If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.
If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.
If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.
* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."
Spybot Updates - published every Wednesday
Additions made on June 11, 2008:
Adware
++ HackNuke
++ Win32.Hacktool
+ Zango
+ Zango.ShoppingReport
+ Zango.WeatherDPA
Dialer (Dialers silently try to use your modem to call pay per minute numbers in foreign countries)
+ Coulomb Ltd.Content Access Plugin
Keyloggers (Keyloggers steal your typed logins and passwords)
++ PerfectKeylogger
Malware (Includes fake anti-virus and anti-spyware programs, like VirusHeat and Vario and fake registry cleaners)
+ AdvancedCleaner
++ Munga_Bunga.HDDFormat
++ Netcom3Cleaner
++ RegistryPatrol
+ Win32.BHO.je
++ Windows.Antivirus2008
PUPS (Possibly Unpopular Software or Unwanted Programs)
++ BitAccelerator
Security
+ Microsoft.Windows.RedirectedHosts
Trojans (Includes 3 updated Zlob* Trojan detections)
+ 180Solutions.SearchAssistant
++ CoolWWWSearch.hjg
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
++ Win32.Agent.ghs
++ Win32.Agent.LKF
++ Win32.Agent.SB
++ Win32.Serv-U.gen
+ Win32.Small.azl
+ Win32.Small.r
+ Zlob.Downloader
+ Zlob.Downloader.pit
+ Zlob.Downloader.vdt
Total: 628606 fingerprints in 163231 rules for 3998 products !
False positive detections fixed this week:
A detection of "Zlob.Downloader.jau" in the SYSTEMAX.bmp desktop wallpaper is a false positive that has been fixed in next week's updates.
Also fixed this week is the detection of "RegistryHelper" in the Disk Cleaner program. If you have Disk Cleaner and Spybot broke it by removing necessary files, you should restore them from backups made by Spybot.
If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.
* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.
Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4, I recommend that you update to 1.5.x, using the company links below.
There is a new version of Spybot S&D in public beta testing, version 1.6. I understand that it scans for threats much faster than 1.5.2 does. You are welcome to download it and try it out if you wish (please report bugs to the developers). It is a prelude to the upcoming version 2.0 incarnation of Spybot Search and Destroy.
Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.
After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).
Another problem being reported is when you run some versions of Spybot S&D it stops with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that only have been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but in also will be performing rootkit searches while doing a Spybot "Check for problems".
English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History
See all security program update notices in this catagory
A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.
To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.
When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.
In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.
For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.
Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.
Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.
back to top ^
