Monday, October 10, 2005

Killing off a Virus attached to explorer.exe (i.e. NovArg.m) Windows 2000/XP

Because this nasty virus configures itself to launch when explorer loads, preying on the extensibility of the interface, it can be tricky to quickly remove the virus once it has settled in. I found that in a Corporate/Help Desk scenario, utilization of the remote administration functions can resolve this quickly.
  1. have the user log off the system to the CTRL-ALT-DELETE screen
  2. connect to the system remotely, if necessary using the UNC path \\[computername]\C$\WINNT\SYSTEM32
  3. locate shimgapi.dll, delete it
  4. locate taskmon.exe, delete it
  5. have the user log back in
  6. using regedit locally or remotely (slower), search the affected system for registry keys and values referring to taskmon.exe and shimgapi.dll
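As an added example (not part of the original post), the following PowerShell script carries out steps 2 through 4 over the admin share and then the registry search of step 6 for the two file names the post gives. The computer name and the WINNT directory layout are assumptions; adjust them for a \WINDOWS install.

```powershell
# Added example, not from the original post: checks a remote workstation for
# the two NovArg.m files the post names (steps 2-4) and then searches the
# local registry for values that reference them (step 6). The computer name
# and the WINNT layout are assumptions; adjust for a \WINDOWS install.
param(
    [string]$Computer  = 'WORKSTATION01',             # assumed target name
    [string]$SystemDir = "\\$Computer\C$\WINNT\SYSTEM32",
    [switch]$Remove                                   # omit to report only
)
$Indicators = @('shimgapi.dll', 'taskmon.exe')        # files named in the post

# Steps 3-4: look for the files over the admin share. Run with the user logged
# off (step 1) so that explorer.exe is not holding shimgapi.dll open.
function Find-NovargFiles {
    foreach ($name in $Indicators) {
        $path = Join-Path $SystemDir $name
        if (Test-Path -LiteralPath $path) {
            Write-Output "FOUND file: $path"
            if ($Remove) { Remove-Item -LiteralPath $path -Force }
        }
    }
}

# Step 6: report registry values that reference either file name. The Run key
# covers the autostart; CLSID\...\InProcServer32 default values cover shell
# extensions that explorer.exe loads. Findings are reported, not deleted,
# because a shell extension may sit under an existing CLSID; clean those up
# in regedit after checking what the key belongs to.
function Find-NovargRegistry {
    $run = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $props = (Get-ItemProperty -Path $run).PSObject.Properties
    foreach ($p in $props) {
        foreach ($name in $Indicators) {
            if ("$($p.Value)" -match [regex]::Escape($name)) {
                Write-Output "FOUND run value: $run\$($p.Name) = $($p.Value)"
            }
        }
    }
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inproc = "Registry::$($_.Name)\InProcServer32"
            $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            foreach ($name in $Indicators) {
                if ("$dll" -match [regex]::Escape($name)) {
                    Write-Output "FOUND shell extension: $inproc = $dll"
                }
            }
        }
}

Find-NovargFiles
Find-NovargRegistry
```

Run it first without -Remove to confirm the files are where the post says before deleting anything; the registry pass is meant to run on the affected machine itself after the user logs back in (step 5).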

This logic can be applied to many situations, but this was our recent fix. Your first defense is ensuring your virus definitions are up to date, though user education is often just as valuable. For more information, research the virus at the Symantec or McAfee web sites. Symantec now has a removal tool; you might want to use this, as it is more thorough.

