Yesterday I had a nasty run-in with a fake antivirus application. I was trying to remove it and undo the trouble it had caused the user, but I was unable to delete the executables associated with it because they were in use. So I tried to bring up the Task Manager and got an error message that this was not allowed… WTF?

But wait, it got worse… As I was trying to open an alternative task manager I got a blue screen of death…


[Image: Using PsKill to kill tasks from the command line.]

Huh? I was able to Alt-Tab out of the error, seeing as it was just a running program displaying an image…. Sons of bitches! I needed to stop these processes so I could start recovering… So I dropped to a command prompt and ran this command:


taskkill /IM av1010.exe

This will cause the program to terminate gracefully, asking for confirmation if there are unsaved changes. To forcefully kill the same process, add the /F option to the command line. Be careful with the /F option: it will kill all processes with the name you specified without asking for any confirmation.

You can also kill a single instance of a process, which is helpful if there are multiple instances of an application with the same name running. All we need to do is specify its process ID, aka PID.

If your rogue process has a PID of 321, use the following command to kill it:

taskkill /PID 321

Using filters (/FI), a variety of different patterns can be used to specify the processes to kill. For example, the following filter syntax will forcefully kill all processes owned by the user AtA:

taskkill /F /FI "USERNAME eq AtA"

The following table shows the available filters and their use.

Filter Name   Valid Operators         Valid Value(s)
-----------   ---------------         --------------
STATUS        eq ne                   RUNNING | NOT RESPONDING
IMAGENAME     eq ne                   Image name
PID           eq ne gt lt ge le       PID value
SESSION       eq ne gt lt ge le       Session number
CPUTIME       eq ne gt lt ge le       CPU time in the format hh:mm:ss
MEMUSAGE      eq ne gt lt ge le       Memory usage in KB
USERNAME      eq ne                   User name in [domain\]user format
MODULES       eq ne                   DLL name
SERVICES      eq ne                   Service name
WINDOWTITLE   eq ne                   Window title

eq: equals                 ne: not equal
gt: greater than           lt: less than
ge: greater than or equal  le: less than or equal

I was able to kill the processes and delete them. I removed references to them in msconfig and then rebooted. I was able to run Malwarebytes and clean out the rest of the garbage.
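The same kill-then-delete cleanup, written out as an added PowerShell example (not from the original post): it records each instance's PID and on-disk path before force-killing it with taskkill /F /PID, checks that nothing came back, and only then removes the executable. The image name av1010.exe is taken from the post; the log file path is an assumption.

```powershell
# Added example: kill every instance of a suspected rogue image, then delete its binary.
# $ImageName comes from the post; $LogPath is an assumed location for the cleanup record.
param(
    [string]$ImageName = 'av1010.exe',
    [string]$LogPath   = "$env:TEMP\rogue-kill.log"
)

# Win32_Process exposes the executable path and command line, which taskkill alone does not show.
$procs = Get-CimInstance Win32_Process -Filter "Name = '$ImageName'"
if (-not $procs) { Write-Host "No running instance of $ImageName"; return }

foreach ($p in $procs) {
    # Keep a record of where the binary lives so it can be deleted once the handle is released.
    "$(Get-Date -Format o) PID=$($p.ProcessId) Path=$($p.ExecutablePath) Cmd=$($p.CommandLine)" |
        Add-Content -Path $LogPath

    # /F because a rogue process will not honour a graceful close request.
    # /PID (rather than /IM or /T) so only this instance dies, never an unrelated parent.
    taskkill /F /PID $p.ProcessId | Out-Null
}

# Give the system a moment, then confirm the image did not simply restart.
Start-Sleep -Seconds 2
$baseName = [IO.Path]::GetFileNameWithoutExtension($ImageName)
$left = Get-Process -Name $baseName -ErrorAction SilentlyContinue
if ($left) {
    Write-Warning "$ImageName is running again; review autostart entries (msconfig) before retrying."
}
else {
    # Handles are gone, so the executables that were "in use" can now be removed.
    $procs | Select-Object -ExpandProperty ExecutablePath -Unique |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
        ForEach-Object {
            Remove-Item -LiteralPath $_ -Force
            "Deleted $_" | Add-Content -Path $LogPath
        }
}
```

Run it from an elevated PowerShell prompt; the log file gives you the paths to check against the msconfig entries afterwards.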

_TheSpyWareKillinAdmiN_
