If a spy is removed, the application that installed it may no longer work. Spybot-S&D is able to replace a few spies with harmless dummies, but sometimes this is not possible. In this case you should either search for a good alternative that comes without spy- or adware, or use the Recovery option in Spybot-S&D to restore the spy.
In the latter case, you can restore it step by step, until you find the files that are absolutely necessary for the spy. That way you can keep at least some of the spy's files off your system, such as the data saved about you.
Please refer to this FAQ for more information: http://accs-net.com/hosts/faq.html#19
This problem may be caused by the Immunization or the bad download blocker in Spybot – Search & Destroy. Please open the Tools menu in your Internet Explorer and choose Spybot – Search & Destroy Configuration. There you will find a drop-down menu where you should select Ask for blocking confirmation. If you want to visit a blocked website, choose Allow.
If this does not solve the problem, please run Spybot-S&D and select Spybot-S&D → Immunize in the navigation bar on the left. Please click Undo. Then run Spybot – Search & Destroy and switch to the Advanced mode via the menu item Mode. Now select Tools → Resident from the navigation bar on the left. Please untick the checkbox in front of the Resident “SdHelper” (Internet Explorer bad download blocker) active.
But please note: bad downloads will now no longer be blocked! You may have to restart your computer at this point. Then try again to open your favourite pages. Do not forget to Immunize again after visiting that page.
On Vista, you need to run the immunization with elevated privileges, otherwise all global immunizations will fail. To elevate, right-click the Spybot-S&D shortcut and choose Run as Administrator.
Spybot – Search & Destroy 2 will offer to run the Immunization elevated if you do not run it as described above. If you previously chose not to have this dialog shown again, you can re-enable it on the Dialogs tab of the Settings window.
Computer Associates Yahoo! Anti-Spy blocks a few immunization entries in category Internet Explorer (32/64 bit). One of the unimmunized domains would be koolynoody.net currently. CA AntiVirus 8.4.0 might block a larger amount of entries.
More information about this can be found in threads tagged immunization vs. ca.
AVG Antivirus users
AVG Antivirus blocks immunization of about 30 to 120 entries in the Internet Explorer category.
More information about this can be found in threads tagged immunization vs. avg.
ZoneAlarm blocks all immunization of the area Windows: Global (Hosts) by protecting this file against changes. To overcome this protection, you could temporarily lift the lock from ZoneAlarm's Firewall > Advanced tab. Don’t forget to relock it after immunization.
More information about this can be found in threads tagged immunization vs. za.
STOPzilla blocks all immunization of the area Windows: Global (Hosts) by protecting this file against changes. To overcome this protection, you could temporarily lift the lock. To do so:
Click “Real-time Protection”
Click “Active Enforcers”
Click “Hosts File” to uncheck it
Do not forget to reverse this procedure after you’ve completed immunization. Thanks go to forum user michaelbmcgee for these instructions.
More information about this can be found in threads tagged immunization vs. stopz.
Firefox 2 users
Firefox profiles can be both for Firefox 2 and Firefox 3 at the same time, and just based on the profile folder, it might be a bit difficult to guess which one the user is using. Spybot-S&D 1.6.0 therefore tried to be future-compatible and assumed that a profile would be for Firefox 3 if it has not been clearly identified.
There is a trick, though, to force the profile to be identified as a Firefox 2 profile. Go to C:\Documents and Users\Username\Application Data\Mozilla\Firefox\Profiles\something.default, which is your profile folder (the path might be slightly different depending on the OS).
If there is no file named hostperm.1 but one named permissions.sqlite with a file size of 0 bytes, rename the latter to hostperm.1.
If both files exist, delete the file permissions.sqlite.
If only permissions.sqlite exists and is larger than 0 bytes, delete it and create an empty file named hostperm.1.
More information about this can be found in threads tagged immunization vs. ff2.
Spybot-S&D 1.6.1 and 2.0 will recognize Firefox 2 vs. Firefox 3 using other criteria which should be less error-prone.
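The three file cases above can be checked before anything is touched. The following Python sketch is an added example, not part of Spybot-S&D or of the original FAQ: it plans the action for a profile folder first and applies it only in a second step. The function names and case labels are hypothetical, the sample folders are constructed, and Firefox is assumed to be closed while it runs.

```python
import tempfile
from pathlib import Path

OLD = "hostperm.1"          # Firefox 2 permissions file named on the page
NEW = "permissions.sqlite"  # Firefox 3 permissions database named on the page

def plan_ff2_fix(profile_dir):
    """Return (case, actions) for one profile folder without changing anything."""
    old, new = Path(profile_dir) / OLD, Path(profile_dir) / NEW
    has_old, has_new = old.is_file(), new.is_file()
    if has_old and has_new:
        return "both-exist", [("delete", NEW)]
    if has_new and new.stat().st_size == 0:
        return "empty-sqlite", [("rename", NEW, OLD)]
    if has_new:
        return "sqlite-only", [("delete", NEW), ("create-empty", OLD)]
    # The page gives no step for these two states, so plan nothing.
    return ("already-ff2" if has_old else "no-permission-files"), []

def apply_plan(profile_dir, actions):
    """Carry out planned actions; returns the resulting file names."""
    profile = Path(profile_dir)
    for action in actions:
        if action[0] == "delete":
            (profile / action[1]).unlink()
        elif action[0] == "rename":
            (profile / action[1]).rename(profile / action[2])
        elif action[0] == "create-empty":
            (profile / action[1]).touch(exist_ok=False)
    return sorted(p.name for p in profile.iterdir())

def demo():
    """Run the page's three cases on constructed throwaway profile folders."""
    samples = {"empty-sqlite": {NEW: b""},
               "both-exist": {OLD: b"", NEW: b"constructed"},
               "sqlite-only": {NEW: b"constructed"}}
    results = {}
    for name, files in samples.items():
        with tempfile.TemporaryDirectory() as tmp:
            for fname, data in files.items():
                (Path(tmp) / fname).write_bytes(data)
            case, actions = plan_ff2_fix(tmp)
            results[name] = (case, actions, apply_plan(tmp, actions))
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Calling plan_ff2_fix on the real profile folder and reading the returned actions before calling apply_plan shows which of the three cases applies; in every covered case the folder ends up with hostperm.1 and no permissions.sqlite.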
Probably not all file sets are activated for the scan. You can solve this problem as follows:
Please run Spybot – Search & Destroy and switch to Advanced mode via the menu bar item Mode, then select Settings → File Sets in the left bar. There, please right-click somewhere into the list and choose Select all available checks.
Internet Explorer tells you to contact your administrator when you try to access the IE settings?
This can happen if you use Spybot-S&D in advanced mode and you have used the Immunize feature without reading all the text.
Please start Spybot-S&D again in advanced mode (usually from the Start menu group Spybot – Search & Destroy, unless you have already changed the desktop icon to advanced mode).
Select Tools in the left bar, then IE tweaks.
There you will see a group Recommended miscellaneous locks. Untick the checkboxes in front of both Lock IE… options.
You may need to close all Explorer windows, and maybe even restart Windows, before these changes take effect.
Hint: this lock function has been added mostly for multi-user environments in which you would not want other users of your computer to change your IE settings. If you are the only user of your computer, there is no real need to enable them.
Scanning network shares sounds like a good idea at first – the scanner needs to be installed only on a single machine and one person can do the scan. For simply removing installers, this is not a bad idea at all, so Spybot-S&D allows you to add network shares as well in its Download directories setting.
But scanning for and removing files on other computers can be dangerous as well. Most threats are not only files, but also linked by registry entries – removing just the files would cause the ‘cleaned’ Windows to produce a lot of errors. But while those messages may be harmless (and remote registry cleaning could at least be added for NT/2000/XP/Vista), there is an even worse case – some threats need to be removed by using API calls. Removing LSP hijackers by just deleting their file will disable the network access of the cleaned machine, and repairing LSPs by fixing the registry is not fail-safe either.
That is why an anti-spyware tool needs to be run on each machine. We are developing a client/server scanning system that will work in network environments.
How can I disable the notifications popping up when a download was blocked (e.g. Avenue A, Inc., DoubleClick)?
This message is created by the bad download blocker for IE, a tool of Spybot-S&D. Since version 1.5 the feature of the silent bad download blocker is in a different place than in older versions.
Please open the Tools menu in your Internet Explorer and choose Spybot-S&D – Configuration. There you will find a drop-down menu where you should select Block all bad pages silently. With that option set, the notifications will no longer come up, but you will still have the protection.
CDilla and SideStep are listed in the ignore products by default. Please see the topic Why are CDilla & SideStep checked in Ignore Products? in our forum.
Please disable all other security programs that you run and close all other programs while working with Spybot – Search & Destroy.
Also run a scan in safe mode:
That should fix it.
It should also help to deactivate the scanning for usage tracks and Cookies.
Please run Spybot-S&D and switch to “Advanced mode” via the menu bar item “Mode”. Now select “Settings” → “File Sets” in the navigation bar on the left. The checkboxes in front of “Usage tracking, Beta.uti, NewTracks.uti and Tracks.uti” have to be unticked if you do not want to find usage tracks anymore. To exclude Cookies from the search, deactivate the checkbox in front of Cookies.sbi.
If this does not help, please delete the contents of your Windows temp folder and try it again. Also, you might want to disable the Create system restore point when fixing spyware/usage tracks option on the settings page.
You may be running more than one security program, and they interfere with each other. The resident protection of Spybot – Search & Destroy monitors the processes the whole time, so that nothing bad gets on your system – that can slow down your PC a little bit. If you do not want to have this feature, you only need to disable the resident protection.
Please run Spybot-S&D and select “Spybot-S&D” → “Immunize” in the navigation bar on the left. Please hit “Undo”. Then open Spybot – Search & Destroy in the Advanced mode via the menu item Mode. Now select “Tools” → “Resident” from the navigation bar on the left. Please untick the checkboxes in front of the two tools.
You may have automated your Spybot.
Open Spybot in the advanced mode via the menu item Mode, then go to “Tools” → “System Startup”.
Then mark the following entry and remove it: “C:\Program Files\Spybot – Search & Destroy\SpybotSD.exe” /autocheck
If this does not help, the cause may be the message shown during the scan: “It is recommended that you reboot and scan again to find items that may be uncovered only after a reboot.”
If you need to, you can download the latest version of Spybot S&D from our website and also download a new advcheck.dll file.
Move those two files, SpybotSD.exe and advcheck.dll, to your program installation folder, and confirm replacing the old ones.
1. Please try to rename SpybotSD.exe to iexplore.exe or firefox.exe and try to run it.
Using Windows Explorer navigate to:
C:\Program Files\Spybot – Search & Destroy
In the Tools menu select Folder Options
In the Folder Options dialog select the View tab.
Uncheck the following option:
Hide protected operating system files (Recommended)
Click the Apply button.
Click the OK button.
The SpybotSD.exe should be visible now.
Right-click the file and choose Rename.
Give it a different name like iexplore.exe or firefox.exe and try again to run it.
2. If this does not help, you might be infected with a rootkit. We need some logs now to locate the infection, which is mostly hidden deep in your system. Please download our free RunAlyzer from our website.
Now, run the RunAlyzer and choose “Logs” from the menu bar above. Now create a “SBSD log” and a “hjt log” and choose “Save”. You can save the files to your desktop. Please attach these files to your e-mail.
3. Please download our RootAlyzer. Here is the direct download link: http://www.spybotupdates.biz/files/rootalyz-0.3.4.47.zip
Please set your computer to show all files.
Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear “Hide file extensions for known file types.”
Under the “Hidden files” folder, select “Show hidden files and folders.”
Clear “Hide protected operating system files.”
Click Apply, and then click OK.
Please select the tab ‘deep scan’ and let it fully scan your PC. The scan will take a moment, please be patient. After the scan is done, please click on ‘pack suspicious files’, which is located right at the bottom. This will create a .cab file on your desktop which contains the log and the suspicious files the scan has found. Please attach this .cab file to your next mail.
4. Please also download GMER: www.gmer.net and let it do a full scan on your PC. Afterwards you will be able to save the log created during the scan. Please also send us this log.
5. Please also try this tool: RootRepeal
Here is also the direct download link: http://ad13.geekstogo.com/RootRepeal.zip
Unzip the file to the folder
Select “Report” tab
Click “Scan” button
Select following scan options: Drivers, Files, Processes, Stealth Objects, Hidden Services
Click “OK” button
Select your hard drive with the installed operating System and click “OK” button
Save Report via Clipboard or click “Save Report Button” to save a text file
Please send the report files to our detections department. You will find the address on our website.