ws2_64.dll-caused network access failure (PWSteal.Trojan / Trojan.Redfall)

Source: Internet
Author: User
Tags: virus scan
Symantec's official solution (it is recommended that you print this document and follow it step by step, since the registry repair cannot be done with the network up)

Http://securityresponse.symantec.com/avcenter/venc/data/trojan.redfall.html

Technical details:

When Trojan.Redfall runs, it performs the following actions:

  1. Drops the file:

    %System%\taskmon64.exe

    Note: %System% is a variable. The Trojan locates the System folder and drops the file there. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    This is a malicious program and is detected as Trojan.KillAV.
  2. Drops the file:

    %System%\ws2_64.dll

    This is a malicious program and is detected as PWSteal.Trojan.

  3. Creates the directory:

    C:\Programes\qlwg42

    This directory contains only non-malicious files that are not detected. Delete this directory if you do not want its contents.

  4. Creates the directory:

    C:\Program Files\Common Files\qlwg42

    This directory contains only non-malicious files that are not detected. Delete this directory if you do not want its contents.

  5. Adds two links to the desktop. These point to the following programs:

    C:\Program Files\Common Files\qlwg42\Artmoney.exe
    C:\Program Files\Common Files\qlwg42\PMLoad42.exe

    Delete these links if you do not wish to keep the programs to which they point.

  6. Partially overwrites the PackedCatalogItem values of several of the subkeys under the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\

    The subkeys are named 000000000001, 000000000002, 000000000003, and so forth. Each PackedCatalogItem value begins with the path of the Winsock provider DLL for that catalog entry; the Trojan replaces that path with the path of ws2_64.dll, so Winsock loads the Trojan's DLL into every process that opens a socket.

  7. Creates the subkey:

    Winsock

    in the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\

    and adds a number of values to that subkey. These values contain the data that was overwritten as described above. Do not delete these values before completing the removal instructions below, as you will need them to restore the original values in the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\

    Note that if ws2_64.dll is deleted while the catalog entries still point to it, Winsock cannot load its provider and every application that uses sockets fails (this is the network access failure in the title), so the registry repair in step 5 of the removal instructions is not optional.

Removal Instructions:

The following instructions pertain to all current and recent Symantec Antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. End the Taskmon64.exe process.
  4. Run a full system scan and delete all the files detected as Trojan.Redfall, Trojan.KillAV, and PWSteal.Trojan.
  5. Reverse the changes that Trojan.Redfall made to the registry.
  6. Restart the computer.

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

  • "How to disable or enable Windows Me System Restore"
  • "How to turn off or turn on Windows XP System Restore"

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the articles above.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article "Antivirus tools cannot clean infected files in the _Restore folder," Article ID: Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    When the Intelligent Updater virus definitions are available, read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Ending the Taskmon64.exe process
To end the Trojan process, follow the steps for your version of Windows:

Windows 95/98/Me

  1. Press Ctrl + Alt + Delete once.
  2. Scroll through the list of programs and look for Taskmon64.exe.
  3. If you find the file, click it, and then click End Task.

Windows NT/2000/XP

  1. Press Ctrl + Alt + Delete once.
  2. Click Task Manager.
  3. Click the Processes tab.
  4. Double-click the Image Name column header to alphabetically sort the processes.
  5. Scroll through the list and look for Taskmon64.exe.
  6. If you find the file, click it, and then click End Process.
  7. Exit the Task Manager.

4. Scanning for and deleting the infected files

  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.

    • For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
    • For Symantec AntiVirus enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
  2. Run a full system scan.
  3. If any files are detected as infected with Trojan.Redfall, Trojan.KillAV, or PWSteal.Trojan, click Delete.

5. Reversing the changes made to the registry

CAUTION:

  • Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  • The reversal of the changes that Trojan.Redfall made is an exacting task that requires great care. Be sure to follow these instructions exactly. Read them in their entirety and ensure that you understand them before you begin this procedure.

  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries

  4. Click on the first subkey. It will be named 000000000001.
  5. In the right pane, double-click the name PackedCatalogItem. An "Edit Binary Value" dialog appears. If the text on the right-hand side of this window contains the string "ws2_64.dll" (the original Symantec document shows a screenshot of this), then Trojan.Redfall has changed this value, and it must be restored. Close the dialog by clicking Cancel, and then proceed to the next step. If the string is not present, this entry is intact: skip step 6 and go on to the next subkey.

  6. To restore the value, perform steps 1-12 below.
    1. Navigate to the key:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Winsock

    2. In the right pane, double-click on the name:

      1001

      A window entitled "Edit String" will appear (the original Symantec document shows a screenshot of it).

    3. Carefully count the number of characters in the string listed. In Symantec's example, the string is 31 characters long, but your system may vary. Write this number down, as you will need it in step 9.
    4. Write down the Value data, or highlight and copy it, and then paste it into Notepad for future reference.
      Note: You can copy the original value data, but when it comes time to replace the changed data, you will be unable to paste it into the binary editor. You will need to type the value in by hand, so be sure to copy it somewhere for reference, or write it down exactly as it appears, including capitalization.

    5. Click Cancel.
    6. Navigate to the key:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries

      and click on the subkey 000000000001 (or whichever subkey you are currently restoring).

    7. In the right pane, double-click the name PackedCatalogItem. An "Edit Binary Value" dialog appears.
    8. In the Value data box, place the cursor immediately to the left of the first character in the block of text on the right-hand side of the box.

    9. Using the character count from step 3, delete that number of characters from the beginning of the text displayed in the Value data box. The easiest way to do this is to put the cursor at the beginning of the text, and then press the Delete key the correct number of times. Each character in this pane is one byte of the value, so deleting and retyping the same number of characters keeps the value's total length unchanged; that matters, because the binary structure that follows the path must not shift.
    10. With the cursor at the beginning of the text area (where it should still be after the previous step), type the value you copied in step 4 exactly as it appeared.
    11. After entering the correct value, scroll to the bottom of the Value data. It should look exactly like the original document's screenshot: in practice, the original DLL path followed by a run of dots (null padding), with no leftover fragment of the ws2_64.dll path. If it does not, you have deleted or typed in the wrong number of characters. In this case, click Cancel and return to step 1. If a few characters of the Trojan's path remain after the original (the Trojan's path was longer than the original), overwrite those bytes with 00 in the hex columns rather than deleting them, so that nothing after the path moves. If the box appears as expected, click OK.

    12. You have now finished restoring the value of one subkey. To complete the removal, you must repeat steps 5 and 6 (the check and, where needed, the restore) for each remaining subkey under the key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries

      Note: Each subkey that Trojan.Redfall has changed will have a corresponding value under the key:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Winsock

      where the original data is stored.

      For example, the key:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002

      has the corresponding value 1002 in the key:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Winsock

      and the key:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003

      has the corresponding value 1003, and so forth (the value name is 1000 plus the subkey's number).

  7. Once you have examined the PackedCatalogItem values for each subkey under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries

    and restored those values that Trojan.Redfall modified, delete the key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Winsock

  8. Exit the Registry Editor.
  9. Restart the computer.
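The manual procedure above (check each PackedCatalogItem for ws2_64.dll, then rewrite its leading path from the matching 100N backup value) is easy to get wrong by a single character. The following Python script is an added example, not Symantec's tool and not part of the original document: it performs the same audit and repair on the raw bytes of the values, offline, against constructed sample data. It assumes that the provider-DLL path occupies the first MAX_PATH (260) bytes of each PackedCatalogItem value as a null-padded ANSI string, with the rest of the catalog structure following it (the Winsock 2 catalog layout on Windows 2000/XP), and it rewrites that whole field, so unlike the delete-and-retype step it stays correct when the Trojan's path is longer or shorter than the original and never changes the value's length. The 100N backup-value convention and the subkey names are those described above; the sample paths and the bytes after the path are constructed. On a live system the bytes would be read with winreg.QueryValueEx and written back with winreg.SetValueEx as REG_BINARY, after exporting the key as a backup.

```python
"""Audit and repair Winsock2 PackedCatalogItem values hijacked by Trojan.Redfall.

Added example, not Symantec's code. Operates on the raw REG_BINARY bytes of each
Catalog_Entries\\00000000000N\\PackedCatalogItem value and on the REG_SZ backup
strings (1001, 1002, ...) the Trojan leaves under Winsock2\\Winsock.
"""

# Assumption: the provider DLL path is a null-padded ANSI string in a fixed
# MAX_PATH-byte field at the start of the value; everything after it is opaque.
MAX_PATH = 260
MALICIOUS_DLL = b"ws2_64.dll"


def provider_path(packed_item):
    """Return the provider DLL path: the null-terminated string at the start of the value."""
    field = packed_item[:MAX_PATH]
    end = field.find(b"\x00")
    return field if end < 0 else field[:end]


def is_hijacked(packed_item):
    """True if the path field names the Trojan's DLL (Windows paths are case-insensitive)."""
    return MALICIOUS_DLL.lower() in provider_path(packed_item).lower()


def audit_catalog(entries):
    """Return the subkey names (000000000001, ...) whose PackedCatalogItem is hijacked."""
    return sorted(name for name, item in entries.items() if is_hijacked(item))


def backup_name(subkey):
    """Map Catalog_Entries subkey 00000000000N to the Trojan's backup value name 100N."""
    return str(1000 + int(subkey))


def restore_item(packed_item, original_path):
    """Write the original path back into the fixed-size field, zero-padded.

    This is the regedit step (delete N characters, retype the original) done on
    the whole field, so the total length is unchanged and the structure after
    the path is carried through untouched, whatever the Trojan's path length.
    """
    if len(packed_item) < MAX_PATH:
        raise ValueError("PackedCatalogItem is shorter than the path field")
    raw = original_path.encode("ascii")
    if len(raw) >= MAX_PATH:
        raise ValueError("original path does not fit in the path field")
    repaired = raw.ljust(MAX_PATH, b"\x00") + packed_item[MAX_PATH:]
    assert len(repaired) == len(packed_item)
    return repaired


def repair_catalog(entries, backups):
    """Repair every hijacked entry that has a backup.

    Returns (repaired entries, names of hijacked entries with no backup value).
    Entries without a backup are left as they are: deleting ws2_64.dll while
    such an entry still points at it would break Winsock for every application.
    """
    repaired = dict(entries)
    missing = []
    for name in audit_catalog(entries):
        key = backup_name(name)
        if key not in backups:
            missing.append(name)
            continue
        repaired[name] = restore_item(entries[name], backups[key])
    return repaired, missing


# --- constructed sample data, not taken from a real machine -------------------
def _packed(path, tail):
    return path.ljust(MAX_PATH, b"\x00") + tail


PROTO_INFO = bytes(range(16)) * 4  # stand-in for the structure that follows the path
SAMPLE_ENTRIES = {
    "000000000001": _packed(b"C:\\WINDOWS\\System32\\ws2_64.dll", PROTO_INFO),
    "000000000002": _packed(b"%SystemRoot%\\system32\\rsvpsp.dll", PROTO_INFO),
    "000000000003": _packed(b"C:\\WINDOWS\\System32\\WS2_64.DLL", PROTO_INFO),
}
SAMPLE_BACKUPS = {
    "1001": "%SystemRoot%\\system32\\mswsock.dll",
    "1003": "%SystemRoot%\\system32\\mswsock.dll",
}

if __name__ == "__main__":
    hijacked = audit_catalog(SAMPLE_ENTRIES)
    print("hijacked entries:", hijacked)
    fixed, missing = repair_catalog(SAMPLE_ENTRIES, SAMPLE_BACKUPS)
    for name in hijacked:
        print(name, "->", provider_path(fixed[name]).decode())
    print("no backup for:", missing)
```

Run the audit before deleting ws2_64.dll, and treat a non-empty "no backup" list as a stop condition: those entries have to be restored by hand from a known-good catalog before the DLL is removed.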
