If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on May 14, 2008:

Adware
++ CliprexDivXPlayer
++ CliprexDVDRipper

Hijackers
+ Inet Delivery

Keyloggers (Keyloggers steal your logins and passwords)
+ KGBKeylogger

Malware Includes fake anti-virus and anti-spyware programs, like VirusHeat
++ BPS.Gen
++ Fraud.Antivirus2008
+ ISearchTech
+ MagicControl.Agent
+ Rogue.IEAntivirus
++ Rogue.ScanAndRepair2007
+ Smitfraud-C.
+ SpyShredder
++ Themida.Bot.tsj
+ Vario.AntiVirus
+ VirusHeat
++ Win32.Agent.kmf
+ Win32.BHO.je

PUPS Possibly Un(popular|wanted) Software
+ CliprexDVDPro

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans Includes 1 new Zlob* Trojan detections
+ Banker.PorSMTP
+ ShudderLtd.AntiVirusPro
+ Smitfraud-C.MSVPS
++ Win32.Agent.cn
++ Win32.Agent.esq
++ Win32.Agent.qwq
+ Win32.Delf.eq
++ Win32.Konik
++ Win32.SlhClient
++ Win32.Small.dv
++ Win32.Small.imu (2)
++ Win32.Systembin
+ Zlob.Downloader.vdt

Total: 607566 fingerprints in 158897 rules for 3918 products!

False positive detections fixed this week:
SpyBossPro detected in ijl11.dll false positive fixed.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.

After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).

Another problem being reported is when you run some versions of Spybot S&D it stops with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that only have been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but in also will be performing rootkit searches while doing a Spybot "Check for problems".

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.

When a file sharing user double-clicks to play one of these files they get a surprise. Instead of seeing a movie or hearing a music file they are presented with a browser page that displays a EULA consisting of about 4800 words. The scam tells them that they must install a special media player, from fastmp3player.com - to playback the file they are trying to hear/see. Upon agreeing to the EULA the user is redirected to fastmp3player.com where a file download box appears, for a file named (at this time) "PLAY_MP3.exe." This file will install two separate adware and spyware applications; "FBrowsingAdvisor" and "SurfingEnhancer."

Apparently, in samples that have been analyzed in the last two days, these attacks are specifically designed to work in the Firefox browser. If Firefox is not found on the victim's computer, they will get a Windows error message and will be urged to download and install Firefox.

Most major anti virus and anti spyware companies can already detect and remove this threat, which has been elevated to a "medium threat" status by McAfee, for home users.

People who like to obtain copyrighted music or movies without paying a fair price for a licensed copy are left at risk from botmasters looking to increase their botnets, and criminals using affiliate programs to earn commissions for installing spyware and adware onto as many computers as possible.

What you can do to protect your computer from this threat.

1. Stop using file sharing programs like Limewire or Kaaza, or others, that allow people to distribute (share) copyrighted works illegally. They are riddled with malware files of all sorts. Instead, use one of the legitimate music or movie websites, like Apple's iTunes, Real Rhapsody, or Napster.


2. Install a modern, legitimate anti virus program that offers multiple daily updates and set it to receive automatic updates every hour. If you can't set it to an hourly schedule then run a manual check for updates as often as you think about it. Or, use Windows Task Scheduler to run the updater executable every hour. Reputable anti virus companies include Trend Micro, Symantec, McAfee, NOD32 and AVG.


3. Install a reputable anti spyware program and keep it updated as often as possible. Recommended companies include PCTools Spyware Doctor, Webroot's Spy Sweeper, Trend Micro PC-cillin, Lavasoft's Ad-Aware and anti-virus, and Spybot Search and Destroy.


4. Scan for threats every day, before you get busy online, or every night, before you turn off the computer for the night.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on May 7, 2008:

Hijackers
+ SearchALot

Keyloggers (Keyloggers steal your logins and passwords)
+ SpyBossPro

Malware Includes fake anti-virus and anti-spyware programs
++ Delf.12.an (2)
++ Fake.SecurityAlert
+ MalwareBell
++ MalwareCore
++ Win32.Agent.cs
+ Win32.BHO.je (3)
+ Win32.Renos
++ WinIFixer

PUPS Possibly Un(popular|wanted) Software
+ Enter.Casino.PT

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
+ Conducent.TimeSink

Trojans Includes 5 new Zlob* Trojan detections
++ CNNIC.cn
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
++ Win32.Agobot.aoi
++ Win32.Tibia.de
++ Win32.VB.bks
++ Win32.VB.me
+ Win32.Zhelatin.ah (a.k.a: Storm Trojan)
++ Zlob.Downloader.fvn
++ Zlob.Downloader.jau
++ Zlob.Downloader.vat
+ Zlob.Downloader.vdt
+ Zlob.ZipCodec

Total: 595073 fingerprints in 154556 rules for 3893 products!

