

How to end a virus process which disguise as critical system process in taskmanager?

  • Friday Dec 18,2009 04:51 PM
  • By diddy
  • In Others

For example: that process is a virus, and when I tried to end the process, it says that it is a critical system process. How can I end that process?
I am using Windows SP2. The path c:\windows\system32\services.exe is there. I tried to remove the virus entry in startup using CCleaner, but it's not working. Also I can't access msconfig.exe. So how can I end the process?
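A way to tell the impostor from the real services.exe, as an added example that is not part of the question or the replies: the genuine services.exe lives in %SystemRoot%\system32, is started by winlogon.exe on Windows XP, and exists exactly once, so a second services.exe from a temp folder, or a lookalike name such as svchast.exe or svohost.exe, fails one of those checks. The script audits a process snapshot (pid, image name, image path, parent pid) of the kind exported by Process Explorer or `wmic process get ProcessId,Name,ExecutablePath,ParentProcessId`, so it runs offline. The snapshot, its pids and the temp path are constructed for the example; the expected parents are XP-era assumptions (Vista and later start services.exe from wininit.exe).

```python
"""Tell a masquerading services.exe from the real one.

Added example, not code from the original thread. Audits a process snapshot
(pid, image name, image path, parent pid) such as one exported from Process
Explorer or `wmic process get ProcessId,Name,ExecutablePath,ParentProcessId`,
so it needs no Windows API. Expected parents are Windows XP era assumptions.
"""
from typing import Dict, List, Tuple

SYSTEM32 = r"c:\windows\system32"

# Core processes that must run from System32, and the parent each one should
# have on Windows XP (assumption for this example; Vista+ differs).
CORE = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"winlogon.exe"},
    "lsass.exe": {"winlogon.exe"},
    "svchost.exe": {"services.exe"},
}
# Of these, a healthy system has exactly one instance.
SINGLETONS = ("services.exe", "lsass.exe", "winlogon.exe")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot names like svchast.exe / svohost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str) -> str:
    """Return the core process name this name imitates (1-2 edits away), else ''."""
    for core in CORE:
        if name != core and edit_distance(name, core) <= 2:
            return core
    return ""


def audit(procs: List[Dict]) -> List[Tuple[int, str, str]]:
    """Return (pid, name, reason) for every suspicious entry in the snapshot."""
    by_pid = {p["pid"]: p for p in procs}
    findings: List[Tuple[int, str, str]] = []
    seen: Dict[str, int] = {}
    for p in procs:
        name = p["name"].lower()
        path = p["path"].lower()
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "system"
        if name in CORE:
            seen[name] = seen.get(name, 0) + 1
            if not path.startswith(SYSTEM32 + "\\"):
                findings.append((p["pid"], name, f"runs from {p['path']}, not {SYSTEM32}"))
            elif parent_name not in CORE[name]:
                findings.append((p["pid"], name, f"unexpected parent {parent_name}"))
        else:
            target = lookalike(name)
            if target:
                findings.append((p["pid"], name, f"name imitates {target}"))
    for name in SINGLETONS:
        if seen.get(name, 0) > 1:
            findings.append((0, name, f"{seen[name]} instances, expected exactly 1"))
    return findings


# Constructed snapshot: a clean XP process tree plus the pattern the thread
# describes (a second services.exe from a temp folder and lookalike children).
# Pids and the temp path are made up for the example.
SNAPSHOT = [
    {"pid": 4, "ppid": 0, "name": "System", "path": ""},
    {"pid": 500, "ppid": 4, "name": "smss.exe", "path": r"C:\WINDOWS\system32\smss.exe"},
    {"pid": 560, "ppid": 500, "name": "csrss.exe", "path": r"C:\WINDOWS\system32\csrss.exe"},
    {"pid": 580, "ppid": 500, "name": "winlogon.exe", "path": r"C:\WINDOWS\system32\winlogon.exe"},
    {"pid": 624, "ppid": 580, "name": "services.exe", "path": r"C:\WINDOWS\system32\services.exe"},
    {"pid": 636, "ppid": 580, "name": "lsass.exe", "path": r"C:\WINDOWS\system32\lsass.exe"},
    {"pid": 800, "ppid": 624, "name": "svchost.exe", "path": r"C:\WINDOWS\system32\svchost.exe"},
    {"pid": 1200, "ppid": 1100, "name": "explorer.exe", "path": r"C:\WINDOWS\explorer.exe"},
    {"pid": 1680, "ppid": 1200, "name": "services.exe",
     "path": r"C:\Documents and Settings\user\Local Settings\Temp\services.exe"},
    {"pid": 1700, "ppid": 1680, "name": "svchast.exe", "path": r"C:\WINDOWS\svchast.exe"},
    {"pid": 1720, "ppid": 1680, "name": "svohost.exe", "path": r"C:\WINDOWS\svohost.exe"},
]

if __name__ == "__main__":
    for pid, name, reason in audit(SNAPSHOT):
        print(f"{pid:>5}  {name:<14} {reason}")
```

Once the impostor's pid is known, end that entry by pid with a tool such as Process Explorer rather than by name, since the name is the one thing it shares with the real process. The name heuristic gives leads, not verdicts: XP's own msmsgs.exe (Windows Messenger) is two edits from smss.exe and would be flagged, so confirm every hit against the image path and parent.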




3 Comments

  • Mr Mrs says:

    antivirus tips and antivirus download:
    http://best-computer-antivirus.cn

  • Austin Semiconductor says:

    The first thing I would try is to run MalwareBytes, which can fix most problems.
    To regain control, you may need to download RKILL.com and FIXTM.reg to your desktop first, to kill off rogue processes and regain access to your Task Manager so you can run programs again (or optionally burn them to CD or jump drive on a working PC).
    I would also like to note, as a service to other users, that you can manually restore your registry even when Windows won't start in regular or safe mode. Most users give up and reformat unnecessarily when the solution is on their hard drive.

    You may have difficulty accessing the internet or running most files. I will walk through several workarounds.

    But please be specific: what exactly is the symptom? Does it say Antivirus Live has detected…, or Windows Police Pro, or any other symptom?
    Usually the Task Manager is hijacked, so you can't run anything, and the internet is switched to a proxy.

    - - - -
    Get to Safe mode if you can:

    Power off, then power on and hit the F8 key several times until the boot options menu appears. Select Safe mode with networking. Windows will take longer to boot than usual, but hopefully you can get it working, and download MalwareBytes, and follow the instructions below to run it.

    In case your problem is Antivirus Live, here are the directions for removal. I have also added the link if it is Windows Police Pro. Either way, run these two files, then MalwareBytes.

    RKILL.com and FIXTM.reg can solve your problems by killing off offending tasks, so you can regain control of your computer and download MalwareBytes to remove the problem. You may also need to fix the Internet connection, by removing the proxy some viruses enable, to restore your internet.

    These two files can fix your problem even if it is not Antivirus Live/Windows Police Pro.

    ANTIVIRUS LIVE removal:
    See the attached ANTIVIRUS LIVE removal guide link.

    Fixing the machine:
    If you want to try to fix the broken machine by itself (without the CD listed above), then you need to fix the Internet connection used by Internet Explorer. If you happen to have installed another browser that is working, that can save you some time by skipping the proxy fix steps.

    Internet Explorer:
    The infection changes your server to a proxy server.
    Open Internet Explorer; on the menu select TOOLS, INTERNET OPTIONS, CONNECTIONS, LAN SETTINGS.
    UNCHECK USE A PROXY SERVER FOR YOUR LAN.
    APPLY, OK.

    NEXT, you must end the process for AntiVirus Live.
    DOWNLOAD RKILL.COM to your desktop.

    (See the attached link for RKILL.)

    Download FIXTM.reg to your desktop.

    If you are unable to connect, re-check that the proxy is unchecked.

    Now, click on the rkill.com icon on your desktop.
    This will open a command window as the process runs.
    This may take some time, so be patient.
    Ignore any message stating that RKILL is a virus.

    If RKILL is closed by the bad antivirus program, leave the warning on the screen (don't close it), and run RKILL again from the desktop icon.

    Or, if your Task Manager is hijacked, run FIXTM.REG.
    "Do you want to merge data to your registry?" Select YES.
    Now you should have control of your Task Manager so you can kill off the processes described later.

    Do not reboot your computer.

    After RKILL or FIXTM.REG has finished, you should be able to download MalwareBytes. (If you have Windows Police Pro, see the additional instructions lower down to kill off the Windows Police Pro processes: Windows Police Pro.exe, svchast.exe, svchasts.exe, or svohost.exe, but not svchost.exe.)
    (See the attached MalwareBytes link from download.com.)
    Save it to your desktop (mbam-setup.exe).
    Follow the prompts; don't change any default settings.
    Keep both checkboxes checked for UPDATE MALWAREBYTES ANTI-MALWARE and LAUNCH MALWAREBYTES ANTI-MALWARE.
    FINISH.
    If prompted to reboot, DO NOT REBOOT.

    MalwareBytes should start, and indicate that you should update, click OK, and it should update automatically.

    Select PERFORM FULL SCAN, SCAN.
    This can take a long time ( maybe an hour or more).

    When it is done, it will pop up THE SCAN COMPLETED SUCCESSFULLY, OK.
    CLICK on SHOW RESULTS.
    click REMOVE SELECTED.

    It should then open a scan log file.
    It will need to reboot to remove the remaining infections, so follow the prompts to reboot, exiting MalwareBytes.

    If MalwareBytes finds some problems but closes before finishing, then rerun it, stop it part way through, and remove what it found; then restart it to find more, remove them, and restart it. In that way you can get it to finish properly. Just don't reboot until it can make it all the way through.

    - - -
    If you have Windows Police Pro, after RKILL has finished, do not reboot; you need to start the Task Manager and stop the processes Windows Police Pro.exe, svchast.exe, svchasts.exe, or svohost.exe (but not svchost.exe).

    Right-click on the time icon in the lower right of your screen and select Task Manager. Click the Processes tab.
    Click (check) Show processes from all users.
    Click Windows Police Pro.exe, then click End Process.
    Click svchast.exe, then click End Process.
    Click svchasts.exe, then click End Process.
    Click svohost.exe, then click End Process.

    Do not end svchost.exe.
    Now return back up to after RKILL has finished, download MalwareBytes, and follow those instructions carefully until MalwareBytes runs to the end without finding any problems.

    Please be specific in updating your question with the exact symptom so we can help you better.

    - - - - -
    Registry restore even when Windows won't start:
    I will list this option, as it may help some people with registry problems.
    Viruses often invade the registry and restore points, so restoring without removing the infection often doesn't help.

    If Windows is working, or working in Safe Mode:
    System Restore: Start, All Programs, Accessories, System Tools, System Restore. Select Restore my computer to an earlier time, select a highlighted date from the displayed calendar that is a few days before the registry problem occurred, and follow the prompts to reboot.
    Sometimes after a virus infection, none of the restore points are listed. This is because the registry was altered by the virus to not point to the correct restore directories. Contact me if you have that problem.

    In order to restore your registry, you usually need to be able to start Windows in order to run the registry restore tool.
    But you can restore the registry manually even if Windows won't start.
    There are two methods. One is to use the Windows startup disk and use the Repair option, which will get you to a command prompt. Due to security settings, you can't just access and copy the files, as the directories are superhidden.
    I attached the procedure provided by Microsoft in one of the last links; it is convoluted and requires patience, and some PC ability to work with command prompts etc.
    The second method also requires a special boot disk, which you can create by using UBCD4WIN to create your own boot disk from your system disks. With this disk, you can then easily boot and navigate superhidden directories and copy the necessary files from their backups.
    Please contact me for further assistance with manually restoring your registry even when Windows is kaput.

    May the force be with you . . .
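The two hijacks the reply above undoes by hand, the forced Internet Explorer proxy (Tools, Internet Options, Connections, LAN Settings) and the blocked Task Manager (FIXTM.reg), are two registry keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyEnable, ProxyServer) and HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System (DisableTaskMgr, and often DisableRegistryTools). The script below is an added example, neither the reply's code nor the contents of FIXTM.reg: it reads an export of those keys (regedit's Export, or `reg export`), reports which hijack values are set, and writes a .reg that reverts only those. The export at the bottom, including its proxy address, is constructed for the example, and the parser assumes one value per line (continued `hex:` data is kept as written).

```python
"""Report the registry hijacks behind a blocked Task Manager and a forced IE proxy.

Added example, not code from the thread or from the FIXTM.reg it mentions. It
parses a registry export (.reg text as written by regedit's Export or
`reg export`), lists the hijack values that are set, and builds a .reg that
reverts only those. Key and value names are the standard Windows ones; the
export at the bottom, including its proxy address, is constructed for the
example. Assumption: one value per line (continued hex: lines are kept raw).
"""
import re
from typing import Dict, List, Tuple

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
INET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Values that mean trouble when set to 1. ProxyEnable=1 is reported together
# with the ProxyServer address it points the browser at.
INDICATORS = [
    (POLICIES, "DisableTaskMgr", "Task Manager blocked by policy"),
    (POLICIES, "DisableRegistryTools", "regedit blocked by policy"),
    (INET, "ProxyEnable", "Internet Explorer forced through a proxy"),
]

Hit = Tuple[str, str, object, str]  # (key, value name, value, description)


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg text into {key (lower-cased): {value name (lower-cased): value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)+)"=(.+)$', line)
        if m is None or current is None:
            continue
        name, raw_val = m.group(1), m.group(2)
        if raw_val.startswith("dword:"):
            value: object = int(raw_val[6:], 16)
        elif len(raw_val) >= 2 and raw_val[0] == '"' and raw_val[-1] == '"':
            value = re.sub(r"\\(.)", r"\1", raw_val[1:-1])  # undo \" and \\ escapes
        else:
            value = raw_val  # hex:, hex(2): etc. kept as written
        keys[current][name.lower()] = value
    return keys


def find_hijacks(text: str) -> List[Hit]:
    """Return every indicator value that is set in the export."""
    keys = parse_reg(text)
    hits: List[Hit] = []
    for key, name, desc in INDICATORS:
        values = keys.get(key.lower(), {})
        if values.get(name.lower()) == 1:
            hits.append((key, name, 1, desc))
            if name == "ProxyEnable" and "proxyserver" in values:
                hits.append((key, "ProxyServer", values["proxyserver"],
                             "proxy address the browser is sent through"))
    return hits


def fix_reg(hits: List[Hit]) -> str:
    """Build a .reg that clears the reported values and nothing else."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    per_key: Dict[str, List[str]] = {}
    for key, name, _value, _desc in hits:
        per_key.setdefault(key, []).append(name)
    for key, names in per_key.items():
        lines.append(f"[{key}]")
        for name in names:
            if name == "ProxyEnable":
                lines.append('"ProxyEnable"=dword:00000000')
            else:
                lines.append(f'"{name}"=-')  # "=-" deletes the value on merge
        lines.append("")
    return "\n".join(lines)


# Constructed export of the two keys on an infected profile (proxy address made up).
EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
"ProxyOverride"="<local>"
"""

if __name__ == "__main__":
    for key, name, value, desc in find_hijacks(EXPORT):
        print(f"{desc}: {key}\\{name} = {value!r}")
    print(fix_reg(find_hijacks(EXPORT)))
```

regedit writes exports as UTF-16 with a byte-order mark, so read a real one with `encoding="utf-16"` before passing it to `find_hijacks`. Merge the generated file by double-clicking it and answering Yes, as in the reply's FIXTM.reg step; the deleted policy value takes effect the next time Task Manager is launched, and Internet Explorer needs a restart to drop the proxy. Run RKILL first, as the reply says, or a still-running rogue can set the values again.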

  • Kit says:

    Yeah, MalwareBytes, and also it has to be done in SAFE mode.

    Disconnect from the internet completely, then restart your comp and hit F8 after the beep. Navigate to MalwareBytes, which you'll already have to have downloaded to your desktop or whatever (it's a free download), and run a complete system scan with MalwareBytes.

    It'll find it but it won't be able to remove it… it'll just place it in quarantine, which is still fine, because whoever or whatever that "service" was connecting to won't be able to anymore with it in quarantine.

    It can only happen in safe mode though; once it's quarantined you'll be fine to go back into "regular" mode.


