
July 1, 2009

Spybot Search and Destroy Definitions Updated on July 1, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on July 1, 2009, as listed below. Some new and altered fake security programs were added to the detections, plus several new Trojans, rootkits and modified spam bots.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Continue reading "Spybot Search and Destroy Definitions Updated on July 1, 2009" »

June 25, 2009

Spybot Search and Destroy Definitions Updated on June 24, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on June 24, 2009, as listed below. Lots of new and altered fake security programs were added to the detections, plus several new Virtumonde Trojans and new or modified spam bots.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Continue reading "Spybot Search and Destroy Definitions Updated on June 24, 2009" »

June 17, 2009

Spybot Search and Destroy Definitions Updated on June 17, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on June 17, 2009, as listed below. Some new fake security programs, new Virtumonde Trojans and new or modified bots and rootkits were added to the latest definitions.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Continue reading "Spybot Search and Destroy Definitions Updated on June 17, 2009" »

June 10, 2009

Spybot Search and Destroy Definitions Updated on June 10, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on June 10, 2009, as listed below. Some fake security programs, new Virtumonde Trojans and new or modified rootkits were added to the latest definitions.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Continue reading "Spybot Search and Destroy Definitions Updated on June 10, 2009" »

June 3, 2009

Spybot Search and Destroy Definitions Updated on June 3, 2009

If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on June 3, 2009, as listed below. Some fake security programs, Botnet executables and rootkits were added to the latest definitions.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my extended comments, along with the description of the latest definition updates and false positive fixes.

Continue reading "Spybot Search and Destroy Definitions Updated on June 3, 2009" »

May 27, 2009

Spybot Search and Destroy Definitions Updated on May 27, 2009

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on May 27, 2009, as listed below. Some fake security programs and rootkits were added to the latest definitions.

Updating Spybot Search and Destroy

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my extended comments, along with the description of the latest definition updates and false positive fixes.

Continue reading "Spybot Search and Destroy Definitions Updated on May 27, 2009" »

May 20, 2009

Spybot Search and Destroy Definitions Updated on May 20, 2009

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on May 20, 2009, as listed below. A slew of fake security programs and rootkits were added to the latest definitions.

Updating Spybot Search and Destroy

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my extended comments, along with the description of the latest definition updates and false positive fixes.

Continue reading "Spybot Search and Destroy Definitions Updated on May 20, 2009" »

May 13, 2009

Spybot Search and Destroy Definitions Updated on May 13, 2009

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on May 13, 2009, as listed below. A slew of fake security programs and rootkits were added to the latest definitions.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

Download links and more instructions about using Spybot Search and Destroy are in my extended comments, along with the description of the latest definition updates and false positive fixes.

Continue reading "Spybot Search and Destroy Definitions Updated on May 13, 2009" »

May 9, 2009

Spybot Search and Destroy Definitions Updated on May 6, 2009

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on May 6, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, Hosts, or Domains as you see fit, then click the Immunize button with the green cross above the right panel. Sometimes Spybot immunizes against cookies and domains that you may actually want to visit. If you suddenly find you cannot log in, or cookies are missing, you can undo the most recent Immunizations, then uncheck the desired items and re-immunize. Websites added to your Windows HOSTS file during immunization will be blocked completely, for every program on the PC and not just the browser, so you may need to edit that file in Notepad (run as an administrator on Windows Vista and later), saving as HOSTS without any extension, or uncheck Hosts in the immunization list if your preferred websites are blocked by Spybot S&D.

Download links and more instructions about using Spybot Search and Destroy are in my extended comments, along with the description of the latest definition updates and false positive fixes.

Continue reading "Spybot Search and Destroy Definitions Updated on May 6, 2009" »

April 24, 2009

Spybot Search and Destroy Definitions Updated on 4/22/09

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. This week's updates were released on schedule on April 22, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, Hosts, or Domains as you see fit, then click the Immunize button with the green cross above the right panel. Sometimes Spybot immunizes against cookies and domains that you may actually want to visit. If you suddenly find you cannot log in, or cookies are missing, you can undo the most recent Immunizations, then uncheck the desired items and re-immunize. Websites added to your Windows HOSTS file during immunization will be blocked completely, for every program on the PC and not just the browser, so you may need to edit that file in Notepad (run as an administrator on Windows Vista and later), saving as HOSTS without any extension, or uncheck Hosts in the immunization list if your preferred websites are blocked by Spybot S&D.

After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side. It will take several minutes or longer to scan all your files for known threats, and for possible threats using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes, anything matching the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, then right-click the item name and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to effectively remove them.

Also, the TeaTimer module was recently updated to version 1.6.6. If you use the Spybot TeaTimer you may want to install this update (as an administrator). Or maybe not! See the notes below concerning false positives in TeaTimer.

Additions made on April 22, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ CMVideo
+ Fraud.PCHealth
+ Win32.Alman.a


Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Bifrost.LA
+ Virtumonde.Dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.TDSS.bae
+ Win32.TDSS.cl
+ Win32.TDSS.dt
+ Win32.TDSS.rtk
+ Win32.ZBot
+ Zlob.DNSChanger
+ Zlob.Downloader
+ Zlob.Downloader.rid

Total: 1594677 fingerprints in 507675 rules for 4619 products.

False positive detections reported or fixed this week:

A false positive detection of Spambot.mib, in the KeePass plugin KeeForm, has been fixed with this week's updates.

A false positive detection of "Fraud Virus Doctor," by the updated TeaTimer module, has been reported by several people in various files and folders, all of which are confirmed false positives.

I recommend NOT installing the TeaTimer module at this time, unless you are an advanced user! There are just too many false positives since the updated version was released. If you are unsure about the validity of a TeaTimer pop-up alert regarding a process having been terminated, do not select the option to delete the file.

You should send feedback about TeaTimer false positives to Team Spybot, after registering with the Safer-Networking forum.

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without giving you the option to refuse, simply reinstall Spybot afterward. But I recommend not activating the TeaTimer module in Spybot S&D alongside them, as this will cause a struggle over which program monitors the system for real-time changes.



Read my extended comments for more details about using Spybot S&D and for program development announcements.

Continue reading "Spybot Search and Destroy Definitions Updated on 4/22/09" »

April 15, 2009

Spybot Search and Destroy Definitions Updated on 4/15/09

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. This week's updates were released on schedule on April 15, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, Hosts, or Domains as you see fit, then click the Immunize button with the green cross above the right panel. Sometimes Spybot immunizes against cookies and domains that you may actually want to visit. If you suddenly find you cannot log in, or cookies are missing, you can undo the most recent Immunizations, then uncheck the desired items and re-immunize. Websites added to your Windows HOSTS file during immunization will be blocked completely, for every program on the PC and not just the browser, so you may need to edit that file in Notepad (run as an administrator on Windows Vista and later), saving as HOSTS without any extension, or uncheck Hosts in the immunization list if your preferred websites are blocked by Spybot S&D.
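The HOSTS-file caveat in the immunization paragraph comes up in each of these posts (May 6, April 22 and April 15). As an added example, not code from this blog or from Safer-Networking, here is a small Python helper that reads a hosts file the way the Windows resolver does (address, then one or more names, then an optional # comment), lists which names are being black-holed, and removes only the entries you want back while leaving every other line, including the banner comments, exactly as it was. The sample file contents, the placeholder domains and the banner text are constructed for the example and are not real Spybot definitions.

```python
"""Inspect and selectively undo HOSTS-file immunization entries.

Immunization blocks a site by mapping its name to a loopback or
unspecified address, so the resolver never reaches the real server.
This helper parses such a file, reports what is black-holed, and
removes only the names you want back.  Added example; not Spybot code.
"""
from typing import Dict, Iterable, List

# Addresses that make a hostname unreachable (IPv4 only, for simplicity).
_BLACKHOLE = {"127.0.0.1", "0.0.0.0"}
# Names that legitimately point at loopback and must never be reported.
_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: the layout of an immunized hosts file, with
# placeholder domains and an illustrative banner (not real definitions).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 ads.example.net
127.0.0.1 tracker.example.org  # added 2009-04-22
127.0.0.1 rogue-av.example.com cams.example.com
# End of entries inserted by Spybot - Search & Destroy
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname (lower-cased) to every address it is given.

    A hosts line is ``<address> <name> [<name> ...] [# comment]``.
    Blank and comment-only lines carry no mappings.
    """
    mappings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop any trailing comment
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            mappings.setdefault(name.lower(), []).append(fields[0])
    return mappings


def blocked_domains(text: str) -> List[str]:
    """Return, sorted, the hostnames the file sends to a black-hole address."""
    return sorted(
        name
        for name, addrs in parse_hosts(text).items()
        if name not in _LOOPBACK_NAMES and any(a in _BLACKHOLE for a in addrs)
    )


def unblock(text: str, domains: Iterable[str]) -> str:
    """Drop black-hole mappings for ``domains``; keep every other line verbatim.

    A line listing several names keeps the ones not being unblocked; a line
    left with no names is removed.  Comments and all other lines are untouched.
    """
    wanted = {d.lower() for d in domains}
    out: List[str] = []
    for raw in text.splitlines():
        code, hash_, comment = raw.partition("#")
        fields = code.split()
        if len(fields) >= 2 and fields[0] in _BLACKHOLE:
            keep = [n for n in fields[1:] if n.lower() not in wanted]
            if not keep:
                continue                          # whole line was for unblocked names
            if len(keep) != len(fields) - 1:      # partial line: rebuild it
                raw = " ".join([fields[0], *keep])
                if hash_:
                    raw += "  #" + comment
        out.append(raw)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    print("blocked:", blocked_domains(SAMPLE_HOSTS))
    print(unblock(SAMPLE_HOSTS, ["cams.example.com"]))
```

On a real PC the file is %SystemRoot%\System32\drivers\etc\hosts; read it, pass the text to `unblock`, and write the result back from a script or editor running as an administrator, saved as "hosts" with no extension. Re-running Immunize with Hosts checked will put the entries straight back, so uncheck that category, as the post suggests, if you want the change to stick.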

After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side. It will take several minutes or longer to scan all your files for known threats, and for possible threats using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes, anything matching the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, then right-click the item name and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to effectively remove them.

Also, the TeaTimer module was recently updated to version 1.6.6. If you use the Spybot TeaTimer you may want to install this update (as an administrator). Or maybe not! See the notes below concerning false positives in TeaTimer.

Additions made on April 15, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.MalwareDefender2009
+ Fraud.PrivacyCenter
+ Fraud.SpywareRemover2009
+ Fraud.SystemGuard2009
+ Fraud.VirusDoctor
+ Win32.Agent.lta
+ Win32.Buzus.amit


Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.atr
+ Virtumonde.Dll
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.bhi
+ Win32.Agent.boym
+ Win32.Agent.yjl
+ Win32.Dialer.bkm
+ Win32.Parsi.z
+ Win32.PcClient.afun
+ Win32.TDSS.dt
+ Win32.TDSS.gen
+ Win32.TDSS.pe
+ Win32.TDSS.rtk
+ Win32.TDSS.vot
+ Win32.ZBot
+ Zlob.Downloader

Total: 1588012 fingerprints in 505617 rules for 4614 products.

False positive detections reported or fixed this week:

Last week's updates included both Immunization and HOSTS file entries that blocked AdultFriendFinder.com and Cams.com. Both additions were made in error and will be corrected with an upcoming update.

A confirmed false positive detection of Virtumonde.sdn, in the file C:\WINDOWS\system32\toyhide.bmp, was fixed today.

A false positive detection of "Fraud Virus Doctor," by the updated TeaTimer module, has been reported by several people in various files and folders, all of which are confirmed false positives.

I recommend NOT installing the TeaTimer module at this time! There are just too many false positives since the updated version was released. If you are unsure about the validity of a TeaTimer pop-up alert regarding a process having been terminated, do not select the option to delete the file.

You should send feedback about TeaTimer false positives to Team Spybot, after registering with the Safer-Networking forum.

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But I recommend not activating the TeaTimer module in Spybot S&D, as this will cause a struggle over which program monitors the system for real-time changes.



Read my extended comments for more details about using Spybot S&D and for program development announcements.


April 8, 2009

Spybot Search and Destroy Definitions Updated on 4/8/09

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. This week's updates were released on schedule on April 8, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, Hosts, or Domains, as you see fit, then click on the Immunize button above the right panel (the one with a green cross). After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side.

It will take several minutes or longer to scan all your files for known threats, and for possible threats using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes, anything listed in the definition databases will appear in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name, then right-click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to remove them effectively.

Also, the TeaTimer module was recently updated to version 1.6.6. If you use the Spybot TeaTimer you may want to install this update (as an administrator). (Or maybe not! See the notes below concerning false positives in TeaTimer.)

Additions made on April 8, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ DNSFlush.cws
+ Fraud.AntiSpywarePro
+ Fraud.AntivirusPlus
+ Fraud.SysCleanerPro
+ Fraud.SystemGuard2009
+ Fraud.SystemSecurity
+ Fraud.XPAntivirus
+ Goldun
+ Smitfraud-C.
+ Spambot.mib

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)

Spyware
+ Win32.Iksmas.ai

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.atr
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.pa
+ Win32.Bredolab.B
+ Win32.Buzus
+ Win32.KillAV-KQ
+ Win32.Rbot.fx
+ Win32.TDSS.pe
+ Win32.TDSS.qa
+ Win32.TDSS.rtk
+ Win32.ZBot
+ Zlob.VideoBox

Total: 1560284 fingerprints in 496663 rules for 4610 products

False positive detections reported or fixed this week:

Team Spybot has yet to respond to a reported possible false positive detection of "Royal.Dice.Casino.PT" in C:\Program Files\Java\jre6\bin\jqs.exe.

A false positive detection of "Fraud Virus Doctor," by the updated TeaTimer module, has been reported by several people in various files and folders, all of which are confirmed false positives.

A false positive detection of "PerfectKeylogger," in WD Drive Manager Setup, was confirmed and will be fixed.

There was a confirmed false positive detection of "Italian Frameless" in Microsoft Office OutlookConnector.exe. Disregard this alert and don't let it delete the file.

I recommend NOT installing the TeaTimer module at this time! There are just too many false positives since the updated version was released. If you are unsure about the validity of a TeaTimer pop-up alert regarding a process having been terminated, do not select the option to delete the file.

You should send feedback about TeaTimer false positives to Team Spybot, after registering with the Safer-Networking forum.

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But I recommend not activating the TeaTimer module in Spybot S&D, as this will cause a struggle over which program monitors the system for real-time changes.



Read my extended comments for more details about using Spybot S&D and for program development announcements.


April 2, 2009

Spybot Search and Destroy Definitions Updated on 4/1/09

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. This week's updates were released on schedule on April 1, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, Hosts, or Domains, as you see fit, then click on the Immunize button above the right panel (the one with a green cross). After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side.

It will take several minutes or longer to scan all your files for known threats, and for possible threats using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes, anything listed in the definition databases will appear in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name, then right-click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to remove them effectively.

Also today, the TeaTimer module was updated to version 1.6.6. If you use the Spybot TeaTimer you should install this update (as an administrator). (Or maybe not! See the notes below.)

Additions made on April 1, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ CMVideo
+ Fraud.Antivirus360
+ Fraud.AntivirusXP
+ Fraud.GeneralAntivirus
+ Fraud.PCHealth
+ Fraud.VirusDoctor
+ Fraud.XPAntivirus
+ WMVideoPlugin
+ Win32.Delf.oc

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ WindowsPerformance

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.atr
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Tofsee.f
+ Win32.ZBot
+ Zlob.Downloader

Total: 1537030 fingerprints in 488763 rules for 4592 products.

False positive detections reported or fixed this week:

Team Spybot has yet to respond to a reported possible false positive detection of "Royal.Dice.Casino.PT" in C:\Program Files\Java\jre6\bin\jqs.exe.

A false positive detection of "Fraud Virus Doctor" - in c:\hp\kbd\kbd.exe - was confirmed in TeaTimer.

TeaTimer again! A false positive was confirmed for KeePass's plugin KeeForm, labeled as Spambot.mib by TeaTimer.

Again, TeaTimer: A false positive was confirmed and fixed for mIRC 6.0.3 reported as IRC.Zapchast.

Another false positive detection by TeaTimer: TSCash in C:\Garmin\Spanner.exe. Fixed with today's updates.

Here's another one: A false positive was reported of "PerfectKeylogger" in C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe.

I recommend NOT installing the TeaTimer module at this time!

There was a confirmed false positive detection of "Italian Frameless" in Microsoft Office OutlookConnector.exe. It is being investigated but cannot be reproduced by Team Spybot.

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But I recommend not activating the TeaTimer module in Spybot S&D, as this will cause a struggle over which program monitors the system for real-time changes.



Read my extended comments for more details about using Spybot S&D and for program development announcements.


March 26, 2009

Spybot Search and Destroy Definitions Updated on 3/25/09

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. This week's updates were released on schedule on March 25, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, Hosts, or Domains, as you see fit, then click on the Immunize button above the right panel (the one with a green cross). After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side.

It will take several minutes or longer to scan all your files for known threats, and for possible threats using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes, anything listed in the definition databases will appear in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name, then right-click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to remove them effectively.

Also today, the Tea Timer module was updated to version 1.6.6. If you use the Spybot Tea Timer you should install this update (as an administrator).

Additions made on March 25, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ CMVideo
+ Fraud.Downloader.gen
+ Fraud.MalwareDefender2009
+ Fraud.SystemGuard2009
+ Fraud.TotalAntispyware
+ Spambot.mib

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ GameVance

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Fraud.VirusRemover2009
+ SpambotLoad.cn (Botnet)
+ Virtumonde.sci
+ Virtumonde.sdn
+ Waledac.cn (Botnet)
+ Win32.Koutodoor.aik
+ Win32.Poison.pg
+ Win32.Small.ajbq
+ Win32.Small.NCA
+ Win32.TDSS.rtk (Rootkit)
+ Win32.Virut.bg

Total: 1525689 fingerprints in 484951 rules for 4580 products.

False positive detections reported or fixed this week:

A false positive detection was reported in Tea Timer, of Ardamax, in the Windows System file Cleanmgr.exe. It is being investigated.

There was a confirmed false positive detection of "Italian Frameless" in Microsoft Office OutlookConnector.exe. It is being investigated.

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But I recommend not activating the Tea Timer module in Spybot S&D, as this will cause a struggle over which program monitors the system for real-time changes.



Read my extended comments for more details about using Spybot S&D and for program development announcements.


March 18, 2009

Spybot Search and Destroy Definitions Updated on 3/18/09

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. This week's updates were released on schedule on March 18, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, Hosts, or Domains, as you see fit, then click on the Immunize button above the right panel (the one with a green cross). After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side.

It will take several minutes or longer to scan all your files for known threats, and for possible threats using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes, anything listed in the definition databases will appear in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name, then right-click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to remove them effectively.

Also today, the Tea Timer module was updated to version 1.6.6. If you use the Spybot Tea Timer you should install this update (as an administrator).

Additions made on March 18, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.Antivirus2008
+ Fraud.Sysguard
+ Fraud.SystemGuard2009
+ Fraud.SystemSecurity
+ Win32.WiniGuard


Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Banload
+ Fraud.AntiSpyware2008XP
+ Fraud.XPShield
+ Virtumonde.atr
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.bm
+ Win32.CPEX.f
+ Win32.Delf.acv
+ Win32.Gobot.y (Botnet)
+ Win32.TDSS.rtk (rootkit)
+ Win32.ZBot (Botnet)

Total: 1478612 fingerprints in 468339 rules for 4570 products.

False positive detections reported or fixed this week:

A false positive detection of Cydoor and Virtumonde has been reported in the updated (1.6.6) Tea Timer module, for the recently updated Adobe Reader 9.1 installer for Adobe Air. The actual file wrongly flagged is Airshareinstaller.exe. It is still being investigated to find out why this happened.

There was a confirmed false positive detection of "MalwareC" in a ComboFix file named swxcacls.exe. ComboFix is a specialized tool used in malware removal forums. It removes malware. This has been fixed with today's F/P updates.

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But I recommend not activating the Tea Timer module in Spybot S&D, as this will cause a struggle over which program monitors the system for real-time changes.



Read my extended comments for more details about using Spybot S&D and for program development announcements.


March 11, 2009

Spybot Search and Destroy Definitions Updated on 3/11/09

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. Today's updates were released on schedule on March 11, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, Hosts, or Domains, as you see fit, then click on the Immunize button above the right panel (the one with a green cross). After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side.

It will take several minutes or longer to scan all your files for known threats, and for possible threats using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes, anything listed in the definition databases will appear in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name, then right-click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to remove them effectively.

Also today, the Tea Timer module was updated to version 1.6.6. If you use the Spybot Tea Timer you should install this update (as an administrator).

Additions made on March 11, 2009:

Adware
+ eZula HotText

Keyloggers
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ CMVideo
+ Fraud.Antivirus2010
+ Fraud.MSAntispyware2009
+ Fraud.SpywareGuard2008
+ Fraud.SystemGuard2009
+ MalwareRemovalBot
+ TotalVirusProtection
+ Vrl32software
+ Win32.Autoit.D
+ WinSpywareProtect
+ XPPoliceAntivirus


Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Bredolab.B
+ Win32.Brontok.q
+ Win32.Lost.jau
+ Win32.Mudrop.kt
+ Win32.TDSS.bae
+ Win32.TDSS.rtk (TDSS is a Rootkit)
+ Win32.VB.cb

Total: 1453845 fingerprints in 460163 rules for 4584 products.

False positive detections reported or fixed this week:

Confirmed false positive detection of Mizuphone, classed as a casino dialer. This was fixed with today's updates.

A confirmed wrong detection of Virtumonde in C:\windows\system32\zipfdr.dll is due to users having older versions of Spybot S&D. Please upgrade to the current version, 1.6.2, download the newest definitions and F/P updates, then scan your system. These false positives should be gone (unless you really are infected!).

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But I recommend not activating the Tea Timer module in Spybot S&D, as this will cause a struggle over which program monitors the system for real-time changes.



Read my extended comments for more details about using Spybot S&D and for program development announcements.


March 4, 2009

Spybot Search and Destroy Definitions Updated on 3/4/09

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. Today's updates were released on schedule on March 4, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, Hosts, or Domains, as you see fit, then click on the Immunize button above the right panel (the one with a green cross). After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side.

It will take several minutes or longer to scan all your files for known threats, and for possible threats using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes, anything listed in the definition databases will appear in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name, then right-click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to remove them effectively.

Additions made on March 4, 2009:

Hijackers
+ Hyperlinker

Keyloggers
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.SystemAntivirus
+ RegistryFox
+ Win32.Agent.pn
+ Win32.Beloy.a

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ QuadRegistryCleaner

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Bagle.dlj
+ Virtumonde.atr
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.fox
+ Win32.Agent.lpb
+ Win32.Agent.mds
+ Win32.Agent.sd
+ Win32.Banload.aoo
+ Win32.Brontok.q
+ Win32.IRCBot.bkr
+ Win32.TDSS.bae (TDSS is a nasty rootkit!)
+ Win32.TDSS.clt
+ Win32.TDSS.dy
+ Win32.TDSS.mlt
+ Win32.TDSS.rtk
+ Win32.TDSS.tit
+ Win32.TDSS.vot
+ Win32.VB.fnk

Total: 1438055 fingerprints in 454664 rules for 4587 products.

False positive detections reported or fixed this week:

A confirmed false positive detection of "Win32.Agent.wls", reported as hiding in the registry under PGP encryption software's keys, was fixed with today's updates.

A confirmed wrong detection of Virtumonde in C:\windows\system32\zipfdr.dll is due to users running older versions of Spybot S&D. Please upgrade to the current version, 1.6.2, download the newest definitions and F/P updates, then scan your system. These false positives should be gone (unless you really are infected!).

Oh boy! Here we go; get on your hard hats!

Spybot S&D is now flagging installations of McAfee and Trend Micro security software as "PUPs" (Potentially Unwanted Programs); see this forum thread. This was done in retaliation against those companies for requiring their customers to uninstall Spybot while installing their products. Team Spybot has tested its program with both of these security suites, and others, and finds no evidence of any incompatibilities or conflicts between them.

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without giving you the option to refuse, simply reinstall Spybot afterward. But, I recommend not activating the Tea Timer module in Spybot S&D, as this will cause a struggle over which program monitors the system for real-time changes.

Read my extended comments for more details about using Spybot S&D and for program development announcements.

February 25, 2009

Spybot Search and Destroy Definitions Updated on 2/25/2009

Hey, you! If you use Spybot Search and Destroy to protect your computer against spyware, it is time to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. Today's updates were released on schedule and are listed below.

Additions made on February 25, 2009:

Keyloggers
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.MSAntispyware2009
+ Win32.TDSS.cls
+ Win32.TDSS.rtk

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ MyRegistryCleaner
+ OriginalSolitaire

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ BraveSentry
+ InternetAntivirusPro
+ Virtumonde.atr
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.ark
+ Win32.Agent.fbx
+ Win32.Agent.sd
+ Win32.Anel
+ Win32.Delf.axb
+ Win32.TDSS.alt
+ Win32.TDSS.clt
+ Win32.TDSS.eit
+ Win32.TDSS.flt
+ Win32.TDSS.rtk
+ Win32.TDSS.vlt
+ Win32.VB.qq

Total: 1406313 fingerprints in 444173 rules for 4561 products.

False positive detections reported or fixed this week:

Confirmed false positive detection of "Brontok.Ab" in a user's desktop ini file. This was fixed with today's updates.

A confirmed wrong detection of Virtumonde in C:\windows\system32\zipfdr.dll is due to users running older versions of Spybot S&D. Please upgrade to the current version, 1.6.2, download the newest definitions and F/P updates, then scan your system. These false positives should be gone (unless you really are infected!).

Oh boy! Here we go; get on your hard hats!

Spybot S&D is now flagging installations of McAfee and Trend Micro security software as "PUPs" (Potentially Unwanted Programs); see this forum thread. This was done in retaliation against those companies for requiring their customers to uninstall Spybot while installing their products. Team Spybot has tested its program with both of these security suites, and others, and finds no evidence of any incompatibilities or conflicts between them.

If you have purchased McAfee or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without giving you the option to refuse, simply reinstall Spybot afterward. But, I recommend not activating the Tea Timer module in Spybot S&D, as this will cause a struggle over which program monitors the system for real-time changes.

February 18, 2009

Spybot Search and Destroy Definitions Updated on 2/18/2009

Additions made on February 18, 2009:

Keyloggers
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ Smitfraud-C.
+ Win32.Bomka.r
+ Win32.Constructor.DOS.Vkit
+ Win32.Flooder

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.fox
+ Win32.Agent.frl
+ Win32.Agent.ju
+ Win32.Asprox (Botnet)
+ Win32.TDSS.rtk
+ Win32.VB.qu
+ Zlob.Downloader.suo
+ Zlob.Downloader.vet
+ Zlob.Downloader.vot
+ Zlob.VideoCompressionCodec

Total: 1343105 fingerprints in 384000 rules for 4559 products.

False positive detections reported or fixed this week:

Nothing new to report at this time, except that after ongoing discussions, SpywareCease remains classified as malware by Spybot S&D. This may change in the future, but for now that program is treated as unwanted software.

February 11, 2009

Spybot Search and Destroy Definitions Updated on 2/11/2009

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays), it is imperative that you check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best-responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat, it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is left to user discretion). Programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand-new detection. A number in parentheses following a malware name indicates the number of variants included in that detection. These programs are dangerous to your computer and/or your personal security or privacy.
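The list format just described (group name on its own line, "+" for an updated detection, "++" for a brand-new one, "(N)" for the variant count) is easy to turn into structured records, which is handy if you keep the weekly lists and want to see which detections are being revised week after week. The following is an added example written for this post, not code from Safer-Networking or from this blog; the two sample lists inside it are constructed for the demo, using names that appear in the posts.

```python
"""Parse Spybot S&D weekly "Additions" lists into structured records.

Added example, not code from Safer-Networking or this blog. It implements
the list format the post describes: a group name on a line of its own
(optionally followed by an explanation in parentheses), then one entry per
line, where a single "+" marks an updated detection, "++" a brand-new one,
and a trailing "(N)" gives the number of variants folded into the entry.
The two sample lists below are constructed for the demo.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Matches "+ Name", "++ Name", "+ Name (3)" or "+ Name (Botnet)".
ENTRY_RE = re.compile(r"^(\+{1,2})\s+(.*?)(?:\s+\((.*?)\))?\s*$")


@dataclass(frozen=True)
class Detection:
    group: str      # e.g. "Trojans"
    name: str       # e.g. "Win32.TDSS.rtk"
    new: bool       # True for "++" entries, False for "+" entries
    variants: int   # 1 unless a "(N)" count follows the name
    note: str       # non-numeric parenthetical such as "Botnet", else ""


def parse_additions(text):
    """Return the Detection records in the order they appear in `text`."""
    group = None
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # A group header; keep only the name before its explanation.
            group = line.split("(", 1)[0].strip()
            continue
        if group is None:
            raise ValueError(f"entry before any group header: {line!r}")
        pluses, name, paren = m.groups()
        variants, note = 1, ""
        if paren is not None:
            if paren.isdigit():
                variants = int(paren)
            else:
                note = paren
        found.append(Detection(group, name, pluses == "++", variants, note))
    return found


def summarize(detections):
    """Map each group to a (new, updated) pair of entry counts."""
    new = Counter(d.group for d in detections if d.new)
    updated = Counter(d.group for d in detections if not d.new)
    return {g: (new[g], updated[g]) for g in sorted(set(new) | set(updated))}


def recurring(this_week, last_week):
    """Names present in both lists: detections still being revised week to week."""
    return sorted({d.name for d in this_week} & {d.name for d in last_week})


# Constructed sample lists in the post's format (names taken from the posts).
SAMPLE_THIS_WEEK = """
Malware (Includes rogue or fake anti-virus and anti-spyware programs)
+ AdDestination
++ Fraud.ISafeAntivirus
+ Win32.TDSS.rtk

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
++ HotTV

Trojans (Trojans come to you disguised as something useful.)
+ Virtumonde.sci (3)
+ Win32.Asprox (Botnet)
++ Win32.Agent.wls
"""

SAMPLE_LAST_WEEK = """
Malware (Includes rogue or fake anti-virus and anti-spyware programs)
+ Win32.TDSS.rtk

Trojans (Trojans come to you disguised as something useful.)
+ Virtumonde.sci
+ Zlob.Downloader.rut
"""

if __name__ == "__main__":
    this_week = parse_additions(SAMPLE_THIS_WEEK)
    for group, (n_new, n_upd) in summarize(this_week).items():
        print(f"{group}: {n_new} new, {n_upd} updated")
    last_week = parse_additions(SAMPLE_LAST_WEEK)
    print("still being revised:", recurring(this_week, last_week))
```

Pasting a week's "Additions" block into `SAMPLE_THIS_WEEK` is all it takes to get the per-group counts; `recurring()` is the interesting part for a defender, because a name that keeps reappearing with a single "+" (Win32.TDSS.rtk in the sample, as in the posts above) is a family whose variants are still being chased.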

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button; then, if the status line tells you that additional immunizations are possible, click on the Immunize link near the top of the program (the button with a green + sign). If you don't do this, the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button on the left panel, then on the button with the magnifying glass icon, labeled "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6.2 was just released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to remove them effectively.

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. A preview of Spybot 2.0 will also be available as soon as servers have adjusted to the additional 1.6.2 release load. Version updates are discussed in my extended comments.

Additions made on February 11, 2009:

Hijackers
+ MyPoints

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ RapidAntivirus
+ Smitfraud-C.
+ Win32.TDSS.rtk
+ WinSpywareProtect
+ XPPoliceAntivirus

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ Live-Player
+ MyWay.MyWebSearch

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ KillAV
+ Speedrunner
+ Virtumonde
+ Virtumonde.sci
+ Virtumonde.sdn
+ Webshow
+ Win32.Agent.aiae
+ Win32.Agent.bakf
+ Win32.Agent.fbx
+ Win32.Bagle.av
+ Win32.Clicker.vp
+ Win32.Rbot.fx
+ Win32.Renos.ik
+ Zlob.Downloader.miu
+ Zlob.Downloader.ned
+ Zlob.Downloader.pit

Total: 1332704 fingerprints in 381260 rules for 4550 products.

The domain "Spywareinfo.com" was recently added to the HOSTS file updates (for redirection to 127.0.0.1) because the domain name expired and was purchased by spammers or malware distributors in December 2008. It now advertises a fake Spybot Search & Destroy, fake security scans and various malware downloads. The new Spywareinfo malware removal forum is located at: http://www.spywareinfoforum.com/

Note for Firefox users who saved links to the old spywareinfo website:
It has recently (Feb/09) been reported that in some versions of Spybot S&D, on some operating systems, if you have a bookmark to the old spywareinfo website, now owned by purveyors of fake anti-spyware products and scanners, "fixing" it will erase your entire Bookmarks.html file. This is being looked into right now and hopefully will be fixed soon. In the meantime, if you use Firefox as your browser (which stores favorite places as "Bookmarks") and after running a scan Spybot lists an infected bookmark with Spywareinfo as the culprit, uncheck that entry before fixing any other problems. You can manually edit your Firefox Bookmarks to remove the link to that website, or to any similar compromised website.

In case you have noticed a slowdown in the scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July 2008. Older versions of Spybot are no longer being updated and cannot deal with many of the new malware definitions and removal routines.

False positive detections reported or fixed this week:

A confirmed false positive was reported and fixed this week regarding the blocked domain myvnc.com. It was removed from the Restricted Sites Zone on Feb 11, 2009, in the optional "F/P" update.

A HOSTS file DNS block on the domain redtube.com was removed on September 17, 2008, but some users have not re-immunized their Spybot databases and that website is still blocked for them. Update your definitions, including new "immunizations," then use the "Immunize" button to apply the changes. Immunizing both adds and removes entries as new threats are discovered or old threats are resolved (bad sites sometimes turn into good sites, or remove questionable downloads or links to malware).
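The point above is easy to verify on a machine: the HOSTS file immunization is just a set of hostname-to-127.0.0.1 mappings, so a file that has not been re-immunized keeps blocks that were lifted upstream. The following is an added example written for this post, not code from Safer-Networking or from this blog: it parses a HOSTS file, lists the sinkholed names, and compares them with a stand-in for the current block list to find stale entries. The HOSTS text and the block list are constructed for the demo (the domains are the ones discussed in the posts), and the block-marker comment lines are invented, not Spybot's own.

```python
"""Audit the HOSTS-file side of Spybot S&D immunization.

Added example, not code from Safer-Networking or this blog. Immunization
writes sinkhole entries (hostname -> 127.0.0.1) into the HOSTS file and,
as the post notes, also removes entries when a block is lifted upstream.
A machine that is never re-immunized keeps the stale entries. The helpers
below parse a HOSTS file, list the sinkholed names, and compare them with
the current block list to find stale ones. The HOSTS text and the current
block list are constructed for the demo; the domains come from the posts.
"""
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# Loopback names that legitimately map to 127.0.0.1 and are not blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return {hostname: ip} for every mapping in HOSTS-file syntax.

    Comments start with '#', fields are whitespace-separated, and one line
    may map several names to the same address. Names are lower-cased.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no names
        ip, names = fields[0], fields[1:]
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def sinkholed(text):
    """Names the HOSTS file redirects to a sinkhole address (the blocks)."""
    return {name for name, ip in parse_hosts(text).items()
            if ip in SINKHOLE_IPS and name not in LOCAL_NAMES}


def is_blocked(text, domain):
    """True if `domain` (any letter case) is sinkholed by this HOSTS file."""
    return domain.lower() in sinkholed(text)


def stale_blocks(text, current_block_list):
    """Blocks still in the HOSTS file that the current list no longer carries."""
    return sinkholed(text) - {d.lower() for d in current_block_list}


# Constructed sample. On Windows the real file is
# %SystemRoot%\System32\drivers\etc\hosts; the marker comments are invented.
SAMPLE_HOSTS = """# Constructed sample, not a real immunized HOSTS file
127.0.0.1       localhost
# --- entries added by immunization (constructed marker) ---
127.0.0.1       www.spywareinfo.com spywareinfo.com   # taken over Dec 2008
127.0.0.1       www.redtube.com                       # lifted upstream Sep 17, 2008
# --- end of constructed block ---
"""

# Constructed stand-in for the current immunization block list: the
# spywareinfo names are still blocked, the redtube entry has been dropped.
CURRENT_BLOCK_LIST = ["spywareinfo.com", "www.spywareinfo.com"]

if __name__ == "__main__":
    print("blocked:", sorted(sinkholed(SAMPLE_HOSTS)))
    print("stale:", sorted(stale_blocks(SAMPLE_HOSTS, CURRENT_BLOCK_LIST)))
```

To run it against a real machine, read the HOSTS file into `text` and replace `CURRENT_BLOCK_LIST` with the names from the current immunization; anything `stale_blocks()` reports is exactly the situation described above, a block that only re-immunizing will remove. Keeping `localhost` out of the result matters, since it maps to 127.0.0.1 for a legitimate reason.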

Friendly advice:
Stop using Heuristics scans for now. There are too many false positives with this type of scan. You can rely upon the definitions scans a lot more than Heuristics.

"The default scan with Spybot S&D is more accurate and recommended over the single file scanner. Especially the heuristics part of the single file scanner is prone to false positives."

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.

February 4, 2009

Spybot Search and Destroy Definitions Updated on 2/4/2009

Additions made on February 4, 2009:

Keyloggers
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Banload
+ CMVideo
+ MalwareBot
+ RegSweep
+ Smitfraud-C.gp
+ TotalProtect2009
+ Win32.AutoRun.ey

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ Go-Astro

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ NeoControlRed
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.bhcs
+ Win32.Agent.fbx
+ Win32.Bitar.a
+ Win32.ControlTotal.l
+ Win32.FraudLoad.cxj
+ Win32.Tibia.ci
+ Zlob.DNSChanger.Rtk
+ Zlob.Downloader.bit
+ Zlob.Downloader.ger

Total: 1317330 fingerprints in 376606 rules for 4544 products.

False positive detections reported or fixed this week:

Confirmed false heuristics hit on the Symantec file nppbho.dll, flagged as Virtumonde. Fixed with today's updates.

Confirmed F/P: Virtumonde.SCI detected on the NAV Helper BHO. Fixed with today's updates.

Brontok.Ab in a Windows desktop ini file is under investigation right now, but is probably a F/P.

January 28, 2009

Spybot Search and Destroy Definitions Updated on 1/28/2009

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. Stay tuned for more details as they are announced. Version updates are discussed in my extended comments.

Additions made on January 28, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
++ Fraud.ISafeAntivirus
++ Fraud.MyFasterPC
+ Fraud.SpyProtector
+ Fraud.SpywareGuard2008
+ Rogue.IEAntivirus
++ Rogue.WinAntivir2008
+ SpywareQuake
++ Win32.Agent.zbr
+ Win32.Banker
+ WinWebSecurity

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
++ HotTV

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde
+ Virtumonde.Dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.cyt
+ Win32.Agent.fbx
++ Win32.Agent.wls
++ Win32.Iksmas.ai
++ Win32.Lager.bi
++ Win32.SdBot.ays
+ Zlob.DNSChanger
+ Zlob.Downloader
+ Zlob.Downloader.jot
++ Zlob.Downloader.rut
+ Zlob.Downloader.tfr
++ Zlob.RouterChanger

Total: 1307319 fingerprints in 373362 rules for 4544 products.

False positive detections reported or fixed this week:

There were no new false positives confirmed or fixed this week.

January 21, 2009

Spybot Search and Destroy Definitions Updated on 1/21/2009

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. Stay tuned for more details as they are announced. Version updates are discussed in my extended comments.

Additions made on January 21, 2009:

Adware
+ Win32.TrafficSol.c

Keyloggers
+ SCKeylogger
++ Win32.Keylogger.s

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ AntiSpamBastion
++ AstrumAntivirusPro
++ Fraud.eAntiSpy
+ Fraud.XPAntivirus
+ Win32.AOLPass.i

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ EuroGrand.Casino.PT

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.agent.jr
++ Win32.Banbra.hp
+ Win32.Iksmas.ai
+ Win32.Small.ay
++ Win32.Tibia.ci
++ Win32.VB.df
++ Win32.Xorer.dr
+ Zlob.DNSChanger
+ Zlob.Downloader
+ Zlob.Downloader.vet
+ Zlob.Downloader.wot
+ Zlob.VideoActiveXObject
+ Zlob.VideoCodec2007
+ Zlob.VideoKeyCodec

Total: 1278173 fingerprints in 365193 rules for 4531 products.

My entry for last week's definitions update went to the bitbucket due to the failure of my server, which had to be restored from a backup from a previous date. So, here are the Spybot S&D updates from January 14, 2009:

Malware
+ AdDestination
+ Fraud.AntiVirusTrigger
+ Fraud.PCHealth
++ Fraud.UltraAntivirus2009
++ InternetAntivirusPro
+ RapidAntivirus
++ SpywareCease
+ Vcodec

Trojan
+ Virtumonde
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Banker.xe
+ Zlob.Downloader.miu

The domain "Spywareinfo.com" was recently added to the HOSTS file updates (for redirection to 127.0.0.1) because the domain name expired and was purchased by spammers or malware distributors in December 2008. It is now advertising a fake Spybot Search & Destroy, fake security scans and various malware downloads. The new Spywareinfo malware removal forum is located at: http://www.spywareinfoforum.com/
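The HOSTS-file mechanism above (an immunization entry points a hostile domain at 127.0.0.1 so the browser never reaches it, while the "Microsoft.Windows.RedirectedHosts" detection catches the reverse, malware pointing legitimate hosts elsewhere) can be checked from a script. The following is an added example, not code from this blog or from Spybot S&D; the sample HOSTS content, the 203.0.113.7 address and the PROTECTED_HOSTS list are constructed for illustration.

```python
"""Audit a Windows HOSTS file: tell loopback sinkhole entries from hijacks.

Added example (not part of the blog post or of Spybot S&D). A sinkhole line
such as "127.0.0.1 spywareinfo.com" is what an anti-malware immunization
writes; a line that sends a vendor's update host to some other address is
what a hosts hijack looks like.
"""
import ipaddress

# Constructed sample HOSTS content (assumption: typical Windows layout).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 spywareinfo.com
127.0.0.1 www.spywareinfo.com   # expired domain, now hostile
# End of entries inserted by Spybot - Search & Destroy
203.0.113.7 www.safer-networking.org
203.0.113.7 update.example-av.test
"""

# Hypothetical list of vendor hosts a defender never expects in HOSTS
# unless they resolve to loopback (i.e. are deliberately blocked).
PROTECTED_HOSTS = {"www.safer-networking.org", "spybot.info"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not a HOSTS entry
        for name in fields[1:]:
            yield addr, name.lower()


def classify(addr, name):
    """sinkhole: sent to loopback/unspecified (blocked on purpose)
    hijack:   a protected vendor host sent somewhere other than loopback
    override: any other non-loopback mapping (worth a look, not proof)"""
    if addr.is_loopback or addr.is_unspecified:
        return "localhost" if name == "localhost" else "sinkhole"
    if name in PROTECTED_HOSTS:
        return "hijack"
    return "override"


def audit(text):
    """Group HOSTS entries by category; the 'localhost' lines are dropped."""
    report = {"sinkhole": [], "hijack": [], "override": []}
    for addr, name in parse_hosts(text):
        category = classify(addr, name)
        if category != "localhost":
            report[category].append((name, str(addr)))
    return report


def is_blocked(text, domain):
    """True when the domain resolves to loopback via this HOSTS content,
    i.e. the immunization entry for it has actually been applied."""
    domain = domain.lower()
    return any(name == domain and classify(addr, name) == "sinkhole"
               for addr, name in parse_hosts(text))


if __name__ == "__main__":
    for category, entries in audit(SAMPLE_HOSTS).items():
        print(category, entries)
    print("spywareinfo.com blocked:", is_blocked(SAMPLE_HOSTS, "spywareinfo.com"))
```

Running it against the real file (C:\Windows\System32\drivers\etc\hosts on Windows) only requires reading that file into the text argument.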

In case you have noticed a slowdown in the scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July 2008. Older versions of Spybot are no longer being updated and cannot deal with many of the new malware definitions and removal routines.

False positive detections reported or fixed this week:

There was a confirmed false positive heuristic detection of virtumonde.sdn in c:\windows\system32\ackpbsc.dll. This was first fixed on Jan 14, 2009, then again on January 21, 2009. The file is legitimate and is used by the built-in camera on some HP laptop computers.

A confirmed false positive in Avira Premium Security Suite Firewall detected as Win32.Delf.qmw was fixed on Jan 14, 2009.

Finally, two confirmed false positives detected on the E-Sword CD were fixed with today's updates.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.


January 7, 2009

Spybot Search and Destroy Definitions Updated on 1/7/2009

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. Stay tuned for more details as they are announced. Version updates are discussed in my extended comments.

Additions made on January 7, 2009:


Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.SpywareGuard2008
+ Smitfraud-C.
+ Win32.Bomka.r

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ MyWay.MyWebSearch

Spyware
+ WebCompass.Searchbar

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ IRC.crt
+ Virtumonde
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Delf.qmw
+ Zlob.Downloader

Total: 1320313 fingerprints in 372884 rules for 4518 products.

In case you have noticed a slowdown in the scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July 2008. Older versions of Spybot are no longer being updated and cannot deal with many of the new malware definitions and removal routines.

False positive detections reported or fixed this week:

There is a confirmed false positive heuristic detection of "Win32.Sober" in the "conhost.exe" in beta versions of Windows 7. It will be fixed soon.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.


December 31, 2008

Spybot Search and Destroy Definitions Updated on 12/30/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. Stay tuned for more details as they are announced. Version updates are discussed in my extended comments.

Additions made on December 30, 2008:

Adware
++ IThink.SideSearch

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
++ Avrlabs
++ Fraud.Antivirus360
++ Fraud.WinDefender2009
+ IEDefender
+ SpywareBot.SpywareStop
+ Smitfraud-C.
+ Win32.TDSS.rtk
++ WinWebSecurity
+ WinSpywareProtect
++ WMVideoPlugin

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
++ Fraud.AntiVirusTrigger
++ ISearchTechnology.WinButler
+ Virtumonde
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.IEMon
+ Win32.Delf.oko
++ Win32.Agent.pi
++ Win32.Agent.sp
++ Win32.Agent.adb
++ Win32.Agent.fkl
++ Win32.Bankobao.b
+ Win32.Rungbu.a

Total: 1306995 fingerprints in 369046 rules for 4518 products.

In case you have noticed a slowdown in the scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July this year, to 369046 detection patterns in this week's update!

False positive detections reported or fixed this week:

There is a confirmed false positive heuristic detection of "Darkonia" in zlib1.dll. This file is part of the external libraries required for Notepad++'s XML Tools. It has been fixed in the latest updates.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.


December 24, 2008

Spybot Search and Destroy Definitions Updated on 12/23/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. Stay tuned for more details as they are announced. Version updates are discussed in my extended comments.

Additions made on December 23, 2008:

Adware
++ Win32.Toolbar.World2

Hijackers
+ PrimeSoft.SafeSearch

Keyloggers (Keyloggers steal your typed logins and passwords)
+ PerfectKeylogger (2)
++ Redneck

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ BPS.Gen
++ BPSAntiSpywareGuard
++ BPSMalwareGuard
++ ExtraAntivir
+ FakeAlert.cc
+ FakeBill.CourtCologne
+ Fraud.AntivirusTrigger
++ Fraud.PerfectDefender
+ Fraud.VirusTrigger
++ NanoAntivirus
+ SaferSurfing
+ Smitfraud-C.
++ Win32.Agent.hc
+ Win32.Renos

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
++ Fake.HTML.BHO
+ Fraud.AntiVirusTrigger
++ GFailure.Girlfriend135
+ Virtumonde
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.arnx
+ Win32.Brontok.q
++ Win32.Delf.cof
++ Win32.Hider.i
+ Win32.Rays
+ Win32.TDSS.rtk
++ Win32.Tibia.dd
+ Zlob.Downloader
+ Zlob.Downloader.ol
+ Zlob.Downloader.vot
+ Zlob.Downloader.wot
+ Zlob.MovieCommander

Total: 1298391 fingerprints in 366315 rules for 4505 products.

In case you have noticed a slowdown in the scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July this year, to 347101 detection patterns in this week's update!

False positive detections reported or fixed this week:

None reported this week!

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.


December 17, 2008

Spybot Search and Destroy Definitions Updated on 12/17/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. Stay tuned for more details as they are announced. Version updates are discussed in my extended comments.

Additions made on December 17, 2008:

Hijackers
+ ISearchToolbar

Keyloggers (Keyloggers steal your typed logins and passwords)
+ ActMon-Pro
+ Ardamax

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AntiSpywareMaster
+ Fraud.PCProtectionCenter2008
+ FakeAlert.CC
+ Fraud.AntiVirusLab2009
+ Win32.PoisonIvy.j

Security
+ Microsoft.Windows.AppFirewallBypass
+ Microsoft.Windows.RedirectedHosts

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
++ PartnerBHO
++ RKdrv.rtk
+ Smitfraud-C.gp
+ Virtumonde
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.amwr
+ Win32.Agent.bxh
+ Win32.Agent.pz
+ Win32.Agent.sd
++ Win32.Banload.ihm
++ Win32.CeeInject.Ik
++ Win32.Ciadoor.cj
++ Win32.Delf.oko
++ Win32.Poison.cpb
+ Win32.RAdmin
+ Zlob.Downloader
+ Zlob.Downloader.apl

Worm
++ VBS.LoveLetter.aq2 (2)

Total: 1212991 fingerprints in 347101 rules for 4491 products.

In case you have noticed a slowdown in the scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July this year, to 347101 detection patterns in this week's update!

False positive detections reported or fixed this week:

There was a false positive report of Smitfraud-C in "WMDrive.sys", at c:\windows\system32\drivers\WMDrive.sys (189,952 bytes). This was fixed in today's F/P update.

There was a false positive detection of Smitfraud.C confirmed in a Zoom Modem file named "country.exe." This was fixed in today's F/P update.

There is a confirmed False Positive "Heuristic" detection of "Accoona" in several unwise.exe uninstaller files. It was fixed with today's F/P update.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.


December 10, 2008

Spybot Search and Destroy Definitions Updated on 12/10/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. Stay tuned for more details as they are announced. Version updates are discussed in my extended comments.

Additions made on December 10, 2008:

Adware
+ Win32.TrafficSol.c

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ AlphaWipe2008
+ AntiSpywareMaster
++ Fraud.AntiMalwareGuard
++ Fraud.AntiVirusSentry
++ Fraud.PersonalDefender
++ Fraud.SpyProtector
++ Fraud.SpywareGuard2008
++ Fraud.VirusTrigger (4)
++ Fraud.WinDefender (5)
+ IEDefender
+ Smitfraud-C.
+ Smitfraud-C.MSVPS
++ TracksFree
++ Win32.Adload.db
+ Win32.VB.ck
+ Zlob.Downloader

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
++ AdAtoms.MyCentria
+ MyWay.MySearch

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
++ MegaUploadToolbar

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
++ Dropper.Agent.apfv
+ Refpron
+ Virtumonde
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.amwr
+ Win32.Agent.ark
++ Win32.Agent.clk
+ Win32.Agent.xv
+ Win32.Autoit
++ Win32.AutoRun.dfs
++ Win32.AutoRun.va
+ Win32.Bagle.A
+ Win32.Bagle.E
+ Win32.Bagle.F
+ Win32.Bagle.G
+ Win32.Bagle.H
+ Win32.Brontok (2)
+ Win32.Delf.rtk
++ Win32.GrayBird.aj
++ Win32.Hidden.RTK
+ Win32.TDSS.rtk
+ Zlob.Downloader.sit

Total: 1208743 fingerprints in 345764 rules for 4472 products.

In case you have noticed a slowdown in the scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July this year, to 345,764 detection patterns in this week's update!

False positive detections reported or fixed this week:

There was a confirmed false positive heuristic-only detection of "Win32.ActiveKeyLogger" in a common, legitimate uninstaller file named "Unwise.exe". Normal scans show the file is clean. This was fixed in today's updates.

A false positive detection of "Beast" in files with the .bst extension was fixed today.

A False positive detection of Sumom.a was fixed today. The file containing it was the AltNet adware component of Kazaa.

There is a confirmed False Positive "Heuristic" detection of "Accoona" in several unwise.exe uninstaller files. It will be fixed with later updates.

A False Positive has been confirmed in the following: Win32.Agent.bzs: C:\WINDOWS\system32\userinit.exe. It has been fixed in today's F/P update.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.


December 3, 2008

Spybot Search and Destroy Definitions Updated on 12/3/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0 of Spybot Search and Destroy. Stay tuned for more details as they are announced. Version updates are discussed in my extended comments.

Additions made on December 3, 2008:


Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ FakeAlert.cc
+ Fraud.VirusResponseLab2009
+ Fraud.AntiVirusLab2009
+ Fraud.XPAntivirus
+ Fraud.Antivirus2008
+ IEDefender
+ Smitfraud-C.
++ SpywareGuard2008
+ WinSpywareProtect

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
++ Keenfinder
+ MyWay.MySearch
++ StaffCop

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
++ GSearchTB.QuickAccessToolbar

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ BackOrifice2k
++ NVideoSupport
+ Pigeon
+ Smitfraud-C.MSVPS
++ Tsearch.msn
+ Virtumonde
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.amwr
+ Win32.Agent.ll
++ Win32.Agent.bzs (2)
++ Win32.Agent.cid
++ Win32.Agent.cso
+ Win32.Agent.sd
++ Win32.AutoRun.abt (2)
+ Win32.Bandok
+ Win32.Brontok
++ Win32.Brontok.ab
++ Win32.Drefir.a
+ Win32.Exchanger.ch
++ Win32.Hidden.RTK
++ Win32.KeySave
+ Win32.TDSS.rtk
+ Win32.Webdir.b
++ Wot32

Total: 1199581 fingerprints in 343003 rules for 4445 products.

In case you have noticed a slowdown in the scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6, in July this year, to 343,003 detection patterns in this week's update!
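The "+ / ++ / (n)" notation explained above, and the weekly "Total: ... rules" line whose growth this paragraph discusses, are easy to tally by machine. The following is an added example written for this page, not code from the blog or from Spybot S&D; it parses a digest in the post's own format (the sample is constructed from the December 3 list) into per-category counts of new versus updated detections and variants, and computes the rule-count growth against an earlier week's total.

```python
"""Parse a Spybot S&D weekly 'Additions made on ...' digest.

Added example, not part of the original blog post or of Spybot S&D itself.
It implements the notation the post describes: a category heading line,
followed by '+ Name' (updated detection) or '++ Name' (brand new detection),
with an optional '(n)' variant count, and a closing
'Total: X fingerprints in Y rules for Z products.' line.
The SAMPLE digest below is constructed from the post's December 3, 2008 list.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^(\+{1,2})\s+(.+?)(?:\s+\((\d+)\))?\s*$")
TOTAL_RE = re.compile(
    r"^Total:\s*(\d+)\s+fingerprints\s+in\s+(\d+)\s+rules\s+for\s+(\d+)\s+products\.?$"
)


@dataclass
class Detection:
    category: str
    name: str
    new: bool          # True for '++' (brand new), False for '+' (updated)
    variants: int = 1  # '(n)' suffix; a bare entry counts as one variant


@dataclass
class Digest:
    detections: list = field(default_factory=list)
    fingerprints: int = 0
    rules: int = 0
    products: int = 0


def parse_digest(text: str) -> Digest:
    """Walk the digest line by line, tracking the current category heading."""
    digest = Digest()
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            # Blank lines and the 'Additions made on ...:' title carry no entries.
            continue
        m = TOTAL_RE.match(line)
        if m:
            digest.fingerprints, digest.rules, digest.products = map(int, m.groups())
            continue
        m = ENTRY_RE.match(line)
        if m:
            if category is None:
                raise ValueError(f"detection before any category heading: {line!r}")
            plus, name, count = m.groups()
            digest.detections.append(
                Detection(category, name, new=(plus == "++"),
                          variants=int(count) if count else 1))
            continue
        # Anything else is a category heading; drop the parenthetical gloss
        # such as "(Includes rogue or fake anti-virus ...)".
        category = re.sub(r"\s*\(.*$", "", line).strip()
    return digest


def summarize(digest: Digest) -> dict:
    """Per-category counts of new vs. updated detections and total variants."""
    summary = defaultdict(lambda: {"new": 0, "updated": 0, "variants": 0})
    for d in digest.detections:
        bucket = summary[d.category]
        bucket["new" if d.new else "updated"] += 1
        bucket["variants"] += d.variants
    return dict(summary)


def rule_growth(previous_rules: int, current: Digest) -> float:
    """Fractional growth in the rule count relative to an earlier digest."""
    if previous_rules <= 0:
        raise ValueError("previous rule count must be positive")
    return (current.rules - previous_rules) / previous_rules


# Constructed sample in the post's format (a subset of the December 3 list).
SAMPLE = """\
Additions made on December 3, 2008:

Malware (Includes rogue or fake anti-virus and anti-spyware programs)
+ AdDestination
++ SpywareGuard2008

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
++ Keenfinder
+ MyWay.MySearch

Trojans (Trojans come to you disguised as something useful)
+ Virtumonde
++ Win32.Agent.bzs (2)
++ Win32.AutoRun.abt (2)
+ Win32.TDSS.rtk

Total: 1199581 fingerprints in 343003 rules for 4445 products.
"""

if __name__ == "__main__":
    digest = parse_digest(SAMPLE)
    for cat, counts in summarize(digest).items():
        print(f"{cat}: {counts}")
    # 340806 is the previous week's (November 26) rule count from the post.
    print(f"rules: {digest.rules}, growth since last week: {rule_growth(340806, digest):.2%}")
```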

False positive detections reported or fixed this week:

There was a confirmed false positive heuristic-only detection of "Win32.ActiveKeyLogger" in a common, legitimate uninstaller file named "Unwise.exe." Normal scans show the file is clean. This will be fixed in later updates, possibly tomorrow, or next week. In the meantime, if you run a heuristic scan of a folder and Spybot flags unwise.exe, it may be a false positive, so don't quarantine the file. Do scan the directory or file with your anti-virus scanner, or an online virus scanner. If you allow files with this name to be deleted and they were not in fact hostile, you will be unable to uninstall that program later on.

Several other possible false positives are currently under review. Sometimes a F/P update is released out of cycle, so check back over the next few days for additional definition updates for Spybot S&D.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.


November 26, 2008

Spybot Search and Destroy Definitions Updated on 11/26/2008

Additions made on November 26, 2008:

Adware
++ Win32.BHO.hxp

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ Fraud.AntiSpywareXP
+ Smitfraud-C.

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ FunWebProducts
+ MyWay.MyWebSearch
+ WildTangent

Security
+ Microsoft.Windows.AppFirewallBypass


Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
+ Beast
+ Virtumonde
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.amwr
++ Win32.Agent.amyy
++ Win32.Agent.ddl
++ Win32.Agent.gpr
++ Win32.Agent.ik
++ Win32.AutoRun.AW
++ Win32.AutoRun.im
++ Win32.AutoRun.Malas
+ Win32.Bagle.A
+ Win32.Bagle.C
+ Win32.Bagle.F
+ Win32.Bagle.G
+ Win32.Bagle.H
+ Win32.Brontok.q
+ Win32.Exchanger.ch
++ Win32.HermanAgent
++ Win32.Omega.aik
++ Win32.RA.51122
+ Zlob.DNSChanger
+ Zlob.Downloader
++ ZombieRat

Total: 1193059 fingerprints in 340806 rules for 4414 products.

There is a big increase in the number of Trojans added to the detections database, with the November 26 updates. These programs do not come in peace and they do mean you harm! Please update your definitions, then apply all immunizations to all of your user accounts on your PC.

False positive detections reported or fixed this week:

There was a confirmed false positive detection of "MailSkinner.rtk" in 4 Registry keys (OutlookAddin.Addin), plus files in some Bluetooth program folders, and in the Kaspersky anti-spam toolbar for Microsoft Outlook. This was fixed in today's updates.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.


November 19, 2008

Spybot Search and Destroy Definitions Updated on 11/19/2008

Additions made on November 19, 2008:

Adware
+ Win32.TrafficSol.c

Hijackers
++ Win32.Startpage.nil

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
+ SCKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ CarpeDiem Vars
+ Fraud.XPAntivirus
++ Gool
++ MadInjection.rtk
+ PornBHO.ru
+ Smitfraud-C.
+ Win32.Renos
+ Win32.Small.buy

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
+ Facegame
++ Fake.Javacore
+ IRC.Zapchast
+ PWS.Small.bs
++ Speedrunner
+ Virtumonde
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Webtools.tCPV6
++ Win32.Agent.di
++ Win32.Agent.hk
++ Win32.Agent.ll
++ Win32.Agent.sd
++ Win32.Agent.yvr
++ Win32.AutoRun.SilentSoftech
+ Win32.Bagle.AV
++ Win32.Delf.hj
++ Win32.Delf.kp
+ Win32.Exchanger.ch
++ Win32.LdPinch.adk
++ Win32.Mailbot.dc
++ Win32.Renos.au
+ Win32.Small.rc
+ Zlob.Downloader
++ Zlob.Downloader.eit
++ Zlob.Downloader.ger
++ Zlob.Downloader.miu
++ Zlob.Downloader.rot
++ Zlob.Downloader.sit
++ Zlob.Downloader.swo

Total: 1187003 fingerprints in 338944 rules for 4407 products.

There is a big increase in the number of Trojans added to the detections database, with the November 19 updates. These programs do not come in peace and they do mean you harm! Please update your definitions, then apply all immunizations to all of your user accounts on your PC.

False positive detections reported or fixed this week:

There was a confirmed false positive detection of "Spybouncer" in empty zip files. This was fixed in today's updates.

There was a confirmed false positive detection of "win32.anilogo.i" in a file named Domino.exe, which is a legitimate file used by a USB camera. This was fixed in today's updates.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.


November 12, 2008

Spybot Search and Destroy Definitions Updated on 11/12/2008

Additions made on November 12, 2008:

Adware
++ PlayMP3z

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Keylogger-Pro
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ ErrorClean
+ Fraud.XPAntivirus
+ Smitfraud-C.
++ Win32.KillFiles.ip
+ ZenoSearch

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ FunWebProducts
+ MyWay.MyWebSearch

Spyware
++ SuperYahooMessengerArchiveDecoder
++ Win32.Outlooker

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
+ Smitfraud-C.MSVPS
+ Virtumonde
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Brontok
++ Win32.Delf.NKB
++ Win32.OnLineGames.dr
++ Win32.TDSS.rtk
+ Zlob.Downloader
+ Zlob.Downloader.ger

Total: 1096518 fingerprints in 293830 rules for 4396 products.

False positive detections reported or fixed this week:

Confirmed false positive detection of "Spyware Cease" as "Malware." This was fixed in today's updates. The program is not a threat at all.

There were reported false positives of a Virtumonde.sdn infection within C:\Windows\system32\ptipbmf.dll and also in c:\windows\system32\psqlpwd.dll. These were fixed with today's F/P optional updates.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.


November 8, 2008

Spybot Search and Destroy Definitions Updated on 11/5/2008

Additions made on November 5, 2008:

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AntiSpyCheck
+ AntiSpywareMaster
+ Fake.MSAntivirus
+ FakeAlert.cc
++ FakeBill.CourtCologne
+ Fraud.Antivirus2008
++ Fraud.AntiVirusLab2009
+ Fraud.PC-Antispy
+ Fraud.PCHealth
++ Fraud.PCProtectionCenter2008
++ Fraud.PowerAntivirus
+ Fraud.SystemAntivirus
++ Fraud.VirusResponseLab2009
+ Fraud.XPAntivirus
+ MicroAntivirus
+ PCCleanPro
++ RapidAntivirus
+ Smitfraud-C.
+ Smitfraud-C.gp
+ SpywareBOT
++ SpywareCease
+ UltimateAntivirus2008
+ VistaAntivirus2008
++ Win32.mIRC.603
++ Win32.VB.dn
+ Win32.Renos
+ XPSecurityCenter
+ YourWebSafe

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
++ Joke.Password
++ MSNFlood
+ FunWebProducts
+ MyWay.MyWebSearch
+ WildTangent

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ Facegame
+ Hupigon
+ Netbus
++ PoisonIvy
++ Rbot.XXY
+ RS32UPS.ru
+ Virtumonde
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.aec
++ Win32.Agent.aiae
++ Win32.Agent.jg
+ Win32.Agent.alo
++ Win32.Agent.nmy
++ Win32.Agent.wf
++ Win32.Anilogo.i
+ Win32.Autoit.p
++ Win32.BHO.gok
+ Win32.BHO.je
++ Win32.Delf.phh
++ Win32.DNSChanger.axi
++ Win32.Drefir.e
++ Win32.Pakes.kso
++ Win32.Rbot.vd
++ Win32.Rbot.viy
+ Win32.SdBot.aad
++ Win32.VB.bco
+ Zlob.Downloader
+ Zlob.Downloader.bit

Total: 861687 fingerprints in 264737 rules for 4396 products.

False positive detections reported or fixed this week:

There is a confirmed false positive detection of Virtumonde.sdn: [SBI $68FD4395] Library (File, nothing done), in C:\WINDOWS\system32\tphklock.dll. This was fixed with this week's F/P optional updates.

A customer who ran the "right-click Spybot scan" in Explorer over Symantec Ghost Solution Suite v2.5, using SpybotSD 1.6.0.30 with detection updates from October 15 through 29, 2008, reported that one file, "gdiplus.dll," was flagged as "Caishow" under the "Heuristics" section. This is a false positive that is fixed with this week's F/P updates.

There is a discussion underway between Frank Bauer, Co-owner of ViralURL.com, and Team Spybot, regarding the blacklisting of his website, which is in Spybot's HOSTS file immunizations. At this point the URL remains blacklisted. If this changes I will so inform you. If you have business with that website, and use Spybot S&D, you will have to manually remove its entry from your HOSTS file.


October 29, 2008

Spybot Search and Destroy Definitions Updated on 10/29/2008

Additions made on October 29, 2008:

Hijackers
+ MT-Dials

Keyloggers (Keyloggers steal your typed logins and passwords)
++ LightLogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ AntispywareProXP
+ Fraud.PCHealth
++ Fraud.SystemAntivirus
+ Fraud.XPAntivirus
+ MicroAntivirus
+ Smitfraud-C.
+ Win32.Agent.cmn

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
++ WGDTEAM.GoldCashHack

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
+ Network Essentials.Hopper
+ RS32UPS.ru
+ Virtumonde
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.agee
+ Win32.Agent.frl
+ Win32.Brontok.q
++ Win32.Delf.gycn
+ Win32.Exchanger.ch
++ Win32.Small.Ybe
++ Win32.VB.ayo
++ Win32.VB.bg
++ Win32.VB.bj
+ Zlob.Downloader
+ Zlob.Downloader.wet

Total: 944259 fingerprints in 242323 rules for 4324 products.

False positive detections reported or fixed this week:

There were no false positives reported this week.


October 23, 2008

Spybot Search and Destroy Definitions Updated on 10/22/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Additions made on October 22, 2008:

Adware
+ AdDestination
++ Win32.SmartPops.c

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Command Service
+ MicroAntivirus
++ PornBHO.ru
+ Smitfraud-C.
+ SpywareBOT.SpywareStop
++ TotalSecure2009
+ Win32.Renos
++ UltimateSpyKiller

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ Joke.BadGame
++ Joke.Train
+ MyWay.MyWebSearch
+ Network Monitor
++ Sleepy

Security
+ Microsoft.Windows.AppFirewallBypass
++ Microsoft.Windows.Comfile.HideExtension

Spyware
+ webHancer
++ Spy-net

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ IRC.crt
++ OIN.Analytics
++ RS32UPS.ru
++ SysVenFakP
+ Virtumonde
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.aach
+ Win32.Agent.ark
++ Win32.AutoRun.dcw
++ Win32.AutoRun.diq
++ Win32.Delf.aam
++ Win32.Delf.ake
++ Win32.Delf.yj
+ Win32.Delf.zq
+ Win32.Exchanger.ch
++ Win32.MSN.Autoruner
+ Win32.Mutant.yf
++ Win32.Qhost.aei
++ Win32.SDBot.wus
+ Win32.Small.buy
++ Win32.VB.as
++ Win32.XPACK.Gen
+ Zlob.Downloader
+ Zlob.HQCodec

Total: 1152094 fingerprints in 286970 rules for 4336 products.

False positive detections reported or fixed this week:

One reader reported a false positive detection of "Caishow" in the Windows system file "gdiplus.dll," under the "Heuristics" section. This is a confirmed FP that has been fixed this week.

Again, some users of version 1.4 of Spybot S&D are reporting various false positives. Those folks have been advised to upgrade to the current version, 1.6.0.30, which eliminates those false positives. If you have any version older than 1.6 you should remove all immunizations and uninstall the product, then download the current version and install/update it.

October 15, 2008

Spybot Search and Destroy Definitions Updated on 10/15/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Additions made on October 15, 2008:

Adware
+ AdDestination
+ Winzix

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax (2)

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.SmartAntiVirus2009 (2)
+ Smitfraud-C.
+ Swizzor
++ TotalSecure2009 (2)

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ SniffPass

Spyware
+ CommonName

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
+ Bifrose.LA
+ Refpron (2)
+ Virtumonde.sdn
+ Win32.Agent.cmn
+ Win32.Agent.wo
++ Win32.Bifrose.zxe
+ Win32.Exchanger.ch
+ Win32.Small.axy
+ Win32.Sohanad.as
++ Win32.VB.atg
++ Win32.VB.bda
++ Win32.WPA_Kill.AK
+ Zlob.Downloader
+ Zlob.Downloader.vdt
+ Zlob.Downloader.wet

Total: 1148843 fingerprints in 286076 rules for 4310 products.

False positive detections reported or fixed this week:
None reported as of today.

October 8, 2008

Spybot Search and Destroy Definitions Updated on 10/08/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Additions made on October 8, 2008:

Adware
++ InternetGameBox

Hijackers
+ MediaTickets

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.PCHealth
++ MicroAntivirus
+ Smitfraud-C.

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ FuckMailBomber

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ Refpron
+ Virtumonde
+ Virtumonde.sdn
++ Win32.Agent.fbx
+ Win32.Agent.JH
++ Win32.Bifrose.boa
+ Win32.Buzus.jqw
++ Win32.Buzus.ytg
++ Win32.Delf.abk
++ Win32.Ikmet.c
++ Win32.MataAVG
+ Win32.Small.fb
+ Win32.Sohanad.as
++ Win32.Virut.q
+ Zlob.DNSChanger
+ Zlob.DNSChanger.rtk
++ Zlob.Downloader.bit

Total: 1147480 fingerprints in 285772 rules for 4296 products.

False positive detections reported or fixed this week:

abyssmedia.com has been removed from the HOSTS blocklist with today's updates.

October 1, 2008

Spybot Search and Destroy Definitions Updated on 10/01/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Additions made on October 1, 2008:

Keyloggers (Keyloggers steal your typed logins and passwords)
+ PerfectKeylogger
+ SCKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ AdRotate
++ AntispywareProXP
++ MicroAntivirus
++ MySideSearch
+ Smitfraud-C.
+ SpywareBOT.SpywareStop
++ Win32.VB.ij
Security
++ Microsoft.Windows.Disabled.DispSettings
Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ Refpron
++ Stration.dtp
++ Virtumonde.atr
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Autoit
++ Win32.AutoRun.ET
++ Win32.AutoRun.HomeVideo
+ Win32.Delf.rtk
++ Win32.Small.axh
++ WinDestroyerGolden
++ Zlob.ARg

Total: 1141725 fingerprints in 284288 rules for 4285 products.

False positive detections reported or fixed this week:

There is a confirmed false positive detection of the Trojan Win32.Small.fb in Wine, which is a Windows translation layer used on Linux computers to allow (some) Windows programs to be run on Linux. The displayed report was: "Win32.Small.fb: [SBI $3B3DD39E] <$WINSOCK>" This false positive has been fixed in this week's updates.

There is still an as yet unconfirmed, possible false positive of "FakeAlert" in the Windows System file "msvideo.dll." According to the user who reported this, "the description SpyBot gives indicates that FakeAlert creates an autorun entry but I don't see anything that arouses my suspicion." If it is a FP it will be corrected in next week's updates. If Spybot flags this file on your computer use caution and check with the Spybot False Positives Forum before allowing it to be deleted.

September 24, 2008

Spybot Search and Destroy Definitions Updated on 9/24/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Additions made on September 24, 2008:

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ ActiveToolBand
+ AntiSpywareMaster
++ AntispywareProXP
+ BookedSpace
++ Cleaner2009
+ Fake.MSAntivirus
+ Fraud.AntiMalwares
+ Fraud.AntiSpyware2008XP
+ Fraud.Antivirus2008
+ Fraud.PC-Antispy
++ Fraud.SmartAntiVirus2009
++ InternetSpeedMonitor
++ PCCleanPro
+ Smitfraud-C.
+ Virantix (8)
+ Win32.Agent.pz
++ Win32.Hangame
+ Win32.Renos
+ Win32.VB.lu
+ WinSpyKiller
+ WinXDefender
+ Worldsecurityonline.FakeAlert

Spyware
++ EBlaster

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
+ Adclicker
+ Command Service
+ Fake.IKEA-Bill
++ Popguide
++ ProGroup.ProRat
+ Vanbot
++ Virtumonde.atr
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ WebBuyingAssistant
++ Win32.Agent.hz
+ Win32.Agent.msgr
++ Win32.Antilam.20
++ Win32.AutoRun.dmh
+ Win32.BabyDel
++ Win32.BHO.fdj
+ Win32.BHO.df
+ Win32.ConHook.ah
++ Win32.Delf.gxz
++ Win32.Rays
+ Win32.Small.buy
++ Win32.VB.aoo
+ Zlob.Downloader.apl
+ Zlob.Downloader.mot
+ Zlob.Downloader.vdt
+ Zlob.Vcodec
+ Zlob.XPasswordManager

Total: 1137868 fingerprints in 283533 rules for 4288 products.

False positive detections reported or fixed this week:

There is an as yet unconfirmed, but reported false positive of "FakeAlert" in the Windows System file "msvideo.dll." According to the user who reported this, "the description SpyBot gives indicates that FakeAlert creates an autorun entry but I don't see anything that arouses my suspicion." If it is a FP it will be corrected in next week's updates. If Spybot flags this file on your computer use caution and check with the Spybot False Positives Forum before allowing it to be deleted.

RegCleaner by Jouni Vuorio is a confirmed false positive and was fixed with the updates last Wednesday.

September 17, 2008

Spybot Search and Destroy Definitions Updated on 9/17/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Additions made on September 17, 2008:

Dialer (Dialers silently try to use your modem to call pay per minute numbers in foreign countries)
+ EGDAccess

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AntiSpywareMaster
+ CoolWWWSearch.OleHelp
++ Fraud.PCHealth
+ DyFuCa.InternetOptimizer
+ ISearchTech.ISTsvc
+ MagicControl.Agent
+ Smitfraud-C.
+ SpywareBOT.SpywareStop
+ Win32.Agent.pz
+ WinSpywareProtect
+ ZenoSearch

Spyware
+ 180Solutions.SearchAssistant
+ TargetSaver

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ Agent.Clicker
+ CoolWWWSearch.GonnaSearch
+ Fraud.AntiMalwares
++ IRCBot.svchost
++ ProGroup.ProRat
++ Win32.Agent.hnk
+ Win32.Agent.hz
++ Win32.Delf.jl
++ Win32.Delf.gkw
++ Win32.Delf.rtk
+ Win32.Flux.fm
++ Win32.Joleee.K
+ WebBuyingAssistant
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ Virtumonde.Crack

Total: 1219618 fingerprints in 292344 rules for 4237 products.

False positive detections reported or fixed this week:

RegCleaner by Jouni Vuorio is a false positive and was fixed with the updates this Wednesday.

September 10, 2008

Spybot Search and Destroy Definitions Updated on 9/10/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Additions made on September 10, 2008:

Adware
++ Give4Free.BHO
++ zztoolbar

Dialer (Dialers silently try to use your modem to call pay per minute numbers in foreign countries)
+ eGroup.InstantAccess

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ ActiveToolBand
+ AdwareAlert
+ AdwarePro
+ AntiSpyCheck
+ ErrorSmart
+ ErrorSweeper
++ Fake.MSAntivirus
+ Fraud.AntiMalwares
++ MalwarePro
++ Redtube
+ RegClean
+ Smitfraud-C.
+ Spyhunter
++ Win32.Agent.ys
+ Win32.BHO.je
+ Win32.Renos

PUPS (Possibly Unpopular Software or Unwanted Programs)
+ FunWebProducts
+ MyWay.MyWebSearch
++ RegCleanr

Spyware
++ SolutionClass.pws

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ Fake.PCTools
++ RightMedia
++ StormCodec
+ Virtumonde
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ VisualBreeze
+ Win32.Autoit
++ Win32.AutoRun.buv
++ Win32.BHO.kv
++ Win32.Hupigon.eez
++ Win32.LdPinch.fzw
++ Win32.Small.ba
++ Win32.VB.bbd
+ Zlob.Downloader.apl

Total: 1215016 fingerprints in 291150 rules for 4227 products.

September 3, 2008

Spybot Search and Destroy Definitions Updated on 9/03/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer and/or your personal security or privacy.
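To make those list conventions concrete, here is an added example (my own code, not from this blog or from Team Spybot) that parses a weekly additions list written in exactly that notation: "+" for an updated detection, "++" for a brand new one, "(n)" for the variant count, and the closing "Total:" line. The sample text is constructed from names that appear on this page; the grouping and the helper names (parse_update, summarize, lookup) are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the post's own notation: "+" = updated detection,
# "++" = brand new detection, "(n)" = number of variants in that detection.
# The names are taken from lists on this page; the grouping is hypothetical.
SAMPLE = """\
Additions made on September 3, 2008:

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
++ Win32.KeyLogger.ap

Malware (Includes rogue or fake anti-virus and anti-spyware programs)
++ 1ClickPCFix
+ ErrorSafe
++ Virantix (7)

Worms
+ Win32.Socks.T (1471)

Total: 1209640 fingerprints in 290002 rules for 4232 products.
"""

ENTRY_RE = re.compile(r"^(\+{1,2})\s+(.+?)(?:\s+\((\d+)\))?$")
TOTAL_RE = re.compile(r"^Total:\s+(\d+) fingerprints in (\d+) rules for (\d+) products\.$")


@dataclass
class Detection:
    category: str
    name: str
    is_new: bool   # True for "++", False for "+"
    variants: int  # the "(n)" count, 1 when no count is given


def parse_update(text: str) -> Tuple[List[Detection], Optional[Dict[str, int]]]:
    """Parse one weekly additions list into Detection records plus the Total line."""
    category: Optional[str] = None
    entries: List[Detection] = []
    totals: Optional[Dict[str, int]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):  # blank lines and the "Additions made on ...:" header
            continue
        m = TOTAL_RE.match(line)
        if m:
            totals = {"fingerprints": int(m.group(1)), "rules": int(m.group(2)), "products": int(m.group(3))}
            continue
        m = ENTRY_RE.match(line)
        if m:
            if category is None:
                raise ValueError(f"detection listed before any category heading: {line!r}")
            entries.append(Detection(category, m.group(2), m.group(1) == "++", int(m.group(3) or 1)))
            continue
        # Anything else is a category heading; drop the parenthesised description.
        category = line.split(" (", 1)[0].strip()
    return entries, totals


def summarize(entries: List[Detection]) -> Dict[str, Dict[str, int]]:
    """Per-category counts of new and updated detections, and total variants covered."""
    summary: Dict[str, Dict[str, int]] = {}
    for e in entries:
        s = summary.setdefault(e.category, {"new": 0, "updated": 0, "variants": 0})
        s["new" if e.is_new else "updated"] += 1
        s["variants"] += e.variants
    return summary


def lookup(entries: List[Detection], name: str) -> List[Detection]:
    """Case-insensitive exact-name lookup: the check a reader makes after a scan flags something."""
    return [e for e in entries if e.name.lower() == name.lower()]


if __name__ == "__main__":
    found, total = parse_update(SAMPLE)
    for cat, counts in summarize(found).items():
        print(f"{cat}: {counts}")
    print("totals:", total)
```

Feed it a pasted weekly list and `lookup` answers the question the post anticipates: is the name my scan reported a new or an updated detection this week, and how many variants does it cover.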

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

News Flash!
Spybot Search and Destroy 1.6 was released on July 8, 2008. Upgrade now! The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Additions made on September 3, 2008:

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
++ Win32.KeyLogger.ap

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ 1ClickPCFix
+ ErrorSafe
+ Fraud.AntiMalwares
++ Fraud.AntiSpyXP
++ Fraud.Antivirus
++ Fraud.XPAntivirus.gen
+ Power-Antivirus-2009
+ Smitfraud-C.bs
++ Smitfraud-C.ul
++ Virantix (7)
++ WinReanimator
++ XPSecurityCenter

PUPS (Possibly Unpopular Software or Unwanted Programs)
+ FunWebProducts
+ MyWay.MyWebSearch
++ Win32.HackTool.Aid (652)

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
++ CashBar

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ CSR.tr
++ Fake.HostProcess
+ Hupigon
+ Maran.J
++ Nebuler.BHO
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.ark
++ Win32.Agent.ayo
++ Win32.Agent.es
++ Win32.Banker.egt
++ Win32.BHO.bc
++ Win32.Bzub.fh (579)
++ Win32.Delf.if
++ Win32.Disabler.i
++ Win32.Fujack.b
++ Win32.Nosok.b
++ Win32.Pigeon.DLA
++ Win32.VBS.Generic.23
+ Win32.Webdir.b
++ Zlob.Downloader.got
+ Zlob.Downloader.vdt
+ Zlob.Downloader.wet

Hosts file additions to note
SweetIM is a fancy smiley program used by a lot of people addicted to instant messenger conversations. SweetIM.com has been blocked in the latest Hosts file update. It is regarded as adware and is virtually impossible to remove by normal procedures. Attempting to remove it is known to cause a barrage of popups protesting your decision. Treat it as possible spyware, as it tracks the websites you visit in order to throw targeted ads at you.

Total: 1209640 fingerprints in 290002 rules for 4232 products.

False positive detections reported or fixed this week:

A couple more false positive heuristic detections were fixed with today's Spybot updates. These include "FixPolicies.exe" and "DCProSetup.exe." This is an ongoing problem where a normal scan using definitions shows nothing wrong, but a heuristic manual scan shows all kinds of infections. When in doubt, believe the definitions scan rather than any heuristic scan. The same thing applies to your anti-virus scanner. Mine gives occasional false positives with generic names, using heuristics, when in fact no infection exists in those files.


August 28, 2008

Spybot Search and Destroy Definitions Updated on 8/27/2008


News Flash!
Spybot Search and Destroy 1.6 was released on July 8, 2008. Upgrade now! Read more about it in my extended comments.

Additions made on August 27, 2008:

Adware
++ BannerStyles.Optimizer
++ RXToolbar
+ SmartShopper
+ Zango
+ Zango.ShoppingReport
++ MorpheusToolbar

Hijackers
++ CoolWWWSearch.Aff.Madfinder

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ Fakealert.gen
+ Fraud.XPAntivirus
+ Fraud.Antivirus2008
+ IEDefender
+ MalwareProtector2008
++ WinDefender
+ WinSpywareProtect
++ XPSecurityCenter

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ Joke.FakeFormat
++ WildTangent

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
+ ShopAtHome

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ CSR.tr
++ Fraud.AntiSpyware2008XP
++ Fraud.Installer.as
+ Hupigon13
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.bm
++ Win32.Agent.cui
++ Win32.Agent.dj.rtk
++ Win32.Agent.rso
++ Win32.Agent.uzf
++ Win32.AutoRun.bck
+ Win32.BHO.je
++ Win32.Brontok.q
++ Win32.Bzub.fh
++ Win32.Delf.vb
++ Win32.Disabler.i
+ Win32.Exchanger.ch
++ Win32.Injecter.adv
++ Win32.Mutant.yf
+ Win32.Poison.k
++ Win32.ShowPass
++ Win32.Small.aafc
++ Win32.VB.el
++ Wukill.B
+ Zlob.Downloader.Gen
++ Zlob.Downloader.mot
++ Zlob.rtk

Worms
+ Win32.Socks.T (1471)

Total: 1188431 fingerprints in 286605 rules for 4213 products.

If you are still using Spybot S&D 1.3 or 1.4, update support is about to end and your computer will be at greater risk because of outdated definitions.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 6.0.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

August 21, 2008

Spybot Search and Destroy Definitions Updated on 8/20/2008


If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.


Additions made on August 20, 2008:

Adware
+ Zango.ShoppingReport

Hijackers
++ FM.Toolbar (2800)
++ SearchPixieBar
++ Win32.Control.pg

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ AdvancedXPFixer
+ AntiSpyCheck
+ BrowserAid
+ Fraud.Antivirus2008
+ Fraud.XPAntivirus
++ Power-Antivirus-2009
+ RegistrySmart
+ Smitfraud-C.
+ SpyShredder
++ UltimateAntivirus2008
+ VistaAntivirus2008
+ Win32.Agent.pz
+ Win32.BHO.je
++ Win32.FraudLoad
+ Win32.Renos
++ Win32.Stud.a
+ Win32.VB.ck

PUPS (Possibly Unpopular Software or Unwanted Programs)
+ CasinoRoyal.PT

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
++ Win32.FirefoxPSW.k

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ AntiLamerBackDoor
++ Fake.AntiSpywareCheck
++ Pigeon
+ Smitfraud-C.MSVPS
++ TargetedBanner.Optimizer
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Archivarius.a
++ Win32.Autoit.E
++ Win32.Beastdoor
++ Win32.Delf.ajx
++ Win32.LdPinch.r
++ Win32.Poison.aem
++ Win32.ScarMorph
++ Win32.Tibia.cn
++ Win32.VB.afa
++ Win32.VB.drc
++ Zlob.Downloader.apl
+ Zlob.Downloader.vdt

Worms
++ Win32.Socks.T (7559)

Total: 1172617 fingerprints in 283863 rules for 4186 products.

False positive detections reported or fixed this week:

Confirmed False Positive:

For reasons unknown, tinyurl.com is inserted into the hosts file and redirected to 127.0.0.1, and bookmarks to the website are labeled as malware. This is a false positive that will be rectified next week, but you should disregard this detection if you use the TinyUrl toolbar or have links to the tinyurl.com website.
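A quick way to see for yourself which names your hosts file currently sends to 127.0.0.1 (or 0.0.0.0), and whether a site you rely on such as tinyurl.com is among them, is to parse the file rather than eyeball it. The following is an added example of my own, not code from this blog or from Team Spybot; the sample hosts file is constructed, and the helper names (parse_hosts, sinkholed, blocked_from_allowlist) are mine.

```python
import ipaddress
from typing import Dict, Iterable, Iterator, List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample hosts file (not a real one): the localhost lines every
# Windows hosts file carries, two blocklist-style entries, a tinyurl.com entry
# like the one the post reports as a false positive, and one malformed line.
SAMPLE_HOSTS = """\
# comment line, ignored by the parser
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.example-adware.invalid   # blocked by a hosts list
127.0.0.1\ttinyurl.com www.tinyurl.com
0.0.0.0         tracker.example
this is not a hosts line
"""

# Names that legitimately resolve to the loopback address and must not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback", "broadcasthost"}


def parse_hosts(text: str) -> Iterator[Tuple[IPAddr, str]]:
    """Yield (ip, hostname) pairs, tolerating comments, tabs, several names per
    line and malformed lines (which are skipped rather than being fatal)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing and full-line comments
        if not line:
            continue
        parts = line.split()                  # whitespace of any kind separates fields
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # first field is not an address: not a hosts entry
        for name in parts[1:]:
            yield ip, name.lower()


def sinkholed(text: str) -> Dict[str, str]:
    """Hostnames the file redirects to loopback or 0.0.0.0, i.e. names that are blocked."""
    return {
        name: str(ip)
        for ip, name in parse_hosts(text)
        if (ip.is_loopback or ip.is_unspecified) and name not in LOCAL_NAMES
    }


def blocked_from_allowlist(text: str, allowlist: Iterable[str]) -> List[str]:
    """Sites you rely on that the current hosts file blocks: candidates for a false-positive report."""
    blocked = sinkholed(text)
    return sorted({h.lower() for h in allowlist if h.lower() in blocked})


if __name__ == "__main__":
    for host, ip in sorted(sinkholed(SAMPLE_HOSTS).items()):
        print(f"{host} -> {ip}")
    print("needs review:", blocked_from_allowlist(SAMPLE_HOSTS, ["tinyurl.com", "example.com"]))
```

On a real machine, read the contents of the system hosts file into `text` instead of the sample; the allowlist is simply the handful of sites you know you use, so anything it reports is worth checking against the week's false-positive notes before you clear it.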

If you are still using Spybot S&D 1.3, or 1.4, please read this!

I have read several false positive reports regarding CoolWWWSearch.hjg and HellzLittleSpy from people still using the old versions 1.3 and 1.4 of Spybot Search and Destroy. I must stress that you cannot trust these versions to be 100% accurate when updated with current definitions. In fact, the opposite appears to be true; they are producing false positive detections with recent updates.

These are false positives, which occur because Spybot 1.3 is outdated and does not understand the more complex rules made for 1.6 and newer.

Apply the main update that shows up within the internal updater to upgrade to 1.6.x.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with these older versions of Spybot, visit this forum page for a solution, from Team Spybot.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 6.0.

If you get an alert about one of these detections for a file you think is legitimate, you should submit it to Team Spybot for analysis.


August 13, 2008

Spybot Search and Destroy Definitions Updated on 8/13/2008


Additions made on August 13, 2008:

Adware
+ 2Search
++ Eroca
+ Zango

Hijackers
+ LoudMarketing.WinFavorites

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Goldeneye
+ SC KeyLog Pro
+ SCKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Krepper-G
+ PPCHook
+ SpyAxe
+ SyperCrypt.Overwriter
+ Win32.Agent.pz
+ Win32.VanBot.ax
+ WinFixer2005
+ Smitfraud-C.
+ AntiSpyCheck
+ Win32.BHO.je
++ Softland.Antivirus2008XP
++ Power-Antivirus-2009

PUPS (Possibly Unpopular Software or Unwanted Programs)
+ DriveCleaner 2006

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans
+ AdSpy.TTC
+ BackOrifice2k
+ Banker.PorSMTP
+ Crypt.Spambot.qk
++ CTFmona
+ Dropper.Mondo
+ HotKeysHook
+ Irc.Agobot
+ KBui32.SMTP
++ Nurech
++ PSCMain
+ Psyme
+ Smitfraud-C.MSVPS
++ TargetBanner
+ Virtumonde
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.abv
+ Win32.Agent.ac
++ Win32.Agent.agb
++ Win32.Agent.JH
++ Win32.Agent.o
+ Win32.Autoit
++ Win32.AutoRun.acs
+ Win32.ConHook.ah
+ Win32.IRCBOT.cmn
+ Win32.mIRC
+ Win32.Rbot.aeu
+ Win32.SdBot.bkx
++ Win32.SDBot.iuf
++ Win32.VB.v
++ Win32.VB.vw
+ Zlob.Downloader.ol
++ Zlob.Downloader.apl
+ Zlob.Downloader.tfr
+ Zlob.Downloader.vdt
+ Zlob.ImageActiveXAccess
+ Zlob.VideoActiveXAccess
+ Zlob.VideoAXObject

Worms
++ Win32.Bnuff (7296)
+ Win32.Socks.T

Total: 1162519 fingerprints in 282447 rules for 4157 products.

False positive detections reported or fixed this week:

Confirmed False Positive:

CoolWWWSearch.Aff.Madfinder: [SBI $5C09119C] Executable (File, nothing done)
C:\WINDOWS\system32\svc.exe.

This file belongs to SrvStart, a program to run commands or programs as a service. SVC.EXE is a simple Windows NT command-line program to manage NT services.

An "Alexa Related" false positive in Google searches was fixed in this week's updates.



August 7, 2008

Spybot Search and Destroy Definitions Updated on 8/6/2008


Additions made on August 6, 2008:

Adware
++ Downloader.Trymedia (55397)

Dialer (Dialers silently try to use your modem to call pay per minute numbers in foreign countries)
+ CarpeDiem Vars (177988)

Keyloggers (Keyloggers steal your typed logins and passwords)
++ DigitalKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts)
+ BannerRotator
+ Fraud.Antivirus2008 (2)
++ Fraud.PC-Antispy
++ PrivacyGuarantor
+ Win32.BHO.je

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
++ AlexaToolbar

Trojans
++ Gooochi.BHO
+ PWS.Small.bs
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ VirusExterminator
++ Win32.Agent.alo
+ Win32.Agent.ark
+ Win32.Bancos.zm
++ Win32.Crackpai.A
++ Win32.Delf.arv
++ Win32.JunkPoly
++ Win32.Klone.ao
++ Win32.OnLineGames.anyz
++ Win32.QQPass.aom
+ Win32.Sohanad.as
++ Win32.VB.sp
+ Zlob.Downloader.rid
+ Zlob.Downloader.tfr
+ Zlob.Downloader.wet
++ Zlob.ur

Total: 1147318 fingerprints in 280413 rules for 4112 products.

False positive detections reported or fixed this week:

False positive registry entry detections of "TacOnlyOne" and "WinSpywareProtect" that have been reported were fixed in this week's F/P updates.

"Alexa related" may be a false positive detection for a Google toolbar search function.

Zlib.dll, in GuardianMonitor, detected when scanning manually, under the Heuristic section only, is a false positive.



July 31, 2008

Spybot Search and Destroy Definitions Updated on 7/30/2008


Additions made on July 30, 2008:

Dialer (Dialers silently try to use your modem to call pay per minute numbers in foreign countries)
+ Carima Enterprises
+ Coulomb Ltd.Content Access Plugin

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts)
+ FakeAlert.cc
+ Fraud.XPAntivirus (2)
+ Smitfraud-C.
++ Smitfraud-C.bs
+ Smitfraud-C.gp
++ SpyGuarder
+ Vcodec.eMedia
+ Win32.BHO.je
++ Win32.Delf.ayz (2)
++ Win32.Small.mz
+ WinSpywareProtect

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ LuckyToolBar

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
++ SpyArsenal.HomeKeyLogger

Trojans
++ Backdoor.Catfriend
++ FakeUPSInvoice
++ Haxdoor.hm
+ Hupigon13
+ IRC.Zapchast
+ Smitfraud-C.MSVPS
++ Synatix.Peppi
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.sxi
++ Win32.AutoRun.beh
++ Win32.Brontok
+ Win32.Exchanger.ch
++ Win32.GipWizard
++ Win32.Papras.en
++ Win32.VB.lu
++ Win32.VB.PW
+ Zlob.Downloader.wet
+ Zlob.Downloader.vdt
++ Zlob.Downloader.tfr
+ Zlob.HomepageMonitor

Total: 1049809 fingerprints in 270679 rules for 4101 products.

False positive detections reported or fixed this week:


Spybot 1.6.0.30 with updates of 2008.07.23 on an XP Pro SP2 machine gives a false positive for c:\windows\pkzipc.exe (command line zip utility, version 4.00) as Win32.Agent.aou. It was fixed in the July 30 updates.

The website securitylab.ru was removed from the HOSTS file blocklist with this week's updates.

A false heuristic scanning infection indication within the Mozilla Firefox v3.0.1 installer package was fixed this week.

If you are still using Spybot S&D 1.3, or 1.4, please read this!

I have read several false positive reports regarding CoolWWWSearch.hjg and HellzLittleSpy from people still using the old versions 1.3 and 1.4 of Spybot Search and Destroy. I must stress that you cannot trust these versions to be 100% accurate when updated with current definitions. In fact, the opposite appears to be true; they are producing false positive detections with recent updates.

These are false positives, which occur because Spybot 1.3 is outdated and does not understand the more complex rules made for 1.5.2 and newer.

Apply the main update that shows up within the internal updater to upgrade to 1.6.x.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with these older versions of Spybot, visit this forum page for a solution, from Team Spybot.

If you are using any version older than 1.5.2, please upgrade to the current version of Spybot S&D, which is now 1.6.0.

If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.


July 23, 2008

Spybot Search and Destroy Definitions Updated on 7/23/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

News Flash!
Spybot Search and Destroy 1.6 was released on July 8, 2008. Upgrade now! Read more about it in my extended comments.

Additions made on July 23, 2008:

Adware
+ WhenU.DAEMONTools.SearchBar
+ WhenU.Search

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners)
++ AdwareDelete
++ AntiSpywareMaster
++ AntivirusGold
+ Fraud.XPAntivirus
+ IEDefender
++ PCPrivacyCleaner
+ PSGuard
+ Smitfraud-C.gp
+ SpySheriff
+ SpywareIsolator
+ Win32.BHO.je
++ Win32.Delf.aph
+ Win32.ServU
+ WinSpywareProtect
++ YourWebSafe

PUPS (Possibly Unpopular Software or Unwanted Programs)
+ WPA_Reset5

Trojans
+ Autorunreplacer
+ Nuclearwinter
+ Smitfraud-C.MSVPS
+ SystemDoctor2006
+ Virtumonde
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.AutoIt.co
++ Win32.Fujacks.AB
++ Win32.Hupigon.ack
++ Win32.GGDoor
++ Win32.Reload.m
++ Win32.Sramler.c
+ Zlob.Downloader.rid
++ Zlob.Downloader.tfr

Total: 1038867 fingerprints in 267952 rules for 4080 products.

False positive detections reported or fixed this week:

A false positive has been reported in BugDoctor, which for reasons unknown, Spybot flags with "Destination=HKEY_CLASSES_ROOT\.bdr." This will be fixed in next week's updates. It is a confirmed false positive.

False positives in Linux ISOs and Wireless Migrator have been fixed this week.

Many of the current false positives are only displayed in the "Heuristic" scan analysis when you right-click on a file or folder and select Scan with Spybot Search & Destroy; not in standard scans from the program interface, or in the Malware (top) section of the right-click-scan window. Some of these false positives are being fixed this week, while others may take longer to isolate and fix.

The heuristics scan will be more reliable with the upcoming update, but changes still have to be made.
So if in doubt about a heuristics result (after the update today), you can also submit the file to detections@spybot.info for analysis.

If you are still using Spybot S&D 1.3, or 1.4, please read this!

I have read several false positive reports regarding CoolWWWSearch.hjg and HellzLittleSpy from people still using the old versions 1.3 and 1.4 of Spybot Search and Destroy. I must stress that you cannot trust these versions to be 100% accurate when updated with current definitions. In fact, the opposite appears to be true; they are producing false positive detections with recent updates.

These are false positives, which occur because Spybot 1.3 is outdated and does not understand the more complex rules made for 1.5.2 and newer.

Apply the main update that shows up within the internal updater to upgrade to 1.6.x.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with these older versions of Spybot, visit this forum page for a solution, from Team Spybot.

If you are using any version older than 1.5.2, please upgrade to the current version of Spybot S&D, which is now 1.6.0.

If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.


July 17, 2008

Spybot Search and Destroy Definitions Updated on 7/16/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

News Flash!
Spybot Search and Destroy 1.6 was released on July 8, 2008. Upgrade now! Read more about it in my extended comments.

Additions made on July 16, 2008:

Adware
+ BaiduBar

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners)
+ Fraud.XPAntivirus
+ IEDefender
+ Win32.BHO.je
+ Win32.Renos

Spyware
++ PassView

Trojans
+ Bifrose.LA
+ Smitfraud-C.MSVPS
++ Nurech
+ Virtumonde
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.51
+ Win32.Agent.aaw
++ Win32.Agent.agh
+ Win32.Autoit.p
++ Win32.AutoRun.lx
++ Win32.Bifrose.da
++ Win32.Delf.Crypt.c
++ Win32.Delf.qc
++ Win32.VB.f
+ Win32.Rbot
+ Zlob.Downloader.pit
+ Zlob.Downloader.wet
+ Zlob.MovieBox

Total: 700725 fingerprints in 178431 rules for 4069 products.

False positive detections reported or fixed this week:

In Spybot v1.6.0 a few users, including me, have reported what appears to be multiple false positive reports of Smitfraud-C and Worldsecurityonline.FakeAlert, with the July 9 2008 definition updates, but only after right-clicking and scanning a particular drive, folder, or file. The false positives are only displayed in the "Heuristic" scan analysis; not in standard scans from the program interface, or in the Malware (top) section of the right-click-scan window. Some of these false positives are being fixed this week, while others may take longer to isolate and fix.

The heuristics scan will be more reliable with the upcoming update, but changes still have to be made.
So if in doubt about a heuristics result (after the update today), you can also submit the file to detections@spybot.info for analysis.

There is a confirmed false positive detection of "Performance Optimizer" in a legitimate product named MySecurityCenter PC Performance Optimizer and possibly other "optimizers." The actual fake product being searched for is named "Sellmosofts Performance Optimizer." This has been narrowed to fix the problem with today's updates.

If you are still using Spybot S&D 1.3, or 1.4, please read this!

I have read several false positive reports regarding CoolWWWSearch.hjg and HellzLittleSpy from people still using the old versions 1.3 and 1.4 of Spybot Search and Destroy. I must stress that you cannot trust these versions to be 100% accurate when updated with current definitions. In fact, the opposite appears to be true; they are producing false positive detections with recent updates.

These are false positives, which occur because Spybot 1.3 is outdated and does not understand the more complex rules made for 1.5.2 and newer.

Apply the main update that shows up within the internal updater to upgrade to 1.6.x.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with these older versions of Spybot, visit this forum page for a solution, from Team Spybot.

If you are using any version older than 1.5.2, please upgrade to the current version of Spybot S&D, which is now 1.6.0.

If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.


July 10, 2008

ZoneAlarm Firewall updated after DNS patch snafu knocks its users offline

Check Point, the owner of the famous ZoneAlarm Personal Firewall, has released a patched version of its firewall, to fix a problem caused when Windows 2000 and XP computers received the July 8, 2008 Windows Updates patch MS08-037. You can read about what happened to me and millions of other ZoneAlarm users on this blog article, which I wrote on July 8, after I used System Restore to get back online. It took several hours of troubleshooting to discover that the ZoneAlarm firewall was the cause of my loss of Internet access. As it turned out, all one had to do to get reconnected was to lower a security slider from high to medium! Doh!

Before I go into the details about why this happened I want to give you a direct link to the ZoneAlarm download page, where you can download the appropriate upgrade to the program you are using, which caused a loss of Internet access after applying MS08-037.

The official statement from the ZoneAlarm folks, on July 8, was that you should uninstall the Microsoft patch to get back online! "Bullshit! What's that you say?" They began to change their tone yesterday and issued a patched version of five ZoneAlarm security products that are known to cause this loss of connectivity after installing MS08-037 on Windows 2000 and XP computers (see page linked to above).

So what actually caused ZoneAlarm for Windows 2000 and XP to freak out and deny Internet access to all their firewall users, on July 8? Was it a fundamental design flaw? Was it Microsoft's patch being flawed? None of those was the cause. It was because ZoneAlarm uses "undocumented hooks" into the Windows 2000 and XP "kernel" to enforce security against malware infections. Windows Vista closed this undocumented feature and forces security vendors to use other methods to perform their jobs, thus Vista users were not knocked offline on Tuesday.

So, what really happened is that ZoneAlarm did its job too well, because the "kernel" components that manage Internet connections got altered by the Windows Update "DNS Spoofing" patch, and the nature of that update was so profound that the ZoneAlarm firewall blocked all Internet access believing that the OS had been invaded by malware.

If you have already reduced your ZoneAlarm security slider to Medium, or have uninstalled the Microsoft patch to get back online, I recommend that you download the new ZoneAlarm program that was updated to address the problem, but set a System Restore Point first (XP only). That way if the updated ZoneAlarm program is still buggy you can roll back to the previous version and leave the slider at medium, until they produce a stable upgrade. If you uninstalled the MS08-037 patch you should reinstall it, via Windows Updates.

This is all in flux right now. I will post a follow-up to this once the dust settles.

July 9, 2008

Spybot Search and Destroy Definitions Updated on 7/9/2008. Version 1.6 released!

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

News Flash!
Spybot Search and Destroy 1.6 was just released on July 8, 2008. Upgrade now!

Additions made on July 9, 2008:

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
+ PerfectKeylogger

Malware (Includes fake anti-virus and anti-spyware programs, like VirusHeat and Vario and fake registry cleaners)
+ AllInOneKeylogger
+ AntiSpyCheck
+ Fake.SecurityAlert
+ FakeAlert.cc
++ Fraud.XpCleaner
+ Win32.BHO.je (6)
++ Win32.AOLPass.i

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans
+ CoolWWWSearch.hjg (5)
++ Fagianom
+ Smitfraud-C.MSVPS
+ Virtumonde
+ Virtumonde.dll
+ Virtumonde.sdn
+ Win32.Agent.pn
++ Win32.Autoit.p
++ Win32.AutoRun.dli (63)
++ Win32.Buzus.jqw
++ Win32.Delf.Crypt.c
++ Win32.Delf.es
++ Win32.Emogen-K
++ Win32.Podnuha.ee
++ Win32.Small.UBV
++ Win32.VB.cj
++ Win32.Webdir.b
+ Win32.Zhelatin.ah (Storm Trojan)
+ Zlob.Downloader.lor
+ Zlob.Downloader.pit
++ Zlob.Downloader.wet

Total: 691992 fingerprints in 176938 rules for 4055 products.

False positive detections reported or fixed this week:

In Spybot v1.6.0 a few users have reported what appears to be multiple false positive reports of Smitfraud-C, with today's definition updates (7/9/08) but only after right-clicking and scanning a particular drive, folder, or file.

No false positives have been reported concerning version 1.5.2. Plenty have been reported concerning versions 1.3 and 1.4.

If you are still using Spybot S&D 1.3, or 1.4, please read this!

I have read several false positive reports regarding CoolWWWSearch.hjg and HellzLittleSpy from people still using the old versions 1.3 and 1.4 of Spybot Search and Destroy. I must stress that you cannot trust these versions to be 100% accurate when updated with current definitions. In fact, the opposite appears to be true; they are producing false positive detections with recent updates.

These are false positives, which occur because Spybot 1.3 is outdated and does not understand the more complex rules made for 1.5.2 and newer.

Apply the main update that shows up within the internal updater to upgrade to 1.6.x.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with these older versions of Spybot, visit this forum page for a solution, from Team Spybot.

If you are using any version older than 1.5.2, please upgrade to the current version of Spybot S&D, which is now 1.6.0.

If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.


July 2, 2008

Spybot Search and Destroy Definitions Updated on 7/2/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on July 2, 2008:
Keyloggers (Keyloggers steal your typed logins and passwords)
+ Goldeneye

Malware (Includes fake anti-virus and anti-spyware programs, like VirusHeat and Vario and fake registry cleaners)
+ Fraud.Antivirus2008
++ MalwareProtector2008
+ Marketflip.FakeSearchAndDestroy
+ Win32.Agent.pz
+ Win32.BHO.je
++ Win32.VB.eu

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ DAEMONToolsPro.Crack

Trojans (Includes 4 new or updated Zlob* Trojan detections)
+ CoolWWWSearch.hjg (5)
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
++ Virtumonde.cls
++ Virtumonde.prx
++ Virtumonde.sdn (37)
+ Win32.Agent.arr
++ Win32.Agent.sfg
++ Win32.Autoit.p
++ Win32.Flux.fm
++ Win32.Lotto
++ Win32.OnLineGames.es
++ Win32.Xema.bn
++ Zlob.Downloader.wet
+ Zlob.Downloader
+ Zlob.Downloader.pit
+ Zlob.Downloader.vdt

Total: 677387 fingerprints in 174120 rules for 4032 products!

False positive detections fixed this week:

Spybot blocked pcsleek.com in the HOSTS file and detected pcsleek free error scanner as malware, which it is not. This was fixed in the July 2, 2008 updates.

I have read several false positive reports from people still using the old version 1.3 of Spybot Search and Destroy. I must stress that you cannot trust this version to be 100% accurate when updated with current definitions. The engine in it is too old to understand the changes that have been made by both malware and the means of detecting it. If you are using any version older than 1.5.2, please upgrade to the current version of Spybot S&D.

If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.


June 26, 2008

Spybot Search and Destroy Definitions Updated on 6/25/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on June 25, 2008:
Dialer (Dialers silently try to use your modem to call pay per minute numbers in foreign countries)
++ Win32.Agent.hy

Keyloggers (Keyloggers steal your typed logins and passwords)
+ HellzLittleSpy

Malware (Includes fake anti-virus and anti-spyware programs, like VirusHeat and Vario and fake registry cleaners)
++ AntispySpider
+ FakeAlert.cc
++ VistaAntivirus2008
+ Win32.BHO.je
++ Win32.Delf.avc
++ Win32.Settec.a
++ Win32.VB.eu
+ ZenoSearch

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ WareSoft.Shutdown

Trojans (Includes 4 new or updated Zlob* Trojan detections)
+ Smitfraud-C.MSVPS
++ Virtumonde.cls
+ Virtumonde.dll
++ Virtumonde.prx
++ Virtumonde.sdn
++ Win32.Agent.bm
++ Win32.Bandok
++ Win32.CoiDung.a
++ Win32.Peed.Gen
+ Win32.PrivacySet
+ Zlob.Downloader
+ Zlob.Downloader.lor
+ Zlob.Downloader.pit
+ Zlob.Downloader.vdt

Total: 663265 fingerprints in 171141 rules for 4049 products!

False positive detections fixed this week:

The baidu.com search engine toolbar was removed from Spybot's Hosts redirections to 127.0.0.1, with the latest updates. It is no longer considered a threat.

If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.


June 18, 2008

Spybot Search and Destroy Definitions Updated on 6/18/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on June 18, 2008:

Adware
++ My811.Toolbar
++ Pointfree
+ Zango.ShoppingReport Hijacker

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax

Malware (Includes fake anti-virus and anti-spyware programs, like VirusHeat and Vario and fake registry cleaners)
+ AntiSpyStorm
+ Fraud.Antivirus2008
+ SpyHunter
+ VirusHeat
+ Win32.Agent.ys
+ Win32.BHO.je
++ Win32.Lmir.asy
+ Win32.Renos
++ Win32.Small.buy
++ Win32.Virut.be
++ WinSpywareProtect
+ Zlob.Command Service

PUPS (Possibly Unpopular Software or Unwanted Programs)
+ Network Monitor

Trojans (Includes 3 new or updated Zlob* Trojan detections)
++ BHO.CenterLock
++ FakeIkeaPlugin
++ FlashExploit
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
+ Win32.Agent.aou
++ Win32.Agent.awz
++ Win32.Bifrose.fmr
++ Win32.Delf.bd
++ Win32.Exchanger.ch
++ Win32.IRCBot.are
++ Win32.KillAVGenerator
++ Win32.KillFW
++ Win32.PCClient
++ Win32.PrivacySet
++ Win32.VB.cez
++ Win32.VB.h
++ Win32.Winlagons.co
+ Win32.Zhelatin.ah
++ Zlob.Downloader.lor
+ Zlob.Downloader.pit
+ Zlob.Downloader.vdt

Total: 638393 fingerprints in 164156 rules for 4033 products !

False positive detections fixed this week:
A detection of "Zlob.Downloader.jau" in the SYSTEMAX.bmp desktop wallpaper is a false positive that has been fixed in this week's updates.

If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.


June 11, 2008

Spybot Search and Destroy Definitions Updated on 6/11/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on June 11, 2008:

Adware
++ HackNuke
++ Win32.Hacktool
+ Zango
+ Zango.ShoppingReport
+ Zango.WeatherDPA

Dialer (Dialers silently try to use your modem to call pay per minute numbers in foreign countries)
+ Coulomb Ltd.Content Access Plugin

Keyloggers (Keyloggers steal your typed logins and passwords)
++ PerfectKeylogger

Malware (Includes fake anti-virus and anti-spyware programs, like VirusHeat and Vario and fake registry cleaners)
+ AdvancedCleaner
++ Munga_Bunga.HDDFormat
++ Netcom3Cleaner
++ RegistryPatrol
+ Win32.BHO.je
++ Windows.Antivirus2008

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ BitAccelerator

Security
+ Microsoft.Windows.RedirectedHosts

Trojans (Includes 3 updated Zlob* Trojan detections)
+ 180Solutions.SearchAssistant
++ CoolWWWSearch.hjg
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
++ Win32.Agent.ghs
++ Win32.Agent.LKF
++ Win32.Agent.SB
++ Win32.Serv-U.gen
+ Win32.Small.azl
+ Win32.Small.r
+ Zlob.Downloader
+ Zlob.Downloader.pit
+ Zlob.Downloader.vdt

Total: 628606 fingerprints in 163231 rules for 3998 products !

False positive detections fixed this week:
A detection of "Zlob.Downloader.jau" in the SYSTEMAX.bmp desktop wallpaper is a false positive that will be fixed in next week's updates.

Also fixed this week is the detection of "RegistryHelper" in the Disk Cleaner program. If you have Disk Cleaner and Spybot broke it by removing necessary files, you should restore them from backups made by Spybot.

If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.


June 5, 2008

Spybot Search and Destroy Definitions Updated on 6/4/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on June 4, 2008:

Adware
++ Zango.ShoppingReport

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
++ Iopus.STARRMonitoring
+ Perfect Keylogger (2)

Malware (Includes fake anti-virus and anti-spyware programs, like VirusHeat and Vario)
+ Clickspring.Outerinfo (2)
+ FakeAlert.cc (2)
++ Moatsoft.AntiMalware
+ NousTech.SystemDefender
++ SpywareThis
+ WebSpyShield
+ Win32.BHO.je
++ X-ConSpywareDestroyer
+ Zlob.Downloader.jau
++ ZoneProtectAntispyware

PUPS (Possibly Unpopular Software or Unwanted Programs)
+ AP.SystemStable

Trojans (Includes 1 new and 3 updated Zlob* Trojan detections)
+ NNC.MGRS
+ ShudderLtd.AntiVirusPro
+ Smitfraud-C.MSVPS
++ Win32.AutoRun.akc
++ Win32.Delf.uz
+ Win32.Delf.zq
++ Win32.Horst.aae
+ Win32.Poison.pg (2)
++ Win32.Sohanad.am
++ Win32.VB.btu
+ Zlob.Downloader
+ Zlob.Downloader.iit
++ Zlob.Downloader.pit
+ Zlob.Downloader.vdt

Total: 617677 fingerprints in 161700 rules for 3976 products !

False positive detections fixed this week:
A detection of "RegistryHelper" in the Disk Cleaner program is a false positive that will be fixed in next week's updates. If you have Disk Cleaner and Spybot broke it by removing necessary files, you should restore them from backups made by Spybot. If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.

Team Spybot has fixed some errors when the program is scanning and cannot create the file named "ntdoss04.sys."

Also fixed this week is a false positive for aamd532.dll and SpyPry.

A fourth false positive fixed this week was for "SpyBossPro" in the file C:\WINDOWS\system32\Memman.vxd. This is an old program that is not a keylogger at all and had a different false positive fixed in last week's detections. There is something about this old file that throws Spybot off.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.


May 28, 2008

Spybot Search and Destroy Definitions Updated on 5/28/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on May 28, 2008:

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax

Malware (Includes fake anti-virus and anti-spyware programs, like VirusHeat and Vario)
+ Awola.Anti-Spyware
+ BPS.Gen
+ Fraud.Antivirus2008
++ PrivacyRedeemer
++ RegistryFixIt
++ RegistryHelper
++ SaferScan
+ Smitfraud-C.gp
++ SpyHazard
+ SpywareScraper
++ SpywareSeizer
++ SpyWarp
++ StopingSpy
++ TheSpywareDetective
++ TheSpywareShield
++ TrustSoftAntiSpyware
+ Vario.Antivirus
++ VirusIsolator
++ VsSpy
+ Win32.Agent.pz
+ Win32.BHO.je
+ Zlob.Downloader.jau (2)
+ Zlob.Downloader.vcd (127)

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ GVWorldWideOnlineCasino

Security
++ Microsoft.Windows.CryptSvc

Trojans (Includes 4 new Zlob* Trojan detections)
+ Bifrose.LA (2)
++ Delf.Spool.cn
+ Smitfraud-C.MSVPS
+ Virtumonde.ddc
+ Virtumonde.dll
+ Win32.Agent.AEW
++ Win32.Agent.cn.abmk
++ Win32.Agent.yfq
++ Win32.Mapson.d
++ Win32.Small.ivo
+ Win32.VB.tr
+ Zlob.Downloader
++ Zlob.Downloader.fot
++ Zlob.Downloader.iit
+ Zlob.Downloader.vdt

Total: 614689 fingerprints in 161129 rules for 3960 products !

False positive detections fixed this week:
A detection of "RegistryFixIt" and "SpyAgent" in C:\WINDOWS\unvise32.exe were false positives that have been fixed in this week's updates. Unvise.exe is an uninstaller for various programs, but is also used by certain malware programs, so caution is necessary with this file. If you get an alert about that file you should submit it to Team Spybot for analysis.

Also fixed this week is a false positive for a piece of malware called SpyLocked. The false positive was in a "Logs" folder in the Program Files directory which belongs to a legitimate application, but not to SpyLocked.

A third false positive fixed this week was for "SmartPCKeylogger" in the file C:\WINDOWS\system32\Memman.vxd. This is an old program that is not a keylogger at all.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.


May 22, 2008

Spybot Search and Destroy Definitions Updated on 5/21/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on May 21, 2008:

Keyloggers (Keyloggers steal your typed logins and passwords)
+ KGBKeylogger
++ KGBKeylogger.REFOG
++ SmartPCKeylogger

Malware (Includes fake anti-virus and anti-spyware programs, like VirusHeat and Vario)
++ AntiSpyCheck
++ BugDoctor
+ ConOpt.BHO (3)
++ DeusCleaner
++ DoctorCleaner
++ EliteProtector
+ ErrorDoctor
+ FakeAlert.cc
++ LiveAntispy
++ MalwareDestructor
+ MyNetProtector
++ PCSleek.FreeErrorCleaner
+ Smitfraud-C.
++ Spyburner
++ SpyKill
+ Trojan-Guarder
+ Vario.AntiVirus
+ Win32.BHO.je
+ Win32.Renos
+ WinSpyKiller
+ Worldsecurityonline.FakeAlert

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ SpyPry

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans (Includes 0 new Zlob* Trojan detections)
+ Smitfraud-C.MSVPS
+ Virtumonde.ddc
++ Win32.Agent.abd
++ Win32.Agent.ark
++ Win32.Agent.byc
+ Win32.AutoRun
++ Win32.Delf.bj
++ Win32.Friendown
+ Win32.PcClient.agu
+ Win32.Small.ih

Total: 609774 fingerprints in 159642 rules for 3951 products!

False positive detections fixed this week:
Win32.auotrun.avi detected on a computer that is also running Webroot Windows Washer version 6.0 is a false positive that has been removed today. However, if you have Windows Washer 6.5 or newer, or don't have Windows Washer at all, and see this item, it may well be a Trojan horse. Many Trojans are disguised using the file names of legitimate applications and support files. The experts at Team Spybot can analyze logs created after a scan to determine whether a flagged file is legitimate or a threat.

Also fixed this week is a false positive for folders named C:\Program Files\MW, but which do not contain known malware files (or are empty). This was triggered by a detection for a threat named Malware Wipe, which used the folder name MW and is a real threat to your security.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.


May 14, 2008

Spybot Search and Destroy Definitions Updated on 5/14/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on May 14, 2008:

Adware
++ CliprexDivXPlayer
++ CliprexDVDRipper

Hijackers
+ Inet Delivery

Keyloggers (Keyloggers steal your logins and passwords)
+ KGBKeylogger

Malware (Includes fake anti-virus and anti-spyware programs, like VirusHeat)
++ BPS.Gen
++ Fraud.Antivirus2008
+ ISearchTech
+ MagicControl.Agent
+ Rogue.IEAntivirus
++ Rogue.ScanAndRepair2007
+ Smitfraud-C.
+ SpyShredder
++ Themida.Bot.tsj
+ Vario.AntiVirus
+ VirusHeat
++ Win32.Agent.kmf
+ Win32.BHO.je

PUPS (Possibly Unpopular or Unwanted Software)
+ CliprexDVDPro

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans (Includes 1 new Zlob* Trojan detection)
+ Banker.PorSMTP
+ ShudderLtd.AntiVirusPro
+ Smitfraud-C.MSVPS
++ Win32.Agent.cn
++ Win32.Agent.esq
++ Win32.Agent.qwq
+ Win32.Delf.eq
++ Win32.Konik
++ Win32.SlhClient
++ Win32.Small.dv
++ Win32.Small.imu (2)
++ Win32.Systembin
+ Zlob.Downloader.vdt

Total: 607566 fingerprints in 158897 rules for 3918 products!

False positive detections fixed this week:
A detection of "SpyBossPro" in the file ijl11.dll was a false positive and has been fixed in this week's updates.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.


May 7, 2008

Spybot Search and Destroy Definitions Updated on 5/7/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed by name in the detections below, you should assume that it is malware (with the possible exception of the PUP group, which is left to user discretion). Programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses following a malware name indicates the number of variants included in that detection. These programs are dangerous to your computer and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."
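The +/++ marker and variant-count convention described above is regular enough to parse by machine, which is handy if you track these weekly lists to see which families keep growing new variants. The script below is an added example written for this page; it is not code from the original post or from Safer-Networking. It assumes only the list layout shown here (a category header line, then `+`/`++` entries with an optional `(N)` variant count, then the `Total:` line) and runs on a constructed sample copied from the May 7, 2008 list.

```python
"""Parse a Spybot S&D weekly 'Additions' list into structured records.

Added example (not Spybot's own code). It assumes the list format used on
this page: a category header line, then '+' (updated) / '++' (brand new)
entries with an optional '(N)' variant count, and a closing 'Total:' line.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input, copied in the format of the May 7, 2008 list.
SAMPLE = """\
Additions made on May 7, 2008:

Hijackers
+ SearchALot

Keyloggers (Keyloggers steal your logins and passwords)
+ SpyBossPro

Malware Includes fake anti-virus and anti-spyware programs
++ Delf.12.an (2)
++ Fake.SecurityAlert
+ Win32.BHO.je (3)

Trojans Includes 5 new Zlob* Trojan detections
+ Win32.Zhelatin.ah (a.k.a: Storm Trojan)
++ Zlob.Downloader.fvn

Total: 595073 fingerprints in 154556 rules for 3893 products!
"""

ENTRY_RE = re.compile(r"^(\+{1,2})\s*(.+)$")        # '+ name' or '++ name'
COUNT_RE = re.compile(r"^(.*?)\s*\((\d+)\)$")        # trailing '(N)' variant count
TOTAL_RE = re.compile(r"^Total:\s*(\d+) fingerprints in (\d+) rules for (\d+) products")
DATE_RE = re.compile(r"^Additions made on (.+?):")


@dataclass
class Detection:
    category: str
    name: str
    new: bool       # True for '++' (brand new detection), False for '+' (updated)
    variants: int   # number in trailing parentheses; 1 when none is given


@dataclass
class UpdateReport:
    date: str
    detections: List[Detection]
    totals: Optional[Dict[str, int]]


def parse_additions(text: str) -> UpdateReport:
    """Walk the list line by line, remembering the current category header."""
    date, category, totals = "", None, None
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DATE_RE.match(line):
            date = m.group(1)
            continue
        if m := TOTAL_RE.match(line):
            totals = {"fingerprints": int(m.group(1)),
                      "rules": int(m.group(2)),
                      "products": int(m.group(3))}
            continue
        if m := ENTRY_RE.match(line):
            if category is None:
                raise ValueError(f"entry before any category header: {line!r}")
            name, variants = m.group(2).strip(), 1
            if c := COUNT_RE.match(name):      # e.g. 'Win32.BHO.je (3)'
                name, variants = c.group(1), int(c.group(2))
            detections.append(Detection(category, name, m.group(1) == "++", variants))
            continue
        # Anything else is a category header; its first word is the category
        # ('Malware Includes fake ...' -> 'Malware', 'Keyloggers (...)' -> 'Keyloggers').
        category = line.split()[0]
    return UpdateReport(date, detections, totals)


def summarize(report: UpdateReport) -> Dict[str, Dict[str, int]]:
    """Per-category counts of new entries, updated entries and total variants."""
    by_cat: Dict[str, Dict[str, int]] = {}
    for d in report.detections:
        s = by_cat.setdefault(d.category, {"new": 0, "updated": 0, "variants": 0})
        s["new" if d.new else "updated"] += 1
        s["variants"] += d.variants
    return by_cat


def brand_new_names(report: UpdateReport) -> List[str]:
    """Names first detected this week ('++'), in list order."""
    return [d.name for d in report.detections if d.new]


if __name__ == "__main__":
    rep = parse_additions(SAMPLE)
    print(rep.date, rep.totals)
    for cat, counts in summarize(rep).items():
        print(f"{cat:10} {counts}")
    print("new this week:", brand_new_names(rep))
```

A parenthetical that is not a bare number, such as the "(a.k.a: Storm Trojan)" alias, is kept as part of the name rather than mistaken for a variant count, and any non-entry line is treated as a category header, so paste only the list itself (from "Additions made on" through "Total:") into the parser.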

Spybot Updates - published every Wednesday

Additions made on May 7, 2008:

Hijackers
+ SearchALot

Keyloggers (Keyloggers steal your logins and passwords)
+ SpyBossPro

Malware Includes fake anti-virus and anti-spyware programs
++ Delf.12.an (2)
++ Fake.SecurityAlert
+ MalwareBell
++ MalwareCore
++ Win32.Agent.cs
+ Win32.BHO.je (3)
+ Win32.Renos
++ WinIFixer

PUPS Possibly Un(popular|wanted) Software
+ Enter.Casino.PT

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
+ Conducent.TimeSink

Trojans Includes 5 new Zlob* Trojan detections
++ CNNIC.cn
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
++ Win32.Agobot.aoi
++ Win32.Tibia.de
++ Win32.VB.bks
++ Win32.VB.me
+ Win32.Zhelatin.ah (a.k.a: Storm Trojan)
++ Zlob.Downloader.fvn
++ Zlob.Downloader.jau
++ Zlob.Downloader.vat
+ Zlob.Downloader.vdt
+ Zlob.ZipCodec

Total: 595073 fingerprints in 154556 rules for 3893 products!

False positive detections fixed this week:
False positives for "ContraVirus" and "VirusBlast" have been fixed with this week's definition updates. Also removed from the immunizations list is Hotlinkfiles.com. This was done after they implemented anti-malware scanning of all uploaded files.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions released every Wednesday to detect the latest incarnations of Zlob.


April 30, 2008

Spybot Search and Destroy Definitions Updated on 4/30/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed by name in the detections below, you should assume that it is malware (with the possible exception of the PUP group, which is left to user discretion). Programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses following a malware name indicates the number of variants included in that detection. These programs are dangerous to your computer and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on April 30, 2008:

Adware
+ Wintouch

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax
++ KeyloggerDouglas
++ KeyloggerSpy

Malware Includes fake anti-virus and anti-spyware programs
+ MalwareBell
++ AntiVirProtect
+ IEDefender
++ Killsoft.V2008
+ Win32.BHO.je

PUPS Possibly Un(popular|wanted) Software
+ EuroGrand.Casino.PT
++ Monaco.Gold.Casino.PT

Trojans Includes 4 new Zlob* Trojan detections
++ BachKhoaAntivirus
++ BaiduBar.HostsRep
++ Delf.Inject
+ Prorat-D
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
++ Win32.Agent.aou
++ Win32.Agent.ay
++ Win32.Mutant.jz.rtk
++ Win32.Shark.ae
+ Zlob.Downloader.bs
+ Zlob.Downloader.se
+ Zlob.Downloader.vet
+ Zlob.Downloader.vdt
++ YMCam

Total: 593837 fingerprints in 154855 rules for 3880 products!

False positive detections fixed this week:
No false positives to report at this time.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions released every Wednesday to detect the latest incarnations of Zlob.


April 24, 2008

Spybot Search and Destroy Malware Definitions Updated on April 24, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released a day later than usual, on Thursday, April 24, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are normally released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings, or in this instance, on Thursday. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed by name in the detections below, you should assume that it is malware (with the possible exception of the PUP group, which is left to user discretion). Programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses following a malware name indicates the number of variants included in that detection. These programs are dangerous to your computer and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

While immunizing your computer is generally a good security measure, there may be occasions where the immunization detections break a program you want to use, or block access to a website you choose to visit. If this happens to you after you immunize with new definitions, go to the Immunize tab and run UNDO, to remove the last immunizations. You can also use the checkboxes to selectively undo or redo immunizations. Right-clicking on the immunization list gives you the option to select all or select none, which helps with mass immunizations or undoing mass immunizations. Also, if you are going to uninstall Spybot S&D, always select all immunizations, then click on Undo. This will unblock everything before you delete the program.

Spybot Updates - published every Wednesday, except this week

Additions made on April 24, 2008:

Adware
+ BaiduBar

Keyloggers (Keyloggers steal your logins and passwords)
+ Winsession Logger
++ XPCSpyPro

Malware Includes fake anti-virus and anti-spyware programs
+ ContraVirus
++ Fake.Antispyware.TheSpybot2007
+ MalwareCrush
+ PestTrap
+ Smitfraud-C.
+ SpywareQuake
+ Swizzor
+ TitanShield
+ TrustCleaner
+ VirusBlast
+ VirusBurst
+ VirusProtectPro

PUPS Possibly UnPopular Software
+ 32Vegas.PT (4)
+ Deskbar
+ Europa.Casino.PT (13)
+ Vegas.Red.Casino.PT (20)

Security
+ Microsoft.Windows.AppFirewallBypass
++ Microsoft.Windows.Exefile.HideExtension

Trojans Includes new or updated Zlob* Trojan detections
+ BraveSentry
+ Fraud.ProtectionBar
+ Hupigon (11)
++ Hupigon.evc
++ Hupigon.Gen
+ Nuclearwinter
+ SafetyBar
+ Virtumonde.dll
++ Warpcom
++ Win32.Agent.af
++ Win32.Agent.ip
++ Win32.Agent.vye
+ Win32.Autorun
++ Win32.Backdoor.ajhb
++ Win32.Bifrose.blr
++ Win32.Delf.asz
++ Win32.mIRC
++ Win32.Pakes.cgn
+ Win32.Qhost.ake
++ Win32.Settec
++ Win32.Soundmix
++ Win32.VB.tr
+ Zlob.Downloader.bs (2)

Total: 575727 fingerprints in 137545 rules for 3893 products!

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions released every Wednesday to detect the latest incarnations of Zlob.


April 19, 2008

Spybot Search and Destroy Definitions Updated on 4/17/2008, to fix incompatibility with SpywareBlaster and Firefox

After people began applying the Spybot Search and Destroy definition updates of April 16, 2008, then immunizing their computers through the Immunize function, those with both Firefox and SpywareBlaster installed began experiencing sudden terminations when trying to open SpywareBlaster. It turns out that one of the definitions in the Spybot immunization database was causing a memory conflict with SpywareBlaster, directly related to a Firefox immunization update. There was a heated discussion about this on the Spybot S & D forum and on April 17, 2008, a second update was released to fix the problem. If you use Spybot S & D, SpywareBlaster and Firefox, and you applied the April 16 updates, you need to download the patched definitions. Use the Spybot Search and Destroy Updater from your Start Menu > Programs to fetch the newest updates, then apply them, then open Spybot's user interface and re-apply immunization for Firefox.

Details
After immunizing Firefox with the updates from 17/4/08, attempting to open SpywareBlaster produced this error message:

Error: Access violation at 0x005F71FC (tried to read from 0x04F3032C), Program termminated

Some users performed an immunization "Undo" on the Firefox protection only, and it worked, leaving just SpywareBlaster to immunize Firefox. Normally, these programs get along quite well, but this time there was a glitch. I applaud Team Spybot for rushing out a sudden patch to correct this problem, as I also use SpywareBlaster and Firefox on some of my computers and was similarly affected.

For those who don't know the details about these programs, both Spybot Search and Destroy, by Patrick M. Kolla, and SpywareBlaster, by Javacool Software, are well known freeware security programs that have a feature they call "Immunization," which is a proactive form of protection against known hostile ActiveX controls, dangerous domains, browser hijackers and even advertisers' cookies placed by websites you visit. By "Immunizing" after updating you protect against exploits from the controls, files, websites and other items in the definitions. If these unwanted items are on your computer already they get nullified by the immunization. Otherwise, once immunized, these applications cannot install themselves unless you knowingly override your already applied protection. This is done by unchecking a particular immunization rule, or by undoing all immunizations en masse.

Both programs require users to perform manual checking for updates, although SpywareBlaster does offer automatic updates for a small fee. Spybot S & D is always updated on Wednesdays and users must run a manual check for updates. I usually do this on Wednesday evenings, or on Thursday afternoon, just in case a faulty definition was released then patched, like just happened here. SpywareBlaster's latest definitions were released on 4/6/2008, so their update schedule is less regular than Spybot's.

April 16, 2008

Spybot Search and Destroy Malware Definitions Updated on April 16, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed by name in the detections below, you should assume that it is malware (with the possible exception of the PUP group, which is left to user discretion). Programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses following a malware name indicates the number of variants included in that detection. These programs are dangerous to your computer and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on April 16, 2008:

Hijackers
++ Dreamgroup.Fakemule

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax (2 variants)

Malware Includes fake anti-virus and anti-spyware programs
++ AntiSpywareDeluxe
++ AntiSpywareShield
+ Awola.Anti-Spyware
+ FakeAlert.cc
+ Smitfraud-C.gp
+ VirusHeat
+ Win32.BHO.je (2)
++ Win32.Agent.bk (2)
++ Win32.Agent.xg (2)

PUPS Possibly Un(popular|wanted) Software
++ 24kt.Gold.Casino.PT
++ 32Vegas.PT
++ 50.Stars.Casino.PT
++ African.Palace.Casino.PT
++ Bakara.Casino.PT
++ Cameo.Casino.PT
++ Carnival.Casino.PT
++ Casino.Bellini.PT
++ Casino.Del.Rio.PT
++ Casino.Las.Vegas.PT
++ Casino.Tropez.PT
++ Casino365.PT
++ CasinoKing.PT
+ CasinoRoyal.PT (100)
++ City.Club.Casino.PT
++ Club.Dice.Casino.PT
++ Craps.com.PT
++ Diamond.Club.Casino.PT
++ Enter.Casino.PT
++ EuroGrand.Casino.PT
++ Europa.Casino.PT
++ Flamingo.Casino.PT
++ Golden.Palace.Casino.PT
++ Grand.Online.Casino.PT
++ Hotel.Casino.Network.PT
++ Indio.Casino.PT
++ Joyland.Casino.PT
++ Kiwi.Casino.PT
++ Magic.Box.Casino.PT
++ Mansion.Casino.PT
++ Mega.Sport.Casino.PT
++ New.York.Casino.PT
++ Playgate.Casino.PT
++ Prestige.Casino.PT
++ Royal.Dice.Casino.PT
++ SIA.Casino.PT
++ Sierra.Star.Casino.PT
++ Sky.Kings.Casino.PT
++ Slots.PT
++ Swiss.Casino.PT
++ USA.Casino.PT
++ Vegas.Red.Casino.PT

Security
+ Microsoft.Windows.AppFirewallBypass
+ Microsoft.Windows.RedirectedHosts

Trojans Includes 4 new or updated Zlob* Trojan detections
+ Hupigon
+ Smitfraud-C.MSVPS
++ Win32.Agent.frl (2)
++ Win32.Banbra.anp
+ Win32.BHO.acw
+ Win32.Bifrose.aci
+ Win32.Delf.zq
++ Win32.Qhost.ake
++ Win32.Shark.if
++ Win32.Small.tnt
++ Win32.Small.vy
++ Win32.VB.bmr
+ Win32.Zhelatin.ah (Storm Trojan)
+ Zlob.DNSChanger
+ Zlob.Downloader.vdt
+ Zlob.VideoAccess
++ Zlob.Downloader.vet

Total: 573372 fingerprints in 136752 rules for 3857 products!

False positive detections fixed this week:
http://www.accessorygeeks.com and .accessorygeeks.com were false positives, blocked by the HOSTS file additions made when you immunize with the HOSTS file option selected. These entries have been removed in the current updates for the HOSTS file.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions released every Wednesday to detect the latest incarnations of Zlob.


April 10, 2008

Spybot Search and Destroy Malware Definitions Updated on April 9, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed by name in the detections below, you should assume that it is malware (with the possible exception of the PUP group, which is left to user discretion). Programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses following a malware name indicates the number of variants included in that detection. These programs are dangerous to your computer and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on April 9, 2008:

Hijackers
+ CnsMin
+ CoolWWWSearch.OleHelp

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax
+ FreeKeylogger
+ Perfect Keylogger

Malware Includes fake anti-virus and anti-spyware programs
++ AntiSpyKit
+ AntiVerminsPro
+ FakeAlert.cc
++ Fake.PC-Antispyware
++ PCCleaner
++ PlatinumPartner
+ Smitfraud-C.
++ Win32.Agent.pn
+ Win32.BHO.je
++ Win32.Krotten.ex
+ Win32.Renos
++ Win32.VB.bpv

Trojans Includes 67 new or updated Zlob* Trojan detections!
+ BackOrifice2k
+ Hupigon
++ Hupigon.dsx
+ Smitfraud-C.MSVPS
++ Win32.Agent.agx
++ Win32.Agent.AQ
++ Win32.Agent.bno
++ Win32.IRCBot.auf
++ Win32.Poison.pg
++ Win32.VB.aqt
++ Win32.Webmoner.co
+ Zlob.AdultAccess
+ Zlob.BrainCodec
+ Zlob.DigiPassword
+ Zlob.DirectVideo
+ Zlob.DNSChanger.rtk
+ Zlob.Downloader.bs
++ Zlob.Downloader.idt
+ Zlob.Downloader.mld
+ Zlob.Downloader.se
+ Zlob.Downloader.sg
+ Zlob.Downloader.vdt
++ Zlob.Downloader.vot
+ Zlob.EliteCodec
+ Zlob.FreeVideo.DVDCodec
+ Zlob.GoldCodec
+ Zlob.HomepageMonitor
+ Zlob.HQCodec
+ Zlob.HQvideo
+ Zlob.iCodecPack
+ Zlob.ImageActiveXAccess
+ Zlob.ImageActiveXObject
+ Zlob.ImageAXObject
+ Zlob.iMediaCodec
+ Zlob.IVideoCodec
+ Zlob.JPEG-Encoder
+ Zlob.KeyCodec
+ Zlob.KeyGenerator
+ Zlob.Mediacodec
+ Zlob.MMediaCodec
+ Zlob.MovieBox
+ Zlob.MovieCommander
+ Zlob.MPVideoCodec
+ Zlob.MyPassGenerator
+ Zlob.NewMediaCodec
+ Zlob.PerfectCodec
+ Zlob.PornMagPass
+ Zlob.PornPassManager
+ Zlob.PowerCodec
+ Zlob.PPlayer
+ Zlob.PrivateVideo
+ Zlob.QualityCodec
+ Zlob.SilverCodec
+ Zlob.SiteEntry
+ Zlob.SiteTicket
+ Zlob.SoftCodec
+ Zlob.strCodec
+ Zlob.SuperCodec
+ Zlob.TrueCodec
+ Zlob.VAXCodec
+ Zlob.Vcodec
+ Zlob.VidCodec
+ Zlob.VideoAccess
+ Zlob.VideoAccessActiveXObject
+ Zlob.VideoActiveXAccess
+ Zlob.VideoActiveXObject
+ Zlob.VideoAXObject
+ Zlob.VideoBox
+ Zlob.VideoCodec2007
+ Zlob.VideoCompressionCodec
+ Zlob.VideoKeyCodec
+ Zlob.VideoPlugin
+ Zlob.WinMediaCodec
+ Zlob.XpassGenerator
+ Zlob.XPasswordManager
+ Zlob.ZCodec
+ Zlob.ZipCodec

Total: 578031 fingerprints in 129018 rules for 3855 products!

False positive detections fixed this week:
http://www.accessorygeeks.com and .accessorygeeks.com are false positives, blocked by the HOSTS file additions made when you immunize with the HOSTS file option selected. This will be removed in the next update cycle, or you can manually edit your HOSTS file and remove the lines that redirect this domain to 127.0.0.1 (your local machine's loopback address).
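The manual fix described above, finding the HOSTS lines that point a falsely blocked domain at 127.0.0.1 and removing only those, is easy to get wrong by hand in a file that immunization has grown to thousands of lines. The script below is an added example written for this page, not code from the original post or from Safer-Networking. It assumes the standard HOSTS layout (address, then one or more hostnames, optional `#` comment), treats 127.0.0.1, 0.0.0.0 and ::1 as block targets, and runs on a constructed sample whose accessorygeeks.com lines mirror the false positive discussed here; the other entries are made up for the demo. Any subdomain of the given domain is matched, and a line that blocks several hostnames keeps the ones that are unrelated.

```python
"""Audit a HOSTS file for a domain blocked by immunization and lift that block.

Added example (not Spybot's own code). It assumes the standard HOSTS layout
(address, then one or more hostnames, optional '#' comment) and treats the
loopback / null addresses used for blocking as 'block' targets.
"""
from typing import List, Tuple

BLOCK_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample HOSTS content; the accessorygeeks.com lines mirror the
# false positive discussed above, the other entries are made up for the demo.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.accessorygeeks.com
127.0.0.1 accessorygeeks.com
127.0.0.1\tevil-example.test   # constructed: a genuine block entry
0.0.0.0   WWW.ACCESSORYGEEKS.COM
127.0.0.1 ads.accessorygeeks.com tracker.example.test
192.0.2.10 accessorygeeks.com  # constructed: a real mapping, not a block
# End of entries inserted by Spybot - Search & Destroy
"""


def _parse_line(line: str):
    """Return (address, [hostnames]) for a mapping line, None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()
    parts = body.split()
    if len(parts) < 2:
        return None
    return parts[0], parts[1:]


def host_matches(hostname: str, domain: str) -> bool:
    """True if hostname is domain itself or a subdomain of it (case-insensitive).
    A leading dot on domain, as in '.accessorygeeks.com', is accepted."""
    h = hostname.lower().rstrip(".")
    d = domain.lower().strip(".")
    return h == d or h.endswith("." + d)


def find_blocks(hosts_text: str, domain: str) -> List[Tuple[int, str]]:
    """(line number, line) for every entry pointing domain or a subdomain at a block address."""
    hits = []
    for lineno, line in enumerate(hosts_text.splitlines(), 1):
        parsed = _parse_line(line)
        if parsed and parsed[0] in BLOCK_ADDRS and any(host_matches(h, domain) for h in parsed[1]):
            hits.append((lineno, line))
    return hits


def unblock(hosts_text: str, domain: str) -> str:
    """Remove the block for domain only; unrelated mappings and comments stay byte-for-byte.

    A line that blocks several hostnames keeps the ones that do not belong to domain."""
    out = []
    for line in hosts_text.splitlines():
        parsed = _parse_line(line)
        if not parsed or parsed[0] not in BLOCK_ADDRS:
            out.append(line)                      # comment, blank, or a real mapping
            continue
        addr, hosts = parsed
        keep = [h for h in hosts if not host_matches(h, domain)]
        if len(keep) == len(hosts):
            out.append(line)                      # blocks something else; untouched
        elif keep:
            comment = line.split("#", 1)[1] if "#" in line else None
            out.append(f"{addr} {' '.join(keep)}" + (f"  #{comment}" if comment is not None else ""))
        # else: every hostname on the line was the false positive, so the line is dropped
    return "\n".join(out) + ("\n" if hosts_text.endswith("\n") else "")


if __name__ == "__main__":
    for n, line in find_blocks(SAMPLE_HOSTS, ".accessorygeeks.com"):
        print(f"line {n}: {line}")
    print(unblock(SAMPLE_HOSTS, ".accessorygeeks.com"))
```

Run `find_blocks` first and read what it reports before writing anything back: on a real machine the file lives at `%SystemRoot%\System32\drivers\etc\hosts`, needs an elevated editor, and a mapping to any address other than the block addresses (like the constructed 192.0.2.10 line) is deliberately left alone, since it is not an immunization entry.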

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions released every Wednesday to detect the latest incarnations of Zlob.


April 3, 2008

Spybot Search and Destroy Malware Definitions Updated on April 2, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed by name in the detections below, you should assume that it is malware (with the possible exception of the PUP group, which is left to user discretion). Programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses following a malware name indicates the number of variants included in that detection. These programs are dangerous to your computer and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on April 2, 2008:

Hijackers
+ CoolWWWSearch.OleHelp

Malware Includes fake anti-virus and anti-spyware programs
+ MalwareWipe
++ Win32.Alman
++ ZlobDownloader.vdt

Security
++ Microsoft.Windows.FileExecution

Trojans
+ Bifrose.LA (2)
+ CoolWWWSearch.SearchToolbar (2)
+ Hupigon
++ Hupigon.cbs
++ Injector.u
+ PremiumSearch (1574)
++ RysioLogger
+ SubSeven
++ Wannnadoo
++ Win32.BKClient
++ Win32.GBDialer.j
+ Win32.Nakuru.a
++ Win32.OnLineGame.jun
++ Win32.VB.sj

Total: 563708 fingerprints in 125654 rules for 3757 products!

False positive detections fixed this week:
False positive on vxSystem.dll from the Vigilix remote monitoring product. It was being incorrectly reported as VX2.b.BDS.


March 26, 2008

Spybot Search and Destroy Malware Definitions Updated on March 26, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on March 26, 2008:

Keyloggers (Keyloggers steal your logins and passwords)
+ SpyKeylogger
+ SpyMyPC
+ StaticX

Malware (includes fake anti-virus and anti-spyware programs)
+ AlfaCleaner
+ AntiSpywareSoldier
+ AzeSearch
+ Cleanator
+ FakeAlert.cc
+ Fraud.XPAntivirus
+ MalwareWipe
+ Performance Optimizer
+ Smitfraud-C.gp
+ SpyCrush
+ SpyDawn
+ SpyHeal
+ SpyShredder
+ SpywareIsolator
+ TrustCleaner
+ Vcodec.Intcodec
+ Virtumonde.dll (incl: 5955 variants)
+ VirusBurst
+ Win32.BHO.je
+ Win32.Renos
+ WinXDefender

Trojans (featuring 12 updated detections of Zlob* Trojans)
+ Smitfraud-C.
+ Smitfraud-C.MSVPS
+ Win32.Dropper.Agent.byv
+ Win32.EESbinder
+ Zlob.DirectVideo
+ Zlob.Downloader.se
+ Zlob.Downloader.sg
+ Zlob.GoldCodec
+ Zlob.HQVideoCodec
+ Zlob.ImageActiveXObject
+ Zlob.KeyGenerator
+ Zlob.MMediaCodec
+ Zlob.QualityCodec
+ Zlob.SiteTicket
+ Zlob.VideoAccess
+ Zlob.VideoKeyCodec

Total: 565762 fingerprints in 126261 rules for 3758 products!

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.


March 19, 2008

Spybot Search and Destroy Malware Definitions Updated on March 19, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on March 19, 2008:

Adware
++ Alertline
++ BaiduBar
++ Doublepoint
++ Windots

Dialer
+ Aconti

Keyloggers (Keyloggers steal your logins and passwords)
++ SpyBuddy
+ SWAgent

Malware (includes fake anti-virus and anti-spyware programs)
+ AntiVirGear
+ FakeAlert
++ FakeAlert.mhg
++ MalWarrior
+ Smitfraud-C.gp
+ SpyLocked
++ SpywareLocked
++ SpywareRemover
+ Vario.RogueAntiSpy
+ Vcodec.eMedia
+ Virtumonde.dll (24)
++ Virtumonde.mhg (2911)
+ Win32.BHO.je
+ Win32.Renos
++ WinPerformance

PUPS (Possibly Unpopular Software)
+ Accoona

Spyware
+ AdBreak

Trojans (featuring 20 new or updated detections of Zlob* Trojans!)
++ Banker
+ CnsMin
+ Smitfraud-C.MSVPS
++ Win32.Gamec.cq
++ Win32.Zhelatin.vg
+ Zlob.DNSChanger.rtk (12)
+ Zlob.Downloader
++ Zlob.Downloader.bs
+ Zlob.Downloader.iec
+ Zlob.Downloader.oid
+ Zlob.Downloader.rid
+ Zlob.Downloader.se
+ Zlob.Downloader.sot
+ Zlob.Downloader.vdt
+ Zlob.Downloader.xot
+ Zlob.MovieBox
+ Zlob.MovieCommander
+ Zlob.PPlayer
+ Zlob.SecurityTools
+ Zlob.VideoAccessActiveXObject
+ Zlob.VideoActiveXAccess
+ Zlob.VideoAXObject
+ Zlob.VideoBox
+ Zlob.XXXAccess
+ Zlock.uc

Total: 554199 fingerprints in 123295 rules for 3731 products.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.


March 13, 2008

Spybot Search & Destroy Malware Definitions Updated on March 12, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of its name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on March 12, 2008:

Adware
+ Wintouch

Dialer
+ Win32.Dialer.aeh
Keyloggers (Keyloggers steal your logins and passwords)
+ XPAdvancedKeylogger

Malware (includes fake anti-virus and anti-spyware programs)
+ AntiSpyWare2007
+ NousTech.SysCleaner
+ NousTech.SystemDefender
+ RegClean
+ SpywareBOT.SpywareStop
+ Win32.BHO.je
+ Win32.VB.ck
+ WinSpyKiller

Trojans (6 new classes of Zlob* Trojans and 141 variants!)
+ FakeAlert (273)
+ Smitfraud-C.MSVPS (28)
+ Win32.Agent.ahj
+ Win32.Agent.jmh
+ Zlob.DNSChanger.Rtk (13)
+ Zlob.Downloader.mld
+ Zlob.Downloader.se (115)
+ Zlob.Downloader.sg (5)
+ Zlob.Downloader.sot (8)
+ Zlob.Downloader.vdt

Total: 554374 fingerprints in 122623 rules for 3701 products.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.


March 6, 2008

Spybot Search & Destroy Malware Definitions Updated on March 5, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of its name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on March 5, 2008 (and false positive removals):

Hijacker
+ CoolWWWSearch.Leftovers

Malware
+ Clickspring.Outerinfo
++ Fake.SpywareRemover
++ Marketflip.FakeSearchAndDestroy
++ RegistryClear
+ RegSweep
+ Smitfraud-C.
++ SpySnipe
+ SpywareBOT
+ Vario.AntiVirus
+ VirusHeat
+ Win32.BHO.je
+ Win32.Renos

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans
++ DL.Small.ddp
+ NousTech.UDefender
++ ShudderLtd.AntiVirusPro
+ Smitfraud-C.MSVPS
++ Spambot.kf
+ Virtumonde
++ Win32.Agent.icb
++ Win32.BHO.abo
+ Zlob.Downloader.se
++ Zlob.Downloader.sot
+ Zlob.Downloader.vdt

Total: 545636 fingerprints in 119654 rules for 3673 products.


February 28, 2008

Spybot Search & Destroy Malware Definitions Updated on February 27, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of its name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on Feb 27, 2008 (and false positive removals):

Adware
+ Wintouch

Malware
+ AdwareAlert
+ AdwareBot
+ AntiSpyware2007
+ AntiSpyWare2007
+ AntiSpywareBOT
+ CoolWWWSearch.am
+ ErrorKiller
+ ErrorSmart
+ EvidenceEraser
+ Fake.SpywareRemover
+ MacroVirus
+ MalwareBOT
+ PrivacyControl
+ PWS.OnLineGames
+ RegClean
+ RegistryBot
+ RegistrySmart
+ RegRecall
+ Smitfraud-C.
+ Spyware-Secure
+ VirusHeat
+ Win32.Agent.bpb
+ Win32.BHO.je
+ Win32.Renos

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
+ PassStealer

Trojans
+ Hupigon
+ IE-Improver
+ Smitfraud-C.MSVPS
+ Win32.Banker.gen
+ Win32.Delf.dgb
+ Win32.Rungbu.a
+ Win32.Small.azl
+ Win32.Tibia.aj
+ Zlob.Downloader
+ Zlob.Downloader.anz
+ Zlob.Downloader.se
+ Zlob.Downloader.vdt
+ Zlob.VideoActiveXObject

Total: 542580 fingerprints in 119017 rules for 3652 products.


February 21, 2008

Spybot Search & Destroy Malware Definitions Updated on February 20, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of its name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on Feb 20, 2008 (and false positive removals):

Keyloggers (Keyloggers steal your logins and passwords)
+ Goldeneye
++ SolidKeylogger
++ WinKey.StealthKeylogger

Malware
+ PWS.OnLineGames
+ Win32.BHO.je
+ Win32.Renos

Trojans
+ Hupigon
+ IE-Improver
+ Smitfraud-C.MSVPS
+ Virtumonde.generic
++ Win32.Agent.dlo
+ Win32.Delf.s
+ Win32.PolyCrypt.d
+ Win32.VNC.a
+ Zlob.Downloader
+ Zlob.Downloader.se
+ Zlob.Downloader.vdt
+ Zlob.Downloader.xot

Total: 530848 fingerprints in 116890 rules for 3632 products.


February 15, 2008

Spybot Search & Destroy Malware Definitions Updated on February 13, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of its name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on Feb 13, 2008 (and false positive removals):

Dialer
+ Maxadult

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax
+ HellzLittleSpy
+ SpyLantern

Malware
+ Clickspring.Outerinfo
+ ErrorSweeper
+ Win32.Alphabet.ap
Spyware
+ SpyMail

Trojans
+ Hupigon
+ QQ-Pass
+ Smitfraud-C.MSVPS
+ Tibiabot.pk
+ Win32.Bifrose.LA
+ Win32.Delf.aoa
+ Win32.Delf.dch
+ Win32.Expiro
+ Win32.RJump.c
+ Win32.Small.azl
+ Win32.Sohanad.t
+ Zlob.Downloader.se

Total: 526414 fingerprints in 113946 rules for 3611 products.


February 6, 2008

Spybot Search & Destroy Malware Definitions Updated on February 6, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of its name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on Feb 6, 2008:

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax
+ Elite Keylogger
+ Perfect Keylogger

Malware
+ AdvancedCleaner
+ Fraud.XPAntivirus
+ Smitfraud-C.
+ Win32.Agent.oh
+ Win32.Renos

Trojans (6 new Zlob variants)
+ CoolWWWSearch.SearchToolbar (They're baaack!)
+ Firehole
+ Hupigon
+ MalwareAlarm
+ Smitfraud-C.MSVPS
+ Zlob.Downloader.eaw
+ Zlob.Downloader.gen
+ Zlob.Downloader.oid
+ Zlob.Downloader.se
+ Zlob.Downloader.tnd
+ Zlob.Downloader.vdt
+ Win32.Agent.aga
+ Win32.Agent.bid
+ Win32.Agent.ea
+ Win32.Bandok.av
+ Win32.Delf.dsf
+ Win32.Delf.zq
+ Win32.Harnig.bn
+ Win32.Lineage.bus
+ Win32.Small.ih

Total: 525864 fingerprints in 113680 rules for 3602 products.


January 30, 2008

Spybot Search & Destroy Malware Definitions Updated on January 30, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of the name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on Jan 30, 2008: (and false positive removals)

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax

Malware
+ AdwareAlert
+ Win32.Renos

Trojans (3 new Zlob variants)
+ Smitfraud-C.MSVPS
+ Win32.Agent.hjo
++ Win32.Delf.uv
+ Win32.Delf.zq
++ Win32.SDBot.BHLK
++ Win32.Small.BB
+ Zlob.Downloader.dcc
+ Zlob.Downloader.vdt
+ Zlob.Downloader.xot

Total: 524620 fingerprints in 113219 rules for 3578 products.

Continue reading "Spybot Search & Destroy Malware Definitions Updated on January 30, 2008" »

January 23, 2008

Spybot Search & Destroy Malware Definitions Updated on January 23, 2008

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of the name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

Additions made on Jan 23, 2008 (and false positive removals)


Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax
+ NiceSpy.Keylogger
+ NiceSpy.XPKeylogger

Malware
+ Fraud.XPAntivirus
+ Safestrip
+ VirusProtect
+ Win32.Renos


Spyware
+ WebWatcher

Trojans (4 new Zlob variants)
+ Hupigon
+ Smitfraud-C.MSVPS
+ Win32.Agent.bkd
+ Win32.Alphabet.ap (670)
+ Win32.Autorun (10)
+ Win32.Bagle.hi (2)
+ Win32.Small.hk
+ Win32.VB.ke
+ Zlob.Downloader.dcc
+ Zlob.Downloader.oid
+ Zlob.Downloader.vdt
+ Zlob.Downloader.xot

Total: 522840 fingerprints in 112714 rules for 3569 products.
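The weekly lists above follow a small, regular notation: a category heading (sometimes with a parenthetical note), one entry per line prefixed with + or ++, an optional variant count in parentheses, and a closing "Total:" line. The script below is an added example, not code from Spybot S&D or from this blog, that parses that notation so the lists can be tallied and compared week to week (for instance to see which names, like Smitfraud-C.MSVPS, are re-issued in consecutive updates). The sample text is constructed here from entries copied out of the lists on this page; the function names and the output structure are my own choices, not anything Spybot publishes.

```python
import re
from collections import OrderedDict

# Constructed sample in the format of the weekly lists on this page
# (entries copied from the Jan 23, 2008 post; trimmed for brevity).
SAMPLE = """\
Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax
+ NiceSpy.Keylogger

Malware
+ Fraud.XPAntivirus
+ Win32.Renos

Trojans (4 new Zlob variants)
+ Win32.Alphabet.ap (670)
+ Win32.Autorun (10)
++ Win32.Delf.uv
+ Zlob.Downloader.dcc
+ Zlob.Downloader.oid

Total: 522840 fingerprints in 112714 rules for 3569 products.
"""

# Constructed "previous week" fragment (entries copied from the Jan 30 post).
PREVIOUS = """\
Trojans (3 new Zlob variants)
+ Smitfraud-C.MSVPS
+ Zlob.Downloader.dcc
+ Zlob.Downloader.vdt
"""

# "+ Name" or "++ Name", with an optional "(N)" variant count at the end.
ENTRY_RE = re.compile(r"^(\+{1,2})\s+(\S+)(?:\s+\((\d+)\))?\s*$")
TOTAL_RE = re.compile(
    r"^Total:\s+(\d+) fingerprints in (\d+) rules for (\d+) products\."
)


def parse_update_list(text):
    """Return (categories, totals).

    categories maps a heading (parenthetical note stripped) to a list of
    entries; each entry records the name, the explicit variant count if one
    was given, and whether the post marked it as multiple additions
    (either "++" or a "(N)" suffix, per the post's own notation).
    """
    categories = OrderedDict()
    totals = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TOTAL_RE.match(line)
        if m:
            totals = {
                "fingerprints": int(m.group(1)),
                "rules": int(m.group(2)),
                "products": int(m.group(3)),
            }
            continue
        m = ENTRY_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"entry before any category heading: {line!r}")
            plus, name, count = m.groups()
            categories[current].append({
                "name": name,
                "variants": int(count) if count else None,
                "multiple": plus == "++" or count is not None,
            })
            continue
        # Anything else is a category heading; drop a trailing "(...)" note.
        current = re.sub(r"\s*\(.*\)\s*$", "", line)
        categories.setdefault(current, [])
    return categories, totals


def summarize(categories):
    """Per-category counts: entries, entries flagged multiple, known variants."""
    return {
        cat: {
            "entries": len(items),
            "multiple": sum(1 for i in items if i["multiple"]),
            "known_variants": sum(
                i["variants"] for i in items if i["variants"] is not None
            ),
        }
        for cat, items in categories.items()
    }


def all_names(categories):
    """Flat set of every detection name in the parsed list."""
    return {i["name"] for items in categories.values() for i in items}


def carried_over(previous_text, current_text):
    """Names that appear in both weeks' lists (re-issued or updated detections)."""
    prev, _ = parse_update_list(previous_text)
    cur, _ = parse_update_list(current_text)
    return sorted(all_names(prev) & all_names(cur))


if __name__ == "__main__":
    cats, totals = parse_update_list(SAMPLE)
    print(summarize(cats))
    print(totals)
    print(carried_over(PREVIOUS, SAMPLE))
```

A useful habit when reading these lists is to compare the "known_variants" figure against the category note (for example "4 new Zlob variants") and the week-over-week "Total:" line; a name that is carried over from the previous week, as Smitfraud-C.MSVPS and several Zlob.Downloader entries are on this page, usually means the detection was revised rather than newly added.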

Continue reading "Spybot Search & Destroy Malware Definitions Updated on January 23, 2008" »

January 18, 2008

Spybot Search & Destroy Malware Definitions Updated on January 16, 2008

If you use the famed, freeware, anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program