IE features hijack aka Popnav

Discussion in 'spyware news and general information' started by Pieter_Arntz, Jan 2, 2004.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hijacks the startpage to popnav.com and produces popups.

    In a HijackThis log fix:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.popnav.com

    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\iefeaturesversion.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe

    O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} (IEFeature Class) - hxxp://www.popmonster.com/control/src/iefeatures.ocx

    After a reboot delete these files:
    C:\WINDOWS\System32\MSrdk.xml
    C:\WINDOWS\System32\iefeaturesversion.exe
    C:\WINDOWS\System32\iefeatures.exe

    HTH,

    Pieter
     
  2. Pieter_Arntz

    Re:IE features hijack

    New version using this entry:

    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\ClrSchP038.exe
     
  3. Pieter_Arntz

    And another version:

    O4 - HKLM\..\Run: [SearchNavVersion] C:\Documents and Settings\subfl0wer\searchnavversion.exe
    O4 - HKLM\..\Run: [searchnav] C:\Documents and Settings\subfl0wer\searchnav.exe
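
An added example, not part of the original posts: a small Python check that parses the R0/R1, O4 and O16 lines of a HijackThis log and flags those matching the entries listed in this thread. The sample log is constructed, and `ExampleTray`, `renamed.exe` and `www.example.org` are placeholder values.

```python
import ntpath
import re

# Values taken from the HijackThis entries posted in this thread.
RUN_VALUE_NAMES = {"msversion", "iefeatures", "searchnavversion", "searchnav"}
FILE_NAMES = {"iefeaturesversion.exe", "iefeatures.exe", "clrschp038.exe",
              "searchnavversion.exe", "searchnav.exe"}
DPF_CLSID = "{2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED}"
START_PAGE_DOMAIN = "popnav.com"

R_RE = re.compile(r"^R[01] - .+,Start Page = \w+://([^/\s]+)", re.I)
O4_RE = re.compile(r"^O4 - [A-Z]+\\\.\.\\Run: \[([^\]]+)\]\s+(.+)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})")

def scan(log_text):
    """Return (line_number, reason) for each line matching a thread entry."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if m := R_RE.match(line):
            host = m.group(1).lower()
            if host == START_PAGE_DOMAIN or host.endswith("." + START_PAGE_DOMAIN):
                hits.append((number, "start page"))
        elif m := O4_RE.match(line):
            name = m.group(1).lower()
            exe = ntpath.basename(m.group(2).strip().strip('"')).lower()
            if exe in FILE_NAMES:
                hits.append((number, "run entry: file name"))
            elif name in RUN_VALUE_NAMES:
                # The file name changed between versions; the value name alone
                # is a weaker signal and needs a manual look.
                hits.append((number, "run entry: value name only"))
        elif m := O16_RE.match(line):
            if m.group(1).upper() == DPF_CLSID:
                hits.append((number, "DPF control"))
    return hits

# Constructed sample log (URLs kept defanged as in the thread).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.popnav.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.example.org
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\ClrSchP038.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\renamed.exe
O16 - DPF: {2CAB81F6-1CBB-49FD-809E-B2D37D0CFFED} (IEFeature Class) - hxxp://www.popmonster.com/control/src/iefeatures.ocx
""".strip()

if __name__ == "__main__":
    for number, reason in scan(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```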
     