var:Numen\NumenAgentWin\=%正常!"
set "var=!var:O2Micro=%正常!"
set "var=!var:O2SDRDR=%正常!"
set "var=!var:o2sd.sysO2Micro=%正常!"
set "var=!var:Lenovo=%正常!"
set "var=!var:fsp.exe=%正常!"
set "var=!var:usblogon.exe=%正常!"
set "var=!var:Bluetooth=%正常!" 
set "var=!var:[   ]=%!" 
set "var=!var:Google\Chrome\Application=%Google\Chrome\Application正常!"
set "var=!var:_DLLs><>=%_DLLs><>正常!" 
set "var=!var:Easy Display Manager\HookDllPS2.dll]=%Easy Display Manager\HookDllPS2.dll] 正常!"
set "var=!var:System32\bcm1xsup.dll=%System32\bcm1xsup.dll (这是正常程序)!"
set "var=!var:Mozilla Firefox\mozjs.dll]=%Mozilla Firefox\mozjs.dll] 正常!"
set "var=!var:VMware Workstation\libxml2.dll]=%VMware Workstation\libxml2.dll] 正常 !" 
set "var=!var:Program Files\WinRAR=%Program Files\WinRAR正常的WinRAR文件!"
set "var=!var:json.dll]=%json.dll正常的金山在线杀毒模块]!"
set "var=!var:network\tp=%network\tp(这是正常程序)!"
set "var=!var:KWMUSIC\bin\=%KWMUSIC\bin\(这是正常程序)!"
set "var=!var:Fetion=%Fetion(这是正常程序)!
set "var=!var:\Holdfast\platform=%\Holdfast\platform(这是正常程序)!
set "var=!var:<\??\C:\PROGRA~1\thunder network\thunder\XLDoctor\7.1.7.2244_2\Program\tcphoc.sys><N/A>=%<\??\C:\PROGRA~1\thunder network\thunder\XLDoctor\7.1.7.2244_2\Program\tcphoc.sys><N/A>正常!"
set "var=!var:regsvr32.exe /s /n /i:/UserInstall=%regsvr32.exe /s /n /i:/UserInstall (这是正常程序)!"
set "var=!var:\Outlook=%\Outlook (这是正常程序)!"
set "var=!var:VMware\VMware=%VMware\VMware (这是正常程序)!"
set "var=!var:Yuguo\shieldclnt.exe><N/A>=%Yuguo\shieldclnt.exe><N/A> (这是正常程序)!"
set "var=!var:bcmwltry.exe><N/A>=%bcmwltry.exe><N/A> (这是正常程序)!"
set "var=!var:System32\WLTRYSVC.EXE]=%System32\WLTRYSVC.EXE] (这是正常程序)!"
set "var=!var:Adobe Systems, Inc.,=%Adobe Systems, Inc.,正常!"
set "var=!var:Funshion Online=%Funshion Online (这是正常程序)!"
set "var=!var:Maxthon=%正常!"
set "var=!var:<res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, >=%这是正常文件!"
set "var=!var:webaClient.exe=%正常!"
set "var=!var:NvCpl.dll=%正常!"
set "var=!var:NvStartup=%正常!"
set "var=!var:PCHealth=%正常!"
set "var=!var:AcPrfMgrSvc=%正常!"
set "var=!var:ThinkPad=%正常!"
set "var=!var:AcSvc=%正常!"
set "var=!var:Backup\QQPet=%正常!"
set "var=!var:H3C\gmMgr_h3c.exe=%正常!" 
set "var=!var:ConnectUtilities=%正常!"
set "var=!var:AcSvc.exeLenovo=%正常!"
set "var=!var:ThinkPad=%正常!"
set "var=!var:Defender\mpsvc.dll=%正常!"
set "var=!var:IBMPMSVC=%正常!"
set "var=!var:Tencent\QQ=%正常!"
set "var=!var:Intel\Wireless\Bin\=%正常!"
set "var=!var:ibmpmsvc.exe=%正常!"
set "var=!var:IBM=%正常!"
set "var=!var:system32\TpKmpSVC.exe=%正常!"
set "var=!var:system32\ati2sgag.exe=%正常!"
set "var=!var:UfAutoLoadService=%正常!"
set "var=!var:UfMsgGhost=%正常!"
set "var=!var:MsgGhost.exe=%正常!"
set "var=!var:U8AuthServer=%正常!"
set "var=!var:UFNet=%正常!"
set "var=!var:Outlook=%正常!"
