How to kill malicious processes

Typically, antivirus and anti-malware applications kill malicious processes automatically once they detect them. This is the preferred way, as these tools know how to recognize bad processes precisely. However, in some circumstances processes need to be killed before running a scan:

  1. You want to delete malware manually;
  2. Malware processes block removers from running or from updating their database;
  3. You cannot download anti-malware tools;
  4. Anti-malware tools do not yet have the particular version of the parasite in their database and cannot detect it.

It is important to know that this first step stops the symptoms for the current boot only; you will still need to proceed with the removal steps to clean the PC completely.

If you fail to launch SpyHunter or any other program, first try right-clicking it and choosing Run as administrator (on Windows 7 or Vista).

Using safe mode

Most malicious processes are inactive when the PC runs in safe mode with networking. To reach safe mode with networking, do the following:

  1. Reboot;
  2. Press F8 early on (you can press F8 a couple of times);
  3. Choose Safe mode with networking (preferably) or Safe mode from the menu;
  4. On success, you should not see any of the alerts that bother you in normal mode. Continue to the next steps of malware removal.

This will not work if the malicious process is launched through drivers or the master boot record, or (in safe mode with networking) is launched together with a browser. Safe mode might also be disabled.

Killing processes using task manager

The benefit of using Task Manager is that you do not need to download anything. Task Manager is present on all Windows computers, though it might be disabled and it provides little control.

  1. Open Task Manager either by pressing Ctrl+Shift+Esc or by pressing Ctrl+Alt+Del and choosing it from the menu. For the best results, try doing so just after Windows login, while other processes are still loading.
  2. If that fails, go to Start->Run and type taskmgr.
  3. If this fails too, go to C:\Windows\System32, copy taskmgr and rename the copy to 1.scr, 1.com or another random name. Launch that file. You can try right-clicking it and choosing Run as administrator on Windows Vista or Windows 7.
  4. Choose the Processes tab and, optionally, choose to show processes from all users.
  5. Choose the malicious process from the list and right-click it.
  6. Press End process.
  7. Once the malicious processes are stopped, the alerts should disappear and you can continue to the next steps of malware removal.

Sometimes Task Manager is disabled by malware. A workaround is to go to C:\Windows\System32, make a copy of taskmgr.exe and rename it to 1.exe or iexplore.exe. Launch the file.
If you get a message that Task Manager has been disabled by group policy, read this guide on re-enabling Task Manager.

Killing processes using process explorer

Process Explorer provides more information on how the processes were launched. Also, it is not blocked along with Task Manager. If it is blocked from running, try saving it as 1.scr, 1.com or iexplore.exe before launching it.

  1. Download Process Explorer from here: https://download.sysinternals.com/files/ProcessExplorer.zip and unzip it.
  2. Launch Process Explorer (procexp.exe).
  3. Select the malicious process and press DEL.
  4. Once the malicious processes are stopped, the alerts should disappear and you can continue to the next steps of malware removal.

Killing malicious processes using taskkill

Taskkill is a command-line tool available on Windows machines. It works when the malware process name is known, even if Task Manager is disabled.

  1. To use taskkill, go to Start->Run.
  2. Enter taskkill /f /im [malwareprocessname].
  3. Press Enter.

This approach works very well against rogues using the same process names and some Trojans.

Using automated free malware process killers built into anti-malware programs

Some anti-malware program installers, like SpyHunter and Stopzilla, automatically kill all suspected processes during installation. This is an aggressive approach, not so different from Rkill. However, it works really well against some of the rogues that block execution and installation.

Killing malicious processes using RKILL

Rkill is a useful utility by the owner of bleepingcomputer.com. It kills all processes that are executed from the user folder (where much malware resides) and a couple of other locations. It will not stop all malicious processes or remove malware, though. It can be downloaded from http://download.bleepingcomputer.com/grinler/rkill.com.

  1. Download Rkill.
  2. Run Rkill, open the saved log and see which processes were stopped.
  3. Once the malicious processes are stopped, the alerts should disappear and you can continue to the next steps of malware removal.

The downside of this approach is that it might leave processes running from Windows system locations or Program Files, even if they are malicious.
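
The location check described for Rkill can also be done by hand to find the process names and IDs that taskkill needs. The PowerShell below is an added example, not part of the original guide or of Rkill itself; the two folder roots, the $stopThem switch and the Test-UserFolderPath helper are assumptions made for illustration.

```powershell
# Added example (not from the original guide): list running processes whose
# executable sits under a user-profile folder, so they can be reviewed before
# being stopped with taskkill. Run from an elevated PowerShell 3.0+ prompt.

# Assumption: these two roots stand in for "user folder" in the Rkill description.
$userRoots = @(
    "$env:SystemDrive\Users\",
    "$env:SystemDrive\Documents and Settings\"
)

# Hypothetical switch for this example: leave $false to only print commands.
$stopThem = $false

function Test-UserFolderPath {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path)) { return $false }   # path hidden or process exited
    foreach ($root in $userRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$candidates = Get-CimInstance -ClassName Win32_Process |
    Where-Object { Test-UserFolderPath $_.ExecutablePath } |
    ForEach-Object {
        # Signature status helps separate per-user installs of known software
        # from unsigned executables; it is a hint, not a verdict.
        $sig = Get-AuthenticodeSignature -LiteralPath $_.ExecutablePath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Name      = $_.Name
            Path      = $_.ExecutablePath
            Signature = if ($sig) { [string]$sig.Status } else { 'Unknown' }
            Command   = "taskkill /f /pid $($_.ProcessId)"
        }
    }

# Review this list first: browsers, updaters and chat clients often install per user.
$candidates | Sort-Object Signature, Name | Format-List

if ($stopThem) {
    foreach ($p in $candidates) {
        & taskkill.exe /f /pid $p.ProcessId
    }
}
```

Like Rkill, this check does not see malicious processes that run from Windows system locations or Program Files.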

WHAT NEXT?

Successfully stopping the processes makes the alerts, advertisements and some other malware symptoms disappear for the current boot only. After you reboot, the system reverts to the state it was in before the processes were killed, so do not reboot until you have cleaned your PC completely or until another guide explicitly requires it.

If you failed to install and run anti-malware tools before killing the processes, or the tools crashed, now is the perfect time to try again. They might detect processes you missed, too. Do not forget to update them, though! SpyHunter might help identify the files, DLLs and registry entries that you have to remove or modify in the next steps. The infections are not gone; they are just disabled for this boot. If you cannot connect to websites, proceed to this guide on fixing redirections and internet connection problems, but do not reboot in the process.

The next logical step is to unregister malicious DLLs and fix the system startup. This needs to be done before deleting the infected files, as deleting them first might cripple some system functions taken over by malicious parasites.

NOTE

We recommend commenting and asking questions under the particular parasite that troubles you. These instructions are generic; there might be specific tips for a particular form of malware.

57 responses to “How to kill malicious processes”

  1. Asking people to download anti-malware etc. doesn’t work with AntivirusIS. It blocks all attempts to INSTALL & RUN the downloaded software. It also blocks access to the registry & prevents booting up in ‘Safe’ mode, by de-activating the selection of the ‘safe’ mode function. In other words, the folk who wrote the malware are a darned sight more clever than the folks who write all the anti-malware etc. software.
    For example, your advice to download ‘Process Explorer’ is fine, except when you try to install & run it, AntivirusIS prevents it, by telling you that it’s infected !!! It also prevents ‘Task Manager’ from launching.

  2. Mr. I Kelsall
    I recommend reading particular guides related to parasites about specific process stopping techniques. For example, Antivirus IS can be stopped by creating or using another user account (and performing full system scan from it). Also, there are various workarounds how to overcome virus blocking process explorer or task manager.

  3. Hi there, I am trying to do all the tasks shown above but my computer screen goes black showing the thinkpoint screen only. When I go to the task manager and end the process the thinkpoint screen goes away but the computer screen still stays black without access to the Windows OS

  4. I got the same problem.
    I can’t connect to network.
    Then I tried with game booster, then stopped the hotfix.exe application. Then I can run other applications as before being infected. Maybe it can help. And I still can’t delete this malware. Can anybody help me?
    thanks…

  5. Miles: Read the guide about the specific parasite. Though a good bet is to kill processes that are launched from C:\Users\ or C:\Documents and Settings\ and you do not know the programs they belong to. Process Explorer lets you see the launching path. Also, it is a good idea to stop processes that look like a random set of numbers and letters (with the exception of ones that have only 32 or 64 at the end of the name).

  6. I have not paid for internet anti virus 2011 but when I saw the pop up open browsing the internet it showed and asked me a question. I clicked ok but to this day I have not paid for it. The prompts telling me that I need virus protection and that I should buy internet antivirus 2011 pop up more often. I tried deleting it by simply going to the folder and deleting it and then emptying my recycle bin. It said that one file could not be deleted and that I was unauthorized to do so. Then today the ones I deleted were back! I have a 2009 HP using Windows. How do I go about deleting the software without using the steps you wrote? Am I infected? I have a REAL virus scanner that says I do not.

  7. Alese: Scan with Anti-Malware tools instead of your antivirus. See if they identify something. The antiviruses typically miss some of the malware infections, especially new ones.

  8. Sir, my system got affected with windows optimization center. I downloaded spywaredoctor but while installing it spyware is switching off. What to do now…… I want to install xp, can I?

  9. OK, I’m having problems removing this antimalware doctor. I can’t access the internet through safe mode either. I ran malwarebytes but it’s kind of useless when u can’t get an update to fully remove it… I tried the step u had to offer but when I went to task manager none of those files r there to delete. What do I do?? Thank u

  10. But how do I get the internet connection going? I’m sure if I can update malwarebytes or have spyware doctor updates working I can fix the problem. As I try to reset the internet connection the antiware doctor counts down and goes back on the icon I click on. What should I do to get the internet going….

  11. Speaking about malwaredoctor exactly, it is a good idea to run TDSS Killer (preferably in safe mode), which can be downloaded from the Kaspersky page. Typically, Anti-malware Doctor’s internet issues can be attributed to the TDSS rootkit. Another option would be trying to use safe mode with networking.

  12. Is there a particular name for the virus program, cause I can’t find it. Is it related to “windows optimization security”? There weren’t any random programs either, maybe it was “undercover”, who knows. I used Process Explorer and hijackfree but I could not figure it out. Before that I entered safe mode and tried to open taskmgr.exe but all attempts failed. …Guess the only option is format!?

  13. Will a system restore to a setpoint prior to infection remove personal security sentinel?

  14. Bruce: Likely, though likely not completely. System restore might leave trojan downloader or rootkit infections. Only a format or a scan with several tools ensures that the system is clean for real.

  15. Hi, I have something called smart internet protection that has infected my PC. How do I go about removing this, as when I try to use spyware doctor in safe mode, it won’t allow me to launch it?

    Thank you

  16. I can’t even get on the internet to download
    anything to get rid of the Win 7 total security… even in safe mode! What do I do now? PLZ help me!

  17. I recently had a bout with XP Home Security 2011, a trojan virus that I opened up on my desktop out of stupid curiosity. After trying all of the above and about to wipe my drive and reload the operating system, it occurred to me to get into the C files under programs. I found my spyware called Spybot that I was totally unable to use due to this virus, then I found two icons for initiating the program and lo and behold one of them worked and it came on and killed the virus in a few minutes. I have simplified but it was a desperate move and it worked by accident. Try it, it may work for you…

  18. Really bad xp internet security.
    It blocks IE and Firefox, but it does not block Google Chrome. So it is better to have 1

  19. Hi, my computer has been infected with Antivirus Center and I was wondering if it was okay to get rid of it with Spysweeper instead of Spyware Doctor. Spysweeper has detected it, but will it help get rid of it? I do have Malwarebytes. Please help because it’s taking over my system!

  20. Hi, I have downloaded the spyware doctor and have already rebooted the computer in safe mode with networking, but still I cannot launch the doctor spyware . . . plz need help . . . please HELP

  21. xteive: Right-click on the executable and choose Run as administrator on Vista/Windows 7.
    It depends on the particular parasite.

  22. I just did a system restore and set the date to the previous day… hmm, seemed to work

  23. H Rudd: After system restore it is a good idea to scan anyway. Depending on the OS and parasite, system restore does not restore everything 100%, thus infections MIGHT remain.

  24. I located the exe file related to privacy protection and both renamed the file and moved it to the desktop. Once I rebooted the computer the program didn’t start. After that I simply deleted the file. I am sure that the virus isn’t completely gone, but these steps did allow me to retake control of my pc.

  25. I am having a major malfunction with AV Protection 2011. My daughter downloaded it on her desktop and I am having problems removing it. Help please…..

  26. If you see this I know you are panicking now, so I will go direct to the point.
    1. JUST pull out the electric cable and plug it in again, select safe mode and wait until it gets into Windows.
    2. Go to “START” and type in “msconfig”
    3. Inside {system configuration} go to “services” and disable all the applications.
    4. Restart your notebook/PC until it gets into Windows again.
    5. If you find out everything is running smoothly, just go to “start” and type in “msconfig” again.
    6. Inside {system configuration} go to “services” and ENABLE all applications EXCEPT the anti virus program. Then restart again. <======read this again.****
    7. Restart it and it works fine for me.

    (A few days ago one of my friends got this problem and I did the same thing for him, he is using some Chinese 360 anti virus. Today my own notebook is also facing the same problem "after opening an email in hotmail". I also used this method and it works for me)

  27. admin: Mr. I Kelsall, I recommend reading particular guides related to parasites about specific process stopping techniques. For example, Antivirus IS can be stopped by creating or using another user account (and performing full system scan from it). Also, there are various workarounds how to overcome virus blocking process explorer or task manager.

    Awesome posts, very helpful and informative

  28. You’re no different than other sites promising that this will fix your problems but you are just another outlet to sell you crap instead of fixing it.

  29. Help! I accidentally downloaded Windows Advanced Firewall on the computer, my parents are trying to delete all the data on the computer! I tried to show them the website but they got angry. How do I delete this malware? It doesn’t let me on the internet!

  30. This message came up but there was more than one in the list of viruses, and one was admin/ something and two trojans. I don’t know what because I freaked, closed the alert (yes, not too smart) and ran a trend-micro scan. I didn’t download any of the “antivirus” programs but am I infected by the pop-up alone, such as a dormant trojan? Please respond ASAP!

    BTW the trend-micro scan found no trojans nor did I find any of the programs like hotfix and tmb in my %AppData% folder.

  31. Can I download audio drivers? The sound came back on the other day but it’s gone again……

  32. I keep getting a window at startup that says ” unable to access module at c:\users\doug\appdata\local\temp\wgsdgsdgddsgsd.exe”. Is this one of the virus files, and can I find it and delete it? Thanks

  33. Hi. I installed uTorrent and got a toolbar called uControl2 or something like that. After that the linkbucks.com redirect page appeared. So I tried to format c:\ in Windows 7 install DVD and thought that everything would be nice. But after the installation was finished, the linkbucks.com popped up at once I used internet again. I have tried removal in SpyHunter (registered version), but it doesn’t fix the linkbucks.com problem, only a lot of other ones. Help!!!! What should I do?

  34. When I set up the program ” recover my file ” this message appears and the program doesn’t start: ” For security purposes, this program will not run while system debuggers are active. Please remove or disable the system debugger before trying to run this program again.”
    Can u help me to run the program
