TechSpot

Is WinPcap safe to delete? Can it be being used by malware?

By scapegoat
Apr 14, 2009
Topic Status:
Not open for further replies.
  1. Hi, I've recently been getting Zone Alarm Pro prompts to allow rpcapd.exe to act as a server. Possibly I've only just noticed this because I've recently reconfigured ZA after becoming somewhat more security conscious.

    From the ubiquitous Google searches I've done, it appears that c:\program files\WinPcap does have legitimate uses, from what I can see - for monitoring remote network traffic?

    However, I've no idea why I would need this on a single use home PC or where this application came from. It doesn't appear in add/remove programs by the way.

    Is it safe to fix/remove this in HJT and to remove the directory folder? I'm guessing it is, as I've already got Zone Alarm to deny it access to everything and have killed it in process manager. Could you confirm?

    I've recently done a full virus/malware sweep (incorporating the 8 steps from these forums):

    MS update, purged sys restore, msconfig@normal, Java updated, purged quarantines/recycler, hidden files/OS files visible etc. All security software updated, restarted, Ccleaner'ed.

    Scanned in normal mode and again in safe mode (physically unhooked from internet) where possible with: AVG antivirus, Spybot, Superantispyware, Malwarebytes, also for the hell of it with Zone Alarm antispyware and Windows Defender.

    Then repeated Ccleaner and did a HJT log.

    Everything came up clean apart from what I'm assuming (hoping!) was a false positive - Zone Alarm antispyware detected an old version of HJT as Win32.Trojan.Startpage.DAP. I deleted the .exe just to be on the safe side and downloaded Trend Micro's version.

    I'm using a netgear router modem with Zone Alarm Pro, Windows XP Pro SP3.

    Logs attached, in which I can already see in the HJT log there's lots of stuff that might be eligible for deletion. I'd appreciate any advice on that too, though I'm more concerned with WinPcap opening ports.

    Might someone be able to offer some advice?

    Thanks in advance.
     
  2. jobeard

    jobeard TS Ambassador Posts: 13,426   +317

    this will help you understand;
    see http://www.bleepingcomputer.com/startups/rpcapd.exe-7147.html

    it's useful ONLY as a diagnostic tool :)

    Run Services.msc, then scroll to PRTG Service; set Startup Type to MANUAL and then STOP the service
     
  3. scapegoat

    scapegoat TS Rookie Topic Starter

    Thanks for the reply.

    I ran Service.msc. There was no PRTG service. But there was an entry for Remote Packet Capture Protocol v.0 (experimental) which I set to manual and stopped. It came up with an error:1035 saying that it couldn't stop it/was timed out, but when I Ok'd that it registered as stopped. It also vanished in Process Explorer.

    Could I not set this to Disable instead of Manual? Will it load when Windows reboots? At the mo I've also set the process to kill in ZA. I might re-name the program folder and see if that stops anything loading it, but then...

    After reading the FAQ at the WinPcap website (I'd post a link but I can't) I'm still a little concerned as to why (and how) I have the WinPcap service running:

    Quote:

    "Q-1: How can I see if WinPcap is installed on my system? How can I remove it?

    A: WinPcap 2.1 or newer: go to the control-panel, then open the "Add or Remove Programs" applet. If WinPcap is present in your system, an entry called "WinPcap" will be present. Double-click on it to uninstall WinPcap.
    WinPcap 2.02 or older: go to the control-panel, then open the "Network" applet. If WinPcap is present in your system, an entry called "Packet Capture Driver" will be listed (in Windows NT you have to choose the "Services" tab). Select it and press "Remove" to uninstall WinPcap.

    To be absolutely sure that WinPcap has been installed, please look at your system folder: you should find files called packet.* and wpcap.dll. Please check the file dates: these should be compatible with the WinPcap release dates. We've had reports of trojans or other malware that silently install the WinPcap driver, NPF.sys. If you've been infected by them, you'll probably see the driver file in Windows\System32\Drivers, but no entries in the "Add or Remove Programs" applet and no dlls."

    I don't have WinPcap listed in add/remove programs.
    There is no uninstaller in the program folder.
    It isn't listed in any way on network connections (it's v.3.1.0.27)
    The files packet.* and wpcap.dll do not exist in my system folder.
    The files packet.dll and wpcap.dll DO exist in my system32 folder.
    The driver npf.sys exists in Windows\System32\Drivers

    From reading between the lines, this looks suspiciously like it's not necessarily the safe application it might appear to be and may have been silently installed by malware.

    If this is a valid program that is required to run at startup, as Bleepingcomputer says, why does the info from the manufacturer's website seem to indicate that in this instance it may have been installed by stealth? And if killing the process is safe, can I not just fix it with HJT?

    I apologize for my paranoia. I'm trying to make myself more secure, but the more I find out the more paranoid I get! So much I don't understand - I'd rather understand why I'm doing things than just know how to do them :)
     
  4. jobeard

    jobeard TS Ambassador Posts: 13,426   +317

    it's only a tool: use or lose it at your choice.

    I keep it around for special cases and yes, DISABLE is fine instead of MANUAL.
     
  5. scapegoat

    scapegoat TS Rookie Topic Starter

    Cool, thanks:)

    Though it IS a tool I didn't install myself.

    Curiously...the created date on the files is March 6, 2009.
    My new Virgin Media router was installed with Wireless Manager on March 6, 2009.

    Maybe used for monitoring bandwidth? Knowing VM it wouldn't surprise me. I've since found VM router users online that confirm it comes with the Wireless Manager. Personally, I think that's sneaky.

    Disabled, blocked, but not killed off. Thanks again for the advice.
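
The checks from the WinPcap FAQ quoted in post 3 (Add or Remove Programs entry, packet.dll and wpcap.dll, npf.sys, file dates), together with the service state discussed in the replies, can be collected in one read-only pass. The PowerShell below is an added example, not part of the thread or of WinPcap; the function name `Get-WinPcapFootprint` and its output field names are invented here, and it assumes a Windows host with PowerShell available.

```powershell
# Added example: inventory the WinPcap indicators named in the quoted FAQ.
# Read-only: nothing on the system is modified.
function Get-WinPcapFootprint {
    $sys = Join-Path $env:SystemRoot 'System32'

    # 1. "Add or Remove Programs" entry (uninstall keys, native and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*WinPcap*' } |
        Select-Object -First 1

    # 2. Driver and DLLs, with creation date, version and signature status.
    $driver = Join-Path $sys 'drivers\npf.sys'
    $dlls   = @((Join-Path $sys 'Packet.dll'), (Join-Path $sys 'wpcap.dll'))
    $files  = foreach ($p in @($driver) + $dlls) {
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p
            [pscustomobject]@{
                Path        = $p
                Created     = $item.CreationTime
                FileVersion = $item.VersionInfo.FileVersion
                Signature   = (Get-AuthenticodeSignature -FilePath $p).Status
            }
        }
    }

    # 3. Service, matched on the display name reported in the thread.
    $svc = Get-Service -DisplayName 'Remote Packet Capture Protocol*' `
        -ErrorAction SilentlyContinue

    # FAQ pattern for a silent install: driver present, no uninstall entry, no DLLs.
    $driverPresent = Test-Path -LiteralPath $driver
    $dllPresent    = @($dlls | Where-Object { Test-Path -LiteralPath $_ }).Count -gt 0

    [pscustomobject]@{
        UninstallEntry      = if ($entry) { $entry.DisplayName } else { $null }
        Files               = $files
        Service             = $svc | Select-Object Name, DisplayName, Status, StartType
        MatchesSilentDriver = $driverPresent -and (-not $entry) -and (-not $dllPresent)
    }
}

Get-WinPcapFootprint | Format-List
```

A creation date that lines up with a known software install, as with the router's Wireless Manager in the last post, is the kind of correlation the `Created` column is there to support.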
     