
nmc.win32.agent.gwu

  • 12-08-2014 8:53am
    #1
    Moderators, Society & Culture Moderators Posts: 11,490 Mod ✭✭✭✭


    When I scan with EMCO Malware Destroyer it finds nmc.win32.agent.gwu which it removes but it keeps coming back. Can anyone tell me what it is and how to keep it gone.

    I'm still using Windows XP so maybe that's my problem right there!

    Genealogy Forum Mod



Comments

  • Registered Users, Registered Users 2 Posts: 840 ✭✭✭jsa112


    can you post a log from emco?


  • Moderators, Society & Culture Moderators Posts: 11,490 Mod ✭✭✭✭Hermy


    I don't know how. Don't see any option for that.

    I also can't update AVG at the moment which may be related.

    Genealogy Forum Mod



  • Registered Users, Registered Users 2 Posts: 840 ✭✭✭jsa112


    can you download malwarebytes

    http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

    update it and run a quick scan and post that log


  • Moderators, Society & Culture Moderators Posts: 11,490 Mod ✭✭✭✭Hermy


    I have Malwarebytes - I'll try that.

    Genealogy Forum Mod



  • Moderators, Society & Culture Moderators Posts: 11,490 Mod ✭✭✭✭Hermy


    Is this it?
    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 12/08/2014
    Scan Time: 10:01:17
    Logfile:
    Administrator: Yes

    Version: 2.00.2.1012
    Malware Database: v2014.08.12.03
    Rootkit Database: v2014.08.04.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    OS: Windows XP Service Pack 3
    CPU: x86
    File System: NTFS
    User: Owner

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 303866
    Time Elapsed: 20 min, 58 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Warn
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 0
    (No malicious items detected)

    Physical Sectors: 0
    (No malicious items detected)


    (end)

    Genealogy Forum Mod



  • Registered Users, Registered Users 2 Posts: 840 ✭✭✭jsa112


    looks good, can you download DDS, run a scan and post the log it gives.

    http://www.bleepingcomputer.com/download/dds/


  • Moderators, Society & Culture Moderators Posts: 11,490 Mod ✭✭✭✭Hermy


    Will do - thanks very much.

    Genealogy Forum Mod



  • Moderators, Society & Culture Moderators Posts: 11,490 Mod ✭✭✭✭Hermy


    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702
    Run by Owner at 15:11:12 on 2014-08-12
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.353.1033.18.1015.270 [GMT 1:00]
    .
    AV: AVG AntiVirus Free Edition 2014 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\AVG\AVG2014\avgui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\AVG\AVG2014\avgwdsvc.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Program Files\AVAST Software\Avast\avastUi.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\wbem\unsecapp.exe
    C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxps://www.google.ie/?gws_rd=cr&ei=hDFpUpWCCLCB7QbDs4Ao
    BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [AVG_UI] "c:\program files\avg\avg2014\avgui.exe" /TRAYONLY
    mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    TCP: NameServer = 192.168.1.254
    TCP: Interfaces\{61E07FCE-5389-4107-A3B3-1854E8FA2207} : DHCPNameServer = 192.168.1.254
    Notify: igfxcui - igfxsrvc.dll
    Notify: SDWinLogon - SDWinLogon.dll
    SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\dkt9alhd.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.boards.ie/#tabs-latest
    FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_14_0_0_145.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2014-8-12 192352]
    R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2013-9-2 147736]
    R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2013-9-2 241944]
    R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2013-8-20 98584]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2013-9-8 27416]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-8-12 779536]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-8-12 414392]
    R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2013-9-25 121624]
    R1 AVGIDSDriverl;AVGIDSDriverl;c:\windows\system32\drivers\avgidsdriverlx.sys [2014-6-17 190232]
    R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2013-9-10 21272]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2013-9-2 188696]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-8-1 197400]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-5-23 119056]
    R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-8-12 24184]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-8-12 67824]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-8-12 50344]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2014\avgwdsvc.exe [2014-6-17 289328]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-7-19 110296]
    S0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-8-12 49944]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2014\avgidsagent.exe [2014-6-27 3241488]
    S4 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-10-12 1817560]
    S4 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-10-12 1033688]
    S4 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-10-12 171928]
    .
    =============== Created Last 30 ================
    .
    .
    ==================== Find3M ====================
    .
    2014-07-20 08:53:36 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2014-07-20 08:53:36 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2014-06-17 15:22:02 188696 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2014-06-17 15:21:22 197400 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2014-06-17 15:18:00 241944 ----a-w- c:\windows\system32\drivers\avglogx.sys
    2014-06-17 15:17:58 147736 ----a-w- c:\windows\system32\drivers\avgidshx.sys
    2014-06-17 15:17:56 190232 ----a-w- c:\windows\system32\drivers\avgidsdriverlx.sys
    2014-06-17 15:06:38 121624 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
    2014-06-17 15:06:22 27416 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2014-06-17 15:06:20 21272 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
    .
    ============= FINISH: 15:11:54.60 ===============
    .

    Genealogy Forum Mod



  • Registered Users, Registered Users 2 Posts: 840 ✭✭✭jsa112


    looks good, if you can't get a log from EMCO then you can just ignore it. malwarebytes and dds would show any infections


  • Moderators, Society & Culture Moderators Posts: 11,490 Mod ✭✭✭✭Hermy


    Just scanned with Malwarebytes and nmc.win32.agent.gwu is back again?
    Is there any point in rerunning the other scans while it's still showing up?

    Genealogy Forum Mod



  • Registered Users, Registered Users 2 Posts: 840 ✭✭✭jsa112


    I need to see the log from malwarebytes when it finds it

    there is a log tab in the program


  • Moderators, Society & Culture Moderators Posts: 11,490 Mod ✭✭✭✭Hermy


    Sorry but I can't find a log file.
    Anyone like to advise?

    Genealogy Forum Mod



  • Registered Users, Registered Users 2 Posts: 840 ✭✭✭jsa112


    MBAM scan logs are saved to the following locations:

    -- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd

    -- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd


  • Moderators, Society & Culture Moderators Posts: 11,490 Mod ✭✭✭✭Hermy


    Hermy wrote: »
    Just scanned with Malwarebytes and nmc.win32.agent.gwu is back again?
    Is there any point in rerunning the other scans while it's still showing up?

    Sorry - I said Malwarebytes when I should have said EMCO.
    It's only EMCO that finds this entry and it's EMCO that I can't find a log file for.

    Genealogy Forum Mod



  • Registered Users, Registered Users 2 Posts: 840 ✭✭✭jsa112


    Just ignore it then, if malwarebytes isn't finding anything then it's more than likely a false positive from emco


  • Moderators, Society & Culture Moderators Posts: 11,490 Mod ✭✭✭✭Hermy


    Thanks for your patience jsa112.

    Genealogy Forum Mod


