I think I have removed worm.
I googled for rpcxsys.exe, and found a link
rpcxsys.exe manual removal. However I couldn't open it (virus prohibited opening certain sites), so I asked a friend to email that page to me. I followed all steps there, after that I was able to open symantec website, download Intelligent antivirus definitions updater. Restarted PC, and NAV has caught the worm. Now rpcxsys.exe is sitting in quarantine.
However, I still couldn't retrieve virus definitions with LiveUdate. I had the following error.
Initializing...
Unable to connect to host
LU1814: LiveUpdate could not retrieve the catalog file of available Symantec product and component updates. Please verify that you are able to connect to the Internet and run LiveUpdate again.
LiveUpdate session is complete.
So I took admin's suggestion, reinstalled LiveUpdate, and now everything works smoothly. I have no complaints, but still here is the log, maybe you'll find smth i don't see
Logfile of HijackThis v1.98.2
Scan saved at 12:05:02 PM, on 11/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\Programos\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Programos\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\rsvp.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~2\SYMANT~1\SYMANT~1\vptray.exe
C:\Programos\StrokeIt\strokeit.exe
C:\WINNT\system32\internat.exe
C:\Programos\Hotmail Popper\hotpop.exe
C:\Programos\BestCrypt 7.10.3\BCResident.exe
V:\download\software\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.iccf-webchess.com/R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 62.212.199.54 gg.muchina.com
O1 - Hosts: 62.212.199.54 ogg.muchina.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programos\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~2\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [StrokeIt] C:\Programos\StrokeIt\strokeit.exe
O4 - HKCU\..\Run: [ServUTrayIcon] C:\PROGRA~2\SERV-U~1.1\SERVUT~1.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Hotmail Popper.lnk = C:\Programos\Hotmail Popper\hotpop.exe
O4 - Global Startup: BestCrypt Auto Open.lnk = C:\Programos\BestCrypt 7.10.3\BestCrypt.exe
O4 - Global Startup: Zone Labs Security.lnk = C:\Programos\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Programos\flash\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programos\flash\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai...all/xscan53.cabO20 - AppInit_DLLs: hplun.dll
Oh, and thanks for the links, but I guess there is no need to run those scans now.