WS2

xiaoxiao 2021-03-06

Symantec's official solution (I suggest that anyone who wants to make the changes manually print out this document)

Http://securityResponse.symantec.com/avcenter/ensc/data/trojan.redfall.html

Technical details: When Trojan.Redfall runs, it performs the following actions:

Drops the file: %System%\taskmon64.exe

Note: %System% is a variable. The Trojan locates the System folder and inserts a DLL file in that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

This is a malicious program and is detected as Trojan.KillAV.

Drops the file: %System%\ws2_64.dll
This is a malicious program and is detected as PWSteal.Trojan.

Creates the directory: C:\Programes\qlwg42
This directory contains only non-malicious files that are not detected. Delete this directory if you do not want its contents.

Creates the directory: C:\Program Files\Common Files\qlwg42
This directory contains only non-malicious files that are not detected. Delete this directory if you do not want its contents.

Adds two links to the desktop. These point to the following programs:
C:\Program Files\Common Files\qlwg42\Artmoney.exe
C:\Program Files\Common Files\qlwg42\PMLoad42.exe
Delete these links if you do not wish to keep the programs to which they point.

Partially overwrites the PackedCatalogItem values of several of the subkeys under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
The subkeys are named 000000000001, 000000000002, 000000000003, and so forth.

Creates the subkey: Winsock
in the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\
and adds a number of values to that subkey. These values contain the data that was overwritten as described above. Do not delete these values before performing the removal instructions below, as you will need them to restore the original values in the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\

Removal instructions: The following instructions ...

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. End the Taskmon64.exe process.
4. Run a full system scan and delete all the files detected as Trojan.Redfall, Trojan.KillAV, and PWSteal.Trojan.
5. Reverse the changes that Trojan.Redfall made to the registry.
6. Restart the computer.

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations. Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

"How to Disable or Enable Windows Me System Restore"
"How to Turn Off or Turn On Windows XP System Restore"

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions

Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).

Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Ending the Taskmon64.exe process

To end the Trojan process, follow the steps for your version of Windows:

Windows 95/98/Me

Press Ctrl+Alt+Delete once. Scroll through the list of programs and look for Taskmon64.exe. If you find the file, click it, and then click End Task.

Windows NT/2000/XP

Press Ctrl+Alt+Delete once. Click Task Manager. Click the Processes tab. Double-click the Image Name column header to alphabetically sort the processes. Scroll through the list and look for Taskmon64.exe. If you find the file, click it, and then click End Process. Exit the Task Manager.

4. Scanning for and deleting the infected files

Start your Symantec antivirus program and make sure that it is configured to scan all the files.

For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."

Run a full system scan. If any files are detected as infected with Trojan.Redfall, Trojan.KillAV, or PWSteal.Trojan, click Delete.

5. Reversing the changes made to the registry

CAUTION:

Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions. The reversal of the changes that Trojan.Redfall made is an exacting task that requires great care. Be sure to follow these instructions explicitly. Read them in their entirety and ensure that you understand them before you begin this procedure.

A. Click Start, and then click Run. (The Run dialog box appears.)
B. Type regedit, and then click OK. (The Registry Editor opens.)
C. Navigate to the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries
D. Click on the first subkey. It will be named 000000000001.
E. In the right pane, double-click the name PackedCatalogItem. An "Edit Binary Value" dialog appears.
F. If the text on the right-hand side of this window contains the string "ws2_64.dll" (an example is shown in the picture below), then Trojan.Redfall has changed this value, and therefore it must be restored. Close the dialog by clicking Cancel, and then proceed to the next step. To restore the value, perform steps i - xii.

i. Navigate to the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Winsock
ii. In the right pane, double-click on the name: 1001. A window entitled "Edit String" will appear. An example of the window is shown in the picture below.
iii. Carefully count the number of characters in the string listed. In this example, the string is 31 characters long, but your system may vary. Write this information down, as you will need it in step 9.
iv. Write down the Value data, or highlight and copy it, and then paste it into Notepad for future reference.

Note: You can copy the original Value data, but when it comes time to replace it, you will not be able to paste it in. You will need to type it, so be sure to copy it some place for reference, or write it down exactly as it appears, using proper capitalization.

v. Click Cancel.
vi. Navigate to the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries and click on the subkey 000000000001.
vii. In the right pane, double-click the name PackedCatalogItem. An "Edit Binary Value" dialog appears.
viii. In the Value data box, place the cursor immediately to the left of the first character in the block of text, to the right of the box, as shown in the picture below.
ix. Using the character count from step 3, delete that number of characters from the beginning of the text displayed in the Value data box. The easiest way to do this is to put the cursor at the beginning of the text values, and then hit the Delete key the correct number of times.
x. With the cursor at the beginning of the text area (where it should still be after the previous step), type the value you copied in step 4 exactly as it appeared.
xi. After entering the correct value, scroll to the bottom of the Value data. It should look exactly like the picture below. If it does not, you have deleted or typed in the wrong number of characters. In this case, click Cancel and return to step 1.
xii. If the box appears exactly as shown in the picture below, click OK.

You have now finished restoring the value of one subkey. To complete the removal, you must repeat steps C through F for each subkey under the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries

Note: Each subkey that Trojan.Redfall has changed will have a corresponding value under the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Winsock, where the original data is stored. For example, the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 has the corresponding value 1002 in the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Winsock, and the key:
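Added example, not part of the Symantec write-up: a read-only PowerShell audit that automates the PackedCatalogItem inspection from step F and the Winsock catalog description above, pairing each Catalog_Entries subkey with the saved original that Trojan.Redfall leaves under Winsock2\Winsock (value 1001 for subkey 000000000001, and so on). It assumes PowerShell 3.0 or later run as Administrator, and that the provider DLL path is the NUL-padded ANSI string in the first 260 bytes (MAX_PATH) of the value.

```powershell
# Read-only audit of the Winsock2 protocol catalog (added example, not Symantec's).
# Nothing is written to the registry; flagged entries are restored by hand per steps i - xii.
$catalog  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries'
$backup   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Winsock2\Winsock'   # created by the Trojan
$system32 = Join-Path $env:SystemRoot 'System32'

function Get-PackedProviderPath {
    param([byte[]]$Packed)
    # Assumption: the provider path is ANSI, NUL-terminated, within the first 260 bytes.
    $end = [Array]::IndexOf($Packed, [byte]0)
    if ($end -lt 0 -or $end -gt 260) { $end = [Math]::Min(260, $Packed.Length) }
    return [System.Text.Encoding]::ASCII.GetString($Packed, 0, $end)
}

Get-ChildItem -Path $catalog | ForEach-Object {
    $subkey = $_.PSChildName
    $item   = Get-ItemProperty -Path $_.PSPath -Name PackedCatalogItem -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }

    $path     = Get-PackedProviderPath $item.PackedCatalogItem
    $expanded = [Environment]::ExpandEnvironmentVariables($path)

    # Saved original, if the Trojan stored one: subkey 000000000002 -> value name 1002
    $saved = $null
    $name  = [string](1000 + [int]$subkey)
    if (Test-Path -Path $backup) {
        $saved = (Get-ItemProperty -Path $backup -Name $name -ErrorAction SilentlyContinue).$name
    }

    # Flag an entry when it names the Trojan's DLL, has a saved original,
    # points at a missing file, or loads a provider from outside System32.
    $flag = ($path -match 'ws2_64\.dll') -or
            ($null -ne $saved) -or
            (-not ($expanded -and (Test-Path -LiteralPath $expanded))) -or
            (-not $expanded.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase))

    [pscustomobject]@{
        Subkey      = $subkey
        ProviderDll = $path
        SavedOrig   = $saved
        Suspicious  = $flag
    }
} | Format-Table -AutoSize
```

A clean system shows every provider under System32 with no SavedOrig and no Suspicious rows; compare the ProviderDll column against the character count and value you wrote down in steps iii and iv before editing anything.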

Please credit the original source when reposting: https://www.9cbs.com/read-84719.html