Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

What is SW.EXE and why will it not halt on shutdown?


  • Please log in to reply

#1
whatssw

whatssw

    New Member

  • Member
  • Pip
  • 1 posts
I have been directed here via the Avira Support Forum and the four + year old link - http://www.geekstogo...end-program-sw/


The question I posted on the Avira forum was:

I am running a system under Windows 2000 SP4 - for historical reasons.

Recently, when shutting down, I have had a message displayed saying that a running program has not stopped and asking if I want it shut down.
The program is named SW.EXE.
It doesn't appear in Task Manager (with processes for ALL users shown).
I can't find any such program anywhere on my system
I can't find any mention of it in the registry.
I have Googled details which only seem usefully to reference "Spyware.SilentSpy". Following the associated instructions, I am pretty sure that this is not the cause of the problem.

Could it have anything to do with ShockWave? Why is it not shown on Task Manager?


Subsequent to this, I have found the key
SW\{B7EAFDC0-A680-11D0-96d8-00AA0051E51D}\{9B365890-165F-11D0-A195-0020AFD156E4} under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kmixer\Enum

Googling kmixer, I am advised that it relates to Windows legacy audio components and as a result, I am reluctant to delete it.

For further information, the motherboard is a MSI MS-6570 with a nForce2 chipset and on-board Realtek ALC650 6-channel audio.


I keep coming back the questions: "What is SW.EXE" & "Why can I find no trace of it anywhere?"


Any help and advice would be greatly appreciated.
  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,029 posts
  • MVP
Probably a keylogger of some kind that is in stealth mode. I found this on it:

http://www.mcafee.co....aspx?id=100906

Been a while since I worked on a Win2K so if something I tell you to do doesn't work let me know and we will think of something else. I'm giving you the short instructions since I have the feeling you know your way around a computer but if something is not clear let me know.

Start off by rebooting into Safe Mode - Command Prompt
(most stealth software doesn't bother to hide from DOS so this might work)
Type with an Enter after each line:
cd  \windows\system32

attrib  -r  -s  -h  sw.exe

del  sw.exe

mkdir  sw.exe

regedit

(I use two SPACES in the code box so you will be sure to see where 1 SPACE goes. I'm not positive you can run regedit from here so if it doesn't work then boot into regular safe mode and try it from there.)

navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and look in the right pane for Scanreg

If you find it delete it.

If it doesn't find the file at C:\windows\system32 then from the Safe Mode Command prompt:
cd  \
dir  /a  /s  sw.exe

This will take about 10 minutes to search your whole drive for sw.exe. If it finds it, then use the first set of commands with the appropriate cd to the directory where it lives.

The mkdir command just puts a directory of the same name where the file was so that it can't come back. Probably not necessary but if it works it definitely proves that the file is not hiding in the directory.

IF the above doesn't work then try GMER. It claims it works on Win2K:

Download GMER from http://www.gmer.net/download.php Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on http://www.bleepingcomputer.com/forums/topic114351.html to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.


Ron
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP