Win32:Rpcnet (tool)

[blacksheepradio]

my avast anti-virus program keeps alerting me about an Win32:Rpcnet (tool) infection. even though i try to delete things or restore them it keeps coming back. my hjt file is below.
any advice?
if anyone needs more info just let me know.


Logfile of HijackThis v1.99.1
Scan saved at 4:43:34 PM, on 7/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\rpcnetp.exe
C:\Program Files\Speed Disk\nopdb.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CFSServ.exe] C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [McafWelcome] c:\PROGRA~1\mcafee.com\agent\mcwelcom.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Juice.lnk = C:\Program Files\Juice\Juice.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: ShortKeys Lite.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Recovery ActiveX Control Module) - https://www.lojackforlaptops.com/ctmweb/testoc.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neut...cab?10,0,910,0
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Unknown owner - C:\WINDOWS\SYSTEM32\Rpcnet.exe (file missing)
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[greyknight17]

Welcome to TSF.

Please print the below instructions or copy them to Notepad.

Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingcomputer.com/foru...howtutorial=61 ). Make sure to close any internet browsers that may still be open.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Unknown owner - C:\WINDOWS\SYSTEM32\Rpcnet.exe (file missing)

Go to Start->Run and type in services.msc and hit OK. Then look for Remote Procedure Call (RPC) Net and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Go into HijackThis->Config->Misc Tools->Delete an NT service and type in Remote Procedure Call (RPC) Net and hit OK.

Restart. Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply along with a new HijackThis log.

[blacksheepradio]

thanks for your time.

Go into HijackThis->Config->Misc Tools->Delete an NT service and type in Remote Procedure Call (RPC) Net and hit OK.
I had to call it Rpcnet to delete it.

------------------------------------------
after i restarted, an alert popped up
7/16/2006 11:13:38 AM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.

and when i downloaded the panda files
7/16/2006 11:21:06 AM SYSTEM 1812 Sign of "Win32:CTX" has been found in "http://acs.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL" file.

here is the panda report
Incident Status Location

Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\orgsz965.default\cookies.txt[.did-it.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Steve\Cookies\steve@2o7[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Steve\Cookies\steve@ads.pointroll[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Steve\Cookies\steve@apmebf[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Steve\Cookies\steve@realmedia[1].txt

around this time i got another warning
7/16/2006 12:08:32 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\rpcnet.exe" file.

here is the new hijackthis report (not run in safe mode)
Logfile of HijackThis v1.99.1
Scan saved at 12:08:49 PM, on 7/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\SHORTK~1\shklite.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CFSServ.exe] C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [McafWelcome] c:\PROGRA~1\mcafee.com\agent\mcwelcom.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: ShortKeys Lite.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Recovery ActiveX Control Module) - https://www.lojackforlaptops.com/ctmweb/testoc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neut...cab?10,0,910,0
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Unknown owner - C:\WINDOWS\system32\rpcnet.exe (file missing)
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[blacksheepradio]

After my responce to your reply I have received this new alert
New alert
7/16/2006 12:37:12 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\SYSTEM32\RPCNET.DLL" file.

--------

i just had an idea, i will post my avast log from the beginning of the infection
maybe this info will also shed some new light.

