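::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::
:: Search every hard drive for suspicious files, then search inside each suspicious file for suspicious keywords
::
:: The suspicious file names and the keywords can both be added to or trimmed; see the "file" and "evil" definitions (space-separated)
::
:: If a virus script builds its keywords by string concatenation, the search will miss them in some types of suspicious file
::
:: Author: NeedJava
::
:: Modified: 2007.09.21
::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::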
@ECHO OFF
SETLOCAL EnableDelayedExpansion
SET "file=Autorun.inf Folder.htt Desktop.htt Desktop.ini"
SET "evil=application x-oleobject codebase exe pif"
REM Remove temp (.vab) and result (.txt) files left over from a previous run
FOR %%b IN ( !file! ) DO (
    DEL /F /Q "%%~nxb.vab" 1>NUL 2>NUL
    DEL /F /Q "%%~nxb.txt" 1>NUL 2>NUL
)
FOR %%a IN ( C D E F G H I J K L M N O P Q R S T U V W X Y Z ) DO (
    IF EXIST "%%a:\" (
        CLS
        ECHO. & ECHO 正在搜索〔%%a:〕盘……
        FOR %%b IN ( !file! ) DO (
            ECHO. & ECHO 正在搜索文件〔%%b〕……
            REM ATTRIB lists matching files regardless of hidden/system/read-only attributes
            ATTRIB.EXE /S "%%a:\%%b">>"%%~nxb.vab" 2>NUL
            REM DIR /A-DS /B /S "%%a:\%%b">>"%%~nxb.vab" 2>NUL
            REM DIR /A-DH /B /S "%%a:\%%b">>"%%~nxb.vab" 2>NUL
            REM DIR /A-DA /B /S "%%a:\%%b">>"%%~nxb.vab" 2>NUL
            REM DIR /A-DR /B /S "%%a:\%%b">>"%%~nxb.vab" 2>NUL
            REM SORT.EXE /R "%%~nxb.vab" /O "%%~nxb.vab"
            SET "prev="
            FOR /F "delims=" %%c IN ( %%~nxb.vab ) DO (
                SET "list=%%c"
                REM :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                REM ::
                REM :: Handle lines produced by ATTRIB: the first 11 characters are a
                REM :: fixed-width field for the read-only, system, etc. attributes
                REM ::
                REM :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                IF "!list:~12,2!"==":\" (
                    SET "list=!list:~11!"
                )
                REM :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                REM ::
                REM :: Lines produced by DIR contain duplicates that must be dropped:
                REM :: sort first, then compare each line with the previous one
                REM ::
                REM :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                IF "!list:~1,2!"==":\" (
                    IF NOT "!list!"=="!prev!" (
                        ECHO. & ECHO 找到文件〔!list!〕……
                        ECHO.>>"%%~nxb.txt" & ECHO - - - -[!list!]- - - - - - - - - - - - - - - - - - - ->>"%%~nxb.txt"
                        REM Case-insensitive match on any one of the space-separated keywords
                        FINDSTR.EXE /I "!evil!" "!list!">>"%%~nxb.txt" 2>NUL
                    )
                )
                SET "prev=!list!"
            )
            DEL /F /Q "%%~nxb.vab" 1>NUL 2>NUL
        )
    )
)
@ECHO ON
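
The header notes that keywords assembled by string concatenation escape the literal FINDSTR match. The Python code below is an added example, not part of NeedJava's script: it folds adjacent string literals joined by `&` or `+` before running the same keyword list, so split keywords are reported. The names `normalize_concat`, `scan` and `SAMPLE` are assumptions made for this example, and the sample text is constructed.

```python
import re

# Keyword list copied from the batch script's "evil" variable.
EVIL = "application x-oleobject codebase exe pif".split()

# Seam between two adjacent string literals joined by "&" (VBScript) or
# "+" (JScript/VBScript): closing quote, operator, opening quote of same kind.
# Heuristic only: it does not parse escapes, variables or function calls.
_SEAM = re.compile(r"""(["'])\s*[+&]\s*\1""")


def normalize_concat(text):
    """Fold "ab" & "cd" into "abcd" so split keywords become contiguous."""
    return _SEAM.sub("", text)


def scan(text, keywords=EVIL):
    """Report keywords found literally and those found only after folding."""
    def hits(s):
        low = s.lower()  # case-insensitive, like FINDSTR /I
        return {k for k in keywords if k.lower() in low}

    literal = hits(text)
    folded = hits(normalize_concat(text))
    return {"literal": sorted(literal),
            "only_after_folding": sorted(folded - literal)}


# Constructed, inert sample in the style of a Folder.htt script block.
SAMPLE = '''\
<script language="VBScript">
' note: demo.pif
t = "appli" & "cation/x-ole" & "object"
p = "setup.e" + "xe"
c = "code" & "base"
</script>
'''

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Keywords listed under `only_after_folding` are the ones the batch script's FINDSTR pass would not report for that file.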