Spybot Search and Destroy Definitions Updated on 7/30/2008
If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.
If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.
If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.
* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."
Spybot Updates - published every Wednesday
News Flash!
Spybot Search and Destroy 1.6 was released on July 8, 2008. Upgrade now! Read more about it in my extended comments.
Additions made on July 30, 2008:
Dialer (Dialers silently try to use your modem to call pay per minute numbers in foreign countries)
+ Carima Enterprises
+ Coulomb Ltd.Content Access Plugin
Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
+ PerfectKeylogger
Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts)
+ FakeAlert.cc
+ Fraud.XPAntivirus (2)
+ Smitfraud-C.
++ Smitfraud-C.bs
+ Smitfraud-C.gp
++ SpyGuarder
+ Vcodec.eMedia
+ Win32.BHO.je
++ Win32.Delf.ayz (2)
++ Win32.Small.mz
+ WinSpywareProtect
PUPS (Possibly Unpopular Software or Unwanted Programs)
++ LuckyToolBar
Security
+ Microsoft.Windows.AppFirewallBypass
Spyware
++ SpyArsenal.HomeKeyLogger
Trojans
++ Backdoor.Catfriend
++ FakeUPSInvoice
++ Haxdoor.hm
+ Hupigon13
+ IRC.Zapchast
+ Smitfraud-C.MSVPS
++ Synatix.Peppi
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.sxi
++ Win32.AutoRun.beh
++ Win32.Brontok
+ Win32.Exchanger.ch
++ Win32.GipWizard
++ Win32.Papras.en
++ Win32.VB.lu
++ Win32.VB.PW
+ Zlob.Downloader.wet
+ Zlob.Downloader.vdt
++ Zlob.Downloader.tfr
+ Zlob.HomepageMonitor
Total: 1049809 fingerprints in 270679 rules for 4101 products.
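To make the listing convention explained above concrete, here is an added example (my own PowerShell, not code from Team Spybot or from the original notice) that parses an update notice in this format into objects and summarizes, per category, how many detections are brand new (++) versus updated (+) and how many variants they cover. The excerpt it works on is a constructed sample taken from the entries above.

```powershell
# Added example: parse a Spybot definition-update notice. An unprefixed line
# starts a category, "++ name" is a new detection, "+ name" an updated one,
# and a trailing "(n)" is the number of variants covered by that detection.
# The text below is a constructed excerpt of this week's list.
$notice = @'
Malware (Includes rogue or fake anti-virus and anti-spyware programs)
+ FakeAlert.cc
+ Fraud.XPAntivirus (2)
++ Smitfraud-C.bs
Trojans
++ Backdoor.Catfriend
+ Virtumonde.dll
++ Win32.Delf.ayz (2)
'@

function ConvertFrom-SpybotNotice {
    param([Parameter(Mandatory)][string]$Text)
    $category = $null
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if (-not $line) { continue }
        if ($line -match '^(\+{1,2})\s+(.+?)(?:\s+\((\d+)\))?$') {
            [pscustomobject]@{
                Category = $category
                Name     = $Matches[2]
                Status   = if ($Matches[1] -eq '++') { 'new' } else { 'updated' }
                Variants = if ($Matches[3]) { [int]$Matches[3] } else { 1 }
            }
        } else {
            # Category header; drop the parenthetical description, if present
            $category = ($line -replace '\s*\(.*$', '')
        }
    }
}

$entries = ConvertFrom-SpybotNotice -Text $notice

# One line per category: new vs. updated detections and total variant count
$entries | Group-Object -Property Category | ForEach-Object {
    $new = @($_.Group | Where-Object { $_.Status -eq 'new' }).Count
    $upd = @($_.Group | Where-Object { $_.Status -eq 'updated' }).Count
    $var = ($_.Group | Measure-Object -Property Variants -Sum).Sum
    '{0}: {1} new, {2} updated, {3} variants in total' -f $_.Name, $new, $upd, $var
}
```

Paste a full week's notice into `$notice` (or read it with `Get-Content -Raw`) to get the same summary for every category; the "Total:" line and other non-matching text simply become categories with no entries and can be ignored.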
False positive detections reported or fixed this week:
False positive registry entry detections of "TacOnlyOne" and "WinSpywareProtect" that have been reported were fixed in this week's F/P updates.
Spybot 1.6.0.30 with updates of 2008.07.23 on an XP Pro SP2 machine gives a false positive for c:\windows\pkzipc.exe (command line zip utility, version 4.00) as Win32.Agent.aou. It was fixed in the July 30 updates.
The website securitylab.ru was removed from the HOSTS file blocklist with this week's updates.
A false heuristic scanning infection indication within the Mozilla Firefox v3.0.1 installer package was fixed this week.
If you are still using Spybot S&D 1.3, or 1.4, please read this!
I have read several false positive reports regarding CoolWWWSearch.hjg and HellzLittleSpy from people still using the old versions 1.3 and 1.4 of Spybot Search and Destroy. I must stress that you cannot trust these versions to be 100% accurate when updated with current definitions. In fact, the opposite appears to be true; they are producing false positive detections with recent updates.
These are false positives which occur because Spybot 1.3 is outdated and does not understand the more complex rules made for 1.5.2 and newer. Apply the main update that shows up within the internal updater to upgrade to 1.6.x.
If your computer gets stuck in a logon/logoff loop, after updating and scanning with these older versions of Spybot, visit this forum page for a solution, from Team Spybot.
If you are using any version older than 1.5.2, please upgrade to the current version of Spybot S&D, which is now 1.6.0.
If you get an alert about one of these detections for a file you think is legitimate, you should submit it to Team Spybot for analysis.
Spybot Search & Destroy version 1.6.0, the latest release, is compatible with Windows Vista, features a nicer interface, and has a separate updater window and application. It scans for threats much faster than 1.5.2 does. If you are still using version 1.3 or 1.4, I strongly recommend that you update to 1.6.x, using the company links below. These older versions are giving more frequent false positives than ever before.
Spybot S&D is compatible with all versions of Windows from Windows 95 upward. Note that, starting with Windows NT onward, installing, un-installing and immunizing the program will require administrator privileges. From Windows 2000 onward this can be done by less privileged users via the right-click "Run As" command. Vista requires Administrator rights to run the program, so elevate your privileges to update and immunize.
Spybot S&D can run in Linux if you have Wine installed.
There is no support for Mac OS at this time.
Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.
After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).
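The HOSTS immunization mentioned above works by pinning known-hostile host names to the loopback address so the browser can never reach them. The PowerShell below is an added example of my own (not Spybot's code) that reads a HOSTS file, lists every name that is sinkholed this way, and checks whether a given host is blocked; it runs here on a constructed sample and takes -Path "$env:SystemRoot\System32\drivers\etc\hosts" for the real file. The host names in the sample are made up; the marker comment is not the one Spybot writes.

```powershell
# Added example: inspect a Windows HOSTS file for immunization-style entries.
# Constructed sample content (not a real Spybot HOSTS block):
$sampleHosts = @'
# constructed sample
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.invalid
127.0.0.1       www.example-dialer.invalid   # blocked dialer site
0.0.0.0         example-rogue-av.invalid
192.168.1.10    fileserver.lan
'@

function Get-HostsBlocklist {
    param([string]$Path, [string]$Content)
    if ($Path) { $Content = Get-Content -Path $Path -Raw }
    foreach ($line in ($Content -split "`r?`n")) {
        $line = ($line -replace '#.*$', '').Trim()     # strip comments
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }          # malformed line
        $ip    = $fields[0]
        $names = $fields[1..($fields.Count - 1)]
        # Loopback or unspecified address means "sinkhole this name"
        if ($ip -in '127.0.0.1', '0.0.0.0', '::1') {
            foreach ($n in $names) {
                if ($n -ne 'localhost') {
                    [pscustomobject]@{ Name = $n; Target = $ip }
                }
            }
        }
    }
}

function Test-HostBlocked {
    param([Parameter(Mandatory)][string]$HostName,
          [Parameter(Mandatory)]$Blocklist)
    # -eq is case-insensitive in PowerShell, which suits host names
    [bool]($Blocklist | Where-Object { $_.Name -eq $HostName })
}

$blocklist = Get-HostsBlocklist -Content $sampleHosts
$blocklist | Format-Table -AutoSize

Test-HostBlocked -HostName 'ads.example-tracker.invalid' -Blocklist $blocklist   # True
Test-HostBlocked -HostName 'securitylab.ru' -Blocklist $blocklist                # False
```

Run it against the real file after this week's update and `securitylab.ru`, which was removed from the blocklist, should come back False; any affiliate-network domain you need for your own accounts should also come back False, otherwise the immunization is what is breaking your logins.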
Another problem being reported is that when you run some versions of Spybot S&D it stops with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that have only been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but will also be performing rootkit searches while doing a Spybot "Check for problems".
English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History
See all security program update notices in this category
A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from where they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.
To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.
When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.
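The same disable, reboot, clean, re-enable sequence can be scripted on newer Windows versions. The following is an added example of my own (not Spybot's), and it assumes Windows 7 or later, where the Disable-ComputerRestore, Enable-ComputerRestore, Checkpoint-Computer and Get-ComputerRestorePoint cmdlets exist; XP and Vista have no such cmdlets, so use the System Properties dialog described above on those systems. Both functions must run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: System Restore off before cleanup, back on (with a fresh
# restore point) after. Assumes Windows 7+ PowerShell cmdlets.

$SystemDrive = $env:SystemDrive + '\'     # normally "C:\"

function Disable-RestoreBeforeCleanup {
    # Turning System Restore off discards the existing restore points,
    # including any that hold copies of malware files and startup settings.
    Disable-ComputerRestore -Drive $SystemDrive
    Write-Host "System Restore is off for $SystemDrive. Reboot, then run the Spybot scan and remove everything it finds."
    # Restart-Computer   # uncomment to reboot from here
}

function Enable-RestoreAfterCleanup {
    # Re-enable protection and immediately record a known-clean state.
    Enable-ComputerRestore -Drive $SystemDrive
    Checkpoint-Computer -Description 'Clean after Spybot scan' -RestorePointType MODIFY_SETTINGS
    # Show the newest restore point so you can confirm it was created
    Get-ComputerRestorePoint |
        Sort-Object -Property SequenceNumber -Descending |
        Select-Object -First 1 -Property SequenceNumber, Description, CreationTime
}

# Usage (two separate sessions, with the reboot and the scan in between):
#   Disable-RestoreBeforeCleanup
#   ... reboot, update Spybot, scan, fix all problems ...
#   Enable-RestoreAfterCleanup
```

One caveat for the re-enable step: from Windows 8 onward Checkpoint-Computer silently skips creating a restore point if another one was created within the previous 24 hours, so check the `Get-ComputerRestorePoint` output rather than assuming the checkpoint exists.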
In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.
For those of you who have not yet used Spybot Search and Destroy, if you were wondering whether it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers', computers.
Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.
Finally, as individuals who benefit from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.