False positive detections fixed this week:
False Positive for "ContraVirus" and "VirusBlast" has been fixed with this week's definition updates. Also removed from the immunizations list is Hotlinkfiles.com. This was done after they implemented anti malware scanning of all uploaded files.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.

After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).

Another problem being reported is when you run some versions of Spybot S&D it stops with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that only have been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but in also will be performing rootkit searches while doing a Spybot "Check for problems".

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see at all. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool; MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

My analysis of this week's spam shows that male enhancement pills, Viagra and other pharmaceuticals occupy the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes, pirated software and Google redirect exploits to fake "video codecs" (e.g: the Zlob Trojan and other Trojan Horse executables) falling further behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days comes from zombie computers, used as spam relays, in various Botnets.

As is usually the case, the category "Other Filters" has the second largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some lottery and financial fraud and phishing scams. The spam main categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 38% for the week ending May 4, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

Download MailWasher Pro Here

MailWasher Pro spam category breakdown for April 28 through May 4, 2008.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on April 30, 2008:

Adware
+ Wintouch

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax
++ KeyloggerDouglas
++ KeyloggerSpy

Malware Includes fake anti-virus and anti-spyware programs
+ MalwareBell
++ AntiVirProtect
+ IEDefender
++ Killsoft.V2008
+ Win32.BHO.je

PUPS Possibly Un(popular|wanted) Software
+ EuroGrand.Casino.PT
++ Monaco.Gold.Casino.PT

Trojans Includes 4 new Zlob* Trojan detections
++ BachKhoaAntivirus
++ BaiduBar.HostsRep
++ Delf.Inject
+ Prorat-D
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
++ Win32.Agent.aou
++ Win32.Agent.ay
++ Win32.Mutant.jz.rtk
++ Win32.Shark.ae
+ Zlob.Downloader.bs
+ Zlob.Downloader.se
+ Zlob.Downloader.vet
+ Zlob.Downloader.vdt
++ YMCam

Total: 593837 fingerprints in 154855 rules for 3880 products!

False positive detections fixed this week:
No false positives to report at this time.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.

After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).

Another problem being reported is when you run some versions of Spybot S&D it stops with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that only have been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but in also will be performing rootkit searches while doing a Spybot "Check for problems".

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see at all. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool; MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

My analysis of this week's spam shows that male enhancement pills, Viagra and other pharmaceuticals occupy the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes, pirated software and Google redirect exploits to fake "video codecs" (e.g: the Zlob Trojan and other Trojan Horse executables) falling further behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days comes from zombie computers, used as spam relays, in various Botnets.

As was the case before, the category "Other Filters" has the largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some good old Nigerian 419 lottery and financial fraud scams. The spam main categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 38% for the week ending April 27, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 21 through 27, 2008.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case. I also apply the same filter rules to my email server, on my website, thus eliminating a sizable percentage of spam without making MailWasher do the work. Those rules are listed below the equivalent MailWasher filters.

My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:

MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message

MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: —
Discard message

MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message

MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message

MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message

MailWasher Blacklist code: +@bestdebtrepair.net
Regular Expression for mail server filter use: .+@bestdebtrepair\.net
Discard message

NEW MailWasher Blacklist code (3/27/08): +@freenet.de
Regular Expression for mail server filter use: .+@freenet\.de
Discard message

Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:

[enabled],XdomainY@domain.tld,BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"

Learn more about MailWasher Pro, or Get MailWasher Pro here

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released a day later than usual, on Thursday, April 24, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are normally released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings, or in this instance, on Thursday. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

While immunizing your computer is generally a good security measure, there may be occasions where the immunization detections break a program you want to use, or block access to a website you choose to visit. If this happens to you after you immunize with new definitions, go to the Immunize tab and run UNDO, to remove the last immunizations. You can also use the checkboxes to selectively undo or redo immunizations. Right-clicking on the immunization list gives you the option to select all or select none, which helps with mass immunizations or undoing mass immunizations. Also, if you are going to uninstall Spybot S&D, always select all immunizations, then click on Undo. This will unblock everything before you delete the program.

