May 28, 2008

Spybot Search and Destroy Definitions Updated on 5/28/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on May 28, 2008:

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax

Malware (Includes fake anti-virus and anti-spyware programs, like VirusHeat and Vario)
+ Awola.Anti-Spyware
+ BPS.Gen
+ Fraud.Antivirus2008
++ PrivacyRedeemer
++ RegistryFixIt
++ RegistryHelper
++ SaferScan
+ Smitfraud-C.gp
++ SpyHazard
+ SpywareScraper
++ SpywareSeizer
++ SpyWarp
++ StopingSpy
++ TheSpywareDetective
++ TheSpywareShield
++ TrustSoftAntiSpyware
+ Vario.Antivirus
++ VirusIsolator
++ VsSpy
+ Win32.Agent.pz
+ Win32.BHO.je
+ Zlob.Downloader.jau (2)
+ Zlob.Downloader.vcd (127)

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ GVWorldWideOnlineCasino

Security
++ Microsoft.Windows.CryptSvc

Trojans (Includes 4 new Zlob* Trojan detections)
+ Bifrose.LA (2)
++ Delf.Spool.cn
+ Smitfraud-C.MSVPS
+ Virtumonde.ddc
+ Virtumonde.dll
+ Win32.Agent.AEW
++ Win32.Agent.cn.abmk
++ Win32.Agent.yfq
++ Win32.Mapson.d
++ Win32.Small.ivo
+ Win32.VB.tr
+ Zlob.Downloader
++ Zlob.Downloader.fot
++ Zlob.Downloader.iit
+ Zlob.Downloader.vdt

Total: 614689 fingerprints in 161129 rules for 3960 products!
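As an added example (not part of the original post or of Spybot S&D itself), here is a small Python parser for the weekly additions list format used above: it separates the categories, distinguishes updated (+) from brand new (++) detections, reads the variant count in parentheses, and picks up the Total line. The SAMPLE text is a constructed subset of the May 28 list, embedded so the script runs offline.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the weekly Spybot S&D addition lists
# (a subset of the May 28, 2008 entries, not the complete list).
SAMPLE = """\
Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax

Malware Includes fake anti-virus and anti-spyware programs, like VirusHeat and Vario
+ Fraud.Antivirus2008
++ PrivacyRedeemer
+ Zlob.Downloader.jau (2)
+ Zlob.Downloader.vcd (127)

Trojans Includes 4 new Zlob* Trojan detections
++ Zlob.Downloader.fot
+ Zlob.Downloader.vdt

Total: 614689 fingerprints in 161129 rules for 3960 products !
"""

# "+ Name" or "++ Name", optionally followed by "(n)" variants.
ENTRY_RE = re.compile(r"^(\+{1,2})\s+(\S+)(?:\s+\((\d+)\))?\s*$")
TOTAL_RE = re.compile(
    r"^Total:\s*(\d+)\s+fingerprints in\s+(\d+)\s+rules for\s+(\d+)\s+products"
)


def parse_additions(text):
    """Return ({category: [(name, is_new, variants), ...]}, totals_or_None).

    A line starting with '+' is an updated detection, '++' a brand new one,
    and a trailing '(n)' is the number of variants in that detection.
    Any other non-empty line that is not the Total line starts a new
    category; its first word is the category name, the rest is description.
    """
    categories = defaultdict(list)
    totals = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TOTAL_RE.match(line)
        if m:
            totals = {
                "fingerprints": int(m.group(1)),
                "rules": int(m.group(2)),
                "products": int(m.group(3)),
            }
            continue
        m = ENTRY_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"detection before any category heading: {line!r}")
            plus, name, count = m.groups()
            # A detection without a count covers a single variant.
            categories[current].append((name, plus == "++", int(count) if count else 1))
            continue
        current = line.split()[0]
    return dict(categories), totals


def summarize(categories):
    """Per-category counts of new detections, updated detections and variants."""
    summary = {}
    for cat, entries in categories.items():
        summary[cat] = {
            "new": sum(1 for _, is_new, _ in entries if is_new),
            "updated": sum(1 for _, is_new, _ in entries if not is_new),
            "variants": sum(v for _, _, v in entries),
        }
    return summary


def find_family(categories, prefix):
    """Sorted detection names, across all categories, that start with prefix."""
    return sorted(
        name
        for entries in categories.values()
        for name, _, _ in entries
        if name.startswith(prefix)
    )


if __name__ == "__main__":
    cats, tot = parse_additions(SAMPLE)
    for cat, s in summarize(cats).items():
        print(f"{cat}: {s['new']} new, {s['updated']} updated, {s['variants']} variants")
    print("Zlob family this week:", find_family(cats, "Zlob."))
    print("Totals:", tot)
```

Pasting a full week's list into SAMPLE gives a quick per-category count and a list of every Zlob variant added that week.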

False positive detections fixed this week:
A detection of "RegistryFixIt" and "SpyAgent" in C:\WINDOWS\unvise32.exe were false positives that have been fixed in this week's updates. Unvise.exe is an uninstaller for various programs, but is also used by certain malware programs, so caution is necessary with this file. If you get an alert about that file you should submit it to Team Spybot for analysis.

Also fixed this week is a false positive for a piece of malware called SpyLocked. The false positive was in a "Logs" folder in the Program Files directory which belongs to a legitimate application, but not to SpyLocked.

A third false positive fixed this week was for "SmartPCKeylogger" in the file C:\WINDOWS\system32\Memman.vxd. This is an old program that is not a keylogger at all.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.

After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).

Another problem being reported is when you run some versions of Spybot S&D it stops with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that have only been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but will also be performing rootkit searches while doing a Spybot "Check for problems".

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History


A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as individuals who benefit from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.


May 25, 2008

My Spam analysis for May 19 - 25, 2008

After taking a few weeks off from reporting my spam categories I thought I would resume the exercise today. This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

In the beginning of this series I was using MailWasher Pro filters exclusively, to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see at all. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool; MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page. I am no longer stating the overall percentage of spam to good email, due to the huge effect my cPanel mail server filters have on reducing the overall volume of junk mail. What does get through my server filters is still representative of what types of spam others are seeing, and the same categories occupy the top positions for me as they do for you.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category.

MailWasher Pro spam category breakdown for May 19 through 25, 2008.
Other filters: (See my MWP Filters page) 22.09%
Nigerian 419 Scams: 20.93%
Male enhancement spam (subject and body): 15.11%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills): 10.47%
Counterfeit Watches: 9.30%
Blacklisted (by pattern matching): 8.14% (Mostly Nigerian 419 scams)
Counterfeit clothing and shoes: 5.81%
HTML Tricks: 3.49%
Casino Spam: 3.49%
Bayesian learning filter: 1.16%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).


May 22, 2008

Microsoft reverses decision to end Outlook Express use for Hotmail

Back in mid-April, 2008, while I was downloading email from my Hotmail account, using Outlook Express, I received a message from Microsoft announcing the impending end of Hotmail support for Outlook Express users. This same notice went out to untold numbers of other Hotmail users who use the POP3 email protocol and Outlook Express, to send and receive messages through the Hotmail servers. The gist of the message was that Outlook Express used the soon to be deprecated WebDAV protocol to poll the Hotmail servers for new messages. Hotmail intends to do away with support of this protocol, for technical reasons related to the sizes of the mail boxes now offered to Hotmail users. Changing Outlook Express would require too much of an overhaul, so they came up with a plan to replace that program entirely, with another POP3 capable email client named "Windows Live Mail." The cutoff date for Outlook Express users to still connect to their Hotmail accounts was set at June 30, 2008. After that only Windows Live Mail, or certain other email clients, would be able to access Hotmail via the POP3 protocol.

Well, sometimes good things don't have to end, after all. Today, May 22, 2008, I got this email message from Microsoft, in my Hotmail account:

The Windows Live Hotmail team did e-mail some users, letting them know that Microsoft was planning to disable the DAV protocol that Outlook Express uses to access your Hotmail inbox. Many of you e-mailed us, expressing strong feelings on this matter, and we heard you loud and clear! The DAV protocol will NOT be discontinued at this time, and you can continue to use Outlook Express beyond the June 30 transition deadline previously announced. The Hotmail team will provide an update in the coming months. We apologize for any inconvenience this may have caused.

YEA for the little guys! We can continue to use Outlook Express to access our Hotmail accounts, if we want to. Some, like me, have already upgraded to Windows Live Mail, as was recommended by Microsoft. What are we gonna do? I'll give you my take on Windows Live Mail, compare it to Outlook Express and tell you whether I will go back to Outlook Express having switched to Windows Live mail already.

Outlook Express (OE) is a POP3 email client that was first introduced with the release of Windows 98. It has been patched and improved slightly over the years, but is truly a dated program, with a very limited future. The last version of Outlook Express is the one that shipped with Windows XP; version 6.0.0.2900. XP service packs add four more digits to the version number. I have upgraded to Service Pack 3 and my full version of Outlook Express is 6.0.0.2900.5512. Microsoft has no further plans to distribute this email client, in any newer version of Windows. It is not included in Windows Vista. It is soon to become part of Internet antiquity. That said, it works fine, as is! It displays a list of folders on the left side bar, to which you can add as many custom folders as you wish. You can create sub-folders of folders, so you might add a Sent Items folder to a folder for incoming messages for your website, keeping all related incoming and outgoing messages in one section. You are able to create manual filter rules to deal with spam, or to sort legitimate messages into your preferred folders.

Windows Live Mail is the newest POP3 email client from Microsoft and is meant to replace Outlook Express (OE). It is an improvement on the Windows Mail client that shipped with Windows Vista. Windows Live Mail (WLM) offers improvements over Outlook Express in appearance and function. It offers to import your email accounts, folders and rules from your Outlook Express installation, which is very useful. It comes with a built-in junk mail filter that uses intelligence, live updates and analysis to flag spam messages. It does flag a lot of false positives though, so it's not that smart. You can still create your own filter rules or import rules from Outlook Express, if you had any. WLM provides a new folders pane on the left that shows all of your email accounts, from the top down, then all of your personal folders, following the accounts. This is a bit confusing for OE users, who are only used to seeing folders on the left side. I have about 24 POP3 accounts and the list is quite long, on the left side, pushing my folders way down. The accounts can be expanded to show separate sub-folders for Inbox, Drafts, Sent, Junk, and Deleted messages, for each account. This gets noisy when you have lots of accounts. In this case it's best to collapse the accounts to only show each account name, not the contents. The same can be done for the folders; they can be expanded or collapsed. Unfortunately, I have not found any way to hide the accounts and just display the folders, in the Folders Bar. This is the major thorn in my side.

So, could I go back to Outlook Express, now that Microsoft has given it a reprieve? I couldn't import the newer messages from it, as they are stored in a different format than Outlook Express uses. I would have to drag and drop all new emails from Windows Live Mail into the corresponding Outlook Express folders. It's doable, but time consuming. Also, once you reach a certain unspecified number of accounts in Outlook Express, adding new ones tends to mess up existing accounts, for reasons unknown. Windows Live Mail doesn't seem to suffer from that problem. While the Windows Live Mail junk filter gets it wrong sometimes, it doesn't really do any damage. The messages it flags are placed into Junk folders, and you can click a button to tell Windows Live Mail that they are not junk, removing them from the junk database. Outlook Express has no junk filter at all, but then I don't care, because I use MailWasher Pro to screen all incoming email and only allow desirable messages to be delivered to my email client. If anything would drive me back to OE, it would be those damned annoying email account folders, placed above my custom folders. For now I will stay with Windows Live Mail and see how things go. Life is about change and Windows Live Mail is a big change from Outlook Express. All future changes will be along the lines of improving Windows Live Mail, not Outlook Express. If I only had a few accounts I would go back, but with two dozen it is a big issue.

Another feature I do like about Windows Live Mail is that it has a customizable Quick View feature. Enabling the Quick View in the Folder bar allows you to display ALL unread, inbox, sent, deleted items and more. In all there are 12 options you can add to or subtract from the Quick View menu. I find it to be the most useful feature of Windows Live Mail. Messages shown as Unread are still sorted into the folders I set up using Email Rules imported from Outlook Express, or created anew, but, instead of having to jump from folder to folder, to read new messages, they are all available in one place. As you read them the unread count decrements to zero, in the status bar. If you switch to read items in another folder and return to the unread folder, it will eventually be empty, when all new messages are read. That is neat.

Do you have to switch? No, not unless you are using Outlook Express to retrieve Hotmail, and not until Microsoft finally does end support for the DAV protocol, someday. If you are using it for non-Hotmail accounts there is no reason to stop using it. But, if you are looking for something more modern looking, with a built-in junk filter, and one that links to your other Windows Live services, like MSN Messenger, by all means try Windows Live Mail. You can read all about it here: http://get.live.com/wlmail/overview and download it if you wish.


Steel Guitar Forum Goes Offline Temporarily

Steel Guitar Forum goes offline.

On May 19, 2008, the external RAID hard disk drive unit powering the popular website - The Steel Guitar Forum (SGF) - suffered a catastrophic failure, taking the entire website offline. It remains offline as of May 22, 2008, while a new RAID setup is being installed and data recovery attempted. We are hoping to have the server back online as soon as possible, with as little data loss as possible. As many of you already know I do security for the SGF and act as moderator of the "Computers" section of the forum. I have assisted the owner/Administrator, Bobby Lee Quasar, in procuring a suitable replacement.

The Steel Guitar Forum is a (paid) members only community consisting of over 4000 professional and amateur pedal and non-pedal steel guitarists, located around the World. Most of the World's top steel players are members of this community, where information, techniques and music business discussions take place on a daily basis, as well as the exchange of equipment. For many of these members this website is their primary destination on the Internet and I know that they are missing its presence during this outage. We are doing everything we can to get the SGF back online. In the meantime I recommend that all affected steel guitarists spend some extra time practicing their instruments!

The SGF is back online, as of the afternoon of May 23.
As it turned out both Western Digital hard disks in the WD MyBook Pro Edition II, external RAID enclosure failed at the same time!


Spybot Search and Destroy Definitions Updated on 5/21/2008

Spybot Updates - published every Wednesday

Additions made on May 21, 2008:

Keyloggers (Keyloggers steal your typed logins and passwords)
+ KGBKeylogger
++ KGBKeylogger.REFOG
++ SmartPCKeylogger

Malware (Includes fake anti-virus and anti-spyware programs, like VirusHeat and Vario)
++ AntiSpyCheck
++ BugDoctor
+ ConOpt.BHO (3)
++ DeusCleaner
++ DoctorCleaner
++ EliteProtector
+ ErrorDoctor
+ FakeAlert.cc
++ LiveAntispy
++ MalwareDestructor
+ MyNetProtector
++ PCSleek.FreeErrorCleaner
+ Smitfraud-C.
++ Spyburner
++ SpyKill
+ Trojan-Guarder
+ Vario.AntiVirus
+ Win32.BHO.je
+ Win32.Renos
+ WinSpyKiller
+ Worldsecurityonline.FakeAlert

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ SpyPry

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans (Includes 0 new Zlob* Trojan detections)
+ Smitfraud-C.MSVPS
+ Virtumonde.ddc
++ Win32.Agent.abd
++ Win32.Agent.ark
++ Win32.Agent.byc
+ Win32.AutoRun
++ Win32.Delf.bj
++ Win32.Friendown
+ Win32.PcClient.agu
+ Win32.Small.ih

Total: 609774 fingerprints in 159642 rules for 3951 products!

False positive detections fixed this week:
Win32.auotrun.avi detected on a computer that is also running Webroot Windows Washer version 6.0 is a false positive that has been removed today. However, if you have Windows Washer 6.5 or newer, or don't have Windows Washer at all, and see this item, it may well be a Trojan Horse. Many Trojans are disguised using the file names of legitimate applications and support files. The experts at Team Spybot can analyze logs created after a scan to determine if a flagged file is legitimate, or a threat.

Also fixed this week is a false positive for folders named C:\Program Files\MW, but which do not contain known malware files (or are empty). This was triggered by a detection for a threat named Malware Wipe, which used the folder name MW and is a real threat to your security.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX Video Codec, or other (Java) application, needed to view a presentation, or pornographic movie. Once installed on the target computer the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans are constantly modified by it's maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with the Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.

After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).

Another problem being reported is when you run some versions of Spybot S&D it stops with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that only have been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but in also will be performing rootkit searches while doing a Spybot "Check for problems".

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your hidden System Restore folder, from where they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file or files due to a faulty detection update (a.k.a. a false positive), you can restore them from the program itself. Just click on the "Recovery" button, which looks like a first aid kit with a red cross in it, then locate the item(s) you wish to restore. Click on the select box to the left of each detection name to place a check mark in it, then click on "Recover selected items." The files and/or registry entries will be put back where they were deleted from. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering whether it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers', computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as individuals who benefit from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S&D website. Think seriously about using it. Send what you can.

May 18, 2008

How to remove SpyBoss Pro from your computer

For the last week I have been seeing a lot of people visiting my blog looking for information about a program called SpyBoss Pro. Apparently, they have discovered it on their computers and don't know how to get rid of it. Let's learn a few things about the program and how it can be removed.

First of all, this is not your typical piece of malware. It is a commercial keylogging application, selling for $25 and up, requiring a license to use it after 30 days. It is distributed by a company in Ohio and is actually targeted at company security departments, to track employees' use of the Internet, or to allow concerned parents to track where their children go and what they type in chats and IMs. According to the manufacturer, here is what it is designed to do.

Records chats, instant messages, emails, web sites visited, what is searched for, what is done on MySpace.com, pictures posted and looked at, keystrokes typed, the programs run and more.

If you have discovered this program on an office computer you should tell your superior. It may or may not have been installed by your company. If it was, you are being monitored officially. If not, somebody may be stealing confidential company information. If you find it on your home computer and did not knowingly purchase it, it was installed by stealth by persons up to no good. They may have used trickery to get this program onto your computer for two reasons. First, they might be affiliates earning commissions for every installation containing their affiliate codes. Second, they will be able to capture logins to your banks and other financial institutions, where they will steal your money or sell your information (and identity) to the highest bidder.

How to remove SpyBoss Pro.

You're gonna hate it when I tell you that since this is a legitimate program, albeit misused by hackers and overzealous affiliates, it comes with a standard Windows uninstaller. Go to Start > Settings > Control Panel > Add/Remove Programs. Look through the list of programs until you find SpyBoss Pro, uninstall it using the "Remove" button, then reboot. This assumes that the program hasn't been tampered with (cracked); in case it has been altered by hackers, you should download, install and update Spybot Search and Destroy, then "immunize," then "check for problems." If the uninstaller failed to remove any or all of SpyBoss Pro, Spybot will finish the job for you. Best of all, Spybot S&D is free, supported entirely by donations from grateful users. The latest definitions already detect and will remove this keylogger.

It is good practice to turn off Windows System Restore when disinfecting a PC, because many infectors hide their components by modifying critical system files, or by registering their files as system files. Those files are backed up in the System Restore folder and tend to be reinstalled on the next reboot if they are found to be missing. That's why some viruses and spyware keep coming back: they were backed up in your System Restore folder. If the uninstaller does remove SpyBoss Pro and Spybot doesn't find any further instance of it, you're probably good to go. But if it still lurks after running the uninstaller, turn off System Restore, disinfect the computer, scan again, then turn System Restore back on when all is clear.

Follow-up actions

Since you know that there was an unwanted keylogger on your computer, you need to change the login passwords to any banking, payment company, auction site, or online store accounts that you may have used while the keylogger was active. Check all balances and report any discrepancies to the fraud departments of the companies you do business with. You may have to cancel your debit or credit card and have a new one issued. If you cannot log in to an account which you could before, go to the home page and search for contact information. They probably have a phone number you can call to report that you have become the victim of a keylogger. Many banks and payment portals will reverse any fraudulent transfers and get your money back, after you prove you are really you.

How did it get on your computer?

I don't know how you acquired the SpyBoss keylogger, but if you don't know either, it is fairly safe to surmise that it came in through one of the following means:


  • It may have been bundled with a free program, which you accepted the EULA for without reading every word.

  • It may have been disguised as a movie or mp3 file that you downloaded from a peer to peer filesharing service.

  • It could have been downloaded without warning and installed, using a hidden script on a compromised website. This happens a lot lately, using iframes and JavaScript redirects to download malware without any warning, for people using Internet Explorer, or Safari browsers.

  • It might have been installed by somebody you know, or who had access to your computer and wants to spy on you, or steal your logins.

  • It may have been installed as a component of a program you got on a CD or DVD, or thumbdrive, that was purposely infected.

How to prevent unwanted malware installations.

There are several steps you can take to lock down your computer, assuming you own it (don't mess with your office computer - let IT take care of disinfecting it). Here is a rundown of the best procedures you can follow.


  1. Don't run as an administrator! From your normal account, open Control Panel > Users and Passwords (whatever) and create a new Computer Administrator level account, with a strong password. Log off the normal account and into the new administrator level account (with the new password), then open Control Panel, find the Users and Passwords (whatever) icon and open that utility. Find your normal account by name and double-click to open it for editing. Change the "type" of your normal account from Computer Administrator to Limited or Power User. Save the changes. Log off the Administrator level account and into your regular account. You'll keep all of your personalized files and settings, but won't be as much at risk from Internet threats as you'll no longer have permission to alter system files and folders, or to install services like keyloggers or rootkits.

  2. From this point onward only use the Administrator level account to run Windows Updates, or to perform disk management, or to install or uninstall programs requiring administrator privileges. Read my blog article about how reduced user privileges protect PC users from malware.

  3. Install a commercial anti virus and anti-spyware security program that has regular automatic updates and which monitors files as they are downloaded, or opened, and which scans all incoming and outgoing email for threats, and which scans web pages as you access them for hostile content, or scripted redirection exploits. I recommend Trend Micro Internet Security 2008 (a.k.a. PC-cillin). In fact, I have a discount coupon available from the good folks at Trend Micro. Save 10% Off a 1 year subscription to Trend Micro Internet Security 2008. Use Coupon Code: TrendIS08.

  4. Install a software firewall like ZoneAlarm Personal Firewall.

  5. Stop using Internet Explorer for your daily browsing and switch to Firefox. It is more secure, especially since it doesn't use or run ActiveX controls. Much of the malware installed automatically by stealth arrives via ActiveX exploits in Internet Explorer. Firefox can import your IE Favorites, which become "Bookmarks", and your saved cookies (with your logins). Firefox is a tabbed browser, with links opening in new tabs instead of new windows.

  6. Set Windows Updates to Automatically download and install, but check manually, from your Administrator level account, on the second Tuesday of every month, which is known as Patch Tuesday, at Microsoft.

  7. Use extra caution regarding any links in emails, especially unsolicited messages from unknown senders. Many of them lead to Trojan downloads that may make your computer a member of a botnet. Be especially wary of "phishing" scams that try to scare or trick you into clicking on a link to "update" your information, supposedly from your bank, eBay, or PayPal. By hovering your mouse over the link in an email you can read the destination in the status bar at the bottom. Still, many phishing links contain huge numbers of characters, making it difficult to ascertain the actual destination domain. It is always best to log in directly from your browser and see whether there really are any messages awaiting you at your financial institution.

  8. Scan for viruses, spyware and other malware threats that may be lurking in downloaded files, or your browser's cache, every night.

  9. If you can't afford a paid anti virus program try AVG Free Anti Virus, or Avast! Home Edition (free).

  10. If you can't afford a commercial anti-spyware program get Spybot Search and Destroy. You will have to check for updates manually, every Wednesday or Thursday (Spybot is updated weekly, mostly on Wednesdays), using the separate Spybot updater link, then immunize, then check for problems. It's not nearly as effective as a commercial program that gets updated automatically on a daily basis and scans in real time, but it is better than nothing at all and does remove much of the malware in the wild.
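Item 7 above tells you to hover over a link and read the real destination in the status bar. The Python below, an added example that is not part of the original post, does the same check programmatically: it pulls the host out of the URL the link actually points to, reduces it to its registrable domain, and compares that with the domains you know for your institutions. The KNOWN_DOMAINS set, the sample links and the 150-character length threshold are constructed assumptions; the two-label domain rule is a simplification that a real checker would replace with a public suffix list.

```python
# Added example (not from the original post): check where a link really
# goes, the way hovering over it reveals the destination in the status bar.
# KNOWN_DOMAINS, the sample links and the length threshold are constructed.
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed: registrable domains the reader knows for their institutions.
KNOWN_DOMAINS = {"bank.example", "paypal.example", "ebay.example"}

# Constructed: links longer than this bury the destination in noise.
LONG_LINK = 150


def destination_host(url: str) -> str:
    """Return the lowercased host an http(s) URL actually connects to.

    urlsplit ignores the path and query, which is where a long, confusing
    link keeps its decoy text; only the host decides where you end up.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return parts.hostname


def registrable_domain(host: str) -> str:
    """Last two labels of the host: www.login.bank.example -> bank.example.

    Simplification (assumption): a real checker uses the public suffix
    list so that names such as bank.co.uk are handled correctly.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_link(displayed_text: str, href: str) -> tuple[str, str]:
    """Return ('ok' | 'suspicious' | 'invalid', explanation) for one link."""
    try:
        host = destination_host(href)
    except ValueError as exc:
        return "invalid", str(exc)

    domain = registrable_domain(host)
    if domain in KNOWN_DOMAINS:
        return "ok", f"destination {host} belongs to {domain}"

    reasons = [f"destination domain {domain} is not one of your known domains"]
    # Decoy check: the visible text or the rest of the URL names a known
    # domain, yet the link does not go there.
    mentioned = (displayed_text + " " + href).lower()
    for known in sorted(KNOWN_DOMAINS):
        if known in mentioned:
            reasons.append(f"mentions {known} but does not lead there")
    if len(href) > LONG_LINK:
        reasons.append(f"{len(href)} characters long, real host is buried")
    if all(label.isdigit() for label in host.split(".")):
        reasons.append("destination is a bare IP address")
    return "suspicious", "; ".join(reasons)


if __name__ == "__main__":
    # Constructed sample links, not real messages.
    samples = [
        ("Log in to online banking", "https://www.bank.example/login"),
        ("https://bank.example/secure",
         "http://198.51.100.7/bank.example/secure/" + "x" * 200),
        ("Update your account", "javascript:void(0)"),
    ]
    for text, href in samples:
        verdict, why = assess_link(text, href)
        print(f"{verdict:10} {text!r}: {why}")
```

The same comparison applies to the address bar after you have clicked: whatever the page looks like, the host shown there is where your password will be sent.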

May 14, 2008

Spybot Search and Destroy Definitions Updated on 5/14/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on May 14, 2008:

Adware
++ CliprexDivXPlayer
++ CliprexDVDRipper

Hijackers
+ Inet Delivery

Keyloggers (Keyloggers steal your logins and passwords)
+ KGBKeylogger

Malware Includes fake anti-virus and anti-spyware programs, like VirusHeat
++ BPS.Gen
++ Fraud.Antivirus2008
+ ISearchTech
+ MagicControl.Agent
+ Rogue.IEAntivirus
++ Rogue.ScanAndRepair2007
+ Smitfraud-C.
+ SpyShredder
++ Themida.Bot.tsj
+ Vario.AntiVirus
+ VirusHeat
++ Win32.Agent.kmf
+ Win32.BHO.je

PUPS Possibly Un(popular|wanted) Software
+ CliprexDVDPro

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans Includes 1 new Zlob* Trojan detection
+ Banker.PorSMTP
+ ShudderLtd.AntiVirusPro
+ Smitfraud-C.MSVPS
++ Win32.Agent.cn
++ Win32.Agent.esq
++ Win32.Agent.qwq
+ Win32.Delf.eq
++ Win32.Konik
++ Win32.SlhClient
++ Win32.Small.dv
++ Win32.Small.imu (2)
++ Win32.Systembin
+ Zlob.Downloader.vdt

Total: 607566 fingerprints in 158897 rules for 3918 products!

False positive detections fixed this week:
A false positive detection of SpyBossPro in ijl11.dll has been fixed.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

May 7, 2008

Malware threat from fake MP3 files and fastmp3player.com

There is a new malware threat in the wild circulating among various file sharing networks. The threat is spread by duping file sharing users into downloading fake mp3 audio and mpeg movie files, which have very enticing filenames (some listed below in extended comments). All of these fake files have very small file sizes, which should be a giveaway that something is wrong with them. Despite that fact, almost 400,000 PCs are now infected in just a few days, after their users downloaded and opened some of these rigged files.

When a file sharing user double-clicks to play one of these files they get a surprise. Instead of seeing a movie or hearing a music file they are presented with a browser page that displays an EULA of about 4800 words. The scam tells them that they must install a special media player from fastmp3player.com to play back the file they are trying to hear or see. Upon agreeing to the EULA the user is redirected to fastmp3player.com, where a file download box appears for a file named (at this time) "PLAY_MP3.exe." This file installs two separate adware and spyware applications: "FBrowsingAdvisor" and "SurfingEnhancer."
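The giveaway the post points out, tiny files that claim to be songs or movies, can be checked before anything is double-clicked. The following Python is an added example, not code from the original post or from any vendor: it compares the first bytes of a file with what its extension claims and flags files far too small to be real media. The file contents and names, and the size thresholds in MIN_SIZE, are constructed sample values.

```python
# Added example (not from the original post): triage a downloaded "media"
# file by its header bytes and size before anyone double-clicks it.
# Sample contents, names and the MIN_SIZE thresholds are constructed.
from dataclasses import dataclass, field

# Constructed thresholds: a real song or movie is far larger than this.
MIN_SIZE = {"mp3": 100 * 1024, "mpg": 1024 * 1024, "mpeg": 1024 * 1024}

# What each claimed extension should really look like inside.
EXPECTED = {"mp3": {"mpeg-audio"}, "mpg": {"mpeg-video"}, "mpeg": {"mpeg-video"}}

# Magic bytes at offset 0 for the formats involved.
SIGNATURES = [
    ("mpeg-audio", b"ID3"),                          # MP3 carrying an ID3v2 tag
    ("mpeg-video", b"\x00\x00\x01\xba"),              # MPEG program stream pack header
    ("mpeg-video", b"\x00\x00\x01\xb3"),              # MPEG video sequence header
    ("asf", b"\x30\x26\xb2\x75\x8e\x66\xcf\x11"),     # ASF container (WMA/WMV)
    ("windows-exe", b"MZ"),                           # DOS/PE executable
]


def identify(header: bytes) -> str:
    """Guess the real format from the first bytes of a file."""
    for kind, magic in SIGNATURES:
        if header.startswith(magic):
            return kind
    lowered = header[:16].lower()
    if lowered.startswith(b"<!doctype html") or lowered.startswith(b"<html"):
        return "html"
    # Raw MP3 with no tag: the first frame starts with 11 sync bits set.
    if len(header) >= 2 and header[0] == 0xFF and (header[1] & 0xE0) == 0xE0:
        return "mpeg-audio"
    return "unknown"


@dataclass
class Verdict:
    name: str
    claimed: str      # extension the file name claims
    actual: str       # format the header bytes indicate
    size: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage(name: str, data: bytes) -> Verdict:
    """Compare what the name claims with what the bytes show."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    verdict = Verdict(name, ext, identify(data[:16]), len(data))
    if ext in EXPECTED and verdict.actual not in EXPECTED[ext]:
        verdict.reasons.append(f"named .{ext} but content looks like {verdict.actual}")
    if ext in MIN_SIZE and len(data) < MIN_SIZE[ext]:
        verdict.reasons.append(f"{len(data)} bytes is far too small for a .{ext} file")
    return verdict


# Constructed sample files (bytes built in memory, not real downloads).
SAMPLES = {
    "album_track.mp3": b"ID3\x04\x00\x00" + b"\x00" * (200 * 1024),        # plausible MP3
    "hit_single.mp3": b"ID3\x04\x00\x00" + b"\x00" * 3000,                 # far too small
    "new_movie.mpg": b"MZ\x90\x00\x03" + b"\x00" * 5000,                   # executable in disguise
    "concert.mp3": b"\x30\x26\xb2\x75\x8e\x66\xcf\x11" + b"\x00" * 4000,   # ASF, not MP3
}


def triage_all(samples=SAMPLES):
    """Run the check over every sample and return the verdicts by name."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, v in triage_all().items():
        status = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{status:10} {name}: header says {v.actual}, {v.size} bytes; "
              f"{'; '.join(v.reasons)}")
```

A header check like this only catches files that are not what they claim to be; a real but booby-trapped media file needs the anti-virus scanner the next section recommends.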

Apparently, in samples that have been analyzed in the last two days, these attacks are specifically designed to work in the Firefox browser. If Firefox is not found on the victim's computer, they will get a Windows error message and will be urged to download and install Firefox.

Most major anti-virus and anti-spyware companies can already detect and remove this threat, which has been elevated to "medium threat" status by McAfee for home users.

People who like to obtain copyrighted music or movies without paying a fair price for a licensed copy are left at risk from botmasters looking to increase their botnets, and criminals using affiliate programs to earn commissions for installing spyware and adware onto as many computers as possible.

What you can do to protect your computer from this threat.

  1. Stop using file sharing programs like LimeWire or Kazaa, or others that allow people to distribute (share) copyrighted works illegally. They are riddled with malware files of all sorts. Instead, use one of the legitimate music or movie websites, like Apple's iTunes, Real Rhapsody, or Napster.

  2. Install a modern, legitimate anti virus program that offers multiple daily updates and set it to receive automatic updates every hour. If you can't set it to an hourly schedule then run a manual check for updates as often as you think about it. Or, use Windows Task Scheduler to run the updater executable every hour. Reputable anti virus companies include Trend Micro, Symantec, McAfee, NOD32 and AVG.

  3. Install a reputable anti spyware program and keep it updated as often as possible. Recommended companies include PCTools Spyware Doctor, Webroot's Spy Sweeper, Trend Micro PC-cillin, Lavasoft's Ad-Aware and anti-virus, and Spybot Search and Destroy.

  4. Scan for threats every day, before you get busy online, or every night, before you turn off the computer for the night.

Spybot Search and Destroy Definitions Updated on 5/7/2008

Spybot Updates - published every Wednesday

Additions made on May 7, 2008:

Hijackers
+ SearchALot

Keyloggers (Keyloggers steal your logins and passwords)
+ SpyBossPro

Malware Includes fake anti-virus and anti-spyware programs
++ Delf.12.an (2)
++ Fake.SecurityAlert
+ MalwareBell
++ MalwareCore
++ Win32.Agent.cs
+ Win32.BHO.je (3)
+ Win32.Renos
++ WinIFixer

PUPS Possibly Un(popular|wanted) Software
+ Enter.Casino.PT

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
+ Conducent.TimeSink

Trojans Includes 5 new Zlob* Trojan detections
++ CNNIC.cn
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
++ Win32.Agobot.aoi
++ Win32.Tibia.de
++ Win32.VB.bks
++ Win32.VB.me
+ Win32.Zhelatin.ah (a.k.a: Storm Trojan)
++ Zlob.Downloader.fvn
++ Zlob.Downloader.jau
++ Zlob.Downloader.vat
+ Zlob.Downloader.vdt
+ Zlob.ZipCodec

Total: 595073 fingerprints in 154556 rules for 3893 products!
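Both weekly lists above (May 14 and May 7) use the same notation: "+" marks an updated detection, "++" a brand new one, and a trailing "(n)" the number of variants bundled in that detection. The Python below is an added example (not from the original post or from Safer Networking) that parses that format into records and counts new versus updated detections per category; the SAMPLE text is an excerpt copied from the May 7 list, and treating the first word of a non-entry line as the category name is an assumption about the layout.

```python
# Added example (not from the original post or from Safer Networking): parse
# the weekly "Additions" list into records and summarise it. SAMPLE is an
# excerpt of the May 7, 2008 list above; treating the first word of any
# other line as the category name is an assumption about the layout.
import re
from collections import Counter

ADDITIONS_RE = re.compile(r"^Additions made on (.+):$")
ENTRY_RE = re.compile(r"^(\+\+|\+)\s+(.+?)(?:\s+\((\d+)\))?$")       # "++ Name (n)"
ALIAS_RE = re.compile(r"^(.+?)\s+\(a\.k\.a:?\s*(.+)\)$")              # "Name (a.k.a: Other)"
TOTAL_RE = re.compile(r"^Total:\s+(\d+) fingerprints in (\d+) rules for (\d+) products")


def parse_update_list(text):
    """Return (entries, meta).

    Each entry: category, name, alias (or None), status 'new' for "++" or
    'updated' for "+", and variants (the "(n)" count, 1 when absent).
    meta carries the list date and the fingerprint/rule/product totals.
    """
    entries, meta, category = [], {"date": None, "totals": None}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ADDITIONS_RE.match(line):
            meta["date"] = m.group(1)
            continue
        if m := TOTAL_RE.match(line):
            meta["totals"] = dict(zip(("fingerprints", "rules", "products"),
                                      map(int, m.groups())))
            break                            # the Total line closes the list
        if m := ENTRY_RE.match(line):
            marker, name, count = m.groups()
            alias = None
            if a := ALIAS_RE.match(name):    # parentheses that are not a count
                name, alias = a.groups()
            entries.append({"category": category, "name": name, "alias": alias,
                            "status": "new" if marker == "++" else "updated",
                            "variants": int(count) if count else 1})
            continue
        category = line.split()[0]           # assumption: header = first word
    return entries, meta


def summarize(entries):
    """Per category: how many new and updated detections, and total variants."""
    summary = {}
    for e in entries:
        c = summary.setdefault(e["category"], Counter())
        c[e["status"]] += 1
        c["variants"] += e["variants"]
    return summary


# Excerpt copied from the May 7, 2008 list above (headers and entries verbatim).
SAMPLE = """
Additions made on May 7, 2008:

Hijackers
+ SearchALot

Malware Includes fake anti-virus and anti-spyware programs
++ Delf.12.an (2)
++ Fake.SecurityAlert
+ MalwareBell
++ MalwareCore
++ Win32.Agent.cs
+ Win32.BHO.je (3)
+ Win32.Renos
++ WinIFixer

Trojans Includes 5 new Zlob* Trojan detections
++ CNNIC.cn
+ Win32.Zhelatin.ah (a.k.a: Storm Trojan)
++ Zlob.Downloader.fvn
+ Zlob.ZipCodec

Total: 595073 fingerprints in 154556 rules for 3893 products!
"""

if __name__ == "__main__":
    entries, meta = parse_update_list(SAMPLE)
    print(meta)
    for category, counts in summarize(entries).items():
        print(f"{category}: {counts['new']} new, {counts['updated']} updated, "
              f"{counts['variants']} variants")
```

Keeping the parsed names week over week is a cheap way to tell whether a family that hit your machines (Zlob, Smitfraud-C, Virtumonde) is still being reworked by its authors.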

False positive detections fixed this week:
False positives for "ContraVirus" and "VirusBlast" have been fixed with this week's definition updates. Also removed from the immunizations list is Hotlinkfiles.com. This was done after they implemented anti-malware scanning of all uploaded files.

* The "Zlob Trojan" is a common infection that has been in the wild since 2005. It is often downloaded intentionally by people who are tricked into thinking that they are installing some missing ActiveX video codec, or other (Java) application, needed to view a presentation or pornographic movie. Once installed on the target computer, the Zlob Trojan allows hackers to deliver all manner of downloaders, adware, fake anti-spyware and backdoor components to it. The Zlob family of Trojans is constantly modified by its maintainers to try to avoid detection by anti-malware applications. These criminals earn commissions for every computer they infect with Zlob and its companion products. Spybot Search and Destroy can detect and remove most known variants of the Zlob Trojans, with new definitions being released every Wednesday to detect the latest incarnations of Zlob.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.

After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).

Another problem being reported is that some versions of Spybot S&D stop with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3, which have only been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but will also be performing rootkit searches while doing a Spybot "Check for problems".

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your hidden System Restore folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point on a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.
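The same disable, reboot, clean, re-enable cycle, scripted with the built-in PowerShell System Restore cmdlets (Windows 7 and later; the dialog steps above are for Windows XP). This is an added example, not code from the original post; the -Phase parameter and the function name are my own.

```powershell
# Added example: scripted version of the System Restore cycle described above.
# Uses the built-in cmdlets Get-ComputerRestorePoint, Disable-ComputerRestore,
# Enable-ComputerRestore and Checkpoint-Computer (Windows 7 and later).
# The -Phase parameter and Test-IsAdministrator are my own; run elevated.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Disable', 'Enable')]
    [string]$Phase,

    [string]$Drive = 'C:\'
)

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsAdministrator)) {
    throw 'System Restore can only be changed from an administrator (elevated) session.'
}

switch ($Phase) {
    'Disable' {
        # Record what is about to be thrown away: every existing restore point,
        # including any that captured malware files and startup entries.
        $points = @(Get-ComputerRestorePoint)
        Write-Host ("Deleting {0} existing restore point(s) on {1}" -f $points.Count, $Drive)
        $points | ForEach-Object {
            Write-Host ("  #{0}  {1}  {2}" -f $_.SequenceNumber,
                $_.ConvertToDateTime($_.CreationTime), $_.Description)
        }

        # Turning System Restore off discards all restore points on that drive.
        Disable-ComputerRestore -Drive $Drive
        Write-Host 'System Restore is off. Reboot now, then run your scanners (Spybot S&D etc.).'
        Write-Host 'When the machine is clean, run this script again with -Phase Enable.'
    }
    'Enable' {
        # Only re-enable protection once the machine has been cleaned, then set a
        # fresh baseline so future restores start from a known-good state.
        Enable-ComputerRestore -Drive $Drive
        Checkpoint-Computer -Description 'Clean baseline after malware removal' `
            -RestorePointType 'MODIFY_SETTINGS'
        $latest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
        Write-Host ("System Restore is on again; new restore point #{0}: {1}" -f
            $latest.SequenceNumber, $latest.Description)
    }
}
```

On Windows 8 and later, Checkpoint-Computer silently skips creating a restore point if one was already created in the previous 24 hours, so check the listed sequence number before trusting the new baseline.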

In the event that Spybot mistakenly removes one or more files due to a faulty detection update (a.k.a. a False Positive), you can restore them from the program itself. Just click on the "Recovery" button, which looks like a first aid kit with a red cross on it, then locate the item(s) you wish to restore. Click on the select box(es) to the left of the detection name(s) to place a check mark in them, then click on "Recover selected items." The files and/or registry entries will be put back where they were deleted from. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering whether it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers', computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as individuals who benefit from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.


May 4, 2008

My Spam analysis for April 28 - May 4, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

In the beginning of this series I was using MailWasher Pro filters exclusively to detect and delete incoming spam email. Since then I have instituted email spam filters on my website's mail server, which has greatly reduced the amount of spam I see at all. The balance that does get through is identified and either flagged as spam, or instantly deleted, by my POP3 mail anti-spam tool, MailWasher Pro. MailWasher Pro identifies what is spam by a combination of methods, including the use of custom written personal spam filter rules. I have created a large assortment of spam filters which "plug in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

My analysis of this week's spam shows that male enhancement pills, Viagra and other pharmaceuticals occupy the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes, pirated software and Google redirect exploits to fake "video codecs" (e.g. the Zlob Trojan and other Trojan Horse executables) falling further behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days come from zombie computers, used as spam relays, in various Botnets.

As is usually the case, the category "Other Filters" has the second largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some lottery and financial fraud and phishing scams. The spam main categories that rated a measurable percentage are listed below.

The current percentage of identified spam that made it through the filters on my mail server is 38% for the week ending May 4, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)

MailWasher Pro spam category breakdown for April 28 through May 4, 2008.
Male enhancement spam (subject and body): 23.86%
Other filters: (See my MWP Filters page) 21.59%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills): 12.50%
Counterfeit clothing and shoes: 13.64%
Counterfeit Watches: 7.95%
Blacklisted (by pattern matching): 7.95%
Pirated Software: 5.68%
Nigerian 419 Scams: 3.41%
Google Redirect Exploits (to hostile downloads): 3.41%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.