BitDefender Antivirus

Adware.Navipromo.M

Spreading: medium
Damage: medium
Size: 491520
Discovered: 2006 Mar 04

SYMPTOMS:

An instance of explorer.exe may exist in memory, but not in the task bar. The library file msclock32.dll may appear in the Windows directory.

TECHNICAL DESCRIPTION:

Adware.Navipromo.M was written using MFC. Once executed, it starts explorer.exe and injects itself into that explorer.exe process. After injection, it removes the original file from disk.

It creates the following key: [HKEY_LOCAL_MACHINE\Software\mc] where some information about this adware is stored (such as remove, install, etc).

It copies itself to the system directory under the name mstmpreg32.dll.

The following files may be written to the Windows directory: mslagent.exe, mslagent_.exe and uninstall.exe.

It also modifies the following registry keys in order to run itself at startup:

a) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

b) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

If an Internet connection is available, the adware can download components from different web sites.

MSClock32.dll contains code that can override the functionality of several system functions (for registry, dialing, etc.), which makes Adware.Navipromo difficult to detect.
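Because MSClock32.dll overrides system functions on the running machine, the file names listed above are best checked against a mounted copy of the disk. The following is an added example, not BitDefender's code: the function names are hypothetical, the "system directory" is assumed to be the System32 or system subfolder of the Windows directory, and the Run key values are assumed to have been read separately into a dictionary.

```python
import os
import re

# File names from the description above, compared case-insensitively.
WINDOWS_DIR_FILES = {"msclock32.dll", "mslagent.exe", "mslagent_.exe", "uninstall.exe"}
SYSTEM_DIR_FILES = {"mstmpreg32.dll"}
GENERIC = {"uninstall.exe"}  # common name: only meaningful next to another hit
# Assumption: "system directory" is one of these subfolders of the Windows directory.
SYSTEM_SUBDIRS = ("system32", "system")


def _listing(path):
    """Map lower-cased entry name -> real name for one directory (empty if unreadable)."""
    try:
        return {name.lower(): name for name in os.listdir(path)}
    except OSError:
        return {}


def scan_files(windows_dir):
    """Return sorted paths of indicator files under a mounted Windows directory."""
    top = _listing(windows_dir)
    hits = [os.path.join(windows_dir, top[n]) for n in WINDOWS_DIR_FILES & top.keys()]
    for sub in SYSTEM_SUBDIRS:
        if sub in top:
            sysdir = os.path.join(windows_dir, top[sub])
            found = _listing(sysdir)
            hits += [os.path.join(sysdir, found[n]) for n in SYSTEM_DIR_FILES & found.keys()]
    if all(os.path.basename(h).lower() in GENERIC for h in hits):
        return []  # nothing found, or only the generic uninstall.exe
    return sorted(hits)


def suspicious_run_entries(run_values):
    """From {value name: command line} read out of a Run key, keep the entries
    whose command references one of the specific indicator file names."""
    names = (WINDOWS_DIR_FILES | SYSTEM_DIR_FILES) - GENERIC
    pattern = re.compile(
        r"(?<![\w.])(?:" + "|".join(map(re.escape, sorted(names))) + r")(?![\w.])", re.I)
    return {k: v for k, v in run_values.items() if pattern.search(v)}
```
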

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Dragos Gavrilut, virus researcher