Please, anyone got info on zam.exe "trojan downloader generic BEJ"

Mauro-Nahoum

Hi,
my computer is acting weird. I checked the AVG virus vault and it mentions this certain "zam.exe" trojan, and details it as: "healable=NO"; "source=moved object" and "status=infected".

I ran a full AVG scan and Trendmicro's online House Call, and both did not find anything. One main lead is that I cannot open another window in IE, for example, and the machine does not shut down normally.

Here is my HJT log as of today. Any help is welcome. Thanks for the attention.

Logfile of HijackThis v1.99.1
Scan saved at 16:13:35, on 11/08/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\ARQUIVOS DE PROGRAMAS\IOMEGA\AUTODISK\ADSERVICE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARQUIVOS DE PROGRAMAS\IOMEGA\AUTODISK\ADUSERMON.EXE
C:\WINDOWS\SYSTEM\E_S4I4C1.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGCC.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGEMC.EXE
C:\ARQUIVOS DE PROGRAMAS\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\ARQUIVOS DE PROGRAMAS\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\ARQUIVOS DE PROGRAMAS\IOMEGA\TOOLS\IOWATCH.EXE
C:\ARQUIVOS DE PROGRAMAS\SCANNERP\KYESCAN.EXE
C:\ARQUIVOS DE PROGRAMAS\ANTI-BO\ANTI-BO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARQUIVOS DE PROGRAMAS\MOZILLA FIREFOX\FIREFOX.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARQUIVOS DE PROGRAMAS\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = +s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charutojazz.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GBIEH.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Arquivos de programas\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [EPSON Stylus C63 Series] C:\WINDOWS\SYSTEM\E_S4I4C1.EXE /P23 "EPSON Stylus C63 Series" /O5 "LPT1:" /M "Stylus C63"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [ADService] C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NBJ] "C:\ARQUIVOS DE PROGRAMAS\AHEAD\NERO BACKITUP\NBJ.EXE"
O4 - HKCU\..\RunOnce: [^SetupICWDesktop] C:\ARQUIV~1\INTERN~1\Assistente para acesso\icwconn1.exe /desktop
O4 - Startup: CottnCal.lnk = C:\Arquivos de programas\Cotton\Calendar\CottnCal.exe
O4 - Startup: Iomega Watch.lnk = C:\Arquivos de programas\Iomega\Tools\IOWATCH.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Arquivos de programas\Iomega\Tools\IMGSTART.EXE
O4 - Startup: Refresh.lnk = C:\Arquivos de programas\Iomega\Tools\refresh.exe
O4 - Startup: KYESCAN.lnk = C:\Arquivos de programas\ScannerP\Kyescan.exe
O4 - Startup: Anti-BO v1.5b.lnk = C:\Arquivos de programas\Anti-BO\Anti-bo.exe
O4 - Startup: Folding@home 4.00.lnk = C:\Arquivos de programas\Folding@Home\winfah.exe
O4 - Startup: SpywareBlaster.lnk = C:\Arquivos de programas\SpywareBlaster\spywareblaster.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\ARQUIVOS DE PROGRAMAS\HELLO\PICASACAPTURE.DLL
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\ARQUIVOS DE PROGRAMAS\HELLO\PICASACAPTURE.DLL
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

Mauro-Nahoum

Wow,
this time things are really steamin'! With this Zotob surge, I cannot even connect to some online anti-virus services.
Please, if someone have a tip on this zam.exe plague, let me know. I am still getting clues it cannot be removed!
Thanks.