I got to work this morning and my work computer had the SAME Adware.mirar found on it!!!! Since my work system did not get DVRMSToolbox installed on it, that rules out that software. Furthermore, my work system has had no software installed lately (that I am aware of), so I am leaning more towards the latest definition update having led to a false positive.
Here is some common software between the computers (ignoring the normal, seemingly trusted stuff like AV clients, Office, WinZip, etc.):
Since you're still experiencing issues, try the HijackThis forum. The link provides instructions on how to install HJT as well as how to post your HJT log.
cademetz wrote: "I forgot to mention I ran HijackThis after Symantec did its thing. Nothing out of the ordinary."
I take that to mean you have enough experience/knowledge with HJT to know what to look for???
[P.S. If you're an HJT expert whose name I just don't recognize, I apologize.]
cademetz also wrote: "I let Symantec AV do its thing, 'infection' gone.... (Maybe SAV did just an amazing job of removing it?)"
If Symantec did indeed locate and FULLY remove mirar, then it was not a false positive.
I won't label myself an HJT expert, but I have used HJT in the past and know more than enough to make heads or tails of HJT's scan. No offense taken. :-)
The reason I think it was a false positive is because I had two (somewhat) isolated computers both detect Adware.mirar at the same time. Both computers detected Adware.mirar during a normal weekly scan AFTER Symantec updated their definitions file.
http://www.symantec.com/security_response/writeup.jsp?docid=2004-091714-4329-99 shows yesterday getting an update, and then TODAY, they release "Rapid Release Version." So, either Adware.mirar suddenly became a sudden threat needing two definition releases in two days... or, maybe they made a mistake.
Furthermore, here is what Symantec says it cleaned on my system:
Now, from my understanding, if that's ALL it cleaned, it would not have rid my system of Adware.mirar.
That two isolated PCs both suddenly picked up on the same threat after an anti-virus update could simply be an indication that Symantec just now decided to target that "threat" --- which may in fact have been "residing" on your machine for an undetermined time period --- and that's why it first showed up now.
As an example, my wife had downloaded "Incredimail" onto one (or more) of our PCs a few years ago [I believe it's long since been uninstalled... but apparently I/we had saved a copy of its installation program on the PC]. Then, quite suddenly, on or about 17 July 2007, my AVG anti-virus was updated to target that program's old installer!! In fact, several anti-virus companies all decided to add that threat as well. The point being, it's possible that could explain what's happening in your case as well.
I agree that the 3 registry entries Symantec removed don't seem to be very much. You'll need to investigate the matter further... perhaps someone can definitively recognize the particular nature of these...
And while I cannot assert the following for a fact, here's [at least] a plausible explanation of what's going on:
If memory serves me, when mirar gets installed, it places (registry) entries in Internet Explorer's TRUSTED zone, to allow it fuller/unrestricted access to the internet. If the actual mirar program never got installed on your system --- or if it was installed for a while, and then removed --- but these remnants lingered in the "trusted zone", it might be that Symantec was recently updated to target these, and has now successfully removed them.
IF this is the proper explanation, it would explain why it found these three, and only these three, "threats".
Since I admit to this as being a conjecture on my part, I don't know that I'll be back to discuss the matter any further... unless I find out something more definitive. Perhaps someone else knows for sure.
If it looks like a FP, walks like a FP, quacks like a FP...
"There's false positive with NAV defs if Spybot S&D immunization is enabled... ... I enabled immunized with SS&D again then scan again.... there's a detection again for Adware.Mirar"
Since it was a false positive (by NAV) based on SpyBot's immunization, then I would speculate that SpyBot had placed these entries in IE's "restricted" zone [or some other "protective" area]??
If so, then by quarantining them, the poster has in fact lowered the security level (i.e., "invited" a potential threat, rather than removing one) --- in which case, the entries need to be removed from quarantine and re-instated to wherever they came from. Yes??
Thanks joe53 -- I had been trying to do searches to see if anyone else had reported false positives. I feel a little better now. I do have Spybot 1.5.1 installed on both machines.
I went back and checked and the three websites mentioned in the quarantine report are still in the Restricted Zone. I think I should be safe.
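As an added check (not code from any poster in this thread), this PowerShell snippet lists which Internet Explorer security zone each registry ZoneMap entry assigns a host to, so a flagged entry can be confirmed as a Restricted Sites immunization entry rather than a Trusted Sites one. It assumes the standard ZoneMap layout under Internet Settings and hardcodes no domains, since the three hosts from the quarantine report are not on the page.

```powershell
# Added example, not from any post in this thread. Assumes the standard
# ZoneMap registry layout: Domains\<domain>[\<hostlabel>] with values named
# after a scheme ("http", "https", or "*" for any) holding the zone id.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-IEZoneAssignments {
    param([string[]]$Hives = @('HKCU', 'HKLM'))   # per-user and machine-wide zone maps
    foreach ($hive in $Hives) {
        $base = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
        if (-not (Test-Path $base)) { continue }
        foreach ($key in Get-ChildItem -Path $base -Recurse) {
            # Relative path below Domains\ is "domain" or "domain\hostlabel"
            $rel   = $key.PSPath.Substring($key.PSPath.IndexOf('Domains\') + 8)
            $parts = $rel -split '\\'
            $hostName = if ($parts.Count -gt 1) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
            $props = Get-ItemProperty -Path $key.PSPath
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider properties
                $id = [int]$p.Value
                [pscustomobject]@{
                    Hive   = $hive
                    Host   = $hostName
                    Scheme = $p.Name
                    ZoneId = $id
                    Zone   = $ZoneNames[$id]
                }
            }
        }
    }
}

$assignments = Get-IEZoneAssignments
# Restricted Sites (zone 4) entries are what an anti-spyware immunization creates;
# Trusted Sites (zone 2) entries for unfamiliar hosts are the ones worth reviewing.
"Restricted Sites entries:"
$assignments | Where-Object { $_.ZoneId -eq 4 } | Format-Table Hive, Host, Scheme, Zone -AutoSize
"Trusted Sites entries (review any host you do not recognize):"
$assignments | Where-Object { $_.ZoneId -eq 2 } | Format-Table Hive, Host, Scheme, Zone -AutoSize
```

Compare the hosts named in the scanner's quarantine report against the Restricted Sites list: a match there means the quarantined item was a protective entry, not an adware one.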
@ky331: I should think your conclusions are correct.
@ cademetz: If you didn't delete or quarantine these FPs, you should be OK. Until NAV corrects these FPs, there should be some way to tell it to ignore these detections in future.
I think Symantec has already corrected the false positives. As I mentioned earlier, my theory is that an updated, albeit wrong, definition was released on the 27th, systems used that definition and started throwing false positives, and Symantec released an updated definition on the 28th to correct it.
From the Symantec website about Adware.mirar definitions:
Initial Rapid Release version: September 18, 2004
Latest Rapid Release version: September 28, 2007 revision 020
Initial Daily Certified version: September 18, 2004 revision 019
Latest Daily Certified version: September 27, 2007 revision 002
Initial Weekly Certified release date: September 22, 2004
Thread posts (author, time):
cademetz, September 28th, 2007 13:00
tomron, September 28th, 2007 15:00
cademetz, September 28th, 2007 15:00
tomron, September 28th, 2007 16:00
ky331, September 28th, 2007 17:00
cademetz, September 28th, 2007 21:00
ky331, September 28th, 2007 22:00
joe53, September 28th, 2007 22:00
Full post at: http://www.dozleng.com/updates/index.php?showtopic=15769
ky331, September 28th, 2007 23:00
cademetz, September 29th, 2007 01:00
joe53, September 29th, 2007 04:00
cademetz, September 29th, 2007 12:00