'cool.ne.jp' incident after majorgeek SD update

Discussion in 'privacy general' started by kwesi, Jan 26, 2005.

Thread Status:
Not open for further replies.
  1. kwesi

    kwesi Registered Member

    Joined:
    May 18, 2004
    Posts:
    82
    Location:
    London
    Hi, people. I have been slightly irritated for a little while by the well-known DSO Exploit bug in Spybot, & was pleasantly surprised to see an update fix on the majorgeeks site.

    I ran the update, & was then surprised by a message from my truly ever-excellent Giant AS, to the effect that "cool.ne.jp" was trying to add itself to my list of trusted sites, or to my trusted zone (I'm not sure exactly which).

    I googled the name, & came up with at least one dubious-looking site, so I've blocked the site in my fw & in IE.

    Does anyone know anything about this phenomenon, & should I perhaps be e-mailing someone at the majorgeeks site, or Patrick Kolla?

    Thanks.
     
    Last edited: Jan 26, 2005
  2. kwesi

    kwesi Registered Member

    Joined:
    May 18, 2004
    Posts:
    82
    Location:
    London
    Thanks very much, Spanner intheWorks.

    That is actually very useful to know. I'm going to try & find out whether other people have had similar strange events with majorgeeks.
     
  3. Ailric

    Ailric Guest

    Hi kwesi,

    It may be a false positive on the part of Giant. I know Giant (Microsoft Antispyware) mistakes an immunization in spybot (Squiresearch) as spyware.

    Majorgeeks has been spotless for me.
     
  4. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    The DSO exploit in Spybot is a bug and should be ignored. It has to do with your Restricted and Trusted zones in IE. If you want the full explanation:

    It refers to a specific hole in the security used by Internet Explorer. Like many security holes, it could be used for many different purposes not just a specific type of infection or intrusion. So basically, it's just "a way in" to an unpatched system.

    If a system has the exploit, meaning they have neither the patches nor the work-around (setting the value of that key to 4 - for the restricted zone treatment!!), and if some malicious website were to try to exploit that hole, they could get a piece of malware (any piece of malware, for that matter) onto your system.

    Since the patch for this is pretty old, and has no doubt been in service packs and critical updates for almost two years now, any security-minded people will have the patch and therefore have closed the hole.
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    kwesi

    MajorGeeks scans all the software on their site for viruses. If they find anything out of order, you can bet it won't be there.
    Downloading anything, anywhere, can be a risk. Given that, MajorGeeks is my personal favorite.

    http://www.majorgeeks.com/page.php?id=4
     
  6. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    As for the fonts of Majorgeeks, I do believe that majorgeeks is a trustworthy community, helping a lot of others all around the world...they have a nice antispyware area and are very security-minded too.

    I know that there are malware types disguised as fonts and some fonts are vulnerable to a certain type of malware...

    and I know that PestPatrol was in those days (because the font malware is quite outdated) very famous for its false positives.

    Now I am not saying it was a false positive, not at all!! Just that it could be possible. And the fact that the website of Majorgeeks was vulnerable to this type of malware is possible too; every once in a while the admins need to update their forums and sites because of the malware exposed and vulnerabilities/holes in forums and sites. It could be that they just hadn't updated fast enough.

    just my two cents.

    Inf.
     
  7. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    You were just a second faster than me Ronjor, just a second and nothing more :D

    my attention was drawn somewhere else for a sec and bamm :-*

    cheers
     
    Last edited: Jan 27, 2005
  8. kwesi

    kwesi Registered Member

    Joined:
    May 18, 2004
    Posts:
    82
    Location:
    London
    Thanks very much, Ailric, Infinity & Ronjor (Wow - I'm in a gathering of superheroes/heroines!).

    Your replies, plus experimentation, have helped me to get an idea of the larger picture, & I realise that I'm going to have to consider getting GIANT to ignore S&D immunisation-related changes (the 'squiresearch' fp & the addition of '139mm.com' and 'cool.ne.jp' to my trusted zone).

    I'll research a little more before I do that.
     
  9. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    I've had no problems so far with majorgeeks, I used it a fair bit when I was trying a few different firewalls.

    Jimbob
     
  10. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Post by Bourne. removed as it was both off-topic to this thread and provoking argument.
     
  11. springer

    springer Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    26
    Curious...

    I just had this very same incident happen to me following a download of Spybot S&D's new beta 1.4 version from Softpedia. The alert popped up during the reboot required, asking me for permission to add "cool.ne.jp" to my "trusted zone" in IE...which I declined.

    "cool.ne.jp", after Googling (which is how I found this thread), appears to be a Japanese domain of some sort, as in ".com" or ".ca", etc.

    Anyone ever hear an answer to this occurrence?

    o_O
     
  12. springer

    springer Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    26
    By the time I finished posting this here, an answer to this had been researched and posted over at Spyware Warriors, where I initiated a thread on this problem...and then spent some hours scouring my computer for a bug, finding nothing.

    http://spywarewarrior.com/viewtopic.php?t=9880

    The last post in the thread linked above provides a response from people at Spybot regarding this occurrence, which will be of particular interest to users employing multiple registry monitors, such as MS/Giant, SpywareGuard, and Spybot's TeaTimer.

    Might prevent others from wasting a lot of hours chasing...like I did yesterday...what amounts to a false positive of sorts.
     
    Last edited: Feb 1, 2005
  13. kwesi

    kwesi Registered Member

    Joined:
    May 18, 2004
    Posts:
    82
    Location:
    London
    Hi, Springer.

    Thanks for the update.

    One thing that concerns me a tad, upon reading the Spyware Warrior thread, is the idea that one should disable one or more of one's 'registry watchers,' as I know from one of the very useful threads in this forum that different security apps watch different 'hives? sections?' (I'm no techie) of the registry.

    I run Giant, and have SpywareGuard, Spybot (non-resident, although I previously used TeaTimer; perhaps that left something behind which contributed to the fp?), Bill P's Scotty the dog (non-resident), & other apps, so I'm a little unsure how to proceed.

    I have already asked Giant to ignore one 'site' which popped up in a Giant warning, upon my re-immunising through Spybot. I may just add the cool.ne.jp one to that ignore list in Giant for now.
     
  14. springer

    springer Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    26
    That's a tough one, isn't it?

    Registry monitoring is a vital part of keeping these roaches off our computers, and I don't always get alerts from each of them on the same call.

    For now, I'm going to run them all.

    However, it might be a good idea to perhaps put up a "sticky" on this subject, assuming it's going to get to be a bigger problem as indicated by the response from Spybot to this incident.

    If nothing else, it might save some undue alarm like I just went through.

    On the other hand, one doesn't want to encourage users to take these alerts from their monitors lightly, either.

    Anyway...

    Hope this new info is useful.

    Cheers!

    Springer
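    Since the confusion in this thread (post #4's "set that key to 4 for the restricted zone treatment", and posts #8 and #11-#14 on monitors reporting 'cool.ne.jp' and '139mm.com' being added to the trusted zone) comes down to which IE zone a domain entry actually landed in, here is an added example (not code from any poster, nor from Spybot, Giant or MajorGeeks) that audits that. It parses a .reg export of the `Internet Settings\ZoneMap\Domains` key and reports each host's zone by number and name; IE stores Trusted Sites as 2 and Restricted Sites as 4 in those values. The registry export embedded in the script is constructed for illustration; the only real domain names in it are the two from this thread, and `example.test` is a placeholder.

```python
"""Audit Internet Explorer ZoneMap\\Domains entries from an exported .reg file.

Added example for this thread. It reads an export rather than the live registry,
so it runs on any platform; on Windows the input would come from
  reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains" zones.reg
"""
import re
from collections import OrderedDict

# Zone numbers as used in the ZoneMap\Domains values.
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Key prefix under which per-domain zone assignments live (trailing backslash appended
# separately because a raw string cannot end in a backslash).
ZONEMAP_PREFIX = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                  r"\Internet Settings\ZoneMap\Domains" + "\\")

# Constructed sample export (not a dump from any poster's machine).
# cool.ne.jp and 139mm.com are the names discussed in the thread; example.test is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cool.ne.jp]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\139mm.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\www]
"http"=dword:00000002
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})\s*$')


def parse_zonemap(reg_text):
    """Return {host: {scheme: zone_number}} for every ZoneMap\\Domains key in the export.

    A subkey such as Domains\\example.test\\www describes host www.example.test,
    so the path components are reversed and joined with dots. The value name is
    the URL scheme ("http", "https") or "*" for all schemes.
    """
    entries = OrderedDict()
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            if key.lower().startswith(ZONEMAP_PREFIX.lower()):
                parts = key[len(ZONEMAP_PREFIX):].split("\\")
                current = ".".join(reversed(parts))
                entries.setdefault(current, {})
            else:
                current = None  # some other key; ignore its values
            continue
        value_match = VALUE_RE.match(line)
        if current is not None and value_match:
            scheme, hexval = value_match.groups()
            entries[current][scheme] = int(hexval, 16)
    return entries


def zone_report(entries):
    """List of (host, scheme, zone_number, zone_name) rows, one per scheme mapping."""
    rows = []
    for host, schemes in entries.items():
        for scheme, zone in sorted(schemes.items()):
            rows.append((host, scheme, zone, ZONE_NAMES.get(zone, "unknown zone %d" % zone)))
    return rows


def hosts_in_zone(entries, zone):
    """Sorted hosts that have at least one scheme mapped to the given zone number."""
    return sorted(host for host, schemes in entries.items() if zone in schemes.values())


if __name__ == "__main__":
    parsed = parse_zonemap(SAMPLE_REG)
    for host, scheme, zone, name in zone_report(parsed):
        print("%-20s %-6s zone %d (%s)" % (host, scheme, zone, name))
    print("Trusted Sites:   ", hosts_in_zone(parsed, 2))
    print("Restricted Sites:", hosts_in_zone(parsed, 4))
```

    In the constructed sample the two thread domains carry the value 4, i.e. Restricted Sites, while only the placeholder hosts sit in Trusted Sites (2); running the same parse over a real export tells you which of the two a monitor's "added to your trusted zone" alert actually corresponds to before deciding whether to ignore it.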
     
  15. The person who started this post mentioned DSO things. What are these? When I run a scan with Spybot it picks these up and I have chosen to quarantine them when I have found them. Should I be doing this? Or should I just ignore them?
     
  16. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Yes, as said by INFINITY in post #5.



    snowbound
     