Stop Malicious Processes With Your Task Manager

11:06:00 AM |

How to start your Task Manager

To start your Task Manager, press “Ctrl+Alt+Delete” keys simultaneously. You can also right click on the Windows Task Bar and select “Task Manager” option in the pop-up menu. Windows 7 and Vista will invite you to confirm starting this administrative tool, and that's all you need to start Task Manager on your computer.

This simple procedure might get complicated in the network environment since network administrator can block your access to Windows administrative tools, and you will have another chance to see this guy. If your Task Manager doesn't appear on your home computer, then it is blocked by the malicious program that you are trying to remove.


Killing processes with your Task Manager

When the program is started, open Applications tab and make sure that other programs are not running. If you find some, stop it and open Processes tab. At the bottom, find the button “Show the processes for all users” and click it (on Windows XP put check mark in the box with the same name)

























Find malicious processes in the list, right click them, and chose stop process option in a pop-up menu or use the button "End Process". 


How to identify malicious processes 

Look for strange names. Insolent rogues often use arrogant names for malicious files they create. Something like "mybestvirus.exe" is definitely malicious.

Rogues with more practical purpose often use random names that are hard to trace with antivirus software. Something like "LZ185635KXJ580654.exe" is also definitely malicious.

In some cases finding malicious processes might a be tricky task since malware writers often name these processes as a normal ones placing files that the processes belongs to into a different location. On Windows 7 and Vista you can find the file locations by right-clicking a process name. Then you can try to figure out what processes are the duplicates of normal ones. System processes usually belong to files located in system folders, and malicious duplicate files are placed anywhere else.

Be aware of different trick used by criminals. Sometimes, they might place files in system folders and use names that are different from original ones but look very similar. As an example, they might use a digit "1" instead of "l" character, and you need to take a close look to find tricks like that.

Note: Do not become a shooting cowboy killing all the processes that look suspicious to you. Think before you "shoot" since removing important system processes might make your system unstable, and you might need to restart it or even reinstall it in the worst case. If you are in doubt is the process suspicious or not go to processlibrary.com and check it.


How to enable blocked Task Manager

Malicious programs often block Task Manager and other system tools. Unless you got some nasty malware backed up by TDSS rootkit, you can manually unblock your Task Manager. Less advanced malicious programs often use just the same means that a network administrator would use to block users' access to system tools. Follow the instruction placed in my post How to unlock your Task Manager and see if it helps.

If it doesn't help, then this malicious program blocked your Task Manager by placing entries in your Windows system registry. Then you need to edit your system registry and remove the keys that are blocking Task Manager and other system tool needed for the removal. It is likely that your Registry Editor is also blocked by the malicious program, and you need to start this program in a Safe Mode to prevent malicious program from running and blocking your system tools.

Afrer you reboot your system in Safe Mode

Click Start button.

For Windows XP:
Click Run menu option to bring up the command input box, type regedit.exe and hit Enter.

For Windows 7 and Vista:
Type regedit.exe in the "Search programs and files" input field at the bottom and click the link that will appear at the top of the Main menu.

In Registry Editor expand the root keys in a tree all the way down to the System folder, find following keys in the list on the right and remove them.

HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit"= 0

Close Registry Editor and restart your system in normal mode. If you are able to start Task Manager in a normal mode, then you can look for malicious processes and kill them with your Task Manager. Otherwise, it is likely that your activity is monitored by the rootkit and it do not let you to save changes you made in the system registry. The only reliable tool for fighting rootkits installed as system drivers is TDSSKiller from Kaspersky Lab.

Alternative ways of killing malicious processes

Killing malicious processes with taskkill command line utility

Taskkill is one of hidden goodies under the hood of Windows OS. It is a command line tool that can help you in case you know the malicious process name. Then you need to start command prompt box and type taskkill /f /im [malicious process name] - (do not use brackets when typing it down)

Press Enter or click OK button and the process is gone.

Killing malicious processes using RKill

RKill is a utility offered by bleepingcomputer.com that kills all processes ran from files in a user's folder where malicious files are often installed. To use this tool, download it from the site and run. Be aware of a fact that some malicious programs will block RKill, and you might need to somehow rename it before running.