One of the easiest ways to detect spyware or malware, should any exist on your computer, is to use a network scanning utility. It should be one that’s easy to use and tells you everything you need to know up front.
In Windows, one of the best network traffic scanning utilities is TCPView. I use this myself and it’s a fantastic tool, which I’ll cover in a moment. And yes, it’s free and works on any NT-based Windows from NT 4.0 Workstation all the way up to Windows 7 and everything in between.
The in-Windows way of doing network scanning with no download involved is to use NETSTAT with the -b flag.
In Windows XP and earlier, you launch a Command Prompt and type:
NETSTAT -B
In Windows Vista and 7 you must run the Command Prompt as Administrator (click the Windows logo, type command, and when Command Prompt appears, right-click it and choose to run it as Administrator) so that the above command runs with what’s called "elevated privileges".
What NETSTAT with the -B flag does is show you every executable in Windows that is actively accessing the network at that moment. When scanning for potential spyware, all you have to do is look for executables that appear "weird" to you. If you see any that do, search Google for that executable name; the search results will bring you to a page explaining whether said executable is bad or not.
TCPView does the same thing NETSTAT with the -B flag does, except a whole lot cleaner and a lot easier to manage.
The TCPView program itself is nothing but a single executable file. There is no installer. When you download the TCPView.zip, the ZIP contains four files:
- Eula.txt (End User License Agreement text document)
- tcpview.chm (The TCPView help file)
- Tcpvcon.exe (a console version of TCPView)
- Tcpview.exe (the graphic version of TCPView)
The only one you need to be concerned with is Tcpview.exe itself, because that’s the utility. Extract the file directly to your desktop and double-click it to run.
On first run of the software you will be presented with license terms. Click the Agree button.
An example of what TCPView looks like once running:
The two columns to be most concerned with are Process and State.
Process is the actual executable file that’s running. It is completely normal for a process to be listed multiple times. In the example above, my instant messenger executable, aimlite.exe, accesses several servers on the AIM instant messenger network in order to work properly.
State is literally the state of the connection at the given time. ESTABLISHED means there is a live connection. LISTENING means the process is sitting there waiting for a connection. TIME_WAIT is when a connection has been made, and there is a delay period of a few seconds up to around 2 minutes during which the connection confirms everything has been completed. You will see TIME_WAIT most with web browser connections to web sites. When you leave one web site and go to the next, you usually see a bunch of TIME_WAITs show up.
The great thing about TCPView and its distinct advantage over NETSTAT is that it is updated in real time. Once running, all you have to do is watch TCPView to examine any new/changed network connections that occur.
When attempting to detect things like malware and spyware, look for a process with a weird name, such as 123kja.exe, and see whether it’s ESTABLISHED or not. If it is, something wrong is probably going on and you have spyware on your Windows system. However, always perform a Google search for the executable file name, because some names look "weird" but are perfectly normal.
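To make the check described above repeatable (the same "weird name plus ESTABLISHED" test the article has you do by eye with NETSTAT -B and TCPView), here is an added Python example. It is not code from the original article or from TCPView: it parses saved NETSTAT -B text, groups connections by owning executable, and lists any executable holding an ESTABLISHED connection that you have not already looked up. The sample output, the 123kja.exe process, the addresses and PIDs are constructed; the KNOWN_GOOD set is an assumption modelled on the article’s aimlite.exe example; and the "random-looking name" regex is only a rough hint, not a verdict.

```python
"""Triage "netstat -b" output: group connections by owning executable and
flag unfamiliar executables that hold ESTABLISHED connections."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the general shape of "netstat -b" output on
# Windows XP/Vista/7: a connection line, optionally a service component line
# (for svchost.exe), then the owning executable in square brackets.
# Addresses, ports, PIDs and the "123kja.exe" process are made up.
SAMPLE_NETSTAT_B = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1193       64.12.24.39:5190       ESTABLISHED     2432
 [aimlite.exe]
  TCP    192.168.1.5:1194       205.188.1.95:5190      ESTABLISHED     2432
 [aimlite.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  RpcSs
 [svchost.exe]
  TCP    192.168.1.5:1201       203.0.113.77:8080      ESTABLISHED     3120
 [123kja.exe]
  TCP    192.168.1.5:1202       198.51.100.10:80       TIME_WAIT       0
  TCP    192.168.1.5:1203       198.51.100.10:80       TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    1104
 [lsass.exe]
"""

# Executables you have already looked up and recognised. Assumption: this
# list is illustrative, built from the article's aimlite.exe example plus
# two Windows system processes; build your own from your own research.
KNOWN_GOOD = {"aimlite.exe", "svchost.exe", "lsass.exe"}

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")
EXE_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
# Rough hint for "weird" names like 123kja.exe: letters and digits mixed in a
# short stem. A hint only; the article's advice to look the name up still stands.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{4,12}\.exe$", re.I)


@dataclass
class Connection:
    proto: str
    local: str
    remote: str
    state: str          # empty for UDP, which has no connection state
    pid: int
    exe: Optional[str] = None
    component: Optional[str] = None


def parse_netstat_b(text: str) -> list:
    """Parse netstat -b text into Connection records with their owning executable."""
    conns, pending, component = [], [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conn = Connection(proto, local, remote, state or "", int(pid))
            conns.append(conn)
            # PID 0 rows (TIME_WAIT leftovers) are printed without an owner line.
            if conn.pid != 0:
                pending.append(conn)
            continue
        m = EXE_RE.match(line)
        if m:
            for conn in pending:
                conn.exe, conn.component = m.group(1), component
            pending, component = [], None
            continue
        token = line.strip()
        # A lone word between a connection and its [exe] line is a service
        # component name, e.g. "RpcSs" under svchost.exe.
        if pending and token and " " not in token:
            component = token
    return conns


def triage(conns, known_good=KNOWN_GOOD):
    """Return (connections grouped by exe, [(exe, established remotes, random-name hint)])
    for executables not in known_good that hold ESTABLISHED connections."""
    by_exe = defaultdict(list)
    for conn in conns:
        by_exe[conn.exe or "<no owner>"].append(conn)
    suspicious = []
    for exe, group in sorted(by_exe.items()):
        established = [c.remote for c in group if c.state == "ESTABLISHED"]
        if established and exe.lower() not in known_good:
            suspicious.append((exe, established, bool(RANDOM_NAME_RE.match(exe))))
    return by_exe, suspicious


if __name__ == "__main__":
    by_exe, suspicious = triage(parse_netstat_b(SAMPLE_NETSTAT_B))
    for exe, group in sorted(by_exe.items()):
        print(f"{exe:<14} " + ", ".join(f"{c.remote} {c.state or c.proto}" for c in group))
    for exe, remotes, odd in suspicious:
        hint = " (random-looking name)" if odd else ""
        print(f"LOOK UP: {exe}{hint} -> ESTABLISHED to {', '.join(remotes)}")
```

To run it against a real machine, save the output from an elevated prompt with NETSTAT -B > netstat.txt and pass the file’s contents to parse_netstat_b. The script does not decide anything is malicious; it only shortens the list of names you need to research, which is the step the article asks you to do for every unfamiliar executable.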
It’s important to note that TCPView is not a spyware removal tool but simply a network scanning utility. Even though that’s the case, this software gives you information that spyware detection suites don’t, nor will your router’s administration program.
The best part about TCPView is that it easily answers the question, "What software is accessing which servers?" Now you know. And if there are any rogue Process names that look odd to you, you can Google search them easily to find out how much of a threat they are, if any.
On a final note, TCPView only scans the network traffic for the computer it’s running on, meaning it’s not a wi-fi scanner. If you want to know whether other people are using your wi-fi without your permission, that must be done from the router’s administration program directly in the web browser.