Wai_Wai
August 11th, 2005, 01:44 PM
CounterSpy... Detect 2 more spyware than others?!?
Hi.
I have downloaded CounterSpy as a trial since it is said to detect the newest dangerous keylogger (Srv.SSA-KeyLogger).
After a full scan, it didn't find this dangerous keylogger ( :-P ). Instead it managed to find 2 insidious pieces of spyware.
1) AB System Spy
File Name & Location:
C:\EA GAMES\The Sims 2\TSBin\ijl15.dll
C:\EA GAMES\The Sims 2 University\TSBin\ijl15.dll
Size: 344 KB
2) Ace Password Sniffer 1.1
File Name & Location:
C:\Program Files\WinPcap\NetMonInstaller.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\WINDOWS\system32\drivers\npf.sys
Size (in ascending order):
- 06.50 KB
- 84.00 KB
- 32.10 KB
At first sight, CounterSpy looked great. It detected 2 more spyware items that others like MS Anti-Spyware and ZoneAlarm couldn't.
However, on second thought, they seemed to be false positives/claims.
I need confirmation.
Can anyone confirm if they are spyware?
Or does anyone know how to confirm?
Texcritter
August 11th, 2005, 02:06 PM
Hi Wai Wai
You can get info on both files at
No.1 http://www.freedownloadscenter.com/Network_and_Internet/Misc__Networking_Tools/Ace_Password_Sniffer.html
No.2 http://www.spywareguide.com/product_show.php?id=591
Tex
Notok
August 12th, 2005, 12:43 AM
Quote: "2) Ace Password Sniffer 1.1
File Name & Location:
C:\Program Files\WinPcap\NetMonInstaller.exe
C:\Program Files\WinPcap\rpcapd.exe
C:\WINDOWS\system32\drivers\npf.sys"
If you installed WinPcap (probably with Ethereal) then you should know why an anti-spyware scanner would detect it, but should also know its purpose on your computer. Personally, if a packet sniffer had been installed on my system without my knowing, I would want to know about it. It did, however, misidentify it, although it's possible that Ace uses WinPcap.. can't say I'm ready to install Ace keylogger to find out.
The other definitely looks like a false positive, however.
I wouldn't let one (1.5?) false positive(s) throw you; pretty much every anti-spyware scanner will come up with false positives from time to time.. some are -much- worse than just one or two.
Wai_Wai
August 12th, 2005, 06:06 AM
Quote: "If you installed WinPcap (probably with Ethereal) then you should know why an anti-spyware scanner would detect it, but should also know its purpose on your computer. Personally, if a packet sniffer had been installed on my system without my knowing, I would want to know about it. It did, however, misidentify it, although it's possible that Ace uses WinPcap.. can't say I'm ready to install Ace keylogger to find out.
The other definitely looks like a false positive, however.
I wouldn't let one (1.5?) false positive(s) throw you; pretty much every anti-spyware scanner will come up with false positives from time to time.. some are -much- worse than just one or two."
Yes, you are right. I won't get thrown either.
Just would like to confirm if they are *really* false positives.
To me, I do think they are all false positives.
Quote: "If you installed WinPcap (probably with Ethereal) then you should know why an anti-spyware scanner would detect it"
I don't know why it was installed. Probably it was bundled with another piece of software, and that software installed it.
Also, more than one person uses this computer, so it may have been done by others.
How can I tell when it was first installed?
What's the use of WinPcap?
How can I determine if I need this or not?
The following is what "WinPcap" folder contains:
File/Folder Name    Modify Date     Create Date
WinPcap             N/A             22 May 2005
daemon_mgm.exe      14 May 2004     14 May 2004
INSTALL.LOG         22 May 2005     22 May 2005
npf_mgm.exe         14 May 2004     14 May 2004
Uninstall.exe       30 Aug 2003     22 May 2005
Note: The "infected" files are quarantined, so they are not included.
The strangest thing is how "Uninstall.exe" can have been created on 22 May 2005 but modified on 30 Aug 2003. I haven't changed the date/time of the system clock. Really strange?!?
Notok
August 12th, 2005, 10:29 AM
Considering the install log was created on May 22nd, that looks like when it was installed.
WinPcap is a driver used by tools like Ethereal to capture (or "sniff") what's being sent over the internet. Chances are that someone else who uses that computer was tinkering with Ethereal, but I personally don't like leaving WinPcap installed and enabled. I would ask around and find out.. if nobody knows then yank it. If you want to be on the safe side you can go into the properties of your network connection, and there should be a checkbox there for WinPcap (along with TCP/IP, Client for MS Networks, etc.); just take the check out when it's not being used.
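One way to work through a folder listing like the one posted above, as an added example that is not part of the thread: a small Python script that explains each file's creation/modification pair (a creation date later than the modification date is what an installer leaves behind when it writes a file but keeps the payload's original last-write time) and estimates the install date from INSTALL.LOG, as the reply above does. The sample records are constructed from the posted listing; the function names and output wording are mine.

```python
from dataclasses import dataclass
from datetime import datetime
import os

@dataclass
class FileRecord:
    name: str
    modified: datetime  # last-write time
    created: datetime   # time the file appeared on this volume

def classify(rec: FileRecord) -> str:
    # An installer writes a new file (fresh creation time) but keeps the
    # payload's original last-write time, so created > modified is the normal
    # signature of an extracted file, not evidence of a tampered clock.
    if rec.created > rec.modified:
        return "copied/extracted here; modified date is the original build date"
    if rec.created == rec.modified:
        return "written once on this machine"
    return "created here and edited afterwards"

def install_time(records: list) -> datetime:
    # Prefer INSTALL.LOG, which the installer writes at install time. Otherwise
    # use the latest creation time: files copied with a preserved creation
    # time skew earlier, so the newest creation time is the closest witness.
    for rec in records:
        if rec.name.upper() == "INSTALL.LOG":
            return rec.created
    return max(rec.created for rec in records)

def scan_directory(path: str) -> list:
    # Build records from a real folder. Windows reports creation time as
    # st_ctime; other systems expose st_birthtime where the filesystem has it.
    out = []
    for name in os.listdir(path):
        st = os.stat(os.path.join(path, name))
        born = getattr(st, "st_birthtime", st.st_ctime)
        out.append(FileRecord(name, datetime.fromtimestamp(st.st_mtime),
                              datetime.fromtimestamp(born)))
    return out

# Constructed sample mirroring the WinPcap folder listing posted in the thread.
SAMPLE = [
    FileRecord("daemon_mgm.exe", datetime(2004, 5, 14), datetime(2004, 5, 14)),
    FileRecord("INSTALL.LOG", datetime(2005, 5, 22), datetime(2005, 5, 22)),
    FileRecord("npf_mgm.exe", datetime(2004, 5, 14), datetime(2004, 5, 14)),
    FileRecord("Uninstall.exe", datetime(2003, 8, 30), datetime(2005, 5, 22)),
]
if __name__ == "__main__":
    print("\n".join(f"{r.name:15} {classify(r)}" for r in SAMPLE))
    print("installed on:", install_time(SAMPLE).date())
```

Run it against a real folder with `install_time(scan_directory(r"C:\Program Files\WinPcap"))` on the machine in question.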