Mirar and friends got a hold on me

t weyman · May 3, 2005

I am infected, its detected but it won't go away.

I followed the "do this scan first procedure" at majorgeeks with a couple of exceptions:

1. I scanned in normal mode, not Safe Mode.
2. For some reason Trend Micro's on-line scan would not work and PCcillen would not download.
3. Symantec's on line scan did not report any details; it just told me I was vulnerable and tried to sell me software.
4. I got AV Personal virus alerts poping up during several scans; including during:

St1inger
SpyBot
HS Remove

Symptoms that led me to tackle this problem:

1. My Add/Remove Programs list contains "Related Page" - a hijacking program that will not allow itself to be removed. Instead it pop's up a Mirar removal page which then directs me to a website that wants to sell me more software.

2. On my Desktop is an interesting new icon (lower right) in the active programs section of the tool bar: a flashing, upside down yield sign with exclamation (!) mark in the center. I used this icon to mark my post. That icon gives me an occasional alert with the word "exploit" in the message and sometimes it sends a "critical system message" pop up to the middle of the desktop. If I double click on the flashing icon it opens a pop up window titled "MSN", underneath which is a list of anti-ad-ware advertising.

3. I get a pop up when I boot up (it is a blank window called MSN Messenger). I get sporadic popup advertisements while on the web (like right now it happened).

I got a few reports during the comprehensive Majorgeeks recommended scan. I list these below. What is interesting is that my HijackThis log shows many URL's and files that do no show in the HijackThis scan window. I recognize many problems listed in the log but when I run HijackThis,the problems are not visible so I cannot Fix them.

Here are the many messages I got during the scans:

NoAdware found and said it removed this:
Troj_Agent_Local_Machine\Software\lvRegKey

But that has been found and removed several times before and continues to reappear.

During Spybot, St1nger etc, the following Alert was displayed by AV Personal:

C:\Windows|Popuper.EXE is the Trojan: TR/Drop.Puper.D.1

and also, this:

C:\Windows\System32\INTMONP.EXE is the Trojan: TR/Drop.Puper.D.2

These two alerts appear regulary during scans and other times.

Thanks in advance for any help

tw

chaslang · May 3, 2005

You should not be running the scans in safe mode. The procedure is meant to be run as written. If you cannot run the online scans in safe mode, they can be run in normal mode. All the other scans should have been run in safe mode.

For your popuper and intmonp problem, see what was done here: Popuper.exe and other issues unresolved

If you still have problems after trying that, follow the steps below.

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

Log in or Sign up

Mirar and friends got a hold on me

t weyman Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member