Killing off a Virus attached to explorer.exe (i.e. NovArg.m) Windows 2000/XP

Because this nasty virus configures itself to launch when explorer loads, preying on the extensibility of the interface, it can be tricky to quickly remove the virus one it has settled in. I found that in a Corporate/Help Desk scenario, utilization of the remote administration functions can resolve this quickly.

1. have the user log off the system to the CTRL-ALT-DELETE screen
2. connect to the system remotely, if necessary using the UNC path \\[computername]\C$\WINNT\SYSTEM32
3. locate shimgapi.dll, delete it
4. locate taskmon.exe, delete it
5. have the user log back in
6. using regedit locally or remotely (slower) search the affected system for registry keys relating to taskmon.exe, and shimgapi.dll

This logic can be applied to many situations, but this was our recent fix. Your first defense is ensuring your virus definitions are up-to-date though user-education is often just as valuable. For more information research the virus at the Symantec or McAfee web sites. Symantec now has a removal tool. You might want to use this as it is more thorough.