Unable to get online because of ws2_64.dll (PWSteal.Trojan / Trojan.Redfall)

Symantec's official fix (if you intend to edit the registry by hand, print this document and follow it step by step)

http://securityresponse.symantec.com/avcenter/venc/data/trojan.redfall.html

Technical details:

When Trojan.Redfall runs, it performs the following actions:

  1. Drops the file:

    %System%\taskmon64.exe


    Note: %System% is a variable. The Trojan locates the System folder and drops a DLL file there. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    This is a malicious program and is detected as
    Trojan.KillAV.
  2. Drops the file:

    %System%\ws2_64.dll

    This is a malicious program and is detected as PWSteal.Trojan.
  3. Creates the directory:

    C:\Programes\qlwg42

    This directory contains only non-malicious files that are not detected. Delete this directory if you do not want its contents.
  4. Creates the directory:

    C:\Program Files\Common Files\qlwg42

    This directory contains only non-malicious files that are not detected. Delete this directory if you do not want its contents.
  5. Adds two links to the desktop. These point to the following programs:

    C:\Program Files\Common Files\qlwg42\Artmoney.exe
    C:\Program Files\Common Files\qlwg42\PMLoad42.exe

    Delete these links if you do not wish to keep the programs to which they point.
  6. Partially overwrites the PackedCatalogItem values of several of the subkeys under the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\

    The subkeys are named 000000000001, 000000000002, 000000000003, and so forth.
  7. Creates the subkey:

    Winsock

    in the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\

    and adds a number of values to that subkey. These values contain the original data that was overwritten in the previous step. Do not delete these values before performing the removal instructions below, as you will need them to restore the original values in the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\

Removal instructions:

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. End the Taskmon64.exe process.
  4. Run a full system scan and delete all the files detected as Trojan.Redfall, Trojan.KillAV, and PWSteal.Trojan.
  5. Reverse the changes that Trojan.Redfall made to the registry.
  6. Restart the computer.

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:



Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.




For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.


3. Ending the Taskmon64.exe process
To end the Trojan process, follow the steps for your version of Windows:

Windows 95/98/Me
  1. Press Ctrl+Alt+Delete once.
  2. Scroll through the list of programs and look for Taskmon64.exe.
  3. If you find the file, click it, and then click End Task.

Windows NT/2000/XP
  1. Press Ctrl+Alt+Delete once.
  2. Click Task Manager.
  3. Click the Processes tab.
  4. Double-click the Image Name column header to alphabetically sort the processes.
  5. Scroll through the list and look for Taskmon64.exe.
  6. If you find the file, click it, and then click End Process.
  7. Exit the Task Manager.

4. Scanning for and deleting the infected files

  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with Trojan.Redfall, Trojan.KillAV, or PWSteal.Trojan, click Delete.


5. Reversing the changes made to the registry


CAUTION:

  • Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  • The reversal of the changes that Trojan.Redfall made is an exacting task that requires great care. Be sure to follow these instructions explicitly. Read them in their entirety and ensure that you understand them before you begin this procedure.


  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries

  4. Click on the first subkey. It will be named 000000000001.
  5. In the right pane, double-click the name PackedCatalogItem. An "Edit Binary Value" dialog appears. If the text on the right-hand side of this window contains the string "ws2_64.dll" (an example is shown in the picture below), then Trojan.Redfall has changed this value, and it must therefore be restored. Close the dialog by clicking Cancel, and then proceed to the next step.

    [Picture: "Edit Binary Value" dialog with "ws2_64.dll" visible in the text on the right-hand side]

  6. To restore the value, perform sub-steps 1 through 12 below.
    1. Navigate to the key:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Winsock

    2. In the right pane, double-click on the name:

      1001

      A window entitled "Edit String" will appear. An example of the window is shown in the picture below.

      [Picture: "Edit String" dialog for value 1001 showing the original DLL path in the Value data box]

    3. Carefully count the number of characters in the string listed. In this example, the string is 31 characters long, but your system may vary. Write this information down, as you will need it in step 9.
    4. Write down the Value data, or Highlight and copy it, and then paste it into Notepad for future reference.


      Note: You can copy the original value data, but when it comes time to replace the changed data, you will be unable to paste it in. You will need to type the value in by hand, so be sure to copy it somewhere for reference, or write it down exactly as it appears, including capitalization.

    5. Click Cancel.
    6. Navigate to the key:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries

      and click on the subkey 000000000001.

    7. In the right pane, double-click the name PackedCatalogItem. An "Edit Binary Value" dialog appears.
    8. In the Value data box, place the cursor immediately to the left of the first character of the text block on the right-hand side of the box, as shown in the picture below:

      [Picture: "Edit Binary Value" dialog with the cursor at the start of the text on the right-hand side]

    9. Using the character count from step 3, delete that number of characters from the beginning of the text displayed in the Value data box. The easiest way to do this is to put the cursor at the beginning of the text values, and then hit the delete key the correct number of times.
    10. With the cursor at the beginning of the text area (where it should still be after the previous step), type the value you copied in step 4 exactly as it appeared.

    11. After entering the correct value, scroll to the bottom of the Value data. It should look exactly like the picture below. If it does not, you have deleted or typed in the wrong number of characters. In this case, click Cancel and return to step 1. If the box appears exactly as shown in the picture below, click OK.

      [Picture: "Edit Binary Value" dialog scrolled to the bottom of the restored value]

    12. You have now finished restoring the value of one subkey. To complete the removal, you must repeat steps 3 through 6 for each subkey under the key:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries


      Note: Each subkey that Trojan.Redfall has changed will have a corresponding value under the key:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Winsock

      where the original data is stored.


      For example, the key:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002

      has the corresponding value 1002 in the key:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Winsock

      and the key:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003

      has the corresponding value 1003, and so forth.

  7. Once you have examined the PackedCatalogItem values for each subkey under:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries

    and restored those values that Trojan.Redfall modified, delete the key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Winsock.

  8. Exit the Registry Editor.
  9. Restart the computer.
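The following Python script is an added example; it is not Symantec's code or part of the original post. It models technical details 6 and 7 (the overwritten PackedCatalogItem values and their backups under Winsock\1001, 1002, ...) and steps 5 through 11 of the registry procedure on constructed sample data, so the check and the restore can be exercised offline. It assumes the PackedCatalogItem layout in which the first 260 bytes (MAX_PATH) are a NUL-padded ANSI DLL path; the sample blobs, the "1000 + n" naming rule for the backup values, and the longer-path variant used to show why the final visual check matters are all constructed assumptions. The live-registry function is read-only and only runs on Windows.

```python
"""Offline model of the Winsock2 catalog tampering and its reversal.

Assumed layout (not taken from the page): PackedCatalogItem starts with a
260-byte NUL-padded ANSI DLL path, followed by the rest of the packed
WSAPROTOCOL_INFO data. All sample values below are constructed.
"""
import sys

MAX_PATH = 260
HIJACK_MARKER = b"ws2_64.dll"  # the DLL the Trojan drops into %System%
CATALOG_KEY = (r"SYSTEM\CurrentControlSet\Services\Winsock2\Parameters"
               r"\Protocol_Catalog9\Catalog_Entries")


def dll_path(blob: bytes) -> bytes:
    """Return the DLL path stored in the 260-byte field (up to the first NUL)."""
    return blob[:MAX_PATH].split(b"\x00", 1)[0]


def is_hijacked(blob: bytes) -> bool:
    """Step 5: does the value's path field name ws2_64.dll?"""
    return HIJACK_MARKER.lower() in dll_path(blob).lower()


def backup_value_name(subkey: str) -> str:
    """Map Catalog_Entries\\000000000001 -> Winsock\\1001 (assumed rule: 1000 + n)."""
    return str(1000 + int(subkey, 10))


def manual_restore(blob: bytes, original_path: bytes) -> bytes:
    """Steps 8-10 as done in regedit: delete len(original) characters from the
    start of the value, then type the original path in their place."""
    return original_path + blob[len(original_path):]


def restore_path_field(blob: bytes, original_path: bytes) -> bytes:
    """Rewrite the whole 260-byte path field, NUL-padded. Gives the same result
    as manual_restore when the Trojan's path is not longer than the original,
    and stays correct when it is."""
    if len(original_path) >= MAX_PATH:
        raise ValueError("path does not fit in the 260-byte field")
    return original_path.ljust(MAX_PATH, b"\x00") + blob[MAX_PATH:]


def verify_restored(blob: bytes, original_path: bytes) -> bool:
    """Step 11 check: the path reads back as the original, the rest of the
    field is clean NUL padding, and no trace of the hijack remains."""
    padding = blob[len(original_path):MAX_PATH]
    return (dll_path(blob) == original_path
            and padding == b"\x00" * len(padding)
            and not is_hijacked(blob))


def scan_live_catalog() -> list:
    """Read-only scan of the live catalog (Windows only). Returns
    (subkey, backup value name) pairs for entries that still point at ws2_64.dll."""
    import winreg  # only available on Windows
    hits = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_KEY) as cat:
        for i in range(winreg.QueryInfoKey(cat)[0]):
            name = winreg.EnumKey(cat, i)
            with winreg.OpenKey(cat, name) as sub:
                blob, _ = winreg.QueryValueEx(sub, "PackedCatalogItem")
            if is_hijacked(blob):
                hits.append((name, backup_value_name(name)))
    return hits


def make_item(path: bytes, tail: bytes) -> bytes:
    """Build a constructed PackedCatalogItem-shaped blob for the demo."""
    return path.ljust(MAX_PATH, b"\x00") + tail


# Constructed samples. ORIGINAL_PATH is 31 characters, matching the count in
# the text; TAIL stands in for the rest of the packed structure and must
# survive the restore untouched. LONG_HIJACK_ITEM is a hypothetical variant
# whose planted path is longer than the original.
ORIGINAL_PATH = b"C:\\WINDOWS\\system32\\mswsock.dll"
TAIL = bytes(range(1, 41))
CLEAN_ITEM = make_item(ORIGINAL_PATH, TAIL)
HIJACKED_ITEM = make_item(b"C:\\WINDOWS\\system32\\ws2_64.dll", TAIL)
LONG_HIJACK_ITEM = make_item(b"C:\\WINDOWS\\system32\\drivers\\ws2_64.dll", TAIL)


if __name__ == "__main__":
    if sys.platform == "win32":
        print("catalog entries still naming ws2_64.dll:", scan_live_catalog())
    else:
        print("hijacked:", is_hijacked(HIJACKED_ITEM))
        fixed = manual_restore(HIJACKED_ITEM, ORIGINAL_PATH)
        print("manual restore ok:", verify_restored(fixed, ORIGINAL_PATH))
        bad = manual_restore(LONG_HIJACK_ITEM, ORIGINAL_PATH)
        print("manual restore of longer path ok:", verify_restored(bad, ORIGINAL_PATH))
        good = restore_path_field(LONG_HIJACK_ITEM, ORIGINAL_PATH)
        print("field restore of longer path ok:", verify_restored(good, ORIGINAL_PATH))
```

The longer-path sample shows why step 11's "scroll to the bottom and compare" check is there: deleting 31 characters and retyping 31 leaves the tail of a longer planted path behind, and `verify_restored` reports that the same way the visual comparison would.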
