


PepiMK
2008-11-08, 17:53
The following instructions have been created to help you to get rid of "SpyDawn" manually.
If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Categories:

malware


Description:
The official demo version appears to install normally, but reports a large number of false positives, most likely intentionally, to pressure the user into buying the full version. SpyDawn is closely related to SpywareQuake.
Important: There are more start menu items that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.


Entries named "SpyDawn" and pointing to "<$PROGRAMFILES>\<$REGMATCH0>\Spy*Dawn*.exe*".
Entries named "SpyDawn" and pointing to "<$PROGRAMFILES>\<$REGMATCH0>\*.exe".



Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.


Products with a key that includes "SpyDawn" in its name or properties.



Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.


The file at "<$PROGRAMFILES>\<$REGMATCH0>\blacklist.txt".
The file at "<$PROGRAMFILES>\<$REGMATCH0>\sd.dat".
The file at "<$PROGRAMFILES>\<$REGMATCH0>\uninst.exe".
The file at "<$PROGRAMFILES>\<$REGMATCH0>\Lang\English.ini".
The file at "<$SYSDIR>\geplxss.dll".
A file with an unknown location named "sd_setup.exe".


Make sure you set your file manager to display hidden and system files. If SpyDawn uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
For files whose location is not specified, you will have to search the whole system. Be extra careful, because the name alone might not be enough to identify a file!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.


The directory at "<$PROGRAMFILES>\<$REGMATCH0>".
The directory at "<$PROGRAMS>\<$REGMATCH0>".
The directory at "<$PROGRAMFILES>\<$REGMATCH0>\Lang".
The directory at "<$PROGRAMFILES>\<$REGMATCH0>\Logs".
The directory at "<$PROGRAMFILES>\<$REGMATCH0>\Quarantine".
The directory at "<$PROGRAMFILES>\SpyDawn".
The directory at "<$PROGRAMS>\SpyDawn".


Make sure you set your file manager to display hidden and system files. If SpyDawn uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
For folders whose location is not specified, you will have to search the whole system. Be extra careful, because the name alone might not be enough to identify a folder!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.


Delete the registry key "{AED6F6A3-183C-488D-9F90-23DB99F56E7F}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{C1DF2728-8510-0773-96D8-5D0C1F27821B}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{A6ACAE64-F798-4930-AD86-BD3FB32038DB}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".


If SpyDawn uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).

There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.


If you have any further questions, please ask in our forum (http://forums.spybot.info/).

There are more files or system entries belonging to this product that Spybot-S&D can remove, but that cannot be easily described in text. Please use Spybot-S&D to make sure SpyDawn gets completely removed.
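The following PowerShell script is an added example and is not part of the forum post or of any Safer Networking tool. It walks the autorun, installed-software, file, folder and registry indicators listed above in read-only mode and prints what it finds, so the manual steps can be checked before and after cleanup without deleting anything. The mapping of the post's placeholders is an assumption: <$PROGRAMFILES> is taken as $env:ProgramFiles, <$SYSDIR> as System32, <$PROGRAMS> as the per-user and common Start Menu\Programs folders, and <$REGMATCH0> as any single subfolder name. Because uninst.exe, blacklist.txt and Lang\English.ini are generic names that legitimate products also use, a Program Files subfolder is only reported when several of the listed items occur together or its name matches Spy*Dawn*.

```powershell
# Added example, not from the original post: read-only audit of the SpyDawn
# indicators given in the removal instructions. Nothing is deleted.
# Placeholder mapping (assumption): <$PROGRAMFILES> -> $env:ProgramFiles,
# <$SYSDIR> -> %windir%\System32, <$PROGRAMS> -> Start Menu\Programs,
# <$REGMATCH0> -> any single subfolder (wildcard *).

$findings = [System.Collections.Generic.List[string]]::new()
$pf     = $env:ProgramFiles
$sysdir = Join-Path $env:windir 'System32'

# --- Autorun: values named "SpyDawn" pointing at an .exe below Program Files.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like '*SpyDawn*' -and "$($p.Value)" -like "$pf\*\*.exe*") {
            $findings.Add("Autorun: $key\$($p.Name) = $($p.Value)")
        }
    }
}

# --- Installed software: uninstall entries with SpyDawn in the key name or DisplayName.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '*SpyDawn*' -or $_.DisplayName -like '*SpyDawn*' } |
    ForEach-Object { $findings.Add("Installed software: $($_.PSPath)") }

# --- Files and folders: score each Program Files subfolder against the listed
# layout. Generic names (uninst.exe, blacklist.txt) alone are not enough, as the
# post itself warns, so require the folder name to match or >= 3 items to co-occur.
$profileItems = @('blacklist.txt', 'sd.dat', 'uninst.exe', 'Lang\English.ini', 'Lang', 'Logs', 'Quarantine')
foreach ($dir in (Get-ChildItem -Path $pf -Directory -Force -ErrorAction SilentlyContinue)) {
    $hits = @($profileItems | Where-Object { Test-Path -LiteralPath (Join-Path $dir.FullName $_) })
    if ($dir.Name -like '*Spy*Dawn*' -or $hits.Count -ge 3) {
        $findings.Add("Folder profile: $($dir.FullName) [$($hits.Count)/$($profileItems.Count): $($hits -join ', ')]")
    }
}

# Single named file in the system directory; -Force also sees hidden/system files.
$dll = Join-Path $sysdir 'geplxss.dll'
if (Get-Item -LiteralPath $dll -Force -ErrorAction SilentlyContinue) { $findings.Add("File: $dll") }

# Installer with unknown location: search the places a download usually lands
# (assumption; a full-disk search is the post's recommendation if nothing turns up).
Get-ChildItem -Path $env:USERPROFILE, $env:TEMP -Recurse -Force -Filter 'sd_setup.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("File: $($_.FullName)") }

# Start menu folders (<$PROGRAMS>\SpyDawn) for the current user and all users.
foreach ($folder in 'Programs', 'CommonPrograms') {
    $smDir = Join-Path ([Environment]::GetFolderPath($folder)) 'SpyDawn'
    if (Test-Path -LiteralPath $smDir) { $findings.Add("Start menu folder: $smDir") }
}

# --- Registry: the two CLSIDs and the Browser Helper Object key from the post.
$regKeys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{AED6F6A3-183C-488D-9F90-23DB99F56E7F}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}'
)
foreach ($rk in $regKeys) {
    if (Test-Path -LiteralPath $rk) { $findings.Add("Registry key: $rk") }
}

# --- Report.
if ($findings.Count -eq 0) {
    Write-Output 'No SpyDawn indicators found (does not rule out rootkit-hidden items).'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from a normal or elevated PowerShell prompt before the manual steps to see what is present, and again afterwards to confirm each item is gone. An empty report is only as reliable as the APIs it uses: if SpyDawn hides files or keys with rootkit techniques, this script will not see them either, which is why the post points to RootAlyzer and the anti-rootkit plugins for that case.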