April 30, 2008

Spybot Search and Destroy Definitions Updated on 4/30/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on April 30, 2008:

Adware
+ Wintouch

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax
++ KeyloggerDouglas
++ KeyloggerSpy

Malware Includes fake anti-virus and anti-spyware programs
+ MalwareBell
++ AntiVirProtect
+ IEDefender
++ Killsoft.V2008
+ Win32.BHO.je

PUPS Possibly Un(popular|wanted) Software
+ EuroGrand.Casino.PT
++ Monaco.Gold.Casino.PT


Trojans Includes 4 updated Zlob* Trojan detections
++ BachKhoaAntivirus
++ BaiduBar.HostsRep
++ Delf.Inject
+ Prorat-D
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
++ Win32.Agent.aou
++ Win32.Agent.ay
++ Win32.Mutant.jz.rtk
++ Win32.Shark.ae
+ Zlob.Downloader.bs
+ Zlob.Downloader.se
+ Zlob.Downloader.vet
+ Zlob.Downloader.vdt
++ YMCam

Total: 593837 fingerprints in 154855 rules for 3880 products!

False positive detections fixed this week:
No false positives to report at this time.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista, has a cleaner interface, and ships the updater as a separate window and application. If you are still using version 1.4 I recommend that you upgrade to 1.5.x, using the company links below.

Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First, less privileged users can no longer apply most immunization rules from within their own accounts unless they use the "Run as" command to run the program as an administrator. The workaround is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account (profile) corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.

After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you log in as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude the cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude the Commission Junction and Linkshare detections in the cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).

Another problem being reported is that some versions of Spybot S&D stop with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3, which have only been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but will also perform rootkit searches during a Spybot "Check for problems."

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your hidden System Restore folder, from where they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-enable System Restore, setting a new Restore Point on a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file (or files) due to a faulty detection update (a.k.a. a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, which looks like a first aid kit with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) to the left of the detection name(s) to place a check mark in them, then click on "Recover selected items." The files and/or registry entries will be restored to the locations they were deleted from. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering whether it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers', computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as individuals who benefit from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.



April 27, 2008

My Spam analysis for April 21 - 27, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted spam filters on my website's mail server, which has greatly reduced the amount of spam I see. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 anti-spam tool, MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

My analysis of this week's spam shows that male enhancement pills, Viagra and other pharmaceuticals occupy the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes, pirated software and Google redirect exploits to fake "video codecs" (e.g. the Zlob Trojan and other Trojan Horse executables) falling further behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, is it approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days come from zombie computers, used as spam relays, in various botnets.

As was the case before, the category "Other Filters" has the largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects and senders, such as: one-word subjects, digits-and-consonants senders, various HTML tricks, 2-line spam tricks, and some good old Nigerian 419 lottery and financial fraud scams. The main spam categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 38% for the week ending April 27, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 21 through 27, 2008.
Other filters: (See my MWP Filters page) 34.02%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills): 18.56%
Male enhancement spam (subject and body): 13.40%
Counterfeit clothing and shoes: 9.28%
Blocked Countries: 11.34%
HTML Tricks: 4.12%
Pirated Software: 4.12%
Blacklisted (by pattern matching): 2.06%
Bayesian learning filter: 2.06%
DNS Blacklists: 1.03%
Counterfeit Watches: 0% (4 hits)
Google Redirect Exploits (to hostile downloads): 0% (3 hits)

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

I mentioned in this article that I use MailWasher Pro to screen and filter out spam before it is downloaded to Outlook Express (or your equivalent POP3 email client), and that it allows the use of special pattern matching of senders' addresses to blacklist them. I thought I would share the seven main pattern matching blacklist filters with you. You can use them in MailWasher, if you have it, or on your web site's cPanel, in the account-wide email filters section, if you know how to use that feature. Here are the seven "biggies" that typically block 50%+ of all spam.

I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case. I also apply the same filter rules to my email server, on my website, thus eliminating a sizable percentage of spam without making MailWasher do the work. Those rules are listed below the equivalent MailWasher filters.

My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:

MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message

MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: -
Discard message

MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message

MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message

MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message

MailWasher Blacklist code: +@bestdebtrepair.net
Regular Expression for mail server filter use: .+@bestdebtrepair\.net
Discard message

NEW MailWasher Blacklist code (3/27/08): +@freenet.de
Regular Expression for mail server filter use: .+@freenet\.de
Discard message

Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:

[enabled],[email protected],BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"

Learn more about MailWasher Pro, or Get MailWasher Pro here



April 24, 2008

Spybot Search and Destroy Malware Definitions Updated on April 24, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released a day later than usual, on Thursday, April 24, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are normally released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings, or in this instance, on Thursday. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

While immunizing your computer is generally a good security measure, there may be occasions where the immunization detections break a program you want to use, or block access to a website you choose to visit. If this happens to you after you immunize with new definitions, go to the Immunize tab and run UNDO, to remove the last immunizations. You can also use the checkboxes to selectively undo or redo immunizations. Right-clicking on the immunization list gives you the option to select all or select none, which helps with mass immunizations or undoing mass immunizations. Also, if you are going to uninstall Spybot S&D, always select all immunizations, then click on Undo. This will unblock everything before you delete the program.

Spybot Updates - published every Wednesday, except this week

Additions made on April 24, 2008:

Adware
+ BaiduBar

Keyloggers (Keyloggers steal your logins and passwords)
+ Winsession Logger
++ XPCSpyPro

Malware Includes fake anti-virus and anti-spyware programs
+ ContraVirus
++ Fake.Antispyware.TheSpybot2007
+ MalwareCrush
+ PestTrap
+ Smitfraud-C.
+ SpywareQuake
+ Swizzor
+ TitanShield
+ TrustCleaner
+ VirusBlast
+ VirusBurst
+ VirusProtectPro

PUPS Possibly UnPopular Software
+ 32Vegas.PT (4)
+ Deskbar
+ Europa.Casino.PT (13)
+ Vegas.Red.Casino.PT (20)

Security
+ Microsoft.Windows.AppFirewallBypass
++ Microsoft.Windows.Exefile.HideExtension

Trojans Includes new or updated Zlob* Trojan detections
+ BraveSentry
+ Fraud.ProtectionBar
+ Hupigon (11)
++ Hupigon.evc
++ Hupigon.Gen
+ Nuclearwinter
+ SafetyBar
+ Virtumonde.dll
++ Warpcom
++ Win32.Agent.af
++ Win32.Agent.ip
++ Win32.Agent.vye
+ Win32.Autorun
++ Win32.Backdoor.ajhb
++ Win32.Bifrose.blr
++ Win32.Delf.asz
++ Win32.mIRC
++ Win32.Pakes.cgn
+ Win32.Qhost.ake
++ Win32.Settec
++ Win32.Soundmix
++ Win32.VB.tr
+ Zlob.Downloader.bs (2)

Total: 575727 fingerprints in 137545 rules for 3893 products!

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista, has a cleaner interface, and ships the updater as a separate window and application. If you are still using version 1.4 I recommend that you upgrade to 1.5.x, using the company links below.

NOTE
I just experienced something unusual and I suspect a lot more Spybot S&D users may have this happen also. I normally operate as a Power User, in Windows XP Professional. I switch to my administrator level account to upgrade programs like Spybot S&D and apply system-wide immunization, which cannot be as easily done from a Limited User account. After installing the available updates for March 26, 2008, I ran Spybot and let it remove some cookies it found. After that, having defragged and run Windows Update from the Admin account, I logged off that account and into what I thought was my regular account. When I got there most of my desktop icons were missing, the custom settings were gone and things were not right in "Who-ville." I quickly thought about what might cause this and instinctively I restarted the computer. After logging in at the Welcome screen all of my icons and settings were restored. Whew! If this happens to you, it is caused by the new anti-rootkit plug-ins, as I have since learned. After you update the Spybot S&D program in an Administrator level account, reboot before logging in to a lesser privileged account. This way you won't lose any personalized settings. I hope they fix this soon!

I just found this information posted by a member of Team Spybot, on the official Forum, regarding multiple account computers having profile corruption issues:

That's a problem when you run the update while Spybot-S&D is open. To avoid this completely, just run the updater from the start menu while Spybot-S&D is closed. But as I wrote, a restart will allow login again. 1.5.3 will have it fixed as well.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your hidden System Restore folder, from where they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-enable System Restore, setting a new Restore Point on a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file (or files) due to a faulty detection update (a.k.a. a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, which looks like a first aid kit with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) to the left of the detection name(s) to place a check mark in them, then click on "Recover selected items." The files and/or registry entries will be restored to the locations they were deleted from. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering whether it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers', computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as individuals who benefit from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.



April 20, 2008

My Spam analysis for April 14 - 20, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted spam filters on my website's mail server, which has greatly reduced the amount of spam I see. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 anti-spam tool, MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

My analysis of this week's spam shows that male enhancement pills, Viagra and other pharmaceuticals occupy the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes and Google redirect exploits to fake "video codecs" (e.g. the Zlob Trojan and other Trojan Horse executables) following closely behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, is it approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days come from zombie computers, used as spam relays, in various botnets.

As was the case before, the category "Other Filters" has the largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects and senders, such as: one-word subjects, digits-and-consonants senders, various HTML tricks, 2-line spam tricks, and some good old Nigerian 419 lottery and financial fraud scams. The main spam categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 34% for the week ending April 20, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 14 through 20, 2008.
Other filters: (See my MWP Filters page) 25.88%
Pharmaceutical spam (includes Viagra and Cialis): 11.77%
Known Spam Domains: 11.76%
Blacklisted (by pattern matching): 10.59%
Male enhancement spam (subject and body): 9.41%
Counterfeit clothing and shoes: 8.24%
Other Pills: 7.06%
Google Redirect Exploits (to hostile downloads): 5.88%
One word spam subjects: 3.53%
Re: or Fw: Spammer: 3.53%
DNS Blacklists: 1.18%
Bayesian learning filter: 1.18%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

I mentioned in this article that I use MailWasher Pro to screen and filter out spam before it is downloaded to Outlook Express (or your equivalent POP3 email client), and that it allows the use of special pattern matching of senders' addresses to blacklist them. I thought I would share the seven main pattern matching blacklist filters with you. You can use them in MailWasher, if you have it, or on your web site's cPanel, in the account-wide email filters section, if you know how to use that feature. Here are the seven "biggies" that typically block 50%+ of all spam.

I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case. I also apply the same filter rules to my email server, on my website, thus eliminating a sizable percentage of spam without making MailWasher do the work. Those rules are listed below the equivalent MailWasher filters.

My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:

MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message

MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH:
Discard message

MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message

MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message

MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message

MailWasher Blacklist code: [email protected]
Regular Expression for mail server filter use: .+@bestdebtrepair\.net
Discard message

NEW MailWasher Blacklist code (3/27/08): [email protected]
Regular Expression for mail server filter use: .+@freenet\.de
Discard message

Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:

[enabled],[email protected],BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"

Learn more about MailWasher Pro, or Get MailWasher Pro here


April 19, 2008

Spybot Search and Destroy Definitions Updated on 4/17/2008, to fix incompatibility with SpywareBlaster and Firefox

After people began applying the Spybot Search and Destroy definition updates of April 16, 2008, then immunizing their computers through the Immunize function, those with both Firefox and SpywareBlaster installed began experiencing sudden terminations when trying to open SpywareBlaster. It turns out that one of the definitions in the Spybot immunization database was causing a memory conflict with SpywareBlaster, directly related to a Firefox immunization update. There was a heated discussion about this on the Spybot S & D forum and on April 17, 2008, a second update was released to fix the problem. If you use Spybot S & D, SpywareBlaster and Firefox, and you applied the April 16 updates, you need to download the patched definitions. Use the Spybot Search and Destroy Updater from your Start Menu > Programs to fetch the newest updates, then apply them, then open Spybot's user interface and re-apply immunization for Firefox.

Details
After immunizing Firefox, with the updates from 17/4/08, upon attempting to open SpywareBlaster this error message popped up:

Error: Access violation at 0x005F71FC (tried to read from 0x04F3032C), Program termminated

Some users performed an immunization "Undo" on the Firefox protection only and it worked, just using SpywareBlaster to immunize Firefox. Normally, these programs get along quite well, but this time there was a glitch. I applaud Team Spybot for rushing out a sudden patch to correct this problem, as I also use SpywareBlaster and Firefox on some of my computers and was similarly affected.

For those who don't know the details about these programs, both Spybot Search and Destroy, by Patrick M. Kolla, and SpywareBlaster, by Javacool Software, are well known freeware security programs that have a feature they call "Immunization," which is a proactive form of protection against known hostile ActiveX controls, dangerous domains, browser hijackers and even advertisers' cookies placed by websites you visit. By "Immunizing" after updating you protect against exploits from the controls, files, websites and other items in the definitions. If these unwanted items are already on your computer they are nullified by the immunization. Otherwise, once immunized, these applications cannot install themselves unless you knowingly override your already applied protection, by unchecking a particular immunization rule or by undoing all immunizations en masse.

Both programs require users to perform manual checking for updates, although SpywareBlaster does offer automatic updates for a small fee. Spybot S & D is always updated on Wednesdays and users must run a manual check for updates. I usually do this on Wednesday evenings, or on Thursday afternoon, just in case a faulty definition was released then patched, like just happened here. SpywareBlaster's latest definitions were released on 4/6/2008, so their update schedule is less regular than Spybot's.


April 16, 2008

Spybot Search and Destroy Malware Definitions Updated on April 16, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on April 16, 2008:

Hijackers
++ Dreamgroup.Fakemule

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax (2 variants)

Malware Includes fake anti-virus and anti-spyware programs
++ AntiSpywareDeluxe
++ AntiSpywareShield
+ Awola.Anti-Spyware
+ FakeAlert.cc
+ Smitfraud-C.gp
+ VirusHeat
+ Win32.BHO.je (2)
++ Win32.Agent.bk (2)
++ Win32.Agent.xg (2)

PUPS Possibly Un(popular|wanted) Software
++ 24kt.Gold.Casino.PT
++ 32Vegas.PT
++ 50.Stars.Casino.PT
++ African.Palace.Casino.PT
++ Bakara.Casino.PT
++ Cameo.Casino.PT
++ Carnival.Casino.PT
++ Casino.Bellini.PT
++ Casino.Del.Rio.PT
++ Casino.Las.Vegas.PT
++ Casino.Tropez.PT
++ Casino365.PT
++ CasinoKing.PT
+ CasinoRoyal.PT (100)
++ City.Club.Casino.PT
++ Club.Dice.Casino.PT
++ Craps.com.PT
++ Diamond.Club.Casino.PT
++ Enter.Casino.PT
++ EuroGrand.Casino.PT
++ Europa.Casino.PT
++ Flamingo.Casino.PT
++ Golden.Palace.Casino.PT
++ Grand.Online.Casino.PT
++ Hotel.Casino.Network.PT
++ Indio.Casino.PT
++ Joyland.Casino.PT
++ Kiwi.Casino.PT
++ Magic.Box.Casino.PT
++ Mansion.Casino.PT
++ Mega.Sport.Casino.PT
++ New.York.Casino.PT
++ Playgate.Casino.PT
++ Prestige.Casino.PT
++ Royal.Dice.Casino.PT
++ SIA.Casino.PT
++ Sierra.Star.Casino.PT
++ Sky.Kings.Casino.PT
++ Slots.PT
++ Swiss.Casino.PT
++ USA.Casino.PT
++ Vegas.Red.Casino.PT

Security
+ Microsoft.Windows.AppFirewallBypass
+ Microsoft.Windows.RedirectedHosts

Trojans Includes 4 new or updated Zlob* Trojan detections
+ Hupigon
+ Smitfraud-C.MSVPS
++ Win32.Agent.frl (2)
++ Win32.Banbra.anp
+ Win32.BHO.acw
+ Win32.Bifrose.aci
+ Win32.Delf.zq
++ Win32.Qhost.ake
++ Win32.Shark.if
++ Win32.Small.tnt
++ Win32.Small.vy
++ Win32.VB.bmr
+ Win32.Zhelatin.ah (Storm Trojan)
+ Zlob.DNSChanger
+ Zlob.Downloader.vdt
+ Zlob.VideoAccess
++ Zlob.Downloader.vet

Total: 573372 fingerprints in 136752 rules for 3857 products!

False positive detections fixed this week:
http://www.accessorygeeks.com and .accessorygeeks.com is a false positive, blocked by the HOSTS file additions made when you immunize with the HOSTS file option selected. This has been removed in the current updates for the HOSTS file.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

NOTE
I just experienced something unusual and I suspect a lot more Spybot S&D users may have this happen also. I normally operate as a Power User, in Windows XP Professional. I switch to my administrator level account to upgrade programs like Spybot S&D and apply system-wide immunization, which cannot be as easily done from a Limited User account. After installing the available updates for March 26, 2008, I ran Spybot and let it remove some cookies it found. After that, having defragged and run Windows Update from the Admin account, I logged off that account and into what I thought was my regular account. When I got there most of my desktop icons were missing, the custom settings were gone and things were not right in "Who-ville." I quickly thought about what might cause this and instinctively I restarted the computer. After logging in at the Welcome screen all of my icons and settings were restored. Whew! If this happens to you, it is caused by the new anti-rootkit plug-ins, as I have since learned. After you update the Spybot S&D program in an Administrator level account, reboot before logging in to a lesser privileged account. This way you won't lose any personalized settings. I hope they fix this soon!

I just found this information posted by a member of Team Spybot, on the official Forum, regarding multiple account computers having profile corruption issues:

That's a problem when you run the update while Spybot-S&D is open. To avoid this completely, just run the updater from the start menu while Spybot-S&D is closed. But as I wrote, a restart will allow login again. 1.5.3 will have it fixed as well.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as individuals who benefit from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.


April 13, 2008

My Spam analysis for April 7 - 13, 2008

After taking one week off from analyzing my spam (junk-mail) statistics, I am resuming them this weekend. I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see at all. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool, MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

On to the spam analysis at hand!

My analysis of this week's spam shows that male enhancement pills and other pharmaceuticals have reclaimed the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes and Google redirect exploits to fake "video codecs" (e.g. the Zlob Trojan and other Trojan Horse executables) following closely behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days come from zombie computers, used as spam relays, in various Botnets.

As was the case before, the category "Other Filters" has the largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some good old Nigerian 419 lottery and financial fraud scams. The spam main categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 34% for the week ending April 13, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 7 through 13, 2008.
Other filters: (See my MWP Filters page) 30.23%
Male enhancement spam (subject and body): 11.63%
Blacklisted (by pattern matching): 8.14%
Counterfeit clothing and shoes: 7.39%
Google Redirect Exploits (to hostile downloads): 6.98%
Misc spam to a protected account: 5.81%
One word spam subjects: 4.65%
DNS Blacklists: 4.65%
Pharmaceutical spam (includes Viagra and Cialis): 4.65%
Other Pills: 4.65%
MaxDik spam: 4.65%
Counterfeit Watches: 3.49%
Bayesian learning filter: 1.16%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

I mentioned in this article that I use MailWasher Pro to screen and filter out spam before it is downloaded to Outlook Express (or your equivalent POP3 email client), and that it allows the use of special pattern matching of senders' addresses to blacklist them. I thought I would share the five main pattern matching blacklist filters with you. You can use them in MailWasher, if you have it, or on your web site's cPanel, in the account-wide email filters section, if you know how to use that feature. Here are the 7 "biggies" that typically block 50%+ of all spam.

I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case. I also apply the same filter rules to my email server, on my website, thus eliminating a sizable percentage of spam without making MailWasher do the work. Those rules are listed below the equivalent MailWasher filters.

My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:

MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message

MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH:
Discard message

MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message

MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message

MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message

MailWasher Blacklist code: [email protected]
Regular Expression for mail server filter use: .+@bestdebtrepair\.net
Discard message

NEW MailWasher Blacklist code (3/27/08): [email protected]
Regular Expression for mail server filter use: .+@freenet\.de
Discard message

Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:

[enabled],[email protected],BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"
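The seven sender patterns and the two-sided forged-domain header rule listed in this post (and repeated in the earlier spam report on this page), re-implemented in Python as an added example that is not code from the page, MailWasher or cPanel. It assumes Exim-style Received: headers of the kind a cPanel server writes; the headers, spamdomain.biz and the example.* addresses are constructed, and the two MailWasher codes obscured on the page are labelled by their domain only.

```python
"""Re-implementation of the MailWasher Pro blacklist rules quoted above.

Added example; it is not code from the page, from MailWasher or from cPanel. The
rule names are the MailWasher BlackList codes from the page, the regexes are the
"mail server filter" versions, and all headers below are constructed samples.
"""
import re
from typing import Optional

# The seven sender rules. The page's plain-text equivalent is "FROM: BEGINS WITH",
# so they are anchored at the start of the address with re.match(); applied with
# re.search() the first rule would also delete mail from john_doe@example.org.
FROM_RULES = [
    ("_+@+.+", re.compile(r"_.+@.+")),
    ("-+@+.+", re.compile(r"-.+@.+")),
    ("dw+m@+.+", re.compile(r"dw.+m@.+")),
    ("lin+met@+.de", re.compile(r"lin.+met@.+\.de")),
    ("tequil*a+@+.com", re.compile(r"tequil.*a.+@.+\.com")),
    ("@bestdebtrepair.net", re.compile(r".+@bestdebtrepair\.net")),  # code obscured on page
    ("@freenet.de", re.compile(r".+@freenet\.de")),                  # code obscured on page
]

# The EntireHeader rule: a domain taken from an "@" in a Received: line (group 1,
# its first label in group 2) must reappear in a later From: line, with that first
# label also embedded in the local part: <xx<label>yy@<domain>>. MULTILINE lets ^
# match at each header line; DOTALL lets .* run from the Received: line to From:.
FORGED_BOTH_SIDES = re.compile(
    r"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1",
    re.MULTILINE | re.DOTALL,
)


def first_matching_rule(from_addr: str) -> Optional[str]:
    """Return the MailWasher code of the first sender rule that fires, or None."""
    for code, rule in FROM_RULES:
        if rule.match(from_addr):
            return code
    return None


def forged_domain_both_sides(headers: str) -> bool:
    """True when the EntireHeader rule would auto-delete the message."""
    return FORGED_BOTH_SIDES.search(headers) is not None


def classify(headers: str) -> str:
    """Apply the sender rules to the From: address, then the header rule."""
    m = re.search(r"^From:.*?<([^>]+)>", headers, re.MULTILINE)
    if m is None:
        m = re.search(r"^From:\s*(\S+@\S+)", headers, re.MULTILINE)
    addr = m.group(1) if m else ""
    code = first_matching_rule(addr)
    if code:
        return f"Delete ({code})"
    if forged_domain_both_sides(headers):
        return "Delete (forged domain both sides)"
    return "Keep"


def _headers(envelope_from: str, from_line: str) -> str:
    """Exim-style headers like a cPanel server writes; the envelope sender in the
    Received: line supplies the "@domain" that the header rule keys on."""
    return (
        "Received: from [192.0.2.10] (helo=relay.example.com)\n"
        "\tby mail.example.org with esmtp (Exim 4.69)\n"
        f"\t(envelope-from <{envelope_from}>)\n"
        "\tfor victim@example.org; Sun, 13 Apr 2008 10:00:00 -0400\n"
        f"From: {from_line}\n"
        "Subject: hello\n"
    )


# Constructed samples. spamdomain.biz is invented; example.* are reserved names.
SPAM_HEADERS = _headers("ghspamdomainqr@spamdomain.biz",
                        '"Special Offer" <ghspamdomainqr@spamdomain.biz>')
LEGIT_HEADERS = _headers("alice@example.net", "Alice <alice@example.net>")
# A real user whose mailbox name happens to contain the domain label is deleted
# too, which is why the page tells you to put contacts on the Friends List first.
FALSE_POSITIVE_HEADERS = _headers("myexamplemail@example.net",
                                  "Me <myexamplemail@example.net>")

if __name__ == "__main__":
    for label, hdrs in [("spam", SPAM_HEADERS), ("legit", LEGIT_HEADERS),
                        ("legit but matched", FALSE_POSITIVE_HEADERS)]:
        print(f"{label:18s} -> {classify(hdrs)}")
```

The third sample shows the false-positive risk of the backreference rule: any correspondent whose mailbox name contains their own domain label is auto-deleted along with the forgers.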

Learn more about MailWasher Pro, or Get MailWasher Pro here


April 10, 2008

Spybot Search and Destroy Malware Definitions Updated on April 9, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on April 9, 2008:

Hijackers

+ CnsMin
+ CoolWWWSearch.OleHelp

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax
+ FreeKeylogger
+ Perfect Keylogger

Malware Includes fake anti-virus and anti-spyware programs
++ AntiSpyKit
+ AntiVerminsPro
+ FakeAlert.cc
++ Fake.PC-Antispyware
++ PCCleaner
++ PlatinumPartner
+ Smitfraud-C.
++ Win32.Agent.pn
+ Win32.BHO.je
++ Win32.Krotten.ex
+ Win32.Renos
++ Win32.VB.bpv

Trojans Includes 67 new or updated Zlob* Trojan detections!
+ BackOrifice2k
+ Hupigon
++ Hupigon.dsx
+ Smitfraud-C.MSVPS
++ Win32.Agent.agx
++ Win32.Agent.AQ
++ Win32.Agent.bno
++ Win32.IRCBot.auf
++ Win32.Poison.pg
++ Win32.VB.aqt
++ Win32.Webmoner.co
+ Zlob.AdultAccess
+ Zlob.BrainCodec
+ Zlob.DigiPassword
+ Zlob.DirectVideo
+ Zlob.DNSChanger.rtk
+ Zlob.Downloader.bs
++ Zlob.Downloader.idt
+ Zlob.Downloader.mld
+ Zlob.Downloader.se
+ Zlob.Downloader.sg
+ Zlob.Downloader.vdt
++ Zlob.Downloader.vot
+ Zlob.EliteCodec
+ Zlob.FreeVideo.DVDCodec
+ Zlob.GoldCodec
+ Zlob.HomepageMonitor
+ Zlob.HQCodec
+ Zlob.HQvideo
+ Zlob.iCodecPack
+ Zlob.ImageActiveXAccess
+ Zlob.ImageActiveXObject
+ Zlob.ImageAXObject
+ Zlob.iMediaCodec
+ Zlob.IVideoCodec
+ Zlob.JPEG-Encoder
+ Zlob.KeyCodec
+ Zlob.KeyGenerator
+ Zlob.Mediacodec
+ Zlob.MMediaCodec
+ Zlob.MovieBox
+ Zlob.MovieCommander
+ Zlob.MPVideoCodec
+ Zlob.MyPassGenerator
+ Zlob.NewMediaCodec
+ Zlob.PerfectCodec
+ Zlob.PornMagPass
+ Zlob.PornPassManager
+ Zlob.PowerCodec
+ Zlob.PPlayer
+ Zlob.PrivateVideo
+ Zlob.QualityCodec
+ Zlob.SilverCodec
+ Zlob.SiteEntry
+ Zlob.SiteTicket
+ Zlob.SoftCodec
+ Zlob.strCodec
+ Zlob.SuperCodec
+ Zlob.TrueCodec
+ Zlob.VAXCodec
+ Zlob.Vcodec
+ Zlob.VidCodec
+ Zlob.VideoAccess
+ Zlob.VideoAccessActiveXObject
+ Zlob.VideoActiveXAccess
+ Zlob.VideoActiveXObject
+ Zlob.VideoAXObject
+ Zlob.VideoBox
+ Zlob.VideoCodec2007
+ Zlob.VideoCompressionCodec
+ Zlob.VideoKeyCodec
+ Zlob.VideoPlugin
+ Zlob.WinMediaCodec
+ Zlob.XpassGenerator
+ Zlob.XPasswordManager
+ Zlob.ZCodec
+ Zlob.ZipCodec

Total: 578031 fingerprints in 129018 rules for 3855 products!

False positive detections fixed this week:
http://www.accessorygeeks.com and .accessorygeeks.com is a false positive, blocked by the HOSTS file additions made when you immunize with the HOSTS file option selected. This will be removed in the next update cycle, or you can manually edit your HOSTS file and remove this domain from being redirected to 127.0.0.1 (your local machine IP).

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

NOTE
I just experienced something unusual and I suspect a lot more Spybot S&D users may have this happen also. I normally operate as a Power User, in Windows XP Professional. I switch to my administrator level account to upgrade programs like Spybot S&D and apply system-wide immunization, which cannot be as easily done from a Limited User account. After installing the available updates for March 26, 2008, I ran Spybot and let it remove some cookies it found. After that, having defragged and run Windows Update from the Admin account, I logged off that account and into what I thought was my regular account. When I got there most of my desktop icons were missing, the custom settings were gone and things were not right in "Who-ville." I quickly thought about what might cause this and instinctively I restarted the computer. After logging in at the Welcome screen all of my icons and settings were restored. Whew! If this happens to you, it is caused by the new anti-rootkit plug-ins, as I have since learned. After you update the Spybot S&D program in an Administrator level account, reboot before logging in to a lesser privileged account. This way you won't lose any personalized settings. I hope they fix this soon!

I just found this information posted by a member of Team Spybot, on the official Forum, regarding multiple account computers having profile corruption issues:

That's a problem when you run the update while Spybot-S&D is open. To avoid this completely, just run the updater from the start menu while Spybot-S&D is closed. But as I wrote, a restart will allow login again. 1.5.3 will have it fixed as well.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering whether it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers', computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as individuals who benefit from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S&D website. Think seriously about using it. Send what you can.


April 9, 2008

Routers with passwords still vulnerable to hack attacks

This is a follow-up to two articles I published earlier this year. They both dealt with an attack against 2Wire brand modems used in Mexico; the first article was titled "Hackers exploit vulnerability in 2Wire modems to steal Mexican bank accounts" and the second "2Wire Modem DNS Poisoning Attack Returns to Mexico." In both of those articles I urged owners of the affected models of these and other brands of modem/router combinations to change the default administrator password, which is blank by default. By creating a personal password the scripted attacks described in those articles will fail, as they rely upon a blank, or known default, password to gain access to the configuration pages.

Yesterday I learned about a new technique, being tested by security professionals and hackers alike, by which a 2Wire modem can still be hacked after a personal administrator password has been applied to it! The exploit may already be in the wild, on MySpace, Facebook or other popular social networking websites, or soon will be. The technique is not brute force, nor a dictionary attack; it is what I'd call a chance opportunity attack. It works by launching a script, from a web page open in your browser, at your router's configuration page, in the hope that you have recently logged into the router in that same browser session. If you have logged into your router and not closed that browser in the interim, and you happen upon a web page that contains the JavaScript exploit code, your router can be taken over! This happens because, having logged in once and not logged out, you are still authenticated to the router, and anything an attacker wants to change is only a mouse click, or a code string, away. Most consumer modem/routers and wireless routers present no further challenge. After gaining access to the configuration utility, a hacker's code can change your router's administrator password, poison the DNS tables (to redirect you to phishing websites), enable remote administration, download hostile firmware, and do anything else the hacker can think of. You wouldn't be any the wiser until you closed that browser, then tried to log in again, only to find that your password was rejected.

Should this type of attack happen to you and you find yourself locked out of your router, or modem/router, configuration page, don't panic yet. The first thing to do is reset the router to its default state. Most routers have a small hole on the back where you can insert the tip of a pen, pencil or hair pin; hold it in for half a minute or so, then power off, hold it in again, then release the button and power the unit back on. After the device stabilizes you should be back to factory default settings. Close any open browsers to clear any possible hostile sessions and empty your browser's cache, or Temporary Internet Files. Next, open a new browser window, enter the web interface for your router and change the administrator password, disable remote administration and UPnP, then, if at all possible, change the router's IP address. Do not open any other web pages yet; they could have hostile code embedded without the owner's knowledge.

The last item I mentioned is important because many router or modem attacks have hardcoded IP addresses in the scripts, which will target specific brands of routers. Some will target the address 192.168.1.254, used by 2Wire and certain other routers. If your router will allow you to alter its IP address, do so and save the changes, then log in using the new IP. For instance, if the default IP is 192.168.1.254, change it to something like 192.168.2.253. Be creative here. As long as you change it to a valid LAN IP, in the 192.168 range, it should accept it. When you restart the router, after saving the change, you will probably have to release and renew the computer's IP address to get a new one from the changed router. To do this open a command prompt: go to Start > Run, type in CMD, then press the Enter key. A black command window should open, with a blinking cursor after a text path ending in a > symbol.

At the blinking cursor type the following commands:

IPCONFIG /RELEASE    (then press Enter)
IPCONFIG /RENEW      (then press Enter)

The last command will show your computer's new IP address as well as the IP of the gateway, which is your router (or modem/router). The gateway IP should be the same as the one you just assigned to your router.

Go back to your browser and try to log into the router again, using the new IP address you assigned to it. You should have to type in your user name and password to get authenticated. Once you are successful and have checked everything that needs checking, close that browser. From now on, until all of the major router manufacturers update their firmware to force you to type your old password before changing it, always close all browsers after visiting the router's web interface. Empty your browser's cache before surfing to any other websites, just in case they have been compromised with hostile code aimed at your router.
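Here is what the firmware fix asked for above looks like in code. This is an added example written for this article, not the article's own code nor any router vendor's. RouterAdmin is a hypothetical model of a router's password-change handler, shown first the way the article describes routers behaving today (any request that carries the login cookie is obeyed) and then hardened so that a request launched from another web page fails three separate checks: it must come from the router's own origin, it must carry a per-session token that only the router's own page can supply, and it must repeat the old password. ROUTER_ORIGIN assumes the admin pages are served from the 192.168.1.254 address mentioned above.

```python
"""Session-riding against a router admin page: legacy behaviour vs. hardened handler.

Added example, not the article's or any vendor's code. RouterAdmin is a
hypothetical stand-in for a router's web back end.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumption: the admin interface lives at the LAN address named in the article.
ROUTER_ORIGIN = "http://192.168.1.254"


class RouterAdmin:
    def __init__(self, admin_password: str) -> None:
        self._password = admin_password
        self._sessions: Dict[str, str] = {}  # session cookie -> per-session CSRF token

    def login(self, password: str) -> Optional[str]:
        """Return a session cookie value on success, None otherwise."""
        if not self.check_password(password):
            return None
        sid = secrets.token_hex(16)
        self._sessions[sid] = secrets.token_hex(16)
        return sid

    def csrf_token(self, sid: str) -> Optional[str]:
        """Token embedded in the router's own admin page; script on another site cannot read it."""
        return self._sessions.get(sid)

    def logout(self, sid: str) -> None:
        """Closing the browser, as the article advises, has the same effect: the session is gone."""
        self._sessions.pop(sid, None)

    def check_password(self, password: str) -> bool:
        # Constant-time comparison so a wrong guess takes as long as a right one.
        return hmac.compare_digest(password.encode(), self._password.encode())

    # Legacy behaviour described in the article: whoever holds the cookie is obeyed.
    def change_password_legacy(self, sid: str, new_password: str) -> Tuple[bool, str]:
        if sid not in self._sessions:
            return False, "not logged in"
        self._password = new_password
        return True, "password changed"

    # Hardened handler: the checks a request from a third-party page cannot pass.
    def change_password(self, sid: str, origin: Optional[str], csrf_token: Optional[str],
                        old_password: Optional[str], new_password: str) -> Tuple[bool, str]:
        token = self._sessions.get(sid)
        if token is None:
            return False, "not logged in"
        # 1. The request must be submitted from the router's own pages.
        if origin != ROUTER_ORIGIN:
            return False, "cross-origin request rejected"
        # 2. It must carry the per-session token, which only the router's page knows.
        if csrf_token is None or not hmac.compare_digest(csrf_token.encode(), token.encode()):
            return False, "missing or wrong CSRF token"
        # 3. The old password must be re-entered (the firmware fix the article asks for).
        if old_password is None or not self.check_password(old_password):
            return False, "old password required"
        self._password = new_password
        return True, "password changed"


if __name__ == "__main__":
    router = RouterAdmin("s3cret")
    sid = router.login("s3cret")
    # A request that carries only the cookie: obeyed by the legacy handler, refused by the new one.
    print(router.change_password_legacy(sid, "changed-by-legacy"))
    print(router.change_password(sid, "http://some-other-site.example", None, None, "x"))
```

The per-session token is the check that matters most: a page on another site can make your browser send the cookie, but it cannot read the token out of the router's own page. The origin check is a second line of defence only; browsers of this era do not always send an Origin header, so a real implementation should reject a missing Origin or fall back to checking Referer. Note that logout() is exactly what closing all browser windows achieves: once the session entry is gone, even a perfectly formed request is refused.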

If you have visited your online bank, or other financial institution, contact them as soon as possible to put a fraud watch on your account. Then, after securing your (modem) router, log in again to these websites and change your passwords. Hopefully, you will notice the problem with the router before the hackers receive your login details and empty your accounts.

Make it a point to visit the website of your router's (or modem-router's) manufacturer to look for new firmware, and install it when it becomes available. If you do not know how to do this, call your broadband service provider, who supplied the router, and ask them what they are doing to safeguard their routers. They may offer a flash upgrade on demand and may even do it without notifying you first. If that does occur, your personal settings and administrator password may have been reset to default again, along with the IP address you changed. This is typical for firmware updates, but I can't say for sure that your exact model will get reset completely by an upgrade. Just write down everything you know about the router's login and IP address, or save the configuration file after you have everything where you want it, and import it after you flash the firmware. Always verify your settings and make sure you are able to connect to the net before closing the router interface. Exit all browser windows afterward and clear the cache/Temporary Internet Files before starting to surf. I have detailed instructions in the extended comments below for automatically clearing your browser's cache when you close all browser windows.

Clearing your browser's Temporary Internet Files, or "Cache"

Different brands and versions of web browsers provide different means of clearing the temporary files they save as you browse the Internet, or when you log in to your router to inspect or alter any settings. Most allow you to automatically empty your Temporary Internet Files, or the browser cache and authenticated sessions, when you close your browser. Below are the details for clearing these caches in Internet Explorer, Firefox and Opera.

Internet Explorer

You can do this in two ways. The simplest is to have the browser open and click on Tools > Internet Options. When the Internet Options window opens click on the Advanced tab. Scroll down to the section labeled "Security." There you will see a checkbox item labeled "Empty Temporary Internet Files folder when browser is closed." Place a checkmark in that option, then click on the Apply button at the bottom right. Look over the other options and make any changes you want, then click OK to close the Internet Options window. When you close all of your browser windows, all of the temporary files saved as you browse will be deleted, except for cookies. Those are dealt with in the Privacy section of Internet Options. Session cookies are temporary cookies that are only meant to live during an authenticated, logged-in session. You should allow session cookies if you don't want to have to retype your user name and password for every page you visit on a website where you have to log in.

The second way you can do the same thing is to click on the Start button > Settings > Control Panel and locate your Internet Options icon. Different versions of Windows may display this icon alphabetically, in Classic View, or hide it inside another section, in Web View, of Control Panel. Once you find the Internet Options icon double-click on it to open the properties sheets.

Firefox

Firefox has an option to automatically clear your private data when you close the browser, which is accessed under the menu-bar item "Tools" > Options. When the Options sheet opens click on the "Privacy" tab, then in the section labeled "Private data" place a checkmark in "Always clear my private data when I close Firefox." Now, click on the Settings button to the right of that option and choose which items you want to delete when you close Firefox. I would recommend Cache and Authenticated Sessions. Click OK to save your preferences and close the Options. Your cache files and logged-in sessions will be cleared each time you close all Firefox browser windows.

Opera

If you use a current version of the Opera browser you can instruct it to automatically empty its cache in this manner. With the browser open click on "Tools" > "Preferences." When Preferences opens click on the "Advanced" tab. In the left sidebar click on the word "History." This will open options for your browsing history, including a checkbox labeled "Empty on exit." Check that box, then make any other changes you want, then click OK to save your preferences and close the Preferences window.

In all of the above listed browsers your temporary internet files, or cache will only be cleared if you close all open browser windows, from each brand of browser. If you use Firefox and have the Downloads window open, then close the main browser, your Authenticated Sessions and cache will not be cleared, until you close the Downloads window. If a second instance of any browser is open, closing one, but not both will result in the cache not being cleared. You have to shut them all down to clear your Cache/Temporary Internet Files.

Use your HOSTS file to protect your 2Wire modem-router from being accessed by its host name.

Hackers can access a 2Wire modem-router by calling it by a host name, such as http://gateway.2wire.net or http://home, or by its IP address: http://192.168.1.254. If you have changed the modem-router's IP address you have closed off only one of three attack vectors. Unless you also change the name-to-address mapping of HOME and gateway.2wire.net, you are still vulnerable to a non-directed attack against these host names. You can easily change this mapping on a Windows computer by editing a file with the unique file name HOSTS. This file is usually located in your system32 directory, in the Drivers sub-directory, inside a folder named "Etc." If Windows is installed on your C drive, in a directory named Windows, the path to HOSTS is as follows:

C:\Windows\System32\Drivers\Etc\HOSTS

HOSTS can be opened in any plain ASCII text editor, such as Windows Notepad, or in HostsFileReader, by Option^Explicit, or with HostsMan. After you edit your HOSTS file you must save the changes, but, if you are using Notepad, you have to follow these special instructions to save the file correctly.

After making changes to HOSTS in Windows Notepad, or any other text editor, you must not simply Save, but instead use "Save As." When the Save as window opens you must first go to the section labeled "Save as type" and change it to "All Files." Next, change the "Encoding" to ANSI, then make sure the file name is HOSTS without any extension. Then click Save.

Here are the additions to make to your HOSTS file to protect against a 2Wire modem attack using host names. Add them under 127.0.0.1 localhost, using the TAB key to space the host name after the IP address. Enter the bare host names only, with no http:// prefix and no trailing slash; an entry such as "home/" is not a valid host name and would not match a lookup for "home".

127.0.0.1      localhost
127.0.0.1      home
127.0.0.1      gateway.2wire.net

Save these changes to HOSTS and reboot the computer. From now on you will have to type in the IP address of the router interface to access it. If you have the default IP of http://192.168.1.254, it would be best to change this to a randomly chosen RFC 1918 private address (10.X.X.X, 192.168.X.X, or 172.16.X.X through 172.31.X.X) to protect against an IP-address-based attack. Something like 192.168.2.253 is a good starting point, but it could be just a different IP in the same subnet, like 192.168.1.221. Don't forget to release and renew your computer's IP after changing the router's own IP, as described in the 5th paragraph of this article.
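A quick way to confirm the HOSTS edit took, before trusting it, is to audit the file rather than eyeball it. The following is an added example, not part of this article: it parses HOSTS text, accepts only well-formed "IP  name" entries, and reports whether each router name is mapped to 127.0.0.1. It also flags names that were copied with a slash or a scheme (the way they appear in a browser address bar), since such a token is not a valid host name and would not match a lookup for the bare name. ROUTER_NAMES comes from the article; the two sample files are constructed.

```python
"""Audit a Windows HOSTS file for the router host-name overrides.

Added example, not part of the article. Works on HOSTS text read from
C:\\Windows\\System32\\Drivers\\Etc\\HOSTS or, as here, on constructed samples.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Host names the article says the modem-router answers to (besides its IP).
ROUTER_NAMES = ("home", "gateway.2wire.net")

# One or more DNS labels of letters, digits and interior hyphens; no slashes, no scheme.
_HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$", re.I)
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _entries(text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (address, [name tokens]) for each non-blank, non-comment HOSTS line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def parse_hosts(text: str) -> Dict[str, str]:
    """Map lower-cased host name -> IPv4 for every well-formed entry (IPv6 lines are skipped)."""
    mapping: Dict[str, str] = {}
    for ip, names in _entries(text):
        if not _IPV4_RE.match(ip):
            continue
        for name in names:
            if _HOSTNAME_RE.match(name):
                mapping[name.lower()] = ip
    return mapping


def audit_hosts(text: str, names=ROUTER_NAMES) -> Tuple[Dict[str, str], List[str]]:
    """Return ({name: 'blocked' | 'unblocked' | 'mapped to <ip>'}, [malformed name tokens])."""
    mapping = parse_hosts(text)
    malformed = [tok for _, toks in _entries(text) for tok in toks if not _HOSTNAME_RE.match(tok)]
    status: Dict[str, str] = {}
    for name in names:
        ip = mapping.get(name.lower())
        if ip == "127.0.0.1":
            status[name] = "blocked"
        elif ip is None:
            status[name] = "unblocked"
        else:
            status[name] = f"mapped to {ip}"
    return status, malformed


# Constructed sample files: the first copies the names with a trailing slash by mistake.
HOSTS_WITH_SLASHES = "127.0.0.1\tlocalhost\n127.0.0.1\thome/\n127.0.0.1\tgateway.2wire.net/\n"
HOSTS_CORRECT = "127.0.0.1\tlocalhost\n127.0.0.1\thome\n127.0.0.1\tgateway.2wire.net\n"

if __name__ == "__main__":
    for label, text in (("with slashes", HOSTS_WITH_SLASHES), ("correct", HOSTS_CORRECT)):
        print(label, audit_hosts(text))
```

Run it against the real file after saving with Notepad's "Save As" instructions above; a status of "unblocked" together with entries in the malformed list almost always means the names were pasted with a slash or an http:// prefix, and "mapped to" some other address means an earlier HOSTS entry (or a HOSTS-managing tool) is still pointing the name at the router.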

I will post another follow-up to this after I learn more about the new exploits being tested, along with any news about firmware updates from 2Wire and other manufacturers, to protect against password changes without knowing the old password.


April 6, 2008

Exim Spam Filters for Websites with CPanel


If you have a website that uses cPanel as the control panel and it has email filtering enabled, on an account-wide basis, the rules below will reduce the amount of spam you see, dramatically.

First of all, you should be aware that not all cPanel icon layouts are the same, nor are all of the same options available from various hosting companies. I have my websites hosted at Bluehost and enjoy lots of user configurable options, including account-wide user-created email filter rules. I gain access to the email filters by following this path: Login to cPanel > "Home" > "Mail" section > "Account Level Filtering" icon. This opens a new cPanel page with the heading "Edit Filters for All Mail On Your Account" and the note "In this area you can manage filters for your main account. Note, that if you have add-on domains hosted under the main account, their email accounts will also be covered by these filters." My cPanel also has an icon that, when clicked upon, allows me to create filters on an individual account basis. This way I can apply more restrictive rules to the accounts receiving the most spam, leaving the others to be filtered less drastically.

For simplicity's sake I have grouped all of my various account rules into one set, which can be applied site-wide. You'll still see some spam, but not nearly as much as you did before applying these rules.

On the cPanel "Account Level Filtering" page, click the button labeled "Create a new Filter." The first input field is labeled: "Filter Name:" and you should type in the name you want to assign to each rule, or use mine, shown below. Each rule must have a unique filter name.

The next section down is labeled "Rules" and is where you select the various criteria for the rules. The options list on the left is where you choose which part of the email message the rule on that line will apply to. Use the down-arrow button to open the options list. Most commonly used filter selections are: "From, Subject, To, Body and Any Header."

The options list on the right side of Rules section determines how that rule will be applied. The options in the flyout list are: "Equals, Matches Regex, Contains, Does Not Contain, Begins With, Ends With, Does Not Begin With, Does Not End With, Does Not Match."

The actual rule text goes into the input field under the flyout options. Type, or copy and paste my rules below, into the input field for each rule. Next, under Actions, choose Discard Message, then click on the button labeled: "Activate." You will be taken to a page reporting that rule "such and such" was successfully created, and which contains a button to take you back to the main Filters page. There, under "Filter Test," you can test your rules in the test message area. Just enter text, or headers to be tested into the appropriate section, adding to or replacing what is already there, then press the "Test Filter" button. The results page will tell you what, if any filter rule has been matched and that the results would be a delivery to "/dev/null" (the bit bucket).

If the results of a filter test are "Normal Delivery," for a filtered spam message, something is wrong with your input selections. Use the Edit button next to the filter that should have applied and check your options settings and look for typos in the actual rule text. Save changes by clicking the Activate button, then test again. You'll get it right eventually. Trust me, I know - I've gone through this already.

Every rule group has a plus and a minus button on the right side. These are used to add additional criteria to the rule set. Plus adds a new rule, while minus removes the last rule. Each rule can apply to a different part of the message and have a different matching criteria. Theoretically, one could apply all of my rules to one filter set, but that would make it very hard to debug if legitimate email gets sent to the bit bucket in the sky. Keep the rules separate and properly labeled to make it easy to edit or remove them, if it becomes necessary.

See my extended comments in the section below, for the actual rules.

Wizcrafts' cPanel spam filter rules

The # sign indicates the title of the spam filter rule. Copy and paste it into the Filter Name field.

The words on the next line, beginning with a $ and sometimes ending with a colon, followed by a space, indicate the criteria selection option (what part of the message to apply the rule to). E.g. "$From:" indicates that the rule is to be applied to the From field in the email message, while "$message_headers" means any header.

The word following the criteria descriptor, followed by a space, is the type of match to be performed; such as: "contains, equals, or matches."

Finally, the actual rule text, or regular expression, will follow the method criteria, and will be enclosed in quotes, which should be removed (the quote marks). e.g: "<(_|-).+@.+>" should be pasted in as: <(_|-).+@.+>

If there are multiple rules in one set they will appear on a new line, preceded by the word "or."

Please check the criteria in each rule to see if any of them may apply to legitimate messages you might normally receive. For instance, if you receive email from senders having email accounts at freenet.de, you won't want to use the rule that deletes those messages! These rules were developed in the USA, based on my own preferences, and may not agree with yours. Feel free to edit, or delete any rules that you don't think are safe in your situation. Any message sent to /dev/null is unrecoverable.

I apologize in advance for the duplications in the list below. I merged both site wide and an individual account into one group, which resulted in some duplicate rules, or rules that override others. At least the overrides will block the unwanted sender domains.

#Forged sender begins with dash or underscore
$From: matches "<(_|-).+@.+>"

#German domain sender
$From: matches ".+@.+\.de"

#From: .cn
$From: matches ".+@.+\.cn"

#From: yahoo.fr
$From: contains "@yahoo.fr"

#server4you.de in Any Headers
$message_headers contains "server4you.de"

#From: @yahoo.co.in
$From: contains "@yahoo.co.in"

#Debt consolidation
$header_subject: contains "debt consolidation"

#Blocked Country From domains
$From: matches ".+@.+\.(ru|es|th|sk|pl|co\.uk|ro)"

#Dearest Friend
$header_subject: matches "^Dearest\ Friend,?"

#Blocked country in headers
$message_headers contains ".tpnet.pl"

#From: yahoo.co.uk
$From: matches ".+@yahoo\.co\.uk"
or $reply_address: contains "@yahoo.co.uk"

#Known Spam Subjects
$header_subject: contains "RE: Discount. Coupon #"
or $header_subject: contains "student loan"
or $header_subject: contains "CONTACT FEDEX EXPRESS COURIER COMPANY"
or $header_subject: contains "CONTACT HER IMMEDIATELY"
or $header_subject: matches "debt\ cons[io0]lidation"
or $header_subject: matches "[7-9][0-9]%\ discount\.\ Coupon\ #"
or $header_subject: contains "YOUR CONTRACT PAYMENT"
or $header_subject: contains "Contact FedEx Service Courier Company"

#From yahoo.it - yahoo.in
$From: matches ".+@yahoo\.i[nt]"

#The United States National Medical Association
$header_subject: contains "The United States National Medical Association"

#The Ultimate Online Pharmaceutical
$header_subject: contains "The Ultimate Online Pharmaceutical"

#Block Nigerian senders in the 82.128.0.0/16 CIDR
$message_headers contains "Received: from [82.128."

#Block IPPlanet satellite service to Nigeria: 81.199.0.0/16
$message_headers contains "Received: from 81.199."

#Block Russian Senders in 89.178.0.0/16 CIDR
$message_headers contains "Received: from 89.178."

#From: mail.ru
$From: matches ".+@mail\..*ru"

#Received from Brazil
$message_headers matches "^Received:\ from\ .+\.dsl\.telesp\.net\.br\ "

#From: matches dw.+m@.+
$From: matches "dw.+m@.+"

#From: matches lin.+met@.+\.de
$From: matches "lin.+met@.+\.de"

#From: matches tequil.?a.+@.+\.com
$From: matches "tequil.?a.+@.+\.com"

#From begins with dash or underscore
$From: begins "-"
or $From: begins "_"
or $From: matches "^(_|-).+@.+"

#Admin ® Official Site
$From: contains "Admin ® Official Site"

#Freenet.de
$From: matches ".+@freenet\.de"

#Blocked Countries in Headers
$message_headers matches "Received:\ from\ .+\.adsl\.tpnet\.pl"
or $message_headers matches "Received:\ from\ .+\.veloxzone\.com\.br"
or $message_headers contains ".ttnet.net.tr"
or $message_headers contains ".ono.com"
or $message_headers contains ".telefonica.es"

#Nigerian 419 scams
$header_subject: contains "YOUR E-MAIL HAS WON"

#Subject contains Penis
$header_subject: matches "p[e3]n[i1]s"

#Counterfeit watches, shoes and clothing
$header_subject: matches "replica|watches|//atch|Rolex"

#MED...SHOP
$header_subject: matches ".*(?-i)MED.*SHOP.*"

DISCARD MESSAGE
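Since anything these rules catch goes to /dev/null, it pays to run them against sample messages before activating them, the way the cPanel "Filter Test" does. The following is an added example, not from this article or from cPanel: it parses the notation used above (a "#title" line followed by "$field op "text"" lines joined by "or") and evaluates each filter against a message given as a dictionary of headers. Assumptions: comparisons are case-insensitive by default (as the "(?-i)" in the MED...SHOP rule implies), "matches" is an unanchored regular-expression search, and $reply_address is the Reply-To header. The rule set and messages below are constructed; the third rule is a deliberately mis-escaped variant of the "Blocked Country From domains" rule, showing how a stray "\." inside the alternation silently requires two dots and so never fires.

```python
"""Evaluate cPanel/Exim-style filter rules, in the notation used above, against sample messages.

Added example, not the article's or cPanel's code. Rule and message data are constructed.
"""
import re
from typing import Dict, List, Tuple

# One condition line: optional leading "or", a $variable, an operator, and a quoted text.
RULE_LINE = re.compile(r'^(?:or\s+)?(\$\w+:?)\s+(contains|matches|begins|ends|is)\s+"(.*)"\s*$')

Rule = Tuple[str, List[Tuple[str, str, str]]]   # (title, [(field, op, text), ...])


def parse_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):                 # a '#' line names a new filter
            rules.append((line[1:].strip(), []))
            continue
        m = RULE_LINE.match(line)
        if not m or not rules:
            raise ValueError(f"unparseable rule line: {line!r}")
        rules[-1][1].append(m.groups())
    return rules


def field_value(msg: Dict[str, str], var: str) -> str:
    """Resolve a $variable against a message given as a header dict (assumed mapping)."""
    name = var.lstrip("$").rstrip(":").lower()
    if name == "message_headers":                # every header, as the filter would see them
        return "\n".join(f"{k}: {v}" for k, v in msg.items())
    if name == "reply_address":
        name = "reply-to"
    if name.startswith("header_"):
        name = name[len("header_"):]
    return {k.lower(): v for k, v in msg.items()}.get(name, "")


def condition_holds(value: str, op: str, text: str) -> bool:
    v, t = value.lower(), text.lower()           # case-insensitive, per the assumption above
    if op == "contains":
        return t in v
    if op == "begins":
        return v.startswith(t)
    if op == "ends":
        return v.endswith(t)
    if op == "is":
        return v == t
    if op == "matches":
        return re.search(text, value, re.IGNORECASE) is not None
    raise ValueError(op)


def matching_rules(rules: List[Rule], msg: Dict[str, str]) -> List[str]:
    """Titles of every filter whose conditions (joined by 'or') hold for msg."""
    return [title for title, conds in rules
            if any(condition_holds(field_value(msg, f), op, t) for f, op, t in conds)]


SAMPLE_RULES = r'''
#Forged sender begins with dash or underscore
$From: matches "<(_|-).+@.+>"

#Known Spam Subjects
$header_subject: contains "student loan"
or $header_subject: matches "debt\ cons[io0]lidation"

#Blocked Country From domains (mis-escaped)
$From: matches ".+@.+\.(ru|es|\.co\.uk|ro)"

#Blocked Country From domains (corrected)
$From: matches ".+@.+\.(ru|es|co\.uk|ro)"

#From: yahoo.co.uk
$From: matches ".+@yahoo\.co\.uk"
or $reply_address: contains "@yahoo.co.uk"

#Block Nigerian senders in the 82.128.0.0/16 CIDR
$message_headers contains "Received: from [82.128."
'''

SAMPLE_MESSAGES = [
    {"From": '"Bob" <_bob@example.com>', "Subject": "Re: Student Loan offer"},
    {"From": '"Alice" <alice@shop.co.uk>', "Subject": "hello"},
    {"From": "news@example.net", "Reply-To": "x@yahoo.co.uk",
     "Subject": "newsletter", "Received": "from [82.128.1.2] by mx.example.net"},
]


def run_samples() -> List[List[str]]:
    rules = parse_rules(SAMPLE_RULES)
    return [matching_rules(rules, m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, hits in zip(SAMPLE_MESSAGES, run_samples()):
        print(msg["From"], "->", hits or ["Normal Delivery"])
```

Paste a rule group and a handful of real headers from your own inbox into SAMPLE_RULES and SAMPLE_MESSAGES to see which filter would have discarded a message; an empty result is the "Normal Delivery" outcome described above. Because "matches" is unanchored, also try legitimate senders whose addresses merely contain a blocked string, such as a ".es" appearing mid-domain, to see whether a rule is broader than intended.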


April 3, 2008

Spybot Search and Destroy Malware Definitions Updated on April 2, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on April 2, 2008:

Hijacker
+ CoolWWWSearch.OleHelp

Malware (includes fake anti-virus and anti-spyware programs)
+ MalwareWipe
++ Win32.Alman
++ ZlobDownloader.vdt

Security
++ Microsoft.Windows.FileExecution

Trojans
+ Bifrose.LA (2)
+ CoolWWWSearch.SearchToolbar (2)
+ Hupigon
++ Hupigon.cbs
++ Injector.u
+ PremiumSearch (1574)
++ RysioLogger
+ SubSeven
++ Wannnadoo
++ Win32.BKClient
++ Win32.GBDialer.j
+ Win32.Nakuru.a
++ Win32.OnLineGame.jun
++ Win32.VB.sj

Total: 563708 fingerprints in 125654 rules for 3757 products!

False positive detections fixed this week:
False positive on vxSystem.dll from the Vigilix remote monitoring product. It was being incorrectly reported as VX2.b.BDS

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

NOTE
I just experienced something unusual and I suspect a lot more Spybot S&D users may have this happen also. I normally operate as a Power User, in Windows XP Professional. I switch to my administrator level account to upgrade programs like Spybot S&D and apply system-wide immunization, which cannot be as easily done from a Limited User account. After installing the available updates for March 26, 2008, I ran Spybot and let it remove some cookies it found. After that, having defragged and run Windows Update from the Admin account, I logged off that account and into what I thought was my regular account. When I got there most of my desktop icons were missing, the custom settings were gone and things were not right in Whoville. I quickly thought about what might cause this and instinctively I restarted the computer. After logging in at the Welcome screen all of my icons and settings were restored. Whew! If this happens to you, it is caused by the new anti-rootkit plug-ins, as I have since learned. After you update the Spybot S&D program in an Admin account, reboot before logging in to a lesser privileged account. This way you won't lose any personalized settings. I hope they fix this soon!

I just found this information posted by a member of Team Spybot, on the official Forum, regarding multiple account computers having profile corruption issues:

That's a problem when you run the update while Spybot-S&D is open. To avoid this completely, just run the updater from the start menu while Spybot-S&D is closed. But as I wrote, a restart will allow login again. 1.5.3 will have it fixed as well.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.