Problem with LojackForLaptops service

Hello all,

I’m using the Home Edition on my personal laptop, a Toshiba M45-S2693.

I have had a constantly recurring Malware warning for the last few days that seems to be caused by a locating service I use in case of theft called Lojack for Laptops (http://www.lojackforlaptops.com). This is a service that was offered directly by Toshiba when I purchased the system.

The first “avast! Warning” I received was for the LfL service pinger (c:\windows\system32\rpcnet.exe). This program connects to the LfL website several times a day so my laptop location can be tracked/located.

I am now receiving an “avast! Warning” every few minutes for c:\windows\system32\NTAgent.exe. Even if I choose to delete the file, another warning always appears a few minutes later.

In both cases, the Malware name that is being reported is “Win32:Rpcnet [Tool]”. The current VPS version is “0628-5, 07/14/2006”.

To quote one of my old favorite Jetsons cartoons, “Jane, stop this crazy thing!”. Any help in resolving this issue would be MOST appreciated!

Thanks,

Tom

Hi tbaggett, welcome to the forum.

There are 2 places to exclude the file, one for the on-access protection and the other for on-demand scans.

Right click the a-icon
Click On-Access Protection Control
Highlight Standard Shield
Click Customize, then click Advanced, then click Add
Type the path and file name you want to exclude and hit Enter
OK your way out

Next, right click the a-icon again
Click Program Settings
Click Exclusions, then click Add
Type the path and file name again and hit Enter
Click OK

Edit: You might also consider sending the file to avast! as a false positive.

I think the key in the detection is the word [Tool]; some tools have an evil as well as a good purpose, the problem being identifying the intent.

Deletion is never a good first option, as you have no other options left. ‘First do no harm’: move to the chest and investigate, as you are doing. From the chest the file can do no harm; it can be restored or deleted later if required.

A Google search for NTAgent.exe returns many hits; many of them show this in a HijackThis log file entry as:

O23 - Service: Client Agent for ARCserve - Computer Associates - C:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe

Does this ring any bells for you as a Computer Associates program you have installed?

You could also check the offending/suspect file at: Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.
Or VirusTotal - Multi engine on-line virus scanner

If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan); when it is no longer detected, remove it from the exclusions.
Also see (Mini Sticky) False Positives

Thanks for the info!

I will perform the online virus scans as suggested and follow the provided instructions to exclude the files if I verify they are false positives. I will also file a “false positive” report if I determine that to be the case.

Tom

Glad we could help, welcome to the forums.

It looks like I need one more round of advice.

First, to answer a question from DavidR I overlooked previously, I’m not aware of any Computer Associates software, particularly ArcServe, being installed on my system. So I don’t believe that is the source of the “NTAgent.exe” found on my machine.

I used the two online scanners that were recommended and received an odd response. Both of them reported “ntagent.exe” and “rpcnet.exe” might be malware because 0 bytes were transferred in both cases.

I then randomly selected a couple of other files for testing. They were transferred successfully and no malware was reported. This would lead me to believe it might be a valid problem.

Next, I tried the free online virus scanners from Symantec and Trend Micro to see if they would find a problem with the files. Neither of them reported any infected files. This would lead me to believe it was a false positive.

So, I’ve gotten mixed results upon further testing. Should I consider this to be a false positive or is there any additional testing you could recommend?

Thanks again for the help!

Tom

You can run hijackthis and it should indicate exactly what is running on your system.

You can’t upload the file from the chest (it is a protected area so nothing can assess the file), as I mentioned: “You can’t do this with the file in the chest, you will need to move it out.”

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3
For an on-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially missing file entry for avast). If you need any help with any of the analysis, let us know.
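
An added example, not part of the thread: the O23 entry quoted earlier points at `...\NTAgent\Ntagent.exe`, while the avast! warning is for `c:\windows\system32\NTAgent.exe`. This sketch parses HijackThis O23 lines and reports whether a detected path is itself a listed service or only shares a file name with one. The second log line, the verdict labels and the function names are constructed for illustration.

```python
import ntpath
import re

# O23 lines in the form shown in the thread: "O23 - Service: <name> - <company> - <path>".
# Line 1 is the entry quoted in the thread; line 2 is CONSTRUCTED sample data.
SAMPLE_LOG = r"""
O23 - Service: Client Agent for ARCserve - Computer Associates - C:\Program Files\ComputerAssociates\NTAgent\Ntagent.exe
O23 - Service: Example Pinger Service - Unknown owner - c:\windows\system32\rpcnet.exe
"""

# Paths named in the avast! warnings in the first post.
DETECTED = [r"c:\windows\system32\rpcnet.exe", r"c:\windows\system32\NTAgent.exe"]

# The path is anchored on a drive letter so " - " inside a service name cannot split it.
O23_RE = re.compile(r'^O23 - Service: (?P<head>.+) - "?(?P<path>[A-Za-z]:\\[^"]*)')

def parse_o23(line):
    """Return (service, company, path) for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    name, sep, company = m.group("head").rpartition(" - ")
    if not sep:                      # no company field present
        name, company = company, ""
    path = m.group("path").replace(" (file missing)", "").strip()
    return name, company, path

def triage(detected_path, services):
    """Compare a detected file with the service list by full path, then by name only."""
    want = ntpath.normcase(detected_path)
    name_only = []
    for svc in services:
        listed = ntpath.normcase(svc[2])
        if listed == want:
            return "exact-path", [svc]
        if ntpath.basename(listed) == ntpath.basename(want):
            name_only.append(svc)
    # A shared file name in a different directory does not identify the detected file.
    return ("name-only", name_only) if name_only else ("not-listed", [])

SERVICES = [s for s in map(parse_o23, SAMPLE_LOG.splitlines()) if s]

if __name__ == "__main__":
    for path in DETECTED:
        verdict, hits = triage(path, SERVICES)
        print(f"{path}: {verdict} {[h[0] for h in hits]}")
```

A `name-only` result means search hits for that file name describe a different binary, so the detected file still needs its own check (multi-engine scan, vendor confirmation) before it is excluded.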