IE features hijack aka Popnav

Discussion in 'spyware news and general information' started by Pieter_Arntz, Jan 2, 2004.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hijacks the startpage to popnav.com and produces popups.

    In a HijackThis log fix:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.popnav.com

    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\iefeaturesversion.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe

    O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} (IEFeature Class) - hxxp://www.popmonster.com/control/src/iefeatures.ocx

    After a reboot delete these files:
    C:\WINDOWS\System32\MSrdk.xml
    C:\WINDOWS\System32\iefeaturesversion.exe
    C:\WINDOWS\System32\iefeatures.exe

    HTH,

    Pieter
     
    Pieter_Arntz, Jan 2, 2004
    #1
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Re:IE features hijack

    New version using this entry:

    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\ClrSchP038.exe
     
    Pieter_Arntz, Jan 19, 2004
    #2
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    And another version:

    O4 - HKLM\..\Run: [SearchNavVersion] C:\Documents and Settings\subfl0wer\searchnavversion.exe
    O4 - HKLM\..\Run: [searchnav] C:\Documents and Settings\subfl0wer\searchnav.exe
     
    Pieter_Arntz, Mar 15, 2004
    #3
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...