Spybot Updates - published every Wednesday, except this week

Additions made on April 24, 2008:

Adware
+ BaiduBar

Keyloggers (Keyloggers steal your logins and passwords)
+ Winsession Logger
++ XPCSpyPro

Malware Includes fake anti-virus and anti-spyware programs
+ ContraVirus
++ Fake.Antispyware.TheSpybot2007
+ MalwareCrush
+ PestTrap
+ Smitfraud-C.
+ SpywareQuake
+ Swizzor
+ TitanShield
+ TrustCleaner
+ VirusBlast
+ VirusBurst
+ VirusProtectPro

PUPS Possibly UnPopular Software
+ 32Vegas.PT (4)
+ Deskbar
+ Europa.Casino.PT (13)
+ Vegas.Red.Casino.PT (20)

Security
+ Microsoft.Windows.AppFirewallBypass
++ Microsoft.Windows.Exefile.HideExtension

Trojans Includes new or updated Zlob* Trojan detections
+ BraveSentry
+ Fraud.ProtectionBar
+ Hupigon (11)
++ Hupigon.evc
++ Hupigon.Gen
+ Nuclearwinter
+ SafetyBar
+ Virtumonde.dll
++ Warpcom
++ Win32.Agent.af
++ Win32.Agent.ip
++ Win32.Agent.vye
+ Win32.Autorun
++ Win32.Backdoor.ajhb
++ Win32.Bifrose.blr
++ Win32.Delf.asz
++ Win32.mIRC
++ Win32.Pakes.cgn
+ Win32.Qhost.ake
++ Win32.Settec
++ Win32.Soundmix
++ Win32.VB.tr
+ Zlob.Downloader.bs (2)

Total: 575727 fingerprints in 137545 rules for 3893 products!

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

NOTE
I just experienced something unusual and I suspect a lot more Spybot S&D users may have this happen also. I normally operate as a Power User, in Windows XP Professional. I switch to my administrator level account to upgrade programs like Spybot S&D and apply system-wide immunization, which cannot be as easily done from a Limited User account. After installing the available updates for March 26, 2008, I ran Spybot and let it remove some cookies it found. After that, having defragged and run Windows Update from the Admin account, I logged off that account and into what I thought was my regular account. When I got there most of my desktop icons were missing, the custom settings were gone and things were not right in "Who-ville." I quickly thought about what might cause this and instinctively I restarted the computer. After logging in at the Welcome screen all of my icons and settings were restored. Whew! If this happens to you, it is caused by the new anti-rootkit plug-ins, as I have since learned. After you update the Spybot S&D program in an Administrator level account, reboot before logging in to a lesser privileged account. This way you won't lose any personalized settings. I hope they fix this soon!

I just found this information posted by a member of Team Spybot, on the official Forum, regarding multiple account computers having profile corruption issues:

That's a problem when you run the update while Spybot-S&D is open. To avoid this completely, just run the updater from the start menu while Spybot-S&D is closed. But as I wrote, a restart will allow login again. 1.5.3 will have it fixed as well.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see at all. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool; MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

My analysis of this week's spam shows that male enhancement pills, Viagra and other pharmaceuticals occupy the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes and Google redirect exploits to fake "video codecs" (e.g: the Zlob Trojan and other Trojan Horse executables) following closely behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days comes from zombie computers, used as spam relays, in various Botnets.

As was the case before, the category "Other Filters" has the largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some good old Nigerian 419 lottery and financial fraud scams. The spam main categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 34% for the week ending April 20, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 14 through 20, 2008.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case. I also apply the same filter rules to my email server, on my website, thus eliminating a sizable percentage of spam without making MailWasher do the work. Those rules are listed below the equivalent MailWasher filters.

