Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Adware.Slagent

Adware.Slagent

Updated:
February 13, 2007
Risk Impact:
High
File Names:
mslagent.exe 2_mslagent.dll navpmc.exe 2_navpmc.dll uninstaller.exe
Systems Affected:
Windows

Behavior


Adware.Slagent contacts a Web site for advertising purposes.

This adware program can terminate its own process, and then download and execute files from the Internet without notifying the user.

Notes:
  • Definitions dated March 8, 2005 or earlier may detect this threat as Adware.Slagent.B
  • Definitions dated April 25, 2004 or earlier may detect this threat as Trojan.Simcss.B.


Symptoms


One or more files is detected as Adware.Slagent.

One or more of the following folders may exist:

  • %Windir%\navpmc
  • %Windir%\mslagent

Behavior


Bundled with certain adware-enabled software.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version July 14, 2017 revision 005
  • Initial Daily Certified version March 10, 2004 revision 002
  • Latest Daily Certified version July 14, 2017 revision 008
  • Initial Weekly Certified release date March 10, 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

When Adware.Slagent is executed, it attempts to perform the following actions:
  1. May create the %Windir%\mslagent folder, and then drop the following files within it:
    • mslagent.exe
    • uninstall.exe
    • 2_mslagent.dll (A zero-byte file.)

  2. May create the %Windir%\navmpc folder and drop the following files:

    • 2_info_persist
    • 2_navpmc.dll
    • acknowledged.mc2
    • CompManagerPersist.mc2
    • except.mc2
    • navpmc.exe
    • OrderPersist.mc2
    • TimePersist
    • uninstall.exe


      Note: %Windir% is a variable. The Adware component locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and creates a folder at that location.

  3. May create the following copies of itself:

    • %System%\msegcompid.dll
    • %System%\msklive.dll


      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


  4. May add the values:

    "mslagent" = "%windir%\mslagent\mslagent.exe"
    "mslagent" = "%windir%\navpmc\navpmc.exe"

    to one of the following registry subkeys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs every time Windows starts.

  5. May create one or more of the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{4A6FA2EB-F381-4503-87D0-BE4CC57DEB8E}
    HKEY_CLASSES_ROOT\CLSID\{75A603E7-8BB7-4272-ABBE-9846FF1241C1}
    HKEY_CLASSES_ROOT\CLSID\{DE614603-6320-4046-A7A7-6A69CEC26F14}
    HKEY_CLASSES_ROOT\CLSID\{D7A82A12-05F5-42D8-B30D-6EF995075D2D}
    HKEY_CLASSES_ROOT\Interface\{1EF28CC5-8D97-4310-B71B-CA34EE15B897}
    HKEY_CLASSES_ROOT\Interface\{43CDAD65-AA0D-4701-8108-117F86613B69}
    HKEY_CLASSES_ROOT\Interface\{510C3373-4842-4944-8729-0AFF6725A132}
    HKEY_CLASSES_ROOT\Interface\{6D3F48F4-B40A-4C3F-A95C-85E23C3A8A91}
    HKEY_CLASSES_ROOT\TypeLib\{5630B768-1C09-4105-9E03-E35985E36B0B}
    HKEY_CLASSES_ROOT\TypeLib\{82C0673C-F1D1-47BA-B904-AB0DE82300BC}
    HKEY_CLASSES_ROOT\TypeLib\{BA49BD6A-039C-428E-AF33-8C1288D75A7B}
    HKEY_CLASSES_ROOT\TypeLib\{CA72BD3D-6044-4429-8C9A-76D90F4B29A8}
    HKEY_CLASSES_ROOT\MagicControl.MagicComponent
    HKEY_CLASSES_ROOT\MagicControl.MagicComponent.1
    HKEY_CLASSES_ROOT\mslagent.3
    HKEY_CLASSES_ROOT\mslagent.3.1
    HKEY_CLASSES_ROOT\NaviHelper.NaviHelperObject
    HKEY_CLASSES_ROOT\NaviHelper.NaviHelperObject.1
    HKEY_CLASSES_ROOT\NaviPromo.EGNaviScoring
    HKEY_CLASSES_ROOT\NaviPromo.EGNaviScoring.1
    HKEY_LOCAL_MACHINE\Software\mc

  6. May create one or more of the following registry subkeys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    \Uninstall\mslagent
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Uninstall\navmpc

  7. Attempts to verify the availability of an Internet connection by contacting a predefined Web site.

  8. May download additional components from the Internet without notifying the user. This activity is described in the EULA.



The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Restart the computer in Safe mode or VGA mode.
  3. Run a full system scan and delete all the files detected as Adware.Slagent.
  4. Delete the value that was added to the registry.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To restart the computer in Safe mode or VGA mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode. For instructions, read the document, "How to start the computer in Safe Mode ."

3. To scan for and delete the files
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Adware.Slagent, click Delete.


    Note: If your Symantec antivirus product reports that it cannot delete a detected file, note the path and file name. Then use Windows Explorer to locate and delete the file.
4. To delete the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the following values if they exist:

    "mslagent" = "%windir%\mslagent\mslagent.exe"
    "mslagent" = "%windir%\navpmc\navpmc.exe"

  5. Navigate to and delete any of the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{4A6FA2EB-F381-4503-87D0-BE4CC57DEB8E}
    HKEY_CLASSES_ROOT\CLSID\{75A603E7-8BB7-4272-ABBE-9846FF1241C1}
    HKEY_CLASSES_ROOT\CLSID\{DE614603-6320-4046-A7A7-6A69CEC26F14}
    HKEY_CLASSES_ROOT\CLSID\{D7A82A12-05F5-42D8-B30D-6EF995075D2D}
    HKEY_CLASSES_ROOT\Interface\{1EF28CC5-8D97-4310-B71B-CA34EE15B897}
    HKEY_CLASSES_ROOT\Interface\{43CDAD65-AA0D-4701-8108-117F86613B69}
    HKEY_CLASSES_ROOT\Interface\{510C3373-4842-4944-8729-0AFF6725A132}
    HKEY_CLASSES_ROOT\Interface\{6D3F48F4-B40A-4C3F-A95C-85E23C3A8A91}
    HKEY_CLASSES_ROOT\TypeLib\{5630B768-1C09-4105-9E03-E35985E36B0B}
    HKEY_CLASSES_ROOT\TypeLib\{82C0673C-F1D1-47BA-B904-AB0DE82300BC}
    HKEY_CLASSES_ROOT\TypeLib\{BA49BD6A-039C-428E-AF33-8C1288D75A7B}
    HKEY_CLASSES_ROOT\TypeLib\{CA72BD3D-6044-4429-8C9A-76D90F4B29A8}
    HKEY_CLASSES_ROOT\MagicControl.MagicComponent
    HKEY_CLASSES_ROOT\MagicControl.MagicComponent.1
    HKEY_CLASSES_ROOT\mslagent.3
    HKEY_CLASSES_ROOT\mslagent.3.1
    HKEY_CLASSES_ROOT\NaviHelper.NaviHelperObject
    HKEY_CLASSES_ROOT\NaviHelper.NaviHelperObject.1
    HKEY_CLASSES_ROOT\NaviPromo.EGNaviScoring
    HKEY_CLASSES_ROOT\NaviPromo.EGNaviScoring.1
    HKEY_LOCAL_MACHINE\Software\mc
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    \Uninstall\mslagent
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Uninstall\navmpc

  6. Exit the Registry Editor.

  7. Restart the computer in Normal mode. For instructions, read the section on returning to Normal mode in the document, "How to start the computer in Safe Mode."