CounterSpy... Detect 2 more spyware than others?!?

Discussion in 'other anti-malware software' started by Wai_Wai, Aug 11, 2005.

Thread Status:
Not open for further replies.
  1. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    CounterSpy... Detect 2 more spyware than others?!?

    Hi.
    I have downloaded CounterSpy as a trial test since it is said it can detect the newest and dangerous keylogger (Srv.SSA-KeyLogger).

    After running a full scan, I didn't find this dangerous keylogger ( :p ). Instead it managed to find 2 pieces of insidious spyware.

    1) AB System Spy
    File Name & Location:
    C:\EA GAMES\The Sims 2\TSBin\ijl15.dll
    C:\EA GAMES\The Sims 2 University\TSBin\ijl15.dll
    Size: 344 KB

    2) Ace Password Sniffer 1.1
    File Name & Location:
    C:\Program Files\WinPcap\NetMonInstaller.exe
    C:\Program Files\WinPcap\rpcapd.exe
    C:\WINDOWS\system32\drivers\npf.sys
    Size (in ascending order):
    - 06.50 KB
    - 84.00 KB
    - 32.10 KB

    At first sight, CounterSpy looked great. It detected 2 more spyware which others like MS Anti-spyware and ZoneAlarm couldn't.

    However, on second thought, they seemed to be false positives/claims.
    I need confirmation.
    Can anyone confirm if they are spyware?
    Or does anyone know how to confirm?
     
  2. Texcritter

    Texcritter Registered Member

    Joined:
    May 6, 2005
    Posts:
    1,985
    Location:
    Teesside, North East England
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    If you installed WinPcap (probably with Ethereal) then you should know why an anti-spyware scanner would detect it, but should also know its purpose on your computer. Personally, if a packet sniffer had been installed on my system without my knowing, I would want to know about it. It did, however, misidentify it, although it's possible that Ace uses WinPcap.. can't say I'm ready to install Ace keylogger to find out.

    The other definitely looks like a false positive, however.

    I wouldn't let one (1.5?) false positive(s) throw you, pretty much every anti-spyware scanner will come up with false positives from time to time.. some are -much- worse than just one or two.
     
  4. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Yes, you are right. I won't get thrown either.
    Just would like to confirm if they are *really* false positives.
    To me, I do think they are all false positives.

    I don't know why it was installed. Probably it was bundled with other software and that software installed it.
    Also, more than one person uses this computer. So it may have been done by others.

    How can I see when it was first installed?
    What's the use of WinPcap?
    How can I determine if I need this or not?


    The following is what "WinPcap" folder contains:
    File/Folder Name      Modify Date      Create Date
    WinPcap               N/A              22 May 2005
    daemon_mgm.exe        14 May 2004      14 May 2004
    INSTALL.LOG           22 May 2005      22 May 2005
    npf_mgm.exe           14 May 2004      14 May 2004
    Uninstall.exe         30 Aug 2003      22 May 2005

    Note: The "infected" files are quarantined, so they are not included.

    The strangest thing is why "Uninstall.exe" can be created at 22 May 2005, but modified at 30 Aug 2003. I haven't changed the date/time of the system clock. Really strange?!?
     
    Last edited: Aug 12, 2005
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Considering the install log was created on May 22nd, that looks like when it was installed.

    WinPcap is a driver used by tools like Ethereal to capture (or "sniff") what's being sent over the internet. Chances are that someone else that uses that computer was tinkering with Ethereal, but I personally don't like leaving WinPcap installed and enabled. I would ask around and find out.. if nobody knows then yank it. If you want to be on the safe side you can go into the properties of your network connection, and there should be a checkbox there for WinPcap (along with TCP/IP, Client for MS Networks, etc), just take the check out when it's not being used.
     