Solved

I don't have Wireshark installed. Why is WinPcap trying to run?

Posted on 2014-12-26
Last Modified: 2014-12-26
I am getting the following repeatedly in my event logs, but Wireshark is not installed. Does anyone have any insight? Am I being attacked?

Event ID 7000: The WinPcap Packet Driver (NPF) service failed to start due to the following error:  The system cannot find the file specified.

Event ID 61703: Mbamchameleon Failed to obtain file name information - C00000BE
0
Question by:mkraemer11
9 Comments
 
LVL 69

Accepted Solution

by:
Qlemo earned 167 total points
ID: 40518653
The latter message is an issue with MalwareBytes' Auto-Protect feature.

PCap might still be "installed", at least as a service, but the binaries already removed. The simple solution is to set the service to disabled. But I would remove the service entry, either by re-installing and uninstalling again, or by removing the entry in the registry, or removing it with sc, ...
0
 
LVL 94

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
ID: 40518671
Also, WinPCap is a separate install from Wireshark. So if you had Wireshark installed and then uninstalled it, WinPCap would stay installed.

Look in Programs and Features for WinPCap and uninstall it.
0
 
LVL 15

Assisted Solution

by:ZabagaR
ZabagaR earned 166 total points
ID: 40518673
Run msinfo32.exe and go to Software Environment -> System Drivers.
Do you see npf listed?

You probably have WinPcap left over in part.

You can manually delete packet.* and wpcap.dll as well as npf.sys, see:
http://superuser.com/questions/527710/how-do-i-remove-an-old-version-of-winpcap

They're trying to manually remove in order to install a newer version of WinPcap but same thing...

How about this from a command prompt?
sc config npf start= disabled

You should get "success" after running that line. Then reboot. Or do sc stop npf from the command line.
0
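The situation the answers above describe, a service entry such as npf that is still registered while its driver file is gone, can be confirmed with a read-only check. This is an added example, not part of any reply in this thread; the function names Resolve-ServiceBinary and Get-OrphanedService are hypothetical, and it assumes an elevated 64-bit PowerShell session. It goes beyond the npf case by listing every service or driver entry whose binary is missing on disk.

```powershell
# Added example: find service/driver registry entries whose binary no longer exists.
# Read-only. Run elevated in 64-bit PowerShell (32-bit sessions see a redirected System32).

function Resolve-ServiceBinary {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    # Quoted path: keep what is between the first pair of quotes
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    # Unquoted path: cut command-line arguments after the binary name
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    # Driver-style prefixes: \??\C:\..., \SystemRoot\..., system32\...
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-OrphanedService {
    param([string]$Name = '*')
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $Name } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            # Entries without an ImagePath value are skipped
            $bin = Resolve-ServiceBinary $props.ImagePath
            if ($bin -and -not (Test-Path -LiteralPath $bin)) {
                [pscustomobject]@{
                    Service   = $_.PSChildName
                    Start     = $props.Start   # 0-2 = boot/system/auto, 3 = manual, 4 = disabled
                    ImagePath = $props.ImagePath
                    Resolved  = $bin
                }
            }
        }
}

# The entry named in the Event ID 7000 message
Get-OrphanedService -Name 'npf'

# Every registered service or driver whose binary is missing
Get-OrphanedService | Format-Table -AutoSize
```

An npf row with a Start value of 0 to 2 means the entry is still set to load at boot even though the file is absent, which matches a repeating Event ID 7000.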
 

Author Comment

by:mkraemer11
ID: 40518709
Wireshark and WinPCap are not currently, nor have they ever been, installed on this PC and therefore could not be uninstalled to leave anything behind. Both event IDs started on 12/17 and have been filling up my logs ever since.

- npf.sys is not present
- winpcap is not in Programs and Features list
- packet.dll is not present in windows/system32
- wpcap.dll is not present in windows/system32
- full search of C: produces no results for either as well.

Any other advice?  Why would it be trying to run when WinPCap is not and has not been installed on this PC?
0
 
LVL 94

Expert Comment

by:John Hurst
ID: 40518718
Look for the Cain Agent install. Maybe someone tried to install the Agent on your computer. This has never happened to me (although I know and have used Cain (oxid.it)). Cain uses WinPCap which is what brings it to mind.

I cannot understand why your system would reference WinPCap if never installed. WinPCap is not a virus, nor is Cain.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40518734
As has been said, WinPcap is used for several products, and probably came with one of them. That you cannot find the files belonging to it does not come as a surprise. But the service might still be there.
And I cannot see how both eventlog entries should be connected.
0
 

Author Comment

by:mkraemer11
ID: 40518744
I don't recall installing anything other than C Cleaner in the past month, but I will take a closer look to see if I just overlooked something.

Thank you all for your quick replies.
0
 

Author Comment

by:mkraemer11
ID: 40518748
Although I don't recall installing anything other than C Cleaner (aside from Microsoft updates) in the past month and can't find any of the associated files, all replies have made me feel better about knowing that I am not under some sort of attack. Split points across the three replies as they were all similar.
0
 
LVL 94

Expert Comment

by:John Hurst
ID: 40518749
Thanks for the update and I was happy to help.
0

Question has a verified solution.