7/12/2006 7:13:36 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\SYSTEM32\RPCNET.DLL" file.
7/12/2006 9:30:06 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\SYSTEM32\Rpcnet.dll" file.
7/12/2006 9:30:22 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\SYSTEM32\Rpcnet.dll" file.
7/12/2006 9:36:35 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\SYSTEM32\Rpcnet.exe" file.
7/12/2006 9:36:59 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\SYSTEM32\Rpcnet.exe" file.
7/12/2006 9:58:47 PM Steve 1524 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\ntagent.web" file.
7/12/2006 10:08:56 PM Steve 1524 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\Temp\_avast4_\unp140157527.tmp" file.
7/12/2006 10:16:36 PM Steve 1524 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\Temp\_avast4_\unp67748007.tmp" file.
7/12/2006 10:59:18 PM Steve 2944 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\Temp\_avast4_\trz12C.tmp" file.
7/12/2006 10:59:45 PM Steve 2944 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\Temp\_avast4_\trz12D.tmp" file.
7/12/2006 11:32:26 PM Steve 2944 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\Temp\_avast4_\trz12E.tmp" file.
7/13/2006 12:54:42 AM Steve 2944 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\Temp\_avast4_\trz12F.tmp" file.
7/13/2006 1:11:52 AM Steve 2944 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\Temp\_avast4_\trz12E.tmp" file.
7/13/2006 1:12:08 AM Steve 2944 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\Temp\_avast4_\trz12F.tmp" file.
7/13/2006 1:20:09 AM SYSTEM 1816 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/13/2006 1:32:06 AM SYSTEM 1816 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/13/2006 6:48:09 AM SYSTEM 1816 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/13/2006 7:03:10 AM SYSTEM 1816 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/13/2006 7:18:05 AM SYSTEM 1816 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/13/2006 7:33:08 AM SYSTEM 1816 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/13/2006 1:54:59 PM SYSTEM 1816 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/13/2006 2:10:52 PM SYSTEM 1816 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/13/2006 3:35:18 PM SYSTEM 1744 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\SYSTEM32\RPCNET.DLL" file.
7/13/2006 3:35:18 PM SYSTEM 1744 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\SYSTEM32\Rpcnet.exe" file.
7/13/2006 6:07:15 PM SYSTEM 1744 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\SYSTEM32\RPCNET.DLL" file.
7/13/2006 6:09:09 PM SYSTEM 1744 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\SYSTEM32\Rpcnet.exe" file.
7/13/2006 6:38:27 PM SYSTEM 2004 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/13/2006 8:11:27 PM SYSTEM 2004 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/13/2006 8:26:17 PM SYSTEM 2004 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/13/2006 8:42:33 PM SYSTEM 2004 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/13/2006 8:56:24 PM SYSTEM 2004 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/13/2006 9:42:23 PM SYSTEM 1748 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
7/13/2006 9:42:24 PM SYSTEM 1748 An error has occured while attempting to update. Please check the logs.
7/14/2006 6:17:04 AM SYSTEM 1880 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/14/2006 7:36:29 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/14/2006 7:49:00 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/14/2006 8:04:51 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/14/2006 8:20:02 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/14/2006 8:34:58 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/14/2006 8:50:54 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/14/2006 9:20:03 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/14/2006 9:35:37 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/15/2006 3:13:16 AM SYSTEM 1784 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/15/2006 5:08:06 PM SYSTEM 1784 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/15/2006 5:23:05 PM SYSTEM 1784 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/16/2006 1044 AM SYSTEM 1760 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/16/2006 11:13:38 AM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\NTAgent.exe" file.
7/16/2006 11:21:06 AM SYSTEM 1812 Sign of "Win32:CTX" has been found in "http://acs.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL" file.
7/16/2006 12:08:32 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\system32\rpcnet.exe" file.
7/16/2006 12:37:12 PM SYSTEM 1812 Sign of "Win32:Rpcnet [Tool]" has been found in "C:\WINDOWS\SYSTEM32\RPCNET.DLL" file.

[greyknight17]

For McAfee is that your antivirus program also? If so, uninstall it now...you have Avast already.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download and install Ewido http://www.ewido.net/en/download/
Double-click the Ewido icon on your desktop to run it.
On the top of the main screen click Shield. Click the word active to change it to inactive.
On the top of the main screen click 'Update'. Then click on 'Start update'. The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can get the manual update at http://download.ewido.net/ewido-sign...ll-current.exe
When you have finished updating, exit Ewido.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingcomputer.com/foru...howtutorial=61 ).

