Spybot Search and Destroy Definitions Updated on May 20, 2009
If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on May 20, 2009, as listed below. A slew of fake security programs and rootkits were added to the latest definitions.
Updating Spybot Search and Destroy
In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (for Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as they are, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world from which you can download updates. Select the location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as correct, the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not yet received all of the definitions, and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."
Download links and more instructions about using Spybot Search and Destroy are in my extended comments, along with the description of the latest definition updates and false positive fixes.
Immunizing and scanning with Spybot S&D
With the program updated, it is time to open the main program interface, using either the Start Menu link or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want (or uncheck things like cookies, Hosts, or Domains, as you see fit), then click on the Immunize button above the right panel, the one with a green cross. Sometimes Spybot immunizes against cookies and domains that you may actually want to visit. If you suddenly find you cannot log in, or cookies are missing, you can undo the most recent Immunizations, then uncheck the desired items and re-immunize. Websites added to your Windows HOSTS file during immunization will be blocked completely, so you may need to edit that file in Notepad, saving it as HOSTS without any extension, or uncheck Hosts from immunization if your preferred websites are blocked by Spybot S&D.
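The HOSTS-file point above is easy to get wrong by hand, so here is an added example (not code from the blog post or from Spybot S&D) that shows what an immunization entry looks like and how to release a single hostname from it without disturbing the rest of the file. The sample HOSTS content and every hostname in it are constructed for the example; on a real Windows machine the live file is `%SystemRoot%\System32\drivers\etc\hosts`, edited as Administrator and saved with the name `hosts` and no extension.

```python
"""Inspect and selectively unblock entries in a Windows-style HOSTS file.

Added example, not code from Spybot S&D or the original article. An
immunization tool blocks a site by mapping its hostname to a sinkhole
address (127.0.0.1 or 0.0.0.0); if a site you need lands there, the fix
is to remove that mapping and save the file without an extension. This
script performs that edit on a constructed sample so the effect can be
checked before touching the real file.
"""
from typing import Dict, List

# Constructed sample: the localhost line plus hypothetical blocked names in
# the style an immunization tool writes. None of these names is a real site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# Start of entries inserted by an anti-malware immunization (constructed)
127.0.0.1  bad-example.invalid
127.0.0.1  www.bad-example.invalid
127.0.0.1  needed-site.example   # a site the user actually wants
0.0.0.0    another-bad.invalid
# End of entries
"""

# Addresses that make a hostname unreachable rather than resolving it.
BLOCK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: address} for every mapping line, ignoring comments."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:  # one line may list several hostnames
            mapping[name.lower()] = address
    return mapping


def blocked_hosts(text: str) -> List[str]:
    """Hostnames that resolve to a sinkhole address, i.e. effectively blocked."""
    return sorted(
        name for name, addr in parse_hosts(text).items()
        if addr in BLOCK_ADDRESSES and name != "localhost"
    )


def is_blocked(text: str, hostname: str) -> bool:
    """True if the given hostname would be blocked by this HOSTS content."""
    return hostname.lower() in blocked_hosts(text)


def unblock(text: str, hostnames) -> str:
    """Remove the mappings for the given hostnames; everything else is kept.

    Comment lines and unrelated mappings are preserved verbatim, so the file
    still looks like what the immunization wrote, minus the released entries.
    If a line maps several names, only the released names are dropped.
    """
    wanted = {h.lower() for h in hostnames}
    kept = []
    for raw in text.splitlines(keepends=True):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and any(n.lower() in wanted for n in parts[1:]):
            remaining = [n for n in parts[1:] if n.lower() not in wanted]
            if remaining:  # keep the other hostnames that shared this line
                kept.append(f"{parts[0]} {' '.join(remaining)}\n")
            continue
        kept.append(raw)
    return "".join(kept)


if __name__ == "__main__":
    print("Blocked before:", blocked_hosts(SAMPLE_HOSTS))
    edited = unblock(SAMPLE_HOSTS, ["needed-site.example"])
    print("Blocked after: ", blocked_hosts(edited))
```

Run it as-is to see the before and after lists; to apply it to a real file, read the live `hosts` file into `text`, write the result of `unblock` back under the same extensionless name, and re-run `blocked_hosts` on the saved file to confirm that only the intended hostname was released. Keeping the other entries intact matters, because the remaining lines are what still protects the browser after the edit.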
After immunizing against unwanted items, you should click on the Search & Destroy icon on the left, then click "Check for problems" on the right side. It will take several minutes or longer to scan all your files for known threats, and for possible threats using heuristics, unless you disable heuristics in the program's Advanced Mode > Settings. When the scan completes, anything listed in the definition databases will appear in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, then click on the item name, right-click, and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."
If you want to learn more about using the program, the complete Spybot S&D FAQs are found here.
Additions to malware definitions made on May 20, 2009:
Adware
++ Digifast
Keyloggers
+ Ardamax
Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ Fraud.WinPCAntivirus
+ InternetAntivirusPro
++ Win32.OnLineGames.bklm
Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Bifrost.LA
+ Fake.Javacore
+ Webshow
++ Win32.Agent.afq
+ Win32.Agent.amwr
++ Win32.Agent.cfuc
++ Win32.Agent.jjv
++ Win32.Agent.NKV
++ Win32.Agent.ukv
++ Win32.BHO.sx
+ Win32.TDSS.pe
+ Win32.TDSS.rtk
+ Win32.Virut.q
++ Win32.Webprefix
+ Zlob.Downloader
+ Zlob.Downloader.miu
Total: 1411185 fingerprints in 482185 rules for 4667 products.
False positive detections reported or fixed this week:
A false positive detection of "Virtumonde.sdn" in iwlandrvxpver.dll was confirmed and fixed with today's updates.
A false positive detection in Malwarebytes mbamgui.exe, detected as Smitfraud-C, was fixed today.
Some false positive bad-site detections in Mozilla Firefox bookmarks, to legitimate trusted websites, were finally fixed, after two weeks of discussions.
One user reported that right after updating his definitions last week (May 13), a total of 48 Windows\System32 files were flagged as Trojans. After sending them in for analysis, it was determined that these were false positives, and all have been added to the program's white list. Note that sometimes malware will replace legitimate system files with infected copies, so scanning with other programs (antivirus) is recommended.
Additional Information about Spybot S&D and links
Spybot Search and Destroy has always been and continues to be free (although they do accept donations from grateful users!). If you clicked on a download link that claimed to be for Spybot S&D and found that you were required to pay to use the program, you have been tricked. Get out of there right now and go to the real Spybot S&D website, then download the authentic version. If you installed a fake version you may be infected, so update the real one and scan for malware.
Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to be removed effectively. If you are using any version older than 1.6.2, you are strongly advised to uninstall it and install the newest version. It is advisable to undo all immunizations before uninstalling Spybot S&D, then redo them after updating signatures for the new version.
If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.
If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.
If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.
Finally, if you have opted to use the Spybot "Tea Timer" realtime monitor, you need to know that it has been subject to a lot of false positives recently. Most have occurred since the Tea Timer module was updated to version 1.6.6 a few months ago. Check with the Spybot S&D False Positives Forum before allowing Tea Timer to permanently delete any files. Further, just in case, tell it to save the deleted files so you can restore them after obtaining definition updates. If you cannot wait for updates to be released, tell Tea Timer to ignore the problem files, provided they are known to be falsely flagged.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.