Monday 26 February 2007

Surreptitious Software Install - SpyDawn

A client called complaining about some sort of spyware warning he was getting:

As you can see, Windows Defender is down and nothing is picked up as being out of the ordinary by Norton either.

Double click on the Windows Defender icon, and this is what happens when we click, "Remove All":

Heh, after a reboot the Malware was still there blinking away, and directing one to their, "Buy our Software" site when the blinker is clicked on.

So, onto the next step: Find out if there are others who have killed it.

It took some weeding to find a site that actually has info on it.

I came up with the instructions and a link to a utiltiy to kill it at

Essentially one needs to do this:
  • Download the Removal Tool to the desktop.
  • Reboot into Safe Mode (F8)
  • Logon using the infected user profile
  • Run the tool from the desktop

  • Run option 2: Clean
  • Answer YES to the registry clean option
  • Disk Cleanup may or may not run
  • Once finished, do not reboot yet
  • Disable the System Restore to clean out any possiblity of re-infection
  • Run Disk Cleanup: Start-->Run-->CleanMgr [Enter]
  • Choose all drives if necessary and let the utility run
  • Go back to the SpyDawn Cleaning Utility and hit the space bar to reboot
  • Enable the System Restore once into the user's profile

The system should be Malware clear after this.

Now, one must ask the question, "Is the system safe to leave the shop at this point?"

Based on the research that I have done on this particular Malware threat, it is reasonable to say yes. Has the software's writers implemented some sort of Trojan? There is no 100% guarantee that they haven't. So, the client must be made aware of this.

Now, onto the logic behind this particular scenario:

Someone browses to a Web site and picks this software up without their knowledge.

The situation BEGS the following questions:

  • When the person goes to the SpyDawn Web site, purchases their "Product", downloads it, and installs it, are they truly protected from threats?
  • Given, in my opinion, the below the boards method for delivering the product "advertizement" in the first place, and the subsequent trap into purchasing the "product" ... how can we expect that installed product to behave above board?

What else can be said?

A legitimate software product, or method of advertizing, gives the end user the option to install the product or respond to the ad.

In all cases of software installed on a user's system, an option should be there to totally remove the software product from their system. The user should not have to pay a professional to do it for them!

UPDATE: Okay, so I misspelled Surreptitious in the title on my original post! It has been one of those days! :D

Philip Elder
Microsoft Small Business Specialists


Anonymous said...

Great info! You can also find removal instructions here:

Philip Elder Cluster MVP said...

Thank you for your comment.

I checked out the instructions, and they are not really complete for those who would prefer to do it themselves.

Also, the "tool" is over 3.2MB for this one task? I must admit that I am a little more than hesitant to download and use it.

The instructions themselves suggest the tool versus anthing else.

The download is 720KB, and is purposed just for this task. IT WORKS.

Why would we do anything else?

And one last point: the 411 site didn't show up in my search results.

I guess I am just a little more than skeptical.

Philip E.

Anonymous said...

Be sure to test out the manual removal instructions on

It provides a more complete summary.

Philip Elder Cluster MVP said...


Thanks ... but no thanks.

Remember folks ... there are a lot of sites out there claiming to have spyware/malware removal tools etc.

Be very wary.

Again, the tool is too large, and the instructions are convoluted ... always pointing back to the tool to download.

Nope, not this guy ... and I would recommend anyone else against it.

Philip E.