Spybot Search and Destroy Definitions Updated on 7/23/2008
If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.
If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.
If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.
* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."
Spybot Updates - published every Wednesday
News Flash!
Spybot Search and Destroy 1.6 was released on July 8, 2008. Upgrade now! Read more about it in my extended comments.
Additions made on July 23, 2008:
Adware
+ WhenU.DAEMONTools.SearchBar
+ WhenU.Search
Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners)
++ AdwareDelete
++ AntiSpywareMaster
++ AntivirusGold
+ Fraud.XPAntivirus
+ IEDefender
++ PCPrivacyCleaner
+ PSGuard
+ Smitfraud-C.gp
+ SpySheriff
+ SpywareIsolator
+ Win32.BHO.je
++ Win32.Delf.aph
+ Win32.ServU
+ WinSpywareProtect
++ YourWebSafe
PUPS (Possibly Unpopular Software or Unwanted Programs)>\+ WPA_Reset5
Trojans
+ Autorunreplacer
+ Nuclearwinter
+ Smitfraud-C.MSVPS
+ SystemDoctor2006
+ Virtumonde
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.AutoIt.co
++ Win32.Fujacks.AB
++ Win32.Hupigon.ack
++ Win32.GGDoor
++ Win32.Reload.m
++ Win32.Sramler.c
+ Zlob.Downloader.rid
++ Zlob.Downloader.tfr
Total: 1038867 fingerprints in 267952 rules for 4080 products./strong>
False positive detections reported or fixed this week:
A false positive has been reported in BugDoctor, which for reasons unknown, Spybot flags with "Destination=HKEY_CLASSES_ROOT\.bdr." This will be fixed in next week's updates. It is a confirmed false positive.
False positives in Linux ISOs and Wireless Migrator have been fixed this week.
any of the current false positives are only displayed in the "Heuristic" scan analysis when you right-click on a file or folder and select Scan with Spybot Search & Dsstroy; not in standard scans from the program interface, or in the Malware (top) section of the right-click-scan window. Some of these false positives are being fixed this week, while others may take longer to isolate and fix.
The heuristics scan will be more reliable with the upcoming update, but changes still have to be made.
So if in doubt about a heuristics result (after the update today), you can also submit the file to [email protected] for analysis.
If you are still using Spybot S&D 1.3, or 1.4, please read this!
I have read several false positive reports regarding CoolWWWSearch.hjg and HellzLittleSpy from people still using the old versions 1.3 and 1.4 of Spybot Search and Destroy. I must stress that you cannot trust these versions to be 100% accurate when updated with current definitions. In fact, the opposite appears to be true; they are producing false positive detections with recent updates.
These are false positive which occur because Spybot 1.3 is outdated and does not understand the more complex rules made for 1.5.2 and newer.Apply the main update that shows up within the internal updater to upgrade to (1.6.x).
If your computer gets stuck in a logon/logoff loop, after updating and scanning with these older versions of Spybot, visit this forum page for a solution, from Team Spybot.
If you are using any version older than 1.5.2, please upgrade to the current version of Spybot S&D, which is now 1.6.0.
If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.
Spybot Search & Destroy version 1.6.0, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. It scans for threats much faster than 1.5.2 does. If you are still using version 1.3 or 1.4, I strongly recommend that you update to 1.6.x, using the company links below. These older versions are giving more frequent false positives than ever before.
Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.
After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).
Another problem being reported is when you run some versions of Spybot S&D it stops with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that only have been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but in also will be performing rootkit searches while doing a Spybot "Check for problems".
English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History
See all security program update notices in this catagory
A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.
To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.
When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.
In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.
For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.
Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.
Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.