How To Remove The Backdoor Virus

Anonim

Trojans can cause both personal and financial damage to a computer user. Antivirus programs and firewalls stop the bulk of malicious software, but new Trojan variants appear every day. Sometimes a user ends up in a situation where the antivirus does not detect the malicious code, and then the malicious program has to be dealt with by hand.

How to remove the backdoor virus

Instructions

Step 1

One of the most unpleasant types of Trojans is the backdoor, which lets an attacker control the infected computer remotely. True to its name, a backdoor opens a loophole through which the attacker can perform any action on the remote machine, with the privileges of the account the backdoor runs under.

Step 2

A classic backdoor consists of two parts: the client, installed on the attacker's computer, and the server, installed on the infected computer. The server waits for a connection, "hanging" on some port. It is by this trait, the occupied port, that it can be tracked down, after which removing the Trojan is much easier. Note, however, that many current backdoors work the other way around: the infected machine periodically connects out to the attacker's server (a "reverse" connection), so no port is left open to the network. Such a backdoor shows up not as a listening port but as an outgoing connection to an unfamiliar address, so look at both kinds of entries in the steps below.

Step 3

Open the command line ("Start - All Programs - Accessories - Command Prompt"). Enter the command netstat -aon and press Enter (-a lists all connections and listening ports, -o adds the owning process ID, -n prints addresses and ports as numbers instead of resolving names). You will see a list of your computer's connections. Active connections are shown as ESTABLISHED in the State column; sockets waiting for an incoming connection are marked LISTENING. A backdoor waiting for a connection is in the LISTENING state; a backdoor that connects out appears as ESTABLISHED (or SYN_SENT while it is trying to reach a server that is down).

Step 4

In the Local Address column you will see the local addresses and ports used by the programs that opened network sockets. Seeing programs in the LISTENING state does not by itself mean that your computer is infected. For example, ports 135 (RPC endpoint mapper) and 445 (SMB file sharing) are used by Windows services.

Step 5

In the last column (PID) you will see process identifiers. They tell you which program owns the port you are interested in. Type tasklist in the same command line window. You will see a list of processes with their names and identifier numbers; look up the identifier from the list of network connections in this second list to find out which program it belongs to. To look up a single identifier directly, use tasklist /fi "PID eq 1234", substituting the number from the netstat output.

Step 6

There are times when the process name tells you nothing (svchost.exe, for example, hosts many unrelated services, and malware often borrows a system-like name). Then find the path of the executable: Everest (now sold as AIDA64) shows it in its process list, as do Task Manager ("Open file location") and the free Process Explorer from Sysinternals; on versions of Windows that still ship wmic, the command wmic process where processid=1234 get executablepath prints it too. If you are unfamiliar with the program that starts the process, first end the process and only then delete the executable file (Windows will not delete a file that is still running). On the next boot a warning window may appear saying that such and such a file cannot be started, naming its autorun entry in the registry. Use that information to delete the key with the registry editor ("Start - Run", the regedit command). Do not rely on that warning appearing: check the usual startup locations yourself (the Run and RunOnce keys under HKLM and HKCU \Software\Microsoft\Windows\CurrentVersion, scheduled tasks, and services), since persistence set up through a service or scheduled task does not produce that dialog.

Step 7

If the process under investigation really does belong to the backdoor, the Foreign Address column shows the IP address of the computer connected to you (or, for a reverse-connecting backdoor, the address it connected out to). This is most likely a proxy, VPN exit or another compromised machine rather than the attacker's own, so you are unlikely to identify the attacker from it. Still, write the address down: it is useful for blocking on the firewall and for checking whether other computers on the network are talking to it.
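The whole procedure of Steps 3 to 7 (list sockets, map each to its process and image path, flag the odd ones, then check autorun keys) can be done in one pass from PowerShell. The script below is an added example written for this article, not code from the original page or from any of the tools it mentions. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection), an elevated prompt so that every process's path is readable, and a workstation whose normal listeners are the ports in the $expectedListeners list, which is an assumption you should adjust for your own machine.

```powershell
# Added example, not from the original article. Correlates LISTENING and
# ESTABLISHED TCP sockets with the owning process, its image path and its
# Authenticode signature, then lists the Run/RunOnce autorun keys.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or newer.

# Assumption: ports a default Windows workstation normally listens on
# (135 RPC, 139/445 SMB, 5040 CDPSvc, 5357 WSDAPI). Adjust for your machine.
$expectedListeners = @(135, 139, 445, 5040, 5357)

# Loopback-only listeners are not reachable from the network, so they are
# not flagged by the port rule (they are still shown in the full report).
$loopback = @('127.0.0.1', '::1')

$conns = Get-NetTCPConnection |
    Where-Object { $_.State -in 'Listen', 'Established' } |
    Sort-Object State, LocalPort

# Cache per-PID lookups; many sockets belong to the same process.
$procCache = @{}
function Get-ProcInfo {
    param([int]$ProcId)
    if (-not $procCache.ContainsKey($ProcId)) {
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcId" -ErrorAction SilentlyContinue
        $path = $p.ExecutablePath
        # Catalog-signed Windows binaries can show as NotSigned on older builds,
        # so treat the signature as a prompt to look closer, not as proof.
        $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
        $procCache[$ProcId] = [pscustomobject]@{
            Name = $p.Name; Path = $path; Signature = $sig; CommandLine = $p.CommandLine
        }
    }
    $procCache[$ProcId]
}

$report = foreach ($c in $conns) {
    $pi = Get-ProcInfo -ProcId $c.OwningProcess
    $suspect = $false
    # Rule 1: a non-loopback listener on a port Windows itself does not use.
    if ($c.State -eq 'Listen' -and ($c.LocalAddress -notin $loopback) -and
        ($c.LocalPort -notin $expectedListeners)) { $suspect = $true }
    # Rule 2: the owning image is unsigned or its signature does not verify.
    if ($pi.Signature -ne 'Valid') { $suspect = $true }
    [pscustomobject]@{
        State   = $c.State
        Local   = "$($c.LocalAddress):$($c.LocalPort)"
        Remote  = "$($c.RemoteAddress):$($c.RemotePort)"   # Foreign Address in netstat
        PID     = $c.OwningProcess
        Process = $pi.Name
        Path    = $pi.Path
        Signed  = $pi.Signature
        Suspect = $suspect
    }
}

"=== All LISTENING / ESTABLISHED sockets ==="
$report | Format-Table -AutoSize
"=== Entries worth a closer look ==="
$report | Where-Object Suspect | Format-Table State, Local, Remote, PID, Process, Path, Signed -AutoSize

# Autorun locations the article tells you to clean after removing the file.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
"=== Run / RunOnce autorun entries ==="
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        "--- $k"
        Get-ItemProperty -Path $k | Select-Object -Property * -ExcludeProperty PS* | Format-List
    }
}

# Once you are sure a PID is the backdoor: stop it first, then delete the image,
# then remove its autorun value. Windows will not delete a running executable.
#   Stop-Process -Id <PID> -Force
#   Remove-Item -LiteralPath '<path from the report>' -Force
#   Remove-ItemProperty -Path '<Run key>' -Name '<value name>'
```

The "Suspect" column is a filter for attention, not a verdict: a legitimately installed program listening on an unusual port will be flagged, and a backdoor that hides inside a signed, whitelisted host process (a DLL loaded into svchost.exe, for instance) will not. Compare the flagged Remote addresses against what you expect the machine to talk to, and keep the report as a record of what you found before you start deleting.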
