SmilieCentral - WIN32:Trojan-gen. {other}

Hi, like a fool… always got told SmilieCentral had spyware attached to it, but the curiosity got me. I went to their website, and as soon as it got to the install page… Avast went off and nearly scared me to death. It claims the system was infected with WIN32:trojan-gen {other}. I selected delete, and the box disappeared. But I was still nervous and did a scan of my temp internet files and Avast went off again, this time I selected moving it to the virus chest. I have seen other posts saying to scan the file elsewhere… but how do you once it's in the chest? I am hoping it's a false positive. I haven't used Avast too long so I'm not too familiar with it… how do I re-access the virus chest, and what should I do with the file in it?

Here is an export of my Avast log.

11/4/2004 1:22:25 AM NT AUTHORITY\SYSTEM 1220 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\Documents and Settings\Emanon\Local Settings\Temporary Internet Files\Content.IE5\KHUZCHM7\SmileyCentralInitialSetup1.0.0.8[1].exe” file.

11/4/2004 1:27:51 AM N-YEY896AOUNOQ8\Emanon 1344 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\Documents and Settings\Emanon\Local Settings\Temporary Internet Files\Content.IE5\KHUZCHM7\SmileyCentralInitialSetup1.0.0.8[1].exe” file.

Note: I just updated yesterday…
Avast Build : Jun2004 (4.1.501)
VPS file 0445-0 Compiled 02.11.2004

SmileyCentral (and many things like that) do come with malware. It is not a false positive. Read their terms/conditions carefully and you would see.

emanon

If you go to the link in Eddy's signature (post above) you will find many useful tools to remove the annoying spyware from your system.

–lee

Delete your Temporary Internet files and scan again.

Hi,

It's not the malware/spyware that I am worried about, as I didn't get as far as installing SmilieCentral. As soon as I got to the webpage to install… Avast went off warning of a virus… that is the info I need… on the virus… whether or not it is one or a false positive. Thanks

That is NOT a false warning since their homepage immediately tries to install MyWebSearchToolBar as soon as you open that webpage.

"That is NOT a false warning since their homepage immediately tries to install MyWebSearchToolBar as soon as you open that webpage."

Ok then I am safe seeing it never executed, Avast stopped it, and was moved to the virus chest. Correct?

I use Ad-aware and Spy-bot all the time… even though I never really install that much on my PC. I have been spyware clean for 10 years… I am wise on that part.
I just never knew that spyware would be considered a virus.

Here is my HijackThis log…

Seems clean to me…

Logfile of HijackThis v1.98.2
Scan saved at 11:44:47 AM, on 11/4/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {6291957C-8CE9-4c90-BEFF-12D9E68CFF30} - C:\Program Files\MoreGoogle\MoreGoogle.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092945841866
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B681299-F333-4D41-B1C1-39BD457D9C00}: NameServer = **IP IS REMOVED ON MY PART

"I have been spyware clean for 10 years."

No, you are not.

ViewMgr.exe is an advertising program by Viewpoint. This process monitors your browsing habits and distributes the data back to the author’s servers for analysis. This also prompts advertising popups. This program is a registered security risk and should be removed immediately.

And MoreGoogle is adware.

As well as that, I'm suspicious of this plug-in "O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE", but Eddy would be a better judge than me.

–lee

Anyone know where I can get some crow? lol guess that's what I am eating for dinner tonight… Thanks for pointing out Viewpoint… I installed AIM a few days ago and Viewpoint's directory has the same date and time as AIM's. I did a deep scan in Ad-aware and a full system scan in Spy-Bot. And neither one catches it. So I am confuzzled about that. And as far as the SM1BG.exe… It came with Napster…

Process File: SM1BG or SM1BG.EXE
Process Name: Cypress USB Mass Storage Adapter

Description:
SM1bg.exe is a process belonging to the Cypress USB Mass Storage Adapter. It is installed with iTunes, Napster and USB devices. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.

System Process: No
Background Process: No
Uses Network: No
Hardware Related: Yes
Common Errors: N/A

Security Risk (0-5): N/A
Virus: No
Spyware: No
Trojan: No