Mirar and Antivirus Override



techpeasant
2007-07-16, 00:19
Immunized and got latest updates.

Checked for problems with Spybot S&D in default mode.

2 problems found: Mirar
Antivirus Override

Clicked fix selected problems.

Spybot S&D could not fix problems because they were running.

Restarted computer.

Ran Spybot S&D on startup.

Same problems found. :mad:

md usa spybot fan
2007-07-16, 05:07
Please post a log of the actual detections you are getting. To do that:
Run another scan.
When the scan completes, right click on the results list, select "Copy results to clipboard".
Then paste (Ctrl+V) those results to a new post in this thread.

techpeasant
2007-07-16, 08:03
Looks like there's more crap now!

Mirar: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\www\*!=W=4

Statcounter: Tracking cookie (Internet Explorer: Anthony) (Cookie, nothing done)


DoubleClick: Tracking cookie (Internet Explorer: Anthony) (Cookie, nothing done)


Advertising.com: Tracking cookie (Internet Explorer: Anthony) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---


md usa spybot fan
2007-07-16, 16:24
techpeasant:

re: Mirar detection

The detection indicates that there is a registry entry in HKLM putting www.mirarsearch.com in an Internet Explorer zone other than the restricted zone.

If you are running Spybot from a computer administrator user account, I don't understand why that registry entry can not be fixed. I was able to create a registry entry to simulate the problem, run a Spybot "Check for problems" followed by a "Fix selected problems" and the problem was fixed.

While logged on to computer administrator user account, run another Spybot "Check for problems" followed by a "Fix selected problems". Then run another "Check for problems" and see if the problem is corrected. If not we'll try something else.

____________________________

re: Tracking cookies

Advertising.com, DoubleClick and Statcounter are Tracking Cookies. Tracking Cookies are cookies stored on your computer by a 3rd party not directly related to the web site you're currently viewing. The intention of this cookie is to track your movement as you surf between sites.

If you are running Internet Explorer, the storing of these particular Tracking Cookies can be prevented by enabling Spybot's Browser Helper Object (BHO). To do this go into Spybot-S&D > Immunize. Look in the last section labeled "Permanently running bad download blocker for Internet Explorer". Check the following: "Enable permanent blocking of bad addresses in Internet Explorer"

In the pull-down below "Enable permanent blocking of bad addresses in Internet Explorer" there are three options:
Block all pages silently
Display dialog when blocking
Ask for blocking confirmation
Many people find the messages that this facility can produce annoying. If you would like to keep the messages from popping and still block the tracking cookies, you can do that by selecting "Block all pages silently".

There is another way to prevent the downloading of Tracking Cookies in Internet Explorer (even those not blocked by Spybot's resident BHO) as well as the storing of Tracking Cookies in other Web browsers. See:
Why do other anti-spyware applications detect so many more tracking cookies?
http://www.safer-networking.org/index.php?page=faq&detail=37
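
The Mirar registry detection discussed in the reply above can be checked by hand. This is an added example, not part of the original thread: a read-only PowerShell sketch that reads the `*` value under the key from the posted Spybot result, maps it to the Internet Explorer zone number (4 = Restricted sites, as in the detection line), and lists the key's access rules. Checking HKCU as well as HKLM, and looking at the ACL, are assumptions about where to look, not steps from the thread.

```powershell
# Added diagnostic sketch (read-only); not from the thread.
# Key path and value name '*' come from the Spybot result line posted above.
$sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\www'

# Internet Explorer security zone numbers.
$zones = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'
            3 = 'Internet';    4 = 'Restricted sites' }

foreach ($hive in 'HKLM:', 'HKCU:') {   # HKCU is an assumption: the log only names HKLM
    $path = '{0}\{1}' -f $hive, $sub
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output ('{0} : key not present' -f $path)
        continue
    }

    $key = Get-Item -LiteralPath $path
    # RegistryKey.GetValue treats '*' literally; Get-ItemProperty -Name '*' would wildcard.
    $data = $key.GetValue('*', $null)

    if ($null -eq $data) {
        Write-Output ('{0} : value "*" not set' -f $path)
    } elseif ($key.GetValueKind('*') -ne 'DWord') {
        Write-Output ('{0} : "*" is {1}, not a DWORD' -f $path, $key.GetValueKind('*'))
    } else {
        $name  = if ($zones.ContainsKey([int]$data)) { $zones[[int]$data] } else { 'unknown zone' }
        $state = if ($data -eq 4) { 'restricted, as expected' } else { 'not zone 4, would be flagged' }
        Write-Output ('{0} : * = {1} ({2}) -> {3}' -f $path, $data, $name, $state)
    }

    # Access rules on the key: shows whether the current account holds the
    # SetValue right, or whether a Deny rule is present.
    (Get-Acl -LiteralPath $path).Access |
        Select-Object IdentityReference, AccessControlType, RegistryRights |
        Format-Table -AutoSize |
        Out-String
}
```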

techpeasant
2007-07-18, 03:34
Every time I have run a check for problems it was with the computer administrator user account. But, I ran it again. 1 entry found: Mirar. I selected "Fix problems," and got this:

Some problems couldn't be fixed; the reason could be that the associated files are still in use (in memory).

This could be fixed after a restart. May Spybot S&D run on your next system startup?

yes no


and it's an endless cycle of restarting and checking and restarting and checking like malware purgatory.

I did copy results to clipboard again, but I copied and pasted "computer administer user account" earlier and lost it because I had already closed Spybot S&D and I don't feel like waiting for another 1 1/2 hours for another scan result. Ugh, I'm gonna throw this thing out the window soon.

md usa spybot fan
2007-07-18, 07:37
Try running Spybot in Safe Mode and see if it will delete the entry.

ETPETP
2007-09-30, 13:15
Try running Spybot in Safe Mode and see if it will delete the entry.
My Symantec is doing the same thing. But Spybot will not find it. Very strange! May try safe mode next. Symantec says to close windows EX before the scan as it is resident in explorer.


http://www.symantec.com/security_response/writeup.jsp?docid=2004-091714-4329-99

Type: Adware
Risk Impact: Low
File Names: MirarSetup.exe, WinDmy.dll, NN_Bar21.dll, installer.cab, WinNB[xx].dll ([xx] = Version Number)
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Behavior
Adware.Mirar attempts to find Web pages that are related to the Web page currently being viewed. It also displays advertisements based on the URLs and search terms used while navigating the Internet. It will also attempt to download and install the Mirar toolbar from a predetermined Web site. This toolbar is also detected as Adware.Mirar.
Symptoms
The files are detected as Adware.Mirar.

ETPETP
2007-09-30, 14:01
Clearing out all restore points :bigthumb: and clean disk finally got rid of this for me. I also deleted all Yahoo stuff just in case. Supposedly this was an authorized install, so it must be part of another program or I hit the accept button one too many times. LOL
Side note, since all these updates (1.5/Symantec/scans and deletes) none of my links to GOTAPEX.com for DELL sales work. :scratch: I am starting to wonder if gotapex.com has some special installs for the Dell sales.