set "var=!var:shmgrate.exe=%正常!"
set "var=!var:system32\ServerNT.exe=%正常!"
set "var=!var:Simulator=%正常!" 
set "var=!var:System32\PAStiSvc.exe=%正常!"
set "var=!var:Cyberip=%正常!"
set "var=!var:RichVideo.exe"=%正常!"
set "var=!var:powershadow=%正常!"
set "var=!var:ShadowSystemService=%正常!"
set "var=!var:ShadowService.exe=%正常!"
set "var=!var:O2Micro=%正常!"
set "var=!var:system32\o2flash.exe=%正常!"
set "var=!var:srservice=%正常!"  
set "var=!var:srsvc.dll=%正常!"
set "var=!var:MAPGIS=%正常!"
set "var=!var:zdLccSvc=%正常!"
set "var=!var:system32\ZDLCCSVC.EXE=%正常!"
set "var=!var:ALi=%正常!" 
set "var=!var:AliIde=%正常!"
set "var=!var:Antimalware=%正常!"
set "var=!var:NvMcTray.dll=%正常!"
set "var=!var:WBEM=%疑似灰鸽子木马!"
set "var=!var:PPPoEWin=%正常!"
set "var=!var:TDSMAPI=%正常!" 
set "var=!var:TPInput=%正常!"
set "var=!var:RUNDLL2000.EXE=%危险!"
set "var=!var:TPPWRIF=%正常!"
set "var=!var:System32\drivers\Tppwrif.sys=%正常!"
set "var=!var:TSMAPIP=%正常!"
set "var=!var:PnpWmkDrv=%正常!" 
set "var=!var:SoC=%正常!" 
set "var=!var:HOSTNT=%正常!"
set "var=!var:MHDRV=%正常!" 
set "var=!var:Rainbow=%正常!" 
set "var=!var:aswFsBlk=%正常!"
set "var=!var:bdfdll=%正常!"
set "var=!var:BitDefender=%正常!"
set "var=!var:\H3C\iNode=%正常!"
set "var=!var:bdpredir=%正常!"
set "var=!var:KSafe\json.dll=%正常!" 
set "var=!var:Protector=%正常!" 
set "var=!var:ProtectorA=%正常!" 
set "var=!var:npf.sysCACE=%正常!" 
set "var=!var:WinPcap=%正常!"
set "var=!var:/Program=%正常!"
set "var=!var:system32\PnkBstrA.exe=%正常!" 
set "var=!var:punkbuster=%正常!" 
set "var=!var:c20ukdrwsvr.exe=%正常!"
set "var=!var:IcbcDaemon.exe=%正常!" 
set "var=!var:WDelMgr20=%正常!" 
set "var=!var:system32\nvshell.dll=%正常!" 
set "var=!var:system32\pthreadvc.dll=%正常!" 
set "var=!var:MacType.dll=%正常!" 
set "var=!var:Ock.dll=%正常!"
set "var=!var:VopClient.exe=%正常!"
set "var=!var:bgswitch.exe=%正常!"
set "var=!var:BigDogPathVM=%正常!"
set "var=!var:X-Scan-v3.3=%正常!"
set "var=!var:dumprep=%正常!" 
set "var=!var:HookDll.dll=%正常!" 
set "var=!var:dominodomino.exe=%正常!" 
set "var=!var:VMSnapset=%正常!" 
set "var=!var:Htpatch.exe=%正常!"
set "var=!var:HTpatchhtpatch.exe=%正常!"
set "var=!var:QQ\Bin=%正常!"
set "var=!var:Notify\DfLogon=%正常!"
set "var=!var:DfLogonLogonDll.dll=%正常!" 
set "var=!var:Interface=%正常!" 
set "var=!var:HidServ.dll=%正常!" 
set "var=!var:helpsvc=%正常!"
set "var=!var:><N>=%正常!"
set "var=!var:System32\WLTRYSVC.EXE=%正常!"
set "var=!var:rundll32.exe=%rundll32.exe 正常!"
set "var=!var:updaterC=%C!"
set "var=!var:WinRAR\rarext.dll=%WinRAR\rarext.dll正常的WinRAR文件!"
echo !var!>>白名单.txt
) 
setlocal enabledelayedexpansion
for /f "tokens=*" %%i in (白名单.txt) do (
set var=%%i
set "var=!var:状=%正常!"
echo !var!>>分析结果.txt
) 
(echo ———————————————————————————————————————&echo.)>>分析结果.txt 
(echo 4、用专杀或者修复工具修复以下磁碟机劫持: &echo.)>>分析结果.txt 

