1. Welcome to PHCorner Forums. Take a moment to Sign up and gain unlimited access and extra privileges that guests are not entitled to, such as:

    All that and more! Registration is quick, simple and absolutely free. Join our community today!

Tutorial Detecting Rats & këÿlôggêrs Using CMD And Task Manager

Discussion in 'Windows Tools & Tips' started by hostreplica, Sep 19, 2015.

  1. In this tutorial, I'll be showing you the easiest way of finding out malicious applications installed on your PC that transfer data using the internet without you knowing it.

    As stated in the title, we'll be using TaskManager and CMD for the purposes of this tutorial.

    Part 1 :- Customizing Taskbar

    1. To get started, open up your TaskManager by right clicking your TaskBar and selecting TaskManager or just hit CTRL+ALT+DEL to get it open.

    2. Once that is done, click the "Processes" tab of your TaskManager and click View -> Select Columns -> Make sure that "Process Identifier(PID)" is ticked.

    Pic [​IMG]

    3. Now click the PID column to make sure that all the processes are sorted in a specific order. This step is not necessary, but it will make it easier for you to detect processes using their IDs.

    Pic :-[​IMG]
    Part 2 :- Using CMD

    Once you've done that right, we're going to move on to part 2 of our tutorial, which is using CMD to view established connections.

    Assuming you know how to open up CMD, I'm just going to rush through step 1.

    1. Start -> Run -> CMD
    Just type in cmd in the searchbar if you're running a system powered by Windows7.

    2. Once cmd is open, I want you to type in "netstat -ano".
    Your result should be something like this:

    Pic :-[​IMG]
    3. Now what we're interested in are only the connections with the state "ESTABLISHED".
    Isolate them out and look for the PID right next to them. There will be many connections with "ESTABLISHED" state, you'll have to repeat the following steps for all of them.


    This is the fun part. Now go back to the Task Manager and look for the name of the process(es) that has the same PID(s) as the one you found with the ESTABLISHED connection(s)


    In the above case, it's a safe and trusted application known as Dropbox, so I'm good. But incase you find a process which you do not know, if it's something like svchost.exe that you're sure is infected, right click the process and select "Open File Location".

    Now all you have to do is right click the file and scan it using your AV or upload it to an online scanner such as Please or Register to view links and check if it's infected.


    It's as easy as that.
    Hope you find this useful.
    mobilerom, hk_ace, clayntouch and 2 others like this.
  2. ravage

    ravage Administrator Staff Member Administrator

    Another handy option: use tcpview by sysinternals.
    mobilerom likes this.
  3. Pag aral ko rin yan boss ravage.(y)
    Thanks sa info.
    ravage likes this.
  4. hk_ace

    hk_ace Addict Established

    Salamat dito sa info sir. Makakatulong to sa akin..:happy:
  5. thanks for sharing bossing(y)
  6. great tips sir.. na try ko ito pero wla nman safe ako hahaha
  7. Thanks for sharing :)
Tags / Keywords:

Share This Page