NT/2000/XP: Clearing relaunching spyware processes

Contributed by GauntletWizard, September 11, 2004  
Tagged: Windows spyware

How to use the KILL (NT/2000) or TSKILL (XP) command.


Many spyware programs now come in twos, so that if one is killed the other will restart it. They also set up blocks to prevent other programs such as Spybot or AdAware from launching. In order to remove the infection, you must kill both processes in rapid succession.

On NT and 2000, you first need the NT Resource Kit, available at http://www.microsoft.com/ntworkstation/downloads/Recommended/Featured/NTKit.asp.

Go to Start -> Run and type KILL * (NT/2000) or TSKILL * (XP). This kills all running processes, including the explorer bar. This is useful because many spyware programs cause Explorer to load their components whenever a directory is viewed. From here, you can use AdAware or Spybot at will.
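The paired kill described above, restricted to named processes instead of *, as an added example that is not part of the original recipe: a batch file that kills each target back to back and repeats until none remain. The names in TARGETS are the two mentioned in the comments below and must be replaced with the ones actually running; tasklist is assumed to be available (Windows XP Professional).

```bat
@echo off
rem Added example, not from the original recipe. Uses tskill and tasklist (XP).
rem TARGETS is an assumption: process names without .exe, as tskill expects.
setlocal
set TARGETS=wintoolsa wsup

rem Make up to 5 passes. Each pass kills every target back to back so that
rem neither watchdog has time to relaunch its partner.
for /L %%P in (1,1,5) do (
    for %%T in (%TARGETS%) do tskill %%T >nul 2>&1
    call :any_left
    if not errorlevel 1 goto done
)
echo Some targets keep relaunching; check the names in TARGETS.
goto end

:done
echo All target processes are gone.

:end
rem Cancel a pending shutdown countdown in case one was triggered.
shutdown -a >nul 2>&1
endlocal
goto :eof

:any_left
rem Returns errorlevel 1 if any target is still running, 0 otherwise.
for %%T in (%TARGETS%) do (
    tasklist /FI "IMAGENAME eq %%T.exe" 2>nul | find /I "%%T.exe" >nul
    if not errorlevel 1 exit /b 1
)
exit /b 0
```

Because only the listed names are killed, svchost.exe and other system processes are left running.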

  • davak
    So when I use this in XP:

    tskill *

    It kills everything... and then reboots. I have no way to run anything before the system reloads everything. There has got to be an easy way to kill everything except the nonvitals.

    Do you have an easier way?
  • GauntletWizard
    Hmm.. I've never seen that require a reboot. You can replace the asterisk with a regular expression that matches the process names of the spyware (e.g. tskill w* for wintoolsa and wsup, the wintools daemons). You can also run "tskill *" and then "Shutdown -a" to prevent a shutdown, if you can bring up the task manager fast enough.
  • MickeyMouse
    If you kill an svchost.exe process with CTRL-ALT-DEL, it gives that little countdown and then reboots...

    The blanket tskill * does it as well... I am assuming it is from killing the svchost.exe.

    I can't imagine a system where it wouldn't force a reboot.
  • GauntletWizard
    Well, I tested it out some, and discovered that as an administrator (which you should NEVER run as), you can indeed kill SVCHOST with this util. Most people shouldn't be running as admin. Running the desktop as a normal user account and using runas (hold down "Shift" while right-clicking on an executable or link to executable) should be sufficient for any normal use and even most installations.

    Also, is it possible to edit recipes? I'd like to make a note of this in the main writeup.
  • russellcomputer
    I did the tskill * and the computer wanted to shutdown. I got around it by Ctrl-Alt-Del, clicked on Task Manager -> File -> Run -> shutdown -a.

    It stopped the shutdown and I could then work on the computer some more.
  • davak
    russellcomputer wrote: "I did the tskill * and the computer wanted to shutdown. I got around it by Ctrl-Alt-Del, clicked on Task Manager -> File -> Run -> shutdown -a.

    It stopped the shutdown and I could then work on the computer some more."

    You rock! Love it!