Well, there are lots of tools designed to find trojans and malware, but what do you do if those tools fail? You may find yourself having to identify the processes manually. This tutorial will show you how. It is also a good idea to do this on a clean system in order to create a process baseline against which you can compare future data.

I did this mainly as a reference for all the noobies, as well as to remind myself that even "experts" have a tendency to forget! (Memory, cheyenne1212, and MsMittens, you all know what I'm referring to!)

Part I - The tools

The method in this tutorial relies on the netstat command, notepad, and the Windows Task Manager, which are all part of the Windows OS. In addition, in order to successfully accomplish this task, we will need access to the following:

1.) An active internet connection

2.) A user account with administrative privileges (preferred, but not strictly needed, as long as the user has access to the command line).

3.) Access to a spreadsheet program. A text editor such as notepad can be used, but the output is much cleaner in a spreadsheet. I will be using Microsoft Excel in my examples.

Part II - Gathering the information

OK. The first thing that we want to do is get information on all the active TCP/IP connections. To do this, we'll bring up a command line and type "netstat -ano".

The "-a" switch displays all connections and listening ports.

The "-n" switch displays addresses and ports in numerical form, as opposed to the DNS name and TCP/IP service name. I use this option because the output is cleaner.

The "-o" switch lists the process identification number (PID) of the process that owns each connection. Without this switch, we're wasting our time, so don't forget it.

The resulting output will look something similar to this:

Active Connections

Proto  Local Address          Foreign Address        State            PID
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING        784
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING        4
TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING        832
TCP    0.0.0.0:1032           0.0.0.0:0              LISTENING        4
TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING        3176
TCP    0.0.0.0:1850           0.0.0.0:0              LISTENING        3268
TCP    0.0.0.0:1851           0.0.0.0:0              LISTENING        1588
TCP    0.0.0.0:1991           0.0.0.0:0              LISTENING        3148
TCP    0.0.0.0:4569           0.0.0.0:0              LISTENING        4
TCP    0.0.0.0:4633           0.0.0.0:0              LISTENING        4
TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING        1000
TCP    0.0.0.0:12174          0.0.0.0:0              LISTENING        1924
TCP    0.0.0.0:38292          0.0.0.0:0              LISTENING        1836
TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING        1924
TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING        1588
TCP    127.0.0.1:1031         127.0.0.1:1850         ESTABLISHED      1588
TCP    127.0.0.1:1080         127.0.0.1:1031         CLOSE_WAIT       3176
TCP    127.0.0.1:1850         127.0.0.1:1031         ESTABLISHED      3268

I trimmed it down and all, but you get the idea.

Now, if we right-click inside the command prompt window, we'll be presented with an option menu. We want to "Select All". Now, to copy the info, right-click on the title bar of the cmd window and you'll see a menu option that says "Edit". If you hover over this option, it will open another menu where we can select "Copy". That's what we want to do.

Now on to the next step.

Part III - Formatting the information for analysis

Now, we'll open notepad and paste the information. Save it. Now we have a text file with most of the critical information that we need. At this point, I import the text file into Microsoft Excel as a Tab delimited spreadsheet. That gives me a much cleaner layout to work with, as well as the use of a search function. However, this is optional.

In Excel, I add the following columns:

Process Name
Runs As
Description

You can do the same thing in notepad by tabbing over and inserting the values.

Now it's time to match the info from netstat's output to the processes that are running. To do this, we simply press <Ctrl>+<Alt>+<Delete> and select the "Task Manager". From here select the "Processes" tab. Now select "View" from the menu at the top of the Task Manager screen and then the "Select Columns" option. For our purposes, the only items here that we are concerned with are "Image Name" (Process Name), "PID" (Process Identifier) and "User Name".

Now we simply match each PID in our table to the PIDs in the Task Manager's Process List. If a process is hidden, we'll be able to identify it easily, as its PID and image name will not appear in the Process List. For each PID in the table (spreadsheet), record the corresponding Image Name and User Name.

The reason that we want the User Name is so that we know under what context the process is running. This is important if a rogue process is identified, as it shows you the account, which can then be checked for compromise by reviewing the system logs.
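The matching step above (netstat PID against the Task Manager's image name and user name, flagging PIDs that have no process entry, then comparing against a clean baseline) done in a script instead of a spreadsheet. This is an added example, not part of the original tutorial; it assumes you have saved "netstat -ano" and "tasklist /v /fo csv" output to text, and the two samples below are constructed (the netstat rows are trimmed from the listing above, the process names and users are made up).

```python
import csv
import io
from collections import namedtuple
# Constructed sample of "netstat -ano" output, trimmed like the tutorial's.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       784
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING       3176
  TCP    127.0.0.1:1031         127.0.0.1:1850         ESTABLISHED     1588
  UDP    0.0.0.0:500            *:*                                    832
"""
# Constructed sample of "tasklist /v /fo csv" output (Image Name, PID, User Name).
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Console","0","236 K","Running","NT AUTHORITY\\SYSTEM","0:00:10","N/A"
"svchost.exe","784","Console","0","4,512 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"lsass.exe","832","Console","0","1,200 K","Running","NT AUTHORITY\\SYSTEM","0:00:00","N/A"
"""
HIDDEN = "<HIDDEN: PID not in task list>"
Conn = namedtuple("Conn", "proto local foreign state pid")

def parse_netstat(text):
    # Keep only TCP/UDP rows; UDP rows have no State column, so the PID is last.
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) == 5 else ""
        conns.append(Conn(parts[0], parts[1], parts[2], state, int(parts[-1])))
    return conns

def parse_tasklist(text):
    # Map PID -> (image name, user name), the two Task Manager columns we need.
    reader = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): (r["Image Name"], r["User Name"]) for r in reader}

def match(conns, procs):
    # Join on PID; a PID with no process entry is the "hidden process" case.
    rows = []
    for c in conns:
        name, user = procs.get(c.pid, (HIDDEN, "?"))
        rows.append((c.pid, name, user, c.proto, c.local, c.foreign, c.state))
    return rows

def new_since_baseline(rows, baseline):
    # Report (image name, local port) pairs absent from a clean-system baseline.
    seen = {(name, local.rsplit(":", 1)[1]) for _, name, _, _, local, _, _ in rows}
    return sorted(seen - baseline)
```

Anything that comes back as HIDDEN, or that is not in your baseline set, is what you take to Part IV and research.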

Part IV - Research and Analyze

Now comes the dirty work...finding out what each process is. For this, we will need an internet connection and our best friend Google. Enter the process name you recorded for each process into the search engine, and you'll be able to identify what that process does. To save time in your process identification, you can use the Wintasks process library, which has a listing of most of the common system, application, and trojan process names and their descriptions.

Armed with this information, you'll not only be able to find the process, but you'll know what it does, the port it's using, and with any luck, the IP address of the person using it.

Hope you guys liked it.