
Thread: Is this really malware?

  1. #1
    Junior Member steveboston's Avatar
    Join Date
    Apr 2013
    Location
    North Queensferry Scotland
    Posts
    2

    Is this really malware?

    Hi, after an update to S&D I get a report of Win32.SonyAgent.NFP. I can't find any info about this and what it does/how it does it. It seems to be new to Spybot scans and others. Normally geek forums etc. have a lot about new malware, so I am puzzled.

    It consists of (on mine anyway) an exe, 2 dlls and 2 reg entries
    C:\WINDOWS\system 32\drivers\npf.sys
    C:\WINDOWS\system 32\Packet.dll
    C:\WINDOWS\system 32\wpcap.dll
    then the reg entries in
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NPF
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NPF

    It rebuilds at next boot after S&D removes it (after removal npf.sys stays, I can't find wpcap.dll and Packet.dll but there is always a Packet.dll_old, so that gets reborn at boot I guess).

    OK, so also why I am puzzled is that after trying to replace the drivers I wound up with a non-booter. I do keep a clone of "C" unplugged and redone every few weeks when everything is running OK. I swapped HDs and there is the SonyAgent (but that was from 5 weeks ago and Spybot, Malwarebytes et al. never found it then; it must have been around a while). Also the only people who seem to be connected with it are CACE Technologies Inc., who LOOK legit. Hmmm! Any more information would be appreciated.

  2. #2
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Hello,

    This is a rookie false positive. Sorry for the inconvenience. And shame on us for not noticing it before it went public.
    These are actually network capture drivers, used for instance by Wireshark.
    This will be fixed with the next detection update, coming up tomorrow, Wednesday 2013-04-24.
    born in the shadow to die in the shadow, that is the fate of the shinobi

  3. #3
    Junior Member steveboston's Avatar
    Join Date
    Apr 2013
    Location
    North Queensferry Scotland
    Posts
    2

    Many thanks Yodama for a prompt reply and for putting my processor at rest on this!

  4. #4
    Junior Member
    Join Date
    Apr 2013
    Posts
    1

    Phew, I just got this too. Good to know it's just a false positive!
