Manually removing the "proxy trojan download server" virus

Source: Internet
Author: User

Keywords: manually clear "proxy trojan download" realplayer.exe
Lab environment: Windows 2000

When I turned on the computer in the morning, I suddenly found that the home page had been changed to http://www.7939.com.
After I changed the home page to a blank page in Internet Options, http://www.7939.com still smiles at me several minutes after IE is opened.
Poisoned.
Open "Task Manager" and, on the "Processes" tab, you will see a suspicious item: realplayer.exe.
RealPlayer is not installed on my computer, so this process must be a virus. After ending the process, go to "Start" --> "Run" and enter "regedit". In the registry branch
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run], the hiding place of realplayer.exe is given as "C:\winnt\System32".
No discussion needed: delete it. Go to the System32 folder and look high and low for this item. Make sure that the "Show all files and folders" option and the "Hide protected operating system files" option have been set in "Folder Options".
Go to "Start" --> "Run", enter "cmd", and run these commands:

rem set "C:\winnt\System32" as the current directory
cd c:\winnt\system32
rem display the attributes of realplayer.exe
attrib realplayer.exe

The fox's tail shows itself:
SH c:\winnt\system32\realplayer.exe
("SH" indicates that the file has the system and hidden attributes.)
Files with the "SH" attributes cannot be deleted using "del". Therefore, you must first remove the "SH" attributes:

rem "-" means remove the attribute
attrib -s -h realplayer.exe
rem display the attributes of realplayer.exe again
attrib realplayer.exe

Dizzy, no effect. The display is still:
SH c:\winnt\system32\realplayer.exe
Time to call in a master: deleting the EXE file requires killbox.

[Software name] Pocket killbox v2.0.0.881
A small tool that can delete arbitrary files on a hard disk. Its main purpose is to clear files that are running and cannot be deleted (such as viruses and Trojans). You do not need to drop to the black DOS interface to clear some virus or trojan files. The software also includes cleanup of system junk files, process management, launching Resource Manager and the registry editor, and viewing system services.
[] Zhufan software station Co., http://www.crsky.com/soft/4640.html.

Enter "C:\winnt\system32\realplayer.exe" under "Full path of file to delete"
(in Windows XP, "C:\windows\system32\realplayer.exe").
Be sure to type the path without mistakes. When the path is correct, a line of small text appears showing the file name.

Remember to select "Delete on reboot" below, or you will not be able to delete this nasty thing.
Then your computer restarts. After the instance is started, the device will be unavailable. In "Internet Options", modify the home page.

It is indeed a virus. Googling it shows that this process has been dealt with elsewhere. Following the instructions from Zhongguancun, run the following commands in cmd:

C:\winnt\system32> attrib brlmon.dll
File not found - brlmon.dll

C:\winnt\system32> attrib ravmon.dll
File not found - ravmon.dll

C:\winnt\system32> attrib rsvtub.dll
SH c:\winnt\system32\rsvtub.dll

Only rsvtub.dll is present.
In Task Manager, run "cmd.exe".
Then run:

C:\winnt\system32> attrib rsvtub.dll -H -S
C:\winnt\system32> del rsvtub.dll

If your computer has the other two files, handle them the same way.
Open "Task Manager" again, select "File" --> "Open", enter "Explorer", and your desktop is back.
The final task is to delete the related items in the registry.
Go to "Start" --> "Run", enter "regedit", expand [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run], and delete the realplayer.exe string value.

Delete the entire branch [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft NT].
Delete the entire branch [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rundown] (I do not have this branch here).
You can also delete these registry entries by using the following registry file. Save the following code as clear.reg and double-click it. (Note that the carriage return at the end of the last line cannot be omitted.)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"realplayer.exe"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft NT]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rundown]

Okay, job done.
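
Before double-clicking a .reg file such as clear.reg above, it helps to list exactly what it will delete. The following is an added example, not part of the original article: a small Python parser that reports every value and key deletion in a .reg file and flags whole-branch deletions that sit close to the hive root. The function names and the depth threshold are assumptions made for this illustration, and the sample input is the cleanup file from the text.

```python
import re

# Sample input: the clear.reg content shown in the article above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"realplayer.exe"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft NT]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rundown]
'''

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                      # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')  # "name"=data or @=data

def planned_changes(reg_text):
    """Return (action, key, value_name) for each change a .reg file makes."""
    changes, key, deleting = [], None, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue                          # blank line or comment
        m = KEY_RE.match(line)
        if m:
            deleting, key = m.group(1) == '-', m.group(2)
            if deleting:                      # leading "-" removes the whole branch
                changes.append(('delete-key', key, None))
            continue
        m = VALUE_RE.match(line)
        if m and key and not deleting:
            name = '(Default)' if m.group(1) == '@' else m.group(1)[1:-1]
            action = 'delete-value' if m.group(2).strip() == '-' else 'set-value'
            changes.append((action, key, name))
    return changes                            # header and hex continuation lines are skipped

def broad_deletes(changes, max_depth=3):
    """Heuristic (assumption): branch deletions within max_depth levels of the
    hive root remove a lot at once and deserve a manual look in regedit."""
    return [k for a, k, _ in changes
            if a == 'delete-key' and len(k.split('\\')) <= max_depth]

if __name__ == '__main__':
    plan = planned_changes(SAMPLE_REG)
    for action, key, name in plan:
        print(action, key, name or '')
    for key in broad_deletes(plan):
        print('REVIEW BEFORE IMPORT:', key)
```

Exporting each listed branch from regedit before importing the file gives a way back if a key turns out to be legitimate.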

 

 

 
