Carnegie Mellon University Website Home Page
 

Advanced Section

Other Diagnostic Tools

Windows includes many built-in diagnostic programs you can run to determine exactly what is happening on your computer. Unless otherwise noted, these programs are run at the command prompt. Follow these steps:

  1. Click Start > Run.
  2. Type CMD. A command shell window appears.
    Note: You can also find advanced diagnostic utilities on this page.
  3. Enter one of the following at the command prompt:
    • netstat - Shows all listening ports and all current connections to those ports. See the Common Port list and the Common "Trojan" Port list.
    • nbtstat - Lists all current and recent NetBIOS connections.
    • arp - Shows MAC addresses that the computer has been communicating with.
    • eventvwr.msc - Shows system, application and security logging information for the computer. (Be sure to type the .msc after typing eventvwr.)
    • fsmgmt.msc - Shows shared folders and files and connected users on the computer. (Be sure to type the .msc after typing fsmgmt.)
    • at - Shows scheduled jobs on the computer. Scheduling a job is a common ploy by attackers to run programs such as Trojans. A typical computer shouldn't have any scheduled jobs.
    • msconfig - For Windows XP computers, displays system settings. Of notable interest is the "Startup" tab. Contact us if you have questions about suspicious startup items.
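
As an added example (not part of the original page), this Python script shows one way to review netstat output: it parses the text produced by `netstat -ano` and reports listening ports that are not in a baseline you expect for the machine. The sample output, the baseline and the function names are constructed for illustration.

```python
# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8899           0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1046      203.0.113.7:80         ESTABLISHED     1500
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:6000           *:*                                    2044
"""

# Assumed baseline: the (protocol, port) pairs the owner expects on this host.
BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 445)}


def parse_netstat(text):
    """Yield (proto, port, state, pid) for each socket row of `netstat -ano`."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header and blank lines
        # rpartition takes the port after the last colon, so bracketed
        # IPv6 addresses such as [::]:135 are handled correctly.
        port = fields[1].rpartition(":")[2]
        if not port.isdigit() or not fields[-1].isdigit():
            continue  # output was not produced with the -n and -o switches
        # UDP rows have no State column, so they are one field shorter.
        state = fields[3] if len(fields) == 5 else ""
        yield fields[0], int(port), state, int(fields[-1])


def unexpected_listeners(text, baseline):
    """Return sorted (proto, port, pid) for listeners missing from baseline."""
    found = set()
    for proto, port, state, pid in parse_netstat(text):
        # A bound UDP socket has no state; treat it like a TCP LISTENING row.
        is_listener = proto == "UDP" or state == "LISTENING"
        if is_listener and (proto, port) not in baseline:
            found.add((proto, port, pid))
    return sorted(found)


if __name__ == "__main__":
    for proto, port, pid in unexpected_listeners(SAMPLE, BASELINE):
        print(f"{proto} port {port} is open (PID {pid}) but not in the baseline")
```

To use it on a real machine, save the output with `netstat -ano > netstat.txt` and pass the file's contents in place of the sample; the PID can then be matched to a process name in Task Manager.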

MSCONFIG

Windows XP users can also run MSCONFIG. Follow these steps:

  1. Click Start > Run.
  2. In the text box, type MSCONFIG.

Of notable interest is the Startup tab. Many Trojans place programs here that run when the computer starts up.

Note: Many legitimate programs are also listed here, so disable programs with caution. Email us if you have questions about suspicious startup items.

Hijackthis 

  1. Download Hijackthis and save it to your desktop.
  2. When you run the program, be sure to select the option to save a log file.
  3. From the log file, you'll need to determine which entries should be deleted. Novice users should work with a knowledgeable system engineer who can advise them on which entries to delete. Advanced users should note that false positives are likely on this report. Unless you are sure of what you're doing, consult with a knowledgeable system engineer. If you wish to proceed, refer to the Hijackthis tutorial for help with deleting entries.

Last Updated:  02/13/08