
Thread: what is mwmev.exe?

  1. #1
    Junior Member
    Join Date
    May 2010
    Posts
    3

    what is mwmev.exe?

    i have a respawning file called mwmev.exe in my c:\WINDOWS directory on win XP. there are a few references to it on google which i am reluctant to visit.

    can you tell me what it is? my system still works. i'm more interested in identifying it than removing it as i've been harassed by certain organisations.

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961


    Hello xoxos,

    Quote (originally posted by xoxos):
      i'm more interested in identifying it than removing it

    In order for a volunteer to advise you here in the malware removal forum, please produce a log for analysis.

    "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)

    Quote (originally posted by xoxos):
      as i've been harassed by certain organisations.

    Please explain further.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    May 2010
    Posts
    3


    i'm not sure where spybot saves log files, my last scan didn't indicate saving one. i'm unsure about whether i'd like to post that information online as i have unscrupulous competitors in the music software industry.

    microsoft's online 'onecare safety scanner' *did* identify mwmev.exe in c:\WINDOWS. spybot and malware bytes usually find no issues, nor does sophos' rootkit scanner. sometimes spybot quarantines it in a .zip titled 'virtumonde1'. mwmev.exe has respawned before connecting to the internet so i am happy to place it in a zip? on my website if requested. my nescient reading of the file in a hex editor wasn't informative.

    fyi my toshiba is evidently full of worms, according to sysinfo.org's database - several .exes like csrss, ehsched, lsass and smss are listed there as worms. i took a screenshot of running processes after reformatting from oem disks and all of these processes were present before connecting to the internet.. so i question sysinfo.org's information

    by 'certain organisations' i mean covert parties in the u.s. who forced me to leave that country last year. few people are willing to entertain the notion.

  4. #4
    Junior Member
    Join Date
    May 2010
    Posts
    3


    more information :p

    there's a file in c:\WINDOWS\Prefetch called MWMEX.EXE-000D1C67.pf

    i can't find 'check.txt' or 'fixes.txt' on my system, logfile options are checked in 'options.'

    'resident.log' reads as follows:

    5/19/2010 4:25:17 PM Allowed (based on user decision) value "PadTouch" (new data: "") deleted in System Startup global entry!
    5/19/2010 6:02:05 PM Allowed (based on user decision) value "TFncKy" (new data: "") deleted in System Startup global entry!
    5/19/2010 6:02:27 PM Allowed (based on user decision) value "TDispVol" (new data: "") deleted in System Startup global entry!
    5/19/2010 6:03:01 PM Allowed (based on user decision) value "THotkey" (new data: "") deleted in System Startup global entry!
    5/19/2010 6:04:35 PM Allowed (based on user decision) value "SynTPEnh" (new data: "") deleted in System Startup global entry!
    5/19/2010 6:05:43 PM Allowed (based on user decision) value "Tvs" (new data: "") deleted in System Startup global entry!
    5/19/2010 6:06:09 PM Allowed (based on user decision) value "TPSMain" (new data: "") deleted in System Startup global entry!
    5/19/2010 6:06:39 PM Allowed (based on user decision) value "SmoothView" (new data: "") deleted in System Startup global entry!
    5/19/2010 6:07:47 PM Allowed (based on user decision) value "Pinger" (new data: "") deleted in System Startup global entry!
    5/19/2010 6:09:15 PM Allowed (based on user decision) value "QuickTime Task" (new data: "") deleted in System Startup global entry!
    5/19/2010 6:11:15 PM Allowed (based on user decision) value "HPDJ Taskbar Utility" (new data: "") deleted in System Startup global entry!
    5/19/2010 6:13:01 PM Allowed (based on user decision) value "MSN" (new data: "") deleted in System Startup global entry!
    5/19/2010 6:45:52 PM Allowed (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!
    5/21/2010 10:15:06 PM Allowed (based on user decision) value "MSN" (new data: "") deleted in System Startup global entry!
    5/22/2010 4:51:52 PM Allowed (based on user decision) value "MSN" (new data: "C:\Windows\mwmev.exe") added in System Startup global entry!
    5/22/2010 4:53:30 PM Allowed (based on authenticode whitelist) value "{5ED80217-570B-4DA9-BF44-BE107C0EC166}" (new data: "") added in ActiveX Distribution Unit!



    thanks for your work, hth
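
An added example, not part of the original post and not Spybot's own code: a triage script for the resident.log excerpt quoted above that lists startup values that were added and why they deserve a closer look. The line layout is inferred from that excerpt, and the function names and the two heuristics are assumptions made for this example.

```python
import re
from datetime import datetime
from ntpath import dirname, normcase

# Line layout inferred from the resident.log excerpt quoted in the post.
LINE_RE = re.compile(
    r'^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<decision>\w+) '
    r'\(based on (?P<basis>[^)]*)\) value "(?P<name>[^"]*)" '
    r'\(new data: "(?P<data>[^"]*)"\) (?P<action>\w+) in (?P<where>.+?)!\s*$')

# Five lines copied verbatim from that excerpt.
SAMPLE_LOG = r'''
5/19/2010 6:13:01 PM Allowed (based on user decision) value "MSN" (new data: "") deleted in System Startup global entry!
5/19/2010 6:45:52 PM Allowed (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!
5/21/2010 10:15:06 PM Allowed (based on user decision) value "MSN" (new data: "") deleted in System Startup global entry!
5/22/2010 4:51:52 PM Allowed (based on user decision) value "MSN" (new data: "C:\Windows\mwmev.exe") added in System Startup global entry!
5/22/2010 4:53:30 PM Allowed (based on authenticode whitelist) value "{5ED80217-570B-4DA9-BF44-BE107C0EC166}" (new data: "") added in ActiveX Distribution Unit!
'''

def parse(log_text):
    """Return one dict per well-formed line; anything else is skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %I:%M:%S %p")
            events.append(ev)
    return events

def suspicious_autoruns(events, windir=r"C:\Windows"):
    """Flag startup values that were added, with the reasons (heuristics)."""
    deleted, findings = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["where"].startswith("System Startup"):
            continue  # e.g. ActiveX entries are out of scope here
        if ev["action"] == "deleted":
            deleted.add(ev["name"])
        elif ev["action"] == "added" and ev["data"]:
            path, reasons = ev["data"], []
            if (normcase(dirname(path)) == normcase(windir)
                    and path.lower().endswith(".exe")):
                reasons.append("executable sits directly in the Windows directory")
            if ev["name"] in deleted:
                reasons.append("reuses a value name that was deleted earlier")
            if reasons:
                findings.append((ev["ts"], ev["name"], path, reasons))
    return findings

if __name__ == "__main__":
    for ts, name, path, reasons in suspicious_autoruns(parse(SAMPLE_LOG)):
        print(ts.isoformat(), name, path, "; ".join(reasons))
```

On the sample lines this reports only the 5/22/2010 "MSN" entry, which matches both heuristics; a flagged entry is a lead for further analysis, not a verdict.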

  5. #5
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961


    Hello xoxos,

    Quote (originally posted by tashi):
      In order for a volunteer to advise you here in the malware removal forum please produce a log for analysis.

      "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)

    That would be a DDS log.

    Quote (originally posted by xoxos):
      i'm not sure where spybot saves log files, my last scan didn't indicate saving one.

    FYI:
    • Open SpyBot
    • Check for problems, do not 'fix' any items found.
    • Switch Spybot S&D to advanced mode
    • Navigate to tools - view report
    • Click "view report"
    • Click "export" to save the report to a text file.

    Questions regarding Spybot-S&D support can be asked here: Spybot-S&D Forums

    Quote (originally posted by xoxos):
      i'm unsure about whether i'd like to post that information online as i have unscrupulous competitors in the music software industry.

    Quote (originally posted by xoxos):
      by 'certain organisations' i mean covert parties in the u.s. who forced me to leave that country last year. few people are willing to entertain the notion.

    Please consider taking the machine to a local technician for analysis.

    Best regards.
