MDM. EXE killing and Handling Methods

 
For example, an MDM is added to the root directory of my C drive WINDOWS. EXE file, which is automatically generated after each deletion and generates a process named SVCHOST. Since the process is in progress, all my folders are invisible, even if you select "show all files and folders" in the settings, turning off "Hide protected system files" is useless. what's going on?

I fell victim to this virus yesterday! Finally, the problem is solved (not formatting the hard disk, of course)

After the virus is detected, two files are generated under the root directory of each partition: autorun. inf and ravmon.exe (this file is relatively large) and the property is hidden. In c: Windows, mdm.exe, svchost.exe, and svchost are generated. ini, (some c: windowssystem32 will generate a skvp. sys File) at the same time, it will add auto-start and addition System Service in the startup Item to achieve self-start. write at least three key values in the registry!

At this time, your computer may be "show all file options" invalid (my computer is like this). Now let's talk about how to clear it:

First, end the process svchost.exe (you must end the process SVCHOST. EXE first. If it is not completed, the key value in the registry or the key value in the startup item will be automatically restored in less than one minute ). Then you can enter the command prompt ("program"> "attachment"> "command prompt" in the "Start" menu), and then run the following command

Cd c: windows

Then attrib c: windowssvchost.exe-r-h-a-s and del c: windowssvchost.exe/f/q/a/s

Then attrib c: windowssvhost. ini-r-h-a-s and del c: windowssvchost. ini/f/q/a/s

Then attrib c: windowsmdm.exe-r-h-a-s

Then del c: windowsmdm.exe/f/q/a/s is returned to the root directory cd and attrib c: autorun. inf-r-h-a-s

Then del c: autorun. inf/f/q/a/s, attrib c: avmon.exe-r-h-a-s

Then del c: avmon.exe/f/q/a/s

After the preceding operations, you can use the same method to restore the autorun. inf of other partitions and delete them!

Here I will provide the location of the Registry. You can refer to it for reference:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellNoRoamMUICacheSVCHOST whose key value is "c: windowssvchost.exe or c: windowsmdm.exe"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftShared ToolsMSConfigstartupregSVCHOST. The key value of HKEY_LOCAL_MACHINESOFTWAREMicrosoftShared ToolsMSConfigstartupregSVCHOST will be "c: windowssvchost.exe"

The key value of HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun is "c: windowssvchost.exe or c: windowsmdm.exe ",

After performing the preceding operations, you can search for the problem again.