Thank you so much. All these guides talk about using netstat to identify trojans, but the steps always go: Step 1) Eliminate known ports and connections. Step 2) Run whois on unknown TCP connections. Step 3) Disregard everything you just did and run a virus scan. This is so useful, even years later.
@davidfont25967 years ago
Almost ten years later and this is still a useful, well thought out tutorial.
@Britec097 years ago
Thanks
@vanex0-07 months ago
u doing well now?
@momogunsabah6 months ago
2024, 14 years
@jcantonelli19 months ago
14 years later and this video is still relevant - thanks!
@sickwtw 1 year ago
14 years ago and still helpful
@tubeDude488 years ago
CTRL-DEL doesn't always work, but CTRL-SHIFT ESC will! Also, once PIDs are showing, click on PID to put them in number order. This will speed up looking for the PID.
@jerrylangebek56828 years ago
Amazing! The knowledge you bring forth with the clear and concise explanation of its use is extremely helpful. Thank you so much!
@jeffreytimothyvalerie75403 years ago
It was wonderful to notice that you had Kaspersky included, my preferred choice of anti-virus
@peterdasa126210 years ago
I've probably watched 10 different spyware removal videos today. They pretty well were all trying to say the same thing, but you were by far the easiest to understand.
@funnykat15665 years ago
Need an update to 2019
@azurestarton2 years ago
This helped me out a lot. My computer was hacked and my cursor was moving on its own. I got enraged so I decided to deal with this.
@amyamy5349 years ago
Nice one Brian. Mine was all clear but a relief to know. Very followable video even for me! Good job.
@Britec0914 years ago
@BearHit Did you put the fport folder in the c: root directory, and then run it from the command line?
@Subparanon12 years ago
Actually if you have spyware that has installed a backdoor in your computer it would be LISTENING. Those 127 addresses that are established are your local loopback connections. When two pieces of software on your pc need to communicate with each other say different services your pc runs, they will use local loopbacks to do so. If your Itunes needs to talk to the apple mobile device manager, it's going to do it with a 127.0.0.1 IP.
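Added example, not part of the original comment or the video: a small Python parser for `netstat -ano` output that separates the cases the comment above distinguishes, namely LISTENING sockets versus ESTABLISHED connections, and loopback (127.x) traffic versus connections to other hosts. The sample output, PIDs, ports and category names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `netstat -ano` output (not taken from the video or thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:5354         127.0.0.1:49170        ESTABLISHED     1832
  TCP    127.0.0.1:27015        0.0.0.0:0              LISTENING       1904
  TCP    192.168.1.20:49200     203.0.113.10:443       ESTABLISHED     2764
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1832
"""

def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], port

def parse_tcp(text):
    """Return one dict per TCP row; header and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            local_ip, local_port = split_endpoint(parts[1])
            remote_ip, _ = split_endpoint(parts[2])
            rows.append({"local_ip": local_ip, "port": int(local_port),
                         "remote_ip": remote_ip, "state": parts[3],
                         "pid": int(parts[4])})
    return rows

def classify(row):
    """Label a row by state and by whether it stays on the loopback interface."""
    local = ipaddress.ip_address(row["local_ip"])
    remote = ipaddress.ip_address(row["remote_ip"])
    if row["state"] == "LISTENING":
        return "listener-loopback-only" if local.is_loopback else "listener-reachable"
    if row["state"] == "ESTABLISHED":
        return "loopback-ipc" if remote.is_loopback else "remote-connection"
    return "other"

def review(text):
    """Return (pid, port, category) for rows worth checking against Task Manager."""
    keep = {"listener-reachable", "remote-connection"}
    return [(r["pid"], r["port"], c) for r in parse_tcp(text)
            if (c := classify(r)) in keep]

if __name__ == "__main__":
    for pid, port, category in review(SAMPLE):
        print(f"PID {pid:<5} local port {port:<6} {category}")
```

Each PID it returns is one to look up in Task Manager; a listener that is reachable from other machines is not malicious by itself, it is only the row that deserves the lookup.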
@sarahbrigida66788 years ago
on windows 10 u have to go to processes and right click cpu and then select PID
@hackerperson61647 years ago
Sarah Latschkowski you're right sweetie 😍😍
@kip5567 years ago
Netstat can also achieve this by being run as admin and using the switch -naob
@sebastian_bluemel6 years ago
Stupid creeps
@gregmendoza78335 years ago
Sarah Brigida thank you lmao it was that easy
@Britec0911 years ago
You're welcome John.
@pdenist14 years ago
This was an awesome video. For someone like myself who is so green it is not funny. I learn a lot!! Thanks from VA!!
@sevengenerations88794 years ago
A 2019 update is requested indeed! I was playing around with Process Monitor (part of the Sysinternals suite by Microsoft) because task manager is lacking ... it's more complex, but maybe easier in the end ....
@jari20183 years ago
windows taskmanager are for android and tab kids/users -and its totally useless in windows 10 -what a piece of junk
@Britec0915 years ago
It's part of iTunes and QuickTime, should be safe. Just disable the service if you don't want it.
@Stewie432115 years ago
Great video Brian, very well narrated and a very useful tutorial....thanks!
@CoramDeoHawaii8 years ago
Very cool Britec - still the best pc guru!
@instaminox4 years ago
The requested operation requires elevation 🚨🚨🚨🚨
@carlamuzquiz12337 years ago
great videos very helpful with lots of information and you have a great way of explaining things clear and simple
@teamofwinter81284 years ago
Thank you very much. I am from the future, 2020, but thank you. I wasn't able to use fport but I did the -ano and task manager. Also I was unable to use spyware guide; I just searched the process or program name, and Google got ur back.
@gunjin211214 years ago
this is one of the best video tutorials that i've found yet! thanks! :D
@IvoNordman2 years ago
Adding -b after netstat lists executables along with their requested addresses. Or use TCPView freeware to view the connections in real time
@Britec0911 years ago
ESTABLISHED means there is a connection. So if you go to your browser and open it on a page you should see ESTABLISHED.
@georgegates5269 years ago
This is cool stuff Britec!!
@franklingregg47439 years ago
Thanks for the spyware and virus tips,,will be following you...how are you on Linux OS..?
@Chng30FsCenEry8 years ago
Excellent video! Thank you for posting it.
@MrFourseven6 years ago
Oldie but a goodie cheers bad
@WmTyndale4 years ago
What is keeping the malware from replacing your NETSTAT with a hacked copy of netstat?
@YANA41232 years ago
Thank you for the help and clear descriptions. cheers
@Britec0915 years ago
Are you sure it's a rootkit? Have you scanned with gmer? Also, the moving mouse could be down to a settings problem with your mouse.
@tacosplease4906 1 year ago
If you are not connected to the internet should there be "ESTABLISHED " connections?
@Britec0915 years ago
You can try panda root kit cleaner. Sounds like a root kit you got, not easy to get rid of. Try deleting it in safe mode in command prompt or use a program called unlocker and kill the process.
@ne12bot945 years ago
Question on backdoor: is there a way to manipulate the backdoor program and use it to your advantage?
@Islandscout810 years ago
Great and logical video. Though, the Fport link is no longer available. Also, in Windows 8, you can find where the program is located by right clicking it in task manager, then selecting "Open file location"
@BigHud833 years ago
Great explanation
@satamique6 years ago
Thank you! Still relevant in 2018 :)
@concisejellyfish11 years ago
1. open command. 2. enter :: cd c:\ 3. enter :: shutdown -i {brings up the gui mgmt. for network remote shutdown} 4. add 5. add the computer name using ip [netstat] with the port used the rest is self-explanatory
@AnthonyCastano3 years ago
Very excellent video!!! Thank you. You pushed me in the right direction to find a virus in my cyber security class :)
@1pcmedic11 years ago
Sandysuicide, if the command requires elevation, right click on the cmd program and choose run as administrator. Or when you double click the command prompt icon, hold the shift key down; this automatically opens an elevated command prompt...
@jerryblack77198 months ago
I noticed when I get rid of the trackers a lot of the established connection go away. If I kill them, will those connections stop?
@Mike-wk6sn5 years ago
Thanks, I think I just nearly got scammed today by one of those Indian guys pretending to be my phone company calling about unknown users using my IP address. He had me opening the cmd window and stuff and showing me how there were several unknown IP addresses on the netstat list. Thankfully they hung up midway. I called my phone company about it and they said it's a scam. I called my bank and suspended & cancelled my credit card immediately. Thanks, I now know how to check if there's malware on my PC.
@BertholdHinrichs10 years ago
well organized explanation, thanks
@eyalo9910 years ago
If I don't find the PID number in the Task Manager, how can I locate the process?
@seanblake24897 years ago
Great Job, Thanks for uploading.
@dearvifa34905 years ago
I'm trying to activate NETSTAT -B but it is not working. The command said the requested operation requires elevation? Could you pls help me with it?
@1pcmedic11 years ago
Great job! Keep up the good work.
@pradeepmane19987 years ago
Thanks for the information and video.
@rickylove83111 years ago
Outstanding! Thanks a bunch.
@noseyparker696911 years ago
Are there instances where the PID number doesn't show up in the taskbar monitor? If so, what would you need to do? Cheers BRI, once again
@doogerville11 years ago
I had this too. just click where it says,"all" process. that will list it.
@noseyparker696911 years ago
thanks for that :)
@joeycarr139810 years ago
Under Processes in Task Manager there are always PIDs present, which you may kill with the TASKKILL command: c:\>taskkill pid number
@franciscoholguin8555 years ago
Since the requested operation requires evaluation???????
@salsabil449 years ago
Have I missed something? I´ve checked the Established PID numbers and they all correspond to a running process. Does that mean all is well? Or could a trojan or RAT not be disguised as a legit process? Is that not what they would normally do? So, in that case, how do we identify if all running processes are legitimate?
@Akuma_Raou 1 year ago
What if you have PID listed in your Netstat you can not find?
@Will-fr9hg4 years ago
Should I be worried about a status of syn_sent?
@fekkyb 1 year ago
Hello Brian. I have a friend living in the US who recently has experienced strange things happening to his MSN email account. He’s not receiving mail from random people/email addresses. What can he do? Any ideas?
@marcomeeuwsen98913 years ago
So what if the PID number isn't showed @ taskmanager?
@guitian548 years ago
after you kill the process is there anything else that should be done
@noname2020x15 years ago
Thanks, great video and you hit the nail on the head!
@sarahmiles682110 years ago
I followed your directions, but the PID number list to the right of of cmd, is missing. I have Windows 8
@sarahmiles682110 years ago
Nevermind.. got it
@imitatioDei4 years ago
Hey great video . I have a problem there is a PID with an established connection but it doesn't show up in task manager. I found all the others except for one . Can you help?
@ChathurangaLakmal13 years ago
Thank you so much. This was very helpful. I'm using Windows 7 Ultimate and this works perfectly. Cheers.........!
@Britec0915 years ago
just run malwarebytes and superantispyware to remove trojans and spyware
@Britec0914 years ago
@Karloki100 you're welcome
@camiloroa31823 years ago
Britec thanks in advance for your video, it was really informative and illustrative. However, I do know time has passed and I’m new on all this I was unable to configure or set up fport do you know how can I do it? Is it still available?
@chuckfinley40010 years ago
Hi and Thanks for posting this video.. its been really helpful... Question I'm unable to use the -b, the response is the command needs elevation.. what does that mean? thanks again
@ltg222710 years ago
run command prompt as admin
@onearmfrog15 years ago
Great video - Very useful! Thanks!
@jasonmcrgregor44764 years ago
hello quick question, i have established connections but its not on the task manager when i cross reference it. what do i do?
@DFish-pb5pt7 years ago
when I type netstat.exe it says that the requested operation requires elevation....
@vicky55734 years ago
put command prompt in start menu>right click on it>more>click on admin
@doogerville11 years ago
Very well done Sir, thanks.
@TheVijeeth11 years ago
hi when I type netstat -b, it says "the requested operation requires elevation". please help me
@teamofwinter81284 years ago
Same
@Macskinny764 years ago
i don't think it works for windows 10, mine did the same thing.
@vybezz63594 years ago
run cmd as admin
@ArmedBubble153 years ago
Right click command prompt and use run as administrator
@miguelgarciagines11 years ago
Excellent and useful video.....thank you..
@pradyb6469 years ago
You are a legend.
@Blub0r15 years ago
very nice video. helped me a lot!
@notokay24855 years ago
What if the PID present in the command is not in the task, what should I do?
@WalkerStevensFineArt4U5 years ago
Dear Adrian, do you know if this is still relevant today? I've been hacked, and the hacker wants $$$, or he says he's going to format my hard drive. I need to find the malicious rootkit he says he's implanted in my hard drive. He says he's using a VNC protocol, but I checked the permissions, and off-site permissions, and it doesn't show anyone has gotten past my security, or controlled my computer from off-site, yet someone has changed my passwords several times. Can you help me? Or, do you know someone who might be able to? Kind Regards, Walker Stevens
@Britec0914 years ago
@gunjin2112 you're welcome
@lefterispanos95432 years ago
Is there a way to permanently block an IP of a pid process that you found , that it might be a Trojan. Apart from using ps kill of course to kill the process.
@ns-yz1hj3 years ago
Of course if some skid didn't write the malware and it beacons back to its c&c, then this doesn't do you much good does it?
@joeyd3121510 years ago
Good stuff here!
@Archon5112 years ago
Go to start>accessories> (right click) Command Prompt and run as admin.
@shinzengumi13 years ago
Hello, great video however I have a question. What does it mean if I find a PID listed on netstat -ano but it is not listed on my task manager PIDs? Thanks!
@juukame15 years ago
very nice vid keep em comin
@matthewmander44908 years ago
thanks mate, very informative.
@juggernautz3 years ago
Looks great, except with WIN7 when I enter netstat -b I get a response "requested operation requires elevation". What does that mean and how do I get to the next screen? How do I open the next screen so I can review settings after typing netstat -b? I have no issues with netstat -ano; in fact the only PIDs in question were from Google Chrome, which is normal unless Chrome has a live hack, so I think those PIDs are okay. Problem is days earlier I got hacked and my firewall & antivirus was disabled along with spyware and the jackal changed my screen saver and screen background to black. Nothing missing, plus I write down all important (financial etc) passwords on a mini notebook. My email sub files were all opened and normally Thunderbird does not open sub files, just the main email file opens to read & download email. Browser password protection is lousy & they know they lie about it because of constant threats security is our problem.
@merakibreezyy55543 years ago
run cmd as administrator and it should work just fine :)
@ivanakoprivica57847 years ago
Hello, I have one question. What if in cmd shows that there is one established connection with PID but in the task manager there is not that PID. What then?
@tim38547 years ago
I would like to know this too
@doubled56596 years ago
same with me , have u figured out the problem so far ?
@camiloroa31823 years ago
Check it by the IP address online.
@jonpaulchavez14594 years ago
need an update for 2020 and it looks "show process for all users" was uncheck is it needed?
@Britec0915 years ago
The trouble with rootkits is they're hard to detect. If I was you, I would do an operating system rebuild; that way you'll be sure it's gone. Rootkits let the person come in and out of your computer when they like. But if you're sure it's gone and you have deleted it then you'll be fine. Rescan with a rootkit scanner to make sure, something like gmer.
@Britec0915 years ago
Hi Soilgirl. Use malwarebytes and superantispyware and vundofix, run them in safe mode and you should be all clean. Let me know how you get on. Brian
@Maitreya8888 years ago
Excellent, thank you
@XristosVaxevanosgritec9 years ago
britec create a video to show us which ports are dangerous for virus and malware and how close them.
@Britec0915 years ago
Thanks a lot
@MrBl824512 years ago
brilliant mate.
@ChathurangaLakmal13 years ago
@theCIAguy007 I had the same problem & I found the solution. What you have to do is just open command prompt as administrator. (Just go to start>All Programs>Accessories> and right click on Command Prompt and click on "Run as Administrator")
@i8ab11 years ago
I found some "established" connections when I pulled up that list. I had closed all other windows, so I am concerned. I checked each by name on "Spywareguide", and no results were found for most, only 1 called "system", didn't seem to be very dangerous. Does this mean I may be ok? Perhaps they are supposed to be there?
@s94200.8 years ago
After downloading fport from the mentioned site, I'm unable to run the command. Error message "fport is not recognized as an internal or external command, operable program or batch file". How do I resolve this issue?
@Britec0914 years ago
You're welcome
@jtd48478 years ago
What if you have a established port that does not show up in the task manager? Is there a way to kill this port and is it a hacked port?
@AngelofDeath14328 years ago
What does it mean when you type in comand prompt ''netstat -b'' the you get the message ''the requested operation requires elevation''?
@LeandroBarbksa8 years ago
It means you need to run the CMD as an administrator. If it's Windows 10, right-click the Command Prompt in the start menu and select "Run as administrator".
@carlegleason13835 years ago
@@LeandroBarbksa Right click on CMD give Y administrator
@carlegleason13835 years ago
gives you the Adm.
@MrOnfireforGod9 years ago
I have downloaded fport and pskill. How can i use them in command prompt?