October 16, 2006 12:00 AM

Removing Unwanted Code

Tools and techniques for ridding a system of viruses, adware, or spyware
Windows IT Pro
InstantDoc ID #93522

If despite all your best efforts, a system in your organization has managed to pick up some unwanted executable code, you'll no doubt want to remove it. Assuming that the standard Add/Remove Programs approach can't remove the code, let me offer you some alternative approaches for each kind of unwanted code.

Removing Viruses
First, if it's a virus, you'll want to get rid of it with a virus-cleaning utility. If the system has antivirus software in place but it didn't catch the unwanted code, check the date of the signature file. If the file is out of date, update it and run a full scan. If the system has no antivirus software, try the free online virus scanning that Trend Micro offers at http://housecall.trendmicro.com. Trend Micro's HouseCall is an ActiveX control that's downloaded to and executes in the user's browser (make sure the system's Microsoft Internet Explorer (IE) security settings allow this behavior for the HouseCall site, rather than lowering the ActiveX setting for the whole Internet zone) and scans the local system with the latest signature file from Trend Micro. If you want it to do so, the utility can remove any virus infections it finds.

If the virus-scanning utility doesn't work, you can also try Microsoft's Malicious Software Removal Tool (MSRT), available at http://www.microsoft.com/security/malwareremove/default.mspx to rid your system of the unwanted executable code. Microsoft updates the tool at least once a month with new viruses and worms to be removed.

Removing Adware and Spyware
If the unwanted executable code isn't a virus and MSRT doesn't remove it, you're probably dealing with adware or spyware. Adware and spyware exist in a gray area; antivirus utilities don't always automatically detect them. Because most adware and spyware are intended to run on client systems at all times, the applications typically configure themselves to launch when the OS launches. You can examine the various locations and methods such applications can use to launch themselves, including the following:

  • Start, Programs, Startup folder— Look for application shortcuts, which are a common way to have an application start up at the same time that a user logs on. It's relatively easy to remove adware and spyware from this location—just delete the shortcut.
  • Win.ini file—Check the win.ini file (located in the %SystemRoot% directory) for any evidence of applications configured to launch with the OS. In the win.ini file, check the [Windows] section for any programs listed after a Run= or Load= statement. Because file names can be hidden by padding the line with enough spaces to push them out of an editor's view, make sure you check the entire line, not just what is visible on screen.
  • System.ini file—In the system.ini file (same location as win.ini, the %SystemRoot% directory), be wary of any program listed on a Shell= statement in the [Boot] section. Windows NT-based systems (Windows 2000, XP and later) read the shell from the registry instead, from the Shell value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; the default is explorer.exe, so anything appended to it deserves a look.
  • Startup registry subkeys—Several areas in the registry can trigger a program to execute automatically at system startup. Check the following subkeys for any evidence of applications you're unsure about: In the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion subkey, check Run, RunOnce, RunServices, and RunServicesOnce; in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion subkey, check Run, RunOnce, and RunServices. The RunServices and RunServicesOnce keys are honored only by Windows 9x and Windows Me; on NT-based systems, check the Services list (services.msc) for the equivalent. On 64-bit Windows, also check the same subkeys under HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion, which is where 32-bit programs write their Run entries.

Note: As always, take great care when you edit the registry. An incorrectly applied change could have a severe impact on your system, including making it unbootable.
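The following script is an added example, not part of the original article, that walks the autostart locations listed above (both Startup folders, the win.ini and system.ini entries, and the Run-family registry subkeys under HKLM and HKCU) and prints every command it finds. It assumes a Windows system with PowerShell 3.0 or later and is best run from an elevated prompt so that all of HKLM is readable. It reads only; nothing is deleted, so you can review the list before acting on it.

```powershell
# Added example (not from the original article): enumerate the autostart
# locations described above and report each command found there.
# Assumes Windows with PowerShell 3.0 or later; run elevated for a full HKLM view.

function Get-AutostartEntries {
    $entries = @()

    # 1. Startup folders, per-user and all-users. Every shortcut here runs at logon.
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($item in Get-ChildItem -LiteralPath $folder -File -Force) {
            $entries += [pscustomobject]@{ Location = $folder; Name = $item.Name; Command = $item.FullName }
        }
    }

    # 2. win.ini [windows] Run=/Load= and system.ini [boot] Shell=.
    #    The whole line is read and trimmed, so a name hidden behind padding spaces is still reported.
    $iniChecks = @(
        @{ File = "$env:SystemRoot\win.ini";    Section = 'windows'; Names = @('run', 'load') },
        @{ File = "$env:SystemRoot\system.ini"; Section = 'boot';    Names = @('shell') }
    )
    foreach ($check in $iniChecks) {
        if (-not (Test-Path -LiteralPath $check.File)) { continue }
        $inSection = $false
        foreach ($line in Get-Content -LiteralPath $check.File) {
            if ($line -match '^\s*\[(.+?)\]\s*$') { $inSection = ($Matches[1] -ieq $check.Section); continue }
            if (-not $inSection) { continue }
            if ($line -match '^\s*([^=;]+?)\s*=(.*)$') {
                $name  = $Matches[1].ToLower()
                $value = $Matches[2].Trim()
                if ($check.Names -contains $name -and $value) {
                    $entries += [pscustomobject]@{ Location = $check.File; Name = $name; Command = $value }
                }
            }
        }
    }

    # 3. Run / RunOnce / RunServices / RunServicesOnce under HKLM and HKCU.
    #    The Wow6432Node path is the 32-bit view on 64-bit Windows (added here; not in the article's list).
    $hives = @('HKLM:\Software\Microsoft\Windows\CurrentVersion',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion')
    foreach ($hive in $hives) {
        foreach ($sub in @('Run', 'RunOnce', 'RunServices', 'RunServicesOnce')) {
            $key = Join-Path $hive $sub
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath/... metadata
                $entries += [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
    return $entries
}

Get-AutostartEntries | Format-Table -AutoSize -Wrap
```

Run it once on a known-clean reference machine of the same build and diff the output against the suspect system; the entries that appear only on the suspect are the ones to research before you delete anything.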

Checking Components Before Removal
The tricky part about going after programs isn't so much in finding the applications that start automatically with the OS but knowing which autostart executables are valid—part of the OS or valid third-party software—and which are unwanted. Before you start removing references to applications configured to start up automatically, you should consult two references for each application you find. The first is the Microsoft DLL Help component-lookup utility, which you can find at http://support.microsoft.com/dllhelp. Enter an executable name (e.g., mstask.exe), and the tool tells you whether it's a valid Microsoft executable. Keep in mind that a name match alone proves little: unwanted code routinely borrows the name of a legitimate Windows file, so compare the file's path, size and version details with what the lookup reports.

As a second check, go to the Win-Tasks Process Library that UniBlue (formerly LiUtilities) maintains at http://www.liutilities.com/products/wintaskspro/processlibrary/ to see whether a component is part of a valid third-party application.
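A name lookup tells you what a file with that name should be; it does not tell you whether the file on the disk is that file. The following script is an added example, not part of the original article or of either lookup service, that does the local half of the check: for each autostart command it resolves the executable, verifies the Authenticode signature and signer, and records a SHA-256 hash you can search for. It assumes Windows PowerShell 4.0 or later (for Get-FileHash). The three sample commands are constructed for illustration; the Suspicious flag is a starting point for review, not a verdict.

```powershell
# Added example (not from the original article): check the binary behind an
# autostart command. Assumes Windows PowerShell 4.0 or later.

function Resolve-CommandPath {
    param([string]$Command)
    # Expand %SystemRoot%-style variables, then separate the executable from its arguments.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') {
        $candidate = $Matches[1]                                   # quoted path
    } elseif ($cmd -match '^(\S+?\.(exe|dll|scr|com|bat|cmd))(\s|$)') {
        $candidate = $Matches[1]                                   # unquoted path without spaces
    } else {
        $candidate = ($cmd -split '\s+')[0]                        # unquoted paths containing spaces are ambiguous; first token only
    }
    if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    # A bare name such as "updater.exe" is resolved through PATH, as the loader would.
    $found = Get-Command -Name $candidate -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($found) { return $found.Source }
    return $candidate
}

function Test-AutostartBinary {
    param([string]$Command)
    $path   = Resolve-CommandPath $Command
    $result = [ordered]@{ Command = $Command; Path = $path; Exists = (Test-Path -LiteralPath $path -PathType Leaf) }
    if ($result.Exists) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $result.Signature = $sig.Status                            # Valid, NotSigned, HashMismatch, ...
        $result.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $result.SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        # Unsigned or tampered files, and files launched from temp or profile folders, get a closer look.
        $result.Suspicious = ($sig.Status -ne 'Valid') -or ($path -match '\\(Temp|AppData)\\')
    } else {
        $result.Suspicious = $true                                 # command points at a file that is not there
    }
    [pscustomobject]$result
}

# Constructed sample commands: a Windows binary, a quoted path with arguments, an unresolvable name.
$samples = @(
    '%SystemRoot%\System32\notepad.exe',
    '"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
    'updater.exe /silent'
)
$samples | ForEach-Object { Test-AutostartBinary $_ } | Format-List
```

Two caveats: on Windows versions before Windows 8, Get-AuthenticodeSignature does not consult the security catalogs that most OS files are signed through, so system files report NotSigned there and the Sysinternals sigcheck tool is the better check; and many legitimate per-user applications do install under AppData, so treat that flag as a prompt to research the signer and hash, not as proof of infection.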

To make the process of removing unwanted executable code easier, you can use the System Configuration Utility (Msconfig) available on Windows XP and Windows 98 (click Start, Run and enter msconfig) to check automatic startup components. Figure 1 shows the Msconfig utility. Go to the Startup tab to see all applications configured to start up with the system or to the *.INI tabs to inspect the local .ini files. Note that Msconfig disables an entry rather than deleting it; a disabled entry stays in the registry and can be re-enabled, so follow up by removing the file and its registry reference once you've confirmed what it is. On Windows 8 and later, the Startup tab has moved to Task Manager and Msconfig no longer lists startup items.

If you run a system other than XP or Win98 or you want a more in-depth look at what components start up with your system, you can download the free Autoruns utility from Sysinternals at http://www.sysinternals.com/utilities/autoruns.html. Autoruns gives you an incredible amount of detail about the components configured to start up as your system boots or as you log on to your desktop. Figure 2 shows a sample Autoruns screen.
