1.    14 Mar 2017 #1

    Is this script safe


    *Warning may cause harm*

    I saw it posted in a forum; it's supposed to find if any svchost.exe's running on the system contain trojans or malicious backdoors/hidden scripts and viruses.

    PHP Code:
    @echo off
    REM First release on 01/03/2017 04:45
    REM Updated on 07/03/2017 04:05
    Set "ProcessName=SVCHOST"
    REM Temporary and output files
    Set "Tmp_Services=%Tmp%\%~n0.txt"
    If Exist "%Tmp_Services%" Del "%Tmp_Services%"
    Set "ProcessLog=%Tmp%\%ProcessName%.log"
    If Exist "%ProcessLog%" Del "%ProcessLog%"
    Set "Legits_Services_SVCHOST=%~dp0Legits_Services_%ProcessName%.txt"
    Set "Legit_Location=%windir%\system32\svchost.exe"
    Set "LogFile=%~dp0%ProcessName%_ProcessList.txt"
    Set "Suspicious_LogFile=%~dp0%ComputerName%_%ProcessName%_Suspicious_Paths.txt"
    Title Finding all instances and paths of "%ProcessName%" by Hackoo 2017
    If Exist "%LogFile%" Del "%LogFile%"
    Set /A Counter=0
    setlocal enableDelayedExpansion
    REM Log the command line of every process whose name contains %ProcessName%
    for /F "skip=1" %%a in ('WMIC Path win32_process where "name like '%%%ProcessName%%%'" get commandline') do (
        for /F "delims=" %%b in ("%%a") do (
            Color 0A
            set /A Counter+=1
            set "p=%%b"
            REM Print only the entries that run from the expected location
            for /F %%f in ('echo !p! ^|Findstr /LI "%Legit_Location%"') do (
                echo [!Counter!] : !p!
            )
            ( echo "!p!" )>>"%LogFile%"
        )
    )

    REM Dump all processes, then keep the lines that mention the expected path
    Powershell.exe Get-WmiObject Win32_Process ^| select ProcessID,ProcessName,Handle,commandline,ExecutablePath ^| Out-File -Append "%ProcessLog%" -Encoding ascii
    Type "%ProcessLog%" | find /I "%Legit_Location%" > "%Tmp_Services%"

    REM Show the services hosted by each instance on the console ...
    (
        echo(
        echo Those are legitimes services of "%ProcessName%.exe"
        Tasklist /SVC /FO TABLE /FI "IMAGENAME eq %ProcessName%.exe"
    )>con

    REM ... and append the same listing to the temporary file
    (
        echo(
        echo Those are legitimes services of "%ProcessName%.exe"
        Tasklist /SVC /FO TABLE /FI "IMAGENAME eq %ProcessName%.exe"
    )>> "%Tmp_Services%"
    CMD /C Type "%Tmp_Services%" > "%Legits_Services_SVCHOST%"
    echo(
    Echo All instances of "%ProcessName%" in this path "%Legit_Location%" are legitimes services
    echo(
    echo Hit any key to look for a suspicious "%ProcessName%" paths
    REM Every logged command line that does NOT contain the expected path
    Findstr /LVI "%Legit_Location%" "%LogFile%" > "%Suspicious_LogFile%"
    pause>nul
    Start "" "%Suspicious_LogFile%"
    Start "" "%Legits_Services_SVCHOST%" & exit
    ::*********************************************************************************************
    code.txt you can view it plainly in the text form I attached
  2.    14 Mar 2017 #2

    Not sure if it is very helpful; it just lists processes not located within the System32 folder.
    Windows processes are listed separately, so that is a dead giveaway for that one.
    Malware usually uses a hijacked svchost.exe and this script will not tell you that.
  3.    14 Mar 2017 #3

    Quote: Originally Posted by TairikuOkami
    Not sure if it is very helpful; it just lists processes not located within the System32 folder.
    Windows processes are listed separately, so that is a dead giveaway for that one.
    Malware usually uses a hijacked svchost.exe and this script will not tell you that.
    That is helpful, thank you.