We have already covered tips for removing a virus from a USB stick or any other drive using CMD, and now it is time to uncover malware that runs in the background.
When malware runs in the background, it has to connect to the outside world over the internet. It uses a protocol such as TCP or UDP to establish that connection and send our private information out. Another important point is that every process in Windows is assigned a PID (Process ID).
So, using simple cmd commands, we will extract all this information and then kill the unwanted process (the suspected malware) by its PID.
Please follow the steps mentioned below:
As you can see in the screenshot above, the netstat command shows all the required information and refreshes every 5 seconds.
Some of the active connections in the screenshot above belong to googledrivesync.exe, explorer.exe and chrome.exe, and I do not see any suspicious connection like autorun.exe or autorun.inf. Once you find a suspicious executable with an active connection, note its PID.
Sometimes the malware only operates intermittently. In that case, we cannot just sit and wait for it to show up.
So, we can redirect the output of the netstat -b -o 5 command to a text file with the command below and analyze that file instead.
In this case, the .txt file is named sus-mal.txt and its location is shown in the cmd window. Go to that location and look for any suspicious remote connection from your PC to the internet.
Do not forget to check this file as soon as possible, because the PID of a process may change over time.
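As an added example (not part of the original post), here is a small Python script that reads a saved netstat -b -o capture such as sus-mal.txt, attaches each connection row to the process name that netstat prints in brackets below it, and flags rows whose process is not on a list of programs you recognise; the sample capture and the allowlist names are constructed for the demo, and the allowlist is an assumption you would replace with what you actually see on your PC.

```python
import re
from typing import Dict, List, Optional
# Constructed sample of `netstat -b -o` output (made-up PIDs, addresses, names).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:49712      172.217.14.238:443     ESTABLISHED     4520
 [chrome.exe]
  TCP    192.168.1.5:49720      13.107.42.14:443       ESTABLISHED     2100
  CryptSvc
 [svchost.exe]
  TCP    192.168.1.5:49800      203.0.113.77:8080      ESTABLISHED     3312
 [autorun.exe]
  UDP    0.0.0.0:5353           *:*                                    1180
 [googledrivesync.exe]
  TCP    192.168.1.5:49900      198.51.100.9:443       SYN_SENT        3312
 Can not obtain ownership information
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
PROC_RE = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat(text: str) -> List[Dict[str, Optional[str]]]:
    """One record per connection row; the owning process comes from the
    bracketed line that netstat -b prints right after that row."""
    rows: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state, "pid": pid, "process": None})
            continue
        p = PROC_RE.match(line)
        if p and rows and rows[-1]["process"] is None:
            rows[-1]["process"] = p.group(1).lower()
        elif "Can not obtain ownership information" in line and rows:
            rows[-1]["process"] = "<unknown>"  # netstat could not name it
    return rows

def flag_suspects(rows, allowlist) -> List[Dict[str, Optional[str]]]:
    """Rows with a real remote endpoint whose process is not on the allowlist."""
    ok = {name.lower() for name in allowlist}
    return [r for r in rows if r["foreign"] != "*:*" and r["process"] not in ok]

def pids_to_review(rows) -> List[int]:
    """Distinct PIDs of the flagged rows, the input for `taskkill /PID <n>`."""
    return sorted({int(r["pid"]) for r in rows})
```

Rows whose owner netstat could not identify are kept and flagged as `<unknown>` rather than dropped, since those are exactly the ones worth a second look.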