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:

O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Unknown owner - C:\WINDOWS\system32\rpcnet.exe (file missing)

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop Rpcnet
sc delete Rpcnet
del delete.bat

Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

Locate and delete the following:

C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\SYSTEM32\RPCNET.DLL

CleanUp! deletes EVERYTHING out of your temp/temporary folders. It does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Run CleanUp! and click on the CleanUp! button. Let it run. After it's done, click the Close button and choose Yes to logoff.

Make sure all windows are closed. Run Ewido.
Click 'Scanner'. Then click 'Complete System Scan' to begin scanning.
When the scan is complete click 'Recommended Action' and change it to 'Quarantine'.
Then click 'Apply all actions'.
Once finished, click the 'Save report' button. Then click 'Save Report As' and save it to your desktop.

Restart your computer to get back to Normal Mode. Post the Ewido report and a new HijackThis log here.

I want you to upload this file (C:\WINDOWS\system32\NTAgent.exe) to http://virusscan.jotti.org and report back what it found.

[blacksheepradio]

McAfee came with my toshiba laptop. even though i uninstalled it months ago I can't get rid of it completely (almost like another virus). I had it supressed till i set msconfig to allow all. If you need it gone you'll have to show me how.

I'll wait for your resopnce

[blacksheepradio]

Hi greyknight, hope everything is ok.
I deleted Mcafee months ago. it's not showing in my add/remove programs.
but parts of the program have lingered in my computer.
I know how to search the registry should i remove all mention of mcafee

[Vikesrock8411]

Sorry for the delay.

Do you know what version of McAfee you had installed? The fix is slightly different for 5, 6 and 7 then the one for 8 or 9.

[blacksheepradio]

thanks for the reply.
i'm sorry didn't wait i used hijack this to delete those startup files.
and ran the instructions gray.... left for me.

i uploaded the file to be scaned and got this:
File: NTAgent.exe.vir
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 8f221b14e29f555e5ffc64745f330474
Packers detected: -
Scanner results
AntiVir Found Dialer/31232.A.5 dialer
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found BehavesLike:Win32.ExplorerHijack (probable variant)
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:Dialer.Win32.Rpcnet.c
NOD32 Found nothing
Norman Virus Control Found W32/Dialer.OZO
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Dialer.Win32.Rpcnet.c

_______________________________________
i ran HJT and got:
Logfile of HijackThis v1.99.1
Scan saved at 10:20:50 PM, on 7/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\SHORTK~1\shklite.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Outlook Express\msimn.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [TFncKy] C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CFSServ.exe] C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: ShortKeys Lite.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {700EF03F-A472-4D26-8ACB-300F4D04FD96} (Recovery ActiveX Control Module) - https://www.lojackforlaptops.com/ctmweb/testoc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neut...cab?10,0,910,0
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Unknown owner - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

______________________________________________

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:45:31 PM 7/20/2006

+ Scan result:



Nothing found.



::Report end

_______________________________________________

strangly enough its still slow.
on the restart i got

corrupt file C:\$Mft but i couldn't find that file there.

darn i just noticedm hjt
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Unknown owner - C:\WINDOWS\system32\rpcnet.exe

[Vikesrock8411]

Have you ever heard of the program Laptop Retriever?

Also let me know what version of McAfee you had, if you don't know that's fine just tell me that.

[blacksheepradio]

i don't know which one the Mcafee program is.

lojackforlaptops is installed is that the same as Laptop Retriever?
If not, i guess i have not heard of it.

I reran avast scan and found different files corrupted. It wouldn't let me copy the results. I changed the preferences and am running the scan again now, so i can list the results.


Thanks for helping out.

[blacksheepradio]

I couldn't get a print out of the corrupt files so I took a screenshot of them.

[Vikesrock8411]

RPCNet
Well it's good to know your antitheft software is resilient

RPCNet and NTAgent are both related to LojackforLaptops. You may want to contact Avast about the detection and see what they have to say.

