Table of contents.
Introduction
I. Find the process and try terminating it
+ Alternative steps for finding and terminating the process
II. Locate the malicious file and try deleting it
III. Using Pocket KillBox for removal of difficult malware
INTRODUCTION
Processes
Each program is a collection of files. To start the program you launch an executable file that runs the entire program or some of its components.
When you launch an executable, part of its code is loaded into the computer’s memory. This code is the process. It allows the system to run the corresponding program. Put simply, every running program is represented by its main process (or task). If no such process exists, the application is not running at the moment.
Parasites are programs and also have processes. However, unlike regular software, their processes run without the user’s knowledge. You cannot terminate a parasite like a common application by simply closing its window. That’s why you have to learn how to kill malicious processes.
Files
Each program consists of files. Even spyware, a virus or a different parasite - all have their own files. Removing a parasite often means deleting all its files. However, some files cannot be easily erased. You cannot delete the file while it’s used by an active application. Furthermore, some files are "invisible".
Imagine the situation: your anti-spyware program keeps detecting a parasite, and you know where its files reside. You open the corresponding folder, but see nothing in there! The parasite continues performing malicious actions and its files remain in that "empty" directory. How does this happen?
Files can really be "invisible". However, this is not a special property of the files themselves - the operating system simply hides them from you. Such OS behavior can be a result of recent malware activity. Fortunately, there are several ways to make your system display such files, and thus allow you to delete them.
This guide describes manual process termination methods. These methods can be applied to all modern Windows operating system versions. The following instructions also explain how to find a file, make it visible (in case it’s hidden) and completely remove it from the system. This information is also fully applicable to folders (directories).
INSTRUCTIONS
I. Find the process and try terminating it
1. Start Windows Task Manager
Use the following key combination: press CTRL+ALT+DEL or CTRL+SHIFT+ESC. This will open the Windows Task Manager.
If that didn’t work, try another way. Press the Start button and click on the Run… option. This will start the Run tool. Type in taskmgr and press OK. This should start the Windows Task Manager.
Image 1. Start the Task Manager
2. Find and terminate the process
Within the Windows Task Manager click on the Processes tab (it is in the red box). This will bring up the complete list of all active tasks. Find the process by name. Names are in the first column from the left. Click on the Image Name button (it is designated by the blue box) to sort tasks in alphabetical order. Then scroll the list to find the required process. Select it with your mouse or keyboard and click on the End Process button (in the green box). This will kill the process.
Image 2. Terminate the process
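The Task Manager steps above can also be carried out from an elevated PowerShell prompt, which additionally shows where the executable behind the process lives on disk and whether the process comes back after being ended. This is an added example, not part of the original guide; the image name is a placeholder.

```powershell
# Added example. The image name is a placeholder; use the one you identified.
$imageName = 'example_parasite.exe'   # hypothetical name, not from the guide

# Win32_Process carries what the default Task Manager view omits:
# full executable path, command line and parent process ID.
$all   = @(Get-CimInstance -ClassName Win32_Process)
$procs = @($all | Where-Object { $_.Name -eq $imageName })

if ($procs.Count -eq 0) {
    Write-Host "No running process named $imageName"
}

foreach ($p in $procs) {
    $parent = $all | Where-Object { $_.ProcessId -eq $p.ParentProcessId } |
              Select-Object -First 1
    $parentText = 'parent has exited'
    if ($parent) { $parentText = "$($parent.Name) (PID $($parent.ProcessId))" }

    [pscustomobject]@{
        ProcessId   = $p.ProcessId
        Path        = $p.ExecutablePath    # the file that has to be deleted later
        CommandLine = $p.CommandLine
        Parent      = $parentText
    } | Format-List | Out-Host

    # Record hash and signature state before the file is touched.
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $hash = Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256
        $sig  = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        Write-Host "SHA256   : $($hash.Hash)"
        Write-Host "Signature: $($sig.Status)"
    }

    # Same effect as the End Process button; -Confirm prompts for each PID.
    Stop-Process -Id $p.ProcessId -Force -Confirm
}

# A process that is back within seconds is being relaunched by something
# else, which is the case where the guide sends you to Safe Mode.
Start-Sleep -Seconds 5
$back = @(Get-CimInstance -ClassName Win32_Process |
          Where-Object { $_.Name -eq $imageName })
if ($back.Count -gt 0) {
    Write-Warning "$imageName is running again (PID $($back.ProcessId -join ', '))"
}
```

Without elevation, the Path and CommandLine fields may come back empty for processes owned by other accounts.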
+Alternative steps for finding and terminating the process
II. Locate the malicious file and try deleting it
Let’s assume you know the file name or at least a part of it. In that case run the default Windows search tool: Start > Search > For Files and Folders. Type the file name or part of it into the search field. Specify the search location. For better results select "Look in: Local Hard Drives" or "Look in: My Computer". Now start searching. The file should appear in the search results.
Image 6. Search for the file
If you have no idea how to spell a filename, but you know where it can possibly be, then you should try finding this file manually. Most parasites attempt to hide their tracks, so you will have to enable the displaying of hidden and system protected files. Open Windows Explorer. Click on the Tools menu and select Folder Options.
Image 7. Make hidden files visible
Choose the View tab. In the Advanced Settings list find the option Show hidden files and folders (on Image 8 it is designated by the red box) and select it. Then remove the checkmark next to the line Hide protected operating system files (Recommended) (in the blue box).
Image 8. Change view settings
Some files may still be invisible. To see them, launch the Command Prompt. Press the Start button and then select Run. This should open the Run dialog. Type in cmd and press enter or click on the OK button.
Image 9. Open the Command Prompt
Type dir /A name_of_the_folder into the console. This will list all the files that reside in that folder. Hidden files will also be displayed.
Image 10. View folder content
Simply delete the file using the Windows Explorer or any other program that you use to browse the file system. Don’t forget to empty the Recycle Bin. If an error message appears saying that the file is in use and cannot be removed, try terminating the associated process and then delete the file. To do this you will have to open the Windows Task Manager (press CTRL+ALT+DEL or CTRL+SHIFT+ESCAPE). Then in the Processes tab select the corresponding process and click on the End Process button.
However, some processes will start again immediately after you terminate them. In that case you have to reboot your system into Windows Safe Mode (this tutorial article explains how to do this). In this mode many system services are disabled and programs do not run automatically on startup. Practically any file can be easily removed.
The malicious file can also be deleted from the Command Prompt. Open the Command Prompt and navigate to the folder where the harmful file is. To do this issue the following command: cd name_of_the_folder. Then invoke this command: del name_of_the_file. To delete the folder use another command: rmdir /S name_of_the_folder.
Image 11. Delete the folder from the Command Prompt
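The listing and deletion steps above, done from PowerShell instead of the Command Prompt, including the case where the file is still in use. This is an added example, not part of the original guide; the folder and file names are placeholders.

```powershell
# Added example. Both paths are placeholders, not taken from the guide.
$folder = 'C:\ExampleFolder'                         # hypothetical folder
$target = Join-Path $folder 'example_parasite.dll'   # hypothetical file

# -Force is the counterpart of "dir /A": hidden and system items are listed too.
$items = @(Get-ChildItem -LiteralPath $folder -Force)
$items | Select-Object Name, Length, LastWriteTime, Attributes |
    Format-Table -AutoSize | Out-Host

# Items Explorer does not show with its default view settings.
$mask      = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$concealed = @($items | Where-Object { $_.Attributes -band $mask })
Write-Host "$($concealed.Count) hidden or system item(s) in $folder"

if (Test-Path -LiteralPath $target) {
    try {
        # -Force removes hidden, system and read-only files. Plain "del" in
        # cmd skips hidden and system files unless /A is added.
        Remove-Item -LiteralPath $target -Force -ErrorAction Stop
    } catch {
        # Typical cause: the file is still open in a running process.
        Write-Warning "Delete failed: $($_.Exception.Message)"
        Write-Warning 'End the owning process first, or retry in Safe Mode.'
    }
}

# Confirm the result instead of trusting the absence of an error message.
if (Test-Path -LiteralPath $target) {
    Write-Host "$target is still present"
} else {
    Write-Host "$target is gone"
}
```

Remove-Item bypasses the Recycle Bin, so there is nothing to empty afterwards; adding -Recurse removes a whole folder, as rmdir /S does.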
III. Using Pocket KillBox for removal of difficult malware
Sometimes malicious files cannot be deleted normally or even after entering into Safe Mode. Sophisticated parasites use integrated rootkits and special techniques in order to lock their files and prevent them from being deleted. Usually, such files run processes that cannot be terminated by the Task Manager. In such cases specially designed third-party tools should be used. One of them is Pocket KillBox, a tiny, but priceless utility designed for terminating harmful processes, deleting malicious files and folders containing malware.
If the above steps did not help you to delete a parasite file or kill its process, please do the following.
1. Download Pocket KillBox
This tool is absolutely free. You can get it either from the official web site, or from one of the trusted distributor sites such as Bleeping Computer.
There is no need to install the tool. Pocket KillBox comes as a single executable file. Just unpack (if you downloaded Pocket KillBox as an archive) and run the downloaded file. This will launch the utility.
2. Delete the file
Type in the full path of the file you want to delete as shown on Image 12. Make sure that the Standard File Kill option is selected (it is designated by the blue box). Then click on the Delete file button (it is designated by the green box).
Image 12. Delete the file with KillBox
As parasites become more complex and sophisticated, there is always a possibility that even Pocket KillBox or a similar powerful tool may fail to remove certain files. In such a case it is highly recommended to repeat the removal procedure in Windows Safe Mode (this tutorial explains how to restart your system into it).
If the file cannot be deleted in Safe Mode either, repeat the removal once again, but this time select the Delete on Reboot option instead of Standard File Kill. Then restart your computer. Pocket KillBox will attempt to delete the file on the next system startup.
If the process or file is still present, if you do not know how to follow steps above, if you are not sure why you have to do certain tasks, or the above guide is too difficult for you, feel free to try our recommended automatic spyware removers. You can also ask for help in our free spyware removal forum.
March 16th, 2007 at 11:55 pm
Thank you very much for this information. I am computer illiterate. i just know how to chat and surf. our computer is slow, always shut off and when we download yahoo messenger, it says another program is running but we can’t find the file. we downloaded anti virus software but some programs can’t be deleted. it says it’s an adware but then i can’t find the file. funny that we missed to ride on the ufo going to the world of computers. anyhow, thanks and more power to cnet.
April 29th, 2007 at 9:52 am
I find this site so informative, especially to those who’re suffering from maskrider2001.vbs
May 9th, 2007 at 6:17 am
why is printing of text not allowed?
May 25th, 2007 at 9:58 am
Huh………brave sentry makes me sick!!!!!!!!!!
May 28th, 2007 at 4:00 pm
This seems to work only if you know the location of the problem
June 12th, 2007 at 12:33 am
hi,
i have a problem with backwork. I deleted the program backwork and its file a long time ago. The problem is that a process keeps coming on that looks for the file and it’s driving me crazy, taking up so many computer resources on my windows 98 system. i don’t know where the file is that’s doing this. what do you suggest?
thanx.
June 16th, 2007 at 11:25 pm
i found spybot worked well for most of it, my avg picked up on it right away but i’m not sure how much it caught (being a free anti virus and all) and next up is my adware finds all those hkey files, i haven’t tried spyware doctor yet that’s the next step.
June 17th, 2007 at 12:01 am
other than the fact the spyware doctor costs money, i love the program
solved all my problems in only minutes, Highly recommend it. And thank you to this website for helping me find my way through this horrible virus.