findstr /li "IFEO" SREngLOG.log >>IFEO.txt
setlocal enabledelayedexpansion
for /f "tokens=*" %%i in (IFEO.txt) do (
set var=%%i
set "var=!var:ntsd=%!" 
set "var=!var:-d=%!"
set "var=!var:IFEO=% [IFEO]    !"
set "var=!var:<=%!"
set "var=!var:>=%!"
echo !var!>>分析结果.txt
)
(echo ———————————————————————————————————————&echo.)>>分析结果.txt 
(echo 5、打开SREng，选择【启动项目】-【服务】-【Win32服务应用程序】，将以下项删除：&echo.)>>分析结果.txt 
findstr /li "missing)" SREngLOG.log >>ff.txt
findstr /li "samservice.exe><>" SREnglog.log>>ff.txt
findstr /li ".dll" 白名单.txt >>ser.txt
findstr /li ".EXE" 白名单.txt >>ser.txt
@findstr /v ".dll" ser.txt >>servers.txt  
@findstr /v ".exe" servers.txt >>N4.txt
@findstr /v "菜单" N4.txt >>N5.txt 
@findstr /v "特权" N5.txt >>ff.txt 
setlocal enabledelayedexpansion
for /f "tokens=*" %%i in (ff.txt) do (
set var=%%i
set "var=!var:Program Files/=%正常!"
echo !var!>>N7.txt
)
@findstr /v "正常" N7.txt>>分析结果.txt 
(echo 6、打开SREng，选择【启动项目】-【服务】-【驱动程序】，将以下项删除：& echo.)>>分析结果.txt

