It sounds like your user is busy clicking on too many things while browsing the web.

Read this link, it seems to have some semi-comprehensive information on this parasite.

http://217.115.153.75//parasite/IGetNet.html

All the updates and hotfixes and anti-virus products in the world can't stop something if the user clicks "Yes" to running some silly ActiveX program. Anti-virus products will not stop ActiveX programs from running if they're ad-parasites since they're technically not "viruses."

IGetnet did not use any "security holes" to install this, the user LET it run, or installed a program that let it run. If the user did NOT let it run, but it ran automatically when going to a website, then the Internet Zone settings in your Internet Options are set WAY too lax (i.e., it's set to let certain types of ActiveX scripts run automatically without check).

I like the point someone made earlier, switch browsers. I personally use Opera for a considerable amount of my web browsing. I even paid for the non-ad copy. The product is relatively secure, stable, and compatible with most everything. In addition, it does not allow many types of parasitic scripts to run. It even supports pop-up blocking. :)

Indeed, switching browsers and also installing a personal firewall of some type to have it check all scripts before they run, have the user VERIFY that the script about to run is from a site he is on and that he's SURE he knows what it's doing.

- Christopher Wagner
chriswat_private

Packaging Aids Corporation - Information Systems
P.O. Box 9144
San Rafael, CA 94912-9144
http://www.pacaids.com/
(415) 454-4868 x116

-----Original Message-----
From: Waitman C. Gobble [mailto:waitmanat_private]
Sent: Sunday, November 10, 2002 7:02 PM
To: incidentsat_private
Subject: 030 igetnet ignkeywords

Hello

I have found more information regarding my original 030.com post.

The machine that is infected is running Windows XP Professional with all service packs and hotfixes. Additionally, it is running Norton Antivirus 2003 with the latest database, and the machine checks clean.

There is a file running on boot: C:\WINDOWS\WinStart.exe (the date of this file is November 11, 2002)

The file properties indicate that it originates from IGetNet, LLC. The whois information shows that this is the owner of ignkeywords.com

Also, this file exists: C:\WINDOWS\prefetch\WINSTART.EXE-2C11637C.pf. Its date and time reflect the last time the machine was booted. Please note that I am not sure what this file is, but it seems to relate.

The machine now seems to go to ignkeywords.com, however sometimes it goes to 030.com, which is what we originally observed.

The WinStart file is labelled as a "Browser Upgrade" in the file properties thingy.

Thanks and Best

Waitman Gobble
EMK Design
Buena Park, California
+1.7145222528

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
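
The reply above attributes a silent install to Internet Zone settings that let ActiveX run without a check. The following PowerShell sketch is an added example, not part of either message in the thread: it reads the current user's Internet Zone (zone 3) ActiveX URL actions from the registry and marks the ones this example treats as lax. The function name `Get-ZoneActiveXAudit` and the rule for "lax" are assumptions of the example.

```powershell
# Added example: audit the Internet Zone (zone 3) ActiveX URL actions for the current user.
# The "lax" rule (an install or unsafe-init action set to Enable) is this example's assumption.
# Group Policy can override these per-user values; policy keys are not checked here.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action IDs and their meaning in the Internet Options security dialog.
$Actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$PolicyNames   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
# Actions that should never be plain "Enable" in the Internet Zone (example's rule).
$FlagIfEnabled = @('1001', '1004', '1201')

function Get-ZoneActiveXAudit {
    param([string]$Path = $ZoneKey)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($id in $Actions.Keys) {
        $raw = $props.$id
        if ($null -eq $raw) {
            $setting = 'Not set'
        } elseif ($PolicyNames.ContainsKey([int]$raw)) {
            $setting = $PolicyNames[[int]$raw]
        } else {
            # For example, administrator-approved controls only.
            $setting = "Other ($raw)"
        }
        [pscustomobject]@{
            Action  = $id
            Meaning = $Actions[$id]
            Setting = $setting
            Lax     = ($setting -eq 'Enable' -and $FlagIfEnabled -contains $id)
        }
    }
}

Get-ZoneActiveXAudit | Format-Table -AutoSize
```

Any row with `Lax` set to `True` means a control can be installed or initialized from an Internet Zone site without the user being prompted.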
This archive was generated by hypermail 2b30 : Tue Nov 12 2002 - 12:40:17 PST