
Basics: 2 Utilities You ALREADY Have On Windows That Can Fight A Virus

Right now, one key reality of supporting Windows computers is that they get viruses. There are more viruses for Windows than for any other computer operating system you can get. So, it should come as no surprise that I’m quite interested in what can be done to combat threats on a Windows computer with tools you already have. Today I’m going to look at two tools you’ll find on most any Windows flavour out there: Windows XP, Windows Vista, and Windows 7. Namely, wmic and taskkill. This is going to be more of a beginner’s overview of how you might use these tools to identify and stop a rogue application on your computer.

So, you’re pretty sure you have a virus, right? Your computer is running horribly slow, the startup is filled with application errors and you have suspicious icons in your system tray or on the desktop. These are common signs of an infection and generally what would lead folks to call me – the IT Guy. What I do (as part of the bigger picture) is attempt to identify a problem or a suspicious infection. (Note: The actions described here are not a cure-all, nor are they 100% safe for the health of your computer. Please use caution when performing any operation such as killing tasks.)

Step #1 – Identify
One thing that is absolutely common to all things that suck away CPU cycles is that they have to run. You may not see an indication of it running, but you know it is. In fact, any virus worth its salt is going to be amazing at hiding any indication that it’s running on your system. Often it’ll be so bad that you can’t download tools like those from Sysinternals, HijackThis, or any number of other utilities that help you clean a system. Don’t fret though, there are some tools already on your system that can help.

To start with, you have to open a Command Prompt – that would be Start -> Run… and typing CMD, or simply typing CMD in the Start Menu search box. Both of these will open a black window with a flashing cursor called the Command Prompt.

The key situation I speak of is that of having a computer so badly affected that you cannot even get to an internet connection, nor can you use a browser. These special situations require that you use all the tools available to you in a sort of MacGyver-esque way. These tools are pretty limited in most cases, but if used right, they may get you connected and on the path to fixing the computer.

List Running Processes:
In your Command Prompt, run one of these commands:

wmic process list > apps.txt

... or, for a better file layout but a longer command:

WMIC /OUTPUT:apps.txt path win32_process get Caption,Processid,Commandline

They’ll do the same thing for you – just one will be laid out better. The problem is that the better output requires you to type a longer command line. Either way, you’ll get a list of running processes and their full paths.

Open the file
In the command prompt immediately following the above command, enter this command:

notepad apps.txt

What you’ll see in Notepad is a listing of the Window Caption, the Command Line for the application and the process ID. All of these details will be needed to kill the offending application. While there is no perfect way to identify what a malicious application will be (and they often change), there are some guidelines:

1. The .exe or .com file has a random-character name (for example: xdfeded.exe)
2. The file or command is running from a profile directory (for example: C:\Users or C:\Documents and Settings)
3. The .exe or .com file looks like a system file (for example services.exe), but runs from a non-Windows directory
4. The process name is a very simple one; often malicious applications are named lwc.exe or some other short name
5. The process is not known or is obviously unusual (for example – a virus named “Antivirus 2010” is running, and you see a process named 23av2010.exe)

The key is to look for anything that doesn’t look right. In most cases, you can just start killing anything unusual, and test the computer to see if it has improved (or if the virus’ interface is running, watch to see if it closes).
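As an added example (not code from the article), here is a small Python script that reads the apps.txt written by the longer wmic command above and applies the guidelines as rough filters, so a dump taken from a machine that cannot get online can be triaged on a clean one. The process names, paths and PIDs in the sample are constructed, and the vowel-ratio test is a crude stand-in for “random-looking”.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of apps.txt as written by the article's second wmic command. wmic sorts the
# columns alphabetically and pads them; a real file is UTF-16, so read it with encoding="utf-16".
SAMPLE_APPS_TXT = r"""Caption       CommandLine                                   ProcessId
svchost.exe   C:\Windows\system32\svchost.exe -k netsvcs    872
services.exe  C:\Users\bob\AppData\Roaming\services.exe     2210
lwc.exe       "C:\Users\bob\AppData\Local\Temp\lwc.exe"     696
23av2010.exe  C:\Documents and Settings\bob\23av2010.exe    3100
xdfeded.exe   C:\Windows\Temp\xdfeded.exe                   3412
notepad.exe   "C:\Windows\system32\notepad.exe" apps.txt    3555
"""

PROFILE_DIRS = ("c:\\users\\", "c:\\documents and settings\\")
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}  # expected under C:\Windows only

def parse_wmic_table(text):
    """Split wmic's fixed-width table into (caption, command line, pid) tuples."""
    lines = [l for l in text.splitlines() if l.strip()]
    cap_end = lines[0].index("CommandLine")  # the caption column ends where the next header starts
    rows = []
    for line in lines[1:]:
        m = re.match(r"\s*(.*?)\s*(\d+)\s*$", line[cap_end:])  # command line, then the numeric PID
        if m:
            rows.append((line[:cap_end].strip(), m.group(1), int(m.group(2))))
    return rows

def exe_path(command_line):  # best effort: the quoted first token, else everything up to the first .exe/.com
    m = re.match(r'"([^"]+)"|(.*?\.(?:exe|com))', command_line, re.I)
    return (m.group(1) or m.group(2)) if m else command_line

def suspicion_reasons(caption, command_line):
    """Apply the article's rules of thumb; an empty list means nothing looked odd."""
    path = exe_path(command_line).lower()
    name = PureWindowsPath(path).name or caption.lower()
    stem = name.rsplit(".", 1)[0]
    reasons = []
    if path.startswith(PROFILE_DIRS):
        reasons.append("runs from a profile directory")
    if name in SYSTEM_NAMES and not path.startswith("c:\\windows\\"):
        reasons.append("system file name outside the Windows directory")
    if len(stem) <= 3:
        reasons.append("very short name")
    vowels = sum(c in "aeiou" for c in stem)  # crude stand-in for "random-looking": digits mixed in or few vowels
    if len(stem) > 3 and name not in SYSTEM_NAMES and (re.search(r"\d", stem) or vowels / len(stem) < 0.3):
        reasons.append("random-looking name")
    return reasons

def triage(text):  # map PID -> reasons for every listed process that trips at least one rule
    return {pid: r for cap, cmd, pid in parse_wmic_table(text) if (r := suspicion_reasons(cap, cmd))}
```

The PIDs it returns are what Step #2 passes to taskkill /PID; a process that ignores the plain termination signal can be forced with taskkill’s /F switch.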

Wait, I can’t run the command prompt!

Some more severe cases won’t even let you open a command prompt. In those scenarios you’re going to have to try getting into the help system to open the command prompt (beyond the scope of this article), or use Start -> Run… to attempt execution of the commands I mentioned above. If all else fails, you have no choice but to fall back on a bootable disc/USB tool, like Microsoft’s Standalone System Sweeper, that you create elsewhere. Another possible option is to try running System Restore from Run:

%systemroot%\system32\restore\rstrui.exe

Step #2 – Kill the process

Killing the offending task is a seemingly simple task, but it can be much more complicated given the nature and scope of malware on the system. You’ll want to identify the process ID (PID) of the process you want to kill and then run the following command (696 below is the corresponding process ID determined above).

taskkill /PID 696

The output of the command will look like this:
SUCCESS: Sent termination signal to the process with PID 696.

Here you want to look for signs that the task has died: hover over the system tray icon (if it has one) and it should disappear, the main window of the apparent infection will close, and the system may become more responsive. If you don’t see the change you want, continue listing the tasks and killing those that seem suspect. Often there are other processes or services running that will re-launch the process you just killed, so this doesn’t always work (such is life, so you don’t want to spend too much time on all of this; just give it a try – if you get the infected file, this may be your path to getting the computer back). If you make progress here, move on to the step of cleaning.

Step #3 – Install/Run a virus scanner and attempt to clean

Now that you have a better idea of what’s running, use your local virus scanner to run a full scan and clean your computer. If that scanner doesn’t run, you can try running one of the many online scanners (like the one Eset offers). This may find some of the infections and clean them, getting you closer to a usable system. That usable system will let you back up your files and prepare for the next steps in cleaning – either a reinstallation of your virus scanner or a full-scale Windows reinstall to ensure your system is clean.

Further Reading:
Full taskkill command line parameters [microsoft.com]
More on the wmic command [microsoft.com]
What is a virus? [microsoft.com]