September 30, 2009

Spybot Search & Destroy updates for Sept 30, 2009

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on September 30, 2009, as listed below. 11 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 14 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments.

Additions to Spybot S&D malware definitions made on September 30, 2009:

All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection.

Adware
+ BaiduBar

Malware (Includes rogue or fraudulent security programs, fake registry cleaners, and fake security alerts, plus other nasty programs)
++ Fraud.GreenAV
+ Fraud.PersonalGuard2009
++ Fraud.SaveArmor
++ Fraud.SecurityFighter
+ Fraud.WindowsProtectionSuite
+ Virantix
++ Win32.Agent.rsp
++ Win32.Agent.ssr
+ Win32.FraudLoad
+ Win32.FraudLoad.edt
++ Win32.Mastak

PUPS (Possibly UnPopular Software or Potentially Unwanted Program - user discretion advised)
++ QiwangC.RegistryEasy

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors, malicious download agents and Rootkits.)
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.36
++ Win32.Agent.avp
++ Win32.AutoIt.gp
+ Win32.Fakealert.ttam
+ Win32.Games.ubha
++ Win32.OnLineGames.uhbb
++ Win32.OnLineGames.ulja
++ Win32.rbot.cs
+ Win32.TDSS.ntf
+ Win32.TDSS.reg
+ Win32.TDSS.rtk
+ Win32.ZBot

Total: 1540435 fingerprints in 545254 rules for 4933 products.

False positive detections reported, discussed, or fixed this week:

There were no new false positives reported this week. However, if you are still using an older version of Spybot you are likely to see false positives of all kinds. When I say old version I mean any version that is not the most current release (see below). The Spybot engine now gets changed radically with each new update, to help it deal with stubborn new types and variations of modern spyware.

Note: Spybot 1.5.x is now an OLD version and is unreliable in detections and removals!

If you keep getting a report of "Virtumonde" in C:\Windows\system32\zipfldr.dll and you are running a version of Spybot S&D older than version 1.6.2.46, it is a probable false positive. That is a Windows system file that is automatically restored if you delete it. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, as the engine is now outdated and unable to comprehend new malware definitions. The fix: Update to the current version of Spybot S&D!

Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that the use of Spybot S&D on Windows versions older than Windows 2000 is no longer supported and is subject to many false positives and failed removals.

TeaTimer update issues and remedies:

TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks a file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the item in the Spybot S&D scan result and selecting "exclude this detection from further searches."

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.


September 27, 2009

My Spam analysis for Sept 21 - 27, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have decreased for the first time in five weeks. This means that the Bot Masters running spam Botnets may only have intermittent access to their command and control (C&C) servers, used to reactivate their sleeping zombie computers. Those zombie PCs are now sending out medium volumes of spam, as commanded by their Bot Masters. This will continue until the people hosting the C&C servers cut off the accounts, or get shut down by authorities.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" and "Yahoo Groups Spam Link" categories, was for the fake Canadian Pharmacy, male enhancement scams and counterfeit Viagra. There was also some spam for counterfeit watches, software, lottery, phishing and weight loss scams.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Sept 21 - 27, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Sept 21 - 27, 2009. Spam amounted to 18% of my incoming email this week. This represents a -6% change from last week.
Canadian Pharmacy Scams: 16.00%
"Other Filters" category: 16.00%
Male Enhancement scams: 12.00%
Yahoo Groups spam links: 8.00%
Weight Loss Scams: 8.00%
Lottery Scams: 8.00%
Phishing Scams: 8.00%
Counterfeit Watches: 8.00%
Pirated Software: 4.00%
Viagra Spam: 4.00%
Casino spam: 4.00%
Blacklisted senders: 4.00%
The latest weekly updates to my custom MailWasher Pro filters were to the "Phishing Scams" and "Lottery Scams" filters. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it from my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g. Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


September 24, 2009

Spybot Search & Destroy updates for 9/23/2009

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on Sept 23, 2009, as listed below. Sixteen new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 23 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. Also, a KoobFace Worm detection was added.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments.

Additions to Spybot S&D malware definitions made on Sept 23, 2009:

All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection.

Hijackers
+ CoolWWWSearch.OleHelp

Malware (Includes rogue or fraudulent security programs, fake registry cleaners, and fake security alerts, plus other nasty programs)
++ Fraud.OmegaAntiVir
+ Fraud.PCAntispyware2010
++ Fraud.PersonalGuard2009
++ Fraud.PrivacyCommander
++ Fraud.ProofDefender2009
++ Fraud.SafeKeeper
++ Fraud.SafetyKeeper
++ Fraud.SoftSafeness
++ Fraud.SystemBooster2009
+ Fraud.SystemSecurity
++ Fraud.TrustWarrior
++ Fraud.WinProtector
++ Win32.Agent.anh
+ Win32.FraudLoad
+ Win32.FraudLoad.edt
+ Worldsecurityonline.FakeAlert

PUPS (Possibly UnPopular Software or Potentially Unwanted Program - user discretion advised)
++ Win32.MSNPass.b

Spyware
+ AdRotator
+ Alexa

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors, malicious download agents and Rootkits.)
++ Ertfor.bho
++ NNC.MGRS
+ Vario.AntiVirus
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.bf
++ Win32.Agent.kg
++ Win32.Agent.ns
++ Win32.Agent.wl
++ Win32.Agent.wlg
+ Win32.Agent.ws
+ Win32.Agent.xwr
+ Win32.AutoRun.ww
+ Win32.Fakealert.ttam
++ Win32.Games.ubha
++ Win32.Ikmet.j
+ Win32.TDSS.blk
+ Win32.TDSS.gen
++ Win32.TDSS.gr
+ Win32.TDSS.reg
+ Win32.TDSS.rtk
++ Win32.VB.uk
+ Win32.ZBot

Worm
+ Win32.Koobface

Total: 1536885 fingerprints in 544022 rules for 4915 products.

False positive detections reported, discussed, or fixed this week:

There was one new false positive reported this week. However, if you are still using an older version of Spybot you are likely to see false positives of all kinds. When I say old version I mean any version that is not the most current release (see below). The Spybot engine now gets changed radically with each new update, to help it deal with stubborn new types and variations of modern spyware.

Note: Spybot 1.5.x is now an OLD version and is unreliable in detections and removals!

A confirmed false positive was reported where Spybot mistakenly flagged a user-disabled System Restore as a malware attack. This issue will be fixed with next week's updates (on 9/30/09).

If you keep getting a report of "Virtumonde" in C:\Windows\system32\zipfldr.dll and you are running a version of Spybot S&D older than version 1.6.2, it is a probable false positive. That is a Windows system file that is automatically restored if you delete it. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, as the engine is now outdated and unable to comprehend new malware definitions. The fix: Update to the current version of Spybot S&D!

Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that the use of Spybot S&D on Windows versions older than Windows 2000 is no longer supported and is subject to many false positives and failed removals.

TeaTimer update issues and remedies:

TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks a file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the item in the Spybot S&D scan result and selecting "exclude this detection from further searches."

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.


September 20, 2009

My Spam analysis for Sept 14 - 20, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased for four weeks in a row. This means that the Bot Masters running spam Botnets have regained access to their command and control (C&C) servers, which have reactivated sleeping zombie computers. Those zombie PCs are now sending out large volumes of spam, as commanded by their Bot Masters. This will continue until the people hosting the C&C servers cut off the accounts, or get shut down by authorities.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT, or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops, as it has this week.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" and "Known Spam Domains" categories, was for the fake Canadian Pharmacy, male enhancement scams and counterfeit Viagra. There was also some spam for counterfeit watches and weight loss scams.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Sept 14 - 20, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Sept 14 - 20, 2009. Spam amounted to 24% of my incoming email this week. This represents a +3% change from last week.
"Other Filters" category: 20.59%
Canadian Pharmacy Scams: 17.65%
Known Spam Domains: 14.71%
Viagra Spam: 11.76%
Hidden ISO, ASCII, or UTF subject: 5.88%
Counterfeit Watches: 5.88%
Weight Loss Scams: 5.88%
Pharmaceutical spam: 5.88%
Known Spam TO: 5.88%
Pills spam: 2.94%
RIPE filter: 2.94%
The latest weekly updates to my custom MailWasher Pro filters were to the "Phishing Scams" and "Image Spam #11" filters. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it from my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g. Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


September 17, 2009

Spybot Search and Destroy Definitions Updated on 9/16/2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on September 16, 2009, as listed below. Four new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus five new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Additions to Spybot S&D malware definitions made on September 16, 2009:

All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection.

Malware (Includes rogue or fraudulent security programs, fake registry cleaners, and fake security alerts, plus other nasty programs)
++ Fraud.QuickHealCleaner
++ Fraud.UltimateSystemGuard
++ Fraud.WindowsGuardPro
+ Fraud.XPAntivirus
Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors, malicious download agents and Rootkits.)
++ RootMax.x86.azds
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.spi
+ Win32.TDSS.rtk

Total: 1872017 fingerprints in 542608 rules for 4897 products.

False positive detections reported, discussed, or fixed this week:

No new false positives were reported this week. However, if you are still using an older version of Spybot you are likely to see false positives of all kinds. When I say old version I mean any version that is not the most current release (see below). The Spybot engine now gets changed radically with each new update, to help it deal with stubborn new types and variations of modern spyware.

Note. Spybot 1.5.x is now an OLD version and is unreliable in detections and removals!

If you keep getting a report of "Virtumonde" in C:\Windows\system32\zipfldr.dll and you are running a version of Spybot S&D older than 1.6.2, it is a probable false positive. zipfldr.dll is a Windows system file (the Compressed Folders handler) that Windows restores automatically if it is deleted. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, because the outdated engine cannot correctly interpret the current definition format. The fix: update to the current version of Spybot S&D!

Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that using Spybot S&D on Windows versions older than Windows 2000 is no longer supported and is subject to many false positives and failed removals.

TeaTimer update issues and remedies:

TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks a file you can also allow it to be executed (and remove the check mark for deletion). You can exclude any file from further detections during a scan by right-clicking the item in the Spybot S&D scan results and selecting "exclude this detection from further searches".

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.

September 13, 2009

My Spam analysis for Sept 7 - 13, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased for three weeks in a row. This suggests that the Bot Masters running spam Botnets have regained access to their command and control (C&C) servers and have reactivated sleeping zombie computers. Those zombie PCs are now sending out large volumes of spam, as commanded by their Bot Masters. This will continue until the people hosting the C&C servers cut off the accounts, or get shut down by authorities.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT (Malicious Software Removal Tool), or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" and "Known Spam Domains" categories, was for male enhancement scams and fake Viagra. There was also a bunch of spam for illegal casinos and the fake Canadian Pharmacy.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply-To address. Those addresses are inserted by the same script that composes the spam on the compromised PCs, and they belong to innocent spam victims whose harvested names are reused in forged From lines; the real origin is recorded only in the Received headers added by the receiving mail servers. When a forged From address is used deliberately to bury one particular person or business in bounces and complaints, the practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Sept 7 - 13, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Sept 7 - 13, 2009. Spam amounted to 21% of my incoming email this week. This represents a +4% change from last week.
Male Enhancement scams: 20.00%
Known Spam FROM: 16.67%
Canadian Pharmacy Scams: 10.00%
Pills spam: 10.00%
"Other Filters" category: 10.00%
Herbal spam: 6.67%
Pharmaceutical spam: 6.67%
Yahoo Groups spam links: 6.67%
Casino spam: 3.33%
Hidden ISO, ASCII, or UTF subject: 3.33%
Dating spam: 3.33%
Blacklisted senders: 3.33%

The latest weekly updates to my custom MailWasher Pro filters were to the "Known Spam [From]" and "Hidden ISO, UTF, or Ascii Subject" filters. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it from my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g. Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro can forward messages marked as spam to SpamCop, which then sends you a confirmation email containing a link. You must open the enclosed reporting link in your browser and manually submit your report; this is how SpamCop wants it done.

September 10, 2009

Spybot Search and Destroy Definitions Updated on 9/09/2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on September 9, 2009, as listed below. 23 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 14 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Additions to Spybot S&D malware definitions made on September 9, 2009:

All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection.

Adware
++ M.R.Advertising
+ SmartShopper
++ Startline
+ SurfAccuracy
++ ThunderAdvise

Dialer
++ AdultContent

Malware (Includes rogue or fraudulent security programs, fake registry cleaners, and fake security alerts, plus other nasty programs)
++ Fraud.ANGAntivirus2009
+ Fraud.AntivirusPlus
++ Fraud.AntivirusPlus2009
++ Fraud.HDriveSweeper
++ Fraud.IE-Security
++ Fraud.MySupervisor
++ Fraud.PrivacyComponents
++ Fraud.PrivacyGuardPro
++ Fraud.SysAntivirus2009
++ Fraud.SystemCop
+ Fraud.SystemGuard2009
++ Fraud.SystemGuardCenter
++ Fraud.SystemTuner
++ Fraud.TotalDefender
+ Fraud.TotalSecurity
++ Fraud.TrustNinja
+ Fraud.VirusDoctor
+ Fraud.VirusRemover2009
++ Fraud.Win-Antivirus
+ Fraud.WinCleaner
++ Fraud.WindowsPolicePro
++ Fraud.XpyBurner
+ Lop
+ SurfSideKick
+ TotalProtect2009

PUPS (Possibly UnPopular Software or Potentially Unwanted Program - user discretion advised)
++ FastBrowserSearchToolbar
++ Pandobar

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors, malicious download agents and Rootkits.)
++ Haxdoor-m
+ Virtumonde.sci
++ Win32.Agent.ipr
+ Win32.Agent.mut
+ Win32.Agent.nmy
++ Win32.Agent.wel
++ Win32.Agent.wnt
++ Win32.Agent.xwr
+ Win32.Fakealert.ttam
++ Win32.Onlinegames.apyj
+ Win32.OnLineGames.ubha
++ Win32.Onlinegames.ulur
+ Win32.Podnuha.rtk
+ Win32.ZBot

Total: 1468999 fingerprints in 513576 rules for 4898 products.

False positive detections reported, discussed, or fixed this week:

There was a confirmed false positive detection of Virtumonde.sdn in C:\WINDOWS\system32\ialmcoin.dll. This was fixed with today's updates.

A false positive detection of Win32.Agent.ws in C:\Windows\system32\winsys2.exe, which is part of NVIDIA GeForce 9500 GT video card utilities, was fixed today.

A few users reported various "Virtumonde" false positives, but, they were using older versions of Spybot S&D. After upgrading to the current version these false detections disappeared.

Note. Spybot 1.5.x is now an OLD version and is unreliable in detections and removals!

If you keep getting a report of "Virtumonde" in C:\Windows\system32\zipfldr.dll and you are running a version of Spybot S&D older than 1.6.2, it is a probable false positive. zipfldr.dll is a Windows system file (the Compressed Folders handler) that Windows restores automatically if it is deleted. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, because the outdated engine cannot correctly interpret the current definition format. The fix: update to the current version of Spybot S&D!

Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that using Spybot S&D on Windows versions older than Windows 2000 is no longer supported and is subject to many false positives and failed removals.

TeaTimer update issues and remedies:

TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks a file you can also allow it to be executed (and remove the check mark for deletion). You can exclude any file from further detections during a scan by right-clicking the item in the Spybot S&D scan results and selecting "exclude this detection from further searches".

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.

September 6, 2009

My Spam analysis for Aug 31 - Sept 6, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam levels have increased for two weeks in a row. This probably means that the Bot Masters running spam Botnets have regained access to their command and control servers, which have reactivated sleeping zombie computers. Those zombie PCs are now sending out large volumes of spam, as commanded by their Bot Masters.

Almost all spam is now sent from zombie computers in spam Botnets, under the control of Bot Masters who rent the use of their networks to spammers. Major changes in the overall volume of spam indicate problems or successes of the Bot Masters with command and control over their robotic armies of spamming PCs. Sometimes their command and control servers are shut down by the efforts of security organizations, forcing them to look for other spam-friendly hosting companies. Other times, Microsoft's monthly Windows Updates, featuring an updated MSRT (Malicious Software Removal Tool), or other security products, will clean Bot infections from millions of zombie computers. When this happens the overall volume of spam drops.

However, Bot Herders don't give up easily. If they lose one Command and Control server they will hunt for another one, often in China or Eastern Europe. Once they get those hostile servers back online, with other spam friendly hosts, the zombies are awakened and we see lots more spam. If the Botnet loses zombies after a major cleanup, they will acquire more through compromised or hostile websites exploiting vulnerabilities in browsers and their plug-ins and add-ons.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week, especially the "Other Filters" and "Known Spam Domains" categories, was for male enhancement scams and fake Viagra. There was also a bunch of spam for illegal casinos and the fake Canadian Pharmacy.

In case anybody doesn't already know, virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets. All email sender addresses are forged, so there is no point in complaining to the listed From or Reply-To address. Those addresses are inserted by the same script that composes the spam on the compromised PCs, and they belong to innocent spam victims whose harvested names are reused in forged From lines; the real origin is recorded only in the Received headers added by the receiving mail servers. When a forged From address is used deliberately to bury one particular person or business in bounces and complaints, the practice is known as a "Joe Job."

See my extended comments for this week's breakdown of spam by category, for Aug 31 - Sept 6, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Aug 31 - Sept 6, 2009. Spam amounted to 17% of my incoming email this week. This represents a +2% change from last week.
"Other Filters" category: 14.71%
Blacklisted Senders: 14.71%
Casino spam: 11.76%
Viagra spam: 8.82%
Weight Loss spam: 8.82%
Nigerian 419 Scams: 5.88%
Canadian Pharmacy Scams: 5.88%
Known Spam Domains (a great filter!): 5.88%
Known Spam FROM: 5.88%
Known X-Mailer Spam: 5.88%
Herbal spam: 5.88%
Pills spam: 5.88%

The latest weekly updates to my custom MailWasher Pro filters were to the Herbal Spam, Casino and Google Reader Spam Link filters. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it from my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...
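The weekly breakdowns above (Sept 7 - 13 and Aug 31 - Sept 6) are what an ordered, first-match rule set produces over an inbox. As an added example that is not part of this post or of MailWasher Pro, here is such a rule set in Python: the category names follow the post's filters, but the blocklists, the regular expressions, the rule order and the ten sample messages are constructed for illustration, and the "Hidden ISO, ASCII, or UTF subject" rule is implemented as "any RFC 2047 encoded-word in the Subject", which is this example's reading of that filter name.

```python
"""Rule-based spam categorisation that reproduces the kind of "Junk Mail"
breakdown MailWasher Pro's Statistics page shows.  Added example, not
MailWasher's code or the blog author's filters: category names follow the
post; blocklists, regexes and sample messages are constructed."""
import re
from collections import Counter
from email import message_from_string
from email.header import decode_header
from email.utils import parseaddr

# Constructed stand-ins for the private "Known Spam FROM", "Known Spam Domains"
# and "Known X-Mailer Spam" lists.
KNOWN_SPAM_FROM = {"promo@deals.example", "winner@lotto.example"}
KNOWN_SPAM_DOMAINS = {"cheap-meds.example", "casino-royale.example"}
KNOWN_SPAM_XMAILERS = {"BulkMailer 2.0"}

# Content filters, tried in this order.  Patterns are illustrative only.
CONTENT_RULES = [
    ("Canadian Pharmacy Scams", re.compile(r"canadian\s+pharmacy", re.I)),
    ("Male Enhancement scams", re.compile(r"\b(enlarge|enhancement|inches)\b", re.I)),
    ("Viagra spam", re.compile(r"\bv[i1]agra\b", re.I)),
    ("Casino spam", re.compile(r"\b(casino|jackpot|roulette)\b", re.I)),
    ("Nigerian 419 Scams", re.compile(r"next of kin|bank of nigeria|transfer of funds", re.I)),
    ("Dating spam", re.compile(r"\b(singles|lonely|date tonight)\b", re.I)),
]


def decode_subject(raw_subject):
    """Decode RFC 2047 encoded-words (=?ISO-8859-1?Q?...?=, =?UTF-8?B?...?=).

    Returns (text, hidden).  ``hidden`` is True when any part was encoded: a
    filter that only reads the raw header never sees the real words, which is
    the trick the "Hidden ISO, ASCII, or UTF subject" filter targets.
    """
    text, hidden = [], False
    for chunk, charset in decode_header(raw_subject or ""):
        if isinstance(chunk, bytes):
            hidden = hidden or charset is not None
            chunk = chunk.decode(charset or "ascii", errors="replace")
        text.append(chunk)
    return "".join(text), hidden


def classify(raw_message):
    """Return the first matching category, or None for apparently legitimate mail.

    Sender/mailer blocklists run first, then content rules over the *decoded*
    subject plus body, then the encoded-subject rule as a last resort.  First
    match wins, so each message lands in exactly one slice of the pie chart
    (this example's choice; the post does not say how MailWasher orders filters).
    """
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    subject, hidden = decode_subject(msg.get("Subject", ""))
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
    text = subject + "\n" + body

    if from_addr in KNOWN_SPAM_FROM:
        return "Known Spam FROM"
    if from_domain in KNOWN_SPAM_DOMAINS:
        return "Known Spam Domains"
    if msg.get("X-Mailer", "") in KNOWN_SPAM_XMAILERS:
        return "Known X-Mailer Spam"
    for category, pattern in CONTENT_RULES:
        if pattern.search(text):
            return category
    if hidden:
        return "Hidden ISO, ASCII, or UTF subject"
    return None


def breakdown(messages):
    """Percentage of caught spam per category (the pie chart) and the share of
    all incoming mail that was spam (the Summary page figure)."""
    counts = Counter(c for c in map(classify, messages) if c)
    total = sum(counts.values())
    slices = {cat: round(100.0 * n / total, 2) for cat, n in counts.items()} if total else {}
    share = round(100.0 * total / len(messages), 1) if messages else 0.0
    return slices, share


# Constructed sample inbox: only the headers the rules look at.
SAMPLE_MAIL = [
    "From: Promo <promo@deals.example>\nSubject: Big savings\n\nSave now!",
    "From: Orders <orders@cheap-meds.example>\nSubject: Your refill\n\nRefill today.",
    # encoded-word subject that decodes to "Cheap Viagra"
    "From: Sam <sam@mail.example>\nSubject: =?ISO-8859-1?Q?Cheap_Viagra?=\n\nClick here",
    "From: Bob <bob@mail.example>\nSubject: Canadian Pharmacy - 80% off\n\nBuy now",
    # encoded-word subject (Cyrillic greeting) with no known keyword in it
    "From: Zed <zed@mail.example>\nSubject: =?UTF-8?B?0J/RgNC40LLQtdGC?=\n\nhi",
    "From: Alice <alice@mail.example>\nSubject: Lunch Thursday?\n\nAre you free?",
    "From: News <news@list.example>\nSubject: Weekly digest\nX-Mailer: BulkMailer 2.0\n\ndigest",
    "From: Dr <dr@mail.example>\nSubject: Urgent\n\nI am the next of kin of the late ...",
    "From: Lucky <lucky@mail.example>\nSubject: Win the jackpot tonight\n\ncasino bonus",
    "From: Boss <boss@work.example>\nSubject: Re: quarterly report\n\nThanks.",
]

if __name__ == "__main__":
    slices, share = breakdown(SAMPLE_MAIL)
    print(f"Spam amounted to {share}% of incoming mail")
    for category, pct in sorted(slices.items(), key=lambda kv: -kv[1]):
        print(f"{category}: {pct:.2f}%")
```

Rule order drives the percentages: a message whose encoded subject decodes to "Viagra" is counted under Viagra spam, not under the hidden-subject slice, and a blocklisted sender is never counted twice. The encoded-subject rule is also the one most likely to misfire on legitimate non-English mail, which is why it runs last here.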

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g. Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro can forward messages marked as spam to SpamCop, which then sends you a confirmation email containing a link. You must open the enclosed reporting link in your browser and manually submit your report; this is how SpamCop wants it done.
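Both weekly analyses make the point that the From address is forged and that reports go to SpamCop instead. Where the real sender is actually recorded, as an added example that is not code from the post, MailWasher or SpamCop: the IP address in the Received header stamped by your own (trusted) mail server cannot be forged by the spammer, and that is the hop a report is built on. The trusted-relay list, the sample message and every address in it are constructed for illustration.

```python
"""Find the machine that actually injected a spam message: the forged From:
never tells you, but the Received: line stamped by your own mail server does.
Added example, not code from SpamCop, MailWasher or the post; the trusted-relay
list and the sample message are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the relays you trust (your ISP's MX hosts).  Received: lines they
# stamped are reliable; anything further down the header stack was written by
# whoever handed the message over, and a spammer writes whatever he likes there.
TRUSTED_RELAYS = {"mx1.myisp.example", "mx2.myisp.example"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                            # name the sender claimed
    r"(?:\s*\((?P<rdns>[^\s()\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"  # what the receiver saw
    r".*?\bby\s+(?P<by>[\w.-]+)",                                       # host that stamped the line
    re.S,
)


def find_injection_point(raw_message, trusted=TRUSTED_RELAYS):
    """Walk Received: headers top-down (newest first) while the stamping host is
    trusted.  A hop whose reverse DNS is itself a trusted relay is internal and
    skipped; the first hop from outside is where the message entered, and the IP
    in that line is the zombie to report.  Returns None if no trusted hop exists.

    The HELO name is deliberately not used for the trust decision: the sender
    controls it, and spammers routinely announce themselves as someone else.
    """
    msg = message_from_string(raw_message)
    claimed_from = parseaddr(msg.get("From", ""))[1]
    for hop, value in enumerate(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if not m or m.group("by").lower() not in trusted:
            break                                   # past the trusted boundary
        rdns = (m.group("rdns") or "").lower()
        if rdns in trusted:
            continue                                # internal relay-to-relay hop
        if m.group("ip"):
            return {"ip": m.group("ip"), "helo": m.group("helo"), "rdns": rdns or None,
                    "hop": hop, "claimed_from": claimed_from}
        break
    return None


# Constructed message.  The zombie announced itself as mail.freemail.example
# and forged a From: at the same provider, but mx1 recorded the DSL host that
# really connected.  The bottom Received: line was written by the zombie itself.
SAMPLE_SPAM = """\
Received: from mx1.myisp.example (mx1.myisp.example [198.51.100.2])
    by mx2.myisp.example (Postfix) with ESMTP id 7A1B2C; Mon, 7 Sep 2009 10:02:11 -0400
Received: from mail.freemail.example (adsl-203-0-113-7.isp.example [203.0.113.7])
    by mx1.myisp.example (Postfix) with SMTP id 5D4E3F; Mon, 7 Sep 2009 10:02:09 -0400
Received: from webmail.freemail.example ([10.0.0.5])
    by mail.freemail.example with ESMTP; Mon, 7 Sep 2009 09:59:00 -0400
From: "Alice Innocent" <alice@freemail.example>
To: victim@myisp.example
Subject: Canadian Pharmacy - 80% off

Buy now.
"""

if __name__ == "__main__":
    hit = find_injection_point(SAMPLE_SPAM)
    print(f"Complaining to {hit['claimed_from']} is pointless; report {hit['ip']} "
          f"(HELO {hit['helo']}, rDNS {hit['rdns']}, hop {hit['hop']}).")
```

The walk stops at the first untrusted "by" host, so the bottom Received line, which the zombie wrote itself, never influences the answer; that is also why a report built on the bottom-most line would blame an innocent (or non-existent) machine.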

September 2, 2009

Spybot Search and Destroy Definitions Updated on 9/02/2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on September 2, 2009, as listed below. 22 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 15 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. There was also 1 Internet Worm added to this week's detections.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Additions to Spybot S&D malware definitions made on September 2, 2009:

All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection.

Adware
+ Ask.MyGlobalSearch
++ Attune.HelpExpress
+ CouponBar

Malware (Includes rogue or fraudulent security programs, fake registry cleaners, and fake security alerts, plus other nasty programs)
+ Fraud.AdvancedVirusRemover
++ Fraud.AntiSpywarePro2009
++ Fraud.AntivirusAgentPro
+ Fraud.AntivirusPro
++ Fraud.BlockDefense
++ Fraud.ComputerDefender2009
++ Fraud.FileFixProfessional
+ Fraud.GeneralAntivirus
++ Fraud.Pantispyware2009
+ Fraud.PCAntispyware2010
+ Fraud.PersonalAntivirus
++ Fraud.SafeDefense
++ Fraud.SafetyCenter
++ Fraud.SaveKeep
++ Fraud.SaveSoldier
++ Fraud.SmartVirusEliminator
++ Fraud.SpywareFighter
++ Fraud.SystemProtector
++ Fraud.TotalSecurity
++ Fraud.VirusAlarm
++ Fraud.VirusSweeper
+ Fraud.XPAntivirus
+ Lop
+ Virantix
++ Win32.Agent.hqa
+ Win32.FraudLoad.edt
++ Win32.FraudLoad.ffp
+ Win32.VB.oz

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors, malicious download agents and Rootkits.)
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.la
++ Win32.Agent.ms
++ Win32.Agent.msd
+ Win32.Agent.nmy
+ Win32.Agent.ws
+ Win32.Fakealert.ttam
+ Win32.TDSS.blk
+ Win32.TDSS.clt
+ Win32.TDSS.dt
+ Win32.TDSS.gen
++ Win32.TDSS.ntf
+ Win32.TDSS.rtk
+ Win32.ZBot

Worm
++ Realbot

Total: 1468454 fingerprints in 513261 rules for 4866 products.

False positive detections reported, discussed, or fixed this week:

A few users reported various "Virtumonde" false positives, but, they were using older versions of Spybot S&D. After upgrading to the current version these false detections disappeared.

No new actual false positives were reported this week.

Note. Spybot 1.5.x is now an OLD version and is unreliable in detections and removals!

If you keep getting a report of "Virtumonde" in C:\Windows\system32\zipfldr.dll and you are running a version of Spybot S&D older than 1.6.2, it is a probable false positive. zipfldr.dll is a Windows system file (the Compressed Folders handler) that Windows restores automatically if it is deleted. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, because the outdated engine cannot correctly interpret the current definition format. The fix: update to the current version of Spybot S&D!

Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that using Spybot S&D on Windows versions older than Windows 2000 is no longer supported and is subject to many false positives and failed removals.

TeaTimer update issues and remedies:

TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks a file you can also allow it to be executed (and remove the check mark for deletion). You can exclude any file from further detections during a scan by right-clicking the item in the Spybot S&D scan results and selecting "exclude this detection from further searches".

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.

September 1, 2009

Hotmail POP access method changed on Sept 1, 2009

On September 1, 2009, Microsoft changed the way their Hotmail email servers communicate with desktop email clients: the old HTTP (WebDAV) access that Outlook Express relied on was switched off. As of this day you cannot send or receive Hotmail through Outlook Express, period; finito, kaput! You must change to a different desktop email client, like Windows Live Mail. Microsoft Outlook users can download and install the Microsoft Outlook Connector to continue to access Hotmail. The details about these changes and what you need to do follow.

If you use Microsoft Office Outlook to send and receive through Hotmail, you can download the free Office Outlook Connector to continue accessing your Windows Live Hotmail within Outlook 2003 or 2007. If you run an older version, read this information.

If you use Outlook Express (OE) to view Hotmail, you can choose to download the free Windows Live Mail (WLM), which resembles Outlook Express, but is much more powerful, less prone to crashes and contains a junk filter. You can import all of your saved .eml messages and accounts from OE into WLM (via Export/Import, or drag and drop between email clients). You can also import your personal folders from OE. The view is a little different, but you'll get used to it. You can find help on this page with exporting messages from Outlook Express into WLM.

If you are using Entourage to send and receive Hotmail, read these instructions to continue connecting to the new servers.

New Mail Server Names:
There are also changes to the names of the Hotmail POP3 and SMTP mail servers. (The HTTP-based access that Outlook Express used has been replaced by Microsoft's "Delta Sync" protocol, which Windows Live Mail and the Outlook Connector speak; every other client must use POP3 and SMTP.) The new incoming POP server is pop3.live.com and the new outgoing SMTP server is smtp.live.com. You must also change the incoming and outgoing ports, as outlined in my extended content, under "New mail servers and ports."

MailWasher Pro is also affected by the Hotmail server changes

If you use MailWasher Pro, or a similar spam filter before your email client, you must make changes to your Hotmail account settings. If you don't make these changes you will be unable to check for mail on your Hotmail accounts. If you have been importing your old email accounts into various updated versions of MailWasher, or MailWasher Pro, you may have imported the old HTTP Hotmail server settings. These are no longer valid, as of Sept 1, 2009. Attempting to access Hotmail with the old HTTP settings will result in a 403 Forbidden response from the Hotmail servers.

With a current version of MailWasher open (the current version is 6.51) and as the active window, press F8 to open Email Accounts. Locate each Hotmail account, click once to highlight it, then press the "Remove Account" button below the accounts field. Do this for each Hotmail account, after noting your Hotmail user names and passwords. Close MailWasher (Pro) to make the changes take effect.

New mail servers and ports:

Re-open MailWasher Pro and verify that the Hotmail accounts are gone. If they are, re-create the accounts, entering the new POP3 and SMTP servers. They are the same ones listed earlier in this article, namely pop3.live.com for incoming and smtp.live.com for outgoing mail. The incoming port must be set to 995, with SSL enabled (on 995 the whole connection is encrypted from the start). The SMTP port should be set to 587, also with SSL checked, and with SMTP Authentication using the same login as the POP server. Note that on port 587 the encryption is negotiated with STARTTLS after the connection opens, which is what the SSL option means for that port in most clients; if your client offers separate "SSL" and "TLS" (or "STARTTLS") choices for the outgoing server, pick TLS/STARTTLS. Be sure to type in your passwords and have MailWasher Pro remember them.

With these changes made you should be able to continue to use MailWasher Pro to receive (and delete) your Hotmail email, before downloading it to your regular desktop email client.
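The remove-and-recreate steps above can be checked programmatically. The following is an added example, not code from the original post or from Firetrust or Microsoft: it validates a client's Hotmail account entry against the servers and ports given in this article, flags the retired HTTP settings, and rebuilds the entry the way the re-creation step does. The AccountSettings type and the sample account are constructed for illustration.

```python
# Added example: validate and migrate Hotmail account settings in a desktop
# mail client or pre-client filter (MailWasher-style). Not vendor code.
from dataclasses import dataclass

# Settings the article documents for Delta Sync: (host, port, encryption on)
POP3_EXPECTED = ("pop3.live.com", 995, True)   # implicit SSL/TLS on connect
SMTP_EXPECTED = ("smtp.live.com", 587, True)   # "SSL" on 587 is STARTTLS


@dataclass(frozen=True)
class AccountSettings:          # constructed type, not MailWasher's own format
    username: str
    protocol: str               # "http" (retired Sept 1, 2009) or "pop3"
    incoming_host: str
    incoming_port: int
    incoming_ssl: bool
    outgoing_host: str
    outgoing_port: int
    outgoing_ssl: bool
    smtp_auth: bool


def check_hotmail_account(acct: AccountSettings) -> list[str]:
    """Return a list of problems; an empty list means the entry matches."""
    if acct.protocol.lower() == "http":
        # The old HTTP access mode is answered with 403 Forbidden
        return ["legacy HTTP Hotmail access retired Sept 1, 2009 (server returns 403)"]
    problems = []
    if (acct.incoming_host.lower(), acct.incoming_port, acct.incoming_ssl) != POP3_EXPECTED:
        problems.append("incoming must be pop3.live.com port 995 with SSL enabled")
    if (acct.outgoing_host.lower(), acct.outgoing_port, acct.outgoing_ssl) != SMTP_EXPECTED:
        problems.append("outgoing must be smtp.live.com port 587 with SSL enabled")
    if not acct.smtp_auth:
        problems.append("SMTP authentication must be on (same login as POP3)")
    if not acct.incoming_ssl or not acct.outgoing_ssl:
        # An unencrypted POP3/SMTP session sends the account password in the clear
        problems.append("plaintext mail session exposes the account password on the network")
    return problems


def migrate_hotmail_account(acct: AccountSettings) -> AccountSettings:
    """Rebuild the entry as the article's remove-and-recreate step does,
    keeping only the user name from the old account."""
    return AccountSettings(
        username=acct.username, protocol="pop3",
        incoming_host="pop3.live.com", incoming_port=995, incoming_ssl=True,
        outgoing_host="smtp.live.com", outgoing_port=587, outgoing_ssl=True,
        smtp_auth=True,
    )


# Constructed sample: an account imported from an older MailWasher profile
LEGACY_ACCOUNT = AccountSettings("someone@hotmail.com", "http",
                                 "", 0, False, "", 0, False, False)
```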

BTW: The term "Email Client" refers to any free-standing desktop application used to send and receive email via the POP3, IMAP and SMTP mail server protocols. This is very different from the HTTP protocol used by web browsers when they are used to read and send email. Browser-based email is known as "WebMail." Some mail systems, like AOL and Yahoo, charge for POP client access to their mail servers, while others, like Hotmail, have chosen to allow this for free. Kudos to the Hotmail team for free POP access!


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.


This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.