
How to Delete Files or Terminate Process When You Can’t

Posted by Raymond in category Computer, Aug 28, 2010

When a virus or other malware is active on the computer, meaning that it is running in the background, it can do a lot of damage. It can stop antivirus or antispyware software from working, enforce restrictions such as disabling Task Manager, send keylogs to the attacker, and so on. Since the malware needs to be running in the background all the time, it must have some method of starting itself whenever Windows boots. Locating the auto-start entry is not difficult with Sysinternals Autoruns, but malware authors have made their programs re-add the startup entry whenever it is deleted.

That means you first have to locate the malware's process and terminate it, and only then remove the startup entry. Disabling Windows Task Manager to prevent the process from being killed is no longer effective, since we can always use a third-party task manager such as Process Explorer or AnVir Task Manager to find and terminate it. Some malware authors have gotten smarter and protect the process instead, either by injecting into another process (which also bypasses firewalls) or with a piece of code that causes a blue screen of death if you try to terminate it.


Here is a screenshot of a bot builder with a "Protect Process" option.

How to terminate a process that cannot be killed

If I try to end the process in Windows Task Manager, I get a warning: "Ending this process will shut down the operating system immediately. You will lose all unsaved data. Are you sure you want to continue?" Task Manager shows this warning for a process that has been flagged as critical to the system, the same protection core system processes use, and terminating a critical process triggers a bugcheck. Ticking Abandon unsaved data and shut down and clicking the Shut down button produces a blue screen with a crash dump, and Windows restarts automatically. To be honest, some antivirus products cannot clean this kind of infection either, because they keep trying to terminate the process and end up crashing Windows. If you run into a similar case, it doesn't mean you have to reformat and spend hours reinstalling Windows and all your applications.

First you need to know where the file is. Task Manager in Windows 7 can already show you this: right-click the taskbar and select Start Task Manager, locate the process you cannot kill, right-click it and select Properties, then note the Location shown in the properties window. If Windows Task Manager has been disabled by policy, use Process Explorer instead.
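The same lookup done from an elevated PowerShell prompt, as an added example that is not part of the original article: it reports the image path of the named process, hashes the file so it can be checked against a malware database, lists the common Run/RunOnce and Winlogon entries that reference that file, and notes whether the DisableTaskMgr policy that greys out Task Manager is set (PowerShell ignores that policy). The process name 'bot' is a placeholder you replace with the name Task Manager shows.

```powershell
# Added example (not from the article): locate the on-disk image of a process that
# Task Manager refuses to end, hash it for a lookup, and list the autorun entries that
# would relaunch it after a reboot. Run from an elevated PowerShell prompt.

function Test-TaskManagerDisabled {
    # "Task Manager has been disabled by your administrator" is just this policy value;
    # PowerShell does not honour it, so the rest of this script still works.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $v = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($v -and $v.DisableTaskMgr -eq 1) { return $true }
    }
    return $false
}

function Get-SuspectImage {
    param([Parameter(Mandatory=$true)][string]$ProcessName)   # name as shown in Task Manager, without .exe
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction Stop) {
        $path   = $p.Path    # $null for protected or other-session processes when not elevated
        $sha256 = $null
        if ($path) {
            try {
                # A running executable can still be opened for shared read, so hashing works.
                $bytes  = [System.IO.File]::ReadAllBytes($path)
                $hash   = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
                $sha256 = ([System.BitConverter]::ToString($hash)).Replace('-', '')
            } catch { $sha256 = "unreadable: $($_.Exception.Message)" }
        }
        New-Object PSObject -Property @{ Id = $p.Id; Path = $path; SHA256 = $sha256 }
    }
}

function Get-AutorunReferences {
    param([Parameter(Mandatory=$true)][string]$ImagePath)
    # The common Run/RunOnce keys plus Winlogon (Shell/Userinit). Sysinternals Autoruns
    # covers far more locations; this is the quick check for the entry that keeps coming back.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    $fileName = [System.IO.Path]::GetFileName($ImagePath)
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not registry values
            if ("$($prop.Value)" -like "*$fileName*") {
                New-Object PSObject -Property @{ Key = $key; Name = $prop.Name; Value = $prop.Value }
            }
        }
    }
}

# Usage: 'bot' is a placeholder for whatever process name Task Manager shows.
if (Test-TaskManagerDisabled) { Write-Warning 'DisableTaskMgr policy is set' }
Get-SuspectImage -ProcessName 'bot' | ForEach-Object {
    $_ | Format-List
    if ($_.Path) { Get-AutorunReferences -ImagePath $_.Path | Format-Table -AutoSize }
}
```

Write down the path and the hash before rebooting into any of the deletion methods below; once the file is gone you will want both to confirm that the autorun entry you remove afterwards really pointed at it.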

Task Manager Process Properties

Now download BlitzBlank and run it. On the Designer tab, click once in the Type column and select File. Then click once on < File path >, which reveals a ... button; click it and locate the executable. Make sure the action is Delete (you can change it to Move if you prefer), and tick the Backup checkbox if you want a copy of the file kept. Finally click Execute Now. You will be prompted to save your work and close all running applications to avoid data loss, and the computer will reboot. Before Windows has fully loaded, BlitzBlank deletes the file you specified, working at a very low level before the malware's own startup entry has had a chance to run.

BlitzBlank delete files on boot

There are other free tools that can do the same thing as BlitzBlank, such as Unlocker and EMCO MoveOnBoot. I prefer BlitzBlank because it is portable and small. EMCO MoveOnBoot requires installation and is 24.1MB in size; Unlocker also requires installation, although unofficial portable versions exist.
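For comparison with those tools, here is the mechanism Windows itself provides for delete-on-reboot, as an added example that is not part of the original article and not the code of any tool it mentions: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records the request in the Session Manager's PendingFileRenameOperations registry value, and the Session Manager carries it out early in the next boot, before any logon or Run key entry is processed. The path is a constructed placeholder and the prompt must be elevated.

```powershell
# Added example (not from the article): queue a file for deletion at the next boot using the
# documented Windows mechanism (MoveFileEx + MOVEFILE_DELAY_UNTIL_REBOOT), then read back
# the queue so you can confirm the request was recorded. Requires an elevated prompt.

Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Remove-FileOnReboot {
    param([Parameter(Mandatory=$true)][string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    # A null destination means "delete". The pair is appended to
    # HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
    # and executed by smss.exe during the next boot, before services and logon start.
    $ok = [Win32.NativeMethods]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for '$Path' with Win32 error $err"
    }
}

function Get-PendingFileOperations {
    # Decode the REG_MULTI_SZ queue: entries come in source/destination pairs,
    # an empty destination means delete, and sources are written in \??\ form.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $v = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $v) { return @() }
    $result = @()
    for ($i = 0; $i -lt $v.Count; $i += 2) {
        $dst = if ($i + 1 -lt $v.Count) { $v[$i + 1] } else { '' }
        $result += New-Object PSObject -Property @{
            Source      = $v[$i]
            Destination = $dst
            Action      = $(if ($dst) { 'Move' } else { 'Delete' })
        }
    }
    return $result
}

# Usage with a constructed placeholder path; substitute the Location noted from Task Manager.
Remove-FileOnReboot -Path 'C:\Users\Public\bot.exe'
Get-PendingFileOperations | Format-Table -AutoSize
```

The caveat that matters here: the queue is an ordinary registry value, so a malware process running with administrator rights can watch it and clear its own entry before the reboot, which is exactly why the article's tools go lower than this API (BlitzBlank, as described above, acts before Windows has loaded). Use this when the sample has been stopped or is not watching the registry; otherwise use one of the boot-time tools or the recovery environment method below.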

Another manual method that needs no third-party tool is the Command Prompt in the Windows System Recovery environment. Restart the computer and start tapping F8. When the Advanced Boot Options menu appears, select Repair Your Computer and press Enter (if that entry is missing, boot from the Windows 7 installation DVD and choose Repair your computer there). Select a keyboard layout (US by default) and click Next, then choose Command Prompt from System Recovery Options. The prompt starts in X:\windows\system32, which is the recovery environment's own RAM drive, and the drive letters usually differ from the ones you see in Windows: on my machine the C: drive showed up as D: in the System Recovery command prompt. Try the letters (dir D:\, dir E:\ and so on) until you find the one containing your Windows installation, then use cd to reach the file and del to delete it, or move to relocate it. Since the malware is not running, nothing holds the file open; if del still refuses because the file carries the read-only, hidden or system attributes, clear them first with attrib -r -s -h filename and try again.


    • Ron

      Can FileASSASSIN do this kind of job?

    • ameer

      Malwarebytes' Anti-Malware also has a tool to do it.

    • dredge

      Great idea, I have never used BlitzBlank before. Another tool that is quite useful for this task is KillBox.

    • play8oy

      hmmm useful tips, thank you.

    • Vanamali

      I think Malwarebytes has some problems. My organization warned us not to use that. Is that true? Can anyone shed some light on that, please?

    • :Neo:

      Nice info Ray.
      Effective against a good malware infection... wish I knew this before my first encounter with a virus which restarted my PC repeatedly and I couldn't terminate the process.

    • QAtester

      You can also use IceSword to locate and delete hidden files.

    • Florin

      Too much talking about Emsisoft products, don't you think?

    • macky

      I once used Spyware Terminator to do this job.
      First I use Analyse File under the Tools option. After running the analysis, the report shows the registry entries of the application. Then, after noting down all the entries, I delete the application with the Remove File function under the Tools option, and then I manually delete the entries in the Registry Editor.

    • Boyfriend

      Thanks Raymond. BlitzBlank (1.0) seems a very useful tool. Your nice article has forced me to include it in my kit.

      Regards.

    • http://www.hazarks.tk/ hazarks

      Thanks for the tip, but you should know that once a system is infected there is only one way to make sure the system will be clean again: nuke the whole system and reinstall. It takes only 5 minutes to nuke and reinstall. So why not make sure the system is clean? I just keep my important files on an external hard drive and backed up online. But anyway I use Linux so I have never been infected, but we never know.

    • http://www.raymond.cc/ Raymond

      @Florin: Is there such thing as “too much” when it’s free? Anyway, Emsisoft recently released Emergency Kit and it has BlitzBlank. Do you see the coincidence?

    • Newbie

      How to know exactly which process is a malware?

    • INDRANIL

      Thank you Raymond for the useful tip.

    • phil

      I’ve used these file renamer /deleter utils before, they are wonderful applications.

      I must say though, I have managed to kill these processes and remove the files using ZTree and Process Hacker, peek and regedit.

      Here’s the scoop. Process Hacker finds the rogue app. You pin down the filename.

      Kill the process, and immediately (speed is of the essence sometimes) use ZTree to rename the file, then create a dir with the same name.

      This allows me to analyze the rogue file. I use "peek" to look for more connections to other files, to web URLs, and to the registry. You'd be surprised how much extra rogue junk (files and registry entries) I find this way. Also ZTree has a viewer in ASCII, junk, dump, and hex; each has its benefits and drawbacks, but if you can get it all done in ZTree it saves time.

      This also allows me to ban netblocks / IPs with the information contained inside the file(s) "when found." (Unplugging your Cat5 works also.) I've even seen cases where blocking the net connection alone is all you need to delete / rename / remove the rogue file, which becomes active when your network(s) become active.

      Another way is to use a Bootable Linux, and mount the drive and delete / rename the files that way.

      While I don’t expect many to take my exact path. Hopefully it helps someone down the road.

      I also haven't used these techniques on Win 7. So Win 7 lovers, you'll be the guinea pigs first I guess. Just be aware of account ownership (user vs admin) and junctions (like a symlink in Linux); in Win 7 they trip up how you START ZTree and what it can or can't access.

      Tools -
      Ztree: http://www.ztree.com
      Process Hacker: http://processhacker.sourceforge.net
      peek: http://colepc.com/files/peek11.zip (Search for the filename peek11.zip if mirror goes down)
      regedit: comes with windows…

    • http://the-electronic-cigarette-store.co.cc fr33mumia

      Combining Process Explorer, Unlocker and taskkill can get the job done too. Thanks for sharing Raymond =)

    • Merlin_Magii

      Thank you Raymond

    • http://www.raymond.cc/forum/members/grr.html Grr

      Thanks Ray for the article & introducing another good tool-BlitzBlank.

      As you mentioned, Windows 7 shows the properties in Task Manager; is there a similar way for XP also?

      Thanks,
      Grr

    • Sunil Sherekar

      Thanks for this great info ! But, I have one query, how to find out which process is virus/malware/unwanted ? Please help me…

    • http://marouf1982.blogspot.com Marouf Haider Nepo

      Thanks Man. really this helps…
      But i do use process explorer a LOT.

    • Sandeep Jopat

      Try using KillBox....
      It doesn't require installation and has the capacity to delete on next reboot, or replace with a custom file on next reboot...

      Sandeep

    • Gajanan

      Hey, can you tell me which bot creator you showed in this article and where to get it?

    • http://walrusbucketsaga.com Lookin4Bukkit

      I use Unlocker to kill “stuck” processes. Great little app. And free.

    • pamelax

      thanks for the hint!!

    • Ken Stewart

      I'm setting up 3 PCs at present due to various failures: hard drive, tinkering around in the registry, 1 new custom build, all being XP Pro.

      After having installed some Ashampoo apps and allowing special offers (there are too many actually), they sent me an email offering Uninstaller 4 for $8 each and I bought 4 licenses. This is their latest pro version and they have a free one also. It does a full OS check initially and can possibly serve as a form of backup; still playing with it.

      So, what I have seen so far is that this app catches anything that is trying to install and monitors all changes to the OS, including the registry. You finish by naming each install operation and can then uninstall completely, so they claim. Time will tell.

      I may post later when I get two of these PCs online to see if it catches malware. I believe it's worth checking out.

      Ken

    Copyright © 2005-2012 - Raymond.CC Blog