IE features hijack aka Popnav

Discussion in 'news, general information and FAQs' started by Pieter_Arntz, Jan 2, 2004.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hijacks the startpage to popnav.com and produces popups.

    In a HijackThis log fix:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.popnav.com

    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\iefeaturesversion.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe

    O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} (IEFeature Class) - hxxp://www.popmonster.com/control/src/iefeatures.ocx

    After a reboot delete these files:
    C:\WINDOWS\System32\MSrdk.xml
    C:\WINDOWS\System32\iefeaturesversion.exe
    C:\WINDOWS\System32\iefeatures.exe

    HTH,

    Pieter
     
  2. Pieter_Arntz

    Re:IE features hijack

    New version using this entry:

    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\ClrSchP038.exe
     
  3. Pieter_Arntz

    And another version:

    O4 - HKLM\..\Run: [SearchNavVersion] C:\Documents and Settings\subfl0wer\searchnavversion.exe
    O4 - HKLM\..\Run: [searchnav] C:\Documents and Settings\subfl0wer\searchnav.exe
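
Added example, not part of the original posts: a triage script that parses HijackThis-style log lines and flags the ones matching the hosts, CLSID and file names listed in this thread. The function name `flag_entries`, the sample log and its benign look-alike entries are constructed for illustration; file names are matched by base name because the third post shows the files outside System32.

```python
import re

# Indicators copied from the posts in this thread (file names lowercased).
BAD_HOSTS = {"popnav.com", "popmonster.com"}
BAD_CLSIDS = {"{2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED}"}
BAD_FILES = {"iefeaturesversion.exe", "iefeatures.exe", "clrschp038.exe",
             "searchnavversion.exe", "searchnav.exe"}

LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*)$")    # section id, e.g. "O4 - ..."
URL_RE = re.compile(r"h(?:tt|xx)ps?://([^/\s:]+)", re.I)   # http or defanged hxxp
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
EXE_RE = re.compile(r"([^\\/\]]+\.exe)\b", re.I)           # base name of an .exe path

# Constructed sample log: entries from the thread mixed with benign look-alikes.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.popnav.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\ClrSchP038.exe
O4 - HKLM\..\Run: [searchnav] C:\Documents and Settings\user\searchnav.exe
O4 - HKLM\..\Run: [Updater] C:\Tools\notiefeatures.exe
O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} (IEFeature Class) - hxxp://www.popmonster.com/control/src/iefeatures.ocx
"""

def flag_entries(log_text):
    """Return (section, line, reasons) for each log line matching an indicator."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank line or not a HijackThis entry
        section, body = m.groups()
        reasons = []
        for host in URL_RE.findall(body):
            host = host.lower()
            # Match the listed domain itself or any subdomain (www.popnav.com).
            if any(host == h or host.endswith("." + h) for h in BAD_HOSTS):
                reasons.append("host:" + host)
        for clsid in CLSID_RE.findall(body):
            if clsid.upper() in BAD_CLSIDS:
                reasons.append("clsid:" + clsid.upper())
        for exe in EXE_RE.findall(body):
            # Exact base-name match, so notiefeatures.exe is not flagged.
            if exe.lower() in BAD_FILES:
                reasons.append("file:" + exe.lower())
        if reasons:
            hits.append((section, raw.strip(), reasons))
    return hits

if __name__ == "__main__":
    for section, line, reasons in flag_entries(SAMPLE_LOG):
        print(section, reasons, line, sep=" | ")
```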
     