Resident SDHelper is a second layer of protection for Internet Explorer. The immunize function blocks installers by their ActiveX ID, whereas SDHelper blocks badware that tries to enter using a different method. Thus Internet Explorer cannot download bad files. You start SDHelper by clicking on Tools → Resident on the left navigation bar (therefore Spybot-S&D has to run in Advanced Mode). There you can tick the checkboxes next to Resident “SDHelper” (Internet Explorer bad download blocker) active in order to activate SDHelper.
In order to revert to a registry backup, run Windows in Safe Mode.
Be sure that hidden files are shown.
Now execute the two files (or maybe it is just one of them) regusers.reg and reglocal.reg in the following folder:
Windows 95 or 98: C:\Windows\Application Data\Spybot - Search & Destroy\Backups\
Windows ME: C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Backups\
Windows NT, 2000 or XP: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\
Windows Vista: C:\ProgramData\Spybot - Search & Destroy\Backups\
Answer Yes when prompted to add its contents to the Registry. Then reboot.
There are two options to download Spybot-S&D:
You choose a download location on our website. The displayed mirrors are partners who provide places to host Spybot-S&D for us. You can download from them; it is secure and they all contain the same data.
You choose the direct installation file.
Please search for new updates after installing Spybot-S&D.
Please make sure you have all updates installed.
Restore the files you deleted with Spybot – Search & Destroy: Run Spybot-S&D, select Spybot-S&D → Recovery from the left bar and restore all the files and entries which are in association with the item that should be restored.
After following these steps please try again. Be sure that all the Explorer windows are closed. You might have to restart your computer for the changes to take effect.
Click the Tools section
Select the System startup tool
Click your right mouse button somewhere on the list
Choose Export… from the context menu that will appear. A dialog will pop up where you can select the name of the text file you want to save the report to.
The option to change languages in Spybot 1.6 is on the third menu.
For instructions to change the language in Spybot 2, please see here.
Spybot-S&D will uninstall from the Windows Add/Remove Software control panel without problems.
If you want to completely get rid of Spybot-S&D and the Add/Remove does not help, you can delete the installation folder (usually C:\Program Files\Spybot - Search & Destroy\).
If you just want to upgrade to a newer version, please follow the same instructions as above and then install the new version.
After following these instructions please restart your system so that the changes can take place.
Also, neither the automated uninstall nor the manual uninstall as described above will remove the following directories, which you will have to remove by hand:
Windows 95 or 98: C:\Windows\Application Data\Spybot - Search & Destroy\
Windows ME: C:\Windows\All Users\Application Data\Spybot - Search & Destroy\
Windows NT, 2000 or XP: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\
Windows Vista: C:\ProgramData\Spybot - Search & Destroy\
(Please note that the Application Data Folder is hidden. So if you cannot find this folder please check your folder properties.)
Explanation: this folder contains the backup (the quarantined files) that Spybot-S&D creates. If the uninstall removed this folder as well, those backups would be gone. We have seen a few times that new users uninstalled Spybot-S&D in panic after they had experienced a small problem, thus removing the backup that would have undone any changes.
As you may have read, we are working full-time on this free project, but we have got to pay hosting bills and develop software. So we would be glad if you could donate a small amount to our cause. Thank you 🙂
If you have a fresh installation of Spybot-S&D, you may not see functions like the Tools or Settings section.
Spybot-S&D has two different modes. From the menu bar item Mode you can choose between Default Mode with the basic functions and Advanced Mode where you will find the Tools and the Settings section.
Some of you may have noticed a new file blindman.exe inside the Spybot-S&D folder, and have asked yourself what it is for. In short: it does nothing.
I guess an explanation is needed why a file that does exactly nothing comes with Spybot-S&D. Spybot-S&D offers a tool to control the System startup in its Tools section. This includes the ability to disable or enable startup entries from the Autostart group (found in your Start menu under Programs). This group contains links to the actual files. Windows stores those links as files with the extension .lnk. When Windows encounters a *.lnk file in that folder upon startup, it will start the linked application. Now the easiest way to disable those entries is to change the extension. The System startup tool of Spybot-S&D simply changes the extension .lnk to .disabled. This easily prevents the linked application from being started. But as Windows does not know this extension, this could slow the startup down. So Spybot-S&D links that extension to blindman.exe. Windows now tries to run the .disabled file with blindman.exe, and as blindman.exe does exactly nothing, there is no slow-down in booting.
Some people have suspected it could even be spyware itself. For those I will print the Delphi source code (blindman.dpr) here (the included resource file is blindman.res and contains just the icon):
Anyone who knows even a little programming should see that this program is totally harmless (actually, the version shipped since Spybot-S&D 1.5 is a bit larger than the above, because one of Microsoft's certification requirements is that every executable file needs to call GetVersionEx at least once, and needs to crash on inserted code injections, even if just a 1 millisecond empty dummy).
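The renaming scheme described above, as an added Python example (not Spybot-S&D's code and not the blindman.dpr source): it lists which links in a startup folder are active or disabled and toggles one by renaming it. The function names and the constructed folder contents are assumptions for illustration.

```python
import os
import tempfile

ACTIVE, DISABLED = ".lnk", ".disabled"

def audit_startup(folder):
    """Map each startup entry's base name to 'active' or 'disabled'."""
    states = {}
    for name in sorted(os.listdir(folder)):
        base, ext = os.path.splitext(name)
        ext = ext.lower()
        if ext == ACTIVE:
            states[base] = "active"
        elif ext == DISABLED:
            # If a .lnk with the same name also exists, Windows still runs it.
            states.setdefault(base, "disabled")
    return states

def set_enabled(folder, base, enabled):
    """Rename base.lnk <-> base.disabled and return the new file name."""
    src_ext, dst_ext = (DISABLED, ACTIVE) if enabled else (ACTIVE, DISABLED)
    src = os.path.join(folder, base + src_ext)
    dst = os.path.join(folder, base + dst_ext)
    if not os.path.exists(src):
        raise FileNotFoundError(src)
    if os.path.exists(dst):
        # Never overwrite: both states on disk means someone re-created the link.
        raise FileExistsError(dst)
    os.rename(src, dst)
    return os.path.basename(dst)

def demo():
    """Run on a constructed folder instead of the real Autostart group."""
    with tempfile.TemporaryDirectory() as folder:
        for name in ("Updater.lnk", "Toolbar.lnk", "Notes.txt"):
            open(os.path.join(folder, name), "w").close()
        set_enabled(folder, "Toolbar", enabled=False)
        return audit_startup(folder)

if __name__ == "__main__":
    print(demo())
```

Entries reported as disabled are still on disk, so a review of autostart items should cover them as well as the active links.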
Before you read this FAQ or other support documents, we would recommend that you use the updater and see if you have the most current updates for Spybot-S&D (we removed some FAQ entries for older versions to keep this FAQ up to date and clearly arranged).
If you already have the recent updates, we hope to be able to help you either here, on the support forum or by email.
Yes, if you have Windows 2000, XP, 2003 or Vista, Spybot-S&D does allow you to scan inactive Windows versions as well, including the registry of other installations!
To scan your system including installations on other partitions, right-click the link/icon you use to start Spybot-S&D, click on Properties, then on the tab shortcut and insert /allhives (separated by a space from the rest) in the box target. If you start Spybot-S&D through this link, it will automatically detect other installations, and scan their registries and files as well. From now on, that will happen every scan, so please delete the command /allhives if you do not want to scan several hives any longer.
On Windows Vista and Windows 7, Spybot-S&D might tell you that you are not authorized to perform some actions, since they require Administrator rights. You can solve this problem as follows:
- Launch Spybot as an Administrator.
- You can do this by right-clicking the Spybot icon and choosing the option to “run as administrator”. This must be done to give Spybot the permissions it needs to function correctly.
Spybot-S&D does support many common browsers.
As for resident protection, Spybot-S&D contains the Resident ‘TeaTimer’ which is completely browser independent. It is a Spybot-S&D tool perpetually monitoring the processes called/initiated. In addition, TeaTimer detects changes to some critical registry values.
Spybot-S&D supports detection in cookies, history, start & search pages and bookmarks of these browsers (plus cache for Internet Explorer and Opera):
Firefox pre-0.9, 0.9, 1.x, 2.0, 3.x and old Firebird variants
Microsoft Internet Explorer 5.0, 5.5, 6.0, 7.0, 8.0
Netscape Communicator 4.x, 6, 7
Opera 4.x, 5.x, 6.x, 7.x, 8.x, 9.x
Seamonkey 1.0.x, 1.1.x
Thunderbird 1.x, 2.x (where applicable)
Using more than one anti-spyware program with a resident protection tool might cause conflicts. However, Spybot – Search & Destroy’s Resident protection is designed such that there should not be any compatibility issues.
In rare cases a problem could appear because another security program detects our ‘TeaTimer’ and flags it as bad. This could be because TeaTimer is able to change registry settings, as it is a realtime protection tool (for more information about Resident TeaTimer see this FAQ entry).
Another issue could be that the Keylogger detection files Keyloggers.sbi and Keyloggers.*.nfo of Spybot-S&D are detected as an Activity Monitor Keylogger. These detected keyloggers are just the Spybot-S&D detection rules, which obviously need to contain the names of the threats. Please ignore these false positives. There is a related article on our website.
For more information there is a compatibility overview, listing some software for which there have been questions on compatibility.
Items that have been removed and are now stored in the recovery area as zip files might be detected and flagged as bad. The zip files are needed for recovery in case something does not work after fixing a problem with Spybot-S&D.
From version 1.2, Spybot-S&D has had a feature to allow you to immunize your computer against certain pieces of spyware. It also allows you to use native browser settings to block cookies, malware installations, bad websites and other threats.
SDHelper is an Internet Explorer plugin that adds a second layer for blocking threats.
For more information please check the TeaTimer FAQ entry.
Here is a list of command line parameters that the Spybot-S&D main executable (SpybotSD.exe) supports:
Runs Spybot-S&D completely hidden (no window, no taskbar icon), so make absolutely sure you use it only in combination with /autoclose (otherwise it would remain in memory sitting idle). Useful only in combination with /autocheck, /autoupdate or /autoimmunize, as it cannot be controlled when completely invisible.
Starts the window minimized.
Uninstalls Spybot-S&D. This command line parameter is very outdated – unins000.exe should be used instead!
Starts with support for blind users (special menus).
Scans all Windows installations on your system, even inactive ones (for an alternative solution see this FAQ entry).
Does an update after starting the program.
Starts scanning immediately.
Fixes problems after scan.
Closes program after it has scanned or updated.
Runs the immunization at program start.
Fixes only spyware (red) entries with /autofix, leaving all usage tracks as they are.
Starts with easier interface for beginners.
Updates the English.sbl language file with the newest texts; useful only for translators.
And here is a list of command line parameters that the Spybot-S&D installer (spybotsd16.exe) supports:
Will skip the first page of the installation wizard (Do you wish to continue? …)
Will display the progress during installation, but not the wizard.
Even the progress will not be shown. Errors etc. would still be shown.
Will use standard actions for message boxes (no overwriting of files, cancelling where the alternative would be retrying…)
/log (or /log="filename")
Creates a log file in the temp folder that contains detailed information about actions taking place during the installation.
Disables the Cancel and Close button. Useful with /silent.
Suppress reboots even if they were necessary at the end of the installation.
If a restart is needed, the setup would return the specified exit code.
/loadinf="filename" (and /saveinf="filename")
Can be used to use a saved setup configuration (or save one).
Overrides the language dialog with a predefined language. Use ISO two-letter language codes here.
Installs into that directory instead of the default one.
Installs into a program group of that name instead of the default one.
Avoids creation of any icons for the installed software.
Starts installation with a given type. Supported types are
/components="comma separated list of component names"
Installs the given components instead of the default ones. Supported components are:
- blind (icons for blind users)
- language (all language files)
- updatedl (for downloading updates as part of the installation)
- updatew95 (to download prerequisites on Windows 95)
- SDWinSec (to install the Security Center integration on Vista)
- SDShredder (to install the stand-alone shredder)
- SDDelFile (to install the file removal helper).
/tasks="comma separated list of tasks"
Specifies a list of tasks that should be executed. Tasks currently supported are:
/mergetasks="comma separated list of tasks"
Same as /tasks, just with the exception that standard tasks are not disabled by default.
Note: Please be aware that the Spybot-S&D path has to be in quotation marks and multiple parameters have to be separated by a space.
Example: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /taskbarhide /autoclose /autocheck /autofix /onlyspyware
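A check for unattended command lines built from the rules stated in this FAQ, as an added Python example that is not part of Spybot-S&D. It assumes /taskbarhide is the parameter described above as running completely hidden; the function names and the sample command lines are constructed.

```python
import re

HIDDEN = "/taskbarhide"  # assumption: the "completely hidden" parameter
AUTO_ACTIONS = {"/autocheck", "/autoupdate", "/autoimmunize"}
CURLY = "[\u201c\u201d]"  # typographic quotes picked up when copying from a web page

def split_command(cmdline):
    """Split 'path /param /param' into (path, params, path_was_quoted)."""
    m = re.match(r'\s*"([^"]+)"\s*(.*)$', cmdline)
    if m:
        return m.group(1), m.group(2).lower().split(), True
    # Unquoted: treat everything before the first " /" as the path.
    exe, sep, rest = cmdline.strip().partition(" /")
    return exe, (sep.strip() + rest).lower().split(), False

def lint(cmdline):
    """Return a list of findings for a SpybotSD.exe command line."""
    findings = []
    if re.search(CURLY, cmdline):
        findings.append('typographic quotes: retype them as plain "')
        cmdline = re.sub(CURLY, '"', cmdline)
    exe, params, quoted = split_command(cmdline)
    present = set(params)
    if " " in exe and not quoted:
        findings.append("path contains spaces but is not quoted")
    if any(p.count("/") > 1 for p in params):
        findings.append("parameters must be separated by a space")
    if HIDDEN in present:
        if "/autoclose" not in present:
            findings.append("hidden run without /autoclose stays idle in memory")
        if not present & AUTO_ACTIONS:
            findings.append("hidden run has no automatic action")
    if "/onlyspyware" in present and "/autofix" not in present:
        findings.append("/onlyspyware qualifies /autofix, which is missing")
    return findings

# Constructed sample command lines (not taken from any real system).
EXE = r"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
SAMPLES = {
    "ok": f'"{EXE}" /taskbarhide /autoclose /autocheck /autofix /onlyspyware',
    "stuck": f'"{EXE}" /taskbarhide /autocheck',
    "unquoted": f"{EXE} /autoupdate /autoclose",
    "pasted": f"\u201c{EXE}\u201d /autocheck /onlyspyware",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, lint(cmd))
```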
A rootkit is a type of malware that can hide the existence of certain processes or programs.
These processes or programs can evade normal methods of detection. If your computer is infected with a rootkit it will reload itself each time your computer is restarted.
If an attacker can gain root or Administrator access they can install a rootkit. This can be done by exploiting a known vulnerability, acquiring a password or by social engineering. Emails with attachments are one of the most common attacks. A seemingly innocent attachment can carry a dangerous payload. Once the malware is installed it becomes possible to hide the intrusion as well as to maintain privileged access. Most rootkits disable software that might otherwise be used to detect or circumvent them.
A ‘clean boot’ and scan or re-installation of the operating system may sometimes be the only available solution to this type of infection.
The Spybot S&D liveCD can often fix this type of problem as it will allow you to do a clean boot of Windows. Doing a clean boot using Linux and running a scan is not as effective as it will not scan all the registry hives.