Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Adware.Mpgcom

Adware.Mpgcom

Updated:
February 13, 2007
Risk Impact:
Medium
File Names:
Mpgcom.dll,Msnarrator.exe
Systems Affected:
Windows

Behavior


Adware.Mpgcom is a Browser Helper Object that sends data to and receives data from a remote Web site.

Symptoms


Existence of the file names %Windir%\mpgcom.dll or %Windir%\msnarrator.exe.


Notes:
  • %Windir% is a variable. The adware locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
  • This detection was reclassified from a Trojan horse (it was originally named Trojan.Narat) to a security risk on January 2, 2004.


Behavior


This adware may be installed when browsing certain Web sites.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version March 23, 2017 revision 037
  • Initial Daily Certified version January 05, 2004
  • Latest Daily Certified version March 23, 2017 revision 041
  • Initial Weekly Certified release date January 07, 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Adware.Mpgcom is an adware component that runs as a Browser Helper Object (BHO), which means that the component will be active when Internet Explorer is running.

When this component is active, it sends data that may contain personal identifiable information to a third-party server.

Adware.Mpgcom also has the ability to display pop-up advertisements, and it can update itself.

When it installs itself, Adware Mpgcom does the following:
  1. Creates the following registry keys:

    HKEY_CLASSES_ROOT\Mpgcom.zoom

    HKEY_CLASSES_ROOT\Mpgcom.zoom.1

  2. Creates the file, %Windir%\Msnarrator.exe, and then executes it.


    Note: %Windir% is a variable. The adware locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and creates the file in that location.

  3. Adds the value:

    "msnarrator" = "%Windir%\msnarrator.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs when you start Windows.

  4. Adds the values:
    • "PingMDID" = <number>
    • "PingSDID" = <number>

      to the registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
      WindowsUpdate

  5. Attempts to send confidential information back to a third-party server.



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Unregister the .dll files so that they can be deleted.
  3. Restart the computer in Safe mode or VGA mode.
  4. Run a full system scan and delete any files detected as Adware.Mpgcom.
  5. Delete the value that was added to the registry.

For specific details on each of these steps, read the following instructions.

1. Updating the definitions
This detection was reclassified from a Trojan horse (it was originally named Trojan.Narat) to a security risk on January 2, 2004.

2. Unregistering the .dll files
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type, or copy and paste, the following text:

    regsvr32 /u "%Windir%\mpgcom.dll"

    then click OK.


    Note: If you type the text (instead of copying and pasting it), make sure that you type it exactly as shown and that you include the quotes.

  3. After a few seconds, you should see one of the following messages:

    (Load Library Failed, <filename>.dll was not registered)

    (Load Library Succeeded)

    In either case, click OK.

3. Restarting the computer in Safe mode or VGA mode

Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.
  • For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
  • For Windows NT 4 users, restart the computer in VGA mode.


4. Scanning for and deleting the files
  1. Start Norton AntiVirus and make sure that it is configured to scan all the files. For more information, read the document, "How to configure Norton AntiVirus to scan all files."
  2. Run a full system scan.
  3. If any files are detected as Adware.Mpgcom, click Delete.

5. Deleting the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)

  2. Type regedit and then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    msnarrator

  5. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    WindowsUpdate

  6. In the right pane, delete the values:

    PingMDID
    PingSDID

  7. Exit the Registry Editor.