If you’re curious whether a particular piece of software might be spyware, or you have some other reason to believe your computer might have been compromised and might be talking to something it shouldn’t be, there’s a quick and easy way to find out besides using the standard netstat -an command.
Windows XP and 2003 (and, presumably, Vista) have the netstat -o command, which tells you what IP addresses your computer is talking to and on what ports, plus it adds the process IDs that have those ports open. There’s a hotfix to add that functionality to Windows 2000, but it appears you have to demonstrate a need for it in order for Microsoft to provide it.
Regardless, I like the Sysinternals tool TCPview better. The most important thing it does is give you the names of the application, instead of the process ID, using each port. That saves you from having to run task manager and figure it out yourself. It puts everything in a GUI window, making it a little bit easier to scroll around, and it also tries to resolve the IP addresses, which can be nice. So if all you have open is a web browser pointing at Google and you see processes talking to web addresses you’ve never heard of, you have reason to be suspicious.
The next time someone complains to me that a computer is running slow, once I think I’ve cleaned off the spyware I think I’ll run this utility just to see if there might be anything left.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
