How to: Investigate Virus Activities on Windows

Common signs of Viruses:

  • Unusual messages may appear on your screen.
  • Decreased system performance.
  • Missing data.
  • Inability to access your hard drive.

Steps to identify the virus:

  1. Isolate/disconnect the machine from the network (pull the cable or disable the adapter, but leave it powered on so volatile evidence such as running processes and open connections survives).
  2. Check for unusual processes, then kill them.
    1. Use Process Explorer, Task Manager, etc.
    2. Before killing anything, record the process name, image path, parent process and command line; that information is gone once the process is dead.
  3. Check for, and remove, any new users added to the Administrators or Power Users groups.
  4. Check for, and delete, any new unusual files.
    1. Files like .exe, .bat, .tmp, files that are nothing but binary/hex garbage, etc.
    2. In folders like %SystemDrive%, %WinDir%\system32, %ProgramFiles%, %WinDir%\system32\Drivers, %SystemDrive%\Recycler (%SystemDrive%\$Recycle.Bin on Vista and later), etc. Sort the files by date created or modified.
    3. Copy and hash anything you intend to delete before deleting it, so it can be analysed later.
  5. Check for, and delete, any extra values under the startup registry keys.
    1. Run, RunOnce, etc. (under both HKLM and HKCU ...\Software\Microsoft\Windows\CurrentVersion).
    2. Use Autoruns, etc.
  6. Check the client's communication with outside machines and cut it off.
    1. Use netstat, netcat, TCPView, netmon (Network Monitor), etc.
  7. Check that the firewall (CSA) and antivirus (SAV) programs are running, and restart them if they have been stopped; malware commonly disables both.
  8. Check the event logs and note any abnormal sequence of actions.
  9. If nothing has been found yet:
    1. Boot into Safe Mode.
    2. Disable any non-standard services.
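The steps 2 to 8 above can be collected in one pass instead of one tool at a time. The script below is an added example written for this page, not code from the original post; it assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later, an elevated prompt, and that step 1 (isolation) has already been done by hand. The report folder name, the 72-hour look-back window and the chosen event IDs are assumptions for the example. It deliberately only collects and writes a report; it kills and deletes nothing, so the evidence is still there when you come back to it.

```powershell
# Added triage script, not from the original page. Assumes Windows PowerShell 5.1 on
# Windows 10 / Server 2016 or later, run from an elevated prompt after the machine has
# been isolated (step 1). Collects only; kills and deletes nothing, so evidence survives.
# $ReportDir and the 72-hour window are assumed choices for this example.
$ReportDir = Join-Path $env:SystemDrive ('triage-' + (Get-Date -Format 'yyyyMMdd-HHmm'))
$Since     = (Get-Date).AddHours(-72)
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

function Save($Name, $Data) {
    $Data | Format-Table -AutoSize | Out-String -Width 4096 |
        Set-Content -Path (Join-Path $ReportDir "$Name.txt")
}

# Step 2: every process with image path, Authenticode status and whether it lives
# outside the Windows/Program Files trees (OffPath = True deserves a closer look).
$trusted = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$procs = Get-CimInstance Win32_Process | ForEach-Object {
    $proc = $_
    $path = $proc.ExecutablePath
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue).Status } else { 'n/a' }
    [pscustomobject]@{
        PID     = [int]$proc.ProcessId
        PPID    = [int]$proc.ParentProcessId
        Name    = $proc.Name
        Path    = $path
        Signed  = $sig
        OffPath = [bool]($path -and -not ($trusted | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }))
        Cmd     = $proc.CommandLine
    }
}
Save 'processes' ($procs | Sort-Object OffPath -Descending)

# Step 3: current members of the privileged local groups (Power Users may not exist).
$members = foreach ($g in 'Administrators', 'Power Users') {
    Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $g } }, Name, ObjectClass, PrincipalSource
}
Save 'privileged-groups' $members

# Step 4: files created or modified inside the window, in the folders the text lists.
$dirs = @("$env:windir\System32", "$env:windir\System32\drivers", "$env:SystemDrive\",
          $env:ProgramFiles, (Join-Path $env:SystemDrive '$Recycle.Bin\*'))
$newFiles = foreach ($d in $dirs) {
    Get-ChildItem -Path $d -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since }
}
Save 'new-files' ($newFiles | Sort-Object CreationTime -Descending |
    Select-Object FullName, CreationTime, LastWriteTime, Length)

# Step 5: Run/RunOnce values in both hives (Autoruns covers many more locations).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$autoruns = foreach ($k in $runKeys) {
    $key = Get-Item -Path $k -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($n in $key.GetValueNames()) {
        [pscustomobject]@{ Key = $k; Name = $n; Command = $key.GetValue($n) }
    }
}
Save 'run-keys' $autoruns

# Step 6: established TCP connections joined to the owning process (what netstat -b -o shows),
# loopback excluded.
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.PID] = $p }
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |
    ForEach-Object {
        $owner = $byPid[[int]$_.OwningProcess]
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            PID     = $_.OwningProcess
            Process = $owner.Name
            Path    = $owner.Path
        }
    }
Save 'connections' $conns

# Step 7: firewall profiles and whatever AV is registered with Security Center
# (root/SecurityCenter2 exists on client Windows only, hence SilentlyContinue).
Save 'firewall' (Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction)
$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, productState
Save 'antivirus' $av

# Step 8: event IDs that line up with the steps above: user created (4720), member added
# to a local group (4732), failed logon (4625), Security log cleared (1102),
# new service installed (7045), System log cleared (104).
$ids = @{ Security = 4720, 4732, 4625, 1102; System = 7045, 104 }
$events = foreach ($log in $ids.Keys) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids[$log]; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}
Save 'events' ($events | Sort-Object TimeCreated -Descending)

"Triage report written to $ReportDir"
```

Save it as, say, triage.ps1 and run it from an elevated prompt; each step lands in its own text file under the report folder. Treat the output as leads, not verdicts: an unsigned binary under %ProgramFiles% is often legitimate, and a kernel-mode rootkit can hide processes, files and connections from every API this script calls, which is why step 9 (Safe Mode, and ideally an offline scan from known-good media) still matters.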


  1. How to check all the executables involved, ports and active network connections made from an infected machine to another machine?

Run netstat with -b (show the executable that owns each connection; needs an elevated prompt) and -v (on XP/2003, also list the components loaded in that executable's call chain). Adding -n skips name resolution and -o prints the PID, which is what you need to match a connection to a process in Task Manager or Process Explorer. Sample output (foreign addresses were not captured in the original):

C:\>netstat -b -v

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    Test:3886                                     ESTABLISHED     4
  -- unknown component(s) --

  TCP    Test:4278                                     ESTABLISHED     3332
  C:\Program Files\Common Files\SYSTEM\MSMAPI\1033\EMSMDB32.DLL
  C:\Program Files\Common Files\System\MSMAPI\1033\msmapi32.dll

PID 4 is the System process, and "unknown component(s)" means netstat could not attribute the connection to a user-mode module, which is normal for kernel-owned sockets such as SMB. The second connection belongs to PID 3332 and the listed modules are Exchange MAPI DLLs, so it is most likely a mail client talking to its Exchange server. Whatever netstat reports, cross-check it with TCPView or Process Explorer, since netstat -b trusts the process's own module list and a rootkit can hide connections from it.


Windows components:

  1. Default Explorer shell
    1. All Windows versions have a default shell consisting of one main program, Explorer.exe, launched by the Winlogon process each time an interactive session is opened.
    2. The Windows shell program, Explorer.exe, is stored in the Windows folder (%WinDir%).
    3. In the Windows NT family (NT4/2K/XP/2003), the shell value is stored in the registry.
      1. The Winlogon process begins by retrieving the Shell data value from the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      2. If it does not exist, it looks for it in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    4. Because of this lookup order, a Shell value that points anywhere other than explorer.exe, or any Shell value at all under HKEY_CURRENT_USER (it is rarely set legitimately), is a classic persistence trick and belongs on the same checklist as the Run keys. The Userinit value in the same key is abused the same way.
  2. Command-Line Switches for Windows Explorer
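The lookup described above can be checked directly. The snippet below is an added example, not code from the original page; it reads Shell and Userinit in the order the text gives (HKCU first, then HKLM) and compares what it finds against the expected defaults. The defaults, including the trailing comma on Userinit, are those of a standard installation and are an assumption of the example; some management agents legitimately append to Userinit, so a mismatch is a lead to verify rather than proof of infection.

```powershell
# Added example, not from the original page: verify the Winlogon Shell and Userinit
# values using the lookup order described in the text (HKCU first, then HKLM).
$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Expected values on a standard installation (assumed defaults for this example);
# the trailing comma on Userinit is part of the genuine value.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:windir\system32\userinit.exe,"
}

# Returns the first hive that defines the value, mirroring Winlogon's own search order.
function Get-WinlogonValue([string]$Name) {
    foreach ($hive in 'HKCU', 'HKLM') {
        $v = Get-ItemProperty -Path "${hive}:\$winlogon" -Name $Name -ErrorAction SilentlyContinue
        if ($v -and $v.$Name) {
            return [pscustomobject]@{ Hive = $hive; Value = [string]$v.$Name }
        }
    }
}

foreach ($name in $expected.Keys) {
    $found = Get-WinlogonValue $name
    if (-not $found) { "$name : not set in either hive (unusual)"; continue }
    $matches = $found.Value.Trim() -ieq $expected[$name]
    # Anything in HKCU is a per-user override and is flagged even if it names explorer.exe.
    $flag = if ($found.Hive -eq 'HKCU' -or -not $matches) { 'SUSPECT' } else { 'ok' }
    '{0,-9} {1,-5} {2,-8} {3}' -f $name, $found.Hive, $flag, $found.Value
}
```

A clean machine prints two "ok" lines, both from HKLM. If Shell reads as explorer.exe followed by a second program, or Userinit carries an extra path, that second program runs at every logon before or instead of the desktop; copy and hash it before removing the entry, as with any other autorun.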

Windows Procedures:

  1. How to add an expanding Control Panel folder to the Start Menu?
Expand a special folder on the Start Menu. The Start Menu can expand any special folder whose class ID (CLSID) you know; once you have found the ID the hard work is done. Right-click the Start button and choose Open, then create a new folder named with the folder name followed by a dot and the folder ID. For Control Panel, create a new folder called 'Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}'. The new folder should change into the Control Panel logo. Close the Explorer window and click the Start button, and there should now be a new expanding folder for the Control Panel.

