Spybot Search and Destroy Definitions Updated on August 5, 2009
If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on August 5, 2009, as listed below. Many new and altered fake security programs were added to the "Malware" detections, plus several new Trojans, rootkits and modified spam bots were added to the "Trojan" list.
Updating Spybot Search and Destroy
Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).
In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (for Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as they are, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world from which you can download updates. Select the location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions download and verify correctly, the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not yet received all of the definitions, and you will get a red X for those definitions. Click on "Go Back," select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."
You can also download the latest definition includes file from a clean PC and save it to a removable disk or drive, then install it into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot reach security websites for updates (because of Conficker or similar malware that blocks them), or that has other networking problems. The downloaded definition includes file will look for a typical Spybot installation location and update it immediately, as long as the program is closed during the updating process.
Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".
The description of the latest definition updates and false positive fixes are in my extended comments below.
Additions to malware definitions made on August 5, 2009:
All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection.
Dialer
+ eGroup.InstantAccess
Hijackers
+ W3adv
Malware (Includes rogue or fraudulent security programs, fake registry cleaners, and fake security alerts, plus other nasty programs)
+ BugDoctor
++ Fraud.AntiMalwareSuite
+ Fraud.AntivirusPlus
+ Fraud.AntivirusXP
++ Fraud.AVCare
++ Fraud.BadwareProtector
++ Fraud.BarracudaAntivirus
++ Fraud.HomeAntivirus2010
++ Fraud.PCSecurity2009
++ Fraud.ProtectionSystem
++ Fraud.SecurityMechanic
++ Fraud.SmartDefenderPro
++ Fraud.SmartProtector
+ Fraud.SystemGuard2009
+ Fraud.SystemSecurity
++ Fraud.USAntispy
+ Smitfraud-C.
++ Win32.Agent.sim
+ Win32.FraudLoad.edt
+ Winsoftware.WinAntiVirusPro2007 (Fraudulent anti virus - back from the dead!)
PUPS (Possibly UnPopular Software or Potentially Unwanted Program - user discretion advised)
+ GameVance
+ MyWay.MyWebSearch
Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors, malicious download agents and Rootkits.)
+ KillAV
+ Win32.Agent.fbx
++ Win32.Agent.sc
++ Win32.Agent.wndm
++ Win32.Clicker.lc
++ Win32.Fakealert.ttam
+ Win32.Joleee.K
++ Win32.Monopod
+ Win32.Podnuha.rtk
++ Win32.RBot.sv
++ Win32.TDSS.blk
+ Win32.TDSS.gen
++ Win32.VBInject
+ Win32.ZBot
Worm
++ Win32.vb.aas
Total: 1418423 fingerprints in 491056 rules for 4802 products.
False positive detections reported, discussed, or fixed this week:
A user has reported a possible false positive detection of "Smitfraud-C" in a file named Enlocstr.exe, which may belong to SoundBlaster XFi software. We should know more by this weekend, after the uploaded file has been tested.
A false positive detection of "Eblaster" in vbcards.dll (in the system32 directory) was confirmed and fixed with the updates of 8/5/09. That file belongs to the FreeCell card game.
Another frustrated visitor to the Spybot False Positives forum reported a possible false positive of EBlaster in C:\Windows\System32\dinput8.dll. Unfortunately, he deleted the file before learning how to email it to Team Spybot for analysis! While we may never know whether his particular file was infected with eBlaster, others may get this same detection. I Googled that file name and found that dinput8.dll is a DirectX DLL that handles DirectInput. It provides support for multimedia input devices such as joysticks and should NOT be disabled or deleted! If this detection occurs when you scan with Spybot, please restart your PC in Safe Mode, navigate to the location where that file resides, copy it, then paste it into a zip file and email it to detections(at)spybot.info.
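Before deleting any flagged file under System32, it is worth checking whether the copy on your disk is actually a genuine Windows component. The script below is an added example written for this article, not something from Team Spybot or the Spybot S&D program: it checks the Authenticode signature of the flagged DLL (Windows system DLLs are signed by Microsoft, either directly or through a security catalog), records its version and SHA-256 hash for the report, and packages a copy into a zip for submission, leaving the original in place. The default path of dinput8.dll and the output folder on the Desktop are assumptions you can change.

```powershell
# Added example (not from the original article or from Spybot S&D):
# triage a system DLL that a Spybot scan or TeaTimer has flagged, before
# deciding whether the detection is a false positive.
# Requires Windows PowerShell 5 or later (for Get-FileHash and Compress-Archive).
param(
    # Assumed defaults: the DLL from the forum report and a scratch folder.
    [string]$Path   = "$env:SystemRoot\System32\dinput8.dll",
    [string]$OutDir = "$env:USERPROFILE\Desktop\spybot-fp"
)

$file = Get-Item -LiteralPath $Path -ErrorAction Stop

# 1. Authenticode check. A genuine Microsoft DLL is signed (directly or
#    via a catalog) and the status comes back as "Valid". Anything else
#    (NotSigned, HashMismatch, UnknownError) means the file deserves a
#    closer look, but still do not delete it: send it in for analysis.
$sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
"Signature status : {0}" -f $sig.Status
if ($sig.SignerCertificate) {
    "Signer           : {0}" -f $sig.SignerCertificate.Subject
}

# 2. Version resource and hash, so the report (and a comparison against a
#    known-clean copy from the same Windows build) has something concrete.
$ver  = $file.VersionInfo
$hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
"Product          : {0} {1}" -f $ver.ProductName, $ver.FileVersion
"Description      : {0}" -f $ver.FileDescription
"SHA256           : {0}" -f $hash

# 3. Package a COPY for Team Spybot rather than touching the original.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Copy-Item -LiteralPath $file.FullName -Destination $OutDir -Force
$copy = Join-Path $OutDir $file.Name
$zip  = Join-Path $OutDir ("{0}-{1}.zip" -f $file.Name, $hash.Substring(0, 8))
Compress-Archive -LiteralPath $copy -DestinationPath $zip -Force
"Archive ready    : {0}" -f $zip
```

Run it from an elevated PowerShell prompt (or from Safe Mode with Command Prompt, as the article suggests), then attach the resulting zip to your email to Team Spybot together with the signature status and hash it printed. A "Valid" Microsoft signature on the flagged file is strong evidence of a false positive; a missing or mismatched signature is exactly the case the analysts need to see.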
After you update definitions to fix false positives, you must restart either TeaTimer or the computer. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:
Right click the (TeaTimer) Resident tray icon
Select "Reset lists"
If that fails as well, please read the rest of the things to try on this forum page, in replies #2 and #4.
When TeaTimer blocks the file, you can also allow the file to be executed (and remove the check mark for deletion). You can exclude any file from further detections during a scan by right-clicking the item in the Spybot S&D scan results and selecting "Exclude this detection from further searches."
If you keep getting false positive detections and broken programs due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on by switching to Advanced Mode > Tools > Resident.
False Positives are reported and discussed in the Spybot S&D False Positives Forum.
As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.