I'm assuming you submitted vtzip.zip. That file is related to the Vundo family of Trojans and is actually quite common. I know it may be new to you, but this post has been moved from the Breaking Virus & Security News forum, as that is mostly for news events of a wider scope such as new outbreaks and trends.
The behavior you describe has also been happening for almost three years now--hooking into Windows by the Winlogon notify key and other related infections use that technique. Most antivirus and other malware scanners/cleaners aren't designed to deal with it. Manual removal is rather involved, so some special removal tools have been developed to make removal easier. More info can be found here: How To Remove Winfixer / Virtumonde / Msevents / Trojan.vundo.b
I've Googled this file name and got several hits, mostly from the latter part of 2005, so it's not even a new version or variant. We thank you for the submission, but I hope that you understand that it is mostly for new and unknown infections that may need new removal methods. Submittals are usually requested in conjunction with malware removal sessions using HijackThis as a starting point for analyses, both here and in other forums. As you might imagine, if we took submittals for every suspicious file, we would soon be inundated, so it helps us a lot if some research is done on them first.
Also, from your introduction post, you appear to have searched for a place to submit the file when Norton wouldn't take it. Some of our analysts do submit to vendors, but in general we don't work for them. I'm a bit surprised that Symantec makes it so hard for end users to submit a file; with others it is very easy, so you may want to consider switching to something else. For example, I reported a false positive to Kaspersky through their interface and got a notice that it was removed from the definitions in short order.
You can also kill two birds with one stone by submitting files to Jotti's. They will usually tell you if the file is bad or not, and the file is submitted to the AV vendors listed so they can update their database. I submitted the file you submitted at Jotti's and got these results:
Scan taken on 17 Jan 2007 00:43:52 (GMT)
Found not-a-virus:AdWare.Win32.Virtumonde.fp (4, 1, 400)
Norman Virus Control
Now this file may still have changed, although the name is old, so we will look into it. So thanks again, and I hope this answered your question. I would still strongly recommend that your co-worker submit a HijackThis log, even if the removal tool(s) are used. To do so, follow the instructions in this thread and post the log in the HJT forum, not here, as that will ensure you get advice only from those trained in the malware removal area.
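As an added illustration of the Winlogon Notify persistence the reply above describes (this is example code added here, not part of the original post, HijackThis, or any removal tool it mentions), the PowerShell below lists every package registered under the Winlogon\Notify key, resolves the DLL each one loads, and flags entries whose DLL is missing, unsigned, or located outside the Windows directory. The function name and the "Suspicious" heuristic are my own assumptions; a legitimate Notify package normally points at a signed Microsoft DLL under System32, so anything else is what a responder would examine first.

```powershell
# Added example: enumerate Winlogon Notify package registrations and flag
# entries whose DLL is missing, unsigned, or outside the Windows directory.
# Assumes a Windows host with PowerShell 3.0 or later and read access to HKLM.

function Get-WinlogonNotifyEntry {
    [CmdletBinding()]
    param()

    # Both the native key and the WOW6432Node mirror can hold Notify packages.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    )

    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }

        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $props   = Get-ItemProperty -LiteralPath $sub.PSPath
            $dllName = [string]$props.DLLName
            if (-not $dllName) { continue }

            # A bare file name is loaded from System32; an absolute path is used as-is.
            $resolved = if ([System.IO.Path]::IsPathRooted($dllName)) {
                $dllName
            } else {
                Join-Path $env:SystemRoot ("System32\" + $dllName)
            }
            $resolved = [Environment]::ExpandEnvironmentVariables($resolved)

            $exists    = Test-Path -LiteralPath $resolved -PathType Leaf
            $sigStatus = 'NotFound'
            $signer    = $null
            if ($exists) {
                $sig       = Get-AuthenticodeSignature -FilePath $resolved
                $sigStatus = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            # Heuristic (my assumption): legitimate packages live under %SystemRoot%.
            $inWindows = $resolved.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)

            [PSCustomObject]@{
                Key        = $sub.PSChildName
                DLLName    = $dllName
                Resolved   = $resolved
                Exists     = $exists
                Signature  = $sigStatus
                Signer     = $signer
                Suspicious = (-not $exists) -or ($sigStatus -ne 'Valid') -or (-not $inWindows)
            }
        }
    }
}

# Usage: suspicious entries sort to the top of the table.
Get-WinlogonNotifyEntry | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Note that Winlogon notification packages are a Windows 2000/XP/2003 mechanism; on Windows Vista and later the key is usually absent, so the function returning nothing on a modern host is expected rather than a sign that the machine is clean. On an affected XP-era machine, an entry whose DLL sits in System32 but fails signature checking, or whose DLL cannot be found because the infection rotates file names, is the pattern to hand over to the HJT analysts along with the log.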