3 Apprentice

 • 

20.5K Posts

April 8th, 2009 06:00

Updates - April 8, 2009

Please refer to Calendar of Updates.

The Calendar of Updates is devoted to bringing you the latest information about new and upcoming updates for almost every security software.

If anyone would like to discuss a specific update, please reply in this topic.

3 Apprentice

 • 

15.3K Posts

April 8th, 2009 06:00

(Please note my comments in the lower portion of this post...)

SpyBot 2009-04-08
Malware
+ DNSFlush.cws + Fraud.AntiSpywarePro + Fraud.AntivirusPlus + Fraud.SysCleanerPro + Fraud.SystemGuard2009 + Fraud.SystemSecurity + Fraud.XPAntivirus + Goldun + Smitfraud-C. + Spambot.mib
Spyware
+ Win32.Iksmas.ai
Trojans
+ Virtumonde.atr + Virtumonde.sci + Virtumonde.sdn + Win32.Agent.pa + Win32.Bredolab.B + Win32.Buzus + Win32.KillAV-KQ + Win32.Rbot.fx + Win32.TDSS.pe + Win32.TDSS.qa + Win32.TDSS.rtk + Win32.ZBot + Zlob.VideoBox
Total: 1560284 fingerprints in 496663 rules for 4610 products

For those who use SpyBot's IMMUNIZATION** feature --- which, in my opinion, is the main reason for average* users (XP and earlier) to keep SpyBot around nowadays --- be sure to RE-immunize after updating.

(*):  I am also a "fan" of SpyBot's TeaTimer.   However, TeaTimer requires that the user respond to its occasional prompts to allow or deny various system changes.   Unless the user feels comfortable/confident doing so, it is preferable that a person NOT use TeaTimer, rather than risk using it haphazardly.

I do *NOT* advocate SpyBot for its scanner --- I believe MBAM and SAS are far superior.

EDIT:

(**):  Please be advised that there is currently an issue with SpyBot's Immunization of Restricted Sites slowing down IE8.   If you experience this problem, you will have to decide between the pros and cons, of extra protection vs. system slowdown.

Here's a "partial" solution:   SpyBot itself offers multiple layers of protection:  its SDHelper BHO for IE, its Immunization of Restricted Sites & Cookies (for specified/compatible browsers), and its HOSTS file protection (for all manners of internet access).   Admittedly, there are overlapping redundancies here, with each covering many of the same things.   Why?  Because, quoting PepiMK (the creator of SpyBot)  "There is malware attacking each layer, but rarely all [three], so we prefer multiple [redundant] layers".

HOSTS file protection is the first thing that "kicks in".   If a website is blocked by your HOSTS file (by virtue of a 127.0.0.1 local loopback entry for that site), no program [web browser, anti-virus / anti-malware, instant messenger, &etc.] will be able to access that particular website.   Meaning that, as long as your HOSTS file remains intact, IE will not have to "worry" about considering a duplicated list of restricted sites.   In other words, if you use SpyBot's Immunization to add its sites to your HOSTS file, then you don't also have to immunize against the same collection of multiple thousands of restricted sites that are currently interfering with IE8 running smoothly.   Be explicitly advised, however, that if you don't (also) immunize the restricted sites, and if malware somehow manages to attack and alter your HOSTS file, it will then leave these non-immunized restricted sites open to further attack you... meaning that this is not a "perfect" solution to the "congestion" problem... but it's certainly better than not using SpyBot's immunization at all.
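
The HOSTS-file layer described in the post above, as an added example that is not part of the original thread: a Python sketch that parses a HOSTS file, lists the names sunk to loopback (the 127.0.0.1 block entries), and flags any name mapped to a non-loopback address, which is the kind of change that means the file is no longer intact. The sample contents and host names are constructed, and treating 0.0.0.0 as a block address is an assumption that goes beyond the 127.0.0.1 entries the post describes.

```python
import ipaddress

# Constructed sample HOSTS content; every host name below is a placeholder.
SAMPLE_HOSTS = """\
# constructed sample, not taken from the thread
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.blocked.example          # immunization-style block entry
127.0.0.1       tracker.blocked.example www.tracker.blocked.example
0.0.0.0         popups.blocked.example
203.0.113.7     update.vendor.example        # non-loopback mapping: review
not-an-ip       broken.example
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, address_text, [names]) for each non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield line_no, fields[0], [n.lower() for n in fields[1:]]


def audit_hosts(text):
    """Sort entries into blocked names, redirected names and malformed lines."""
    report = {"blocked": [], "redirected": [], "malformed": []}
    for line_no, address_text, names in parse_hosts(text):
        try:
            address = ipaddress.ip_address(address_text)
        except ValueError:
            address = None
        if address is None or not names:
            report["malformed"].append(line_no)
            continue
        # Assumption: 0.0.0.0 is treated as a block address like 127.0.0.1.
        sink = address.is_loopback or address.is_unspecified
        for name in names:
            if sink and name in LOCAL_NAMES:
                continue  # the normal localhost entries
            if sink:
                report["blocked"].append(name)
            else:
                # The HOSTS file is consulted before DNS, so this mapping wins.
                report["redirected"].append((name, address_text))
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(len(result["blocked"]), "names blocked")
    for name, target in result["redirected"]:
        print("REVIEW:", name, "->", target)
    print("malformed lines:", result["malformed"])
```

To audit a real machine, pass the contents of the system HOSTS file (on Windows, `%SystemRoot%\System32\drivers\etc\hosts`) to `audit_hosts` instead of the sample string.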

 

9 Legend

 • 

47K Posts

April 8th, 2009 06:00

Personally I  like the Radar Screen at

 

http://securitywizardry.com/radar.htm

The free radar page is constantly updated to display the latest Information Security Threats and News.

Designed and built to cater for the demands of Government and Military networks requiring near real time information on new and emerging cyber threats. Its public availability and lack of corporate identity has resulted in almost every industry,

 

5.8K Posts

April 8th, 2009 12:00

McAfee's Stinger tool for removal of all known variants of W32/Conficker has been updated:
http://vil.nai.com/vil/averttools.aspx#002

Go for the version 10.0.1.548 posted 04/08/2009
Stinger MD5: 1197769be617ac41240102de1fb5841c

2 Intern

 • 

2.7K Posts

April 8th, 2009 17:00

Joe53, would you recommend that we run this program to check our computers for Conficker?

 

"Go for the version 10.0.1.548 posted 04/08/2009
Stinger MD5: 1197769be617ac41240102de1fb5841c"

2 Intern

 • 

2.7K Posts

April 8th, 2009 17:00

ky331, In reference to Spybot, do the updates appear to cause a slowdown in IE 7?  I just updated my internet package to speeds of 16mbs and do not notice a difference in what I had before. So I am wondering if maybe this has something to do with Spybot.

3 Apprentice

 • 

15.3K Posts

April 8th, 2009 17:00

WinPatrol 2009: 16.0.2009.1

Note:  The changes only affect Vista and Windows 7 users ; so XP (or earlier) users, who have version 16.0.2009.0 already installed, don't have to update at this time.

  • Improved HOSTs change detection in Vista
  • Fixed Exit dialog (if checked) when switching to UAC mode.
  • Remove redundant switching to UAC mode dialog. All versions
  • AutoUpdate and UAC change detected included in Option with HOST file changes

3 Apprentice

 • 

15.3K Posts

April 8th, 2009 18:00

Annie,

the particular issue under consideration here, of Spybot "flooding" Internet Explorer's restricted sites zone and slowing down [or even crashing]  IE, is specifically in reference to the "finalized" release of IE8.   That is to say, it did not happen in the earlier (Beta, nor Release Candidate) versions of IE8; nor with IE7.

The same slowdown can occur in IE8, for people who use IE-SpyAd and/or SpywareBlaster, which likewise place "lots" of restricted sites into IE.   However, SpywareBlaster's impact might be somewhat [or even significantly] less, in that its collection of restricted sites is much smaller than the amount added by Spybot.

see here for more:  http://msmvps.com/blogs/donna/archive/2009/03/20/ie8-issues-if-immunization-by-spybot-s-amp-d-is-enabled.aspx

So if you're having a problem with SpyBot and IE7, it would appear to be a separate issue from the one we're discussing here.   Can you elaborate on precisely what's happening?    In your consideration of SpyBot as being the "culprit" in slowing down IE7, have you tested your theory by disabling Spybot's various components and concluding that IE7 then runs faster?  If you wish to pursue this, keep in mind that SpyBot offers several resident and passive  aspects which you need to test separately:

1)  The IE8 issue is specifically with SpyBot's immunization inserting "tons" of sites in IE's restricted zone.   While reports indicate this should not be a problem with IE7, you can test it by UNDOing the immunization of anything listed as IE  "Domains" in SpyBot... there should be several such entries.

2) SpyBot's immunization, if applied in full, also places sites in your HOSTS file [or Windows / Global (Hosts) , as SpyBot refers to it].   This is a completely separate feature/component from placing sites in IE's restricted zone, and it is not the problem currently being reported above.   However, a "large" HOSTS file can itself cause problems on some systems... this has been known for years.   So, if you use SpyBot (or any other program) to customize your HOSTS file, you should separately consider this as a possibility for your slowdowns.   [see http://www.mvps.org/winhelp2002/hosts.htm#Note ]

3) SpyBot offers SDHelper, a BHO (Browser Helper Object) for IE.   While I have rarely encountered problems with it, I believe Joe53 did have significant issues with it a while back.   So you can try disabling SDHelper (you may have to activate ADVANCED mode in SpyBot, to locate SDHelper under Tools/Resident).

4) Finally, SpyBot offers TeaTimer (also under ADVANCED/Tools/Resident) which runs continually.   I have long enjoyed TeaTimer, but strongly advise it only for users who can handle its prompts.   But a new factor has recently arisen with TeaTimer... newer versions are taking up more and more RAM, which can interfere with system performance.   I've recently (and reluctantly) disabled TeaTimer on my  older WinME system (128 MB RAM)... and I'm currently trying to determine the impact , if any, TeaTimer might be having on my wife's XP system with 512 MB RAM (I don't notice any impact on my XP system with 1 GB RAM).

EDIT:   Let me re-stress that each of these four aspects of SpyBot's protection are completely independent of each other.   Meaning that, if you determine any one [or any particular combination] to be the culprit causing your IE7 slowdown, you can disable just that one [or combination], and still retain the protection offered by the others.

5.8K Posts

April 8th, 2009 18:00

Joe53, would you recommend that we run this program to check our computers for Conficker?

 

"Go for the version 10.0.1.548 posted 04/08/2009
Stinger MD5: 1197769be617ac41240102de1fb5841c"

Annie:

Stinger is just a "second opinion" standalone scanner. I see no harm in running it. I just ran it myself, even though I have no reason to believe I have Conficker.

It scanned over 500,000 files in about 35 minutes, and ruled out the presence of 12 variants of Conficker.

301 Posts

April 9th, 2009 18:00

hi aps@sun,

Out of curiosity, what was your speed before uninstalling Spybot?  If you noticed a significant difference I think you found the culprit of the slowdown, however, which "protection" was at fault is not known.  If you do feel that Spybot is at fault there are other free programs that you can use that will replace the protections that Spybot offers. Using a hosts file will provide the same type of protection as the immunization feature.  I recently downloaded the MVP host file and have noticed an increase in the speed of my internet.  If I go to a webpage with a bunch of advertisements the hosts file blocks the majority of the ad servers, so it uses less bandwidth.  If you decide to use a hosts file you may need to disable the DNS Client.  I believe Ky provided a link to www.mvps.org which has some good info on a hosts file.  A hosts file can also slow down your connection, but disabling the DNS client fixes this issue.  I also started using OpenDNS, which I feel attributed to the increased browsing speed.

2 Intern

 • 

2.7K Posts

April 9th, 2009 18:00

ky331. I decided to uninstall Spybot and run the speed tests again at speedtest.net.  After uninstalling Spybot, rebooting, and running the speed test my results are quite different. My download speeds are now between 12 and 13 mbs. This is what they should be for the service that I have.  I am using IE 7 on this computer.

I really would like to reinstall Spy-Bot but am afraid that the problem of the slow download speeds will re-occur.

2 Intern

 • 

2.7K Posts

April 9th, 2009 18:00

ky331,  I do use Spy-bot for immunization. I also use SpywareBlaster. My problem may or may not be related to these programs. I do not use Teatimer on Spy-bot. I am running XP on a Dimension 8300.

 My problem is this on this particular computer. I have a very fast cable modem connection-up to 16 mbs-at least that is what I am paying for. My downloads speeds are under 2 mbs. I have had several techs from my cable company check out the cabling, and replace the modem and after hours of troubleshooting could not resolve the slow problem. The INTERNET is not super slow however it is not at the speeds I am paying for.  I am using a wireless N -USB Network Adapter and a N -ultra Wireless Gigabit Router.  I have updated the firmware on the router. I am at a loss as to what else I can check and so are the techs that I have worked with on this problem.

I will try disabling parts of SPY-bot and see if this makes any difference.  I will post back after I do some testing.  Thank you for such a complete and detailed response. 

3 Apprentice

 • 

15.3K Posts

April 9th, 2009 21:00

Annie,

let me begin by stating that the problem I was referring to earlier in this thread, of SpyBot's immunization of restricted sites in IE8, caused IE8 to open very slowly, use excessive CPU, and possibly crash.   To my understanding, there was not an issue with slowing-down bandwidth after IE finally opened.   Meaning that I believe you have a different problem.

You indicated you don't use TeaTimer, so that's not the culprit.   But you didn't mention whether or not you used the SDHelper BHO (and if disabling it made any difference in IE).    The fact that, upon uninstalling SpyBot --- which would remove all of its components --- made things run faster for you, would tend to indicate that something in SpyBot is likely the culprit... but we still don't know specifically which component(s) is[/are] at fault.    However, I don't know that you want to reinstall it, in its parts, to figure out which one it is.   (As you noted, I believe I've given you enough details what to test, should you be so inclined.)

I'm not familiar with details of "cable" --- I have Verizon DSL.   And I know that Verizon offers me a maximum speed, but makes no assurances that it will actually be attained.   In fact, DSL connections are dependent on how far one's home/computer is located from the main office --- the further away, the slower the connection will be.   Verizon's basic DSL is rated at .75 Mbps (768 Kbps) at maximum.   I just ran the speedtest program on this (WinME) system, and it came in at .72 Mbps for downloads.  It's often much lower than that, depending on the time of day --- I think Verizon "shares" bandwidth among its customers.   Also, DSL lines are typically optimized in one direction, usually for downloads... and so, my upload speed now was only .13 Mbps.   Like I said, I don't know if cable works any differently.

Here's a thought:   do you have any alternative browsers (e.g., Firefox or Opera) installed on your system?   If so, you could run the speed tests from these to see if they show any difference.   For example, SDHelper only attaches itself to IE.   So if SpyBot with SDHelper slows down IE, but Firefox runs okay under the same configuration, then the problem might be SDHelper.   If you use a HOSTS file, be it via SpyBot, or MVPHosts (or elsewhere), then this should impact all your browsers equally... and, as Beversoll just noted, disabling the DNS client is a likely fix to slowdowns resulting from a "large" HOSTS file.  Information about large HOSTS files, and disabling the DNS client, is contained in the link I cited above, http://www.mvps.org/winhelp2002/hosts.htm#Note

P.S.   In uninstalling SpyBot (and its immunization), I'm assuming you've kept SpywareBlaster's???

 

2 Intern

 • 

2.7K Posts

April 10th, 2009 03:00

ky331, I have not uninstalled Spyware Blaster.  I do not have an alternate browser such as Firefox or Opera on this system. As far as download speeds, when Spybot was on this system the highest speed was 1.88 mbs. After uninstalling Spybot, my average speed is around 12 mbs. Like DSL there are variables to this download speed such as time of day. I am curious as to what part of Spybot may be responsible for slowing down my download speeds so I may reinstall this program to experiment.  I have used Spybot for years on this computer so something must have changed recently. At this point I can only conclude that Spybot was slowing down my bandwidth, causing IE to delay opening, and sometimes not to open at all.  I really do not have experience with Host Files but I am reviewing all the information you sent to me.

The cable company has assured me that I should have download speeds of at least 8mps or higher, however I started this investigation when the highest download speeds were only 1.88mbs. I am assuming that all my equipment is operating well since the cable company has checked out the lines and the modem.

On a further note, a few weeks earlier I had to uninstall the newest Google toolbar because it stalled my IE from opening, and when IE did open it was very slow. So perhaps this is another clue.

2 Intern

 • 

2.7K Posts

April 10th, 2009 03:00

beversol,  Before uninstalling Spybot my top download speed was 1.88 mbs, and often a bit lower. After removing Spybot my speeds increased to around 12 mbs. I am curious about using the MVP host file so when I am done experimenting with Spybot that may be the way to go.

I am interested in OpenDNS so I will do some more reading on this subject.  Thanks for the information that you have provided. 

3 Apprentice

 • 

15.3K Posts

April 10th, 2009 07:00

Annie,

I'll try to get back later today, to give you my suggestions on how you can go about testing the individual spybot components.

As for the MVP Hosts file --- which is highly recommended by many users --- it's even larger than the SpyBot Hosts file.   So if your problem turns out to be size-of-HOSTS-file related, it should occur when using the MVP Hosts file as well... and if so, you can try the DNS client  "fix".

Curiously, I tried the speedtest again this morning (on my XP system, so it may not be a fair comparison??), and my download speed at the moment tested at over 1 Mbps.   Not only is that 38% (or more) faster than last night, but it's even faster than the maximum that Verizon is supposed to be supplying me!
