symantec antivirus finds Adware.Mirar after immunization

[galaad2]

Symantec antivirus finds Adware.Mirar active after immunizing with spybot

I'm pretty sure this is a false positive in symantec av itself but it was an unwelcome surprise to see the alert when i thought my computer was clean.
The alert only popped up today on the weekly manual scan though, not from the auto-protect realtime scan.

Scan type: Manual Scan
Event: Security Risk Found!
Risk: Adware.Mirar
File: Unavailable
Location: Quarantine
Computer: HOMEPC
User: HOMEPC\Me
Action taken: Quarantine succeeded
Date found: 30 septembrie 2007 09:55:34

 

[ETPETP]

See my post in the above thread, this lives in many places and will take a little effort to get rid of. Be sure to close IE out before the scan and the deletes. Then clean disk as well as clear all restore points. Once it is clean, create your new restore point. Good luck on this one.

 

[md usa spybot fan]

It is most likely a Symantec false positive. Spybot adds the following registry entries during its immunization process:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\net-nucleus.com]
*=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com]
*=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com]
*=dword:00000004

The dword:00000004 in these entries is adding the sites (net-nucleus.com, getmirar.com and mirarsearch.com) to Internet Explorer's restricted zone as described in the following Microsoft article:

• Microsoft Knowledge Base Article – 182569
  Description of Internet Explorer security zones registry entries
  http://support.microsoft.com/default.aspx?kbid=182569