Kudos0

How did WinPcap 4.1.2 get on my PC?

Dear Forum Members

As a very security minded person, I use a number of security products such as NIS2011, Spybot, Ad-Aware, etc. all kept scrupulously up to date and run regularly to ensure my PC is kept as clean as possible.

However, when checking "Add or Remove Programs" in Control Panel I came across a small program/utility called "WinPcap 4.1.2", which surprised me because I did not download or install it. I did a bit of research and found out that it was a Windows network capture utility that works with most versions of Windows O/S. While there was no hint that this WinPcap was either spyware or a form of malware, still I can't help but wonder how did it get installed on my PC.

For example, did it come in as one of Microsoft's updates (I'd just completed this month's (December) security updates) or did it come in via something else.

If anyone knows a bit more about this utility please enlighten me.

UK Bob

Replies

Kudos1

Re: How did WinPcap 4.1.2 get on my PC?


ukbobboy wrote:

Dear Forum Members

As a very security minded person, I use a number of security products such as NIS2011, Spybot, Ad-Aware, etc. all kept scrupulously up to date and run regularly to ensure my PC is kept as clean as possible.

However, when checking "Add or Remove Programs" in Control Panel I came across a small program/utility called "WinPcap 4.1.2", which surprised me because I did not download or install it. I did a bit of research and found out that it was a Windows network capture utility that works with most versions of Windows O/S. While there was no hint that this WinPcap was either spyware or a form of malware, still I can't help but wonder how did it get installed on my PC.

For example, did it come in as one of Microsoft's updates (I'd just completed this month's (December) security updates) or did it come in via something else.

If anyone knows a bit more about this utility please enlighten me.

UK Bob


Ad-Aware Free / Pro  Internet Security and Total Security features real-time protection that will/may conflict with Norton

Spybot's active real-time protection Tea Timer and SD Helper will/may conflict with Norton

Spybot's Immunize is passive protection and as such will not conflict with Norton

Spybot does however offer old information regarding compatibility with Norton

In general it is never a good idea to have two real-time security applications in use simultaneously.  System performance can be adversely impacted and your protection can actually be lessened, as the two programs can seriously interfere with each other's proper functioning and blocking of malicious things that try to run on your PC.

NIS21.5 VistaSP2 FF31 IE9 Compaq A931NR
Kudos1

Re: How did WinPcap 4.1.2 get on my PC?

Bob,

Google will tell you a lot about WinPCap ....

<< , WinPcap is the packet capture and filtering engine of many open source and commercial network tools, including protocol analyzers, network monitors, network intrusion detection systems, sniffers, traffic generators and network testers. Some of these tools, like Wireshark, Nmap, Snort, ntop are known and used throughout the networking community. >>

Have you had a problem that might have involved someone asking you for a "dump" of data from when something went wrong?

Hugh
Kudos2

Re: How did WinPcap 4.1.2 get on my PC?

It certainly did not come with any MS updates. It is not a Microsoft product.

It appears to be used by quite a few software packages, as listed here:

http://www.winpcap.org/misc/links.htm#tools

See whether anything you have is on that list. If so that might be what installed it. As it is open source it may also be used by others.

Otherwise look for its files under C:\program files (or equivalent depending on your version of Windows) and look at the date created and/or modified. That would give you a clue when you (or someone or something) installed it.

If you don't want it, and it is not needed by any other app you have and need, just uninstall it.

Kudos0

Re: How did WinPcap 4.1.2 get on my PC?

Hi ukbobboy,

First, please take note of bjm_'s response that you should not have more than one security software installed if it has a real-time component. I understand this is not the question you originally asked but bjm_ was correct to point this out. It is highly recommended that you uninstall any other software which has a real-time component. It is also recommended to use a removal tool provided by that company to ensure all remnants of it are removed.

There are a couple of free on-demand scanners such as MalwareBytes and Super Antispyware that we generally recommend as they do not interfere with NIS.


On to your original question.

WinPcap as you have found is a capturing engine for capturing packets. In general this is not typically installed as a standalone product, though it can be.

Most commonly it is installed as a separate utility which is needed for software such as Wireshark to name but one popular program. You can find a more comprehensive list at the following URL.

http://www.winpcap.org/misc/links.htm

Have you ever installed any of the software listed above? If so that is where Winpcap came from.

Windows update would not have installed this.

Hope this helps.

Best wishes.

Allen

Windows 7 Ultimate SP 1, 64 bit, 32 GB * NIS Vers. 21.5.0.19 * Ghost 15 * IE 9, Firefox, Safari. Test laptop with W7 Home Premium 64 bit * NIS Vers. 21.5.0.19
Kudos1

Re: How did WinPcap 4.1.2 get on my PC?

LOL, three of us responding at the same time!

Best wishes.

Allen

Windows 7 Ultimate SP 1, 64 bit, 32 GB * NIS Vers. 21.5.0.19 * Ghost 15 * IE 9, Firefox, Safari. Test laptop with W7 Home Premium 64 bit * NIS Vers. 21.5.0.19
Kudos0

Re: How did WinPcap 4.1.2 get on my PC?


ukbobboy wrote:

However, when checking "Add or Remove Programs" in Control Panel I came across a small program/utility called "WinPcap 4.1.2"


Is WinPcap listed with your startup services?

Does a system search for WinPcap 4.1.2 point to another application?

If used for packet sniffing or other malicious things.... wouldn't it have to run in conjunction with another application?


NIS21.5 VistaSP2 FF31 IE9 Compaq A931NR
Kudos1

Re: How did WinPcap 4.1.2 get on my PC?


bjm_ wrote:

ukbobboy wrote:

However, when checking "Add or Remove Programs" in Control Panel I came across a small program/utility called "WinPcap 4.1.2"


Is WinPcap listed with your startup services?

Does a system search for WinPcap 4.1.2 point to another application?

If used for packet sniffing or other malicious things.... wouldn't it have to run in conjunction with another application?



Hi bjm_

It could be malware which installed WinPcap but the first step is to determine if the OP installed any of the other applications. If so I would consider the presence of WinPcap as normal.

If none of the other programs are or ever were installed then it is possible that malware could have installed this, in which case some scans with NIS and MalwareBytes would be warranted along with removing WinPcap.

The OP can uninstall WinPcap but if any of those other programs are also installed, they will become non-functional as well. So best to search through add/remove programs list and determine if any of the others are installed as well. If they are then all of them should be removed or none of them.

If WinPcap is there by itself then it can be safely uninstalled.

Best wishes.

Allen

Windows 7 Ultimate SP 1, 64 bit, 32 GB * NIS Vers. 21.5.0.19 * Ghost 15 * IE 9, Firefox, Safari. Test laptop with W7 Home Premium 64 bit * NIS Vers. 21.5.0.19
Kudos1

Re: How did WinPcap 4.1.2 get on my PC?

Hi Folks,

WinPcap has heard of instances where it was installed by malware but indicated that typically WinPcap will NOT be listed in add/remove programs for what should be obvious reasons.

See: http://www.winpcap.org/misc/faq.htm and search for the word malware on the page.

At this point of course it would be premature to assume that it is malware. Let's see what the OP says about whether any of the referenced programs were ever installed.

Best wishes.

Allen

Windows 7 Ultimate SP 1, 64 bit, 32 GB * NIS Vers. 21.5.0.19 * Ghost 15 * IE 9, Firefox, Safari. Test laptop with W7 Home Premium 64 bit * NIS Vers. 21.5.0.19
Kudos0

Re: How did WinPcap 4.1.2 get on my PC?

re >  If WinPcap is there by itself then it can be safely uninstalled.

Along with OP .... (quote) still I can't help but wonder how did it get installed on my PC.

Hopefully, OP will determine and post back as to how ......

Cheers

NIS21.5 VistaSP2 FF31 IE9 Compaq A931NR
Kudos1

Re: How did WinPcap 4.1.2 get on my PC?

This could have been installed by a number of legitimate programs. I use both Wireshark  and DownloadStudio and they both require it.

Kudos1

Re: How did WinPcap 4.1.2 get on my PC?

Dear Forum Members

Thanks very much for your replies and suggestions I have received regarding my query; I was honestly surprised by the avalanche of responses.

Hi Bjm

I will try to answer your questions as best I can to give you a fuller picture of what may or may not be a problem.

First, I have always used Ad-Aware Free and Spybot with NIS, since as far back as 2005 and never had any problems with them interfering with each other, i.e. from NIS2005 all the way up to NIS2011 inclusive. However, I do take the point that one day there may be a problem but as of today there is not.

Second, WinPcap is not listed in my "Start up Services" but something is using it, in fact the last time it says it was used was on 15th December.  This now leads me to believe that this utility was installed when I did an "Add-on" update for my Firefox browser, probably "Download Manager". In addition, the 15th was the last time I actually used Firefox.

You see, I use three browsers, Opera is my main browser, I use Firefox because it is the safest browser to use when surfing the Internet and finally Internet Explorer to ensure I get my MS updates.

As you can no doubt guess, I keep all my software, browsers, security apps, O/S, etc., religiously updated.

Hi AllenM

I have never installed any software listed by your URL and there is no installation date in "Add and Remove Programs" but I did find where WinPcap is installed, along with its "Installation LOG" dated 10th October 2010 (see below).

WinPcap 4.1.0.2001 Installation LOG

-----------------------------------------------------

Debug Information

Operating system detected on registry: XP - x86

True operating system (kernel.dll):    XP - x86

npptools.dll present on the system:    true

netnm.inf present on the system:       true

nmnt.sys present on the system:        true

End of log

-----------------------------------------------------

Also, I am inclined to believe this WinPcap utility was not installed by malware because, as you said, it would not appear in “Add/Remove Programs”  plus Anti-Malware MalwareBytes is another one of my protective apps that I practically use on a daily basis.

At this point it is best for me to list all the protective apps I use:

1)     NIS2011

2)     NU V14

3)     Anti-Malware MalwareBytes

4)     Ad-Aware

5)     Spybot

6)     MS Malicious Software Removal Tool

7)     Sandboxie

8)     Various Firefox Add-ons, i.e. No Script, Ad Block and some others I can’t remember (I’m at work at the moment).

9)     NAT firewall via my modem-router.

Hi Hugh

I did google "WinPcap" before coming to the forum to find out if "WinPcap" was known as a rogue app or malware and I found the same thing you did, i.e. it is a lightweight network utility.

However, and to answer your question, I don't recall anything or anyone asking for dumped data plus, as I said before, I am a very security minded person and I would not let anyone outside of my home network log onto my PC.  In fact, I had a problem with Norton Utilities recently and Norton's help desk suggested that one of their team log onto my PC, I refused.

Hi JRosenfeld

As with my reply to Hugh, I do not recognise any of those apps as ones that I have used nor do I have plans to use them.

And Finally, Hi Jack (xxJackxx)

I don’t use Wireshark or DownloadStudio but, as I said before, there is a Download manager add-on for Firefox which I recently updated, I’m guessing that it was then that this “WinPcap” utility got installed on my PC.

Thanks for your help guys, I will investigate this further by checking out the Firefox forum to either prove or disprove my idea.

Once again, cheers for your help.

UK Bob

Kudos1

Re: How did WinPcap 4.1.2 get on my PC?

Hi Bob,

If you want, you can safely uninstall WinPcap since you indicate you did not install any of the applications such as Wireshark which needs it.

It seems unlikely that Firefox would have downloaded something like this but please do let us know what you find.

Again, if you want to use SpyBot I would highly recommend disabling the Tea Timer option. Ad-aware is also not recommended.

Best wishes.

Allen

Windows 7 Ultimate SP 1, 64 bit, 32 GB * NIS Vers. 21.5.0.19 * Ghost 15 * IE 9, Firefox, Safari. Test laptop with W7 Home Premium 64 bit * NIS Vers. 21.5.0.19
Kudos1

Re: How did WinPcap 4.1.2 get on my PC?

If you don't want to uninstall WinPCap and if it is a browser addon then you can just disable it in the Browser Tools Manage Add-ons and see if anything misbehaves ..... if not you can uninstall it then.

Hugh
Kudos0

Re: How did WinPcap 4.1.2 get on my PC?

Have you installed Firesheep in Firefox? That also uses it.

Kudos0

Re: How did WinPcap 4.1.2 get on my PC?

Hi Allen, Hugh and Jack

As Christmas is fast approaching, I have decided to hold off  on my research for the moment but instead I have disabled the WinPcap exe file by renaming it old, i.e. rpcapd.exe to rpcapd.old.

Allen, to clear up a misunderstanding, I don't believe Firefox itself needs WinPcap but possibly one of the add-ons I am using, probably one of the download enabling add-ons.

However, now that I have disabled WinPcap I'll see if one of the add-ons stops working.

Hugh, I've taken your advice but changed it around, which I hope will achieve the same ends, I will now wait and indeed watch for any misbehaving Firefox add-ons .

Jack, I've not installed Firesheep but I will now look it up to see what it does.

Thanks for all your help and advice.

UK Bob

Kudos0

Re: How did WinPcap 4.1.2 get on my PC?

<< Hugh, I've taken your advice but changed it around, which I hope will achieve the same ends, I will now wait and indeed watch for any misbehaving Firefox add-ons . >>

Since you have renamed the exe file but left the add-ons active in the browser I would not expect it to have the same result but rather to generate "we can't find the file" messages ....

Hugh
Kudos0

Re: How did WinPcap 4.1.2 get on my PC?

Well Hugh

You are right, but it will tell me which add-on loaded this utility and that is the objective.

Once I know which add-on installed WinPcap I will then decide whether I should keep this utility or delete it.

Cheers

UK Bob

Kudos0

Re: How did WinPcap 4.1.2 get on my PC?

So WinPCap does not show up in Manage Add-ons in any of the areas that tool covers?

Hugh
Kudos0

Re: How did WinPcap 4.1.2 get on my PC?

Hi Hugh

WinPcap does not show up as an add-on or as a separate application, that's why I was so surprised when I found it in "Add/Remove Programs" because I certainly did not install it myself. So I reckon that it must have been installed by something else, such as an update or some other item that I regularly check.

Now, as this WinPcap is a network utility only some sort of download manager could be using it.

The only download managers I know of, installed on my PC, are the add-ons within Firefox.

So, at  the moment, I will have to wait and see which one of the Firefox add-ons gives out an error.

UK Bob

Kudos0

Re: How did WinPcap 4.1.2 get on my PC?

Thanks for taking the trouble to explain all the ins and outs ... Let us know how it develops please.

Hugh
Kudos1

Re: How did WinPcap 4.1.2 get on my PC?


ukbobboy wrote:

Hi Hugh

WinPcap does not show up as an add-on or as a separate application, that's why I was so surprised when I found it in "Add/Remove Programs" because I certainly did not install it myself. So I reckon that it must have been installed by something else, such as an update or some other item that I regularly check.

Now, as this WinPcap is a network utility only some sort of download manager could be using it.

The only download managers I know of, installed on my PC, are the add-ons within Firefox.

So, at  the moment, I will have to wait and see which one of the Firefox add-ons gives out an error.

UK Bob


The core of WinPCap is actually a driver. Renaming the exe probably will have no noticeable effect on your system. It's been a long time since I've personally had WinPCap installed but I'm pretty sure that it should show up in your device list or network adapters list. Disabling WinPCap via one of these routes is more likely to discover the culprit...

Reese Anschultz, Senior Software Quality Assurance Manager, Symantec Corporation
Kudos0

Re: How did WinPcap 4.1.2 get on my PC?

Hi Reese

Thanks for your info, I used it to check the drivers on my USR dial up modem (used for faxing) and my Realtek network card (broadband connection) and I cannot find any driver with the name of WinPcap or rpcapd (with or without the .exe). And since changing the WinPcap (rpcapd) exe to old I have not had any errors or loss of functionality (yet).

But what has got me slightly worried is that WinPcap was installed on my PC on 10/10/2010 when I did not install anything, other than various updates, on that particular date, so I don't know where this utility came from.

I guess that I'll have to wait until something stops working or get some sort of error.

UK Bob
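
The checks suggested across this thread (the Add/Remove Programs entry, the driver Reese mentions, and the file dates JRosenfeld points to) can be combined into one read-only PowerShell script that also lists what else appeared under Program Files around the install time. This is an added example, not something posted by a forum member; the driver service name NPF, the file names npf.sys, wpcap.dll and Packet.dll, and both script parameters are assumptions that do not appear in the thread.

```powershell
# Added example: read-only triage of an unexpected WinPcap install.
# Assumed, not from the thread: driver service name "NPF", file names npf.sys,
# wpcap.dll, Packet.dll, and both parameters below.
param(
    [string]$Pattern = 'WinPcap',   # text to look for in program and folder names
    [int]$WindowHours = 24          # how far either side of the install time to look
)

# 1. Add/Remove Programs entries, 32- and 64-bit registry views.
Write-Host '== Uninstall entries =='
Get-ItemProperty -ErrorAction SilentlyContinue -Path @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*') |
    Where-Object { $_.DisplayName -match $Pattern } |
    Format-List DisplayName, DisplayVersion, Publisher, UninstallString

# 2. The capture driver itself: a kernel driver service, not a startup program.
Write-Host '== Kernel driver =='
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -eq 'NPF' -or $_.PathName -match 'npf\.sys$' } |
    Format-List Name, DisplayName, State, StartMode, PathName

# 3. Creation and modification dates of the installed files.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$paths = @("$env:SystemRoot\System32\drivers\npf.sys",
           "$env:SystemRoot\System32\wpcap.dll",
           "$env:SystemRoot\System32\Packet.dll")
$paths += $roots | ForEach-Object { Join-Path $_ "$Pattern\*" }
$files = @(Get-Item -Path $paths -ErrorAction SilentlyContinue)
Write-Host '== File dates =='
$files | Sort-Object CreationTime |
    Format-Table FullName, CreationTime, LastWriteTime -AutoSize

# 4. What else appeared under Program Files around the same time? A folder
#    created within the window is a candidate for the installer that bundled it.
if ($files.Count -gt 0) {
    $anchor = ($files | Sort-Object CreationTime | Select-Object -First 1).CreationTime
    Write-Host "== Folders created within $WindowHours h of $anchor =="
    Get-ChildItem -Path $roots -Directory -ErrorAction SilentlyContinue |
        Where-Object { [math]::Abs(($_.CreationTime - $anchor).TotalHours) -le $WindowHours } |
        Sort-Object CreationTime |
        Format-Table FullName, CreationTime -AutoSize
} else {
    Write-Host "No files matching '$Pattern' or the assumed driver names were found."
}
```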
