Find out if your computer is a zombie PC

Last updated: September 23, 2023

One day, a reader of our site wrote to me: “Ahmed, I recently read your article on how to control a PC remotely with a USB stick. So, I was wondering if we can identify a zombie PC part of a hacker's botnet, since I'm using Windows. »

In order to answer this question, I have chosen to present to you an effective method for monitor your computer activity.

In reality, when a PC is infected, it harbors a program that scans the hard drive. Indeed, it can either steal your contacts in order to send them to databases for spam, or establish a link with other infected machines in order to create a botnet.

In any case, certain symptoms should not be ignored, such as:

Starting the fan at full speed while the computer is asleep.
An abnormally long computer shutdown time.
Friends who receive emails from you that you never sent.
A particularly slow Internet connection.
The untimely appearance of advertising pop-ups, including when your browser is closed.

How to spot a hidden intrusion on your computer

Footnotes : The method that I am going to present to you does not in any way replace conventional protection solutions such as antiviruses.

Step 1: Using TCPView

We'll start by using a free tool called TCPView.

Indeed, this tool allows you to monitor TCP/IP protocol activity on your computer. Unlike Windows' built-in tools, TCPView tells you exactly which process is associated with each TCP/IP connection.

Here's how to use it:

First of all, download TCPView and unzip it.
No installation is necessary. Simply double-click on the “Tcpview.exe” file to launch the application.
Once opened, TCPView updates every second to show you network exchanges between your PC and other devices or sites on the Internet.

One of the advantages of TCPView over command netstat is its ability to interrupt a specific connection without closing the process that manages it.

Step 2: Identifying a possible backdoor on your PC

The TCPView tool can help identify an intrusion on your system in several ways:

See your connections : It shows all TCP and UDP connections. So you can spot if a unknown IP address attempts to connect to your PC.
Identify connected programs : If an unexpected program establishes a connection, this may be a warning sign.
Search for strange addresses : Unknown or strange IP addresses may indicate a problem. TCPView displays them for you.

Basically, if your PC is infected, you could see strange IP addresses.

Example : In the screenshot below, you will observe all the connections currently open on my computer.

Pay special attention to remote addresses that seem suspicious.

In summary, TCPView shows you who is chatting with your computer. It's a bit like a doorman telling you who is knocking at the door. If someone strange tries to get in, you'll know right away!

Easy to use and super useful for avoiding intruders. To try !

Anne O'Nime says:

August 30 2017 to 7 44 h min

Blackhats can take control of some PCzombies, how can we tell them apart from a botnet?
Because my PC has been doing tons of updates for 1 month, for 3 months it has been running when it is inactive and yesterday, the mouse pointer was moving on its own then disappeared, I had to restart the PC with the keyboard and a little later my headphones was playing music for no apparent reason.

Goat says:

July 12 2016 to 19 34 h min

Hi Ahmed
thank you for sharing your method
on the other hand, how did you recognize that the “telnet” client was spyware? Because of the local port, the protocol, its address or simply because the other processes have the same name globally?

Dat_Modo says:

29 2014 June to 23 00 h min

Ok but how to recognize “exotic” names?
Because in that case I wouldn't have guessed that telnet and nc was malicious :/
Why isn't isass.exe?
In short, you have to know what.

obiwank says:

March 16 2014 to 14 30 h min

c’est vieux comme article ça ! pq le redater du 15/03/14 !!!

- Ahmed says:
  
  March 16 2014 to 20 11 h min
  
  So that new visitors and blog subscribers benefit!
  
kapuss says:

March 11 2013 to 19 15 h min

do you know if this kind of intrusion is common on ubuntu?

- Ahmed says:
  
  March 12 2013 to 9 56 h min
  
  Ubuntu is a Linux distribution.
  Linux is just like Windows or MacOS X contains vulnerabilities that can be exploited by hackers. Linux is therefore also sensitive to this kind of intrusion, just like Windows.
  
cat rock says:

21 September 2012 17 to 13 h min

can you tell us the normal ports for use in the system?

Ahmed says:

July 23 2012 to 18 53 h min

Quite simply because backdoors need to open one or more doors to listen. It is through this activity that we can spot them, especially if the open ports are unusual or have no reason to be open at this time. How about the example of netcat which is listening on port 8888!!

nawras_universe says:

July 23 2012 to 17 10 h min

And how did you know it's a backdoor??
My blog : http://inf0mag.blogspot.com

- Ahmed says:
  
  July 23 2012 to 18 54 h min
  
  Quite simply because backdoors need to open one or more doors to listen. It is through this activity that we can spot them, especially if the open ports are unusual or have no reason to be open at this time, such as the example of the netcat backdoor which is listening on Port 8888!!
  
  - Charles says:
    
    March 22 2014 to 18 14 h min
    
    The explanation is really very basic, and what is the local port that is supposed to appear. In the process, how to know if we are hacked.
  - DRC says:
    
    December 19 2014 to 12 46 h min
    
    In fact, you must first close all the utilities that are supposed to be connected to the internet (browser, torrent client, etc.) and only then launch the detection utility, if despite the fact that all applications are closed, unusual connections appear other than local, then it is possible, I mean possible that you are infected, the best thing is still to ask confirmation from a friend who knows a little about it.