Shanehaggerty
what is vtzxkb.exe
I have vtzxkb.exe running in my processes list within the Task Manager on my Windows 2003 server. Has anyone heard of this? What is it? A Google search for it proved useless.
ASKER
I have Spybot and Malwarebytes already installed; I will try ComboFix today, after hours, as well.
Here is my log from HijackThis... any insight you may have will be extremely appreciated.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:03 AM, on 10/10/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Documents and Settings\shane\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Common Files\GFI\ReportCenter\Framework v3.5\gfireporterservice.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
p:\ppart\pmsi.networking.services.applicationservice.exe
p:\ppart\pmsi.networking.services.dataservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Thomas Medical Associates
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-558781451-1725058602-1154686881-1209\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'jt')
O4 - HKUS\S-1-5-21-558781451-1725058602-1154686881-1209\..\Run: [] (User 'jt')
O4 - HKUS\S-1-5-21-558781451-1725058602-1154686881-1209\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User 'jt')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\shane\windows\system32\mswsock.dll' missing
O15 - ESC Trusted Zone: http://view.atdmt.com
O15 - ESC Trusted Zone: http://updates.installshield.com
O15 - ESC Trusted Zone: http://www.mozilla.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://view.atdmt.com (HKLM)
O15 - ESC Trusted Zone: http://updates.installshield.com (HKLM)
O15 - ESC Trusted Zone: http://www.mozilla.com (HKLM)
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://192.168.1.3
O15 - ESC Trusted IP range: http://65.183.220.26
O15 - ESC Trusted IP range: http://192.168.1.3 (HKLM)
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
O16 - DPF: {4D0A481A-7155-498C-84D8-9CB84DEA237E} (DVROcxEx Control) - http://65.183.220.26:2000/DVROcxEx.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www2.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://l.yimg.com/jh/games/web_games/sony/bewitched/main.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ciscosupport.webex.com/client/T26L/support/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Thomasmed.tma
O17 - HKLM\Software\..\Telephony: DomainName = Thomasmed.tma
O17 - HKLM\System\CCS\Services\Tcpip\..\{6ACC7AA9-E06F-420F-8E79-F9DFF4E4C5ED}: NameServer = 192.168.1.254,192.168.1.215,192.168.1.1,206.222.97.82,206.222.97.50,209.163.130.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Thomasmed.tma
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Thomasmed.tma
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CenLPD - Unknown owner - C:\Program Files\Century\TinyTERM\NetUtils\Cenlpd.exe (file missing)
O23 - Service: GFI LANguard 9.0 Attendant Service (gfi_lanss9_attservice) - GFI Software Ltd. - C:\Program Files\GFI\LANguard 9.0\lnssatt.exe
O23 - Service: GFI ReportCenter 3.5 (GFI_ReportCenter35) - GFI Software Ltd. - C:\Program Files\Common Files\GFI\ReportCenter\Framework v3.5\gfireporterservice.exe
O23 - Service: IFE - Sysinternals - www.sysinternals.com - C:\DOCUME~1\shane\LOCALS~1\Temp\IFE.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: OHAPVLSLFEGMQY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\shane\LOCALS~1\Temp\OHAPVLSLFEGMQY.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PMSI Application Server - - p:\ppart\pmsi.networking.services.applicationservice.exe
O23 - Service: PMSI Data Server - - p:\ppart\pmsi.networking.services.dataservice.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: XAudioService - Unknown owner - C:\WINDOWS\system32\DRIVERS\xaudio.exe (file missing)
--
End of file - 8483 bytes
hijackthis.log
Unfortunately, the file you mentioned is not showing in the log. A lot of nasties can also hide from the HijackThis scan.
O4 - HKUS\S-1-5-21-558781451-1725058602-1154686881-1209\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User 'jt')
C:\WINDOWS\system32\servises.exe <- the above entry is Troj/Agent-JUJ, and this file would need to be deleted, as HijackThis doesn't delete files.
Just use ComboFix and attach the logfile here for us to check.
It's also a good idea to install the Recovery Console while installing Combofix.
ASKER
I will do both. I did a search for that initial file and found it in the Temp folder. I moved it into the Recycle Bin before running HijackThis.
Good job you found that file, well done!
To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:
ComboFix /u
Thanks!
But there are some viruses that hide themselves by renaming the .exe file they drop onto the machine as they infect it. Then, if you see the process running, you cannot Google it to find out what it is.
Update your anti virus and scan.
Download Spybot and scan with that.
http://www.safer-networking.org/en/download/
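Two points in the thread can be turned into a repeatable first pass over a HijackThis log: the expert's finding that servises.exe, launched from a per-user Policies\Explorer\Run key, is a one-letter lookalike of services.exe, and the last reply's note that malware often drops a randomly named executable that no search engine knows. The script below is an added example, not part of the thread and not a HijackThis feature. It parses O4 (autorun) and O23 (service) lines and flags the things an analyst looks for first: a binary running from a Temp folder, an autorun under a Policies key, a missing file, no version information ("Unknown owner"), a name within two edits of a core Windows binary, and a name that looks machine-generated. The flag names, the edit-distance threshold and the "random name" heuristic (few vowels plus a rare letter, or no vowels at all, tuned so that abbreviations such as avgwdsvc.exe do not trip it) are this example's own choices. The sample input is copied from the log above; the final O23 line for vtzxkb.exe is hypothetical, since the real log never listed that file (the asker later reported finding it in the Temp folder).

```python
"""First-pass triage of HijackThis O4 (autorun) and O23 (service) entries.

Added example, not part of the original thread and not a HijackThis feature.
Flag names, thresholds and the "random name" heuristic are this example's own.
"""
import re

# Constructed sample: lines copied from the log above. The final O23 line is
# hypothetical (the real log did not list vtzxkb.exe; the asker later found it
# in the Temp folder).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-558781451-1725058602-1154686881-1209\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe (User 'jt')
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: IFE - Sysinternals - www.sysinternals.com - C:\DOCUME~1\shane\LOCALS~1\Temp\IFE.exe
O23 - Service: OHAPVLSLFEGMQY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\shane\LOCALS~1\Temp\OHAPVLSLFEGMQY.exe
O23 - Service: XAudioService - Unknown owner - C:\WINDOWS\system32\DRIVERS\xaudio.exe (file missing)
O23 - Service: vtzxkb - Unknown owner - C:\DOCUME~1\shane\LOCALS~1\Temp\vtzxkb.exe
"""

# Windows 2003 core binaries that malware likes to imitate (stems, lower case).
SYSTEM_STEMS = {"services", "svchost", "lsass", "winlogon", "csrss", "smss",
                "spoolsv", "explorer", "userinit", "rundll32", "ctfmon",
                "inetinfo", "vssvc", "dmadmin", "wuauclt", "taskmgr"}
VOWELS = set("aeiou")
RARE_LETTERS = set("qxzj")          # seldom seen in real product names
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\")
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance; used to catch one- or two-letter lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem):
    """Crude 'machine-generated name' test: few vowels plus a rare letter,
    or no vowels at all. Tuned so abbreviations such as avgwdsvc pass."""
    if len(stem) < 6 or not stem.isalpha():
        return False
    ratio = sum(c in VOWELS for c in stem) / len(stem)
    return ratio <= 0.25 and (ratio == 0 or any(c in RARE_LETTERS for c in stem))


def lookalike_of(stem):
    """Return the system binary this stem imitates (<= 2 edits away), or None."""
    if stem in SYSTEM_STEMS or len(stem) < 5:
        return None
    best = min(sorted(SYSTEM_STEMS), key=lambda k: levenshtein(stem, k))
    return best if levenshtein(stem, best) <= 2 else None


def triage_line(line):
    """Return (path, flags) for an O4/O23 line, or None if no path is present."""
    if not line.startswith(("O4 ", "O23 ")):
        return None
    match = PATH_RE.search(line)
    if not match:
        return None
    path = match.group(0)
    low = path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    flags = []
    if any(marker in low for marker in TEMP_MARKERS):
        flags.append("runs_from_temp")
    if "policies\\explorer\\run" in line.lower():
        flags.append("policies_run_key")   # unusual home for a legitimate autorun
    if line.rstrip().endswith("(file missing)"):
        flags.append("file_missing")
    if "unknown owner" in line.lower():
        flags.append("unknown_owner")      # no version/company info in the binary
    known = lookalike_of(stem)
    if known:
        flags.append(f"lookalike:{known}.exe")
    if looks_random(stem):
        flags.append("random_name")
    return path, flags


def triage(log_text):
    """Entries with at least one flag, as (score, path, flags), worst first."""
    results = []
    for raw in log_text.splitlines():
        hit = triage_line(raw.strip())
        if hit and hit[1]:
            results.append((len(hit[1]), hit[0], hit[1]))
    results.sort(key=lambda r: (-r[0], r[1].lower()))
    return results


if __name__ == "__main__":
    for score, path, flags in triage(SAMPLE_LOG):
        print(f"{score}  {path}  [{', '.join(flags)}]")
```

The score is a review order, not a verdict. A randomly named binary in Temp (OHAPVLSLFEGMQY.exe) deserves a look, but the thread itself does not say what it is, and a "(file missing)" service is a dead entry rather than a running threat. Before deleting anything, check the file's hash, digital signature and creation time; lookalike names (servises vs. services) and Policies\Explorer\Run autoruns are the strongest signals here because a legitimate installer has no reason to produce either.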