December 30, 2009

Spybot Search & Destroy updates for Dec 30, 2009

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on December 30, 2009, as listed below. 7 new or modified fake security programs (fraudulent anti-virus/anti-spyware) were added to the "Malware" detections (plus 6 other malware entries), plus 14 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

The latest new or modified "Malware" category threats are mostly fake security programs and scanners, followed by a few other malware families. The names used by Spybot S&D are as follows:
Fraud.GuardPCs
Fraud.MalwareDefense
Fraud.SecurityTool
Fraud.Sysguard
Fraud.TheDefend
Fraud.VolcanoSecuritySuite
Fraud.XPPoliceAntivirus
Lop
Microsoft.Windows.RedirectedHosts
Win32.Agent.ieu
Win32.Delf.rm
Win32.Fraudload.md
Win32.LisboaAerea

The latest "Trojans" that were added or updated are:
Virtumonde.sci
Virtumonde.sdn
Win32.OnLineGames.bkpf
Win32.OnLineGames.down
Win32.OnLineGames.gjwa
Win32.OnLineGames.mfar
Win32.OnLineGames.mfas
Win32.OnLineGames.mffk
Win32.OnLineGames.mfft
Win32.OnLineGames.ulja
Win32.OnLineGames.ultz
Win32.OnLineGames.ulvo
Win32.OnLineGames.unxp
Win32.ZBot

Spybot S&D currently has 1797852 fingerprints in 694008 rules for 5101 products.

False Positives Reported

In addition to definitions being added there were some adjustments that were made to fix false positive detections that can break harmless programs. This week's false positive reports and fixes are as follows:

1: A false positive in the TeaTimer module that flagged "ArcMediaService.exe" as malware was reported a week ago and was actually fixed on Dec 30, 2009 (not on Dec 23, as stated in last week's entry).

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (for Windows PCs) is to run the stand-alone updater:

  1. Go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open.
  2. Leave the default options as they are, unless you need all languages or want beta definitions, and click on "Search."
  3. Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue."
  4. Make sure all updates are checked, then click on "Download."
  5. If all definitions are verified as being correct, the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on "Go Back," select a different mirror, and try again. I have consistent success using the Giganet or Safer-Networking servers.
  6. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC, save it to a removable disk or drive, then install it into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because Conficker or similar malware is blocking them), or due to other networking problems. The downloaded definition includes installer will look for a typical Spybot installation location and update it immediately, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks a file you can also allow the file to be executed (and remove the check mark for deletion). You can exclude any file from further detections during a scan by right-clicking the item in the Spybot S&D scan results and selecting "Exclude this detection from further searches."


December 27, 2009

My Spam analysis for the week of Dec 21 - 27, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 3% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including spam for pirated software, counterfeit watches, the fake Canadian Pharmacy and other fake pharmacies, illegal-to-import Viagra from China and India, HTML positioning tricks, plus some Nigerian 419 scams. Monday, Dec 21 was the "spamiest" day this week. Further, my blacklisted senders list proved very effective this week.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and the sender addresses are forged, there is no point in complaining to the listed From or Reply-To address. Those addresses are inserted by the same script that composes the spam on the compromised PCs, and they usually belong to innocent people whose harvested names are reused as forged senders. When the forgery deliberately targets a real person or business, so that the bounces and complaints land on them, the practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Dec 21 - 27, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Dec 21 - 27, 2009. Spam amounted to 14% of my incoming email this week. This represents a -3% change from last week.
MailWasher Pro by Firetrust
Blacklisted Senders (gets repeat spam domains & accounts): 15.63%
Other Filters (misc filters): 15.63%
Pirated Software (like "Eurosoft"): 12.50%
Viagra: 9.38%
HTML letter positioning tricks: 9.38%
APNIC Sender: 9.38%
Counterfeit Watches: 6.25%
UPS Phishing Scam: 6.25%
RIPE Sender: 6.25%
Unlicensed Prescriptions: 3.13%
Canadian Pharmacy Scams: 3.13%
Blocked Countries in Headers: 3.13%

The latest weekly updates to my custom MailWasher Pro filters were to the Blacklisted Senders list. I added a new Blacklist entry for: [email protected], an account used by a Nigerian 419 scammer. Everything else is working as it should. If you're not already using MailWasher Pro to filter out spam you should consider doing so! Read the next three paragraphs for more details about it.

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g. Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters or, if they made it through, were reported to SpamCop (of which I am a reporting member) and then manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you containing a link. You must open the enclosed reporting link in your browser and manually submit your report; this is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads. You need really good, up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong real-time monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available, and it checks for web-based threats and new malware definitions by querying secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickels!

Wiz - out


December 25, 2009

Spybot Search & Destroy updates for Dec 23, 2009

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on December 23, 2009, as listed below. 11 new or modified fake security programs (fraudulent anti-virus/anti-spyware) were added to the "Malware" detections, plus 11 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

The latest new or modified "Malware" category threats are all fake security programs and scans. The names used by Spybot S&D are as follows:

Fraud.AntiTroy, Fraud.MalwareDefense, Fraud.ProtectPCs, Fraud.SafetyAntiSpyware, Fraud.SecurityTool, Fraud.SoftCop, Fraud.SysDefence, Fraud.WindowsEnterpriseDefender, Fraud.XPProtectionCenter, FSonlinescanner and Win32.FraudLoad

The latest "Trojans" that were added or updated are:

Virtumonde.dll, Virtumonde.sci, Virtumonde.sdn, Win32.OnLineGames.mfax, Win32.OnLineGames.mfay, Win32.OnLineGames.mfgb, Win32.OnLineGames.uhbx, Win32.OnLineGames.unal, Win32.OnLineGames.urwo, Win32.ZBot and Zlob.Downloader.anz

False Positives Reported

In addition to definitions being added there were some adjustments that were made to fix false positive detections that can break harmless programs. This week's false positive reports and fixes are as follows:

1: A false positive detection of "Fraud.MalwareDefense" in the video drivers located at "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" and in the Registry key - "HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}" - was fixed on Dec 23, 2009, with a second release of the definition updates.

2: A false positive detection in the TeaTimer module, flagging "ArcMediaService.exe" as malware, was fixed on Dec 23, 2009.

3: A user reported that when performing a right-click scan, using "Heuristics," on a folder containing all images, they were falsely flagged as "Virtumonde.dll" or "Virtumonde.sdn." This is being investigated as a false positive.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (for Windows PCs) is to run the stand-alone updater:

  1. Go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open.
  2. Leave the default options as they are, unless you need all languages or want beta definitions, and click on "Search."
  3. Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue."
  4. Make sure all updates are checked, then click on "Download."
  5. If all definitions are verified as being correct, the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on "Go Back," select a different mirror, and try again. I have consistent success using the Giganet or Safer-Networking servers.
  6. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC, save it to a removable disk or drive, then install it into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because Conficker or similar malware is blocking them), or due to other networking problems. The downloaded definition includes installer will look for a typical Spybot installation location and update it immediately, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks a file you can also allow the file to be executed (and remove the check mark for deletion). You can exclude any file from further detections during a scan by right-clicking the item in the Spybot S&D scan results and selecting "Exclude this detection from further searches."


December 20, 2009

My Spam analysis for the week of Dec 14 - 20, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 6% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including spam for the fake Canadian Pharmacy and other fake pharmacies, illegal-to-import Viagra from China and India, acai berry weight loss scams, counterfeit watches, loan scams and lottery scams. Also continuing this week was a run of pornographic spam subjects. Thursday, Dec 17 was the "spamiest" day this week.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets, and the sender addresses are forged, there is no point in complaining to the listed From or Reply-To address. Those addresses are inserted by the same script that composes the spam on the compromised PCs, and they usually belong to innocent people whose harvested names are reused as forged senders. When the forgery deliberately targets a real person or business, so that the bounces and complaints land on them, the practice is known as a "Joe Job."
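The forged sender is easy to demonstrate on a real message. The From: and Reply-To: lines are whatever the spam script wrote, but the Received: lines stamped by your own mail servers record the IP address that actually connected, and SpamCop's parser does essentially the same walk when it decides whom to notify. The script below is an added example of mine, not part of the original post and not code from MailWasher Pro or SpamCop. The message, host names, IP addresses and the TRUSTED_RELAY_IPS set in it are all constructed for the example; the set stands in for whatever relays your provider runs.

```python
"""Find where a spam message really came from.

Added example, not from the original post. Walks the Received: chain
newest-first and stops at the first hop that did not come from one of
our own relays: that IP is the evidence, not the From: address. Lines
below that hop were written by the sender and can say anything.
All hosts, addresses and IPs here are constructed for the example.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample: forged PayPal sender, delivered by a consumer DSL
# host (the "zombie") to our MX, with a fake Received: line underneath
# that claims the mail originated at paypal.com.
SAMPLE_SPAM = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by inbox.example.net with ESMTP id 7abc12; Mon, 21 Dec 2009 08:14:02 -0500
Received: from 198-51-100-77.dsl.example-isp.net (HELO mail.paypal.com) ([198.51.100.77])
    by mx.example.net with SMTP; Mon, 21 Dec 2009 08:13:58 -0500
Received: from mail.paypal.com (mail.paypal.com [203.0.113.5])
    by mail.paypal.com with ESMTP; Mon, 21 Dec 2009 07:55:00 -0500
From: "PayPal Billing" <service@paypal.com>
Reply-To: verify@paypal-secure.example.org
To: victim@example.net
Subject: Your account has been limited

Click here to restore access.
"""

# IPs of the relays we (or our provider) run; assumed values. Received:
# lines written by these hosts are trustworthy, nothing else is.
TRUSTED_RELAY_IPS = {"192.0.2.10", "192.0.2.11"}

_HOP_RE = re.compile(
    r"from\s+(?P<name>\S+)"                      # name the receiving MTA logged
    r".*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"    # IP it actually saw
    r".*?\bby\s+(?P<by>\S+)",                    # host that wrote this line
    re.S,
)
_HELO_RE = re.compile(r"\(HELO\s+(?P<helo>[^)\s]+)\)")


def parse_hop(value):
    """Return name/ip/by/helo for one Received: value, or None when the
    line carries no bracketed IP (some MTAs omit it; treat as unknown)."""
    m = _HOP_RE.search(value)
    if not m:
        return None
    hop = m.groupdict()
    helo = _HELO_RE.search(value)
    hop["helo"] = helo["helo"] if helo else None
    return hop


def origin_hop(raw_message, trusted_ips=TRUSTED_RELAY_IPS):
    """Newest Received: line comes first. Skip hops between our own relays;
    the first hop from an outside IP is where the message entered our
    infrastructure. Never read past it."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        hop = parse_hop(value)
        if hop is None or hop["ip"] in trusted_ips:
            continue
        return hop
    return None


def summarize(raw_message):
    """Compare what the message claims with what the headers prove."""
    msg = email.message_from_string(raw_message)
    hop = origin_hop(raw_message)
    claimed_from = parseaddr(msg.get("From", ""))[1]
    domain = claimed_from.rsplit("@", 1)[-1].lower()
    origin = hop["name"].lower() if hop else ""
    # A From: domain that the origin host does not belong to is unproven;
    # with a consumer-pool rDNS like the sample it is as good as forged.
    matches = bool(hop) and bool(domain) and (
        origin == domain or origin.endswith("." + domain))
    return {
        "claimed_from": claimed_from,
        "claimed_reply_to": parseaddr(msg.get("Reply-To", ""))[1],
        "claimed_helo": hop["helo"] if hop else None,
        "origin_ip": hop["ip"] if hop else None,
        "origin_rdns": hop["name"] if hop else None,
        "from_domain_matches_origin": matches,
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_SPAM).items():
        print(f"{key:>27}: {val}")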

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Dec 14 - 20, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Dec 14 - 20, 2009. Spam amounted to 17% of my incoming email this week. This represents a -6% change from last week.
finger pointing right MailWasher Pro by Firetrust
Viagra: 28.89%
Other Filters (misc filters): 15.56%
Blacklisted Senders (gets repeat spam domains & accounts): 11.11%
Pharmaceutical Spam: 8.89%
Lottery Scams: 8.89%
Pornography: 6.67%
Counterfeit Watches: 4.44%
HTML letter positioning tricks: 4.44%
Numeric IP links: 4.44%
Loans: 2.22%
Known Spam "From": 2.22%
Known Spam "To": 2.22%

The latest weekly updates to my custom MailWasher Pro filters were to the Phishing, Pills and Canadian Pharmacy spam filters. I also added new Blacklist wildcard entries for: +@*.hinet.net and +@+.cn - which match quite a few messages lately. Everything else is working as it should. If you're not already using MailWasher Pro to filter out spam you should consider doing so! Read the next three paragraphs for more details about it.

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Facebook Twitter LinkedIn Pinterest Instapaper Google+ Addthis

back to top ^

December 16, 2009

New zero day vulnerability being exploited in Adobe Acrobat and Reader

December 16, 2009

I have just read security reports about a new critical vulnerability in Adobe's PDF programs, Acrobat and Reader, which is being actively exploited in the wild. This comes on the heels of a large security update that Adobe just released in early December, 2009, which patched those programs for other vulnerabilities. There seems to be no end to exploits targeting Adobe products (PDF programs, Shockwave and Flash).

Adobe announced in their security advisory APSA09-07 that a patch would be released by January 12, 2010, which is coincidentally the next Patch Tuesday for Microsoft users.

Here is a quote from advisory APSA09-07:

"Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild."

Adobe recommends customers use one of the workarounds below until a patch is available.

Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the Adobe JavaScript Blacklist Framework to prevent this vulnerability. Please refer to the aforementioned TechNote for more information. There is some doubt in security circles that this is really going to be effective.

Or, totally disable JavaScript in Adobe Reader or Acrobat, as follows.

  1. Launch Acrobat or Adobe Reader.
  2. Select Edit > Preferences
  3. Select the JavaScript Category
  4. Uncheck the "Enable Acrobat JavaScript" option
  5. Click OK

If your version of Windows supports it, enabling "DEP" for Acrobat or Reader limits the potential of the attack to crashing the applications, rather than taking over the computer. It is a recommended step to take.

Be sure to watch for the official patch on January 12, 2010, or sooner. If you have disabled JavaScript in Adobe Acrobat and/or Reader, and wish to start using it again, undo the option listed above after applying the upcoming patch.

Facebook Twitter LinkedIn Pinterest Instapaper Google+ Addthis

back to top ^

Firefox Updated to version 3.5.6 fixing 7 vulnerabilities

December 16, 2009

Today, Mozilla released an update for the Firefox browser: version 3.5.6. This is basically a security release as it plugs 7 recently reported vulnerabilities in Firefox (and in Seamonkey). Three os the vulnerabilities were rated as Critical. There were also several stability issues resolved with this release.

Fixed in Firefox 3.5.6

MFSA 2009-71 GeckoActiveXObject exception messages can be used to enumerate installed COM objects
MFSA 2009-70 Privilege escalation via chrome window.opener
MFSA 2009-69 Location bar spoofing vulnerabilities
MFSA 2009-68 NTLM reflection vulnerability
MFSA 2009-67 Integer overflow, crash in libtheora video library
MFSA 2009-66 Memory safety fixes in liboggplay media library
MFSA 2009-65 Crashes with evidence of memory corruption (rv:1.9.1.6/ 1.9.0.16)

You can update Firefox right from your browser, using the Help menu > "Check for Updates" link. I found that while I was able to download the update I was unable to apply it, as I operate as an XP Pro Power User. To update via the browser I closed Firefox, then right-clicked on the desktop icon for it, then chose Run As, inputted my administrator credentials and opened Firefox as the Administrator. I was then able to perform the in-browser update. In past releases I was able to update Firefox as a Power User, so something has been changed in this release.

Alternately, you can download the latest version of Firefox from Mozilla's Firefox landing page, save it and run it with whatever permissions it demands. Since Firefox is installed into your Program Files directory, and creates accounts for all users, Windows demands administrator credentials or permissions to allow the installation.

If you are not yet a Firefox user you should try it. Use the link in the previous paragraph to download and install it. Leave the default option set to automatically check for updates. You will be given an option to import your cookies and Favorites into Firefox, both during installation and anytime afterward. Note, Favorites are called Bookmarks in Firefox and all other Mozilla based browsers. Only Internet Explorer and AOL's browsers refer to saved websites as Favorites.

Facebook Twitter LinkedIn Pinterest Instapaper Google+ Addthis

back to top ^

Spybot Search & Destroy updates for Dec 16, 2009

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on December 16, 2009, as listed below. 14 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 6 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (for Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save it to a removable disk or drive, then install it into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes is in my extended comments.

Additions to Spybot S&D malware definitions made on December 16, 2009:

If your computer is infected with any of the malware threats listed below, Spybot S&D should be able to remove them, after you update it. Always check to see if you have the latest version of Spybot S&D. You may need to schedule a second scan after a reboot, to remove threats that couldn't be deleted because they were active in memory. You may even need to restart in Safe Mode and scan from there.

All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection.

Malware (Mostly fake anti-virus, or security scans)
++ Fraud.AdditionalGuard
++ Fraud.AntiAdd
++ Fraud.AntiKeep
++ Fraud.AntiTroy
++ Fraud.IGuardPc
++ Fraud.KeepCop
++ Fraud.PersonalSecurity
++ Fraud.ReAnti
++ Fraud.REspyware
+ Fraud.SecurityTool
++ Fraud.SideAdware
+ Fraud.Sysguard
+ Fraud.WindowsEnterpriseDefender
++ Win32.AV.md

Trojans (Win32.OnlineGames.--- is a trojan that captures passwords for certain online games.)
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Banker.fgv
+ Win32.TDSS.reg
+ Win32.TDSS.rtk
+ Win32.ZBot

Total: 1770770 fingerprints in 685316 rules for 5067 products.

False positive detections reported, discussed, or fixed this week:

There were 2 false positives reported this week, in the Spybot forums. However, if you are still using an older version of Spybot you are likely to see false positives of all kinds. When I say old version I mean any version that is not the most current release (see below). The Spybot engine now gets changed radically with each new update, to help it deal with stubborn new types and variations of modern spyware.

The first false positive confirmed was "Fake.MSAntivirus" in an MSX emulator called RuMSX. This has been fixed.

The second confirmed false positive was for "PerfectKeylogger" in Microsoft's .NET Framework 1.1 Service Pack 1. This has been fixed with this week's updates.

Many of the false positives that we see are caused by the Teatimer real time monitoring module. In the case of Teatimer false positives that are fixed by updates, Teatimer will have to be restarted after the update is applied. Or, just disable TeaTimer if you really don't need its "protection." One way to not need TeaTimer is to run your PC with reduced privileges, as a Power User or Standard User, rather than as an Administrator.

Note. Spybot 1.5.x is now an OLD version and is unreliable in detections and removals!

If you keep getting a report of "Virtumonde" in C:\Windows\system32\zipfldr.dll and you are running a version of Spybot S&D older than version 1.6.2, it is a probable false positive. That is a Windows system file that is automatically restored if you delete it. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, as the engine is now outdated and unable to comprehend new malware definitions. The fix: Update to the current version of Spybot S&D!

Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that the use of Spybot S&D on Windows versions older than Windows 2000 is no longer supported and is subject to many false positives and failed removals.

TeaTimer update issues and remedies:

TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

* Right click the (TeaTimer) Resident tray icon
* Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools", then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1 minute
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the item in the Spybot S&D scan result and selecting "exclude this detection from further searches."

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.


December 13, 2009

My Spam analysis for the week of Dec 7 - 13, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 7% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week saw a large variety of categories of spam, including the return of male enhancement scams, spam for the fake Canadian Pharmacy, Illicit Viagra from China, weight loss scams, counterfeit watches, loan scams and identity theft phishing scams targeting bank and UPS customers. New this week was a run of very pornographic spam promoting a dating service with a very nasty name. Such websites are places where people have their credit or debit cards stolen, or where extremely hostile scripts are run against your browser, trying to infect your computer.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Dec 7 - 13, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Dec 7 - 13, 2009. Spam amounted to 23% of my incoming email this week. This represents a +7% change from last week.

MailWasher Pro by Firetrust
Other Filters (misc): 26.98%
Weight Loss Scams: 11.11%
Male Enhancement Scams: 11.11%
Canadian Pharmacy Scams: 9.52%
Viagra: 6.35%
Counterfeit Watches: 6.35%
Pirated Software: 6.35%
HTML letter positioning tricks: 4.76%
Loans: 4.76%
Phishing Scams: 4.76%
Pornography: 3.17%
Blacklisted Senders: 3.17%
DNS Blacklisted Servers (e.g: SpamCop): 1.59%

The latest weekly updates to my custom MailWasher Pro filters were to the Phishing, Software, Viagra [Body], Porn and "Yahoo Groups or Profiles Link" spam filters. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it from my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


December 10, 2009

Spybot Search & Destroy updates for Dec 9, 2009

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two weeks' updates were released on schedule on December 9, 2009, as listed below. 7 new or modified fake security programs (fraudulent anti-virus/spyware) were added to the "Malware" detections, plus 3 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. The new Trojans are Zbot and OnlineGames.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at spybot.info, or from its alternate domain, Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (for Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save it to a removable disk or drive, then install it into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes is in my extended comments.

Additions to Spybot S&D malware definitions made on December 9, 2009:

If your computer is infected with any of the malware threats listed below, Spybot S&D should be able to remove them, after you update it. Always check to see if you have the latest version of Spybot S&D. You may need to schedule a second scan after a reboot, to remove threats that couldn't be deleted because they were active in memory. You may even need to restart in Safe Mode and scan from there.

All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection.

Malware
+ Fakealert.gen
+ Fraud.EcoAntivirus2010
+ Fraud.MalwareProfessional
+ Fraud.Sysguard
+ Fraud.SystemSecurity
+ Fraud.VolcanoSecuritySuite
+ Win32.FraudLoad

Trojans (Win32.OnlineGames.--- is a trojan that captures passwords for certain online games.)
+ Win32.OnLineGames.ulvz
+ Win32.OnLineGames.unyi
+ Win32.ZBot

Total: 1764582 fingerprints in 683394 rules for 5067 products.
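The weekly listings above (the December 16 list and the December 9 list) follow one simple convention: a category heading, entries prefixed with "+" for an updated detection or "++" for a brand-new one, and a closing "Total:" line with the fingerprint, rule and product counts. The following script is an added example, not code from Safer-Networking or from this blog, that parses a pasted listing into structured records, counts new versus updated detections per category and per malware family, and computes the week-over-week growth of the definition database from two "Total:" lines. The sample input is the December 16 listing copied from this page, and the baseline totals are the December 9 figures; the family heuristic (first two dotted components for Win32 names, first component otherwise) is my own assumption about how these names are built.

```python
"""Parse a Spybot S&D weekly definition-update listing and compare totals.

Added example (not code from Safer-Networking or the blog author). It reads the
listing format the posts use: category headings, entries prefixed with "+" (updated
detection) or "++" (brand-new detection), and a closing "Total: ..." line.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^(\+{1,2})\s+(\S+)\s*$")
TOTAL_RE = re.compile(r"^Total:\s*(\d+) fingerprints in (\d+) rules for (\d+) products\.?$")

@dataclass
class Detection:
    category: str  # "Malware" or "Trojans"
    name: str      # e.g. "Win32.OnLineGames.ulvz"
    new: bool      # True for "++", False for "+"

    @property
    def family(self):
        # Assumed naming convention: "Win32.TDSS.rtk" -> "Win32.TDSS", "Fraud.SecurityTool" -> "Fraud"
        parts = self.name.split(".")
        return ".".join(parts[:2]) if parts[0] == "Win32" else parts[0]

@dataclass
class UpdateListing:
    detections: list = field(default_factory=list)
    fingerprints: int = 0
    rules: int = 0
    products: int = 0

def parse_listing(text):
    """Turn a pasted listing into an UpdateListing; raises on an entry with no heading."""
    listing, category = UpdateListing(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = ENTRY_RE.match(line)
        total = TOTAL_RE.match(line)
        if entry:
            if category is None:
                raise ValueError(f"detection before any category heading: {line}")
            listing.detections.append(Detection(category, entry.group(2), entry.group(1) == "++"))
        elif total:
            listing.fingerprints, listing.rules, listing.products = map(int, total.groups())
        else:
            # Any other non-empty line is a category heading; drop its parenthetical note.
            category = line.split("(", 1)[0].strip()
    return listing

def summarize(listing):
    """Count new vs. updated detections per category, and entries per malware family."""
    categories = {}
    for d in listing.detections:
        bucket = categories.setdefault(d.category, {"new": 0, "updated": 0})
        bucket["new" if d.new else "updated"] += 1
    return {"categories": categories,
            "families": Counter(d.family for d in listing.detections)}

def delta(previous, current):
    """Week-over-week growth of the definition database."""
    return {k: getattr(current, k) - getattr(previous, k)
            for k in ("fingerprints", "rules", "products")}

# Listing copied from the December 16, 2009 post on this page.
DEC16_LISTING = """
Malware (Mostly fake anti-virus, or security scans)
++ Fraud.AdditionalGuard
++ Fraud.AntiAdd
++ Fraud.AntiKeep
++ Fraud.AntiTroy
++ Fraud.IGuardPc
++ Fraud.KeepCop
++ Fraud.PersonalSecurity
++ Fraud.ReAnti
++ Fraud.REspyware
+ Fraud.SecurityTool
++ Fraud.SideAdware
+ Fraud.Sysguard
+ Fraud.WindowsEnterpriseDefender
++ Win32.AV.md
Trojans (Win32.OnlineGames.--- is a trojan that captures passwords for certain online games.)
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Banker.fgv
+ Win32.TDSS.reg
+ Win32.TDSS.rtk
+ Win32.ZBot
Total: 1770770 fingerprints in 685316 rules for 5067 products.
"""
# Totals from the December 9, 2009 post, used as the previous week's baseline.
DEC9_TOTALS = UpdateListing(fingerprints=1764582, rules=683394, products=5067)

if __name__ == "__main__":
    week = parse_listing(DEC16_LISTING)
    print(summarize(week))
    print(delta(DEC9_TOTALS, week))
```

Run as-is it reports that the December 16 update contained 11 new and 3 updated "Malware" detections and 1 new plus 5 updated "Trojans", that 13 of the 20 entries belong to the Fraud family, and that the database grew by 6188 fingerprints and 1922 rules over December 9 with no change in the product count. Keeping these numbers week to week is a quick sanity check that an update actually landed: a "Total:" line that does not move after a download is the symptom the mirror trouble described above produces.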

False positive detections reported, discussed, or fixed this week:

There were 2 false positives reported this week, in the Spybot forums. However, if you are still using an older version of Spybot you are likely to see false positives of all kinds. When I say old version I mean any version that is not the most current release (see below). The Spybot engine now gets changed radically with each new update, to help it deal with stubborn new types and variations of modern spyware.

The first false positive reported was "Teatimer Encountered and terminated 2Search in C:\Program Files\DVD Decrypter\DVDDecrypter.exe." This should not have happened at all.

The second confirmed false positive was during a heuristic scan, where Spybot found Virtumonde.dll and/or .sdn when scanning any given image folder containing the Thumbs.db file(s). This has been fixed with this week's updates.

Many of the false positives that we see are caused by the Teatimer real time monitoring module. In the case of Teatimer false positives that are fixed by updates, Teatimer will have to be restarted after the update is applied. Or, just disable TeaTimer if you really don't need its "protection." One way to not need TeaTimer is to run your PC with reduced privileges, as a Power User or Standard User, rather than as an Administrator.

Note. Spybot 1.5.x is now an OLD version and is unreliable in detections and removals!

If you keep getting a report of "Virtumonde" in C:\Windows\system32\zipfldr.dll and you are running a version of Spybot S&D older than version 1.6.2, it is a probable false positive. That is a Windows system file that is automatically restored if you delete it. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, as the engine is now outdated and unable to comprehend new malware definitions. The fix: Update to the current version of Spybot S&D!

Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that the use of Spybot S&D on Windows versions older than Windows 2000 is no longer supported and is subject to many false positives and failed removals.

TeaTimer update issues and remedies:

TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

* Right click the (TeaTimer) Resident tray icon
* Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools", then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1 minute
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the item in the Spybot S&D scan result and selecting "exclude this detection from further searches."

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.


December 6, 2009

My Spam analysis for the week of Nov 30 - Dec 6, 2009

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for various unlicensed prescription drugs from China, plus weight loss, male enhancement and phishing scams. The rise in Male Enhancement scams follows a total decline that occurred a month ago, after the takedown of the Mega-D Botnet. The spammers using that Botnet have hired other Botnets to distribute their enlargement scams.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Nov 30 - Dec 6, 2009 and the latest additions to my custom MailWasher Pro filters.

MailWasher Pro spam category breakdown for Nov 30 - Dec 6, 2009. Spam amounted to 16% of my incoming email this week. This represents a +2% change from last week.

MailWasher Pro by Firetrust
HTML letter positioning tricks: 14.63%
Viagra: 14.63%
Counterfeit Watches: 12.20%
Male Enhancement Scams: 12.20%
Other Filters (misc): 12.20%
Canadian Pharmacy Scams: 9.76%
Unlicensed Prescription Drugs: 4.88%
Pills: 4.88%
Weight Loss Scams: 4.88%
DNS Blacklisted Servers (e.g: SpamCop): 4.88%
Phishing Scams: 4.88%

The latest weekly updates to my custom MailWasher Pro filters were to the Male Enhancement, PayPal Phishing, Dating and Known Spam "TO" filters. Everything else is working as it should. Without MailWasher Pro filtering out all the junk mail I would waste a lot more time deleting it from my email program's inbox. If you're not already using MailWasher Pro to filter out spam, read on...

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite you to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.


December 5, 2009

Malwarebytes Anti-Malware Discount Coupon Code

Many of my readers are aware of the superior capabilities of Malwarebytes Anti-Malware when it comes to detecting and removing the latest malware and spyware threats. I write about it on my blog and in forums I frequent and use it myself, very successfully. In fact, I have dedicated an entire product page to describing how to use and update Malwarebytes Anti-Malware.

Malwarebytes Anti-Malware is affectionately known in the security trade as simply "MBAM." It is used in numerous malware removal help forums as a primary tool in the fight against Trojans, rootkits, fake security alerts and fake scanners. It also targets most keyloggers. Malwarebytes employs real researchers who capture malware in the wild, reverse engineer it, then develop and release new definitions to detect and remove it, using MBAM. These definitions are added to the database on users' computers, with outdated definitions getting removed at the same time. This keeps the load on the computer to a minimum, as the definitions databases are relatively small.

The reason for the swapping out of old definitions for new ones has to do with the nature of the cat and mouse game being played out between security researchers and malware authors and distributors of spyware. Malware authors are constantly altering the packaging of their nefarious products, often in as little as 24 hours after initial release. They do this to avoid detection by the most common anti-virus and anti-spyware programs. By the time a standard anti-virus company has developed detection for an altered piece of malware, it may no longer be in common circulation.

MBAM is not a substitute for an anti-virus program, but is meant to run alongside one, giving you an additional layer of protection against the most recent threats in the wild. Your anti-virus program can take care of older threats that have been in circulation for a long time without major alterations.

Malwarebytes is a company dedicated to detecting and removing the current threats in the wild. They are very quick to capture new variants of malware, develop definitions and release updates. I have seen at least 6 updates on a slow day, during a prolonged fight against a fake security program (PC Police I think). I had to take the fight to Safe Mode (Windows XP) with Networking to win the battle, using only MBAM to conduct the battle.

The program is available for free if you want to use it manually, as an on-demand scanner. You must check for updates before scanning, then scan manually. Or, for a one-time payment of only $24.95 US, or equivalent in other currencies (+ VAT in EU) you can have it turn on frequent scheduled updating and scanning, plus real time monitoring to prevent malware from being installed in the first place. That one-time payment is for a lifetime license, no matter what version is released!

The current version of Malwarebytes Anti-malware is 1.42, released on December 3, 2009. My product page lists the changes. You can download the latest version from that page and install it over the previous version. Reboot and you're good to go!

However, as great as the $24.95 lifetime price is, they have gone one better, as a Holiday special. From now until the end of December, 2009, Malwarebytes Anti-Malware is on sale for 15% off, if you use my affiliate coupon. You will find the coupon on my MBAM product page, along with a description of its usage and recent changes in the current version. Go there, read about the program, copy the code from the third yellow highlighted section, use a link on the page to purchase it, then paste the code into the coupon field and apply it. There is a checkbox in the shopping cart to reveal the coupon code box.

Here's hoping you have a happy and safe holiday season, wherever you are! Keep your PCs secured from malware, using Malwarebytes Anti-Malware.


December 3, 2009

Spybot Search & Destroy updates for Dec 2, 2009

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two weeks' updates were released on schedule on December 2, 2009, as listed below. 7 new or modified fake security programs (fraudulent anti-virus/spyware) were added to the "Malware" detections, plus 9 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. The new Trojans are mostly of the types Virtumonde, Botnet agents and OnlineGames.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at spybot.info, or from its alternate domain, Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (for Windows PCs) is the built-in updater:

* Go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open.
* Leave the default options as they are, unless you need all languages or want beta definitions, and click on "Search."
* Another box will open with "mirror" locations around the world from which you can download updates. Select the location nearest to you from the list and click on "Continue."
* Make sure all updates are checked, then click on "Download."
* If all definitions are verified as correct, the check marks disappear from the check boxes and are replaced with green arrow graphics. Sometimes one or more mirrors have not yet received all of the definitions, and you will get a red X for those definitions. Click on "Go Back," select a different mirror, and try again. I have consistent success using the Giganet or Safer-Networking servers.
* When all updates have succeeded, click on "Exit."

You can also download the latest definition "includes" installer on a clean PC, save it to a removable disk or drive, and run it on the infected PC while that PC is offline. This helps you disinfect a PC that cannot currently get online, cannot reach security websites for updates (because of Conficker or similar malware that blocks them), or has other networking problems. The downloaded includes installer looks for the standard Spybot installation location and updates it immediately, as long as Spybot itself is closed during the update.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments.

Additions to Spybot S&D malware definitions made on December 2, 2009:

If your computer is infected with any of the malware threats listed below, Spybot S&D should be able to remove them after you update it. Always check that you have the latest version of Spybot S&D. You may need to schedule a second scan after a reboot, to remove threats that couldn't be deleted because they were active in memory. You may even need to restart in Safe Mode and scan from there.

All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection.

Malware
+ Fraud.AntivirusBest
++ Fraud.AntivirusSystemPro
+ Fraud.Sysguard
++ MaxSecure.RegistryCleaner
+ SpywareDetector
+ Win32.FraudLoad
++ Win32.Violent.kbd

Trojans (These are the real bad guys: bots, rootkits, remote controllers, backdoors)
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.OnLineGames.bill
++ Win32.OnlineGames.oql
++ Win32.OnLineGames.ulbe
++ Win32.OnLineGames.urpo
+ Win32.TDSS.rtk
+ Win32.ZBot
+ Zlob.PornMagPass

Total: 1764133 fingerprints in 683377 rules for 5064 products.

False positive detections reported, discussed, or fixed this week:

False Positive! Avast anti-virus detects parts of Spybot-S&D as the "Win32:Delf-MZG" Trojan Horse! This occurred on December 3, just as I was publishing my weekly Spybot definition updates. Apparently, Avast has already fixed the problem by issuing both new definitions and a new engine. Update your Avast virus definitions from the version with the issue, 091203-0, to the fixed version, 091203-1. Then update the program itself, from version 4.8.1356 to version 4.8.1368, and restart your computer. That should stop the false positive, but Spybot S&D may already have been damaged too badly to fix without a fresh installation.

To repair Spybot S&D after a security program like Avast has trashed it, first update Avast as detailed above, then try to restore the files that were quarantined in Avast's Virus Chest. Here is a step-by-step guide on how to restore files from the Virus Chest.

If restoring the quarantined files does not fix Spybot, you will need to uninstall and reinstall it. Uninstall what's left of the program, download a fresh copy of Spybot S&D from one of the official mirror sites, install it, update it, then use it as normal.

There were no false positives in Spybot's own definitions reported this week in the Spybot forums. However, if you are still using an older version of Spybot you are likely to see false positives of all kinds. By an old version I mean any version that is not the most current release (see below). The Spybot engine now changes substantially with each new update, to help it deal with stubborn new types and variations of modern spyware.

Many of the false positives we see are caused by the TeaTimer real-time monitoring module. When a TeaTimer false positive is fixed by an update, TeaTimer has to be restarted after the update is applied. Or just disable TeaTimer if you really don't need its "protection." One way to not need TeaTimer is to run your PC with reduced privileges, as a Standard User (or, on Windows XP, a Power User; from Vista on, the Power Users group no longer carries any extra rights, so a Standard User account is the one to use) rather than as an Administrator.
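Most people have no idea whether their everyday account is an administrator, so the advice above is hard to act on. The script below is an added example, not part of the original post and not Spybot's own code: it reports whether the current PowerShell session runs with administrative rights, whether the logged-on account is a member of the local Administrators group at all (the two differ under UAC, where an administrator normally works with a filtered token), and prints the two net localgroup commands that demote the account. It assumes Windows PowerShell 2.0 or later; the ADSI group lookup works from Windows XP through Windows 10.

```powershell
# Added example, not from the original post: check whether the account you
# use every day is an administrator, which is what the advice above asks
# you to stop doing. Assumes Windows PowerShell 2.0 or later.

function Test-SessionElevated {
    # True when this PowerShell process holds the Administrators group in
    # its token, i.e. it is running with administrative rights right now.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdministratorNames {
    # Members of the local Administrators group, by account name.
    # Uses the WinNT ADSI provider, which predates Get-LocalGroupMember.
    $group = [ADSI]'WinNT://./Administrators,group'
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$fullName = [Security.Principal.WindowsIdentity]::GetCurrent().Name   # e.g. PC\wiz
$user     = ($fullName -split '\\')[-1]
$admins   = Get-LocalAdministratorNames

"Logged on as:           $fullName"
"This session elevated:  $(Test-SessionElevated)"
"Local Administrators:   $($admins -join ', ')"

if ($admins -contains $user) {
    # Under UAC (Vista and later) an administrator usually runs with a
    # filtered token, so the session may report False above while the
    # account can still be elevated by clicking through a UAC prompt.
    Write-Warning "$user is a member of Administrators. Create and test a separate admin account FIRST, then, from that admin account, demote this one with:"
    "    net localgroup Administrators `"$user`" /delete"
    "    net localgroup Users `"$user`" /add"
} else {
    "$user is a standard user; malware that runs as you cannot install system-wide, and TeaTimer's protection is far less needed."
}
```

The demotion commands are printed, not run: removing the last administrator from the group locks you out, which is why the script insists on a second, tested admin account before you use them.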

Note: Spybot 1.5.x is now an OLD version and is unreliable in detections and removals!

If you keep getting a report of "Virtumonde" in C:\Windows\System32\zipfldr.dll and you are running a version of Spybot S&D older than version 1.6.2, it is a probable false positive. That is a Windows system file (the Compressed Folders shell extension), and Windows automatically restores it if you delete it. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, because the old engine cannot correctly process the new malware definitions. The fix: update to the current version of Spybot S&D!
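Before letting any scanner delete a file in System32, it is worth confirming that the file really is the genuine Windows component. The script below is an added example, not part of the original post or of Spybot, that triages a report like the zipfldr.dll one in three independent ways: the file's Authenticode/catalog signature and version resource, a SHA-256 comparison against the same file copied from a clean PC, and Windows Resource Protection's own single-file check. It assumes Windows PowerShell 4 or later (for Get-FileHash) on Windows 7 or later; $KnownGoodHash is a placeholder you fill in from a clean machine running the same Windows version, service pack and patch level, because the hash legitimately differs between builds.

```powershell
# Added example, not from the original post: triage a suspected false
# positive on a Windows system file before letting anything delete it.
# Assumes Windows PowerShell 4+ (Get-FileHash) on Windows 7 or later.
# $KnownGoodHash is a placeholder (assumption): paste in the SHA-256 of the
# same file taken from a clean PC with the same Windows build and patches.

$File          = Join-Path $env:SystemRoot 'System32\zipfldr.dll'
$KnownGoodHash = 'PASTE-SHA256-FROM-A-CLEAN-PC-HERE'

function Test-SystemFileSignature {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $ver = (Get-Item -LiteralPath $Path).VersionInfo
    [pscustomobject]@{
        Path        = $Path
        SigStatus   = $sig.Status          # 'Valid' is what you want to see
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Company     = $ver.CompanyName     # expect 'Microsoft Corporation'
        FileVersion = $ver.FileVersion
        Sha256      = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
    }
}

if (-not (Test-Path -LiteralPath $File)) {
    Write-Warning "$File is not present. Windows normally restores it; run 'sfc /scannow' from an elevated prompt."
    return
}

$info = Test-SystemFileSignature -Path $File
$info | Format-List

# 1. Signature. On Windows 7 with PowerShell 4, most System32 files are
#    catalog-signed rather than embedded-signed and can show NotSigned here
#    even when genuine; newer Windows checks the catalog and reports Valid.
if ($info.SigStatus -eq 'Valid' -and $info.Signer -match 'Microsoft') {
    'Signature check: valid Microsoft signature.'
} else {
    Write-Warning "Signature check inconclusive ($($info.SigStatus)); rely on the hash and sfc checks."
}

# 2. Hash against the copy from a clean PC with the same build.
if ($KnownGoodHash -notmatch '^[0-9A-Fa-f]{64}$') {
    Write-Warning 'No known-good hash supplied; skipping the hash comparison.'
} elseif ($info.Sha256 -eq $KnownGoodHash.ToUpperInvariant()) {
    'Hash check: identical to the copy from the clean PC.'
} else {
    Write-Warning 'Hash check: DIFFERS from the clean copy. Either the Windows builds differ or the file was tampered with; treat the detection as real until proven otherwise.'
}

# 3. Windows Resource Protection can verify a single file (Vista and later),
#    but only from an elevated session.
$elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($elevated) {
    & "$env:SystemRoot\System32\sfc.exe" "/verifyfile=$File"
} else {
    "Run from an elevated PowerShell to let Windows verify the file: sfc /verifyfile=$File"
}
```

If all three checks pass, the detection is a false positive in the scanner, not a problem with the file, and the right fix is to update the scanner (here, Spybot) rather than to delete or exclude a Windows component.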

Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that the use of Spybot S&D on Windows versions older than Windows 2000 is no longer supported and is subject to many false positives and failed removals.

TeaTimer update issues and remedies:

TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks a file, you can also allow the file to be executed (and remove the check mark for deletion as well). You can exclude any file from further detections during a scan by right-clicking the item in the Spybot S&D scan results and selecting "Exclude this detection from further searches."

If you keep getting false positive detections and broken programs, due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching into Advanced Mode > Tools > Resident.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.



About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

Follow @Wizcrafts on Twitter, where I post short updates on security issues, spam trends and things that just eat at my craw.

Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type
