MALWARE SCENE INVESTIGATOR - HELP

-----------------------------------------------

USEFUL INFO ABOUT THE ALERTS

Hosts file modification

If a suspicious hosts file (%WINDIR%\system32\drivers\etc\hosts) is detected, open it with a text editor (run as administrator) and review its entries.
The stock file contains only comment lines and, on Windows XP, a single "127.0.0.1 localhost" entry. Malware adds entries that map
security vendor, update or banking sites to 127.0.0.1 or 0.0.0.0 (blocking them) or to an address the attacker controls (redirecting them).
Ignore this alert if you modified the file on purpose, for example to block ad servers or to name internal hosts.
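The review described above can be scripted. The following is an added example, not part of Malware Scene Investigator: it parses a hosts file, skips the stock loopback entries and reports every other mapping as "blocked" or "redirected", marking security sites separately. The SECURITY_DOMAINS list and SAMPLE_HOSTS are constructed for the example; the same check is useful when the "Network access to security websites" alert fires.

```python
"""Triage a Windows hosts file: report entries that block or redirect sites.

Added example, not part of Malware Scene Investigator. SAMPLE_HOSTS is
constructed for the demo; triage_hosts() accepts any hosts file text.
"""
import ipaddress

# Mapping a name to one of these addresses makes the name unreachable.
BLOCKING_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that Windows itself maps to loopback; never worth reporting.
DEFAULT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Domains whose presence in a hosts file is a strong infection indicator
# (assumed list for this example; extend it with your own vendors).
SECURITY_DOMAINS = ("avg.com", "f-secure.com", "virustotal.com",
                    "microsoft.com", "windowsupdate.com")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in the hosts text."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # junk line, not an entry
        for name in parts[1:]:                    # one IP may map many names
            yield no, str(ip), name.lower()


def _is_security_site(name):
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def triage_hosts(text):
    """Return (line_no, verdict, ip, hostname) for every non-stock entry."""
    findings = []
    for no, ip, name in parse_hosts(text):
        if ip in BLOCKING_TARGETS and name in DEFAULT_LOCAL_NAMES:
            continue                              # stock entry
        if ip in BLOCKING_TARGETS:
            verdict = "blocked-security-site" if _is_security_site(name) else "blocked"
        else:
            verdict = "redirected-security-site" if _is_security_site(name) else "redirected"
        findings.append((no, verdict, ip, name))
    return findings


# Constructed sample: two stock lines, two blocked vendor sites, one
# redirected banking site and one legitimate local override.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# added by installer
127.0.0.1   www.avg.com            # constructed entry
0.0.0.0     update.f-secure.com
198.51.100.23   www.bank.example
192.168.1.50    intranet.corp.example   # legitimate local override
"""

if __name__ == "__main__":
    for no, verdict, ip, name in triage_hosts(SAMPLE_HOSTS):
        print(f"line {no:3d}: {verdict:26s} {ip:16s} {name}")
```

Plain "redirected" entries still need a human decision, as the intranet line shows; the security-site verdicts are the ones that almost always indicate tampering.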


Suspicious file detection

If a file is flagged as suspicious because of an unknown hash, an unknown version or an unusual location, submit it to VirusTotal, Jotti or another
multi-engine scanning service. With VirusTotal you can search for the file's SHA-256 hash first, which tells you whether the file is already known
without uploading it. In some cases an automated sandbox such as ThreatExpert can additionally show what the file does when it runs.
If a hidden autorun.inf file is detected on a drive, open it with a text editor (do not browse the drive through AutoPlay) and check which executable
its open=, shellexecute= or shell\<verb>\command= entries launch; treat that executable as the suspicious file.
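The two steps above, extracting what an autorun.inf would launch and hashing a file for an online lookup, as an added example that is not Malware Scene Investigator's code. The SAMPLE_AUTORUN text is constructed; the parser tolerates odd casing and junk lines instead of relying on configparser, because infected autorun.inf files are often padded with them.

```python
"""Extract the executables an autorun.inf would launch, and hash a file for
lookup on a scanning service. Added example; SAMPLE_AUTORUN is constructed."""
import hashlib
import re

# Keys under [autorun] whose value is executed. shell\<verb>\command keys
# are matched by regex because the verb is arbitrary.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return {key: command} for every launching key in the [autorun] section."""
    launches = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue                                    # blank or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue                                    # junk or other section
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.lower()
        if key in EXEC_KEYS or SHELL_COMMAND_RE.match(key):
            launches[key] = value
    return launches


def executable_of(command):
    """First token of a command line, quotes removed, arguments dropped."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launched_executables(text):
    """Sorted, de-duplicated list of paths the autorun.inf would run."""
    return sorted({executable_of(v) for v in parse_autorun(text).values()
                   if executable_of(v)})


def sha256_of(data):
    """SHA-256 hex digest of file bytes; search this before uploading the file."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: a benign-looking icon line plus two launch entries.
SAMPLE_AUTORUN = r"""[autorun]
; constructed sample for this example
icon=setup.exe,0
open=setup.exe
shell\explore\command="recycler\svchost.exe" /q
label=Backup
"""

if __name__ == "__main__":
    for key, cmd in parse_autorun(SAMPLE_AUTORUN).items():
        print(f"{key:24s} -> {executable_of(cmd)}")
    # Hash whatever the drive's autorun.inf points at before uploading it:
    print(sha256_of(SAMPLE_AUTORUN.encode()))
```

The paths in an autorun.inf are relative to the root of the drive, so prepend the drive letter when locating the file; a hidden "recycler" or "$RECYCLE.BIN" directory on a removable drive is a classic hiding place.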


Enabled proxy server

Proxy settings tell Internet Explorer, and every other program that uses the system (WinINet) proxy settings, the network address of an intermediary
server (a proxy server) that sits between the browser and the Internet on some networks. Malware sets a proxy, or a proxy auto-config (PAC) script,
to intercept or redirect web traffic. If a proxy server with an unknown address is set and your network does not use one, disable it through:
Control Panel > Internet Options > Connections tab > LAN Settings, uncheck the "Use a proxy server" box and also check that "Use automatic
configuration script" is not set. The values live under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
(ProxyEnable, ProxyServer and AutoConfigURL).


Network access to security websites

Some viruses and rootkits block access to security vendor websites in order to make removal more difficult. If Malware Scene Investigator
could not reach avg.com or f-secure.com, there may be a problem: check the hosts file, the proxy settings and the DNS servers configured on the
network adapter. A failed check can also simply mean that the machine is offline or sits behind a proxy that the tool does not use.


List of active TCP connections

A list of all active TCP connections is shown in the detailed log in the format "local IP address:port <==> remote IP address:port -> hostname".
Malware Scene Investigator alerts you if there is an active connection to a blacklisted IP address contained in the "MDL_iplist.txt" list from
MDL (Malware Domain List). It also tries to resolve the host name of each remote IP address by reverse DNS; the name may be empty, and an
attacker chooses the reverse names for the addresses they control, so do not rely on it alone. A remote address that is not on the list is not
necessarily safe either: look at the remote port and at the running processes in the detailed log as well. If an IP or hostname looks
suspicious, submit it to IPVoid to check whether it is blacklisted.
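The blacklist check run over the log lines, as an added example rather than the tool's own implementation. It assumes MDL_iplist.txt holds one IP address or CIDR block per line with "#" comments (an assumption about that file's format); SAMPLE_LOG and SAMPLE_BLOCKLIST are constructed. Beyond the page's own check it also flags a connection to a non-web port whose remote address did not resolve, which is a common pattern for IRC- and custom-protocol command channels.

```python
"""Check "local:port <==> remote:port -> hostname" lines against an IP list.

Added example, not Malware Scene Investigator's code. The blocklist format
(one IP or CIDR per line, '#' comments) is an assumption; sample data is
constructed from documentation address ranges.
"""
import ipaddress
import re

LINE_RE = re.compile(
    r"^(?P<lip>[\d.]+):(?P<lport>\d+)\s*<==>\s*"
    r"(?P<rip>[\d.]+):(?P<rport>\d+)\s*->\s*(?P<host>.*)$")

# Explicit RFC 1918 / loopback / link-local ranges. Python's is_private
# also covers the documentation ranges used below, so it is not used here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def load_blocklist(text):
    """Parse a blocklist into ip_network objects, ignoring junk lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue                       # downloaded lists often contain noise
    return nets


def parse_connections(text):
    """Return dicts with local, remote (ip, port) tuples and resolved host."""
    conns = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            conns.append({"local": (m["lip"], int(m["lport"])),
                          "remote": (m["rip"], int(m["rport"])),
                          "host": m["host"].strip()})
    return conns


def check_connections(log_text, blocklist_text):
    """Return (remote_ip, port, host, reason) for connections worth a look."""
    nets = load_blocklist(blocklist_text)
    findings = []
    for c in parse_connections(log_text):
        rip_s, rport = c["remote"]
        rip = ipaddress.ip_address(rip_s)
        if any(rip in n for n in LOCAL_NETS):
            continue                       # LAN traffic is out of scope here
        if any(rip in n for n in nets):
            reason = "blocklisted"
        elif rport not in (80, 443) and not c["host"]:
            reason = "unresolved host on non-web port"
        else:
            continue
        findings.append((rip_s, rport, c["host"], reason))
    return findings


# Constructed sample log in the tool's format and a matching blocklist.
SAMPLE_LOG = """192.168.1.10:49152 <==> 192.168.1.1:445 -> router.lan
192.168.1.10:49201 <==> 203.0.113.77:443 -> www.example.net
192.168.1.10:49210 <==> 198.51.100.9:6667 ->
192.168.1.10:49233 <==> 203.0.113.200:80 -> cdn.example.org
192.168.1.10:49300 <==> 192.0.2.55:8080 ->
"""
SAMPLE_BLOCKLIST = """# constructed list in MDL_iplist.txt style
203.0.113.200
198.51.100.0/25
not an address
"""

if __name__ == "__main__":
    for ip, port, host, reason in check_connections(SAMPLE_LOG, SAMPLE_BLOCKLIST):
        print(f"{ip}:{port:<5d} {host or '<unresolved>':20s} {reason}")
```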


Suspicious disk partition

Some rootkits (such as TDL4) create a small hidden partition and alter the boot sequence so that their code loads before the operating system
and remains invisible to it. Malware Scene Investigator warns you if a very small partition is found and presents its properties. Small partitions
are not always malicious: OEM recovery or diagnostics partitions and the 100 MB "System Reserved" partition created by the Windows 7 installer are
normal, so check the partition's size, type and whether it is marked active before acting. If it does look like a rootkit partition, use a
specialized anti-rootkit program, such as Kaspersky's TDSSKiller, to detect and remove the rootkit and its partition.


Service state

Malware Scene Investigator alerts you if an essential Windows service is not running. Malware commonly stops or disables services such as the
Security Center service (wscsvc) so that the user is not warned about missing antivirus or firewall protection. To examine the state of a service
manually go to: Control Panel > Administrative Tools > Services (or run services.msc) > right-click the service > Properties > check the
service status and the Startup type, and set the Startup type back to Automatic before starting it. If the service is missing from the list
altogether, its registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services may have been deleted.
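The same state check can be made from the output of "sc query state= all" so it can be repeated or run on several machines. This is an added example, not the tool's code: the parser works on the text format sc.exe prints, SAMPLE_SC_OUTPUT is constructed, and the ESSENTIAL_SERVICES list beyond wscsvc is an assumption about which services to treat as essential.

```python
"""Parse 'sc query state= all' output and report essential services that are
not running. Added example, not Malware Scene Investigator's code."""
import re
import subprocess
import sys

# Service name -> display name. Only wscsvc is named by the page; the
# others are this example's assumption about what counts as essential.
ESSENTIAL_SERVICES = {
    "wscsvc": "Security Center",
    "MpsSvc": "Windows Firewall",
    "WinDefend": "Windows Defender",
    "wuauserv": "Windows Update",
    "EventLog": "Windows Event Log",
}

SERVICE_RE = re.compile(r"^SERVICE_NAME:\s*(\S+)", re.IGNORECASE)
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)")


def service_states(sc_output):
    """Return {service name (lower-case): STATE word} from sc.exe output."""
    states, current = {}, None
    for line in sc_output.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = STATE_RE.match(line)
        if m and current:
            states[current] = m.group(1)
    return states


def check_essential(states, essential=ESSENTIAL_SERVICES):
    """Return (name, display name, state) for essential services not RUNNING.

    A service absent from 'state= all' output is reported as "missing": its
    registry entry may have been deleted, which is worse than STOPPED.
    """
    findings = []
    for name, display in essential.items():
        state = states.get(name.lower(), "missing")
        if state != "RUNNING":
            findings.append((name, display, state))
    return findings


def live_states():
    """Query the local machine (Windows only) and parse the result."""
    if sys.platform != "win32":
        raise RuntimeError("sc.exe is only available on Windows")
    out = subprocess.run(["sc", "query", "state=", "all"],
                         capture_output=True, text=True, check=True).stdout
    return service_states(out)


# Constructed excerpt in sc.exe's layout: Security Center stopped,
# Windows Defender absent, the rest running.
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: MpsSvc
DISPLAY_NAME: Windows Firewall
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)

SERVICE_NAME: wuauserv
        STATE              : 4  RUNNING

SERVICE_NAME: EventLog
        STATE              : 4  RUNNING
"""

if __name__ == "__main__":
    states = live_states() if sys.platform == "win32" else service_states(SAMPLE_SC_OUTPUT)
    for name, display, state in check_essential(states):
        print(f"{name:12s} {display:20s} {state}")
```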


Registry modification

A number of non-standard or suspicious registry values can be detected. These include restrictions set by malware (for example disabling
Task Manager or the Registry Editor) and modifications usually made to allow malware execution (for example extra programs in the Winlogon
Userinit value or a hijacked Winlogon Shell value). Make a backup of the registry first (File > Export in Regedit, or a System Restore point) if you
intend to edit and correct the detected values. Also note that a registry modification does not necessarily imply an active infection, as it can be
a remnant of a past incident that was cleaned without restoring the value.
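The proxy check from the "Enabled proxy server" section and the registry checks of this section can be expressed as one table of expected values. The following is an added example, not the tool's code. The key and value names are real Windows locations; the expected defaults, the ABSENT handling and SAMPLE_VALUES are this example's assumptions, and read_live() reads the actual registry only on Windows.

```python
"""Evaluate registry values behind the proxy and registry alerts.

Added example, not Malware Scene Investigator's code. RULES lists real
Windows registry locations; the expectations are this example's defaults
and SAMPLE_VALUES is constructed to trigger four of them.
"""
import sys

ABSENT = object()   # marker for "value does not exist"

IS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
POL = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def _single_userinit(value):
    # Default is "C:\Windows\system32\userinit.exe,"; every extra entry runs at logon.
    parts = [p.strip().lower() for p in value.split(",") if p.strip()]
    return len(parts) == 1 and parts[0].endswith("\\userinit.exe")


# (hive, key, value name, expectation, description). Expectation is a literal
# the value must equal, None if the value should not exist at all, or a
# predicate. For literal/predicate rules an absent value counts as default.
RULES = [
    ("HKCU", IS, "ProxyEnable", 0, "proxy enabled"),
    ("HKCU", IS, "ProxyServer", None, "proxy server address set"),
    ("HKCU", IS, "AutoConfigURL", None, "proxy auto-config (PAC) script set"),
    ("HKCU", POL, "DisableTaskMgr", 0, "Task Manager disabled"),
    ("HKCU", POL, "DisableRegistryTools", 0, "Registry Editor disabled"),
    ("HKLM", WINLOGON, "Shell", lambda v: v.strip().lower() == "explorer.exe",
     "non-default Winlogon shell"),
    ("HKLM", WINLOGON, "Userinit", _single_userinit, "extra program in Winlogon Userinit"),
]


def _norm(hive, key, name):
    return (hive.upper(), key.lower(), name.lower())


def evaluate(values):
    """Return (description, location, actual value) for every violated rule.

    values maps (hive, key, value name) -> value; keys are matched
    case-insensitively, as the registry itself does.
    """
    normalized = {_norm(*k): v for k, v in values.items()}
    findings = []
    for hive, key, name, expected, desc in RULES:
        actual = normalized.get(_norm(hive, key, name), ABSENT)
        if expected is None:
            ok = actual is ABSENT
        elif actual is ABSENT:
            ok = True
        elif callable(expected):
            ok = bool(expected(actual))
        else:
            ok = actual == expected
        if not ok:
            findings.append((desc, f"{hive}\\{key}\\{name}", actual))
    return findings


def read_live():
    """Read the rule locations from the local registry (Windows only)."""
    import winreg   # only importable on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    out = {}
    for hive, key, name, _, _ in RULES:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                out[(hive, key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass                            # key or value absent
    return out


# Constructed sample: proxy forced on, Task Manager disabled, a second
# program appended to Userinit, and a normal Shell value.
SAMPLE_VALUES = {
    ("HKCU", IS, "ProxyEnable"): 1,
    ("HKCU", IS, "ProxyServer"): "198.51.100.8:8080",
    ("HKCU", POL, "DisableTaskMgr"): 1,
    ("HKLM", WINLOGON, "Shell"): "explorer.exe",
    ("HKLM", WINLOGON, "Userinit"): r"C:\Windows\system32\userinit.exe,C:\Users\Public\svchost.exe,",
}

if __name__ == "__main__":
    values = read_live() if sys.platform == "win32" else SAMPLE_VALUES
    for desc, where, actual in evaluate(values):
        print(f"{desc:36s} {where} = {actual!r}")
```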


Suspicious startup entry

Malware Scene Investigator queries the registry (the Run and RunOnce keys under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion are the usual places) to detect programs set to start automatically at system
startup, and flags them as suspicious based on their location. It shows you the path of the file, so you will be able to check whether the file
still exists and then upload it to an online scanning service. Note that the command may be a wrapper such as rundll32.exe or cmd.exe; in
that case the file to examine is the one named in its arguments.
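The location-based classification, as an added example that is not Malware Scene Investigator's own logic; it also serves the "invalid location" part of the "Suspicious file detection" alert. The location tiers, the WRAPPERS list and SAMPLE_ENTRIES are assumptions constructed for the example. It goes a little beyond the page by unwrapping rundll32/regsvr32/cmd/wscript command lines to find the real payload before classifying it.

```python
"""Classify an auto-start command by where its payload lives.

Added example, not Malware Scene Investigator's code. Location tiers,
WRAPPERS and SAMPLE_ENTRIES are assumptions made for the example.
"""
import os
import re

# Substrings (lower-case, backslash form) under which auto-starting code is
# almost never legitimate.
SUSPICIOUS_MARKERS = ("\\temp\\", "\\tmp\\", "%temp%\\", "\\$recycle.bin\\",
                      "\\recycler\\", "\\users\\public\\",
                      "\\system volume information\\")
# Locations where per-machine software is normally installed.
EXPECTED_MARKERS = ("\\program files\\", "\\program files (x86)\\",
                    "\\windows\\system32\\", "\\windows\\syswow64\\")
# Host programs whose real payload is their first non-switch argument.
WRAPPERS = {"rundll32.exe", "rundll32", "regsvr32.exe", "regsvr32", "cmd.exe", "cmd",
            "wscript.exe", "wscript", "cscript.exe", "cscript"}


def _expand(command):
    # Expand %VAR% even on non-Windows hosts; unknown variables are kept as-is.
    return re.sub(r"%(\w+)%", lambda m: os.environ.get(m.group(1), m.group(0)), command)


def tokenize(command):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def payload_path(command):
    """Path of the program, DLL or script the entry actually runs."""
    tokens = tokenize(_expand(command))
    if not tokens:
        return ""
    exe = tokens[0]
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base in WRAPPERS:
        args = [t for t in tokens[1:] if not t.startswith(("/", "-"))]
        if args:
            exe = args[0].split(",", 1)[0]     # rundll32 takes "file.dll,Entry"
    return exe


def classify(command):
    """Return (tier, payload path); tier is suspicious, expected, review or unknown."""
    p = payload_path(command).lower().replace("/", "\\")
    if not p:
        return ("unknown", "")
    if any(m in p for m in SUSPICIOUS_MARKERS) or re.match(r"^[a-z]:\\[^\\]+$", p):
        return ("suspicious", p)               # temp/recycle/public dirs or a drive root
    if any(m in p for m in EXPECTED_MARKERS):
        return ("expected", p)
    return ("review", p)                       # user profile, ProgramData, bare names, ...


# Constructed Run-key style entries: name -> command line.
SAMPLE_ENTRIES = {
    "Updater": r'"C:\Program Files\Vendor\Updater.exe" /background',
    "svchost": r'C:\Users\Alice\AppData\Local\Temp\svchost.exe',
    "Loader":  r'rundll32.exe "C:\Users\Public\data.dll",Start',
    "Sync":    r'C:\ProgramData\SyncTool\sync.exe',
    "Boot":    r'C:\update.exe',
}

if __name__ == "__main__":
    for name, cmd in SAMPLE_ENTRIES.items():
        tier, path = classify(cmd)
        print(f"{tier:10s} {name:10s} {path}   exists={os.path.exists(path)}")
```

The os.path.exists() call in the usage loop is the "check if the file still exists" step from the alert text; it only means anything when run on the affected machine.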


Security risk

(A) Outdated installed applications are a security risk, as they usually contain publicly known vulnerabilities that exploit kits target.
Malware Scene Investigator detects the installed versions of Java, the Flash Player plugin and Adobe Reader and warns if an outdated version is
found. An old version does not mean that your system is infected, but you should update to the latest version from the vendor's site as soon as
possible (and uninstall the old Java versions that the Java installer leaves behind).

(B) The TEMP folder (%TEMP% for the current user and %WINDIR%\Temp for the system), where temporary files are stored, is a common hiding place
for malicious files. An alert is shown if there is a very large number of temporary files, in which case it is recommended to empty the TEMP
folder. Also note that the detailed log lists the .exe files located in the TEMP folder; scan or submit those before deleting them, since they are
the evidence of what ran. To empty the TEMP folder in order to delete possible malware and free disk space, use the Windows Disk Cleanup tool
or a third-party tool such as CCleaner.


ADDITIONAL INFO IN THE DETAILED LOG

Running processes: List of running processes with format [PID] - [NAME] - [PATH]

Scheduled tasks: List of scheduled tasks + properties

Files in system folder created last 30 days: List of files with format [DATE CREATED] - [PATH]

User accounts: List of local user accounts with format [NAME] - [STATUS]


RISK RATING

Malware Scene Investigator produces a risk rating (Low, Medium or High) based on the number of detected items and their severity.
The higher the rating, the more attention the user should give to examining the results; a Low rating does not certify a clean system,
since the checks above only cover the indicators listed in this help file.