How to: Kill process which just keep coming back

[Xon]

Sometime when trying to clean a computer you get malware which keeps respawning from the grave.

Some tricky ones will even take ownership of the file to another user and monitor the file and reset it back when you try and change it.

If only there was some way to tell Windows to not load an application or extension. But there is(well for 2k/XP Pro/2k3, XP Home is out of luck)!

Run "secpol.msc", "Software Restriction Policies", right click and select the "new security policies"(it should be the only option in the rightclick menu). Then browse to "Additional Rules", right click -> "New <rule type> rule" and you can determine how you want to identify the file (md5/SHA-1 hash or path, etc), and windows will never run the file again.

You can then go to "Software Restriction Policies" and double click on "Enforcement", and determine if it applies to just the main executable or all libraries loaded by it and some other minor stuff.

This allows for preventing an application to run were you can not remove the file or alter the permisions for some reason.

[Xon]

Crud, this isnt in the right forum. Can some mod dump this in the write place?

[Grand Admiral Thrawn]

Right forum, not write forum.

[InnocentBystander]

Useful info, maybe we can sticky this, or even add it to some sort of "Computer Troubles Knowledge base"?

[Stormbringer]

Spybot Search and Destroy has some tools for that.

Other than that something like Hijack This! is probably necessary.

[Xon]

Right forum, not write forum.

I posted that at 1:13 am after finishing some reading on the msdn!

[phongn]

Remind me to FAQ this if I haven't done it in a few days, ggs.

[Vertigo1]

I'll have to make a note of that somewhere. Thx for posting this.