Computer Help forum

General discussion

Silent Spy; sw.exe - I can't get rid of this keylogger

by notaguru / March 27, 2008 11:48 AM PDT

Okay Computer Gurus,

I first noticed a problem yesterday. As the computer was shutting down, the "End Program" window displayed and I saw the letters "sw", so I googled them and found out about "sw.exe" or "Silent Spy." I found out here that I'm supposed to check 4 registry keys. Only 2 of the 4 appear in my registry. The first 2 do NOT appear. The last 2 do, and I was able to remove them, but they keep reappearing every time I turn on the computer, no doubt due to the fact that the first 2 registry keys are nowhere to be found.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:00 AM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\ZyXEL\ZyXEL G-220 v2 Wireless Adapter Utility\ZyXEL G-220 v2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael\My Documents\Programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKUS\S-1-5-21-725345543-1606980848-1957994488-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-725345543-1606980848-1957994488-1004\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit (User '?')
O4 - Global Startup: ZyXEL G-220 v2 Wireless Adapter Utility.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chinese Checkers -
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} ( Configuration Class) -
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - (no file)

End of file - 4905 bytes

reply to: Silent Spy; sw.exe....
by caktus / March 27, 2008 12:22 PM PDT

The following are unnecessary but harmless. Still it would not hurt to remove them.

O3 Toolbar (no name)
{4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

O9 - Extra button: AOL Toolbar -
{4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

The following may relate to malware, perhaps porn related. Then again, it may be useless and unnecessary as it does not seem to point to anything. In either case I would remove it.

O24 - Desktop Component 0: (no name) - (no file)

Check Start > Run > msconfig > Startup tab. Look for and unselect anything that seems related to sw.exe and restart the computer. Also check Start > Control Panel > Add or Remove Programs. Uninstall any programs related to sw.exe and restart the computer. Then check for the Registry entries. If they still exist, again remove them and restart the computer.

If still no luck, post the problem in the Spyware, Virus and Security Forum and link to this thread to show what you have tried so far.
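The triage in the reply above, picking out the entries HijackThis marks "(no file)" (the referenced file was not found on disk) and noticing that several share one CLSID, can be done mechanically. This is an added example, not part of the original post: the sample lines are copied from the log in the first post, and the function names `parse` and `orphans` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O24 - Desktop Component 0: (no name) - (no file)
"""

# Entry lines start with a section code such as R0, O3 or O24, then " - ".
LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse(log):
    """Yield (section, clsid_or_None, target, raw_line) for each entry line."""
    for raw in log.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, the process list, blank lines
        section, rest = m.groups()
        clsid = CLSID_RE.search(rest)
        # The last " - "-separated field is the file the entry points at.
        target = rest.rsplit(" - ", 1)[-1].strip()
        yield section, (clsid.group(0).upper() if clsid else None), target, line


def orphans(log):
    """Group the sections of '(no file)' entries by CLSID (None if no CLSID)."""
    groups = defaultdict(list)
    for section, clsid, target, _ in parse(log):
        # startswith() also accepts a pasted line that lost its closing ")".
        if target.lower().startswith("(no file"):
            groups[clsid].append(section)
    return dict(groups)


if __name__ == "__main__":
    for clsid, sections in orphans(SAMPLE_LOG).items():
        print(clsid or "<no CLSID>", "->", ", ".join(sections))
```

Entries grouped under one CLSID are leftovers of the same component and can be reviewed together; an orphan with no CLSID, like the O24 line, has to be judged on its own.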


by notaguru / March 27, 2008 2:11 PM PDT


I sincerely thank you for looking into my problem. I did all that you suggested yet when I restarted my computer the SW registry keys still appeared. My main concern is that this is a keylogger.

As always I can rid myself of the problem by doing a clean install for my entire computer but I'd rather not go through that hassle if I can avoid it.

RE: reinstall
by caktus / March 27, 2008 4:36 PM PDT
In reply to: Charlie

Definitely a last resort. Hopefully someone over at the Spyware, viruses, & security forum can help you get this worked out without reinstalling.


Tried This Yet?
by Grif Thomas Forum moderator / March 28, 2008 11:46 AM PDT
In reply to: Charlie

Download, install, then update the free spyware removal tool from the link below:

SUPERAntispyware Removal Tool

Once that's done, restart the computer into Safe Mode and run a full system scan using the tool. Delete anything it finds.

How To Start In 'Safe Mode'

Hope this helps.


i ran superantispyware
by notaguru / March 28, 2008 4:56 PM PDT
In reply to: Tried This Yet?


Thanks for responding. I did everything you suggested. Unfortunately, superantispyware didn't even detect the SW keys in the registry.

I, of course, still do not know for certain whether SW is a threat but all of the websites I've visited say it is dangerous and needs to be removed. When I look at the keys in the registry there are log folders.

Any other suggestions?

RE: Unfortunately.....
by caktus / March 29, 2008 4:25 AM PDT
In reply to: i ran superantispyware
The Housecall online tool often removes viruses, spyware, etc. that others won't. Definitely worth a try.

Then Is There A Problem At This Time..
by Grif Thomas Forum moderator / March 29, 2008 5:06 AM PDT
In reply to: i ran superantispyware

Is the "sw.exe" file gone? Have you tried manually searching the registry for the entries?

Most importantly, is the computer functioning normally now?

Hope this helps.


by notaguru / April 5, 2008 1:53 PM PDT

The computer has always functioned normally. I'd just rather not have someone tracking everything I type or do on the computer.

I don't know if you've read my comments in this thread but yes, I have manually searched the registry and there are two keys for SW. Each time I remove them they reappear when I start up, so I need to find whatever registry keys are triggering the production of the keys that I remove. So far I've been unsuccessful in finding them.
