in reply to your netstat question:

If the trojan or backdoor was listening on a port, under most circumstances it would show up in a netstat -a. However, if your system was rootkitted, either the API that netstat uses or the netstat binary itself could be hacked, giving a false readout. In order to see whats really open, do a portscan from another puter.