findstr /li ".sys" N1.txt>>分析结果.txt

findstr /li "tmp" 可疑驱动.txt>>分析结果.txt
(echo ———————————————————————————————————————& echo.)>>分析结果.txt
(echo 7、用“SREng”修复以下【Winsock 提供者】项：& echo.)>>分析结果.txt
findstr /li "(, N/A)" SREngLOG.log >>分析结果.txt
(echo ———————————————————————————————————————& echo.)>>分析结果.txt
(echo 8、用U盘专杀工具查杀【Autorun.inf 】& echo.)>>分析结果.txt
findstr /li "ntldr" SREngLOG.log >b.txt
@more +6 b.txt >>分析结果.txt 
(echo ———————————————————————————————————————& echo.)>>分析结果.txt
(echo 9、用“SREng”修复以下 【hosts文件】项：& echo.)>>分析结果.txt
findstr /li "127.1" SREngLOG.log >>分析结果.txt
(echo ———————————————————————————————————————& echo.)>>分析结果.txt
(echo 10、用“SREng”修复以下【文件关联】项：& echo.)>>分析结果.txt
findstr /li "Error." SREngLOG.log >>分析结果.txt
(echo ———————————————————————————————————————& echo.)>>分析结果.txt
(echo 11、该项可能被修改,请参考系统默认值。& echo.)>>分析结果.txt
findstr /li "<AppInit_DLLs>" SREngLOG.log>>分析结果.txt
findstr /li "<load>" SREngLOG.log>>分析结果.txt
findstr /li "<run>" SREngLOG.log>>分析结果.txt
findstr /li "setup.exe>" SREngLOG.log >>分析结果.txt
findstr /li "<shell>" SREngLOG.log>>分析结果.txt
findstr /li "<Userinit>" SREngLOG.log>>分析结果.txt
findstr /li "<UIHost>" SREngLOG.log>>分析结果.txt
@findstr /v "正常" "分析结果.txt">分析报告.log
(echo ———————————————————————————————————————& echo.)>>分析报告.log
(echo 12、修复完成后，建议用Windows清理助手扫描清除恶意插件。& echo.)>>分析报告.log
findstr /li "ASSIST" SREngLOG.log>>分析报告.log
del /q *.txt
setlocal enabledelayedexpansion
for /f "tokens=*" %%i in (分析报告.log) do (
set var=%%i
set "var=!var:<AppInit_DLLs><>=%正常!"
set "var=!var:<load><>=%正常!"
set "var=!var:<shell><Explorer.exe>=%正常!"
set "var=!var:<Userinit><C:\WINDOWS\system32\userinit.exe,>=%正常!"
set "var=!var:<UIHost><logonui.exe>=%正常!"
set "var=!var:><=%>  <!"
set "var=!var:[NA, ]=%!"
set "var=!var:[]=%!"
set "var=!var:[   SYSTEM]=%!"
set "var=!var:[   Administrator]=%!"
set "var=!var:[N/A, ]=%!"
set "var=!var:hidserv.dll><N/A>=%hidserv.dll><N/A>  <正常的系统服务项>!"
set "var=!var:\SystemRoot\=%!"
set "var=!var:ddd=%!"
set "var=!var:<N/A>=%!"
set "var=!var:<(File is missing)>=%   <服务残留项>!"
set "var=!var:ExplorerC=%C!"
set "var=!var:[ ]=%!"
set "var=!var:ssMgr_ccb=%正常的建设银行U盾程序!" 
set "var=!var:创建文本=%………………………………………………………………………………………………………!"
echo !var!>>报告文件.txt
) 
@findstr /v "正常" 报告文件.txt>>智能分析报告.txt 
del /q 报告文件.txt
del /q 分析报告.log
start 智能分析报告.txt 
exit
复制代码

