
Swdumon picked up by AdwCleaner, keeps coming back after system reboot


21 replies to this topic

#1 Maximo40000
  • Members
  • 11 posts

Posted 14 March 2017 - 02:17 PM

Dear experts,

I've tried several programs to remove swdumon, but it keeps coming back. I have already asked for help on the support page of another website, but got no answer there since it seems to be managed by one guy. So I recently came across a post on this forum which covers a similar problem.

I have attached the needed log files. The display language on my PC is Dutch, so I've tried my best at translating but skipped most of the application and system errors (Addition.txt). I will, however, translate them if you so desire.

Thanks in advance

Maximo40000

Attached Files





#2 nasdaq
  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 March 2017 - 08:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\igfxcui: igfxdev.dll [X]
IFEO\AcroRd32.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\activate_matlab.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\AdAppMgr.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\deactivate_matlab.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\dropbox.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\dropboxuninstaller.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\privacyiconclient.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> no file
FF Plugin: @microsoft.com/GENUINE -> disabled [no file]
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=3.5.29 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [no file]
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [no file]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [no file]
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [25608 2017-03-14] (SlimWare Utilities, Inc.)
S3 DrvAgent64; \??\C:\Windows\SysWOW64\Drivers\DrvAgent64.SYS [X]
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{0215A4C0-5431-4FD0-9B06-46589B5C4939}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{048ED0E0-12CF-4C0F-9FFA-947C2FBE8C8E}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{071339A1-1946-44B2-B63E-50459B15DB86}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{08A60FF7-BB37-44F4-9759-0ADA6C7B9CC9}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{0B38CACA-3D3C-48EA-BEB5-7D95F4F6EE15}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{0C3393F8-94F5-4B79-8C01-49A2D0CC0FE9}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{0D555CE0-304A-47A6-858B-B145209A3982}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{12545889-6D32-4424-9967-1E1D7BD1F809}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{14679E3B-C952-4998-8E13-4B1286E6DD99}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{1481B385-759A-4B00-9257-E96357563999}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{162EF0A1-5A33-46F2-ACCF-CA388B084A09}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{1D625598-C876-4C51-8EF5-F9D8F96F62AA}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{1D6DFD6A-9E16-435A-9327-6FFEC6BA372F}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{1E5724EA-3423-4BD3-ABD6-46E650D2DC66}\InprocServer32 -> AcETransmit.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{1E8A29BA-827D-4031-A4A3-AE7999B402F6}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{1EA072EE-57FD-495E-889C-8243C3BDBDBC}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{1FD7F53F-7ED5-439C-9A77-A3821CD09E98}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{20E47D5B-529A-45BD-8E77-BF1A3064A008}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{2709544A-5B24-4F9F-A5DA-CEC7297D3A4E}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{2BCA857B-A18B-4AFA-B183-CC0E49C12058}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{2C74F89E-7421-46B4-BA54-F86F1BD9F237}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{2C7D1157-7D50-4A88-9777-5EBBA3189AB8}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{3497C2EC-5684-4B21-AF74-F6760E0221DC}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{38C8B14E-7879-4DA9-8C3F-8CAAC359293A}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{3FCEB42C-9B98-486A-BED7-FD7F3ADB7291}\InprocServer32 -> AcETransmit.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{40770568-0D5E-49D4-BE47-BC47A4F0B0A4}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{44A52280-AE56-490D-890C-89FB7279ED6B}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{46C56738-39C6-4240-8B9B-008CCD769A84}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{47179DDE-10AC-4737-97C9-8CE5379343EA}\InprocServer32 -> AcETransmit.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{475C7B4A-6964-4F9E-9708-05A16EAC31D0}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{48270F9E-CCF6-4C79-B6FF-267C960E6425}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{48FEFCD7-5D7C-4E4A-9F11-60E69A31D4B1}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{49998808-648A-4A9C-A7A5-B1672775D9AB}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{4A756F5F-CBA4-428B-B17F-AF80C0C8502D}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{4B40437B-8972-4444-BBE3-1588FF55F203}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{4BD03680-3C0F-4501-AFF7-3D008586917F}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{5544903C-2CCC-487C-91BB-F310B72A8E9B}\InprocServer32 -> AcETransmit.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{59A224A2-BEF8-4C89-96E0-83A5411ABB6C}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{622F6193-E4DD-46E6-BC66-2ED88E9FD28D}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{6451051B-AD22-4C6A-ACCE-013A0E1DDBC3}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{64B99FDB-1D85-447F-98C7-569DBDA723DB}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{6BCE6F6E-C050-4F39-BD98-E2743949F724}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{6F56D7C9-18DD-4C15-9FA8-C54E3610EC40}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{70DBCAE8-8C2B-450C-9E1D-43E4686C6512}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{713C0E8A-5AE8-4695-B442-5ED6C4FE5C42}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{7293E009-3015-4AD3-96EC-D42C36B5FCE3}\InprocServer32 -> AcETransmit.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{72EFC580-D085-4B81-8C55-26A79E445338}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{750AEC19-2E4C-4ED9-9B9F-F9CAFCD060F3}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{794199C5-827C-41C8-8CB2-3A1EA056AF5E}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{798391FE-4AF2-4851-9DDA-1F0D70C02A9E}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{7BA16B3F-1AB3-4BD7-B959-52C4B8504EE9}\InprocServer32 -> AcInetUI.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{7C239DAB-BC87-45F3-B7B1-FCC1541A235B}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{834CE679-2E47-49DE-9E41-FEC87E9192EB}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{849AFB5B-D6C9-4924-A712-F7118FF9611F}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{85452F88-5071-492E-B850-2E3C586DCBD8}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{87F5CF8F-A06D-498F-A05F-E520E6B570DB}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{89F0FC31-3B1D-494B-A75B-6BD4FA527B8A}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{8AA16DFC-DFC6-4B51-8FA2-A5D812BE33BF}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{8ED07FEF-E1B0-4CC3-B2BA-D354828AB952}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{988F4102-E6E3-4282-ACAC-55270827F2A8}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{9906CDFC-DB2C-4126-9422-13139B148495}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{9A21C6C5-27FC-4442-8590-575E7AFD73BB}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{9ECF83FB-23C5-43B6-83DE-93CFBDD74D4A}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{A58F47CC-FF65-4152-B0B1-666C643A5BFC}\InprocServer32 -> AcETransmit.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{A6A3D586-44CF-44C2-A92C-620BB713B4F2}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{ABBE3F83-D585-4A50-9B69-198B0F566F2E}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{AC5CECFA-F03A-41D2-A89C-704C44935941}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{B1560245-190E-4BBD-81DF-9B642D0E5325}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{B2A579E0-A797-40B1-8AEE-A8F6404719F8}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{B47196BC-D4AB-41BB-A771-543D67CFC9F5}\InprocServer32 -> AcETransmit.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{B53CEF4B-1A13-49DE-BBC5-A7100FB2F38C}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{B5EE2B68-9A23-4BCD-BB77-FEA6DFB24DD6}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{B80687F9-FA4C-4735-9DC4-E5715F2BC698}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{BAE5802A-CF21-4F9C-AE04-D98F4036AC31}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{BBF6A206-CB04-479D-96AE-349E1E83319A}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{BC71DEA1-D6FB-48B8-AB06-D151C81BBCDD}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{BF224DC3-B602-4EEE-BFE9-9E4E0AED6837}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{BF4CC07E-E9BB-40D6-873F-855B211033B9}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{C061C82C-D041-4214-BB07-B608107CEFCB}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{C2D4ACCC-A3D1-4A0A-AD59-0DD8BA3D5EE1}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{C8C18F89-794D-466B-8B97-95634D9890EF}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{C8EC7647-1E79-4F13-81D7-2EED803D0D22}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{CC23CA32-9892-4FBA-A108-FE31CA0F35A6}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{CD865713-70D6-4E15-BB7B-9B99AD9DEB85}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{D56F5AB3-9C4D-4F1A-A851-A671D9FE8C22}\InprocServer32 -> AcETransmit.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{D66873EA-AAE5-41CC-8DD2-8CE3228E9F89}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{D86B6C47-11F2-4D95-B635-EA575F0892FC}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{DB207560-8449-4FAF-BDC2-61676EB012D4}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{DE74F5AD-DA2F-429F-BAF9-850A2808D585}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{DF6525C2-6358-4B07-813D-708120C5FE1A}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{E177A457-9EAA-43C3-A3CE-84874A28F6CA}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{E29F6C45-6927-4508-8F3F-34105FD3FC5F}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{E4222C78-3670-4BB1-9AD4-7D8F3E581F2D}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{E70DE962-842A-4488-9481-1D0FD72A020F}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{E9C07CEC-7B82-49E4-BBA2-7533B88E9D64}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{EA34A0C0-5CE7-4701-A6FA-117D25CD5EBB}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{EF01D98A-747B-4522-AD70-991B90855DBF}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{F196F03F-651A-43AF-BE34-D11942F24445}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{F2DB0EE3-7137-4CB0-8349-483C4FF2143A}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{F40E2FF0-4D77-40B2-9A44-A3AEECCE8EFF}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{F5522F0C-962A-48AC-9992-E81B07628F1F}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{F78DCF7C-043D-45FC-9D21-676FC307BA3F}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{F868EAEC-1B73-4F5E-BA73-90EBA94E75BE}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{FA97F7A7-FD19-4D55-ABF2-CFEFFF777426}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{FD51ED8A-D518-4554-B236-B6E9D234FD03}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{FE054BB2-AF94-40AC-88AA-2F59F7018B1D}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{FE317223-8EDE-4684-B424-E48B9EA90220}\InprocServer32 -> axdb.dll => Geen bestand
CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{FE718E8F-C3AA-4F30-9103-432450CF1DA1}\InprocServer32 -> axdb.dll => Geen bestand
AlternateDataStreams: C:\Users\Maxime:Heroes & Generals [38]
C:\Windows\System32\DRIVERS\SWDUMon.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

ADOBE FLASH PLAYER

Go to this page with Firefox or Opera to download the current version for your browser:
https://get.adobe.com/flashplayer/

Note:
Flash Player is pre-installed in Google Chrome and updates automatically!
Flash Player is pre-installed in IE/Edge and updates automatically!
===

ADOBE AIR

Navigate to this page and follow the instructions and get the latest version.
https://get.adobe.com/air/

==============

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after these updates remove these old version(s) via the Control Panel > Programs > Programs and Features.
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 19.0.0.241 - Adobe Systems Incorporated)
Adobe Flash Player 21 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 21.0.0.213 - Adobe Systems Incorporated)
Java 8 Update 73 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218073F0}) (Version: 8.0.730.2 - Oracle Corporation)

Please post the Fixlog.txt and let me know what problem persists.
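The fixlist above is built from FRST scan-log lines: registrations whose target file is gone ("[X]", "[no file]", "=> Geen bestand", which is Dutch for "no file" in this user's log), Image File Execution Options entries that hand an executable over to another program, and the driver service line for SWDUMon. The following is an added example, not code from this thread, from BleepingComputer or from FRST, that sorts lines in that format into those buckets so a reviewer can see at a glance what a fixlist is going to touch; the function names are ours and the sample lines are copied from the fixlist above.

```python
r"""Triage of FRST (Farbar Recovery Scan Tool) scan-log lines.

Added example; not code from the thread, from BleepingComputer or from FRST.
It sorts lines in the FRST.txt / Addition.txt format into the buckets a log
reviewer checks first:
  - orphan: a registration whose target no longer exists ("[X]", "no file",
    "not found", or "Geen bestand" in a Dutch-locale log);
  - ifeo_debugger: an Image File Execution Options entry that redirects an
    executable to another program;
  - driver: a kernel driver service line with path, size, date and vendor.
"""
import re
from dataclasses import dataclass

# Markers FRST appends when the file behind an entry is gone. Order matters:
# the longer "=> ..." forms are stripped before the bare "=>" separator.
MISSING_MARKERS = ("=> Geen bestand", "=> not found", "=> no file",
                   "-> no file", "[no file]", "[X]")

IFEO_RE = re.compile(
    r'^IFEO\\(?P<exe>[^:]+):\s*\[Debugger\]\s*"?(?P<debugger>[^"]+?)"?\s*$')
DRIVER_RE = re.compile(r'^(?P<start>[SRU]\d)\s+(?P<name>[^;]+);\s*(?P<rest>.+)$')
SIZE_DATE_RE = re.compile(r'\[(?P<size>\d+)\s+(?P<date>[\d-]+)\]')
VENDOR_RE = re.compile(r'\((?P<vendor>[^()]*)\)\s*$')


@dataclass
class Finding:
    kind: str            # "orphan", "ifeo_debugger", "driver" or "other"
    entry: str           # the key, service or executable concerned
    target: str          # what it points at (file, program, CLSID server)
    missing: bool = False
    vendor: str = ""
    size: int = 0


def is_missing(line: str) -> bool:
    return any(marker in line for marker in MISSING_MARKERS)


def strip_markers(text: str) -> str:
    for marker in MISSING_MARKERS + ("=>",):
        text = text.replace(marker, "")
    return " ".join(text.split())


def parse_line(line: str) -> Finding:
    line = line.strip()
    m = IFEO_RE.match(line)
    if m:
        return Finding("ifeo_debugger", m["exe"], m["debugger"].strip())
    m = DRIVER_RE.match(line)
    if m:
        rest = m["rest"]
        sd = SIZE_DATE_RE.search(rest)
        vm = VENDOR_RE.search(rest)
        path = re.split(r"\s+\[", rest, maxsplit=1)[0]   # path ends at " [size date]" or " [X]"
        return Finding("driver", m["name"].strip(), path,
                       missing=rest.rstrip().endswith("[X]"),
                       vendor=vm["vendor"] if vm else "",
                       size=int(sd["size"]) if sd else 0)
    if is_missing(line):
        label, _, body = line.partition(": ")
        cleaned = strip_markers(body)
        if " -> " in cleaned:
            entry, target = cleaned.rsplit(" -> ", 1)
        else:
            entry, target = label, cleaned
        return Finding("orphan", entry.strip(), target.strip(), missing=True)
    return Finding("other", line, "")


def triage(lines):
    """Group non-empty lines by kind; everything unrecognised lands in "other"."""
    buckets = {"orphan": [], "ifeo_debugger": [], "driver": [], "other": []}
    for line in lines:
        if line.strip():
            f = parse_line(line)
            buckets[f.kind].append(f)
    return buckets


# Sample input copied from the fixlist posted in the thread.
SAMPLE_LINES = [
    r"Winlogon\Notify\igfxcui: igfxdev.dll [X]",
    r'IFEO\AcroRd32.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"',
    r'IFEO\dropbox.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"',
    r"ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> no file",
    r"FF Plugin: @microsoft.com/GENUINE -> disabled [no file]",
    r"S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [25608 2017-03-14] (SlimWare Utilities, Inc.)",
    r"S3 DrvAgent64; \??\C:\Windows\SysWOW64\Drivers\DrvAgent64.SYS [X]",
    r"CustomCLSID: HKU\S-1-5-21-3025044064-27094235-1761949023-1000_Classes\CLSID\{0215A4C0-5431-4FD0-9B06-46589B5C4939}\InprocServer32 -> axdb.dll => Geen bestand",
    r"AlternateDataStreams: C:\Users\Maxime:Heroes & Generals [38]",
]

if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_LINES).items():
        print(f"{kind}: {len(findings)}")
        for f in findings:
            print(f"  {f.entry} -> {f.target}" + ("  [missing]" if f.missing else ""))
```

The "driver" bucket is the one to read most carefully: a signed driver from a known vendor that is present on disk (SWDUMon here) is in a different class from a service whose binary is already gone (DrvAgent64), and only the former can come back on its own.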

#3 Maximo40000
  • Topic Starter
  • Members
  • 11 posts

Posted 15 March 2017 - 01:47 PM

Hi nasdaq,

Thanks for helping me out. I have completed all steps, but AdwCleaner still picks it up.

I have attached the Fixlog (translated) as requested.

Kind regards,

Maximo40000

Attached Files


Edited by Maximo40000, 15 March 2017 - 01:48 PM.


#4 nasdaq
  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 March 2017 - 06:40 AM

Let's clean these remaining items.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
CloseProcesses:

C:\Windows\SysNative\drivers\swdumon.sys
DeleteKey: HKLM\Software\SlimWare Utilities Inc
Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is it now?

#5 Maximo40000
  • Topic Starter
  • Members
  • 11 posts

Posted 16 March 2017 - 08:25 AM

Still no change in the AdwCleaner scan results.

Attached Files



#6 nasdaq
  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 March 2017 - 12:50 PM

"C:\Windows\SysNative\drivers\swdumon.sys" => not found.
HKLM\Software\SlimWare Utilities Inc => key not found.


Let's see what we can find in the Registry.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
SlimWare;swdumon.sys
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;
===

Let's check the hard disk.

Please run the Farbar Recovery Scan Tool one more time and Enter \swdumon.sys in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

#7 Maximo40000
  • Topic Starter
  • Members
  • 11 posts

Posted 16 March 2017 - 05:18 PM

SearchReg.txt:

 

Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Maxime (16-03-2017 22:29:16)
Running from C:\Users\Maxime\Desktop\Malwarebytes\Farbar
Boot Mode: Normal

================== Search Registry: "SlimWare;swdumon.sys" ===========


===================== Search results for "SlimWare" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SlimWare Utilities Inc]


===================== Search results for "swdumon.sys" ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SWDUMon]
"ImagePath"="system32\DRIVERS\SWDUMon.sys"

====== End of search ======

 

Search.txt:

 

Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Maxime (16-03-2017 22:46:40)
Started from C:\Users\Maxime\Desktop\Malwarebytes\Farbar
Boot Mode: Normal

================== Search files: "swdumon.sys" =============

C:\Windows\System32\drivers\SWDUMon.sys
[2016-11-02 17:21][2017-03-16 14:06] 0025608 ____A (SlimWare Utilities, Inc.) 4C2D24EB13F611AC742809A2AAA25BE1 [File is signed]

C:\Users\Maxime\AppData\Local\AVG Netherlands BV\AVG Driver Updater\SWDUMon.sys
[2016-11-02 17:21][2017-03-16 14:06] 0025608 ____A (SlimWare Utilities, Inc.) 4C2D24EB13F611AC742809A2AAA25BE1 [File is signed]

====== End of search ======
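The Search.txt above is what finally explains the reinfection: the same binary (identical MD5, identical timestamps, signed by the same vendor) sits both under System32\drivers and under the AVG Driver Updater folder in AppData, and the service key's ImagePath points at the System32 copy. The following is an added example, not code from the thread, from BleepingComputer or from FRST, that parses FRST's File Search output, groups hits by hash, resolves a service ImagePath against them, and reports the copies outside the Windows directory as the places to look for whatever puts the driver back; the helper names are ours and the sample text is the Search.txt posted above.

```python
r"""Correlating FRST "Search files" output by hash.

Added example; not code from the thread, BleepingComputer or FRST. Given the
Search.txt text FRST writes after a File Search, it parses every hit, groups
hits by MD5, resolves a service ImagePath to one of them, and reports copies
that live outside the Windows directory. When the same driver binary exists
both under System32\drivers and under an application folder in AppData, the
latter is the obvious candidate for whatever reinstalls the driver.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Detail line that follows each path in Search.txt:
#   [created][modified] size attrs (vendor) MD5 [File is signed]
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\]\s+(?P<size>\d+)\s+"
    r"(?P<attrs>\S+)\s+\((?P<vendor>[^()]*)\)\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s*(?P<sig>\[[^\]]*\])?\s*$")


@dataclass
class FileHit:
    path: str
    created: str
    modified: str
    size: int
    vendor: str
    md5: str
    signed: bool


def parse_search_txt(text: str):
    """A path line is followed by its detail line; banner and blank lines reset."""
    hits, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            pending = None
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            hits.append(FileHit(pending, m["created"], m["modified"], int(m["size"]),
                                m["vendor"], m["md5"].upper(),
                                bool(m["sig"] and "is signed" in m["sig"])))
            pending = None
        elif not m:
            pending = line
    return hits


def group_by_hash(hits):
    groups = defaultdict(list)
    for h in hits:
        groups[h.md5].append(h)
    return dict(groups)


def likely_redrop_sources(hits, windows_dir="C:\\Windows\\"):
    """Copies of a multi-location hash that are not under the Windows directory."""
    prefix = windows_dir.lower()
    sources = []
    for copies in group_by_hash(hits).values():
        if len(copies) < 2:
            continue
        sources.extend(c for c in copies if not c.path.lower().startswith(prefix))
    return sources


def service_image_hit(image_path, hits, systemroot="C:\\Windows"):
    """Resolve a service ImagePath (often relative to the system root, or
    prefixed with \SystemRoot) and return the search hit it points at, or None."""
    p = image_path.strip('"')
    if p.lower().startswith("\\systemroot\\"):
        p = systemroot + p[len("\\systemroot"):]
    elif not re.match(r"^[A-Za-z]:\\", p):
        p = systemroot + "\\" + p.lstrip("\\")
    for h in hits:
        if h.path.lower() == p.lower():
            return h
    return None


# Sample input: the Search.txt posted in the thread.
SAMPLE_SEARCH_TXT = r"""
Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Maxime (16-03-2017 22:46:40)
Started from C:\Users\Maxime\Desktop\Malwarebytes\Farbar
Boot Mode: Normal

================== Search files: "swdumon.sys" =============

C:\Windows\System32\drivers\SWDUMon.sys
[2016-11-02 17:21][2017-03-16 14:06] 0025608 ____A (SlimWare Utilities, Inc.) 4C2D24EB13F611AC742809A2AAA25BE1 [File is signed]

C:\Users\Maxime\AppData\Local\AVG Netherlands BV\AVG Driver Updater\SWDUMon.sys
[2016-11-02 17:21][2017-03-16 14:06] 0025608 ____A (SlimWare Utilities, Inc.) 4C2D24EB13F611AC742809A2AAA25BE1 [File is signed]

====== End of search ======
"""

if __name__ == "__main__":
    hits = parse_search_txt(SAMPLE_SEARCH_TXT)
    svc = service_image_hit(r"system32\DRIVERS\SWDUMon.sys", hits)
    print("service loads:", svc.path if svc else "(no matching file)")
    for src in likely_redrop_sources(hits):
        print("possible reinstall source:", src.path, src.md5)
```

Deleting only the System32 copy and the service key leaves the AppData copy for the updater to restore, which is why the fix in the next reply removes both paths and both registry keys in one pass.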



#8 nasdaq
  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 March 2017 - 09:29 AM

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
CloseProcesses:

DeleteKey: HKLM\SoftwareWow6432Node\SlimWare Utilities Inc
DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SWDUMon
C:\Windows\System32\drivers\SWDUMon.sys
C:\Users\Maxime\AppData\Local\AVG Netherlands BV\AVG Driver Updater\SWDUMon.sys

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is it now?

#9 Maximo40000
  • Topic Starter
  • Members
  • 11 posts

Posted 17 March 2017 - 05:11 PM

After checking the fixlog I noticed a missing backslash, corrected it and tried again:

 

fixlist content:
*****************
start

CreateRestorePoint:
CloseProcesses:

DeleteKey: HKLM\Software\Wow6432Node\SlimWare Utilities Inc
DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SWDUMon
C:\Windows\System32\drivers\SWDUMon.sys
C:\Users\Maxime\AppData\Local\AVG Netherlands BV\AVG Driver Updater\SWDUMon.sys

Reboot:

End
*****************

Error: (0) Failed to create a restorePoint.
Process successfully concluded.
HKLM\Software\Wow6432Node\SlimWare Utilities Inc => key has been successfully removed.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SWDUMon => key has been successfully removed.
C:\Windows\System32\drivers\SWDUMon.sys => has been successfully moved.
C:\Users\Maxime\AppData\Local\AVG Netherlands BV\AVG Driver Updater\SWDUMon.sys => has been successfully moved.


The system needs a reboot.

==== End of Fixlog 22:09:30 ====

 

I ran AdwCleaner, which now picked up 2 new threats and was able to remove them. The 3 other threats keep coming back.


Edited by Maximo40000, 17 March 2017 - 05:29 PM.


#10 nasdaq
  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 March 2017 - 08:42 AM


These remnant items found by AdwCleaner are not active.

If you wish to remove them completely I suggest you start a new topic in the Malwarebytes - AdwCleaner forum

https://forums.malwarebytes.com/forum/187-malwarebytes-adwcleaner/

I'm sure that the experts would like to know what the cause is.
They can then add the required commands to the next version of AdwCleaner.

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#11 Maximo40000
  • Topic Starter
  • Members
  • 11 posts

Posted 18 March 2017 - 06:26 PM

I ran ZHPCleaner which, again, detected 2 new threats along with the 3 threats from before. It was able to remove 1 of them, which on first glance looked like one of the threats I found yesterday. The other one, however, also keeps coming back and possesses the word "swdumon" in its path.

After reading the links you provided, I decided to download Emsisoft Internet Security, but when I tried to install it, an error message popped up to inform me that an application had stopped working. Now I get this message whenever I try to start an application, starting about 1 min after logging in.


Edited by Maximo40000, 18 March 2017 - 06:34 PM.


#12 nasdaq
  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 March 2017 - 08:22 AM

Please run the Farbar tool and post fresh FRST and Addition.txt logs.

We may possibly get information on these errors by looking at the Addition.txt log.

#13 Maximo40000
  • Topic Starter
  • Members
  • 11 posts

Posted 19 March 2017 - 10:00 AM

I have attached the files.

 

I have listed some more info, provided to me via the message boxes, below:

 

Problem signatures:

Event name problem: BEX64
Application name: cmd.exe
Application version: 6.1.7601.17514
Timestamp of the application: 4ce798e5
Error module name: StackHash_b4ee
Error module version: 0.0.0.0
Timestamp of the error module: 00000000
Exception margin: 00000000000fee60
Exception code: c0000005
Exception details: 0000000000000008
OS Version: 6.1.7601.2.1.0.256.48
Locale ID: 2067
Additional information1: b4ee
Additional information2: b4ee5de6a2322745523997a782b35692
Additional information3: 277e
Additional information4: 277e19c30fbd5f6bb531ec9e027c37c3




#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 March 2017 - 08:27 AM

Let's try this.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SWDUMon
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SWDUMon" /f
unlock: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SlimWare Utilities Inc
reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SlimWare Utilities Inc" /f
Unlock: C:\Windows\System32\DRIVERS\SWDUMon.sys
FF HKLM-x32\...\Firefox\Extensions: [belgiumeid@eid.belgium.be] - C:\Program Files\Mozilla Firefox\extensions\belgiumeid@eid.belgium.be => not found
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [25608 2017-03-19] (SlimWare Utilities, Inc.)
C:\Windows\System32\DRIVERS\SWDUMon.sys
AlternateDataStreams: C:\Users\Maxime:Heroes & Generals [38]
FirewallRules: [{DAFC09CD-1AB5-46DD-8E35-2DC35ECA6207}] => (Block) c:\users\Maxime\appdata\local\temp\jds806010.tmp\jxpiinstall.exe
FirewallRules: [{18454A2B-E8D6-4E4A-8BFB-BE3530069FC8}] => (Block) c:\users\Maxime\appdata\local\temp\jds806010.tmp\jxpiinstall.exe
c:\users\Maxime\appdata\local\temp\jds806010.tmp

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

We will repair some important Windows services.

Please Download Tweaking.com - Windows Repair from Here

  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore Do a Registry backup. When you have completed this click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All repair button then select just the item(s) listed below

  • 01 - Repair Registry Permissions
    02 - Reset File Permissions (2)
    03 - Reset Service permissions
    04 - Register System Files
    05 - Repair WMI
    10 - Remove Policies Set By Infections
    17 - Repair Windows Updates
    18 - Repair CD/DVD Missing/Not Working
    21 - Repair MSI (Windows Installer)
    26 - Restore Important Windows Services
    27 - Set Windows Service to Default Startup
    
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. ( Reboot if asked to do so)
  • Please copy and paste the Contents of this file on your next reply.

===

Restart the computer normally.

How is the computer running now?

===


#15 Maximo40000

Maximo40000
  • Topic Starter

  • Members
  • 11 posts

Posted 20 March 2017 - 01:22 PM

I did this fix in safe mode, as this is less frustrating to do since yesterday. Is there a preferred mode to do the fixes/scans, or does it not make a difference?

Fixlog below:

fixlist content:
*****************
start
...
End
*****************

Error: Restorepoint can only be created in normal mode.
Process successfully concluded.
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SWDUMon" => key can not be unlocked

========= reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SWDUMon" /f =========

Error: The system can not find the specified registrykey or -value.

========= End of Reg: =========

"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SlimWare Utilities Inc" => key can not be unlocked

========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SlimWare Utilities Inc" /f =========

Error: The system can not find the specified registrykey or -value.

========= End of Reg: =========

"C:\Windows\System32\DRIVERS\SWDUMon.sys" => not found.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\belgiumeid@eid.belgium.be => value not found.
SWDUMon => service not found.
"C:\Windows\System32\DRIVERS\SWDUMon.sys" => not found.
"C:\Users\Maxime" => ":Heroes & Generals" ADS not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{DAFC09CD-1AB5-46DD-8E35-2DC35ECA6207} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{18454A2B-E8D6-4E4A-8BFB-BE3530069FC8} => value not found.
"c:\users\Maxime\appdata\local\temp\jds806010.tmp" => not found.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 3149032 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 0 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 0 B
Maxime => 8430 B
TEMP => 0 B
UpdatusUser => 0 B
guest => 0 B

RecycleBin => 0 B
EmptyTemp: => 3 MB temporary data removed.

================================

The system needs a reboot.

==== End of Fixlog 18:24:30 ====

 

As Tweaking.com WR discourages running the repair while infected, and the fix seems to have failed, I am somewhat reluctant to do repairs right away.

I have, however, done the pre-scan and attached the log.



Edited by Maximo40000, 20 March 2017 - 01:38 PM.
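The Fixlog above mixes "not found", locked-key and successful outcomes, and a reader has to scan every line to see what the fix actually changed. This added example (mine, not part of the thread and not an FRST feature) parses a log in that shape and buckets each target by outcome; the sample log is constructed from the posted one, with one constructed "moved successfully" line added so the success case is exercised.

```python
import re

# Constructed sample in the shape of the FRST Fixlog quoted in post #15
# (abridged). The temp-folder line is a constructed success case; the
# thread's own log reports only "not found" and locked-key outcomes.
SAMPLE_FIXLOG = r"""
Error: Restorepoint can only be created in normal mode.
Process successfully concluded.
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SWDUMon" => key can not be unlocked
"C:\Windows\System32\DRIVERS\SWDUMon.sys" => not found.
SWDUMon => service not found.
"C:\Users\Maxime" => ":Heroes & Generals" ADS not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{DAFC09CD-1AB5-46DD-8E35-2DC35ECA6207} => value not found.
"c:\users\Maxime\appdata\local\temp\jds806010.tmp" => moved successfully
EmptyTemp: => 3 MB temporary data removed.
"""

# One "<target> => <result>" line; the trailing period is optional.
RESULT_RE = re.compile(r'^(?P<target>.+?) => (?P<result>.+?)\.?$')

def parse_fixlog(text):
    """Split a Fixlog into (target, result) pairs and bare 'Error:' lines."""
    results, errors = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Error:"):
            errors.append(line[len("Error:"):].strip())
            continue
        m = RESULT_RE.match(line)
        if m:
            results.append((m.group("target").strip('"'), m.group("result")))
    return results, errors

def summarize(text):
    """Bucket every target by outcome so a reader sees what actually changed."""
    results, errors = parse_fixlog(text)
    summary = {"removed": [], "not_found": [], "locked": [], "errors": errors}
    for target, result in results:
        low = result.lower()
        if "not found" in low:
            summary["not_found"].append(target)
        elif "can not be unlocked" in low:
            summary["locked"].append(target)
        elif "successfully" in low:
            summary["removed"].append(target)
    # FRST refuses to create a restore point outside normal mode, so this
    # error is a reliable sign the fix was run from Safe Mode.
    summary["safe_mode"] = any("normal mode" in e for e in errors)
    return summary
```

Run `summarize()` over a pasted Fixlog to get the locked, missing and removed targets as lists instead of reading the log line by line.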




