NT/2000/XP: Clearing relaunching spyware processes

Contributed by GauntletWizard

September 11, 2004

Tagged: Windows spyware

How to use the KILL (NT/2000) or TSKILL (XP) command.

Many spyware programs now come in twos, so that if one is killed the other will restart it. They also set up blocks to prevent other programs such as Spybot or AdAware from launching. In order to remove the infection, you must kill both processes in rapid sucession.

On NT and 2000, you first need the NT Resource kit, availible at http://www.microsoft.com/ntworkstation/downloads/Recommended/Featured/NTKit.asp.

Go to start->run and type in KILL * (NT/2000) or TSKILL * (XP). This will have the effect of killing all running processes, including the explorer bar. This is useful as many spyware programs cause explorer to load their components when any directories are viewed. From here, you can use AdAware or Spybot at will

Previous recipe | Next recipe |

Viewing 6 Comments

davak 4 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

So when I use this in XP:

tskill *

It kills everything... and then reboots. I have no way to running anything before the system reloads everything. There is got to be an easy way to kill everything except the nonvitals.

Do you have an easier way?

reply edit reblog flag

GauntletWizard 4 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Hmm.. I've never seen that require a reboot. You can replace the asterisk with a regular expression that matches the process names of the spyware (e.g. tskill w* for wintoolsa and wsup, the wintools daemons). You can also run "tskill *" and then "Shutdown -a" to prevent a shutdown, if you can bring up the task manager fast enough.

reply edit reblog flag

MickeyMouse 4 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

If you kill an svchost.exe process with CTRL-ALT-DEL, it gives that little countdown and then reboots...

the blanket tskill * does it as well... I am assuming it is from killing the svchost.exe.

I can't imagine a system that it wouldn't force a reboot.

reply edit reblog flag

GauntletWizard 4 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Well, I tested it out some, and discovered that as an administrator (Which you should NEVER run as), you can indeed kill SVCHOST with this util. Most people shouldn't be running as admin. Running the desktop as a normal user account and using runas (Hold down "Shift" while right clicking on an executable or link to executable) should be sufficent for any normal use and even most installations.

Also, is it possible to edit recipes? I'd like to make a note of this in the main writeup.

reply edit reblog flag

russellcomputer 3 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I did the tskill * and the computer wanted to shutdown. I got around it by Ctrl-Alt-Del, clicked on Task Manager -> File -> Run -> shutdown -a.

It stopped the shutdown and I could then work on the computer some more.

reply edit reblog flag

davak 3 years ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

<ul id="quote"><h6>russellcomputer wrote:</h6>I did the tskill * and the computer wanted to shutdown. I got around it by Ctrl-Alt-Del, clicked on Task Manager -> File -> Run -> shutdown -a.

It stopped the shutdown and I could then work on the computer some more.</ul>

You rock! Love it!

reply edit reblog flag

CATEGORIES