Thread: WINPCAP spyware/remote monitoring

    johnsin Guest

    Hi, I've been using Zone Alarm's antispyware utility, but today I installed XoftSpy and it immediately pointed me to the following entries:
    (Please see the image for the WinPcap entries it found, flagged at severe level.) (ZA's antispyware didn't find these, however.)

    Can anyone tell me if that is in fact someone remotely monitoring my system, and if so, how can I prevent it using my firewall, as ZoneAlarm hasn't detected nppagent.exe or the WinPcap utility, or blocked any sort of entry like that?

    When I searched for WinPcap on the internet, it says that it bypasses the protocol stack. I'm not sure what this means, but I have CSS Diamond Port Explorer installed, and that doesn't detect any backdoor trojans or remote connections either.

    Can someone confirm whether those entries are in fact dangerous, and why ZoneAlarm hasn't picked them up? Should I be concerned about changing any settings or adjusting my ZoneAlarm settings to deal with the above problem?

    billc Guest

    Being unfamiliar with WinPcap, I did some research like you. What I found were legitimate uses of the process. It has been my experience that if something is a "nasty" process, there will be all sorts of references to security forums and the like. I found no such indications, which leads me to conclude that this is nothing bad. With regard to your Zone Alarm firewall, as long as you did not grant 'access' to a program whose purpose for needing access is unclear to you, I think you are OK. As to why XoftSpy says this is a 'severe' risk, I don't know. What sort of information do you get when you click on the View Details link in XoftSpy?

    johnsin Guest

    The screenshot I posted was the only detail that XoftSpy reported. However, when I click on the reference link, which goes to their website, it classes it as a malicious program with keylogging and monitoring capabilities, etc.

    I searched as well, and as far as I can tell those registry entries seem harmless, although I'm not too sure how good my assessment of registry entries is. I'm a bit paranoid, as my PC was hacked and monitored a while ago when I was using Sygate Pro. I believe Sygate Pro assigns everything server access when you grant a program access, and leaves the rest for the user to figure out: that you have to manually change the automatic server grant to allow only client access (which is very bad in my opinion).

    I have another query also. I use CSS Diamond's Port Explorer along with my ZoneAlarm suite, and am very pleased with the monitoring capabilities I have using these two pieces of software. However, I was wondering: can any backdoor, malicious keylogging program, etc. go unnoticed by ZoneAlarm, bypass the firewall, go undetected by my Port Explorer and transfer data? Is it possible for an application to be totally stealthed from the process viewer and ZoneAlarm? I also have Filemon and Regmon. What would be the clues to look for when searching for invisible applications, if there is a chance that they will go unnoticed by ZoneAlarm and, say, my other utilities? Are all ports covered by my Port Explorer utility, and can anything bypass the basic checks that these programs make when remotely establishing connections or sending data without my knowledge?

    If you could let me know about the questions I asked, I would be extremely grateful. Also, ShieldsUP reports that DNS port 53 is always open; I have a router in between me and my firewall, though. I don't think it's possible to close that port either. I do get occasional port scans coming from that port. Any suggestions?

    billc Guest

    Your Zone Alarm firewall watches everything that leaves your computer, which means the application sending data must have 'access' permission to get out. I'm not going to say it is impossible to get around the Zone Alarm firewall, but the chances are very, very close to nil. Even if some nefarious program tries to hijack a 'trusted' program, Zone Alarm will give you an alert. With your security setup, I would not lose any sleep. And remember, for something to get out, you must first let it in. So practicing safe computing is your first line of defense. Don't open e-mail attachments unless you are sure they are safe, and don't file-share.

    The report you got from ShieldsUP is not unusual when you have a router between your machine and your modem. Worry not.

    johnsin Guest

    Cheers for that, Bill. That made me feel a whole lot more comfortable about my setup, since getting monitored and then abused is not something that is very easy to deal with, especially when you use your PC for all your personal work. I guess, as you said, the chances are low, especially with the new version of ZA, which picks up just about everything, which is fabulous.

    Is it possible, though, for a program to access the internet without any ticks next to it granting permission? (Should I change the ones with question marks to blocks, or leave them until it asks for permission?) I use the manual option, as that gives me more control over my configuration, and I'm currently waiting on a ZA bug fix which enables you to save all your advanced program settings and expert rules, which it fails to do after the first install: whatever you type into the expert rules gets saved after the first install, but it then fails to hold further rules or advanced program rules.

    Sharing is off by default, as I use another application to do that, which is password-protected third-party software. Much more convenient, too.

    Last question: is it possible that my Port Explorer app, which is probably the best out there at the moment, will not pick up port connections? I heard that it can be done if you monitor your connections using netstat. Is that possible, or should I quit worrying as you said (which I have, by 50%)?

    Thanks for that. Looking forward to what you can tell me.


    billc Guest

    I guess you know you can do a lot of monitoring with netstat. But if I were you, I'd stop worrying by 95%. In my view, nothing is always 100%, because there may always be something generally unknown.

    Leave the question marks so you'll know if a program wants access. If the program is on your Program list with a question mark, it cannot access the internet unless you allow it. In fact, Zone Alarm is programmed such that it cannot be allowed by another program (such as a Trojan), but only by the user who is logged in to Zone Alarm via your password. That means even someone with physical access to your computer could not allow access to a program without knowing your password.

    It is always prudent to be alert and suspicious, but I think you're ok.
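    The thread twice circles the same practical question: can a program talk on the network while staying hidden from the process viewer, and what does "monitoring with netstat" actually buy you? One concrete answer is a cross-view check: netstat's PID column and the task list are produced by different code paths, so a connection whose PID matches no visible process is the discrepancy to hunt for. The script below is an added example, not code from this thread or from ZoneAlarm, Port Explorer or XoftSpy. The netstat and tasklist text is constructed sample output in the Windows `netstat -ano` / `tasklist /fo csv` format (PID 3372 is deliberately left out of the task list to simulate a hidden process), and the set of address ranges treated as "inside the LAN" is an assumption of the example.

```python
"""Cross-view check: compare `netstat -ano` against `tasklist /fo csv`.

Added example. A process hidden from a task viewer may still appear by
PID in netstat's output; the script flags connections whose PID matches
no visible process, plus established connections to non-LAN peers and
listening sockets. All input below is constructed sample text, not
output captured from a real host.
"""
import csv
import io
import ipaddress

# Constructed sample: what `netstat -ano` prints on Windows.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.10:1054      64.233.160.99:80       ESTABLISHED     2224
  TCP    192.168.1.10:1071      203.0.113.5:6667       ESTABLISHED     3372
  UDP    0.0.0.0:53             *:*                                    1212
"""

# Constructed sample: what `tasklist /fo csv` prints.  PID 3372 is
# deliberately absent to simulate a process hidden from the task list.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"svchost.exe","812","Console","0","4,812 K"
"svchost.exe","1212","Console","0","3,100 K"
"iexplore.exe","2224","Console","0","21,400 K"
"""

# Assumed "inside the LAN" ranges for this example: RFC 1918, loopback,
# link-local and the unspecified 0.0.0.0/8 used by listening sockets.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def parse_netstat(text):
    """Return one dict per TCP/UDP line of `netstat -ano` output."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or anything unexpected
        proto, local, foreign = fields[0], fields[1], fields[2]
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = "", int(fields[3])  # UDP lines have no State column
        conns.append({"proto": proto, "local": local,
                      "foreign": foreign, "state": state, "pid": pid})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def is_local_peer(endpoint):
    """True for LAN/loopback peers and the '*:*' / 0.0.0.0:0 placeholders."""
    host = endpoint.rsplit(":", 1)[0]
    if host == "*":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def audit(conns, procs):
    """Return (tag, pid, image, proto, local, foreign) findings."""
    findings = []
    for c in conns:
        image = procs.get(c["pid"], "<no visible process>")
        row = (c["pid"], image, c["proto"], c["local"], c["foreign"])
        if c["pid"] not in procs:
            findings.append(("HIDDEN_PID",) + row)   # the cross-view gap
        elif c["state"] == "ESTABLISHED" and not is_local_peer(c["foreign"]):
            findings.append(("EXTERNAL",) + row)     # talking off the LAN
        if c["state"] == "LISTENING" or (c["proto"] == "UDP" and c["foreign"] == "*:*"):
            findings.append(("LISTEN",) + row)       # accepting inbound
    return findings


def run_sample():
    """Run the audit over the constructed samples."""
    return audit(parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE))


if __name__ == "__main__":
    for f in run_sample():
        print("%-11s pid=%-5d %-22s %s %s -> %s" % f)
```

    On a real machine you would feed it the actual output of `netstat -ano` and `tasklist /fo csv` instead of the two samples. The caveat that matches billc's "nothing is 100%": this only catches a process that hides from one view but not the other. A kernel-level rootkit that hooks both the process list and the socket table defeats any check run from inside the same operating system, which is why netstat is a useful cross-check rather than a guarantee.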