batpro

一级士官

Rank: 2

帖子: 71
积分: 137
技术: 2
捐助: 0
注册时间: 2011-5-8

2楼

发表于 2011-5-24 22:05 | 只看该作者

本帖最后由 batpro 于 2011-5-24 22:10 编辑

1# batpro

请求专家帮忙找问题，文本处理我不太懂，复制代码后请修改为.bat文件

能不能精简代码，但不精简功能
原创首次发表于 http://bbs.kafan.cn/thread-973790-1-1.html

TOP

batpro

一级士官

Rank: 2

帖子: 71
积分: 137
技术: 2
捐助: 0
注册时间: 2011-5-8

3楼

发表于 2011-5-24 22:07 | 只看该作者

本帖最后由 batpro 于 2011-5-24 22:09 编辑

提供测试文本文件,测试时请复制到SREnglog.log中，并与bat文件放于同一文件夹中

2009-04-09,23:02:06
System Repair Engineer 2.7.0.1210
Smallfrogs ([url=http://www.kztechs.com/][color=#0000ff]http://www.KZTechs.com[/color][/url])
Windows XP Professional Service Pack 3 (Build 2600) - 管理权限用户 - 完整功能
以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件
    进程特权扫描
    计划任务
    API HOOK
    隐藏进程

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Infected) Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <VMware Tools><C:\Program Files\VMware\VMware Tools\VMwareTray.exe>  [VMware, Inc.]
    <VMware User Process><C:\Program Files\VMware\VMware Tools\VMwareUser.exe>  [VMware, Inc.]
    <EQSysSecure><E:\Program Files\EQSecurePro\EQSysSecure.exe /background>  [EQSecure]
    <IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Windows Component Publisher]
    <PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [(Verified)Microsoft Windows Component Publisher]
    <PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <config.exe><C:\WINDOWS\khdk0.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Component Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <WebCheck><%SystemRoot%\system32\webcheck.dll>  [(Verified)Microsoft Windows Component Publisher]
    <SysTray><C:\WINDOWS\system32\stobject.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    <WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    <WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    <WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
    <WinlogonNotify: dimsntfy><%SystemRoot%\System32\dimsntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    <WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    <WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    <WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    <WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    <WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    <WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
    <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    <Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
    <浏览器自定义组件><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
    <Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
    <Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
    <IFEO[360rpt.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
    <IFEO[360Safe.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
    <IFEO[360tray.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrRtp.exe]
    <IFEO[DrRtp.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe]
    <IFEO[QQDoctor.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RStray.exe]
    <IFEO[RStray.exe]><C:\WINDOWS\system32\svchost.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_CURRENT_USER\Control Panel\Desktop]
    <SCRNSAVE.EXE><C:\WINDOWS\System32\logon.scr>  [(Verified)Microsoft Windows Component Publisher]
==================================
启动文件夹
N/A
==================================
服务
[EQService / EQService][Stopped/Auto Start]
  <E:\Program Files\EQSecurePro\EQService.exe><EQSecure>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[VMware Tools Service / VMTools][Running/Auto Start]
  <"C:\Program Files\VMware\VMware Tools\VMwareService.exe"><VMware, Inc.>
==================================
驱动程序
[EQSysSecure / EQSysSecure][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\EQSysSecure.sys><EQSecure>
[Creative AudioPCI (ES1371,ES1373) (WDM) / es1371][Running/Manual Start]
  <system32\drivers\es1371mp.sys><Creative Technology Ltd.>
[hgfs / hgfs][Running/Auto Start]
  <System32\DRIVERS\hgfs.sys><VMware, Inc.>
[AMD PCNET Compatable Adapter Driver / PCnet][Stopped/Manual Start]
  <system32\DRIVERS\pcntpci5.sys><AMD Inc.>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[VMware Pointing Device / vmmouse][Running/Manual Start]
  <system32\DRIVERS\vmmouse.sys><VMware, Inc.>
[vmscsi / vmscsi][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\vmscsi.sys><VMware, Inc.>
[VMware Ethernet Adapter Driver / vmxnet][Running/Manual Start]
  <system32\DRIVERS\vmxnet.sys><VMware, Inc.>
[vmx_svga / vmx_svga][Running/Manual Start]
  <system32\DRIVERS\vmx_svga.sys><VMware, Inc.>
[zg / zg][Running/Manual Start]
  <2 - 系统找不到指定的文件。
><N/A>
==================================
浏览器加载项
[]
  {e2e2dd38-d088-4134-82b7-f2ba38496583} <%windir%\Network Diagnostic\xpnetdiag.exe, (Signed) N/A>
[Messenger]
  {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, (Signed) Microsoft Corporation>
[9Box Agent Object]
  {49484D63-60FB-4E4E-A400-9092F418CB61} <C:\PROGRA~1\Shutter\9BOX-S~1\NINEBO~1.DLL, (Signed) N/A>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\macromed\flash\flash.ocx, (Signed) Macromedia, Inc.>
[]
  {E2E2DD38-D088-4134-82B7-F2BA38496583} <, >
[]
  {FB5F1910-F110-11D2-BB9E-00C04F795683} <, >
==================================
正在运行的进程