Remove McAfee
Download VirusScan.zip. Unzip it to your desktop and double click VirusScan.reg. Click yes to merge the information into the registry.

Corrupted Files
Make sure you do not need your computer for at least 12 hours before proceeding with this step. This scan may take that long and cannot be aborted. I reccomend you run it overnight. If this is not possible let me know and we will continue another way.

Click Start>Run and type in chkdsk /r
If it asks you to run chkdsk on restart please click yes, and restart your computer. This will check your hard drive for errors, and correct any minor errors it finds.

[blacksheepradio]

whew... lol

actually now avast quit alerting me about it.
i hope we didn't disable it.

i'll run the check disk

[blacksheepradio]

well well
it says it will run on the next startup but, it forgets to do it.

[Vikesrock8411]

Okay click Start>Run and type Chkdsk. This scan will go fairly quickly, but will not repair any errors it finds, let me know if it finds any errors.

[blacksheepradio]

Norton Disk Doctor
Sun Jul 23 15:30:35 2006

*************************
* Report for Drive C: *
*************************

DISK INFORMATION
----------------

The type of the file system is NTFS
Volume Name is Local Disk
Volume Serial Number is 606A9EA4



SYSTEM AREA STATUS
------------------

No errors in the system area



FILE STRUCTURE STATUS
---------------------

The 'Fix errors' checkbox was not checked.
Corrective actions indicated below were
not written to the disk.

Deleting corrupt attribute record (128, "")
from file record segment 152.

Deleted corrupt attribute list entry
with type code 128 in file 67160.

Deleted corrupt attribute list entry
with type code 128 in file 67160.

Deleting corrupt attribute record (128, "")
from file record segment 91974.

Deleting orphan file record segment 91747.

Deleting orphan file record segment 91749.

Deleting orphan file record segment 91753.

Deleting orphan file record segment 91754.

Deleting orphan file record segment 91755.

Deleting orphan file record segment 91756.

Deleting orphan file record segment 91759.

Deleting orphan file record segment 91761.

Deleting orphan file record segment 91763.

Deleting orphan file record segment 91764.

Deleting orphan file record segment 91767.


INDEXES STATUS
--------------

No index errors



SECURITY DESCRIPTORS STATUS
---------------------------

No security descriptor errors



FILE DATA STATUS
----------------

No file data errors



SURFACE TEST STATUS
-------------------

Surface test not performed

[Vikesrock8411]

Next, please reboot your computer in Safe Mode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Now try chkdsk /r

If it does not work try chkdsk /x

Let me know if you can get either of those to run.

[blacksheepradio]

nope, both say they will do it on the restart but never do.

[Vikesrock8411]

Okay, you are clean of malware and the Hardware guys should have a much better idea of how to fix your Hard Drive issues. Please post your corrupt file problem in a new thread here. Let them know that the Security Team has declared you clean.

Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved.

Setting a new Restore Point
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter.

• Tick the checkbox - Turn off System Restore on all drives
• Click Apply
• Turn it back 'On' by unticking the same checkbox & click OK

Windows Update
Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site.

Prevention
A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition (Antivirus & Firewall)
AntiVir

A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are:
Zone Alarm
Outpost
Tiny Personal Firewall
Sunbelt Kerio Personal Firewall

Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap there are many pieces of malware that is caught by one of these and not the other, therefore it is recommended you use both to compliment each other. Spybot also contains two other useful pieces. The first is "Immunize", this helps protect your computer against known exploits. The second is "TeaTimer", with this feature enabled you will receive notifications of all changes to the registry such as programs adding themselves to start-up and you default search page being changed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses.

IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all.

Alternative Programs
Here are some alternatives that are either less suceptible than others to malware or don't contain malware where similar programs do.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Desktop Weather - Free taskbar weather program that is free, malware free, and resource light.

Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.