开机时弹出对话框,报加载KB896425.log出错

本文详细介绍了KB896425.log病毒的工作原理及清除步骤。该病毒通过创建系统服务并修改注册表实现开机启动,能够窃取World of Warcraft账户密码并发送给远程攻击者。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

记得2个多月前,就一直有报这个错误,当时在google上搜索KB896425.log啥也搜不出来,结果就天天开机这么忍着,到现在快3个月了。刚才再到google上搜了一把,终于查出了具体的原因,原来是一个病毒的残留物。

搜出的一些中文网页上,一般是说运行regedit,将开机启动项中的KB896425.log的启动项删除,再用注册表的查找功能搜KB896425.log,搜索到后,删除与它相关的选项。但说得不是很详细,搜了个中文网页,说得非常清楚。现摘录如下(http://www.viruslist.com/en/viruses/encyclopedia?virusid=130036):

Trojan-PSW.Win32.WOW.el

Aliases
Trojan-PSW.Win32.WOW.el (Kaspersky Lab) is also known as: Trojan.PWS.Wow (Doctor Web),   TSPY_WOW.GY (Trend Micro),   TR/PSW.WOW.el.31.C (H+BEDV),   PSW.Generic2.ADQJ (Grisoft),   Trojan.Agent.TA (SOFTWIN)
Detection addedAug 03 2006 12:18 GMT
Update releasedAug 03 2006 13:26 GMT
Description addedOct 03 2006
BehaviorPSW Trojan

Technical details

This Trojan program is designed to steal user passwords to accounts on WoW servers. The Trojan itself is a Windows PE EXE file, written in Delphi and packed using NsPack. The packed file is 136069 bytes in size, and the unpaced file is approximately 316KB in size.

Installation

Once launched, the Trojan creates a DLL file in the C:/ root directory:

c:/nxldr.dat

It then launches this file and calls the "start" function:

When launching, the DLL file copies its executable file to the Windows system directory:

%System32%/KB896425.log

The Trojan creates a service called NetWork Logon in order to ensure that it is automatically run each time Windows is restarted:

[HKLM/System/CurrentControlSet/Services/NetWorkLogon]

Payload

When launching, the DLL file gets a list of processes. It then loads itself to the address space of a process chosen at random from the list, as well as to the processes listed below:

EXPLORER.EXE
IEXPLORE.EXE

where the DLL file will install a hook for the send function of WS2_32.dll which is used to track the user's HTTP requests. For POST requests where the URL contains the following string:

/vk/unblock_deal.php

the Trojan gets the values of the following parameters:

account=
pin=

If the URL contains the string /dologin.php, the Trojan will get the value of the parameters listed below:

loginname=
&password=

For processes called WOW.EXE the Trojan gets the values entered in dialogue boxes, and will also take screenshots of some dialogue boxes.

The Trojan sends the harvested information to the remote malicious user's site.

The Trojan will also delete all links containing the string "the9.com" from the browser cache.

Removal instructions

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how it initially penetrated the victim machine).
  3. Delete the files created by the Trojan:

     

    %System32%/KB896425.log
    c:/nxldr.dat

     

  4. Delete the following system registry keys:

     

    [HKLM/System/CurrentControlSet/Services/NetWorkLogon]

     

  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值