My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:

MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message

MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: —
Discard message

MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message

MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message

MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message

MailWasher Blacklist code: +@bestdebtrepair.net
Regular Expression for mail server filter use: .+@bestdebtrepair\.net
Discard message

NEW MailWasher Blacklist code (3/27/08): +@freenet.de
Regular Expression for mail server filter use: .+@freenet\.de
Discard message

Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:

[enabled],XdomainY@domain.tld,BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"

Learn more about MailWasher Pro, or Get MailWasher Pro here

Details
After immunizing Firefox, with the updates from 17/4/08, upon attempting to open SpywareBlaster this error message popped up:

Error: Access violation at 0x005F71FC (tried to read from 0x04F3032C), Program termminated

Some users performed an immunization "Undo" on the Firefox protection only and it worked,
just using SpywareBlaster to immunize Firefox. Normally, these programs get along quite well, but this time there was a glitch. I applaud Team Spybot for rushing out a sudden patch to correct this problem, as I also use SpywareBlaster and Firefox on some of my computers and was similarly affected.

For those who don't know the details about these programs, both Spybot Search and Destroy, by Patrick M. Kolla, and SpywareBlaster, by Javacool Software, are well known freeware security programs that have a feature they call "Immunization," which is a proactive form of protection against known hostile ActiveX controls, dangerous domains, browser hijackers and even advertiser's cookies, placed by websites you visit. By "Immunizing" after updating you protect against exploits from the controls, files, websites and other items in the definitions. If these unwanted items are on your computer already they get nullified by the immunization. Otherwise, once immunized, these applications cannot install themselves unless you knowingly override your already applied protection. This is done by unchecking a particular immunization rule, or by undoing all immunizations, en-masse.

Both programs require users to perform manual checking for updates, although SpywareBlaster does offer automatic updates for a small fee. Spybot S & D is always updated on Wednesdays and users must run a manual check for updates. I usually do this on Wednesday evenings, or on Thursday afternoon, just in case a faulty definition was released then patched, like just happened here. SpywareBlaster's latest definitions were released on 4/6/2008, so their update schedule is less regular than Spybot's.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on April 16, 2008:

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax (2 variants)

Malware Includes fake anti-virus and anti-spyware programs
++ AntiSpywareDeluxe
++ AntiSpywareShield
+ Awola.Anti-Spyware
+ FakeAlert.cc
+ Smitfraud-C.gp
+ VirusHeat
+ Win32.BHO.je (2)
++ Win32.Agent.bk (2)
++ Win32.Agent.xg (2)

PUPS Possibly Un(popular|wanted) Software
++ 24kt.Gold.Casino.PT
++ 32Vegas.PT
++ 50.Stars.Casino.PT
++ African.Palace.Casino.PT
++ Bakara.Casino.PT
++ Cameo.Casino.PT
++ Carnival.Casino.PT
++ Casino.Bellini.PT
++ Casino.Del.Rio.PT
++ Casino.Las.Vegas.PT
++ Casino.Tropez.PT
++ Casino365.PT
++ CasinoKing.PT
+ CasinoRoyal.PT (100)
++ City.Club.Casino.PT
++ Club.Dice.Casino.PT
++ Craps.com.PT
++ Diamond.Club.Casino.PT
++ Enter.Casino.PT
++ EuroGrand.Casino.PT
++ Europa.Casino.PT
++ Flamingo.Casino.PT
++ Golden.Palace.Casino.PT
++ Grand.Online.Casino.PT
++ Hotel.Casino.Network.PT
++ Indio.Casino.PT
++ Joyland.Casino.PT
++ Kiwi.Casino.PT
++ Magic.Box.Casino.PT
++ Mansion.Casino.PT
++ Mega.Sport.Casino.PT
++ New.York.Casino.PT
++ Playgate.Casino.PT
++ Prestige.Casino.PT
++ Royal.Dice.Casino.PT
++ SIA.Casino.PT
++ Sierra.Star.Casino.PT
++ Sky.Kings.Casino.PT
++ Slots.PT
++ Swiss.Casino.PT
++ USA.Casino.PT
++ Vegas.Red.Casino.PT

Security
+ Microsoft.Windows.AppFirewallBypass
+ Microsoft.Windows.RedirectedHosts

Trojans Includes 4 new or updated Zlob* Trojan detections
+ Hupigon
+ Smitfraud-C.MSVPS
++ Win32.Agent.frl (2)
++ Win32.Banbra.anp
+ Win32.BHO.acw
+ Win32.Bifrose.aci
+ Win32.Delf.zq
++ Win32.Qhost.ake
++ Win32.Shark.if
++ Win32.Small.tnt
++ Win32.Small.vy
++ Win32.VB.bmr
+ Win32.Zhelatin.ah (Storm Trojan)
+ Zlob.DNSChanger
+ Zlob.Downloader.vdt
+ Zlob.VideoAccess
++ Zlob.Downloader.vet

Total: 573372 fingerprints in 136752 rules for 3857 products!

