给力的npe---第一次用它杀毒

wjcharles

运行此样本，http://bbs.kafan.cn/thread-922405-1-1.htmlNIS2011没任何反应，于是上npe试试，结果如下，提示重启清除，重启后一切正常。
以前最多用npe来查查系统有无异常，再另外想办法手杀，这次有这么多条目，只能靠npe了。。。

- <Remediate DateAndTime="Thursday, 03 March 2011 Time: 02:41">
- <Infections_Selected_For_Remediation>
  <DRIVERS Count="0" />
- <SERVICES Count="1">
- <Service ID="1">
- <File_Information>
  <Path>c:\program files\windows.exe</Path>
  <FileVersion><></FileVersion>
  <ProductVersion><></ProductVersion>
  <ProductName><></ProductName>
  <Company><></Company>
  <Copyrights><></Copyrights>
  <MD5>D6D36B6C54E1B47F64B8AC9A6E2F60A7</MD5>
  <SHA256>0348A51A41B6516CB54FF0B1147F20EEC9532D5D8325F7A72C87EAE9597B10C4</SHA256>
  <FileSize>34966016</FileSize>
  </File_Information>
- <SideEffects Count="39">
  <File>c:\program files\windows.exe</File>
  <RegistryValue>HKEY_LOCAL_MACHINE\Software\Classes\batfile\shell\open\command\""</RegistryValue>
  <RegistryValue>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile\shell\open\command\""</RegistryValue>
  <RegistryValue>HKEY_LOCAL_MACHINE\Software\Classes\comfile\shell\open\command\""</RegistryValue>
  <RegistryValue>HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command\""</RegistryValue>
  <RegistryValue>HKEY_LOCAL_MACHINE\Software\Classes\piffile\shell\open\command\""</RegistryValue>
  <RegistryValue>HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{762F86D0-B3EA-11d2-84D3-0080AD160D07}\InprocServer32\""</RegistryValue>
  <RegistryValue>HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E598560B-28D5-46aa-A14A-8A3BEA34B576}\InprocServer32\""</RegistryValue>
  <RegistryValue>HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}\InprocServer32\""</RegistryValue>
  <RegistryValue>HKEY_LOCAL_MACHINE\Software\Classes\WPDContextMenu.Image\shellex\ContextMenuHandlers\ShImageViewer\""</RegistryValue>
  <RegistryValue>HKEY_LOCAL_MACHINE\Software\Classes\WPDContextMenu.Video\shellex\ContextMenuHandlers\ShImageViewer\""</RegistryValue>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\BomeRst.wpc\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\BomeRst.tsp\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\BomeRst.tlb\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\BomeRst.res\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\BomeRst.dpl\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\BomeRst.dcr\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\BomeRst.cnv\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\BomeRst.bpl\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\BomeRst.acm\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\BomeRst.rc\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\BomeRst.ax\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\sysfile\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\scrfile\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\ocxfile\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\exefile\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\drvfile\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\dllfile\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\cplfile\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\comfile\shellex\ContextMenuHandlers\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\WPDContextMenu.Video\shellex\ContextMenuHandlers\ShImageViewer</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\WPDContextMenu.Image\shellex\ContextMenuHandlers\ShImageViewer</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}\InprocServer32</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E598560B-28D5-46aa-A14A-8A3BEA34B576}\InprocServer32</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{762F86D0-B3EA-11d2-84D3-0080AD160D07}\InprocServer32</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E598560B-28D5-46aa-A14A-8A3BEA34B576}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{762F86D0-B3EA-11d2-84D3-0080AD160D07}</RegistryKey>
  <RegistryKey>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend</RegistryKey>
  </SideEffects>

ming9888

就释放了一个Windows.exe,用诺顿的信誉云就可以查到这个可疑文件，直接删掉就可以了。

wjcharles

ming9888 发表于 2011-3-3 20:31
就释放了一个Windows.exe,用诺顿的信誉云就可以查到这个可疑文件，直接删掉就可以了。

那npe为什么要修复注册表？以前npe也就报一个exe，一两个注册表项，这次报了这么多，很奇怪。。。

皇甫暮云

npe本来就是系统修复工具。。。正常

yingshudai

npe本来就是系统修复工具。。。学习了[:26:]