[PID: 364][\SystemRoot\System32\smss.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 600][\??\C:\WINDOWS\system32\csrss.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 632][\??\C:\WINDOWS\system32\winlogon.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2113)]
    [C:\WINDOWS\system32\COMRes.dll]  [N/A, ]
[PID: 676][C:\WINDOWS\system32\services.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 688][C:\WINDOWS\system32\lsass.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2113)]
[PID: 844][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
    [C:\WINDOWS\system32\COMRes.dll]  [N/A, ]
[PID: 928][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
    [C:\WINDOWS\system32\COMRes.dll]  [N/A, ]
[PID: 1032][C:\WINDOWS\System32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
    [C:\WINDOWS\System32\COMRes.dll]  [N/A, ]
[PID: 1152][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 1216][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
    [C:\WINDOWS\system32\COMRes.dll]  [N/A, ]
[PID: 1392][C:\WINDOWS\Explorer.EXE]  [(Verified) Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
    [C:\WINDOWS\system32\COMRes.dll]  [N/A, ]
    [C:\Program Files\VMware\VMware Tools\hook.dll]  [N/A, ]
    [C:\WINDOWS\System32\hgfs.dll]  [N/A, ]
    [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat]  [N/A, ]
    [C:\WINDOWS\fonts\ComRes.dll]  [N/A, ]
    [C:\WINDOWS\fonts\gth77327.ttf]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\jxinit.dat]  [N/A, ]
[PID: 1884][C:\Program Files\VMware\VMware Tools\VMwareService.exe]  [VMware, Inc., 5.5.2 build-29772]
    [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
[PID: 228][C:\WINDOWS\System32\alg.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-0852)]
    [C:\WINDOWS\System32\COMRes.dll]  [N/A, ]
[PID: 432][C:\Program Files\VMware\VMware Tools\VMwareTray.exe]  [VMware, Inc., 5.5.2 build-29772]
    [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\Program Files\VMware\VMware Tools\VMControlPanel.cpl]  [VMware, Inc., 5.5.2 build-29772]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat]  [N/A, ]
[PID: 440][C:\Program Files\VMware\VMware Tools\VMwareUser.exe]  [VMware, Inc., 5.5.2 build-29772]
    [C:\Program Files\VMware\VMware Tools\hook.dll]  [N/A, ]
    [C:\WINDOWS\system32\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat]  [N/A, ]
[PID: 536][C:\WINDOWS\system32\ctfmon.exe]  [(Infected) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2105)]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\jxinit.dat]  [N/A, ]
    [C:\WINDOWS\system32\704C3595.dll]  [N/A, ]
[PID: 1560][C:\WINDOWS\system32\gr.exe]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\jxinit.dat]  [N/A, ]
[PID: 1580][C:\Program Files\Microsoft Office\SYSTEM\sysbar.exe]  [N/A, ]
    [C:\WINDOWS\system32\COMRes.dll]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\jxinit.dat]  [N/A, ]
[PID: 1668][C:\WINDOWS\khdk0.exe]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll]  [N/A, ]
    [C:\Program Files\VMware\VMware Tools\hook.dll]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat]  [N/A, ]
[PID: 1824][C:\program files\internet explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
    [C:\WINDOWS\system32\COMRes.dll]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\jxinit.dat]  [N/A, ]
    [C:\WINDOWS\system32\704C3595.dll]  [N/A, ]
[PID: 2036][E:\Tools\sreng2\SREngLdr.EXE]  [Smallfrogs Studio, 2.7.0.1210]
[PID: 2044][E:\Tools\sreng2\SRE7677f6e6.EXE]  [Smallfrogs Studio, 2.7.0.1210]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\xunxianqq.dll]  [N/A, ]
    [C:\Program Files\VMware\VMware Tools\hook.dll]  [N/A, ]
    [E:\Tools\sreng2\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\msdfjsadfjd.dat]  [N/A, ]
    [C:\WINDOWS\fonts\ComRes.dll]  [N/A, ]
    [C:\WINDOWS\fonts\gth77327.ttf]  [N/A, ]
    [C:\DOCUME~1\gz\LOCALS~1\Temp\jxinit.dat]  [N/A, ]
    [C:\WINDOWS\system32\704C3595.dll]  [N/A, ]
==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1       localhost
==================================
进程特权扫描
特殊特权被允许： SeLoadDriverPrivilege [PID = 432, C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWARETRAY.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 440, C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\VMWAREUSER.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 536, C:\WINDOWS\SYSTEM32\CTFMON.EXE]
特殊特权被允许： SeDebugPrivilege [PID = 1560, C:\WINDOWS\SYSTEM32\GR.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 1560, C:\WINDOWS\SYSTEM32\GR.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 1580, C:\PROGRAM FILES\MICROSOFT OFFICE\SYSTEM\SYSBAR.EXE]
特殊特权被允许： SeDebugPrivilege [PID = 1668, C:\WINDOWS\KHDK0.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 1668, C:\WINDOWS\KHDK0.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 2036, E:\TOOLS\SRENG2\SRENGLDR.EXE]
==================================
计划任务
N/A
==================================
API HOOK
N/A
==================================
隐藏进程
N/A
==================================
复制代码

TOP

techon

一级士官

Rank: 2

帖子: 95
积分: 115
技术: 4
捐助: 0
注册时间: 2011-4-13

4楼

发表于 2011-5-24 22:55 | 只看该作者

代码很难简了，大多都是定义黑白名单的代码。。。可以考虑把可信任文件单独放到一个配置文件里

感觉如果会用Sreng，这个P就是个鸡肋
Sreng有自动将可疑文件复制到一个目录的功能

解释执行的脚本语言与编译语言还是有很大差别的。。。

TOP

返回列表

[新手上路]批处理新手入门导读	[视频教程]批处理基础视频教程	[视频教程]VBS基础视频教程	[批处理精品]批处理版照片整理器
[批处理精品]纯批处理备份&还原驱动	[批处理精品]CMD命令50条不能说的秘密	[在线下载]第三方命令行工具	[在线帮助]VBScript / JScript 在线参考

[文本处理] 批处理版SREnglog智能分析工具(请帮忙找问题及精简)

[收藏此主题] [关注此主题的新回复]

[通过 QQ、MSN 分享给朋友]