How to use Spybot Search & Destroy to fight malware
About Spybot Search & Destroy
Spybot Search & Destroy (S&D), a product of Safer Networking Ltd., is a free ("donation-ware") security program that is used by millions of people to fight off spyware, keyloggers, Trojans, Botnet executables, adware, hostile domains, unwanted cookies and other types of malware in the wild. Being freeware it lacks some functions that are commonly implemented in commercial security programs. It has only manual updates, which are usually released once a week, on Wednesdays (see my regular weekly articles about new updates), and limited scanning presets. Most functions must be carried out manually, but hey, it's free! Despite these limitations Spybot S&D is a well respected and effective anti-malware tool to add to your arsenal.
Spybot Search and Destroy can be downloaded for free from either www.spybot.info or www.safer-networking.org, or from several official mirror sites. Don't fall for fake versions distributed by rogue anti-spyware websites. Approved download mirror sites are listed on the Spybot S&D downloads page.
Once downloaded you should install the program onto your hard drive. There are installation options to watch for, and the options you select will affect how the program behaves when launched. One of the installation options is for the "TeaTimer" module. This is a realtime monitoring component that sits in your System Tray and springs into action whenever a change is about to be made to the system, the Registry, or your browser's home or search page. It pops up little balloon alerts asking whether you want to allow or deny the change, or notifying you that a suspicious program file was terminated automatically. These balloon popups can be annoying at times, although you can tell TeaTimer to remember your decisions. Unfortunately, there have been several serious false positives reported in the Spybot forums concerning the TeaTimer module deleting harmless files necessary for the operation of other programs or Windows itself. Lately, these false positives are becoming fewer and further between. It is your choice whether you want to use the TeaTimer module. I would keep Windows System Restore turned ON in case TeaTimer renders an important program, or part of Windows itself, unusable. If Windows will no longer start normally, the "Last known good configuration" startup option (which rolls the Registry's service and driver settings back to those of the last successful boot) is a separate recovery route to try as well.
No matter which options you choose to install the program with, always select the option to update the program immediately. You can select or deselect all options later on, using the Advanced Mode. Once installed and updated it is time to Immunize, then scan for threats. These steps are described in my extended comments, along with download and forum links and more instructions about using Spybot Search and Destroy.
Updating Spybot Search and Destroy
Spybot S&D is updated once a week, on Wednesdays and you must download the updates manually. In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again.
The reason I recommend launching the Updater first and separately is that it sometimes downloads program updates to the main Spybot interface. The program needs to be closed and restarted for those changes to take effect.
The other method is to launch Spybot S&D from a desktop icon and use the "Search For Updates" button on the main interface. This launches the separate Updater box described above, where you can choose your download mirror and get the latest updates.
When all updates have completed successfully and have a green check mark next to them, click Exit to close the Updater. If you used the Update link from the program you can go on to the Immunize and Check for Problems steps. If you launched the Updater by itself, use your desktop link to launch the main program.
Immunizing and scanning with Spybot S&D
With the program updated it is time to open the main program interface, using either the Start Menu link or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want (or uncheck things like cookies, Hosts, or Domains, as you see fit), then click the Immunize button with the green cross above the right panel. Sometimes Spybot immunizes against cookies and domains that you may actually want to use. If you suddenly find you cannot log in, or cookies are missing, undo the most recent Immunizations, uncheck the items you want to keep, and re-immunize. Websites added to your Windows HOSTS file during immunization will be blocked completely, so if one of your preferred websites is blocked by Spybot S&D you will need either to edit that file in Notepad (it lives in %SystemRoot%\System32\drivers\etc; on Windows Vista or later, Notepad must be run as an administrator to save it, and it must be saved as HOSTS without any extension) or to uncheck Hosts in the Immunization list.
There is a button labeled "Undo" in the Immunization screen; it removes Immunization from the selected items. It is also possible to undo the "fixing" of items found during a scan by using the "Recovery" button in the left sidebar of the program interface. The Undo functions come in handy when the program has made a mistake (a false positive, or an item you actually want). Some programs are labeled as PUPS (Potentially Unpopular Programs) during a scan, but they may be useful to you; uncheck them before Fixing Problems. You can highlight any entry in the Problems Found list, right-click on it, and choose to Ignore it, or even exclude it from further detections.
UPDATE:
When I first published this article there was an ongoing issue where immunizing Internet Explorer 8.0 would cause that browser to crash upon opening. The remedy, at that time, was to undo immunizations of Domains and other items in Internet Explorer, leaving it vulnerable to attack. Microsoft has finally released a fix for this issue. The update was released on June 9th, 2009, the day before I wrote this, and I was unaware of this fact. If you experienced problems with IE8 and Spybot's immunization, please download update "KB969897" via Windows Update, or download a copy directly from Microsoft.
Update #2:
Part of the weekly updates to the Spybot S&D definitions are additions to, or removals from, the entries Spybot places in the Windows HOSTS file. That file maps hostnames to IP addresses before DNS is consulted, so Spybot blocks known-bad sites by mapping their hostnames to the local machine address 127.0.0.1; requests for them never leave your computer, and your browser displays an error page telling you that the page cannot be displayed. Spybot does not currently alert you when it is responsible for blocking a website via HOSTS entries, so many users are unaware that the program is blocking websites they may wish to visit. If you used to be able to go to some website and, after updating Spybot's definitions, you find that the page cannot be displayed, it may have been added to the HOSTS blocklist by Spybot updates. You can edit the file manually, in Notepad or in a HOSTS editor program, or uncheck the option for HOSTS in the Immunization list and re-immunize. That will remove all entries from HOSTS that were added by Spybot S&D.
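To find out whether a site that has stopped loading is being sunk by the HOSTS file, and whether the entry responsible sits inside the block Spybot adds during immunization (the situation described in the Immunize section above and in this update), here is an added Python example. It is not Spybot's own code and is not from the original article. It assumes Spybot brackets its entries with the marker comments shown in the code; check the exact wording in your own HOSTS file. The sample HOSTS text is constructed for the example, and the default path is the standard Windows location of the file.

```python
"""Inspect a Windows HOSTS file for hostnames that are sunk to the local
machine, and say whether each sits inside the block Spybot S&D inserts.

Added example (not Spybot S&D's code). The Spybot marker comments below are
an assumption about how the program brackets its entries; the sample HOSTS
text is constructed for this example.
"""
import os

# Assumed marker comments; check your own HOSTS file for the exact wording.
START_MARKER = "# Start of entries inserted by Spybot - Search & Destroy"
END_MARKER = "# End of entries inserted by Spybot - Search & Destroy"

# Mapping a hostname to one of these makes requests fail locally.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Loopback names that legitimately point at 127.0.0.1 and are not blocks.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Standard location of the file on Windows.
DEFAULT_HOSTS_PATH = r"%SystemRoot%\System32\drivers\etc\hosts"

# Constructed sample HOSTS file for this example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    intranet.example   # my own entry, not a block
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.bad-example.test
127.0.0.1 ads.bad-example.test tracker.bad-example.test
# End of entries inserted by Spybot - Search & Destroy
0.0.0.0 manually-blocked.test
"""


def parse_hosts(text):
    """Return (hostname, address, inside_spybot_block) for every mapping."""
    entries = []
    in_block = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped == START_MARKER:
            in_block = True
            continue
        if stripped == END_MARKER:
            in_block = False
            continue
        line = stripped.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2:  # blank line, or an address with no hostname
            continue
        address, hostnames = fields[0], fields[1:]
        for name in hostnames:  # one line may carry several hostnames
            entries.append((name.lower(), address, in_block))
    return entries


def blocked_by(text, hostname):
    """Return "spybot", "manual", or None for why hostname is unreachable."""
    wanted = hostname.lower()
    if wanted in LOOPBACK_NAMES:
        return None
    for name, address, in_block in parse_hosts(text):
        if name == wanted and address in SINKHOLE_ADDRESSES:
            return "spybot" if in_block else "manual"
    return None


def spybot_entries(text):
    """Sorted hostnames that the Spybot block currently sinks."""
    return sorted({name for name, address, in_block in parse_hosts(text)
                   if in_block and address in SINKHOLE_ADDRESSES})


def load_hosts(path=DEFAULT_HOSTS_PATH):
    """Read the live HOSTS file (expands %SystemRoot% on Windows)."""
    with open(os.path.expandvars(path), encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    for site in ("www.bad-example.test", "intranet.example", "manually-blocked.test"):
        print(site, "->", blocked_by(SAMPLE_HOSTS, site))
    print("Spybot block:", spybot_entries(SAMPLE_HOSTS))
```

Run it against `load_hosts()` instead of `SAMPLE_HOSTS` to check your real file. A result of "spybot" means unchecking Hosts in the Immunization list and re-immunizing will unblock the site, as the update above describes; "manual" means the entry is outside Spybot's block and must be removed by hand.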
After immunizing against unwanted items, click on the Search & Destroy icon on the left, then click "Check for problems" on the right side. It will take several minutes, or longer, to scan all your files for known threats, and for possible threats using heuristics (unless you disable heuristics in Advanced Mode > Settings). When the scan completes, anything matching the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, then right-click on the item name and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."
Sometimes Spybot S&D cannot delete "problems" that are active in memory, or which are protected by rootkits. In these instances the program will ask if you would like it to run automatically when you restart Windows. If you select Yes and restart, Spybot will launch as you log into your Windows user account and perform a complete scan before the desktop loads. During this time you cannot use the computer.
You can also reboot into Safe Mode by restarting and tapping the F8 key until the startup options menu appears. Choose Safe Mode, or Safe Mode With Networking if you need to download updates from there. Log into your user account, or the Administrator account, then scan for problems. Safe Mode loads only a minimal set of drivers and services, so many types of malware that persist as a service or driver will not start up there, and many a good fight is won in Safe Mode.
Additional Information about Spybot S&D and links
Spybot Search and Destroy has always been and continues to be free (although they do accept donations from grateful users!). If you clicked on a download link that claimed to be for Spybot S&D and found that you were required to pay to use the program, you have been tricked. Get out of there right now and go to the real Spybot S&D website, then download the authentic version. If you installed a fake version you may be infected, so update the real one and scan for malware.
Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti-malware engine in Spybot 1.6+ to be removed effectively. If you are using any version older than 1.6.2 you are strongly advised to uninstall it and install the newest version. It is advisable to undo all immunizations before uninstalling Spybot S&D, then redo them after updating signatures for the new version.
If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.
If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.
About False Positives
If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.
Finally, if you have opted to use the Spybot "TeaTimer" realtime monitor, you need to know that it has been subject to a lot of false positives recently. Most have occurred since the TeaTimer module was updated to version 1.6.6, a few months ago. Check with the Spybot S&D False Positives Forum before allowing TeaTimer to permanently delete any files. Further, just in case, tell it to save the deleted files so you can restore them after obtaining definition updates. If you cannot wait for updates to be released, tell TeaTimer to ignore the problem files, if they are known to be falsely flagged.
If you want to learn more about using the program, the complete Spybot S&D FAQ's are found here.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.