View Full Version : what is mwmev.exe?



xoxos
2010-05-19, 07:50
i have a respawning file called mwmev.exe in my c:\WINDOWS directory on win XP. there are a few references to it on google which i am reluctant to visit.

can you tell me what it is? my system still works. i'm more interested in identifying it than removing it as i've been harassed by certain organisations.

tashi
2010-05-19, 21:23
Hello xoxos,



> i'm more interested in identifying it than removing it

In order for a volunteer to advise you here in the malware removal forum please produce a log for analysis.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)



> as i've been harassed by certain organisations.

Please explain further. :)

Best regards.

xoxos
2010-05-24, 01:34
i'm not sure where spybot saves log files, my last scan didn't indicate saving one. i'm unsure about whether i'd like to post that information online as i have unscrupulous competitors in the music software industry.

microsoft's online 'onecare safety scanner' *did* identify mwmev.exe in c:\WINDOWS. spybot and malware bytes usually find no issues, nor does sophos' rootkit scanner. sometimes spybot quarantines it in a .zip titled 'virtumonde1'. mwmev.exe has respawned before connecting to the internet so i am happy to place it in a zip? on my website if requested. my nescient reading of the file in a hex editor wasn't informative.

fyi my toshiba is evidently full of worms, according to sysinfo.org's database - several .exes like csrss, ehsched, lsass and smss are listed there as worms. i took a screenshot of running processes after reformatting from oem disks and all of these processes were present before connecting to the internet.. so i question sysinfo.org's information :)

by 'certain organisations' i mean covert parties in the u.s. who forced me to leave that country last year. few people are willing to entertain the notion.

xoxos
2010-05-24, 01:47
more information :p

there's a file in c:\WINDOWS\Prefetch called MWMEX.EXE-000D1C67.pf :)

i can't find 'check.txt' or 'fixes.txt' on my system, logfile options are checked in 'options.'

'resident.log' reads as follows:

5/19/2010 4:25:17 PM Allowed (based on user decision) value "PadTouch" (new data: "") deleted in System Startup global entry!
5/19/2010 6:02:05 PM Allowed (based on user decision) value "TFncKy" (new data: "") deleted in System Startup global entry!
5/19/2010 6:02:27 PM Allowed (based on user decision) value "TDispVol" (new data: "") deleted in System Startup global entry!
5/19/2010 6:03:01 PM Allowed (based on user decision) value "THotkey" (new data: "") deleted in System Startup global entry!
5/19/2010 6:04:35 PM Allowed (based on user decision) value "SynTPEnh" (new data: "") deleted in System Startup global entry!
5/19/2010 6:05:43 PM Allowed (based on user decision) value "Tvs" (new data: "") deleted in System Startup global entry!
5/19/2010 6:06:09 PM Allowed (based on user decision) value "TPSMain" (new data: "") deleted in System Startup global entry!
5/19/2010 6:06:39 PM Allowed (based on user decision) value "SmoothView" (new data: "") deleted in System Startup global entry!
5/19/2010 6:07:47 PM Allowed (based on user decision) value "Pinger" (new data: "") deleted in System Startup global entry!
5/19/2010 6:09:15 PM Allowed (based on user decision) value "QuickTime Task" (new data: "") deleted in System Startup global entry!
5/19/2010 6:11:15 PM Allowed (based on user decision) value "HPDJ Taskbar Utility" (new data: "") deleted in System Startup global entry!
5/19/2010 6:13:01 PM Allowed (based on user decision) value "MSN" (new data: "") deleted in System Startup global entry!
5/19/2010 6:45:52 PM Allowed (based on user decision) value "SpybotSD TeaTimer" (new data: "") deleted in System Startup user entry!
5/21/2010 10:15:06 PM Allowed (based on user decision) value "MSN" (new data: "") deleted in System Startup global entry!
5/22/2010 4:51:52 PM Allowed (based on user decision) value "MSN" (new data: "C:\Windows\mwmev.exe") added in System Startup global entry!
5/22/2010 4:53:30 PM Allowed (based on authenticode whitelist) value "{5ED80217-570B-4DA9-BF44-BE107C0EC166}" (new data: "") added in ActiveX Distribution Unit!



thanks for your work, hth :)

tashi
2010-06-02, 19:11
Hello xoxos,


In order for a volunteer to advise you here in the malware removal forum please produce a log for analysis.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

That would be a DDS log.

> i'm not sure where spybot saves log files, my last scan didn't indicate saving one.

FYI:

Open SpyBot
Check for problems, do not 'fix' any items found.
Switch Spybot S&D to advanced mode
Navigate to tools - view report
Click "view report"
Click "export" to save the report to a text file.


Questions regarding Spybot-S&D support can be asked here: Spybot-S&D Forums (http://forums.spybot.info/forumdisplay.php?f=4)

> i'm unsure about whether i'd like to post that information online as i have unscrupulous competitors in the music software industry.

> by 'certain organisations' i mean covert parties in the u.s. who forced me to leave that country last year. few people are willing to entertain the notion.

Please consider taking the machine to a local technician for analysis.

Best regards. :)