Before editing, export the Winsock2 key from the Registry Editor so that you can recover from a mistake; every value below is edited by hand, and an off-by-one error breaks networking.

a. Click Start, and then click Run. (The Run dialog box appears.)
b. Type regedit, and then click OK. (The Registry Editor opens.)
c. Navigate to the key:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries
d. Click the first subkey. It will be named 000000000001.
e. In the right pane, double-click the name PackedCatalogItem. An "Edit Binary Value" dialog appears. If the text on the right-hand side of this window contains the string "ws2_64.dll" (an example is shown in the picture below), then Trojan.Redfall has changed this value, and it must be restored: close the dialog by clicking Cancel, and then proceed to step f. If the string is not present, this entry has not been modified; click Cancel and move on to the next subkey (step g).
f. To restore the value, perform steps i through xii. PackedCatalogItem is a fixed-size binary structure whose first field is the path of the Winsock provider DLL. Trojan.Redfall overwrote that path with its own DLL and saved the original path under the Winsock2\Winsock key, so restoring the entry means removing exactly as many characters as you type back in, leaving the rest of the structure in place.
   i. Navigate to the key:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Winsock
   ii. In the right pane, double-click the name 1001.
   iii. A window entitled "Edit String" will appear. An example of the window is shown in the picture below.
   iv. Carefully count the number of characters in the Value data string. In this example, the string is 31 characters long, but your system may vary. Write this number down, as you will need it in step x.
   v. Write down the Value data, or highlight and copy it, and then paste it into Notepad for future reference.
--------------------------------------------------------------------------------
Note: You can copy the original Value data, but the binary editor will not let you paste it back in later. You will need to type the value in by hand, so be sure to copy it somewhere for reference, or write it down exactly as it appears, including capitalization.
--------------------------------------------------------------------------------
   vi. Click Cancel.
   vii. Navigate to the key:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries
      and click the subkey 000000000001.
   viii. In the right pane, double-click the name PackedCatalogItem. An "Edit Binary Value" dialog appears.
   ix. In the Value data box, place the cursor immediately to the left of the first character in the block of text on the right-hand side of the box, as shown in the picture below.
   x. Using the character count from step iv, delete that number of characters from the beginning of the text displayed in the Value data box. The easiest way to do this is to put the cursor at the beginning of the text and press the Delete key the correct number of times.
   xi. With the cursor still at the beginning of the text area (where it should be after the previous step), type the value you copied in step v exactly as it appeared.
   xii. After entering the value, scroll to the bottom of the Value data. It should look exactly like the picture below. If it does not, you have deleted or typed the wrong number of characters: click Cancel and return to step i. If the box appears exactly as shown in the picture below, click OK.
g. You have now finished restoring the value of one subkey. To complete the removal, repeat steps c through f for each remaining subkey under the key:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries
--------------------------------------------------------------------------------
Note: Each subkey that Trojan.Redfall has changed has a corresponding value under the key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Winsock
where the original data is stored. For example, the key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
has the corresponding value 1002 in the key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Winsock
and the key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
has the corresponding value 1003, and so forth.
--------------------------------------------------------------------------------
h. Once you have examined the PackedCatalogItem value of every subkey under:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries
   and restored those values that Trojan.Redfall modified, delete the key the trojan created to hold the originals:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Winsock
i. Exit the Registry Editor.
j. Restart the computer.
After modifying the registry following the steps above and updating Norton's virus definitions to the latest version, I rebooted and found that the virus had been removed.
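The manual procedure above can be scripted so that the check is done consistently for every catalog entry and the restore rewrites the whole path field instead of relying on an exact keystroke count. The following PowerShell script is an added example and is not part of the original removal instructions; it assumes the layout described above (the provider DLL path occupies the first 260 bytes, MAX_PATH, of PackedCatalogItem as a null-padded ANSI string, and subkey 0000000000NN maps to stash value 10NN under Winsock2\Winsock), and the parameter names, function names and the Marker default are this example's own choices. It only reports by default; -Restore rewrites the path field and honours -WhatIf and -Confirm. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original removal instructions.
# Walks every subkey under Catalog_Entries, decodes the provider DLL path held in
# the first 260 bytes (MAX_PATH) of PackedCatalogItem, flags entries that name
# ws2_64.dll, and looks up the original path the trojan stashed under
# Winsock2\Winsock (subkey 000000000001 -> value 1001, 000000000002 -> 1002, ...).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Restore,                # rewrite hijacked entries instead of only reporting
    [string]$Marker = 'ws2_64.dll'   # the string the manual check looks for
)

$catalogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries'
$stashKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Winsock2\Winsock'
$MaxPath    = 260   # assumed size of the ANSI path field at the start of PackedCatalogItem

# Decode the null-padded ANSI path stored in the first $MaxPath bytes of the item.
function Get-ProviderPath([byte[]]$Item) {
    if ($Item.Length -le $MaxPath) { throw "PackedCatalogItem is only $($Item.Length) bytes" }
    $text = [System.Text.Encoding]::ASCII.GetString($Item, 0, $MaxPath)
    return $text.Split([char]0)[0]
}

# Return a copy of the item with the path field replaced. The bytes after the
# field and the total length are unchanged, which is exactly the invariant the
# manual count-and-retype procedure tries to preserve by hand.
function Set-ProviderPath([byte[]]$Item, [string]$Path) {
    if ($Item.Length -le $MaxPath) { throw "PackedCatalogItem is only $($Item.Length) bytes" }
    $pathBytes = [System.Text.Encoding]::ASCII.GetBytes($Path)
    if ($pathBytes.Length -ge $MaxPath) { throw "Path too long for the $MaxPath-byte field: $Path" }
    $field = New-Object byte[] $MaxPath            # zero-filled, so the path is null-padded
    [Array]::Copy($pathBytes, $field, $pathBytes.Length)
    return [byte[]]($field + $Item[$MaxPath..($Item.Length - 1)])
}

foreach ($sub in Get-ChildItem -Path $catalogKey) {
    $item    = (Get-ItemProperty -Path $sub.PSPath -Name PackedCatalogItem).PackedCatalogItem
    $current = Get-ProviderPath $item

    if ($current -notlike "*$Marker*") {
        Write-Output ("{0}: OK        {1}" -f $sub.PSChildName, $current)
        continue
    }

    # 000000000001 -> 1001, 000000000002 -> 1002, and so on (assumed for higher numbers).
    $stashName = (1000 + [int]$sub.PSChildName).ToString()
    $original  = (Get-ItemProperty -Path $stashKey -Name $stashName -ErrorAction SilentlyContinue).$stashName
    if (-not $original) {
        Write-Warning ("{0}: hijacked ({1}) but no original found at {2}\{3}; restore this one by hand" -f
            $sub.PSChildName, $current, $stashKey, $stashName)
        continue
    }

    Write-Output ("{0}: HIJACKED  {1}  -> original {2}" -f $sub.PSChildName, $current, $original)
    if ($Restore -and $PSCmdlet.ShouldProcess("$catalogKey\$($sub.PSChildName)", "restore provider path to $original")) {
        $fixed = Set-ProviderPath $item $original
        Set-ItemProperty -Path $sub.PSPath -Name PackedCatalogItem -Value $fixed -Type Binary
    }
}
```

Run it once without -Restore and compare the reported original paths with what you see in the Winsock2\Winsock values before running it again with -Restore -WhatIf and then -Restore. The script deliberately does not delete the Winsock2\Winsock key or reboot; do those last, as in steps h through j, after every entry reports OK. On Windows XP SP2 and later, `netsh winsock reset` rebuilds the whole catalog from scratch and is the simpler option when the original provider paths are not recoverable.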