Please note the message text in blue at the top of this forum. No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. Please read the pinned topic ComboFix usage, Questions, Help? - Look here
is a stand-alone tool that will help investigate for the presence of rootkits. It will not actually tell you if you are infected or not unless you know what you're looking for. If you're unsure how to use a particular anti-rootkit (ARK) tool, then you should not be using it. Some ARKs are intended for advanced users or to be used under the guidance of an expert who can interpret the log results. Further, such tools are powerful and using them incorrectly could lead to disastrous problems with your operating system.
There are many free ARK tools but some require a certain level of expertise and investigative ability to use. These are a few of the easier ARKs for novice users:

Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.
With Malwarebytes Anti-Malware, once the scan is completed, infected files marked for "Remove Selected" are copied, renamed, handled with additional secure measures, then sent to Quarantine. The original file is either immediately removed or removed on reboot. While in Quarantine, the copy of the renamed original file is no longer a threat and therefore cannot do any harm. If at a later date you find MBAM removed a legitimate file (known as a false positive), it can be restored from Quarantine by clicking the Restore button. When the quarantined file is known to be malicious, you can delete it at any time. Choosing delete removes the backup copy and it can no longer be restored.
I recommend taking advantage of the Malwarebytes Anti-Malware Protection Module, which uses advanced heuristic scanning technology to monitor your system and provide real-time protection to prevent the installation of most new malware. This technology monitors every process and stops malicious processes before they can infect your computer. Enabling the Protection Module feature requires registration and purchase of a license key that includes free lifetime upgrades and support. After activation, Malwarebytes can be set to update itself and schedule scans automatically on a daily basis. The Protection Module is not intrusive as it utilizes few system resources and should not conflict with other scanners or anti-virus programs.
You can use netstat, a command-line tool that displays incoming and outgoing network connections, from a command prompt to obtain Local/Foreign Addresses, PID and listening state.
- netstat /? lists all available parameters that can be used.
- netstat -a lists all active TCP connections and the TCP and UDP ports on which the computer is listening.
- netstat -b lists all active TCP connections, Foreign Address, State and process ID (PID) for each connection.
- netstat -n lists active TCP connections. Addresses and port numbers are expressed numerically; no attempt is made to determine names.
- netstat -o lists active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p (example: netstat -ano).
Edited by quietman7, 31 January 2010 - 08:35 AM.
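As an added example (not part of quietman7's post above), the following PowerShell script automates the netstat -ano step described there and the manual "find the PID in Task Manager" lookup: it parses each TCP/UDP row, resolves the PID to a process name with Get-Process, and then lists listening ports and established outbound connections. It assumes Windows PowerShell 5.1 or later with netstat.exe on the PATH; the function name Get-NetstatConnections is my own.

```powershell
# Added example: parse `netstat -ano` and map each PID to its process name.
# Assumes Windows PowerShell 5.1+ and netstat.exe on PATH. Function name is hypothetical.

function Get-NetstatConnections {
    # -a all connections/listeners, -n numeric addresses, -o owning PID.
    # Keep only the TCP/UDP rows; header lines and any "[image.exe]" rows from -b are dropped.
    $rows = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }

    foreach ($row in $rows) {
        $parts = $row.Trim() -split '\s+'
        $proto   = $parts[0]
        $local   = $parts[1]
        $foreign = $parts[2]

        # TCP rows have a State column; UDP rows do not, so the PID shifts left by one.
        if ($proto -eq 'TCP') {
            $state    = $parts[3]
            $ownerPid = [int]$parts[4]
        } else {
            $state    = ''
            $ownerPid = [int]$parts[3]
        }

        # Resolve the PID the same way you would on the Task Manager Processes tab.
        # A process that exited between the netstat run and this lookup shows as <unknown>.
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<unknown>' }

        [PSCustomObject]@{
            Proto       = $proto
            LocalAddr   = $local
            ForeignAddr = $foreign
            State       = $state
            PID         = $ownerPid
            Process     = $name
        }
    }
}

$conns = Get-NetstatConnections

# 1. What is listening, and which process owns each port.
$conns | Where-Object { $_.State -eq 'LISTENING' } |
    Sort-Object PID, LocalAddr | Format-Table -AutoSize

# 2. Established connections to non-loopback addresses: the ones worth checking
#    against the process name if you suspect an infection.
$conns | Where-Object {
    $_.State -eq 'ESTABLISHED' -and $_.ForeignAddr -notmatch '^(127\.|\[::1\])'
} | Sort-Object Process | Format-Table -AutoSize
```

Run it from an elevated prompt if you also want netstat -b style image names for services running as SYSTEM; the PID-to-name lookup itself works unelevated for most processes. Any row whose process name you do not recognise, or whose ForeignAddr you cannot account for, is a candidate for further investigation rather than proof of infection.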