Spybot Search & Destroy updates for Oct 28, 2009
Spybot Search & Destroy is a free (for personal, non-business use) anti-spyware/spyware removal program used by millions of people around the world to protect their computers from spyware, adware, Trojans and other types of malware. Spybot's malware detection updates are released every Wednesday, and this week's updates were released on schedule. If you use Spybot S&D to protect your computer, check for updates every Wednesday afternoon and apply all that are available.
Malware writers constantly modify their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with them. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The latest updates were released on schedule on October 28, 2009, as listed below. 14 new or modified entries, most of them fake security programs (fraudulent antivirus/anti-spyware), were added to the "Malware" detections, and 11 new or modified Trojans, rootkits and spam bots were added to the "Trojans" list.
Updating Spybot Search and Destroy
Before you update Spybot Search and Destroy, make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, spybot.info, or from its alternate domain, Safer-Networking.org. Fake programs with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).
In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (for Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as they are, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world from which you can download updates. Select the location nearest to you and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as correct, the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirrors have not yet received all of the definitions, and you will get a red X for those definitions. Click on "Go Back," select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."
You can also download the latest definition includes file on a clean PC, save it to a removable disk or drive, and install it into the Spybot S&D program while the infected PC is offline. This lets you disinfect a PC that cannot currently get online, cannot reach security websites for updates (because Conficker or similar malware blocks them), or has other networking problems. The downloaded definition includes file looks for a typical Spybot installation location and updates it immediately, as long as the program is closed during the update.
Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".
The descriptions of the latest definition updates and false positive fixes are in my extended comments.
Additions to Spybot S&D malware definitions made on Oct 28, 2009:
Programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection.
Hijacker
+ CoolWWWSearch.Svchost32
Malware
++ BPS.AdwareEraser
+ CoolWWWSearch.OleHelp
++ Fraud.ActiveSecurity
++ Fraud.PCScout
++ Fraud.SecurityTool
++ Fraud.SoftCop
++ Fraud.SoftSoldier
++ Fraud.SoftVeteran
++ Fraud.TREAntivirus
+ Lop
+ Win32.Agent.chh
++ Win32.Autorun.Protector
+ Win32.FraudLoad.edt
++ Win32.VB.svh
Security
+ Microsoft.Windows.RedirectedHosts
Trojans
+ Fake.FlashPlayer
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.FraudLoad.pd
++ Win32.OnLineGames.ufye
++ Win32.OnLineGames.ugek
++ Win32.OnLineGames.uncy
++ Win32.OnLineGames.urst
+ Win32.Rungbu.a
+ Win32.TDSS.reg
+ Win32.ZBot
Total: 1602285 fingerprints in 569618 rules for 4997 products.
False positive detections reported, discussed, or fixed this week:
Two possible new false positives were reported this week. However, if you are still using an older version of Spybot, you are likely to see false positives of all kinds. By old version I mean any version that is not the most current release (see below). The Spybot engine changes substantially with each new release, to help it deal with stubborn new types and variations of modern spyware, and an outdated engine misreads the current definitions.
Two people reported that they received a TeaTimer (Resident) notification that cygrunsrv.exe and tail.exe, part of the Cygwin program, contained Fraud.SoftCop. The same detection was reported after they downloaded fresh setup files for Cygwin from the maker. This is new and not resolved as of this posting time.
There is a confirmed false positive detection in Setup Factory 6.0, where "TeamTaylor.ScreenSaver" was detected in irunin.bmp and irunin.lng. This has been fixed with today's updates.
There is an unresolved possible false positive detection of a Trojan in C:\Windows\System32\winsys2.exe. The reporter stated that this file is the executable associated with the MSI graphics card tools utility. The file was sent to Team Spybot for analysis two weeks ago, but they have not posted their findings. If you also get this file reported as a Trojan, report it in the thread about this file on the Spybot False Positives forum.
Note: Spybot 1.5.x is now an OLD version and is unreliable in detections and removals!
If you keep getting a report of "Virtumonde" in C:\Windows\System32\zipfldr.dll and you are running a version of Spybot S&D older than 1.6.2, it is a probable false positive. That is a legitimate Windows system file, and Windows File Protection restores it automatically if you delete it. Any version of Spybot older than 1.6.2.46 will give false positive detections of Virtumonde and other threats, because that engine is now outdated and cannot correctly read the new malware definitions. The fix: update to the current version of Spybot S&D!
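Before you delete or report a flagged system file like zipfldr.dll or winsys2.exe, it is worth checking whether the file itself looks legitimate. The PowerShell script below is an added example for this post (not Spybot's code and not from Team Spybot) that checks the Authenticode signature of each flagged file and computes its SHA-256 so you can compare it against the same file on a known clean PC. It assumes PowerShell 2.0 or later; the two paths are the ones discussed above, and winsys2.exe is included only as an illustration, since it may not exist on your machine.

```powershell
# Added example (not from the original post): triage files that Spybot flags
# before deleting them. Paths are the two named in this post; winsys2.exe is
# an illustration and will simply be reported as "not present" if absent.
$Flagged = @(
    "$env:SystemRoot\System32\zipfldr.dll",
    "$env:SystemRoot\System32\winsys2.exe"
)

foreach ($Path in $Flagged) {
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output "$Path : not present"
        continue
    }

    # Embedded Authenticode check. A valid Microsoft signature on a System32
    # file is strong evidence that a "Virtumonde" detection is a false positive.
    $Sig = Get-AuthenticodeSignature -FilePath $Path
    $Signer = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { "(none)" }

    # SHA-256 via .NET so this also runs on PowerShell 2.0 (Get-FileHash needs 4.0).
    # Compare the hash with the same file on a clean PC running the same Windows
    # version and service pack.
    $Stream = [System.IO.File]::OpenRead($Path)
    try {
        $Sha  = [System.Security.Cryptography.SHA256]::Create()
        $Hash = ($Sha.ComputeHash($Stream) | ForEach-Object { $_.ToString("x2") }) -join ""
    } finally {
        $Stream.Close()
    }

    # Caveat: most Windows system files are catalog-signed, not embedded-signed,
    # and Get-AuthenticodeSignature before PowerShell 5.1 does not consult catalogs,
    # so "NotSigned" on a System32 file means "verify another way", not "malicious".
    $Verdict = switch ($Sig.Status) {
        "Valid"     { "valid signature from $Signer; detection is probably a false positive" }
        "NotSigned" { "no embedded signature; compare the hash with a clean copy or run sfc" }
        default     { "signature status $($Sig.Status); treat with suspicion" }
    }

    Write-Output ("{0}`n  SHA-256: {1}`n  {2}" -f $Path, $Hash, $Verdict)
}
```

For a protected file that comes back "NotSigned", running sfc /scannow re-verifies the Windows File Protection set against the original installation media, which is the same mechanism that puts zipfldr.dll back when it is deleted. Keep the hash and signer output when you post to the False Positives forum; it saves Team Spybot a round trip.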
Some people running Windows 98 and ME have reported false positives of Virtumonde. They were not aware that using Spybot S&D on Windows versions older than Windows 2000 is no longer supported and is subject to many false positives and failed removals.
TeaTimer update issues and remedies:
TeaTimer cannot be updated with new definitions while it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:
Right click the (TeaTimer) Resident tray icon
Select "Reset lists"
If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.
When TeaTimer blocks a file, you can also allow the file to be executed (and remove the check mark for deletion). You can exclude any file from further detections during a scan by right-clicking the item in the Spybot S&D scan results and selecting "exclude this detection from further searches."
If you keep getting false positive detections and broken programs due to TeaTimer issues, try disabling that module. You can toggle TeaTimer off and on in Advanced Mode > Tools > Resident.
False Positives are reported and discussed in the Spybot S&D False Positives Forum.
As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.