False Sense Of Security? (Part II of II)

Written by windowsxp550
Monday, 19 December 2005
In Part I, I discussed how a computer that is fully protected with a virus scanner, firewall, spyware blocker and so on can still get a virus. In this part, I will walk you through how to investigate your computer if you suspect a spyware or virus problem exists and your virus scan and spyware scan do not find anything.

What we want to do is investigate your Windows folder and System32 folder for recent additions (why? Hold that thought; I will explain in a second).

First, make sure that hidden files and folders are shown. To do this: click Start, then My Computer. Click Tools, then Folder Options. On the View tab, check Show Hidden Files and Folders, uncheck Hide Extensions For Known File Types, then click Apply.

Now click Start, then My Computer, and navigate to the C:\Windows\system32 folder. Change the view to Details: on the top menu select View, then Details. Then sort the folder by clicking the Date Modified column header.

Warning: Do not delete anything out of this folder until you have fully investigated it. Randomly deleting files out of this folder can severely damage your system and/or render it unbootable.

These files are your system files. This folder (and the C:\Windows folder) is a common location that viruses, spyware and other destructive files target. If you scroll through the list of files, you should notice that the bulk of them have the same date. For my version of Windows (Windows XP Media Center Edition 2005), the date is 8/10/2004. This date corresponds to when Microsoft finalized the files (so it has nothing to do with when you installed Windows XP).

Back to why we are sorting this list by Date Modified: typically, viruses and spyware will have a Date Modified that is newer than the operating system files.

Sorting the list lets us pinpoint which files to investigate further: the files whose Date Modified is more recent than the operating system files. Be aware that updates and (certain) programs you install also place files into this folder, and these files are valid even though their Date Modified differs from the operating system files. In other words, just because a file has a different date than the operating system files does not mean it is a bad file.

Now that the list is sorted, to inspect the newer files a bit more I hover the mouse over each file to see what it is. When you hover, a small box pops up describing the file: the Description, Company, File Version, Date Created and Size. In my example, the file had all of this information. When I come across a file where the pop-up box is missing this information (sometimes it will just say "File"), that alerts me to investigate that particular file a bit further.

The next step in investigating a file is to right-click it and choose Properties, then click the Version tab to see whether there is any further information on the file (such as company name, description and so on).

Whenever I get to this point and still suspect the file is bad, or am not sure, I take the entire name of the file and do a Google search on it. The search will lead you to pages that tell you what the file is. Usually, if you find out that the file is in fact a destructive file or a virus/spyware, the same site will have information on how to remove it.

After you have finished looking through and investigating C:\Windows\System32, check the C:\Windows folder using the exact same technique.

And remember the warning: do not delete anything out of this folder until you have fully investigated it. Randomly deleting files out of this folder can severely damage your system and/or render it unbootable.

This guide was written by Jason LeDuc. Copyright © 2005-2006. All rights reserved.
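The same triage, scripted, as an added example that is not part of the original article or the author's method. It walks C:\Windows and C:\Windows\System32 (hidden files included), keeps only files modified after the operating-system baseline date, and pulls the same version information the hover box and Version tab show. It also adds two checks the article does not use: the Authenticode signature status, and a SHA-256 hash you can search for instead of only the file name. Assumptions of mine: Windows PowerShell 5.1 or later from an elevated prompt, and a `-Baseline` equal to the date the bulk of your own OS files carry (8/10/2004 on the article's XP Media Center 2005 machine; check your own list first).

```powershell
# Added example, not part of the original article: the same triage scripted.
# Assumptions (mine, not the article's): Windows PowerShell 5.1 or later, run
# from an elevated prompt; $Baseline is the date the bulk of your OS files carry
# (8/10/2004 on the article's XP MCE 2005 machine; check your own list first).
param(
    [string[]] $Folders  = @("$env:SystemRoot", "$env:SystemRoot\System32"),
    [datetime] $Baseline = '2004-08-10',
    [int]      $Top      = 40
)

function Get-RecentSystemFiles {
    param([string[]] $Folders, [datetime] $Baseline, [int] $Top)

    # Article step 1: hidden files included (-Force), sorted by Date Modified,
    # keeping only files newer than the operating-system baseline.
    $recent = foreach ($dir in $Folders) {
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $Baseline }
    }
    $recent = $recent | Sort-Object LastWriteTime -Descending | Select-Object -First $Top

    foreach ($f in $recent) {
        # Article step 2: the data behind the hover tooltip and the Version tab.
        $vi = $f.VersionInfo
        $noVersionInfo = [string]::IsNullOrWhiteSpace($vi.FileDescription) -and
                         [string]::IsNullOrWhiteSpace($vi.CompanyName)

        # Added check: Authenticode. A missing description is a weak signal; an
        # unsigned or tampered binary in System32 is a much stronger one.
        $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName

        # Added check: a hash to search for instead of (or as well as) the file name.
        $sha256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash

        [pscustomobject]@{
            Name        = $f.Name
            Folder      = $f.DirectoryName
            Modified    = $f.LastWriteTime
            Created     = $f.CreationTime
            Bytes       = $f.Length
            Company     = $vi.CompanyName
            Description = $vi.FileDescription
            Signature   = $sig.Status
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256      = $sha256
            Suspicious  = ($noVersionInfo -or ($sig.Status -ne 'Valid'))
        }
    }
}

$report = Get-RecentSystemFiles -Folders $Folders -Baseline $Baseline -Top $Top
$report | Sort-Object Suspicious, Modified -Descending |
    Format-Table Name, Modified, Company, Description, Signature, Suspicious -AutoSize

# Keep the full detail (hash, signer, created time) for the files you still want to
# look up. Nothing is deleted, in line with the article's warning.
$report | Where-Object Suspicious |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\system32-triage.csv"
```

Two caveats on reading the output. On Windows 7 and earlier, Get-AuthenticodeSignature does not consult the OS catalog files, so many legitimate catalog-signed Windows binaries report NotSigned; treat Signature as one signal alongside the version information and a hash lookup, not as proof by itself. And Date Modified is simply whatever the program that wrote the file set it to, so a file that copies the timestamp of its neighbours will not float to the top of the sort; the date sort is a way to shorten the list to inspect, not a way to prove a file clean.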
Comments (3)
written by Guest, January 22, 2006
The technique is great. I have checked my computer with this technique and removed a virus that I had been unable to remove with all the antivirus software I had. Thanks again.
written by tom357, January 14, 2006
Sounds good, will have to try it out.
written by TechieGuy, February 08, 2007
I have been a technician for over ten years, with Win 3.1 to Win 2k under my belt. I have just jumped on Win XP in the last few years and thought I knew a little bit. I was wrong; I know even less.
I have spent hundreds of hours teaching people how to use Defrag, ScanDisk and antivirus/trojan killers.
I have found this site to be most informative, and I am learning there is a lot to learn.
Five thumbs up to all you guys (ladies included) who add info here.
I will continue to be a member and contribute if I find anything that isn't covered here. Thanks for your input!
---------
Admin (Jason): Wow, what a nice thing to say. Thanks for the kind words.