Killing malicious processes

Every program is a set of files. To start a program you run an executable file that loads the whole program or some of its components. When you launch an executable, part of its code is loaded into computer memory. This code carries the process name, which lets the system run the corresponding program. Put simply, every running program is represented by its main process (or task). If that process doesn't exist, the application isn't running at the moment.

Parasites are programs too, and they also have their own processes. However, unlike regular software, their processes start and run without the user's knowledge. You cannot terminate a parasite like a common application by simply quitting it. That is why you have to learn how to kill malicious processes. This guide describes manual process termination methods. They can be applied to all modern Windows operating system versions.

Let's assume you know the name of the process you want to kill. Let's say it is a running SDMonitor process, started by the SDMonitor.exe executable file. Depending on your Windows version, select the appropriate section and follow the instructions to kill the process. (Note that the SDMonitor task was taken only as an example. It is a legitimate program that doesn't need to be killed or removed from the system!)

Windows 95, Windows Me

In Windows 95 and Windows Me a process can be terminated only by using the Close Program utility. This tool isn't powerful enough to show all hidden active tasks, so if you are sure that the process is running but it doesn't appear in the Close Program tool, consider using third-party process managers.

Press CTRL+ALT+DEL to open the Close Program utility. Find the process and select it with your mouse or keyboard. Then click on the End Task button (designated by the red box). This will terminate the task.


Image 1. Kill the task using the Close Program utility

Windows 98

In Windows 98 a process can be killed in two ways:
A. by using standard graphical Close Program tool;
B. from the command line.

The first method is recommended in most situations. However, the Windows 98 Close Program tool is not powerful enough to show all hidden tasks, so if you are sure that the process is active but it doesn't appear in Close Program, try to find and terminate it using the kill and tlist commands. These utilities are included in the Windows 98 Resource Kit, which usually comes on the same CD as the system distribution. To install the Resource Kit, open the Windows installation CD, navigate to the [CD_DRIVE]:\Tools\Reskit folder and run the setup.exe file.

If you do not have the Resource Kit, consider using third-party process managers.

A.
Press CTRL+ALT+DEL to open the Close Program utility. Find the process and select it with your mouse or keyboard. Then click on the End Task button (designated by the red box). This will terminate the task.


Image 2. Kill the task using the Close Program utility

B.
1. Open the MS-DOS Prompt
Press the Start button, select the Programs option and, in the menu that appears, click on the MS-DOS Prompt line.

2. Kill the process
When the MS-DOS Prompt window appears, type the following command in it and press Enter:
kill -f [process_name]
This will terminate the named process.

3. View remaining processes
If you suspect that the process could start again, you can list running tasks with the tlist command. Invoke the command without any switches.

Windows NT4, Windows 2000

In Windows NT4 and Windows 2000 the process can be killed in two ways:
A. by using standard graphical tool Windows (NT) Task Manager;
B. from the command line.

The first method is recommended in most situations. However, sometimes you may be unable to run Windows (NT) Task Manager. Some parasites can disable, corrupt or even delete this tool. In such cases you will need to use the kill and tlist utilities included in the Microsoft Resource Kit. However, few users have it installed, so consider using the free third-party alternatives pslist and pskill developed by Mark Russinovich. The first command lists running processes and the second one kills a given task. These tools can be downloaded from the following official web pages:
pskill: http://www.sysinternals.com/Utilities/PsKill.html
pslist: http://www.sysinternals.com/Utilities/PsList.html

A.
1. Start Windows (NT) Task Manager
Press CTRL+SHIFT+ESC. This will open Windows (NT) Task Manager.

If the key combination didn't work, you can try another way. Press the Start button and select the Run… option. This will start the Run tool. In its Open: field type taskmgr and press the OK button. This will start Windows (NT) Task Manager.


Image 3. Open Windows (NT) Task Manager

2. Find and kill the process
Within Windows (NT) Task Manager click on the Processes tab (it is in the red box). This will bring up the complete list of all active tasks. Find the process by name. Names are in the Image Name column (it is designated by the blue box). Select the task with your mouse or keyboard and click on the End Process button (in the green box). This will kill the process.


Image 4. Terminate the process

B.
1. Open the Command Prompt

Press the Start button and click on the Run option. This will start the Run tool. In its Open: field type cmd and press the OK button.


Image 5. Open the Command Prompt

2. Kill the process
When the Command Prompt window appears, change the current directory to the folder where the pskill and pslist commands are. Let's assume these commands are in the C:\Tools directory. The following command changes the current directory:
cd [directory_name]
Then type this command:
pskill [process_name]
This will terminate the named process.


Image 6. Terminate the process

3. List remaining processes
If you suspect that the process could start again, you can list running tasks with the pslist command. Invoke the command without any switches as shown on Image 7:


Image 7. List active tasks

Windows XP

In Windows XP you can kill the process in two ways:
A. by using standard graphical tool Windows Task Manager;
B. from the command line.
The first method is recommended in most situations. However, sometimes you may be unable to run Windows Task Manager. Some parasites can disable, corrupt or even delete this tool. In such cases you will need to use the Windows XP native command line utilities tasklist and taskkill. The first command lists running processes and the second one kills a given task.

A.
1. Start Windows Task Manager

Use the following key combination: press CTRL+ALT+DEL or CTRL+SHIFT+ESC. This will open Windows Task Manager.

If the key combination didn't work, you can try another way. Press the Start button and click on the Run… option. This will start the Run tool. In its Open: field type taskmgr and press the OK button. This will start Windows Task Manager.


Image 8. Open Windows Task Manager

2. Find and kill the process
Within Windows Task Manager click on the Processes tab (it is in the red box). This will bring up the complete list of all active tasks. Find the process by name. Names are in the first column from the left. Click on the Image Name button (it is designated by the blue box) to sort tasks in alphabetical order. Then scroll the list to find the required process. Select it with your mouse or keyboard and click on the End Process button (in the green box). This will kill the process.


Image 9. Terminate the process

B.
1. Open the Command Prompt

Press the Start button and click on the Run… option. This will start the Run tool. In its Open: field type cmd and press the OK button.


Image 10. Open the Command Prompt

2. Kill the process
When the Command Prompt window appears, type the following command in it as shown on Image 11 and press Enter:
taskkill /F /IM [process_name]
This will terminate the named process.


Image 11. Terminate the process

3. List remaining processes
If you suspect that the process could start again, you can list running tasks with the tasklist command. Invoke the command without any switches as shown on Image 12:


Image 12. List active tasks
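The XP command-line steps above (kill with taskkill, then re-check with tasklist), combined into one batch script as an added example that is not part of the original guide. It assumes an English Windows XP Professional where tasklist and taskkill are present, and uses SDMonitor.exe, the guide's placeholder, only as the sample image name.

```batch
@echo off
rem Constructed example: terminate a process by image name, then verify it is gone.
rem Usage: kill_verify.cmd SDMonitor.exe   (SDMonitor.exe is the guide's placeholder;
rem substitute the image name you actually need to stop)
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<image_name.exe^>
    exit /b 2
)
set "IMG=%~1"

echo [*] Instances of %IMG% before termination:
tasklist /FI "IMAGENAME eq %IMG%" /FO TABLE

rem /F forces termination; /IM selects every process with this image name
taskkill /F /IM "%IMG%"
if errorlevel 1 (
    echo [!] taskkill reported an error. If it said "Access is denied",
    echo     rerun this script from an administrator command prompt, e.g.:
    echo     runas /noprofile /user:%COMPUTERNAME%\Administrator "cmd /k %~f0 %IMG%"
)

rem Give the system a moment (XP has no timeout command; ping is the usual delay idiom),
rem then check whether the image is still present. With no match, tasklist prints
rem "INFO: No tasks are running which match the specified criteria." (assumed English text),
rem which does not contain the image name, so findstr fails and errorlevel becomes 1.
ping -n 2 127.0.0.1 >nul
tasklist /FI "IMAGENAME eq %IMG%" /NH | findstr /I /C:"%IMG%" >nul
if errorlevel 1 (
    echo [+] %IMG% is no longer running.
    exit /b 0
) else (
    echo [!] %IMG% is still running ^(or was restarted^). Verbose listing:
    tasklist /FI "IMAGENAME eq %IMG%" /V
    exit /b 1
)
```

A non-zero exit code after the re-check means something restarted the process, which is the signal to look for a watchdog process or autostart entry rather than simply killing it again.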

If you do not know how to perform the described actions, are not sure why you have to do a certain task, or the guide above is too difficult for you, feel free to try our recommended automatic spyware removers.


  • joe blow

    Ensure you've run cmd under admin privileges.. if not, at least run taskkill under admin privileges…

    i.e…
    runas /noprofile /user:mymachine\administrator taskkill /f /pid 2944

  • afro

    C:\>taskkill /f /pid 2944
    ERROR: The process with PID 2944 could not be terminated.
    Reason: Access is denied.

    How to deal with this kind of process??
    How to get around an Access denied process?