What malware does Spybot +AV protect against?

You will find the up to date list of detections by clicking here.

This list is constantly being updated as we detect new malware or find new variants of existing malware.


How to create a bootable CD

Creating a bootable CD involves a handful of steps that are explained in detail here.

Requirements

Windows Automated Installation Kit

The first thing you need is the Windows Automated Installation Kit, also called WAIK. This software includes all the Windows files that need to be put onto the CD, along with the tools to create that CD. For legal reasons, we cannot take these files from your current installation.


If the WAIK is not installed, Boot CD Creator will offer to download it for you. The download arrives as a file with the extension .iso. There are multiple ways to install the WAIK from it, depending on your preferences:

  • use your favorite DVD burning software to burn this image to a real DVD; for example, with Windows Explorer itself, right-click the downloaded file and press “Burn” after having inserted a blank DVD.
  • use a packer to extract the .iso to a subfolder; for example using 7-Zip or WinRAR.
  • use an image mounting software like Daemon Tools to mount the image.

Once you’ve got there, you need to start installation from the place where you’ve burned or extracted or mounted the image.

Sometimes, the installation of the WAIK needs other software to be installed first. If it asks you to install DotNET, look for the exact version of DotNET requested, and install just that. Newer versions are not downwards compatible, but can co-exist. The WAIK install CD menu should offer installation of the correct DotNET.


Once the WAIK is installed, the Prerequisite panel within the Boot CD Creator will be shown with a green bar, and all other panels can be used.

Configuration

Applications


In Applications to include, you can select other applications that should appear on the CD. To do that, click the arrow button at the right to expand it. For standard malware cleaning, the standard setup to include Spybot 2 is sufficient.

Settings


All Settings can be skipped as well if you want to; they just give you the option to customize the CD. The Shell selection allows you to let the CD start up like old Spybot CDs would do, but the new Safer-Networking Shell, which is the default starting with Spybot 2.3, is recommended.

You can also select whether your computer will boot from the CD right away, or only if you press a key within a short amount of time. This is useful if you’ve got your boot order set to always boot from CD first and forget the CD within the drive.

Finally, by setting a language and country, you can make sure that the CD will, for example, accept your keyboard input instead of using a foreign mapping. This should default to your current system's language.

CD creation

Once you’re done checking the list of Applications and Settings, or right away if you just want to go ahead and skip them, the CD image creation panel is the one where you’ll get your CD. You can just accept the default location and press the Create CD image button. It might take a few minutes for Boot CD Creator to combine all the necessary files and create an .iso image of your bootable CD.


Again, burn this to a CD using your favorite application, or even use Windows Explorer. Follow the instructions above for burning the WAIK ISO image, but apply them to the file just created, usually stored at C:\SpybotBootCD\SpybotBootCD.iso.

CD usage

Make hardware boot the CD

To use your CD as a startup medium for your computer, you might need to tell it to look for bootable media in your CD-ROM drive. Most computers offer a key you can press right after powering it on.

Once that key is pressed, you’ll get a menu representing all drives that could be used for booting, including the CD or DVD one.


By selecting this drive, your computer will start the Windows version included on the CD.

Using the CD

In contrast to your regular system, the CD will show a toolbar representing all actions that might be of help when it comes to using Spybot to clean or repair your computer.


Adding up to date signatures

If you want to use the CD regularly without having to recreate it with up to date signatures every time, you can update them by running updates from an attached USB stick.

Since Spybot is completely in memory when running from the CD, you should recreate an up to date CD from time to time to avoid signature updates getting too big and taking up too much memory.

Antimalware

Antimalware signature updates can be added using the manual 1.6 updater. This updater can be found on our Download page at the bottom.

Antivirus

To update antivirus signatures, you can download the full signature installer.

Scanning and cleaning

At the bottom in the ”Spybot 2 Basic” menu, you can initiate a ”System Scan”. From this point, you can follow the instructions in another howto.

FAQ Category: How to

How to configure Notifications

Notifications Configuration

Notifications can be configured from the “Notifications” tab in Spybot's Settings. Pressing “Edit” will open a details window where you can add, change or remove different notifications.

For the home user, the easiest and yet most powerful notifications are probably Pushover and Boxcar. Depending on the delivery methods you choose, you might need to provide some details for new notifications.

The Settings tab includes a ”Test” button you can use to check whether notifications are delivered as expected.

Boxcar

To set up delivery via Boxcar (e.g. to your iPhone, iPod or iPad), install Boxcar from the iTunes Store, then enter in Spybot the email address you used to set it up.

Email via SimpleMAPI

If you’ve got a mail program installed and don’t just use email through a webmail interface, your computer most likely supports Simple MAPI. You need to set up the email address that should be used as the sender, and the one to receive the notification.

One disadvantage (and advantage from another point of view) of this method is that the computer might first ask the user if the message should be sent, so it won’t notify right away on unattended computers.

Email via SMTP

The second email method avoids the user confirmation, but needs more details. In addition to the sender and receiver email addresses, you need to specify the SMTP server information, including host name and, if necessary, username and password. You can find these details if you search your email provider's documentation for the keyword “SMTP”.

Growl

Growl is a desktop computer notification system well known on Macintosh computers, but also available for Windows. If you want a local Growl installation to notify you, you don’t need to enter any details. You can also set up remote computers running Growl to receive notifications, but in this case, they still need to be without password (we’ll be updating this feature to support password protected Growl installations in the future).

HTTP

HTTP notifications might be of interest to network administrators, since they allow easy communication with other existing services. To set up an HTTP notification, you just need to enter a URL to be contacted, and specify how details are transmitted. For example:

http://localhost:22280/tell?title=<$TITLE>&text=<$TEXT>&url=<$URL>&urltitle=<$URLTITLE>

The templates that can be used as part of the URL are:

  • <$TITLE>: will be replaced with title of notification.
  • <$TEXT>: will be replaced with text of notification.
  • <$URL>: will be replaced with URL of notification, if specified.
  • <$URLTITLE>: will be replaced with title of URL of notification, if specified.
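
A small receiver for the example URL above, added here as an illustration (it is not Spybot code). Port, path and parameter names come from that URL; LOG_PATH, MAX_LEN and the function names are assumptions. Since this page does not say whether the substituted values are percent-encoded, the receiver treats every field as untrusted: it listens on loopback only, strips line breaks so one notification is always one log line, and drops link targets that are not web URLs.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Query parameter names, port and path are taken from the example URL above.
FIELDS = ("title", "text", "url", "urltitle")
LISTEN = ("127.0.0.1", 22280)            # loopback only, matching "localhost"
LOG_PATH = "spybot-notifications.log"    # assumed file name for this example
MAX_LEN = 512                            # assumed cap, not a Spybot limit


def clean(value):
    """Replace control characters (CR, LF, ...) with spaces and cap the length,
    so that one notification can never span or forge several log lines."""
    return "".join(c if c.isprintable() else " " for c in value)[:MAX_LEN].strip()


def parse_notification(request_target):
    """Return a dict with the four fields, or None if this is not a usable
    /tell request. Works for percent-encoded and for raw values."""
    parts = urlsplit(request_target)
    if parts.path != "/tell":
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    note = {name: clean(query.get(name, [""])[0]) for name in FIELDS}
    # Keep the link only if it is a plain web URL. This also discards a
    # placeholder such as <$URL> that arrived unreplaced.
    if urlsplit(note["url"]).scheme not in ("http", "https"):
        note["url"] = ""
    if not note["title"] and not note["text"]:
        return None
    return note


def format_line(note):
    """Render one notification as a single log line."""
    line = f'{note["title"]}: {note["text"]}'
    if note["url"]:
        line += f' [{note["urltitle"] or "link"} -> {note["url"]}]'
    return line


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        note = parse_notification(self.path)
        if note is None:
            self.send_error(400)
            return
        with open(LOG_PATH, "a", encoding="utf-8") as log:
            log.write(format_line(note) + "\n")
        self.send_response(204)   # accepted, nothing to return
        self.end_headers()

    def log_message(self, *args):
        # The log file is the record; keep raw request lines off stderr.
        pass


if __name__ == "__main__":
    HTTPServer(LISTEN, Handler).serve_forever()
```
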

Jabber/XMPP

XMPP is the protocol used by Google Talk (if you haven’t started using Hangout) or Facebook Messenger, as well as many independent providers. To set it up, you need the same details you would need to set it up in any other chat application (such as Pidgin).

  • host (required): specify Jabber server hostname.
  • port (optional): specify Jabber server port, defaults to 5222.
  • username (required): specify username to log into server.
  • password (required): specify password of user to log into server.
  • to (required): comma-separated list of receivers.

Logfile

You can also have all notifications written to a file, for example to be able to check what you should have received. You’ll need to specify the name of the file that notifications should be appended to, and can optionally adjust how each notification should look using the following templates:

  • <$TITLE>: will be replaced with title of notification.
  • <$TEXT>: will be replaced with text of notification.
  • <$URL>: will be replaced with URL of notification, if specified.
  • <$URLTITLE>: will be replaced with title of URL of notification, if specified.
  • <$CRLF>: a line break

Pushover

To set up delivery via Pushover (e.g. to your Android smartphone or tablet, iPhone, iPod or iPad), install Pushover Notifications from the iTunes Store or Google Play Store, then enter your Pushover key. You can find this key by starting Pushover and looking for it on its Settings page.

Skype

This delivery will only work if Skype is running and logged in on the machine that should send notifications, which is a restriction made by Skype. You only need to enter the Skype screen name of the notification recipient in Spybot, since the sending account is handled by Skype itself.

SNPP

The Simple Network Paging Protocol is for the tech savvy administrator and can be used to communicate with existing network paging. There also are SNPP to SMS services on the Internet that could be used to set up SNPP to inform you via Short Message Service. Setup needs the host name and pager ID, with optionally a port if it’s not the default. These settings are provided by the SNPP provider.

Spybot Tray

This is the default notification – Spybot's tray icon will show text in the lower right corner of your screen whenever new notifications are distributed.

Syslog

Syslog is another service for network communication of system messages, in use only by tech savvy administrators. Host and optionally port can be provided here.

Windows Alert message

This simple notification method will simply show a Windows message on your desktop. If the computer in question is running Terminal Services, the session ID can be specified as well. Unless you are looking for special Terminal Services solutions, you probably should simply be using the Spybot Tray notification if you want a message on your desktop.

Windows Event Log

This notification method needs no configuration – when added, it will write entries to the Windows event log. This can help administrators to get a better understanding of how malware appearances relate to other system events.

FAQ Category: How to

How to start your system using Spybots Boot CD?

The allows you to create a bootable CD to repair or clean your computer.

Some computers are set up to prefer booting from bootable removable media if it is inserted; others have this feature disabled to protect the computer from infections coming from untested media.

Most computers allow you to press a special key while booting to select the device to boot up from:


Press key during boot

If you manage to identify which key it is and press it in time, you’ll get a choice of bootable devices; pick the CD-ROM there:


Pick CD-ROM from boot menu

If you are unable to enter a boot menu, which allows you to boot from something other than the hard disk in that single instance, you can change the general boot order. Enter the BIOS first by pressing the BIOS key in step 1, then locate the boot order setting and move the CD-ROM to the top:


BIOS boot order


Why do I see “Internet protection: basic” in Spybot’s Start Center?

If your Internet protection is set to ‘Basic’ the most likely reasons are that when the software was installed the default setting was ‘Disabled’ or when updates were installed the setting was changed automatically. This setting can also be changed by the user.

The ‘Proxy’ feature filters all Internet traffic, so it can reduce your browsing performance. While this provides maximum protection, it can sometimes be annoying. We therefore issued an update to 2.1 and released a new software installer (Spybot 2.1.20 SR 1). This update turns off the Proxy, which causes the Start Center to display “Internet protection: basic” instead of “full”.

If speed is not an issue and you want all data coming from the internet to be filtered, you can enable the proxy by opening the Start Center, selecting ‘Settings’, clicking the “Internet Protection” tab and ticking the box ‘Use Spybot proxy’.

FAQ Category: 2.0 only, Known Issues, Spybot 2, Updates

How to write my own detection rules?

If you decide to create detection rules on your own, you should visit our Wiki, which offers an overview and descriptions of the available rules and file parameters. You should also visit our OpenSBI forum.

FAQ Category: 2.0 only, How to, Spybot 2

How to refresh the system whitelist?

When you first install Spybot +AV you will have the option to create a whitelist. This is a list of programs that are known to be safe. This will speed up the scanning process as these files will not be scanned in the future unless they have been altered in some way.

30 days after the time Spybot +AV was installed this option will no longer appear in the ‘Start Center’. The reason for this happening is that it is recommended not to create a whitelist on systems that have been in use for some time as you may ‘whitelist’ files that have become infected.

If you want to refresh your whitelist and the option is no longer available in the ‘Start Center’ it can still be done manually. To do this navigate to the folder where Spybot is installed, locate the executable file ‘SDPrepPos.exe’ and run it. You will now be prompted to create a whitelist.

FAQ Category: 2.0 only, How to, Spybot 2

How to remove the system whitelist?

You can delete the whitelist file in the Includes sub-folder of the Spybot – Search & Destroy install folder, which is by default:
C:\Program Files\Spybot – Search & Destroy 2\Includes\PosSystem.sbs

FAQ Category: 2.0 only, How to, Spybot 2

How to create a report?

You have different options to create logs with Spybot – Search & Destroy.

1. The easiest would be after a scan. After performing a System Scan with Spybot 2 you can choose “Save scan log…” from the navigation bar on the left. You can now choose where to save the log.

2. You can also start from the Start Center to create a more detailed report. After choosing the “Advanced User Mode” by ticking the checkbox to activate it you can click on “Create Report”. Make sure the latest logs are available and are activated. Now click on “Create log archive”. The log file archive is now on your Desktop.

3. If you also want to create a HijackThis log, please open the Spybot 2 Start Center.
Choose the “Advanced User Mode” by ticking the checkbox to activate it. Now click on “Startup Tools”. If asked what you want to do, choose “Save a log file”. Go to the tab “Logs”. Make sure all 10 checkboxes at the top are ticked. Now click on “Create SBSD log” and “Create HJT log”. Afterwards click on the “Save” button. You can now choose where to save the log.

FAQ Category: 2.0 only, How to, Spybot 2

How do I use the quarantine feature?

If you want to restore previously removed files for whatever reason you can do this via the Quarantine module. Quarantine can be either launched via the Start Center or can also be found in SDTray’s program list.
Just right click on the Spybot – Search & Destroy icon in your system tray beside the Windows clock and navigate to “Basic Tools“ → “Quarantine“. Once “Quarantine“ has been started feel free to select the product you want to restore and hit “Restore selected“.
If you want to get rid of fixed entries permanently just hit the purge selected button.

FAQ Category: 2.0 only, Spybot 2

In which languages is Spybot – Search & Destroy available?

Spybot 2.3 is currently available in the following languages:

  • English
  • French
  • German
  • Hungarian
  • Italian
  • Polish
  • Russian
  • Spanish

Spybot 2 is also being translated into other languages by volunteers, which will take some time. Other languages will be added in later versions of Spybot 2.

FAQ Category: 2.0 only, General Questions, Spybot 2

How to enable/disable plugins?

You can manage the available plugins in the Settings module. You can either access the “Settings” module via Spybot’s Start Center (you have to switch to advanced mode first) or via SDTray (the small Spybot – Search & Destroy icon beside your system's clock in the taskbar) → “Advanced Tools” → “Settings”. Once “Settings” has been opened, switch to the “System Integration” tab. Via the buttons to the right you can install or uninstall those plugins.

FAQ Category: 2.0 only, How to, Spybot 2

How to enable/disable services?

You can manage Spybot – Search & Destroy’s services in the Settings module. You can either access the “Settings” module via Spybot’s Start Center (you have to switch to advanced mode first) or via SDTray (the small Spybot 2 icon beside your system's clock in the taskbar) → “Advanced Tools” → “Settings”.
Once “Settings“ has been opened switch to the “System Services“ tab. Depending on your operating system you can change the status via a drop down menu (Windows Vista and higher).
If you are running Windows XP you can “Start“ or “Stop“ the services via the button to the right.
If you want to un-/install a service, just right click and select “Un-/Install“. With the checkbox “Active after every reboot“ you can change the service’s behavior on system start. Beside the configuration options in the Settings module, you can also edit the Services via the Windows service management console.

FAQ Category: 2.0 only, How to, Spybot 2

How to enable/disable non critical dialogs?

Spybot – Search & Destroy can show you plenty of assistant dialogs.
If you disabled those dialogs by mistake, you can easily re-enable them via “Settings”. You can either access the “Settings” module via Spybot’s Start Center (you have to switch to advanced mode first) or via “SDTray” (the small Spybot 2 icon beside your system's clock in the taskbar) → “Advanced Tools” → “Settings”. Once Settings has been opened, switch to the “Dialogs” tab and make sure the checkbox “Show various non-critical dialogs” has been marked.

FAQ Category: 2.0 only, How to, Spybot 2

How to exclude products from the search?

You can edit the ignore list in the “Settings“ module to exclude a product from further searches. In order to do so you have to run the Start Center, switch to “Advanced User Mode” and then open “Settings”. Now browse to the “Ignore List“ tab. Via the “Add“ button you will get a list of products to be excluded. Just select the product you want to exclude and hit “OK“.
Settings can also be launched via SDTray (the small Spybot – Search & Destroy icon beside your system's clock in the taskbar).

FAQ Category: 2.0 only, General Questions, How to, Spybot 2

How to switch to another language?

Spybot – Search & Destroy supports different languages. You can easily switch to your favorite available language.
You can either access the settings module via Spybot’s Start Center (you have to switch to advanced mode first) or via “SDTray” (the small Spybot 2 icon beside your system's clock in the taskbar) → “Advanced Tools” → “Settings”.
Once “Settings“ has been opened switch to the “Language“ tab and click on the desired language.

FAQ Category: 2.0 only, How to, Spybot 2

How to disable the proxy?

Here is how to disable the proxy:

  • Open the Spybot – Search & Destroy “Start Center“.
  • Click on “Advanced User Mode” at the bottom left of the “Start Center”.
  • Right-click on “Settings” and choose “Run as administrator”.
  • Choose the tab “Internet Protection”.
  • Here you can untick the checkbox in front of “Use Spybot proxy”.

You can also access this setting by choosing “Configure Proxy“ in the “Updater“ menu on the left.

FAQ Category: 2.0 only, How to, Spybot 2, Updates

How does the new update service work?

Updates are installed automatically when using a paid Edition.
Spybot – Search & Destroy will create a task to keep your Spybot 2 up to date automatically.
Regardless of whether you are logged in as an administrator or not, thanks to the Update Service Spybot 2 will be able to update every file without any further interaction.
To have a look or change the scheduler entries, please open the Updater and select “Configure schedules” from the navigation bar on the left.
You can also access this setting by opening the Start Center, clicking on Settings and choosing the tab Schedule.
Here you can Add, Edit or Remove Scheduler entries. It is recommended to use the default entries here that have been created by Spybot 2.

FAQ Category: 2.0 only, Spybot 2, Updates

Why do I get a bad checksum error?

If you search for updates and a ‘bad checksum’ error is displayed, this has a simple reason – millions of people trying to download from the same server. Please try again later.
Or download the updates manually.
Please use the Spybot – Search & Destroy program folder as Destination Folder to store the update:
(by default)
Windows XP: C:\Program Files\Spybot – Search & Destroy 2
Windows Vista or Windows 7 or Windows 8: C:\Programs (x86)\Spybot – Search & Destroy 2

FAQ Category: 2.0 only, Spybot 2, Updates

Why does Spybot – Search & Destroy freeze when doing an update?

SDUpdate can freeze up if the servers are reacting very slowly. This can happen the day new updates are released (usually on Wednesdays), when too many people try to download them at the same time. But Spybot 2 isn’t really frozen, it’s just delayed. There are a few solutions for this problem:
1. Wait a minute, it should be active again.
2. You can still use the manual updater.
Download the current one and install it, and you’ll be up-to-date. Here is the direct-update-link where you can reach the latest update every time.
Please use the Spybot 2 program folder as Destination Folder to store the update, by default:
Windows XP: C:\Program Files\Spybot – Search & Destroy 2
Windows Vista or Windows 7 or Windows 8: C:\Programs (x86)\Spybot – Search & Destroy 2

FAQ Category: 2.0 only, Spybot 2, Updates

What files do I need to update?

A general recommendation is that you download all updates presented when you do a “Search for updates”. Updates usually can be divided into the following categories:

Essentials
The files listed here are Spybot program files that are needed by Spybot to run properly. It is highly recommended to download files suggested for download in this section.

Support
These files are also important to be kept up to date. They are used e.g. for the Whitelisting.

Detection updates:
These files are responsible for the detection rate. That is why it is highly recommended to download them whenever there are updates available.
These are usually named:
Detection rules, Advanced detection library, Detection support library or Some plugin.

Help updates:
As the name already indicates, these are for those who like to read up some information on Spybot 2.

FAQ Category: 2.0 only, Spybot 2, Updates

Why do I receive “Error retrieving update info file“?

1. The error message “Error retrieving update info file” usually appears when Spybot – Search & Destroy has accidentally imported bad Internet Explorer proxy settings. In this case, it helps just to disable the proxy option in Spybot 2. You can access this setting by choosing “Configure Proxy” in the Updater menu on the left. Alternatively, open the Spybot 2 “Start Center” and click on “Settings”. Choose the tab “Internet Protection”. Here you can deselect “Use Spybot Proxy”. Now click “Apply” and “OK”.

2. Please check your firewall.
Most people who do not have problem #1 do have Spybot 2 accidentally blocked in their firewall.

3. If nothing else works, you can still use the manual updater, which is available on the website:  Detection Updates

FAQ Category: 2.0 only, Spybot 2, Updates

How to update?

With a Home or higher Edition, updates are automated. Spybot – Search & Destroy will create Windows task scheduler entries to keep your Spybot 2 up to date automatically. Regardless of whether you are logged in as an administrator or not, thanks to our Update Service Spybot 2 will be able to update every file without any further interaction from you. Of course, manual updates like in the Free Edition are possible, too.
To perform the updates manually:
Please open the “Spybot 2 Start Center” by double clicking. Now activate the “Advanced User Mode” at the bottom by ticking the check-box. Under “Advanced Tools” you will find “Update” which you can simply tick.
Here you have two options:
You can use the “Update” button on the lower right or choose “Update” through the menu on the left. You can also start the updates through the Spybot 2 tray icon (on the lower right of your Desktop beneath your clock). Just right-click the Spybot 2 tray icon and choose “Update”.

FAQ Category: 2.0 only, How to, Spybot 2, Updates

Are there any known compatibility issues?

There should be no problems with the compatibility.
If there are issues concerning realtime components, you can disable Live Protection or services that could cause this conflict in Spybot’s Settings.

FAQ Category: 2.0 only, Spybot 2

Why does SDCleaner/SDDelfile run on every startup?

Sometimes Spybot – Search & Destroy cannot delete all files. Some files used by Windows are running in the background. If you deleted these files before the application they are involved in ends, your system might become unstable. That is the reason why you sometimes have to restart your system to complete the cleaning process.
In this case the SDCleaner/SDDelfile destroys the found items, before they are activated. If you do not want this option you can easily disable it in the SDCleaner itself. Go to the Spybot 2 folder, by default:
Windows XP: C:\Program Files\Spybot – Search & Destroy 2
Windows Vista or Windows 7 or Windows 8: C:\Programs (x86)\Spybot – Search & Destroy 2
and open the SDCleaner.exe.

Uncheck the checkbox in front of “Run cleaner on system startup”.

FAQ Category: 2.0 only, General Questions, Spybot 2

How to switch to the free version?

Once your licence has expired Spybot – Search & Destroy will show you a dialog offering three choices. If you want to continue using Spybot 2 without renewing your licence just choose “Switch to Free Edition“.

FAQ Category: 2.0 only, General Questions, How to, Spybot 2

Is there any replacement for TeaTimer / Resident?

With each paid Spybot 2 Edition there is the new Live Protection available. This Live Protection monitors every process created or running on your system and scans each process. Malicious processes are blocked even before they start. If you have another antivirus engine running you can choose to disable Live Protection.
Live Protection allows the user to choose to run or suppress any starting process.

FAQ Category: 2.0 only, Spybot 2

Does Spybot – Search & Destroy Support Windows 8?

There should be no problems with the compatibility under Windows 8 (also 64 bit):

http://www.safer-networking.org/about/compatibility/

For all those using Windows 8.1, please use Spybot 2.2 or later. Spybot 2.2 solves any incompatibility issues and allows Spybot to run on Windows 8.1 systems.

FAQ Category: 2.0 only, General Questions, Spybot 2

Are there any command line parameters that can be used?

Depending on the installed version of Spybot – Search & Destroy you can use command line parameters to automate Spybot’s tasks.
To get a list of the available command line parameters run cmd.exe and browse to the Spybot 2 directory.
That is by default for Windows XP:
C:\Program Files\Spybot – Search & Destroy 2
and for Windows Vista, Windows 7 or Windows 8:
C:\Programs (x86)\Spybot – Search & Destroy 2

Now type “modulename.exe /help”, e.g. “SDScan.exe /help”.

FAQ Category: 2.0 only, Spybot 2

Why do other spyware programs appear to find spies in Spybot – Search & Destroy’s directory?

Please have a look at the path where such a program has found the spyware.
As Spybot 2 has no spyware integrated, this must be a false alarm.
The reason for such a false alarm is simple: Spybot 2 saves quarantine files of the problems you have fixed, to make it possible to recover them in case something has stopped working after the fix.
If the file found is in the Quarantine directory which would be here:

Windows XP: C:\Documents and Settings\All Users\Application Data\Spybot-Search & Destroy\Quarantine

Windows Vista or Windows 7 or Windows 8: C:\Users\All Users\Spybot-Search & Destroy\Quarantine

it is such a quarantine file. It is no longer of any harm, as the file cannot be started anymore.
But once you are sure you do not need the backup, go to the Quarantine section inside Spybot 2 and purge those files.
Current versions compress the quarantine files into password-protected zip archives, so that other spyware applications do not give false alarms.
Some programs might notify you that they cannot access these zip archives – this can easily be ignored.

As the quarantine files are named after the threat some programs might also naively detect the backups as threats just because of the file name. This can also be ignored.

FAQ Category: 2.0 only, Spybot 2

Is Spybot – Search & Destroy compatible with WinPE/BartPE bootable?

Yes, Spybot 2 offers full support for PE in general and PEBuilder.
You can download the necessary plugin here, or just run Spybot-S&D from your hard disk after booting a PE disk.
Once run from your bootable PE CD, Spybot 2 will automatically scan all registry and drives it can find. Furthermore we have our own bootable edition.
Spybot 2 Personal Edition includes the BootCD Creator which makes creating a Boot CD child’s play.

FAQ Category: 2.0 only, Spybot 2

Is Spybot – Search & Destroy compatible with other resident protection?

Usually there are no problems with the compatibility.

If you also plan to use the Live Protection of Spybot +AV together with your already installed antivirus software, you might experience a decrease in system speed.
In general we recommend running only one AV solution.

FAQ Category: 2.0 only, Spybot 2

What is the Repair Environment?

Executing the Repair Environment opens a new Windows Desktop in which the Start Center runs to allow the use of Spybot – Search & Destroy in a way where other software cannot interact and manipulate it as easily.
The Windows Login screen and the User Account Control dialogs use the same technology to prevent keyloggers and other malware from gaining access and control.
A practical use of the Repair Environment would be where Spybot 2 itself cannot be started any more, where it repeatedly closes out of the blue, seems to take actions on its own, or where malware that is known to exist on the system and that is known to be detectable does not appear in Spybot’s results.

FAQ Category: 2.0 only, Spybot 2

Why does Spybot – Search & Destroy flag changes in the Windows Security Center?

Spybot 2 detects registry changes associated with Microsoft Security Center;
they are listed as “Windows Security Center”. This is neither a false positive nor a bug.
It is just information about a potential threat – Spybot 2 only wants to bring to your attention that someone or something disabled one or more notifications in the Windows Security Center, e.g. the notifications that your virus protection is not active or not up-to-date.
If you changed the settings yourself, you can safely tell Spybot 2 to exclude those detections from further scans.
In order to do so, run the Start Center, switch to advanced mode and start Settings.
Now browse to the “Ignore List” tab. Via the “Add” button you will get a list of products to be excluded. Just select the product you want to exclude and hit “OK”.
Settings can also be launched via SDTray (the small Spybot 2 icon beside your system’s clock in the taskbar).
The same is true if you have another security solution installed (like McAfee Security Center or Norton Internet Security).
These programs disable announcements of Windows Security Center in order to signal things by themselves.
The reason why the changes are flagged by Spybot 2 is that there are also malware programs that disable the notifications so the user does not take note of his security tools not being effective.
More information is available in our forum: Windows Security Center

FAQ Category: 2.0 only, Detections, Spybot 2

What can I do if Spybot – Search & Destroy freezes during the scan?

1. Please disable all other security programs that you run and close all other programs while working with Spybot 2.
2. Also run a scan in safe mode.
3. It should also help to deactivate the scanning for usage tracks and cookies.
In order to do so, run the Start Center, switch to advanced mode and start Settings.
Now browse to the “Categories” tab. Here untick the checkboxes in front of “Malware detection – Cookies.sbi” and “Usage Tracks – Tracks.uti”.
Afterwards hit “Apply” and “OK”. Settings can also be launched via SDTray
(the small Spybot 2 icon beside your system’s clock in the taskbar).
4. If this does not help, please delete the contents of your Windows temp folder and try again.
5. Also, you might want to disable the option to “Create system restore point” when fixing spyware/usage tracks.
To do so, run the Start Center, switch to advanced mode and start Settings.
Now browse to the “Dialogs” tab. Disable the checkboxes in front of Cleaner:
“Offer to create a system restore point.” and “Create restore point if dialog not shown.”.
Afterwards hit “Apply” and “OK”.

FAQ Category: 2.0 only, General Questions, Spybot 2

Why does Spybot – Search & Destroy also remove IE toolbars that seem useful to me?

Nearly all add-on IE toolbars make web access easier for you.
Sadly, to tailor their information to your needs, they need to collect data about you;
and most privacy statements are unclear about how they use this data besides sending you what they think you want.

FAQ Category: 2.0 only, Detections, Spybot 2

What is the immunization feature and what are the other permanent protection options?

Spybot – Search & Destroy offers the Immunization – a feature to allow you to immunize your computer against certain spyware.
It also allows you to use native browser settings to block cookies, malware installations,
bad websites and other threats via ActiveX.

FAQ Category: 2.0 only, General Questions, Immunization, Spybot 2

Which browsers does Spybot – Search & Destroy support?

Spybot – Search & Destroy has dedicated support for most browsers.
It can, for example, immunize these browsers, or create restricted access shortcuts for your safety.
Where we list product versions, these are the ones that have been tested;
other versions are likely to be supported depending what changes have been made to them.
Unlisted browsers that are clones of listed browsers are also likely to be supported
(e.g. most IE based browsers and many Google Chrome variants use the same cache location and formats).

Internet Explorer & clones

Mozilla based browsers

Opera browsers

Opera (4, 6.x, 7.x, 8.x, 9.x, 10.x)

Webkit based browsers

Other browsers

FAQ Category: 2.0 only, General Questions, Spybot 2

Why did the Whitelist link disappear (from the Start Center)?

The option to create a whitelist is only offered on systems that are not older than 30 days.
If your system was installed more than 30 days ago, the Whitelist Creator cannot be started via the Start Center. If you still want to create a whitelist, you can use ‘SDPrepPos’ in the Spybot – Search & Destroy program folder, by default:
Windows XP: C:\Program Files\Spybot – Search & Destroy 2
Windows Vista or Windows 7 or Windows 8: C:\Programs (x86)\Spybot – Search & Destroy 2

Warning:
A Whitelist should only be created on a system that is known to be uninfected.
We recommend that you only use it on a new system, after all software has been set up,
but before connecting it to the Internet.

FAQ Category: 2.0 only, Spybot 2, Start Center

Why are some of my favourite internet sites blocked?

In that case the immunization has to be undone. To do so run the Start Center and click on “Immunization“. On the navigation bar on the left you can “Undo immunization“.
Please note: Now the bad downloads will not be blocked any longer! You may have to restart your computer. Then try again to open your favourite pages. Do not forget to Immunize again after visiting that page.

FAQ Category: 2.0 only, Immunization, Spybot 2

Why does the immunization “not work”?

On Windows Vista / Windows 7 / Windows 8, you need to run the immunization with elevated privileges, otherwise all global immunizations will fail.
To elevate, right-click the Spybot – Search & Destroy shortcut and choose Run as Administrator.
Spybot 2 will offer you to run the Immunization elevated if you do not run it as described above.
If you have chosen to not have this dialog shown again when it was previously shown,
you can re-enable it by using the Dialogs tab of the Settings window.

If you think nothing has been immunized, please make sure you have clicked on “Check system” which can be found on the navigation bar on the left. This will check for already applied immunization.

In order to immunize correctly please close all open browsers.
Also using more than one security software with resident protection can cause conflicts.
Please take a look at this thread in our forum: Various reasons for incomplete immunization

FAQ Category: 2.0 only, Immunization, Spybot 2

Why did the Startup Tools assistant dialog disappear?

This dialog will only be displayed for a limited period of time.
Once Startup Tools has finished loading all registry and file details,
the dialog will disappear and Startup Tools will switch to the main window.

FAQ Category: 2.0 only, Spybot 2, Start Center

How to revert to a backup?

In order to revert to a registry backup, run Windows in Safe Mode.

Be sure that hidden files are shown.
Now execute the two files (or maybe it is just one of them) regusers.reg and reglocal.reg in the following folder:

Windows XP: C:\Documents and Settings\All Users\Application Data\Spybot – Search & Destroy\Backups\

Windows Vista or Windows 7 or Windows 8: C:\ProgramData\Spybot – Search & Destroy\Backups\

Answer Yes when prompted to add its contents to the Registry.
Afterwards, please reboot.

FAQ Category: 2.0 only, General Questions, How to, Spybot 2

How to download Spybot – Search & Destroy?

There are two options to download Spybot 2:

  1. You can choose a download location on our website. The displayed mirrors are partners who provide places to host Spybot 2 for us. You can download from them; it is secure and they all contain the same data.
  2. You can also choose the direct installation file.

Please search for new updates after installing Spybot 2.

FAQ Category: 2.0 only, How to, Spybot 2, Updates

Are the found items really Rootkits?

Malware sometimes uses rootkit technology to hide itself at system level. This makes it undetectable for standard tools. Our plugins help Spybot – Search & Destroy to detect this form of malware.
Our Rootkit Scan tool shows anything that uses certain rootkit technologies. But items with rootkit properties detected here are not necessarily malware. Sometimes, legitimate software uses rootkit technologies to hide registration data or other information it does not want the user to see in any case. So please keep in mind that a Rootkit Scan only flags suspicious items; it does not identify only malicious ones. If you get ‘No admin in ACL’, this thread in our forum should help explain it. If you are not sure about the found items, please ask for help in our RootAlyzer Forum before you delete anything. The deletion is final and cannot be undone through the Quarantine. If you still want to remove the found items, it is strongly recommended to create a system restore point before doing that.

FAQ Category: 2.0 only, Detections, RootAlyzer, Spybot 2

How to uninstall?

Spybot – Search & Destroy will uninstall from the Windows Add/Remove Software control panel without problems. The following directories will not be removed during the uninstall procedure; if you want those folders to be deleted, you will have to remove them by hand:

Windows XP: C:\Documents and Settings\All Users\Application Data\Spybot – Search & Destroy\
Windows Vista or Windows 7 or Windows 8: C:\ProgramData\Spybot – Search & Destroy (Please note that the Application Data Folder is hidden. So if you cannot find this folder please check your folder properties.)

Explanation: this folder contains the backup (the quarantined files) that Spybot 2 creates. If the uninstaller removed this folder as well, those backups would be gone. We have seen a few times that new users uninstalled Spybot 2 in panic after they had experienced a small problem, thus removing the backup that would have undone any changes.

FAQ Category: 2.0 only, How to, Spybot 2

How to use Scripting?

The script editor allows you to create complex malware detection patterns using our OpenSBI syntax and the Pascal language. A very simple script, which you could also implement as a plain .sbi file, would be this:

begin
    { look for \Malware.txt with the given file size and MD5 hash }
    sbiFile('<$FILE_DATA>', '\Malware.txt', 'filesize=182,md5=83C36C493D7A254F9DE2ED63B3F92548');
end.

Now imagine you want some user input or custom calculation, because malware is individual to your system.

var sName, sFilename: String;
begin
    { ask the user for the account name }
    InputQuery('Username', 'Please enter', sName);
    { build the path to check from the entered name }
    sFilename := 'C:\Users\' + sName + '\test.txt';
    sbiFile('test', sFilename, 'filesize=10');
    ShowMessage('Did look for ' + sFilename);
end.

This demonstrates interaction with the user. In reality, you could of course just use the proper path template for scanning all users’ directories (see the OpenSBI Wiki). Also, scripting will be used more for complex calculations and conditions than for user interaction.
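The check that a condition string such as 'filesize=182,md5=…' expresses, written out in Python as an added example (this is not Spybot's or OpenSBI's own code). It assumes the string is a comma-separated list of key=value conditions that must all hold, and it supports only the two keys shown above; the function names are made up for illustration.

```python
import hashlib
import os
import tempfile

SUPPORTED_KEYS = {"filesize", "md5"}   # only the keys that appear in the FAQ


def parse_conditions(spec):
    """Split 'filesize=182,md5=ABC...' into a dict (assumed format)."""
    conditions = {}
    for part in spec.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not key or not value:
            raise ValueError("malformed condition: %r" % part)
        conditions[key.lower()] = value
    return conditions


def md5_of(path, chunk_size=65536):
    """Hash the file in chunks so large files are not loaded into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest().upper()


def file_matches(path, spec):
    """Return True only if the file exists and every condition holds."""
    conditions = parse_conditions(spec)
    unknown = set(conditions) - SUPPORTED_KEYS
    if unknown:
        raise ValueError("unsupported condition(s): %s" % ", ".join(sorted(unknown)))
    if not os.path.isfile(path):
        return False
    # Compare the size first: it is cheap and rules out most files
    # before any hashing has to be done.
    if "filesize" in conditions and os.path.getsize(path) != int(conditions["filesize"]):
        return False
    if "md5" in conditions and md5_of(path) != conditions["md5"].upper():
        return False
    return True


if __name__ == "__main__":
    # Constructed 10-byte sample file, mirroring the 'filesize=10' script above.
    fd, sample = tempfile.mkstemp(suffix=".txt")
    os.write(fd, b"0123456789")
    os.close(fd)
    try:
        print(file_matches(sample, "filesize=10"))                       # size only
        print(file_matches(sample, "filesize=10,md5=" + md5_of(sample)))  # size and hash
        print(file_matches(sample, "filesize=182"))                      # wrong size
    finally:
        os.remove(sample)
```

A file with the right name but a different size or hash does not match, which is why a pattern of this kind only identifies one exact file.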

FAQ Category: 2.0 only, Detections, General Questions, How to, Spybot 2

How can I get administrator rights under Windows Vista / Windows 7 / Windows 8?

To open Spybot as administrator, simply right click on the Spybot desktop icon or the start menu icon and click “Run as Administrator”:

Then you can right-click on the module’s icon you are about to run and select “Run as administrator”.

FAQ Category: 2.0 only, General Questions, Spybot 2, Start Center

How to renew my licence?

Once your licence is about to expire there are different ways to easily get a renewal. You can either use our order form or run the Start Center and select “Renew licence” in the “Your licence is expiring soon” dialog.

FAQ Category: 2.0 only, General Questions, How to, Spybot 2, Start Center

Where will I find documentation for the Spybot-S&D Update and Configuration Server?

The manual for the Spybot S&D Update and Configuration server is copied to your disk when you install the product. If you want to, you can also download a copy from this location: Spybot S&D UCS manual

 

FAQ Category: 1.6 only, Corporate Edition

What is SDHelper?

Resident SDHelper is a second layer of protection for Internet Explorer. The immunize function blocks installers by their ActiveX ID, whereas SDHelper blocks badware that tries to enter using a different method. Thus Internet Explorer cannot download bad files. You start SDHelper by clicking on Tools → Resident on the left navigation bar (for this, Spybot-S&D has to run in Advanced Mode). There you can tick the checkbox next to Resident “SDHelper” (Internet Explorer bad download blocker) active in order to activate SDHelper.

FAQ Category: 1.6 only, General Questions

Why do I get a “HTTP Error 403” or “bad checksum” error?

If you search for updates and a “HTTP Error 403” or “bad checksum” is displayed, this has a simple reason – millions of people trying to download from the same server.

In order to overcome the problem, please have a second look at the update menu bar after searching for new updates. To do so, choose Update from the navigation bar on the left. Now you will see the update menu bar. It has a pull-down item to select a mirror. Click the arrow beside it, and select a different location (first try the ones located nearest to you), where you will most probably have better chances to download.

You can also download the updates manually, either from our Website or by using the direct download link. Just download and run that file – it is self-installing.

FAQ Category: 1.6 only, Updates

ActiveX

ActiveX is a Microsoft technology that allows Internet applications that are more powerful than simple scripts. ActiveX applications work only in Internet Explorer, so the use of ActiveX on websites is not recommended. Because of the huge amount of influence ActiveX apps can have on the system (ActiveX apps have access to the same files you have access to, meaning all files in the case of most private computers), it is recommended to be very careful when dealing with ActiveX.

There are two types of ActiveX apps – signed and unsigned. The code of unsigned ActiveX apps hasn’t been certified and should never be trusted. Signed ActiveX apps are certified, but can still contain malicious code! Signed ActiveX apps should be trusted only if coming from trusted websites and only on a prompt basis (meaning that IE is set to ask every time a website wants to load an ActiveX app).

Many dialers and hijackers install themselves using ActiveX applications.

FAQ Category: Glossary of terms used

BHO, Browser Helper Object

Also called BHO. A BHO is a small program that extends Microsoft’s Internet Explorer. BHOs can be visible, such as add-on toolbars in IE, but can also be hidden functions. Ad- and spyware as well as browser hijackers often use BHOs to display ads or follow your moves across the internet, because a BHO has access to each URL you visit and can redirect you or display other pages than you requested (ads, for example).
BHOs often use ActiveX installation programs.

 

FAQ Category: Glossary of terms used

Dialer

A dialer is a very small program, often installed using the ActiveX technology. Dialers often promise access to free porn, free games or free cracks for commercial software. Once installed, a dialer offers to use your dial-up device to call in to the service, usually calling a quite expensive toll number. Some dialers explain the costs of the connection they will be making, as is required by local law in some countries, but many dialers just display a button offering to connect, without informing the user of what is happening behind it. In the worst case, the dialer sets up the expensive number as the default Internet connection, meaning the user will have to pay high rates for being online, without even knowing it until receiving the next bill.

FAQ Category: Glossary of terms used

Browser hijacker

A browser hijacker is a small program or registry setting that is responsible for changed IE start and search pages. If your browser starts with a different start page (one you haven’t changed yourself), you most probably got hijacked. Intelligent hijackers do not only change these pages, but also add a small file that will restore the hijacked settings upon each system start. Hijackers often use ActiveX installation programs and/or security holes.

FAQ Category: Glossary of terms used

Hosts file

The hosts file is a plain text file on your computer that is used by the operating system to map hostnames to IP addresses. The hosts file could be compared to a telephone directory; you look up a name in the directory and you find a number to call to contact that person.

When you type a hostname into your Internet browser, your system first checks its local hosts file to see if it has an IP address that corresponds to the hostname. If the entry exists, you are redirected to that IP address; otherwise your system checks elsewhere to try to resolve the hostname to an IP address.

So if you want to block an internet website, you could simply associate the site’s hostname with a safe IP address in your hosts file. For example, you could associate www.evil.com with the IP address 127.0.0.1, which is the local address of your computer.
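The lookup order and the blocking trick described above, as an added example in Python (not Spybot code). The sample hosts file is constructed, the function names are hypothetical, and the example assumes that the first matching line wins regardless of address family.

```python
import ipaddress

# Constructed sample hosts file for this example (not from a real system).
SAMPLE_HOSTS = """\
# Lines starting with '#' are comments
127.0.0.1    localhost
::1          localhost
127.0.0.1    www.evil.com evil.com    # blocked: points at the local machine
0.0.0.0      ads.example.net
203.0.113.7  intranet.example.org
not-an-ip    broken.example.org
"""


def parse_hosts(text):
    """Parse hosts-file text.

    Returns (entries, malformed): entries is a list of (ip, [names]) in file
    order, malformed is a list of 1-based line numbers that could not be parsed.
    """
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(lineno)
            continue
        if len(fields) < 2:                   # an address without any hostname
            malformed.append(lineno)
            continue
        entries.append((ip, [name.lower() for name in fields[1:]]))
    return entries, malformed


def lookup(text, hostname):
    """Return the address the hosts file gives for hostname, or None.

    None means the hosts file has no entry, so the system would go on to
    resolve the name elsewhere.
    """
    wanted = hostname.lower().rstrip(".")
    for ip, names in parse_hosts(text)[0]:
        if wanted in names:
            return str(ip)
    return None


def is_sink(ip):
    """True for addresses that keep traffic on the local machine."""
    return ip.is_loopback or ip.is_unspecified


def blocked_names(text):
    """Hostnames that the file blocks by mapping them to a local address."""
    names = set()
    for ip, hostnames in parse_hosts(text)[0]:
        if is_sink(ip):
            names.update(n for n in hostnames if n != "localhost")
    return sorted(names)


def needs_review(text):
    """Entries that send a name to some other machine.

    These override the normal lookup, so they are worth checking by hand.
    """
    return [(name, str(ip))
            for ip, hostnames in parse_hosts(text)[0] if not is_sink(ip)
            for name in hostnames]


if __name__ == "__main__":
    print(lookup(SAMPLE_HOSTS, "www.evil.com"))
    print(blocked_names(SAMPLE_HOSTS))
    print(needs_review(SAMPLE_HOSTS))
```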

FAQ Category: Glossary of terms used

Java applet

A Java applet is capable of doing more than just a JavaScript, but hasn’t got the full access to your machine like a full Java application.
An applet still needs the browser to be run in, while a full Java application could run stand-alone (using just the runtime engine).

FAQ Category: Glossary of terms used

JavaScript

A JavaScript is a small program that runs on your computer when visiting websites that have embedded such a script on the web page.
Java scripts have little access to your computer, but can modify your browser.

FAQ Category: Glossary of terms used

Keylogger

The name keylogger was defined back in old DOS times, when computers were handled just by using a keyboard. The most basic keyloggers from that time just log the keys you press. The spy, a person with physical access to your machine, could get that log at a later point and see everything you typed.

Modern keyloggers are much improved. They not only log the keys you press, but also take screenshots to show the spy which windows you are working with, they capture information about your internet use, and much more. The spy doesn’t even need physical access to your machine because many current keyloggers send their logs by mail.

FAQ Category: Glossary of terms used

LSP, Layered Service Provider

A Layered Service Provider is a system driver linked deep into the networking services of Windows. It has access to all data entering and leaving the computer, as well as the ability to modify this data. A few such LSPs are necessary to allow Windows to connect you to other computers, including the Internet. But spyware may also install itself as an LSP, thus having access to all the data you transmit. LSPs are currently used by CommonName, New.Net, NewtonKnows and webHancer.

FAQ Category: Glossary of terms used

Mirror

On the Internet, a mirror site hosts copies of files of another Internet site. Mirrors are most commonly used to provide multiple sources for the same download, and are a way to distribute large amounts of data traffic among multiple Internet hosts.

FAQ Category: Glossary of terms used

Passwords

To protect the privacy of data on a system, passwords or pass phrases are used along with a username. This allows you to identify yourself to the system and to verify that you are who you say you are.

There are some very important things to remember about passwords:

1. Do not tell anyone your passwords. If you are asked by someone for your password, and you are in doubt about their identity, the best reaction is to say ‘no’. If they tell you they are a system administrator, they are more than likely not telling the truth, as they should already have access to this information.

2. When choosing your password, don’t choose something that others could simply guess. Don’t use the name of your spouse or cat, or the company name printed on your computer or monitor. While the best thing would be a random string of characters and numbers and even special characters, if you really need something that is easy to remember, take parts of words and combine them into something that you can still speak, but that makes no sense. Attach a few numbers to it to be on the safer side.

3. Don’t write your password down on a ‘post-it’ attached to your screen, or anywhere on your workspace. If you need to write it down, put the paper with it into your wallet, but never anywhere visible.

4. Don’t save a file with all your passwords on your computer. If you can’t remember them all, write them down. If you really want to save them in a file, encrypt that file. There are many good free utilities that will allow you to safely store your passwords. One such program is available from this site: http://keepass.info/.

FAQ Category: Glossary of terms used

PUPS

The acronym PUPS stands for Possibly Unpopular Software and defines software that shows dubious behavior and is likely to be unwanted. In many cases it is hard to find sufficient factual proof for malware status even though its malevolence is rather obvious by intuition.

FAQ Category: Glossary of terms used

Registry

The registry could be described as a database, located on your computer, that stores most configuration data (ranging from low-level configurations, like which drivers are to be loaded for which graphics card, up to program-specific configurations, like which start page Internet Explorer should display).
The registry is hierarchically structured, meaning it is built like a tree.

If you want to have a look at your registry, you can do so by typing regedit at a command prompt. But be warned: do not change anything until you feel very comfortable with the registry contents!

 

FAQ Category: Glossary of terms used

Scripts

Scripts are programs written to automate tasks that would normally require human intervention. For example a script could contain a series of commands that are part of a command interpreter.

Scripts can also contain commands specific to the application you want to control, for example to tell a spreadsheet application to take the values from every third row, sum them up and create a graphic.

FAQ Category: Glossary of terms used

Skins

Skins are files that allow you to change the appearance of Spybot-S&D. These appearance changes are mostly color changes, so you could also call them Color Schemes instead of Skins.

FAQ Category: Glossary of terms used

Spyware

Spyware is software that transmits personally identifiable information from your computer to a location on the internet without your knowledge.

Spyware is typically not the product you install itself, but small add-ons, that you may or may not disable during install. In some cases a EULA may refer to these add-ons. Typically most users don’t read the complete EULA and might not know they have spyware on their system.

Adware is a less threatening sort of program. Adware is similar to spyware, but does not transmit personally identifiable information, or at least the collector promises not to sell it. Instead, aggregated usage information is collected, and sent somewhere on the internet.

Adware is also often a side-effect of spyware, as both monitor you for a sole purpose – delivering you advertisements that are especially tailored to your habits.

Another kind that is detected under the spyware category is tracking cookies. Cookies are used all over the internet in useful and less useful places. Advertising companies often set cookies whenever your browser loads a banner from them. In that case and if that cookie contains a GUID, the company gets a notice about every site you visit that contains their ads.

FAQ Category: Glossary of terms used

Trojan horse

A ‘Trojan Horse’ or Trojan is named after the Greek myth. It is a program that has been installed on your computer without your knowledge.

It usually carries a payload of malicious code that could, for example, allow surreptitious external connections to your computer. Some trojans leave ports open so that anyone can connect to your computer, others restrict access to certain users.

Once access is gained, the intruder can do anything from monitoring your behaviour to taking complete control.

There are many ways Trojans can infect your computer. A person with physical access to your machine can place it there, but you can also accidentally install it yourself by opening an infected email attachment.

FAQ Category: Glossary of terms used

Usage tracks

Usage tracks are the history of websites you visited, web pages you have opened, documents you have read or edited, programs you have run and other information recording your activities that is stored on your computer.
This information is useful as it can speed up access to data. It is stored on your system in locations where users would not normally see it (for example the registry).

One of the downsides to storing your usage tracks is that attackers may use this information to steal your identity and compromise your system. The advanced features in Spybot S&D can remove some of the most important and common tracks on your system.

FAQ Category: Glossary of terms used

DDoS (Distributed Denial of Service) attack

A DDoS attack is an attempt to make a computer or network resource unavailable.
A network of compromised systems (which are usually infected by a Trojan virus) is used to target a single system. The targeted system is flooded with traffic and thus becomes unavailable.

FAQ Category: Glossary of terms used

Rootkits

A rootkit is a type of malware that can hide the existence of certain processes or programs.

These processes or programs can evade normal methods of detection. If your computer is infected with a rootkit, the rootkit will reload itself each time your computer is restarted.

If an attacker can gain root or Administrator access, they can install a rootkit. This can be done by exploiting a known vulnerability, acquiring a password or by social engineering. Emails with attachments are one of the most common attacks. A seemingly innocent attachment can carry a dangerous payload. Once the malware is installed, it becomes possible to hide the intrusion as well as to maintain privileged access. Most rootkits disable or circumvent software that might otherwise be used to detect them.

A ‘clean boot’ and scan or reinstallation of the operating system may sometimes be the only available solution to this type of infection.

FAQ Category: Glossary of terms used

ISO

An ISO or disk image is a file that contains a complete copy of a CD. ISO images are often provided so you can burn your own bootable CD.
Once you download an ISO image to your hard drive, you can burn your own copy of the CD, provided you follow the correct instructions for burning an ISO; it is not sufficient to just copy the file to a CD.

FAQ Category: Glossary of terms used

How to make a backup

In order to revert to a registry backup, run Windows in Safe Mode.
Be sure that hidden files are shown.

Now execute the two files (or maybe it is just one of them) regusers.reg and reglocal.reg in the following folder:

Windows 95 or 98: C:\Windows\Application Data\Spybot – Search&Destroy\Backups\
Windows ME: C:\Windows\All Users\Application Data\Spybot – Search&Destroy\Backups\
Windows NT, 2000 or XP: C:\Documents and Settings\All Users\Application Data\Spybot – Search&Destroy\Backups\
Windows Vista: C:\ProgramData\Spybot – Search &Destroy\Backups\
Answer Yes when prompted to add its contents to the Registry. Then reboot.

FAQ Category: 1.6 only, How to

How to disable Spybot-S&D temporarily

You only need to disable the resident feature of Spybot-S&D. To deactivate it: Run Spybot-S&D, switch to the Advanced mode via the menu bar item Mode → hit Yes → select Tools in the navigation bar on the left → Resident and there you can untick the checkboxes in front of the two tools.

But be warned: you will then not have resident protection!

 

FAQ Category: 1.6 only, How to

How to download Spybot-S&D

There are two options to download Spybot-S&D:

  1. You choose a download location on our website. The displayed mirrors are partners who provide places to host Spybot-S&D for us. You can download from them; it is secure and they all contain the same data.
  2. You choose the direct installation file.

Please search for new updates after installing Spybot-S&D.

FAQ Category: 1.6 only, How to

How to exclude products from the search

Click on a problem in order to highlight it.

Then right-click on it  to see how to exclude it from further searches.

FAQ Category: 1.6 only, How to

How to disable the proxy

Open the Settings section and go to the Settings page. Locate the Use proxy entry in the Automation – Web update category, and disable it.

FAQ Category: 1.6 only, How to

How to make a recovery

Please make sure you have all updates installed.
Restore the files you deleted with Spybot – Search & Destroy: Run Spybot-S&D, select Spybot-S&D → Recovery from the left bar and restore all the files and entries which are in association with the item that should be restored.

After following these steps please try again. Be sure that all the Explorer windows are closed. You might have to restart your computer for the changes to take effect.

FAQ Category: 1.6 only, How to

How to enable the Select all button

Go to Settings → Settings → Expert settings. Enable both options (3) to get the Select all buttons.

FAQ Category: 1.6 only, How to

How to export the Startup list

1. Click the Tools section.
2. Select the System startup tool.
3. Click your right mouse button somewhere on the list.
4. Choose Export… from the context menu that will appear. A dialog will pop up where you can select the name of the text file you want to save the report to.

FAQ Category: 1.6 only, How to

How to switch the language

The option to change languages is on the third menu.

FAQ Category: 1.6 only, How to

How to uninstall

Spybot-S&D will uninstall from the Windows Add/Remove Software control panel without problems.

If you want to completely get rid of Spybot-S&D and the Add/Remove does not help, you can delete the installation folder (usually C:\Program Files\Spybot – Search & Destroy\).

If you just want to upgrade to a newer version, please follow the same instructions as above and then install the new version.

After following these instructions please restart your system so that the changes can take place.

Also, neither the automated uninstall nor the manual uninstall as described above will remove the following directories, which you will have to remove by hand:

Windows 95 or 98: C:\Windows\Application Data\Spybot – Search & Destroy\
Windows ME: C:\Windows\All Users\Application Data\Spybot – Search & Destroy\
Windows NT, 2000 or XP: C:\Documents and Settings\All Users\Application Data\Spybot – Search & Destroy\
Windows Vista: C:\ProgramData\Spybot – Search & Destroy\
(Please note that the Application Data Folder is hidden. So if you cannot find this folder please check your folder properties.)

Explanation: this folder contains the backup (the quarantined files) that Spybot-S&D creates. If the uninstall removed this folder as well, those backups would be gone. We have seen a few times that new users uninstalled Spybot-S&D in panic after they had experienced a small problem, thus removing the backup that would have undone any changes.

FAQ Category: 1.6 only, How to

How to update

1. Since version 1.5 Spybot-S&D is kept up to date by the Updater, a separate tool. To start it, please click on Update in the navigation bar. If you want to, you can also click on the button Search for Updates – then the window showing additional update types (2.) is skipped and you start immediately with the server list (3.).
2. If you have clicked on Update, a new window opens. There you can select two additional update types: beta and language updates. To go on, please click on Search.
3. Select a download location (the nearer to you the better) and click on Continue.
4. Select all available updates that are relevant for you (detection updates are already preselected). By clicking on Download you download them. Updates will be installed without any further action needed.

FAQ Category: 1.6 only, How to

How can I prevent users from changing the options in Spybot S&D?

You can deny users access to Spybot S&D’s configuration by defining the Settings password.

See section Generic client settings in the web interface of Spybot S&D Update and configuration Server. After this the user is prompted for this password before he or she can change Spybot S&D’s configuration.

FAQ Category: 1.6 only, Corporate Edition

Why does reconfiguring paths in the Server configuration section of Spybot S&D Update and Configuration Server not work for me?

When reconfiguring the paths in the Server configuration section, the corresponding directories must exist.
If the directories do not exist, any changes you make will not be saved.

FAQ Category: 1.6 only, Corporate Edition

Why can my clients not reach the Spybot S&D Update and Configuration Server?

Check the firewall settings of the computer the Spybot S&D Update and Configuration Server is running on.
Also make sure the port it is listening on (port 80 by default) is not used by another network service like a general purpose web server.

FAQ Category: 1.6 only, Corporate Edition

How can I monitor the scans performed on the client PCs?

Configure your email address and your account data for the SMTP server in the web interface of the ‘Spybot S&D Update and Configuration Server’ (UCS). Logs of the scans on the clients will be emailed to the email account you selected.

If you are running Spybot S&D as a scheduled task, you must configure it to use the SMTP protocol directly instead of the installed system default mailer. This can be done via the option Mailer application on the Client settings page of the Spybot S&D UCS.

FAQ Category: 1.6 only, Corporate Edition

Why do I receive the error message that there is a problem in Hijackers.sbi and I should look into the Include errors.log file?

This error usually is the result of updates you have missed or installed only partially. To solve the problem, please install all updates checked by default at least, if not all. If you do not want to use the update function of Spybot-S&D, take a look at the download page here and download all manual updaters.

The background of this problem is that extensions to the detection engine provide new ways of detecting malware. These updates are usually labeled Plugin, in contrast to the weekly Detection update, and might therefore be overlooked. Since version 1.4 Spybot-S&D allows you to hide these messages, but this is generally not recommended since missing plugins might mean missing or reduced chances to find the latest malware.

FAQ Category: 1.6 only, Error Messages

Why do I receive the error message “ws2_32.dll missing” (and others)?

Spybot – Search & Destroy 1.4 was incompatible with Windows 95, while version 1.3 or earlier and version 1.5 and later are compatible. However, the lack of the following updates usually causes problems:

HTML Help 1.3
If you receive the message “Error message: HHCTRL.OCX is missing”, you are probably using an old version of Internet Explorer, thus the needed HTML help components are not installed.
Winsock2
If you receive the message “Error message: WS2_32.DLL is missing”, you need a Winsock update for Windows 95. More information is available in Microsoft’s knowledgebase.
Active Accessibility 1.3
Spybot-S&D tries to support solutions for disabled people, so you need to install the Active Accessibility runtime package if you receive complaints about problems in oleacc.dll.
Common Controls
Spybot-S&D might also need this update if things are not properly displayed or you receive messages about other missing functions.
Shell Folders
If you are running one of the older Windows 95 releases and do not even have Internet Explorer 4, you need this update for a newer SHFolder.dll, which is responsible for the Application Data folder used by many applications to store data.
We recommend these Windows 95 updates in any case, and we have included an option to download and install missing updates in the installer of Spybot-S&D 1.5 and later.

FAQ Category: 1.6 only, Error Messages

Why do I receive the error message “No Zip File specified” when I update or fix?

This happens if you have ZipMagic from Aladdin Systems (to my knowledge it came from Ontrack before) installed. ZipMagic displays all zip files as folders, and even denies other applications access to the real zip file.

To allow another application direct access to zip files, ZipMagic has a setting somewhere on its Options page. You need to add SpybotSD.exe there. Instructions from a kind user follow:

Open the ZipMagic properties.
Click on the icon Applications at the left.
Check the option These applications see Zip files as files.
Press the Add… button.
Select the SpybotSD executable in the dialog appearing (usually C:\Program files\Spybot – Search & Destroy\SpybotSD.exe).
This will tell ZipMagic to allow Spybot-S&D access to zip files again.

FAQ Category: 1.6 only, Error Messages

Why do I receive the error message “framedyn.dll is missing”?

You will find more information on this error on Microsoft’s support pages or on our Forums.

FAQ Category: 1.6 only, Error Messages

Why do I receive the error message “User abort”?

Did you use a beta version of Spybot – Search&Destroy earlier? We recommend a fresh install of Spybot – Search&Destroy. Please uninstall your version of Spybot – Search&Destroy considering this information. It is important to use the very small fix described there.

Then, make a fresh install of Spybot – Search&Destroy. You will find links to several download locations on our download page. You will also have to update your new version using the integrated updater (or download the manual updaters as well). This should solve the problem.

More information about this problem is available in our forum:

SB Automatically “User Aborts”
Spybot Scan aborts itself
scan aborted by user
Scan aborted ny S&D with no input, please HELP
User Abort
Scan aborts prematurely

FAQ Category: 1.6 only, Error Messages

Why do I receive the error message “Problems in the include file (Trojans.sbi)”?

You are probably using an outdated version of Spybot-S&D. Please download our current version Spybot – Search & Destroy 1.6.2. That should fix it. You will find links to several download locations on our download page.

FAQ Category: 1.6 only, Error Messages

Why do I receive the error message “Server name or address could not be resolved”?

During the installation Spybot tries to download the updates. Whenever a connection attempt to the update server fails, such a message is displayed.
You can disable this function in the wizard itself.
Just untick the checkbox in front of “download updates during installation” or “Download Updates immediately”.
The updates can be downloaded later on.

There is a ‘How To’ on our website that explains in greater detail how you go about downloading updates.

FAQ Category: 1.6 only, Error Messages

Why do I receive the error message “No disk in the drive”?

This is a known problem which can occur in Windows. The problem is usually caused by having Drive C assigned to a device with removable media. If you have that situation then either put media in Drive C or reassign the device to another letter.

For instructions on reassigning the device to another letter please refer to Microsoft’s website.

FAQ Category: 1.6 only, Error Messages

What should I do if my Internet programs stopped working?

If a spy is removed, the application that has installed it may no longer work. Spybot-S&D is able to replace a few spies with harmless dummies, but sometimes this is not possible. In this case you should either search for a good alternative that comes without spy- or adware, or use the Recovery option in Spybot-S&D to restore the spy.

In the latter case, you can do it step by step, until you find the files that are absolutely necessary for the spy. So you can keep at least some files from your system, like the data saved about you

FAQ Category: 1.6 only, Known Issues

Why does my network react very slowly after inserting the Hosts File?

Please refer to this faq for more information: http://accs-net.com/hosts/faq.html#19

FAQ Category: 1.6 only, Known Issues

Why are some of my favourite Internet sites blocked?

This problem may be caused by the Immunization or the bad download blocker in Spybot – Search & Destroy. Please open the Tools menu in your Internet Explorer and choose Spybot – Search Destroy Configuration. There you will find a drop down menu where you should select Ask for blocking confirmation. If you want to visit a blocked website choose Allow.

If this does not solve the problem, please run Spybot-S&D and select Spybot-S&D → Immunize in the navigation bar on the left. Please click Undo. Then run Spybot – Search & Destroy and switch to the Advanced mode via the menu item Mode. Now select Tools → Resident from the navigation bar on the left. Please untick the checkbox in front of the Resident “SdHelper” (Internet Explorer bad download blocker) active.

But please note: Now the bad downloads will not be blocked any longer! Maybe you have to restart your computer now. Then try again to open your favourite pages. Do not forget to Immunize again after visiting that page.

FAQ Category: 1.6 only, Known Issues

Why are there some items left to immunize?

Vista users

On Vista, you need to run the immunization with elevated privileges, otherwise all global immunizations will fail. To elevate, right-click the Spybot-S&D shortcut and choose Run as Administrator.

Spybot – Search & Destroy 2 will offer to run the Immunization elevated if you do not run it as described above. If you previously chose not to have this dialog shown again, you can re-enable it by using the Dialogs tab of the Settings window.

Computer Associates Yahoo! Anti-Spy blocks a few immunization entries in the category Internet Explorer (32/64 bit). One of the unimmunized domains would be koolynoody.net currently. CA AntiVirus 8.4.0 might block a larger number of entries.
More information about this can be found in threads tagged immunization vs. ca.

AVG Antivirus users

AVG Antivirus blocks immunization of about 30 to 120 entries in the Internet Explorer category.
More information about this can be found in threads tagged immunization vs. avg.

ZoneAlarm users

ZoneAlarm blocks all immunization of the area Windows: Global (Hosts) by protecting this file against changes. To overcome this protection, you could temporarily lift the lock from ZoneAlarm’s Firewall > Advanced tab. Don’t forget to relock it after immunization.
More information about this can be found in threads tagged immunization vs. za.

STOPzilla users

STOPzilla blocks all immunization of the area Windows: Global (Hosts) by protecting this file against changes. To overcome this protection, you could temporarily lift the lock. To do so:
Open Stopzilla
Click “Real-time Protection”
Click “Active Enforcers”
Click “Network”
Click “Hosts File” to uncheck it
Click “Apply”
Click “OK”
Do not forget to reverse this procedure after you’ve completed immunization. Thanks go to forum user michaelbmcgee for these instructions.
More information about this can be found in threads tagged immunization vs. stopz.

Firefox 2 users

Firefox profiles can be both for Firefox 2 and Firefox 3 at the same time, and just based on the profile folder, it might be a bit difficult to guess which one the user is using. Spybot-S&D 1.6.0 therefore tried to be future-compatible and assumed that a profile would be for Firefox 3 if it has not been clearly identified.

There is a trick, though, to force a profile to be identified as a Firefox 2 profile. Go to C:\Documents and Users\Username\Application Data\Mozilla\Firefox\Profiles\something.default, which is your profile folder (path might be slightly different depending on the OS).

If there is no file named hostperm.1 but one named permissions.sqlite with a filesize of 0 bytes, rename the latter to hostperm.1.
If both files exist, delete the file permissions.sqlite.
If only permissions.sqlite exists and is larger than 0 bytes, delete it and create an empty file named hostperm.1.
More information about this can be found in threads tagged immunization vs. ff2.
Spybot-S&D 1.6.1 and 2.0 will recognize Firefox 2 vs. Firefox 3 using other criteria which should be less error-prone.
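
The three file rules above, written out as an added Python example (it is not part of the original FAQ or of Spybot-S&D). The function names, the action labels and the dry-run switch are assumptions made for illustration, and the profile folders it works on are constructed in a temporary directory rather than taken from a real Firefox installation.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

HOSTPERM = "hostperm.1"          # Firefox 2 permissions file (name from the FAQ)
PERMS_DB = "permissions.sqlite"  # Firefox 3 permissions database (name from the FAQ)

# Action labels used by this example (hypothetical names, not Spybot-S&D terms).
RENAME, DELETE, CREATE = "rename-db-to-hostperm", "delete-db", "create-empty-hostperm"


def plan_fix(profile: Path) -> list[str]:
    """Return the actions the FAQ prescribes for this profile folder, in order."""
    has_hostperm = (profile / HOSTPERM).is_file()
    perms_db = profile / PERMS_DB
    has_db = perms_db.is_file()

    if has_db and has_hostperm:
        return [DELETE]              # both files exist
    if has_db and perms_db.stat().st_size == 0:
        return [RENAME]              # empty database, no hostperm.1
    if has_db:
        return [DELETE, CREATE]      # non-empty database, no hostperm.1
    return []                        # hostperm.1 only, or neither: no rule applies


def apply_fix(profile: Path, dry_run: bool = True) -> list[str]:
    """Carry out plan_fix(); with dry_run=True only report what would change."""
    actions = plan_fix(profile)
    if dry_run:
        return actions
    for action in actions:
        if action == RENAME:
            (profile / PERMS_DB).rename(profile / HOSTPERM)
        elif action == DELETE:
            (profile / PERMS_DB).unlink()
        elif action == CREATE:
            (profile / HOSTPERM).touch(exist_ok=False)
    return actions


def demo() -> dict[str, list[str]]:
    """Apply the rules to constructed profile folders inside a temp directory."""
    results = {}
    cases = {
        "empty-db-only": {PERMS_DB: b""},
        "both-files": {PERMS_DB: b"", HOSTPERM: b""},
        "nonempty-db-only": {PERMS_DB: b"constructed sample bytes"},
        "hostperm-only": {HOSTPERM: b""},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in cases.items():
            profile = Path(tmp) / name
            profile.mkdir()
            for filename, content in files.items():
                (profile / filename).write_bytes(content)
            results[name] = apply_fix(profile, dry_run=False)
            # Whatever the starting state, only hostperm.1 may remain afterwards.
            assert sorted(p.name for p in profile.iterdir()) == [HOSTPERM]
    return results


if __name__ == "__main__":
    for case, actions in demo().items():
        print(f"{case}: {actions or 'nothing to do'}")
```

Close Firefox before running this against a real profile folder, and note that deleting permissions.sqlite discards the per-site permissions stored in it.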

FAQ Category: 1.6 only, Known Issues

Why has the number of scanned items been reduced (and now searches for only a few items)?

Probably not all file sets are activated for the scan. You can solve this problem as follows:

Please run Spybot – Search & Destroy and switch to Advanced mode via the menu bar item Mode, then select Settings → File Sets in the left bar. There, please right-click somewhere into the list and choose Select all available checks.

FAQ Category: 1.6 only, Known Issues

Why can I no longer access my IE settings?

Internet Explorer tells you to contact your administrator when you try to access the IE settings?

This can happen if you use Spybot-S&D in advanced mode and you have used the Immunize feature without reading all the text.

Please start Spybot-S&D again in advanced mode (usually from the Start menu group Spybot – Search & Destroy, unless you have already changed the desktop icon to advanced mode).
Select Tools in the left bar, then IE tweaks.
There you will see a group Recommended miscellaneous locks. Untick the checkboxes in front of both Lock IE… options.
You may need to close all Explorer windows, and maybe even restart Windows before these changes take place.
Hint: this lock function has been added mostly for multi-user environments in which you would not want other users of your computer to change your IE settings. If you are the only user of your computer, there is no real need to enable them.

FAQ Category: 1.6 only, Known Issues

Why does Spybot-S&D not scan network drives (shares)?

Scanning network shares sounds like a good idea at first – the scanner needs to be installed only on a single machine and one person can do the scan. To simply remove installers, this is not a bad idea at all, so Spybot-S&D allows you to add network shares as well in its Download directories setting.

But scanning for and removing files on other computers can be dangerous as well. Most threats are not only files, but also linked by registry entries – removing just the files would cause the ‘cleaned’ Windows to produce a lot of errors. But while those messages may be harmless (and remote registry cleaning could at least be added for NT/2000/XP/Vista), there is an even worse case – some threats need to be removed by using API calls. Removing LSP hijackers by just deleting their file will disable the network access of the cleaned machine, and repairing LSPs by fixing the registry is not fail-safe either.

That is why an anti-spyware tool needs to be run on each machine. We are developing a client/server scanning system that will work in network environments.

FAQ Category: 1.6 only, Known Issues

How can I disable the notifications popping up when a download was blocked (e.g. Avenue A, Inc., DoubleClick)?

This message is created by the bad download blocker for IE, a tool of Spybot-S&D. Since version 1.5 the feature of the silent bad download blocker is in a different place than in older versions.

Please open the Tools menu in your Internet Explorer and choose Spybot-S&D – Configuration. There you will find a drop down menu (see screenshot below) where you should select Block all bad pages silently. With that option set the notifications will no longer come up, but you will still have the protection.

FAQ Category: 1.6 only, Known Issues

Why are some products set to be ignored by default?

CDilla and SideStep are listed in the ignore products by default. Please see the topic Why are CDilla & SideStep checked in Ignore Products? in our forum.

FAQ Category: 1.6 only, Known Issues

What can I do if Spybot-S&D freezes during scan?

Please disable all other security programs that you run and close all other programs during the work with Spybot – Search & Destroy.

Also run a scan in safe mode:

http://www.computerhope.com/issues/chsafe.htm

That should fix it.

It should also help to deactivate the scanning for usage tracks and Cookies.
Please run Spybot-S&D and switch to “Advanced mode” via the menu bar item “Mode”. Now select “Settings” → “File Sets” in the navigation bar on the left. The checkboxes in front of “Usage tracking, Beta.uti, NewTracks.uti and Tracks.uti” have to be unticked if you do not want to find usage tracks anymore. For excluding Cookies from the search deactivate the checkbox in front of Cookies.sbi.

If this does not help, please delete the contents of your Windows temp folder and try it again. Also, you might want to disable the Create system restore point when fixing spyware/usage tracks option on the settings page.

FAQ Category: 1.6 only, Known Issues

Why does Spybot – Search & Destroy slow down my System?

Maybe you run more than one security program and they interfere with each other. The resident protection of Spybot – Search & Destroy monitors the processes the whole time, so that nothing bad gets on your system – that can slow down your PC a little bit. If you do not want to have this feature you only need to disable the resident protection.

Please run Spybot-S&D and select “Spybot-S&D” → “Immunize” in the navigation bar on the left. Please hit “Undo”. Then open Spybot – Search & Destroy in the Advanced mode via the menu item Mode. Now select “Tools” → “Resident” from the navigation bar on the left. Please untick the checkboxes in front of the two tools.

FAQ Category: 1.6 only, Known Issues

Why does Spybot-S&D run automatically on every pc start?

Maybe you have automated your Spybot.
Open Spybot in the advanced mode via the menu item Mode, go to “Tools” → “System Startup”.
Then mark the following entry and remove it: “C:\Program Files\Spybot – Search & Destroy\SpybotSD.exe” /autocheck

If this does not help maybe this is due to the message during the scan “It is recommended that you reboot and scan again to find items that may be uncovered only after a reboot.”

If you need to you can download the latest version of Spybot S&D from our website and also download a new advcheck.dll file.

Move those two files: SpybotSD.exe and advcheck.dll to your program installation folder, and accept to replace the old ones.

FAQ Category: 1.6 only, Known Issues

Why does Spybot-S&D not open anymore?

1. Please try to rename the SpybotSD.exe into iexplore.exe or firefox.exe and try to run it.

Using Windows Explorer navigate to:

C:\Program Files\Spybot – Search & Destroy

In the Tools menu select Folder Options

In the Folder Options dialog select the View tab.

Uncheck the following option:

Hide protected operating system files (Recommended)

Click the Apply button.

Click the OK button.

The SpybotSD.exe should be visible now.

Right-click the file and choose Rename.

Give it a different name like iexplore.exe or firefox.exe and try again to run it.

2. If this does not help you might be infected with a Rootkit. We need some logs now to locate the infection that is mostly hidden deep in your system. Please download our free RunAlyzer from our website.

Now, run the RunAlyzer and choose “Logs” from the menu bar above. Now create a “SBSD log” and a “hjt log” and choose “Save”. You can save the files to your desktop. Please attach these files to your e-mail.

3. Please download our RootAlyzer. Here is the direct download link: http://www.spybotupdates.biz/files/rootalyz-0.3.4.47.zip

Please set your computer to show all files.

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Clear “Hide file extensions for known file types.”

Under the “Hidden files” folder, select “Show hidden files and folders.”

Clear “Hide protected operating system files.”

Click Apply, and then click OK.

Please select the tab ‘deep scan’ and let it fully scan your PC. The scan will take a moment, please be patient. After the scan is done please click on ‘pack suspicious files’ which is located right at the bottom. This will create a .cab file on your desktop which contains the log and the suspicious files the scan has found. Please attach this .cab file to your next mail.

4. Please also download GMER: www.gmer.net and let it do a full scan on your PC. Afterwards you will be able to save the log created during the scan. Please also send us this log.

5. Please also try this tool: RootRepeal

Here is also the direct download link: http://ad13.geekstogo.com/RootRepeal.zip

Unzip the file to the folder

Start RootRepeal.exe

Select “Report” tab

Click “Scan” button

Select following scan options: Drivers, Files, Processes, Stealth Objects, Hidden Services

Click “OK” button

Select your hard drive with the installed operating System and click “OK” button

Save Report via Clipboard or click “Save Report Button” to save a text file

Please send the report files to our detections department. You will find the address on our website.

FAQ Category: 1.6 only, Known Issues

How do I edit the Blacklist & Whitelist in resident TeaTimer?

Please right-click the Resident icon in the system tray and select Settings. There you will find four lists for remembered decisions (allowed/denied processes and registry changes). In order to remove an entry, just click on the cross next to it. TeaTimer will then “forget” this decision and you will be asked again the next time.

FAQ Category: 1.6 only, TeaTimer

How do I disable the TeaTimer notifications?

TeaTimer will inform you about all changes in the registry, whether they are good or bad. There are so many registry keys that it is impossible to classify them by default, so the user needs to decide whether to allow a change or not. TeaTimer created snapshot files when you started it for the first time, and it compares the current registry with those snapshot files.

If you want to make new snapshot files please shutdown the TeaTimer with the Resident icon and then start it manually from the Spybot S&D program folder. There is no possibility yet to hide the popups which remind you which keys are blocked. As a workaround, you can only make new snapshot files.

FAQ Category: 1.6 only, TeaTimer

What is the Resident TeaTimer?

The Resident TeaTimer is a tool of Spybot-S&D which constantly monitors the processes called/initiated. It immediately detects known malicious processes trying to start and terminates them, giving you some options on how to deal with this process in the future. You can set TeaTimer to:

– inform you when the process tries to start again

– automatically kill the process

– or allow the process to run

There is also an option to delete the file associated with this process.

In addition, TeaTimer detects when something wants to change some critical registry keys. TeaTimer can protect you against such changes again giving you an option: You can either Allow or Deny the change.

The TeaTimer is always running in the background.

FAQ Category: 1.6 only, TeaTimer

Why does Resident TeaTimer terminate the application before asking?

Because threats like toll dialers are time critical – they cost from the first second they have connected.

In order to protect you, these have to be terminated before they can connect.

FAQ Category: 1.6 only, TeaTimer

Why is TeaTimer called TeaTimer?

We used to forget our tea when it was brewing. This led to us having to drink cold, very strong tea. To overcome this serious problem we built a small tool with a system tray icon to remind us! We called this tool TeaTimer.

When we started to develop the Resident tool for Spybot-S&D, we also needed a system tray icon for this. As we do not like having too many icons in the system tray, we decided to put both tools together and kept the name TeaTimer.

A future version of the Resident tool might have the functions of the original TeaTimer again if our users request it!

FAQ Category: 1.6 only, TeaTimer

Why does TeaTimer crash during the Windows shutdown (System Settings Protection Error Message)?

Please make sure that you have the most current version of Spybot-S&D installed – version 1.6.2.

To see which version number and/or updates of Spybot-S&D you are using please run Spybot-S&D and choose “Help”, “About” in the menu bar.

There you can see which version you have and which updates are installed.

FAQ Category: 1.6 only, TeaTimer

Why does the TeaTimer use so much memory / has such a high CPU load?

When the computer is running for a long time without a standby, reboot, or shutdown, the memory consumption of TeaTimer can sometimes increase slightly.

If you think TeaTimer is consuming too much memory you could try rebooting. Usually TeaTimer will take up 35-50MB of RAM. Seeing that modern PCs built today have more RAM and resources, 80MB should be nothing.

If this does not help you can disable TeaTimer as follows:

– Go into Spybot – Mode – Advanced Mode – Tools – Resident.

– Uncheck the following: Resident “TeaTimer” (Protection of over-all system settings) Active.

FAQ Category: 1.6 only, TeaTimer

Why does Spybot-S&D also remove IE toolbars that seem useful to me?

Nearly all IE toolbars make web access easier for you.
Sadly, to tailor their information to your needs, they need to collect data about you,
and most privacy statements are unclear about how they use this data besides sending you what they think you want.

FAQ Category: 1.6 only, Detections

Why do other spyware programs appear to find spies in Spybot-S&D’s directory?

Please have a look at the path where such a program has found the spyware. As Spybot-S&D has no spyware integrated, this must be a false alarm.

The reason for such a false alarm is simple: Spybot-S&D saves backups of the problems you have fixed; to make it possible to recover them in case something stops working after the fix.

If the file found is in the Recovery directory inside the Spybot-S&D directory, it is such a backup. It can no longer do any harm there, as the file will not be found and loaded from there. But once you are sure you do not need the backup, go to the Recovery section inside Spybot-S&D and purge those files.

Current versions compress the recovery files into password-protected zip archives, which prevents other anti-spyware applications from giving false alarms. Some programs might notify you that they cannot access these zip archives – this can easily be ignored. As the recovery files are named after the threat, some programs might also naively detect the backups as threats just because of the file name. This can also be ignored.

In recent weeks there was a noticeably high number of cases where other anti-virus and anti-spyware programs wrongly detected parts of Spybot-S&D, which probably has to be traced back to insufficient testing at these companies.

FAQ Category: 1.6 only, Detections

Why can I not remove the Sti_Trace.log (or SchedLgU.txt) file?

The Sti_Trace.log file is opened on many machines; most often on Windows ME/2000/XP/Vista. The reason is that the ‘Still Image Monitor’ runs all the time, using this file. You can use msconfig to disable the Still Image Monitor, but as it is of no harm you can add this log file to the single ignore list.

The same is valid for the SchedLgU.txt; it is the log file of the scheduler. If the scheduler is running, this file is kept open. If you are not using the scheduler, I suggest disabling it, this will not only allow you to back up this file, but also save some RAM.

(To add a problem to the single ignore list, simply right-click on it in the results list, and choose the appropriate menu item.)

FAQ Category: 1.6 only, Detections

Why do other anti-spyware applications appear to detect so many more tracking cookies?

Some anti-spyware applications have started to detect nearly every third-party cookie they find as a tracking cookie. In many cases, that is more or less correct, since many contain a GUID (Globally Unique Identifier).

But instead of bloating our detection database with the thousands of cookies out there, we prefer to recommend changing your browser settings a bit to block all these third-party cookies before they even come into your system:

Internet Explorer: Open “Internet Options…” from the “Tools” menu. Choose the “Privacy” tab, and raise the Settings to at least Medium; or use the “Advanced…” button to enable “Override automatic cookie handling” and set “Third-party Cookies” to “Block”.

Firefox 1.x: Open “Options” from the “Tools” menu. Click the “Privacy” icon, and open the “Cookies” category. Under “Allow sites to set cookies”, just set the “for the originating web site only” option.

Firefox 2: Type “about:config” into Firefox’s address bar, then type “network.cookie.cookiebehavior” in the “Filter” box. That will leave one settings line visible; double-click it, type “1” in the “Enter integer value” box, then click OK.

Firefox 3: Open “Options” from the “Tools” menu, then click the “Privacy” icon. Deselect the checkbox next to “Accept third party cookies” in the paragraph “Cookies”.

Mozilla/Netscape: Open “Preferences…” from the “Edit” menu. Open the category “Privacy & Security” and click on its first entry “Cookies”. In the group “Cookie Acceptance Policy”, select “Allow cookies for the originating web site only”.

Opera: Open “Preferences” from the “Tools” menu. Click on “Privacy” in the list on the left, then open the pull-down list about “Third party cookies” on the right and set it to “Refuse all cookies”.

Opera 9: Open “Preferences” from the “Tools” menu, go to “Advanced” → “Cookies” and select “Accept cookies only from the site I visit.”.

FAQ Category: 1.6 only

Why does Spybot-S&D not detect running processes?

This is not correct and is often misunderstood as we do not display an extra list of running processes after the scan. But we do not consider that as necessary – every running process is identical to a file on the hard disk, because a process is more or less that file loaded into memory.

But when you use Spybot-S&D to fix problems, it will automatically terminate the bad processes detected before doing anything else. And if you are using our TeaTimer, TeaTimer will detect malware processes as soon as they are started and terminate them.

Our logs of course do include a full list of processes, and since version 1.4 Spybot-S&D even lists open network connections per process (except for on Vista), allowing you to easily see which processes are connecting to the outside and where to.

FAQ Category: 1.6 only, Detections

Why does MS AntiSpyware complain that Spybot-S&D adds bad sites to the trusted zone?

That is a mistake by Microsoft. Microsoft has since released knowledge base article 902956 that describes this known issue.

FAQ Category: 1.6 only, Detections

Why does Spybot-S&D flag changes in the Windows Security Center?

Spybot 2 detects registry changes associated with Microsoft Security Center; they are listed as “Windows Security Center”. This is neither a false positive nor a bug.
It is simply information about a potential threat: Spybot 2 wants to bring to your attention that someone or something disabled one or more notifications in the Windows Security Center, e.g. the notifications that your virus protection is not active or not up-to-date.
If you changed the settings yourself, you can safely tell Spybot 2 to exclude those detections from further scans.
To do so, run the Start Center, switch to advanced mode and start Settings.
Now browse to the “Ignore Lists” tab and switch to “Products”. The “Add” button shows a list of products that can be excluded. Select the product you want to exclude and hit “OK”.
Settings can also be launched via SDTray (the small Spybot 2 icon beside your system clock in the taskbar).
The same is true if you have another security solution installed (like McAfee Security Center or Norton Internet Security).
These programs disable the announcements of Windows Security Center in order to signal things themselves.
The changes are flagged by Spybot 2 because there are also malware programs that disable the notifications, so that the user does not notice that their security tools are not effective.
More information is available in our forum: Windows Security Center

FAQ Category: 1.6 only, Detections

What files do I need to update?

Updates can usually be divided into the following categories:

Detection updates and plugins: these updates are usually preselected when you use the updater. It is highly recommended to download them whenever updates are available, since they are responsible for the detection rate. They are usually named Detection rules, Advanced detection library, Detection support library or Some plugin.

Localized updates: language files and localized product information. These files are not necessary if you use Spybot-S&D exclusively in English. If you use only one other language, you just need your local ones.

Beta updates: if you are willing to help us improve Spybot-S&D, you might download these as well. Do not forget the usual beta disclaimer though: there might be a bunch of new features, but there is also the risk of new bugs.

Malware documentation and help updates: as the name indicates, these are for those who like to read up on malware and on Spybot-S&D.

Full updates: rare, but when a new release comes out, it will usually be available through the updater.

The second and third categories are not displayed by default. In version 1.4 you can enable them on the settings page; since version 1.5 there are two checkboxes for them on the start page of the new updater application.

FAQ Category: 1.6 only, Updates

Why is the integrated update not working?

The most common reason for this problem is that you need to use a proxy server to access the internet. If this is the case, the proxy server is already set up in your browser. You can look up the settings there and use them for Spybot-S&D.

In Mozilla, you can find the Proxy settings if you open the Edit menu, choose Settings… at the bottom, and navigate to the section Advanced – Proxies.

In Internet Explorer, see the Menu Extras – Internet options, go to the tab Connections and click the Settings button at the bottom.

In Opera, see the Menu Tools – Preferences, go to the tab Advanced, section Network and click the Proxy servers button. Look for the HTTP proxy there.

Back inside Spybot-S&D go to the Advanced Mode (via menu Mode), then choose Settings → Settings, and scroll down to the entry Automation – Web update – Use proxy. Now check the box below it, and a dialog will appear where you can enter your proxy settings.

The format is host:port (the host is the name, the port the number you found in your browser). If you need to access your proxy using a login, you can use the format username:password@host:port.

FAQ Category: 1.6 only, Updates

Why does Spybot-S&D freeze when doing an update?

SDUpdate can freeze up if the servers are responding very slowly. This can happen on the day new updates are released (usually on Wednesdays), when too many people try to download them at the same time. But Spybot 2 has not really frozen; it is just delayed. There are a few solutions for this problem:

1. Wait a minute, it should be active again.
2. You can still use the manual updater.

Download the current file and install it, and you’ll be up-to-date. Here is the direct-update-link where you can reach the latest update every time.
Please use the Spybot 2 program folder as Destination Folder to store the update, by default:
Windows XP: C:\Program Files\Spybot - Search & Destroy 2
Windows Vista or Windows 7 or Windows 8: C:\Program Files (x86)\Spybot - Search & Destroy 2

FAQ Category: 1.6 only, Updates

Why do I receive a “Socket Error”?

Please take a look at the security settings of your firewall (if you are using one) and make sure that Spybot-S&D is not blocked. If it is blocked, unblock it; that should allow it to reach the updates. If Spybot-S&D is not blocked, it is also possible that our server is temporarily unavailable. Please try again a few hours later.

If this does not help please download the manual updaters from our website. The manual updaters are self-installing, you just need to run them.

FAQ Category: 1.6 only, Updates

Why do I receive: “Error Retrieving Update Info File”?

1. The error message “Error retrieving update info file” usually appears when Spybot-S&D has accidentally imported bad Internet Explorer proxy settings. In this case, it helps to disable the proxy option in Spybot-S&D: Open the Settings section and go to the Settings page. Locate the Use proxy entry in the Automation – Web update category, and disable it. If you cannot see the Settings section, start Spybot-S&D in advanced mode (see your Start menu group for Spybot-S&D).

2. Please check your firewall. Most people who do not have problem #1 have Spybot-S&D accidentally blocked in their firewall.

3. If nothing else works, you can still use the manual updater, which is available on the website. (Note: if the Info page does not show the correct update date after installing the updates with the manual updater, please ignore that; this will be fixed with the next release.)

FAQ Category: 1.6 only, Updates

Why do I receive “update error – select files from the list”?

There was a compatibility problem under Windows Vista.
You can solve the problem as follows:

1. Download this new SDUpdate.exe.

To use this beta file, extract the downloaded archive into the main application folder (usually C:\Program Files\Spybot - Search & Destroy\) and replace the old file with the new one.

2. If this does not help, go to the SDUpdate.exe file in your program folder:
C:\Program Files\Spybot - Search & Destroy\

Right-click the file and choose Properties.
Then choose the Compatibility tab.
Activate the checkbox in front of “Run this program in compatibility mode for” and select “Windows XP” from the drop-down menu. Now click “Apply” and “OK”.

That should fix the problem.

This problem has also been discussed in our forum.

FAQ Category: 1.6 only, Updates

How can I contribute to the cause?

As you may have read, we are working full-time on this free project, but we have got to pay hosting bills and develop software. So we would be glad if you could donate a small amount to our cause. Thank you.

FAQ Category: 1.6 only, General Questions

Where are features like the Tools or Settings section?

If you have a fresh installation of Spybot-S&D, you may not see functions like the Tools or Settings section.

Spybot-S&D has two different modes. From the menu bar item Mode you can choose between Default Mode with the basic functions and Advanced Mode where you will find the Tools and the Settings section.

FAQ Category: 1.6 only, General Questions

What is blindman.exe for?

Some of you may have noticed a new file blindman.exe inside the Spybot-S&D folder, and have asked yourself what it is for. In short words: it does nothing.

I guess an explanation is needed why a file that does exactly nothing comes with Spybot-S&D. Spybot-S&D offers a tool to control the System startup in its Tools section. This includes the ability to disable or enable startup entries from the Autostart group (found in your Start menu under Programs). This group contains links to the actual files. Windows stores those links as files with the extension .lnk. When Windows encounters a *.lnk file in that folder upon startup, it will start the linked application. The easiest way to disable those entries is to change the extension. The System startup tool of Spybot-S&D simply changes the extension .lnk to .disabled, which prevents the linked application from being started. But as Windows does not know this extension, this could slow the startup down. So Spybot-S&D associates that extension with blindman.exe. Windows now tries to run the .disabled file with blindman.exe, and as blindman.exe does exactly nothing, there is no slow-down in booting.

Some people have suspected it could even be spyware itself. For those I will print the Delphi source code (blindman.dpr) here (the included resource file is blindman.res and contains just the icon):

program blindman;
{$R *.res}
begin
end.

Anyone who knows even a little programming should see that this program is totally harmless. (Actually, the version shipped since Spybot-S&D 1.5 is a bit larger than the above, because one of Microsoft's certification requirements is that every executable file needs to call GetVersionEx at least once and needs to crash on inserted code injections, even if it is just a 1 millisecond empty dummy.)

FAQ Category: 1.6 only, General Questions

Do I need this FAQ?

Before you read this FAQ or other support documents, we would recommend that you use the updater and see if you have the most current updates for Spybot-S&D (we removed some FAQ entries for older versions to keep this FAQ up to date and clearly arranged).

If you already have the recent updates, we hope to be able to help you either here, on the support forum or by email.

FAQ Category: 1.6 only, General Questions

I have two Windows installations on my hard disk. Can I scan both at the same time?

Yes, if you have Windows 2000, XP, 2003 or Vista, Spybot-S&D does allow you to scan inactive Windows versions as well, including the registry of other installations!

To scan your system including installations on other partitions, right-click the link/icon you use to start Spybot-S&D, click on Properties, then on the Shortcut tab, and insert /allhives (separated by a space from the rest) in the Target box. If you start Spybot-S&D through this link, it will automatically detect other installations, and scan their registries and files as well. From now on, that will happen on every scan, so please delete the parameter /allhives if you no longer want to scan several hives.

FAQ Category: 1.6 only, General Questions

How can I get Administrator rights under Windows Vista or Windows 7?

On Windows Vista and Windows 7, Spybot-S&D might tell you that you are not authorized to perform some actions, since they require Administrator rights. You can solve this problem as follows:

  1. Right-click the Spybot – Search & Destroy entry in your start menu, instead of just left-clicking to start it.
  2. Choose Run as administrator from the context menu.

Running Spybot-S&D with administrator rights from Vista’s start menu

FAQ Category: 1.6 only, General Questions

Is Spybot-S&D compatible with WinPE/BartPE bootable CDs?

Yes, Spybot-S&D offers full support for PE in general and PEBuilder.
You can download the necessary plugin here, or just run Spybot-S&D from your hard disk after booting a PE disk.
Once run from your bootable PE CD, Spybot-S&D will automatically scan all registries and drives it can find (if you want that feature without PE, check our FAQ entry).

Furthermore we have our own bootable edition: Spybot-S&D Personal Edition.

FAQ Category: 1.6 only, General Questions

Which browsers does Spybot-S&D support?

Spybot-S&D does support many common browsers.

As for resident protection, Spybot-S&D contains the Resident ‘TeaTimer’, which is completely browser independent. It is a Spybot-S&D tool that perpetually monitors the processes called/initiated. In addition, TeaTimer detects changes to some critical registry values.

Spybot-S&D supports detection in cookies, history, start & search pages and bookmarks of these browsers (plus cache for Internet Explorer and Opera):

Beonex Communicator
Firefox pre-0.9, 0.9, 1.x, 2.0, 3.x and old Firebird variants
Flock
Google Chrome
K-Meleon
Microsoft Internet Explorer 5.0, 5.5, 6.0, 7.0, 8.0
Mozilla Suite
Netscape Communicator 4.x, 6, 7
Opera 4.x, 5.x, 6.x, 7.x, 8.x, 9.x
Safari 4
Seamonkey 1.0.x, 1.1.x
Thunderbird 1.x, 2.x (where applicable)

FAQ Category: 1.6 only, General Questions

Is Spybot-S&D compatible with other resident protection tools?

Using more than one anti-spyware program with a resident protection tool might cause conflicts. However, Spybot – Search & Destroy’s Resident protection is designed such that there should not be any compatibility issues.

In rare cases a problem can arise because another security program detects our ‘TeaTimer’ and flags it as bad. This could be because TeaTimer, as a realtime protection tool, is able to change registry settings. (For more information about Resident TeaTimer see this FAQ entry.)

Another issue could be that the Keylogger detection files Keyloggers.sbi and Keyloggers.*.nfo of Spybot-S&D are detected as an Activity Monitor Keylogger. These detected keyloggers are just the Spybot-S&D detection rules, which obviously need to contain the names of the threats. Please ignore these false positives. There is a related article on our website.

For more information, there is a compatibility overview listing some software for which there have been questions on compatibility.

Items that have been removed and are now stored in the recovery area as zip files might be detected and flagged as bad. The zip files are needed for recovery in case something does not work after fixing a problem with Spybot-S&D.

FAQ Category: 1.6 only, General Questions

What is the immunization feature and what are the other permanent protection options?

From version 1.2, Spybot-S&D has had a feature to allow you to immunize your computer against certain pieces of spyware. It also allows you to use native browser settings to block cookies, malware installations, bad websites and other threats.

SDHelper is an Internet Explorer plugin that adds a second layer for blocking threats.

For more information please check the TeaTimer FAQ entry.

FAQ Category: 1.6 only, General Questions

Are there any command line parameters that can be used with Spybot S&D?

Here is a list of command line parameters that the Spybot-S&D main executable (SpybotSD.exe) supports:

/taskbarhide
Runs Spybot-S&D completely hidden (no window, no taskbar icon), so make absolutely sure you use it only in combination with /autoclose (otherwise it would remain in memory sitting idle). Useful only in combination with /autocheck, /autoupdate or /autoimmunize, as it cannot be controlled when completely invisible.

/minimized
Starts the window minimized.

/uninstall
Uninstalls Spybot-S&D. This command line parameter is very outdated – unins000.exe should be used instead!

/blinduser
Starts with support for blind users (special menus).

/allhives
Scans all Windows installations on your system, even inactive ones (for an alternative solution see this FAQ entry).

/autoupdate
Does an update after starting the program.

/autocheck
Starts scanning immediately.

/autofix
Fixes problems after scan.

/autoclose
Closes program after it has scanned or updated.

/autoimmunize
Runs the immunization at program start.

/onlyspyware
Fixes only spyware (red) entries with /autofix, leaving all usage tracks as they are.

/easymode
Starts with easier interface for beginners.

/createenglish
Updates the English.sbl language file with the newest texts; useful only for translators.

And here is a list of command line parameters that the Spybot-S&D installer (spybotsd16.exe) supports:

/sp-
Will skip the first page of the installation wizard (Do you wish to continue? …)

/silent
Will display the progress during installation, but not the wizard.

/verysilent
Even the progress will not be shown. Errors etc. would still be shown.

/suppressmsgboxes
Will use standard actions for message boxes (no overwriting of files, cancelling where the alternative would be retrying…)

/log (or /log="filename")
Creates a log file in the temp folder that contains detailed information about actions taking place during the installation.

/nocancel
Disables the Cancel and Close button. Useful with /silent.

/norestart
Suppress reboots even if they were necessary at the end of the installation.

/restartexitcode=N
If a restart is needed, the setup would return the specified exit code.

/loadinf="filename" (and /saveinf="filename")
Can be used to use a saved setup configuration (or save one).

/lang=language
Overrides the language dialog with a predefined language. Use ISO two-letter language codes here.

/dir="x:\dirname"
Installs into that directory instead of the default one.

/group="folder name"
Installs into a program group of that name instead of the default one.

/noicons
Avoids creation of any icons for the installed software.

/type=typename
Starts installation with a given type. Supported types are full, blind and compact.

/components="comma separated list of component names"
Installs the given components instead of the default ones. Supported components are:

  • main
  • blind (icons for blind users)
  • language (all language files)
  • skins
  • updatedl (for downloading updates as part of the installation)
  • updatew95 (to download prerequisites on Windows 95)
  • SDWinSec (to install the Security Center integration on Vista)
  • SDShredder (to install the stand-alone shredder)
  • SDDelFile (to install the file removal helper)

/tasks="comma separated list of tasks"
Specifies a list of tasks that should be executed. Tasks currently supported are:
desktopicon
quicklaunchicon
launchsdhelper
launchteatimer

/mergetasks="comma separated list of tasks"
Same as /tasks, just with the exception that standard tasks are not disabled by default.

Note: Please be aware that the Spybot-S&D path has to be in quotation marks and multiple parameters have to be separated by a space.

Example: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /taskbarhide /autoclose /autocheck /autofix /onlyspyware
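The combination rules stated above can be checked mechanically before a command line goes into a shortcut or scheduled task. The following Python linter is an added example, not part of Spybot-S&D; its function names and finding codes are hypothetical, and matching switches case-insensitively is an assumption.

```python
import re

# Switches this FAQ lists for SpybotSD.exe. Matching them case-insensitively
# is an assumption of this example.
KNOWN = {
    "/taskbarhide", "/minimized", "/uninstall", "/blinduser", "/allhives",
    "/autoupdate", "/autocheck", "/autofix", "/autoclose", "/autoimmunize",
    "/onlyspyware", "/easymode", "/createenglish",
}
ACTIONS = {"/autocheck", "/autoupdate", "/autoimmunize"}


def split_command(cmdline):
    """Return (exe_path, path_was_quoted, argument_string)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end != -1:
            return cmdline[1:end], True, cmdline[end + 1:]
        cmdline = cmdline[1:]  # opening quote never closed: treat as unquoted
    match = re.search(r"spybotsd\.exe", cmdline, re.IGNORECASE)
    if match:
        return cmdline[:match.end()], False, cmdline[match.end():]
    head, _, tail = cmdline.partition(" ")
    return head, False, tail


def lint(cmdline):
    """Return (code, message) findings; an empty list means no objections."""
    findings = []
    exe, quoted, rest = split_command(cmdline)
    if " " in exe and not quoted:
        findings.append(("unquoted-path", "path with spaces must be in quotation marks"))
    present = set()
    for token in rest.split():
        if not token.startswith("/"):
            findings.append(("unknown", f"{token!r} is not a switch"))
            continue
        parts = ["/" + p.lower() for p in token[1:].split("/")]
        if len(parts) > 1:
            findings.append(("missing-space", f"{token!r}: separate parameters with a space"))
        present.update(parts)
    for switch in sorted(present - KNOWN):
        findings.append(("unknown", f"{switch} is not in the FAQ's list"))
    if "/taskbarhide" in present:
        if "/autoclose" not in present:
            findings.append(("hidden-no-autoclose", "hidden instance would stay in memory"))
        if not present & ACTIONS:
            findings.append(("hidden-no-action", "nothing for the hidden instance to do"))
    if "/onlyspyware" in present and "/autofix" not in present:
        findings.append(("onlyspyware-no-autofix", "/onlyspyware only narrows /autofix"))
    if "/uninstall" in present:
        findings.append(("outdated-uninstall", "use unins000.exe instead"))
    return findings


if __name__ == "__main__":
    # Constructed sample command lines; the first is the FAQ's own example.
    samples = [
        r'"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /taskbarhide /autoclose /autocheck /autofix /onlyspyware',
        r'C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe /taskbarhide /autocheck',
        r'"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck/autofix /onlyspyware /uninstall',
    ]
    for line in samples:
        print(line, "->", [code for code, _ in lint(line)] or "ok")
```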

FAQ Category: 1.6 only, General Questions

Sometimes malware problems reappear when I reboot the computer, why is this and can it be fixed?

A rootkit is a type of malware that can hide the existence of certain processes or programs.

These processes or programs can evade normal methods of detection. If your computer is infected with a rootkit, it will reload itself each time your computer is restarted.

If an attacker can gain root or Administrator access, they can install a rootkit. This can be done by exploiting a known vulnerability, acquiring a password or by social engineering. Emails with attachments are one of the most common attacks: a seemingly innocent attachment can carry a dangerous payload. Once the malware is installed, it becomes possible to hide the intrusion as well as to maintain privileged access. Most rootkits disable software that might otherwise be used to detect or circumvent them.

A ‘clean boot’ and scan, or re-installation of the operating system, may sometimes be the only available solution to this type of infection.

The Spybot S&D liveCD can often fix this type of problem, as it will allow you to do a clean boot of Windows. Doing a clean boot using Linux and running a scan is not as effective, as it will not scan all the registry hives.

FAQ Category: 1.6 only, General Questions

Why do I get a critical license error after installing Spybot S&D Update and Configuration Server?

Make sure the program directory of Spybot S&D Update and Configuration Server contains the files license.txt and license.key and then restart the program.

The license files are contained in the installer. If you cannot locate your license details please contact our sales team.

FAQ Category: 1.6 only, Corporate Edition