SpywareBot



Will358
2008-11-02, 22:39
Hi,
Some time in the past I think I downloaded SpywareBot (stupid me!). As soon as I realised my error I removed it. I thought that was it. I've just changed AV to Avira free. It came up with a number of files it could not scan. When I checked the report they were listed as SpywareBot 1,2,3 etc. I googled this and discovered that SpywareBot contained trojans (saw this also on another post here). I did a Windows file search for them and then right clicked on them to look at properties. The results claimed that they were Spybot S&D. Is this correct, or are they really part of SpywareBot?

If they are legitimate Spybot S&D, why the confusing information on properties?
If they aren't, could you advise how to remove them?
Thanks,
Will

drragostea
2008-11-03, 02:18
Will, be warned that this "SpywareBot" is a cheap, ripoff version of the genuine Spybot-Search&Destroy. The one that has installed on your machine is a FAKE, rogue.
http://forums.spybot.info/showpost.php?p=235374&postcount=3
-
Malware Writers are making up this crappy bull, so unaware people will unknowingly install it, thinking that it is the legitimate Spybot, then coming to the forums for help -_-.

Do you have Spybot-Search&Destroy installed on your computer?
Please download the latest version of Spybot-SD from SaferNetworking Servers and eradicate this rogue threat:
http://www.safer-networking.org/en/mirrors/index.html
-

Will358
2008-11-04, 00:01
Hi, Yes I do have Spybot S&D installed and regularly use it/update it. It does not detect or remove these files, but maybe this is because they are legitimately connected with it (please see earlier post)? This is really what I wanted to know, because when Avira detects them it shows as SpywareBot. The Windows search facility also refers to the files by the name SpywareBot, yet when I right click on them to view 'properties' they show Spybot S&D. I am trying to find out what these files are. Is the description in 'properties' false, i.e. are they nothing to do with Spybot S&D? If so, as Spybot S&D does not detect or remove them, have you any advice as to how to do so safely?

Sorry if I wasn't clear enough in my first post.
Will

drragostea
2008-11-04, 00:52
The Properties of the "SpywareBot" files are falsely posing as the legitimate Spybot-Search&Destroy. In other words, they are not claiming to be something they're not.

"It does not detect or remove these files, but maybe this is because they are legitimately connected with it (please see earlier post)?"
Wrong! (Exclamation for emphasis :santa:) Problem is that either the malicious files are in use or locked, thus Spybot cannot remove them directly.

Avira AntiVir is a good AV, because it also detects malware along with viruses. However, my question is: does it remove SpywareBot successfully?

In addition, have Spybot-Search&Destroy run in 'Safe Mode' and remove Spywarebot from there.

If not, you'll have to start your thread in the Malware Removal Forums.

Please report back on how it goes and your decision.

md usa spybot fan
2008-11-04, 13:58
Will358:

Please indicate the location (path) and names of the files that are not being scanned.

Will358
2008-11-12, 00:59
Hi,
Tried to cut and paste the AV scan report for you, but each time I tried it said I wasn't authorised and took me to the login screen. This time I saved the report to a file in mydocs and tried to upload it with this submission. It didn't work, but provided me with a link to contact the administrator, which I have now done. Will
I have copied and pasted the relevant excerpts. I hope these provide the answer.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\
Immunization.ini
ProcCache.sbc
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\
AdwareAlert.zip
[0] Archive type: ZIP
--> sbRecovery.reg
[WARNING] The archive is encrypted
SpywareBOT.zip
[0] Archive type: ZIP
--> SpywareBot.url
[WARNING] The archive is encrypted
SpywareBot1.zip
[0] Archive type: ZIP
--> unins000.exe
[WARNING] The archive is encrypted
SpywareBot10.zip
[0] Archive type: ZIP
--> sbRecovery.reg
[WARNING] The archive is encrypted
SpywareBot11.zip
[0] Archive type: ZIP
--> sbRecovery.reg
[WARNING] The archive is encrypted
SpywareBot12.zip
[0] Archive type: ZIP
--> sbRecovery.reg
[WARNING] The archive is encrypted
SpywareBOT13.zip
[0] Archive type: ZIP
--> sbRecovery.reg
[WARNING] The archive is encrypted
SpywareBOT14.zip
[0] Archive type: ZIP
--> sbRecovery.reg
[WARNING] The archive is encrypted
SpywareBot2.zip
[0] Archive type: ZIP
--> Scheduler.exe
[WARNING] The archive is encrypted
SpywareBot3.zip
[0] Archive type: ZIP
--> Launcher.exe
[WARNING] The archive is encrypted
SpywareBOT4.zip
[0] Archive type: ZIP
--> CustomScan.stg
[WARNING] The archive is encrypted
SpywareBOT5.zip
[0] Archive type: ZIP
--> sbRecovery.ini
[WARNING] The archive is encrypted
SpywareBOT6.zip
[0] Archive type: ZIP
--> sbRecovery.ini
[WARNING] The archive is encrypted
SpywareBOT7.zip
[0] Archive type: ZIP
--> log_2007_01_30_22_53_25.log
[WARNING] The archive is encrypted
SpywareBOT8.zip
[0] Archive type: ZIP
--> DataBase.ref
[WARNING] The archive is encrypted
SpywareBOT9.zip
[0] Archive type: ZIP
--> SpywareBot on the Web.lnk
[WARNING] The archive is encrypted

Will358
2008-11-12, 01:05
Hi.
Avira finds the spywarebot files, but does not offer the means to try and remove them. Please see my other post. Thanks, Will

Greyfox
2008-11-12, 01:42
Will358

Each time Spybot removes/fixes items it puts them in a recovery file which is a compressed zip file. These zip files are encrypted/passworded so they are not able to be accessed by other programs as protection, and that is what your scan has told you, it can't access them, which is as it should be.

As you already know, in your case these are stored in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery folder.

At any time you wish you can clean these out. Open Spybot and click on the Recovery icon. Items which have been "fixed/removed" are shown with checkboxes next to them. Tick those you want to purge (remove completely) and click on the "Purge Selected items". Be careful not to click on recover selected items, or it will put them back into your system.

The above acts like a quarantine. When "fixed" the items are placed in the encrypted zip files where they can't do any harm, and can be left there. If you find that has crippled something on your PC, or that they were removed as the result of a false positive, then they can be recovered, otherwise from time to time they can be purged or cleaned out.

Hope this helps
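An added illustration of the point above (not part of the thread, and not Spybot's or Avira's code): in a password-protected ZIP the member names sit in unencrypted headers while the data needs a password, which is consistent with the report listing names such as sbRecovery.reg under "[WARNING] The archive is encrypted". The sample archive is constructed in memory and only its encryption flag is set by hand; `build_sample` and `triage` are hypothetical helper names.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP "general purpose bit flag"

def build_sample(member_name, encrypted=True, payload=b"constructed sample data"):
    """Build a constructed one-member ZIP in memory.

    With encrypted=True only the header flag is set (the payload is not really
    encrypted); that is enough to reproduce what a scanner reads in the headers.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flags live at offset 6 of the local file header (PK\x03\x04)
        # and at offset 8 of the central directory header (PK\x01\x02).
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            (flags,) = struct.unpack_from("<H", raw, pos + off)
            struct.pack_into("<H", raw, pos + off, flags | ENCRYPTED_FLAG)
    return bytes(raw)

def triage(data):
    """Return (member name, encrypted?, readable without password?) per member."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # names come from the unencrypted directory
            encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
            try:
                zf.read(info)  # a content scanner has to get this far
                readable = True
            except RuntimeError:  # zipfile: password required for extraction
                readable = False
            rows.append((info.filename, encrypted, readable))
    return rows

if __name__ == "__main__":
    for name, enc, ok in triage(build_sample("sbRecovery.reg")):
        print(f"{name}: encrypted={enc}, contents readable={ok}")
```
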

Will358
2008-11-13, 02:01
Hi, Thanks for that. Could you possibly tell me why Avira reports them under the name of SpywareBot (the name of a well known adversary!)? Is this a question I should address to Avira? Thanks, Will

drragostea
2008-11-13, 04:43
"Could you possibly tell me why Avira reports them under the name of SpywareBot (the name of a well known adversary!)"
Er, well the malware is literally named "SpywareBot".

Will358
2008-11-15, 17:59
Sorry! Guess I misunderstood previous post. Have I understood this time? You're saying that Spybot S&D has dealt with the SpywareBot and that the files are named thus because that's what they contain (in quarantine) and that it's safe for me to remove them using the method described? Sorry again if I'm displaying ignorance, but I am a bit of a PC novice, as I'm sure my postings show! Will

drragostea
2008-11-15, 19:23
SpywareBot is a rogue, Will. I'm assuming that Spybot has purged this threat, right? Does Avira still find it?

Just a quick question about the detections from Avira AntiVir. Where does your AV find Spywarebot? In Spybot's Quarantine/Recovery?

"Each time Spybot removes/fixes items it puts them in a recovery file which is a compressed zip file. These zip files are encrypted/passworded so they are not able to be accessed by other programs as protection, and that is what your scan has told you, it can't access them, which is as it should be."
The point of the Recovery portion of Spybot is that if the User has accidentally removed something that was important (maybe a false positive), they can undo it. Say like now, if SpywareBot is in Quarantine, it cannot do any further damage to your machine. So it's like being in jail.

You are not displaying ignorance or any of that kind. We're here to help and I'm learning too just like everyone else. :santa:

Greyfox
2008-11-15, 23:08
".... and that it's safe for me to remove them using the method described?..."

Simple answer is Yes - use the purge option described in my previous post