False positive detections fixed this week:
http://www.accessorygeeks.com and .accessorygeeks.com is a false positive, blocked by the HOSTS file additions made when you immunize with the HOSTS file option selected. This has been removed in the current updates for the HOSTS file.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

NOTE
I just experienced something unusual and I suspect a lot more Spybot S&D users may have this happen also. I normally operate as a Power User, in Windows XP Professional. I switch to my administrator level account to upgrade programs like Spybot S&D and apply system-wide immunization, which cannot be as easily done from a Limited User account. After installing the available updates for March 26, 2008, I ran Spybot and let it remove some cookies it found. After that, having defragged and run Windows Update from the Admin account, I logged off that account and into what I thought was my regular account. When I got there most of my desktop icons were missing, the custom settings were gone and things were not right in "Who-ville." I quickly thought about what might cause this and instinctively I restarted the computer. After logging in at the Welcome screen all of my icons and settings were restored. Whew! If this happens to you, it is caused by the new anti-rootkit plug-ins, as I have since learned. After you update the Spybot S&D program in an Administrator level account, reboot before logging in to a lesser privileged account. This way you won't lose any personalized settings. I hope they fix this soon!

I just found this information posted by a member of Team Spybot, on the official Forum, regarding multiple account computers having profile corruption issues:

That's a problem when you run the update while Spybot-S&D is open. To avoid this completely, just run the updater from the start menu while Spybot-S&D is closed. But as I wrote, a restart will allow login again. 1.5.3 will have it fixed as well.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.

On to the spam analysis at hand!

My analysis of this week's spam shows that male enhancement pills and other pharmaceuticals have reclaimed the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes and Google redirect exploits to fake "video codecs" (e.g: the Zlob Trojan and other Trojan Horse executables) following closely behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days comes from zombie computers, used as spam relays, in various Botnets.

As was the case before, the category "Other Filters" has the largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some good old Nigerian 419 lottery and financial fraud scams. The spam main categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 34% for the week ending April 13, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 7 through 13, 2008.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).

I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case. I also apply the same filter rules to my email server, on my website, thus eliminating a sizable percentage of spam without making MailWasher do the work. Those rules are listed below the equivalent MailWasher filters.

My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:

MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message

MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: —
Discard message

MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message

MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message

MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message

MailWasher Blacklist code: +@bestdebtrepair.net
Regular Expression for mail server filter use: .+@bestdebtrepair\.net
Discard message

NEW MailWasher Blacklist code (3/27/08): +@freenet.de
Regular Expression for mail server filter use: .+@freenet\.de
Discard message

Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:

[enabled],XdomainY@domain.tld,BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"

Learn more about MailWasher Pro, or Get MailWasher Pro here

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on April 9, 2008:

+ CnsMin
+ CoolWWWSearch.OleHelp

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax
+ FreeKeylogger
+ Perfect Keylogger

Malware Includes fake anti-virus and anti-spyware programs
++ AntiSpyKit
+ AntiVerminsPro
+ FakeAlert.cc
++ Fake.PC-Antispyware
++ PCCleaner
++ PlatinumPartner
+ Smitfraud-C.
++ Win32.Agent.pn
+ Win32.BHO.je
++ Win32.Krotten.ex
+ Win32.Renos
++ Win32.VB.bpv

