Whether you want to prevent a virus or malware infection, or you suspect your system is already infected, here we will go over some tools and utilities that can be used to prevent malware or to clean your system.

Disclaimer: This is merely for instructional purposes. I am not responsible for any mishaps that may overcome you and your system while executing some of the techniques covered in this tutorial.

Symptoms

Is your system showing signs of an infection? You should ask yourself these questions if you are unsure:

  • Do programs take longer to load?
  • Do popups plague me when surfing the web?
  • Does it seem like the hard drive is doing an awful lot for a simple task?
  • Do programs that once worked give strange error messages?
  • Is there less memory available than before?
  • Is there less space on the hard drive available than before?
  • Do files often become corrupted?
  • Does Windows hang before going to the desktop?
  • Can I access task manager?¹
  • Are there strange processes running?
  • Can I access Run?¹
  • Has my internet browser home page changed?
  • Am I able to access other Windows utilities?¹
  • Can I visit anti-virus websites like www.mcafee.com or www.kaspersky.com?¹
  • Can I access System Restore?¹

If the answer to some of these questions is "yes", the chances that your system is infected with a virus are high. (See below)

¹ If you answered "no" to these questions, the chances that your system is infected with a virus are high.

Note: a "yes" to these questions does not always mean that your system is infected. It may be an insufficient memory problem, another non-viral software problem, or a hardware conflict.

Tools

If you answered "no" to the following questions:

  • Can I access task manager?
  • Can I access Run?
  • Can I access System Restore?
  • Can I visit anti-virus websites like www.mcafee.com or www.kaspersky.com?

Then you more than likely have an infected system, and it should be taken off the network immediately. If you cannot access task manager and you suspect there is a malicious process running that needs to be terminated, there are a few options.

First, the malware needs to be found. This can often be tricky if the malware or virus is hidden in the system32 folder or in hidden folders within Windows.

If you are using Windows Vista or Windows 7, open task manager first and look for any malicious processes (see the first solution below).

To make hidden folders visible, go to Control Panel > Appearance and Personalization > Folder Options, click on the View tab and select the option to show hidden files, folders, and drives.

Task Manager

If you have access to task manager, this is the simplest way to see whether you have any malicious processes. If you do not have access, see the other solutions below.

Open task manager by pressing CTRL+SHIFT+ESC or CTRL+ALT+DELETE. Click on the Processes tab to view the running processes. Look for any processes that seem malicious by checking the amount of CPU and RAM each process is using. Malicious processes are usually not named very intuitively: they generally contain random numbers and letters, or there are several instances of the same process running.

(Screenshot: task manager)

This image shows several instances of the same process running. This is an easy example that shows poorly named processes and the redundancy of the process. Observe the amount of RAM and CPU each instance uses.

If you are using Windows Vista or Windows 7, right click on the process and select Open File Location, then proceed to end any malicious processes. If you are using Windows XP, the malicious or infected file will need to be found manually, which will be covered later on.

To end a process, simply click on the process you wish to end and click on End Process, or right click it and select End Process.

DOS

If you have access to Run/command prompt, but not task manager, this is the option for you. If you do not have access to Run/command prompt, see the other solutions below.

Note: If you are using Windows Vista or Windows 7, launch the command prompt in administrative mode by right clicking on Command Prompt, selecting "Run as administrator" and accepting the UAC prompt.

Killing a process from DOS does not require any special knowledge of DOS, but it does require two main commands: tasklist and taskkill.

Tasklist shows us all services and console processes that are running on the system. We are particularly interested in the console processes. Our command in the command prompt would look like the following:

C:\ > tasklist

We don't need any special switches for this DOS command. Remember that we're looking for console processes. Look for console processes whose names contain random numbers and/or letters. If there are multiple instances of such a process then it might be malicious.

(Screenshot: tasklist)

In this instance, the process called 16af79bhdf.exe is likely to be a malicious process. Let us assume that this malicious code is blocking our access to task manager. We cannot find the source of the process from DOS; we can, however, kill the process and then search for its file manually. There are a few things we should do first:

  1. Write down the process name 16af79bhdf.exe
  2. Document how much RAM the process is using
  3. Document the PID of the Process
  4. Go to your favorite search engine and search for the process in question. Look on websites to see if this process is malicious.

Assuming that the process is indeed malicious, we will now kill the task!

Note: taskkill is a very powerful command and will terminate core system processes without any hesitation. Be sure you have the image name or PID entirely correct before you terminate a process.

In addition to stopping a difficult process, if you regularly use task manager to stop a process that is freezing your system, you may use the taskkill command as an alternative.

For the example provided above, since there are multiple instances of the malicious program and we're assuming that they all need to be terminated, we will use the image name switch, /im. We also want to be sure the process will actually end and we will not get an error message, so we add /f to force termination of the process.

C:\ > taskkill /im 16af79bhdf.exe /f

This line of DOS code will kill the task (process) with the image name 16af79bhdf.exe in a forceful manner. If there are multiple instances of a single process and you know which instances are malicious, there is an alternative: ending the individual processes by PID.

(Screenshot: taskkill)

C:\ > taskkill /pid 2588 /pid 4448 /pid 304 /f

This allows us to select each individual process we wish to end via its Process Identifier (PID). The /pid switch must be repeated for every instance that we wish to kill.

(Screenshot: taskkill)

Windows Powershell

If you do not have access to Run or DOS, there is an alternative method that we can use: Windows Powershell. Windows Powershell is a task-based command-line shell and scripting infrastructure designed for system administration. IT professionals might use Windows Powershell to accomplish everyday tasks.

The beauty of Powershell is that it will also take some DOS commands and execute them exactly as DOS would. If malicious software blocks access to task manager, run, and command prompt, but not Powershell, we can view running processes and kill any malicious processes within Powershell like we could with DOS.

The environment is slightly different and a little bit more colorful. We can enjoy a medium blue background with the same raster-based text of DOS. To view the running processes we can use tasklist and to terminate malicious processes we can use taskkill.

PS C:\ > tasklist

Remember, there are things to do before you kill any processes:

  1. Write down the process name 16af79budf.exe
  2. Document how much RAM the process is using
  3. Document the PID of the Process
  4. Go to your favorite search engine and search for the process in question. Look on websites to see if this process is malicious.

If you find that a process might be malicious, proceed with further instructions to kill the process.

(Screenshot: tasklist)

PS C:\ > taskkill /im 16af79budf.exe /f

This line of DOS code will kill the task (process) with the image name 16af79budf.exe in a forceful manner. If there are multiple instances of a single process and you know which instances are malicious, there is an alternative: ending the individual processes by PID.

(Screenshot: taskkill)

PS C:\ > taskkill /pid 2588 /pid 4448 /pid 304 /f

This allows us to select each individual process we wish to end via its Process Identifier (PID). The /pid switch must be repeated for every instance that we wish to kill.

(Screenshot: taskkill)
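As an added example (not code from the original tutorial), the following PowerShell script carries out checklist steps 1 to 3 from the DOS and Powershell sections for every process that shows the two warning signs described above, a random-looking image name or several instances of one image, and then prints, without running it, the matching taskkill line. It assumes Windows Powershell on Vista/7 or later started with "Run as administrator", uses Get-Process instead of parsing tasklist output (an assumption of this example), and writes its record to a triage CSV on the desktop, a file name chosen here.

```powershell
# Added example, not part of the original tutorial: carry out checklist steps 1-3
# for every process matching the page's two warning signs (random-looking name,
# several instances of one image), then print the taskkill line for review.
# Assumes Windows PowerShell (Vista/7 or later) started with "Run as administrator".
# Get-Process is used here instead of parsing tasklist output; it returns the same
# image name, PID and memory figures plus the executable path where it is readable.

# Heuristic for a "random" image name: 8+ characters, nothing but letters and digits,
# with both letters and digits present. Tune it for the software normally on the machine.
$randomName = '^[a-z0-9]{8,}$'

$suspects = foreach ($g in (Get-Process | Group-Object -Property Name)) {
    $name     = $g.Name                      # Get-Process omits the .exe suffix
    $isRandom = ($name -match $randomName) -and ($name -match '\d') -and ($name -match '[a-z]')
    $multi    = $g.Count -gt 1
    if (-not ($isRandom -or $multi)) { continue }

    # svchost, browsers and some AV engines legitimately run many instances, so
    # "multiple instances" on its own is weak evidence; the name check is stronger.
    $reason = if ($isRandom) { 'random-looking name' } else { 'multiple instances' }
    foreach ($p in $g.Group) {
        # Path is unreadable for protected processes (and for 64-bit processes from a
        # 32-bit shell); record $null rather than abort the whole triage.
        $path = $null
        try { $path = $p.Path } catch { }
        New-Object PSObject -Property @{
            Name      = "$name.exe"
            PID       = $p.Id
            RAM_MB    = [math]::Round($p.WorkingSet64 / 1MB, 1)
            Instances = $g.Count
            Path      = $path
            Reason    = $reason
        }
    }
}

# Steps 1-3: write the record down (here, to the desktop) before terminating anything.
$log = Join-Path $env:USERPROFILE 'Desktop\process-triage.csv'   # assumed file name
$suspects | Select-Object Name, PID, RAM_MB, Instances, Path, Reason |
    Export-Csv -NoTypeInformation -Path $log
$suspects | Format-Table Name, PID, RAM_MB, Instances, Path, Reason -AutoSize

# Step 4 is the web search. The taskkill line is printed, not executed, so the PIDs
# can be checked against the log and the search results before anything is killed.
if ($suspects) {
    $pidArgs = ($suspects | ForEach-Object { "/pid $($_.PID)" }) -join ' '
    "Review the log at $log, then run:  taskkill $pidArgs /f"
}
```

Drop the "multiple instances" rule if it floods the table with svchost.exe and browser tabs; the random-name rule alone reproduces the 16af79budf.exe case from the screenshots.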

Process Hacker

If you have no access to task manager, Run, DOS, or Windows Powershell, there is still hope! There are programs like task manager that can run completely locally. This means that no install is required for the program to run, and it can be stored on a USB drive, SD card, or other hot-swappable portable device. Visit http://processhacker.sourceforge.net/ to download the program.

If you wish for it to run locally, download the binary zip file and save to desktop or other convenient location. If you wish to install the program then click on the download button.

If you're running the program locally, create a new folder called process hacker and put the .zip file inside the folder. Once the .zip file is inside the folder, extract to the same location in which the zip file is located.

(Screenshot: Process Hacker file list)

There will be 10 files, one of which will be called ProcessHacker.exe. Double click on ProcessHacker.exe and the program will launch. Since it's running locally, give it a moment to fully populate the list of processes running on your system. When it's complete it will look like the following:

(Screenshot: Process Hacker)

Process Explorer

Process Explorer is an alternative to Process Hacker if you do not have access to task manager, Run, DOS, or Powershell. Both Process Explorer and Process Hacker have the ability to run locally; however, Process Explorer only runs locally and has no installation .exe available.

Final Thought

Whether you're preventing an infection or dealing with one, Process Hacker and/or Process Explorer are always worth keeping handy. They will help you extinguish malicious software very quickly when your system is infected and you are denied access to task manager. Having a Graphical User Interface (GUI) makes life a lot easier and is definitely more appealing than straight DOS.

(Screenshot: Process Hacker)

Things to consider:

  • If you don't already, get some anti-virus software like Kaspersky, Bitdefender, Norton, McAfee, etc.
  • Consider investing in anti-malware software like Malwarebytes
  • Do not visit shady websites and always have your firewall on
  • Use a popup blocker
  • Filter your webmail with a spam filter
  • Backup your data regularly
  • Enable Parental Controls on a wireless router or by using third-party software such as Net Nanny or Cyber Patrol to prevent children from accidentally infecting a computer with malware.