Tech news, tips, tricks & tutorials

  • Killing malicious processes and removing harmful files


    Processes
    Each program is a collection of files. To start the program you launch an executable file that runs the entire program or some of its components.
    When you launch an executable, part of its code is loaded into the computer’s memory. This code is the process. It allows the system to run the corresponding program. Simply put, every running program is represented by its main process (or task). If no such process exists, the application is not running at the moment.
    Parasites are programs too, so they also have processes. However, unlike regular software, their processes run without the user’s knowledge. You cannot terminate a parasite like an ordinary application by simply closing its window. That’s why you have to learn how to kill malicious processes.
    Files
    Each program consists of files. Spyware, a virus or any other parasite all have their own files. Removing a parasite often means deleting all its files. However, some files cannot be easily erased: you cannot delete a file while it is in use by an active application. Furthermore, some files are "invisible".
    Imagine the situation: your anti-spyware program keeps detecting a parasite, and you know where its files reside. You open the corresponding folder, but see nothing there! The parasite continues performing malicious actions and its files remain in that "empty" directory. How does this happen?
    Files can really be "invisible". However, this is not an exceptional feature of the files themselves: the operating system simply hides them from you. Such OS behavior can be a result of recent malware activity. Fortunately, there are several ways to make your system display such files and thus allow you to delete them.
    This guide describes manual process termination methods. These methods apply to all modern Windows versions. The following instructions also explain how to find a file, make it visible (in case it is hidden) and completely remove it from the system. This information is fully applicable to folders (directories) as well.

    INSTRUCTIONS

    I. FIND THE PROCESS AND TRY TERMINATING IT

    1. Start Windows Task Manager
    Use the following key combination: press CTRL+ALT+DEL or CTRL+SHIFT+ESC. This will open the Windows Task Manager.
    If that didn’t work, try another way. Press the Start button and click on the Run… option. This will start the Run tool. Type in taskmgr and press OK. This should start the Windows Task Manager.

    Image 1. Start the Task Manager
    2. Find and terminate the process
    Within the Windows Task Manager click on the Processes tab (it is in the red box). This will bring up the complete list of all active tasks. Find the process by name. Names are in the first column from the left. Click on the Image Name button (it is designated by the blue box) to sort tasks in alphabetical order. Then scroll the list to find the required process. Select it with your mouse or keyboard and click on the End Process button (in the green box). This will kill the process.

    Image 2. Terminate the process

    II. LOCATE THE MALICIOUS FILE AND TRY DELETING IT

    Let’s assume you know the file name or at least a part of it. In that case run the default Windows search tool: Start > Search > For Files and Folders. Type the file name or part of it into the search field. Specify the search location. For better results select "Look in: Local Hard Drives" or "Look in: My Computer". Now start searching. The file should appear in the search results.

    Image 6. Search for the file
    If you have no idea how a filename is spelled, but you know where it could possibly be, then you should try finding the file manually. Most parasites attempt to hide their tracks, so you will have to enable the display of hidden and protected system files. Open Windows Explorer. Click on the Tools menu and select Folder Options.

    Image 7. Make hidden files visible
    Choose the View tab. In the Advanced Settings list find the option Show hidden files and folders (on Image 8 it is designated by the red box) and select it. Then clear the checkmark next to the line Hide protected operating system files (Recommended) (in the blue box).

    Image 8. Change view settings
    Some files may still be invisible. To see them, launch the Command Prompt. Press the Start button and then select Run. This should open the Run dialog. Type in cmd and press enter or click on the OK button.

    Image 9. Open the Command Prompt
    Type dir /A name_of_the_folder into the console. This will list all the files that reside in that folder. Hidden files will also be displayed.

    Image 10. View folder content
    Simply delete the file using Windows Explorer or any other program that you use to browse the file system. Don’t forget to empty the Recycle Bin. If an error message appears saying that the file is in use and cannot be removed, try terminating the associated process and then delete the file. To do this you will have to open the Windows Task Manager (press CTRL+ALT+DEL or CTRL+SHIFT+ESC). Then in the Processes tab select the corresponding process and click on the End Process button.
    However, some processes will start again immediately after you terminate them. In that case you have to reboot your system into Windows Safe Mode (this tutorial article explains how to do this). In this mode many system services are disabled and programs do not run automatically on startup. Practically any file can then be easily removed.
    The malicious file can also be deleted from the Command Prompt. Open the Command Prompt and navigate to the folder where the harmful file is. To do this issue the following command: cd name_of_the_folder. Then invoke this command: del name_of_the_file. To delete the folder use another command: rmdir /S name_of_the_folder.

    Image 11. Delete the folder from the Command Prompt
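    The steps of sections I and II (end the process, list the folder including hidden files, then delete) can be done in one PowerShell script. This is an added example, not code from the original article; the file path is a constructed placeholder, and the process is matched on its full image path rather than on its name so that a legitimate program with a similar name is not terminated by mistake.

```powershell
# Added example (not from the original article): given a suspect file path,
# terminate any process running from it, clear hidden/system attributes
# and delete the file. The default path is a constructed placeholder.
param(
    [string]$SuspectFile = 'C:\Example\suspect.exe'   # placeholder, constructed
)

# Section I equivalent of Task Manager > Processes > End Process.
# Matching on the full path avoids killing a legitimate process that
# merely shares the malicious file's name.
$running = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $SuspectFile) }
foreach ($p in $running) {
    Write-Host "Terminating PID $($p.Id) ($($p.ProcessName)) running from $($p.Path)"
    Stop-Process -Id $p.Id -Force
}

# Section II equivalent of 'dir /A': -Force lists hidden and system files too,
# which is how the "empty" folder described above reveals its contents.
$folder = Split-Path -Parent $SuspectFile
Get-ChildItem -LiteralPath $folder -Force |
    Format-Table Name, Attributes, Length, LastWriteTime -AutoSize

# Clear Hidden/System/ReadOnly attributes, then delete. -Force on Remove-Item
# handles hidden and read-only files; a file still locked by a process will
# still fail, which is the cue to retry from Safe Mode as the article explains.
$item = Get-Item -LiteralPath $SuspectFile -Force -ErrorAction Stop
$item.Attributes = 'Normal'
try {
    Remove-Item -LiteralPath $SuspectFile -Force -ErrorAction Stop
    Write-Host "Deleted $($SuspectFile)"
} catch {
    Write-Warning "Could not delete $($SuspectFile): $($_.Exception.Message)"
    Write-Warning "The file may still be locked; reboot into Safe Mode and retry."
}
```

    Run it from an elevated PowerShell prompt; processes owned by other users or the system cannot be inspected or stopped from a non-administrator session.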

    III. USING POCKET KILLBOX FOR REMOVAL OF DIFFICULT MALWARE

    Sometimes malicious files cannot be deleted normally or even after entering Safe Mode. Sophisticated parasites use integrated rootkits and special techniques to lock their files and prevent them from being deleted. Usually, such files run processes that cannot be terminated by the Task Manager. In such cases specially designed third-party tools should be used. One of them is Pocket KillBox, a tiny but priceless utility designed for terminating harmful processes and deleting malicious files and folders containing malware.
    If the above steps did not help you to delete a parasite file or kill its process, please do the following.
    1. Download Pocket KillBox
    This tool is absolutely free. You can get it either from the official web site, or from one of the trusted distributor sites such as Bleeping Computer.
    There is no need to install the tool. Pocket KillBox comes as a single executable file. Just unpack (if you downloaded Pocket KillBox as an archive) and run the downloaded file. This will launch the utility.
    2. Delete the file
    Type in the full path of the file you want to delete as shown on Image 12. Make sure that the Standard File Kill option is selected (it is designated by the blue box). Then click on the Delete file button (it is designated by the green box).

    Image 12. Delete the file with KillBox



    Warning: Killing system processes or deleting system files may damage your operating system, so please follow the instructions with due care.