Trojans Includes 67 new or updated Zlob* Trojan detections!
+ BackOrifice2k
+ Hupigon
++ Hupigon.dsx
+ Smitfraud-C.MSVPS
++ Win32.Agent.agx
++ Win32.Agent.AQ
++ Win32.Agent.bno
++ Win32.IRCBot.auf
++ Win32.Poison.pg
++ Win32.VB.aqt
++ Win32.Webmoner.co
+ Zlob.AdultAccess
+ Zlob.BrainCodec
+ Zlob.DigiPassword
+ Zlob.DirectVideo
+ Zlob.DNSChanger.rtk
+ Zlob.Downloader.bs
++ Zlob.Downloader.idt
+ Zlob.Downloader.mld
+ Zlob.Downloader.se
+ Zlob.Downloader.sg
+ Zlob.Downloader.vdt
++ Zlob.Downloader.vot
+ Zlob.EliteCodec
+ Zlob.FreeVideo.DVDCodec
+ Zlob.GoldCodec
+ Zlob.HomepageMonitor
+ Zlob.HQCodec
+ Zlob.HQvideo
+ Zlob.iCodecPack
+ Zlob.ImageActiveXAccess
+ Zlob.ImageActiveXObject
+ Zlob.ImageAXObject
+ Zlob.iMediaCodec
+ Zlob.IVideoCodec
+ Zlob.JPEG-Encoder
+ Zlob.KeyCodec
+ Zlob.KeyGenerator
+ Zlob.Mediacodec
+ Zlob.MMediaCodec
+ Zlob.MovieBox
+ Zlob.MovieCommander
+ Zlob.MPVideoCodec
+ Zlob.MyPassGenerator
+ Zlob.NewMediaCodec
+ Zlob.PerfectCodec
+ Zlob.PornMagPass
+ Zlob.PornPassManager
+ Zlob.PowerCodec
+ Zlob.PPlayer
+ Zlob.PrivateVideo
+ Zlob.QualityCodec
+ Zlob.SilverCodec
+ Zlob.SiteEntry
+ Zlob.SiteTicket
+ Zlob.SoftCodec
+ Zlob.strCodec
+ Zlob.SuperCodec
+ Zlob.TrueCodec
+ Zlob.VAXCodec
+ Zlob.Vcodec
+ Zlob.VidCodec
+ Zlob.VideoAccess
+ Zlob.VideoAccessActiveXObject
+ Zlob.VideoActiveXAccess
+ Zlob.VideoActiveXObject
+ Zlob.VideoAXObject
+ Zlob.VideoBox
+ Zlob.VideoCodec2007
+ Zlob.VideoCompressionCodec
+ Zlob.VideoKeyCodec
+ Zlob.VideoPlugin
+ Zlob.WinMediaCodec
+ Zlob.XpassGenerator
+ Zlob.XPasswordManager
+ Zlob.ZCodec
+ Zlob.ZipCodec

Total: 578031 fingerprints in 129018 rules for 3855 products!

False positive detections fixed this week:
http://www.accessorygeeks.com and .accessorygeeks.com is a false positive, blocked by the HOSTS file additions made when you immunize with the HOSTS file option selected. This will be removed in the next update cycle, or you can manually edit your HOSTS file and remove this domain from being redirected to 127.0.0.1 (your local machine IP).

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

NOTE
I just experienced something unusual and I suspect a lot more Spybot S&D users may have this happen also. I normally operate as a Power User, in Windows XP Professional. I switch to my administrator level account to upgrade programs like Spybot S&D and apply system-wide immunization, which cannot be as easily done from a Limited User account. After installing the available updates for March 26, 2008, I ran Spybot and let it remove some cookies it found. After that, having defragged and run Windows Update from the Admin account, I logged off that account and into what I thought was my regular account. When I got there most of my desktop icons were missing, the custom settings were gone and things were not right in "Who-ville." I quickly thought about what might cause this and instinctively I restarted the computer. After logging in at the Welcome screen all of my icons and settings were restored. Whew! If this happens to you, it is caused by the new anti-rootkit plug-ins, as I have since learned. After you update the Spybot S&D program in an Administrator level account, reboot before logging in to a lesser privileged account. This way you won't lose any personalized settings. I hope they fix this soon!

I just found this information posted by a member of Team Spybot, on the official Forum, regarding multiple account computers having profile corruption issues:

That's a problem when you run the update while Spybot-S&D is open. To avoid this completely, just run the updater from the start menu while Spybot-S&D is closed. But as I wrote, a restart will allow login again. 1.5.3 will have it fixed as well.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this catagory

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on it's icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since it's inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as an individuals who benefits from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.