Friday, 8 February 2013

Detecting RATs/Keyloggers installed on your PC using CMD and TaskManager.

[Image: a6KviOY.png]
In this tutorial, I'll be showing you the easiest way of finding out malicious applications installed on your PC that transfer data using the internet without you knowing it.

As stated in the title, we'll be using TaskManager and CMD for the purposes of this tutorial.

[Image: EU1A3x6.png]
1. To get started, open up your TaskManager by right clicking your TaskBar and selecting TaskManager or just hit CTRL+ALT+DEL to get it open.

2. Once that is done, click the "Processes" tab of your TaskManager and click View -> Select Columns -> Make sure that "Process Identifier(PID)" is ticked.

[Image: So5iBIG.png]

3. Now click the PID column to make sure that all the processes are sorted in a specific order. This step is not necessary, but it will make it easier for you to detect processes using their IDs.

[Image: Iz3VtpJ.png]

[Image: pmv2ItE.png]
Once you've done that right, we're going to move on to part 2 of our tutorial, which is using CMD to view established connections.

Assuming you know how to open up CMD, I'm just going to rush through step 1.
1. Start -> Run -> CMD
Just type in cmd in the searchbar if you're running a system powered by Windows7.

2. Once cmd is open, I want you to type in "netstat -ano".
Your result should be something like this:
[Image: 75xp0C4.png]

3. Now what we're interested in are only the connections with the state "ESTABLISHED".
Isolate them out and look for the PID right next to them. There will be many connections with "ESTABLISHED" state, you'll have to repeat the following steps for all of them.

[Image: 2U2fQNs.png]

This is the fun part. Now go back to the TaskManager and look for the name of the process(es) that has the same PID(s) as the one you found with the ESTABLISHED connection(s).

[Image: mSBPnZn.png]

In the above case, it's a safe and trusted application known as Dropbox, so I'm good. But incase you find a process which you do not know, if it's something like svchost.exe, right click the process and select "Open File Location".

Now all you have to do is right click the file and scan it using your AV or upload it to an online scanner such as and check if it's infected.

[Image: ycn4yyH.png]

It's as easy as that.
Hope you find this useful.


All the posts found in this blog are meant either for educational purposes or are the personal opinions of myself (Arcanecfg). I do not condone any illegal activities whatsoever. I cannot be held responsible for any actions the readers of this blog may perform with the knowledge attained from here (Wasted Wolf). These Terms and Conditions of Use apply to you when you view, access or otherwise use the blog located at

Theme designed by mono-lab / Edited by Arcanecfg. Protection Status
/ Wasted Wolf /