sniff the packets to see who is communicating with her box or who her box is trying to call. Then off to the whois databases to see who claims ownership of the the IP being used. Then emails followed by phonecalls to the ISP abuse department. Also see if anyone in the local gendarmes are interested in this stuff.

Then tootle around the process stack in taskmanager, googling each iffy one to see if it is malware.

at the command prompt telnet localhost 25 to see if you are a part of a botnet running an smtp server.

netstat -an tells you what ports have a listener then google tcp listener port portnumber this will reference any known badguys.

tcpdump can be downloaded from the net. Telnet and netstat are built in cmd commands.

Dunno if there is a copy of saint on the net for windows, maybe download that to the mac and aim it at the dosbox to see what gapers are there.
thanx,
bill