In this Case Study I'm going to track down a virus (worm) named W32.HLLW.Gaobot.gen.

NOTE:
By no means I pretend to be an expert at countering virusses and other malicious programs.
DirMonitor is a tool to help you find such threads, but will not guarantee your computer to be free of virusses!

Actually, it's "thanks to" this virus that I started writing DirMonitor. I couldn't locate the virus right away, so I implemented a very rudimentary version of DirMonitor. That's the day this program saw the light :-)

To limit your log, it's a good idea to disable the Modify Watch Kind. Therefore, right-click a Watch and uncheck Set Watch Kind|Modify.

Also, applying Filters can be a good idea. In a later session, I'll explain how to do that.

Now both C:\Windows as C:\Windows\System32 will be watched closely for changes.

It appears that there are two new files in C:\Windows\System32. As these two files have the same size, and have quite odd names, they definitively are candidates for being virusses.

It's never a good idea to immediately delete a file. Just rename it, and see what happens after a restart.

Of course a good virus scanning program will find most of the new virusses. However, sometimes a virus will get through because you didn't update the virus definitions, or the program is antiquated.

• How to monitor individual files will be shown in next session.