'cool.ne.jp' incident after majorgeek SD update

Hi, people. I have been slightly irritated for a little while by the well-known DSO Exploit bug in Spybot, & was pleasantly surprised to see an update fix on the majorgeeks site.

I ran the update, & was then surprised by a message from my truly ever-excellent Giant AS, to the effect that "cool.ne.jp" was trying to add itself to my list of trusted sites, or to my trusted zone (I'm not sure exactly which).

I googled the name, & came up with at least one dubious-looking site, so I've blocked the site in my fw & in IE.

Does anyone know anything about this phenomenon, & should I perhaps be e-mailing someone at the majorgeeks site, or Patrick Kolla?

Thanks.

 

Thanks very much, Spanner intheWorks.

That is actually very useful to know. I'm going to try & find out whether other people have had similar strange events with majorgeeks.

 

Hi kwesi,

It may be a false positive on the part of Giant. I know Giant (Microsoft Antispyware) mistakes an immunization in spybot (Squiresearch) as spyware.

Majorgeeks has been spotless for me.

 

the dso exploit in Spybot is a bug and should be ignored. it has to do with your restricted and trusted zone in your IE. if you want to full explanation:

It refers to a specific hole in the security used by Internet Explorer. Like many security holes, it could be used for many different purposes not just a specific type of infection or intrusion. So basically, it's just "a way in" to an unpatched system.

If a system has the exploit, meaning they have neither patches nor the work-around (setting the value of that key to 4 - for the restricted zone treatment!!), and if some malicious website was to try to exploit that hole, they could get a piece of malware (any piece of malware, for that matter) on to your system.

Since the patch for this is pretty old, and has no doubt been in service packs and critical updates for almost two years now, any security minded people will have the patch and therefore have closed the hole.

 

as for the fonts of Majorgeeks, I do believe that majorgeeks is a trustworthy community, helping a lot of others all around the world...they have a nice antispyware area and are very security minded too.

I know that there are malware types disguised as fonts and some fonts are vulnerable for a certain type of malware...

and I know that PestPatrol was in that days (cause the font malware is quite outdated) very famous for its false positives.

now I am not saying it was a false positive, not at all!! Just that it could be possible. and the fact that the website of Majorgeeks was vulnerable for this type of malware is possible too, every once in a while the admins need to update their forums and sites cause of the malware exposed and vulnerabilites/holes in forums and sites. it could be that they just hadn't updated fast enough.

just my two cents.

Inf.

 

you were just a second faster then me Ronjor, just a second and nothing more

my attention was drawn somewhere else for a sec and bamm

cheers

 

Thanks very much, Ailric, Infinity & Ronjor (Wow - I'm in a gathering of superheroes/heroines!).

Your replies, plus experimentation, have helped me to get an idea of the larger picture, & I realise that I'm going to have to consider getting GIANT to ignore S&D immunisation-related changes (the 'squiresearch' fp & the addition of '139mm.com' and 'cool.ne.jp' to my trusted zone).

I'll research a little more before I do that.

 

I've had no problems so far with majorgeeks, I used it a fair bit when I was trying a few different firewalls.

Jimbob

 

Post by Bourne. removed as it was both off-topic to this thread and provoking argument.

 

Curious...

I just had this very same incident happen to me following a download of Spybot S&D's new beta 1.4 version from Softpedia. The alert popped up during the reboot required, asking me for permission to add "cool.ne.jp" to my "trusted zone" in IE...which I declined.

"cool.ne.jp.", after Googling (which is how I found this thread), appears to be a Japanese domain of some sort, as in ".com" or ".ca", etc.

Anyone ever hear an anwser to this occurance?

 

By the time I finished posting this here, an answer to this had been researched and posted over at Spyware Warriors, where I initiated a thread on this problem...and then spent some hours scouring my computer for a bug, finding nothing.

http://spywarewarrior.com/viewtopic.php?t=9880

Last post on afore thread link provides a response from people at Spybot regarding this occurance, which will be of particular interest to users employing multiple registry moniters, such as MS/Giant, SpywareGuard, and Spybot's TeaTimer.

Might prevent others from wasting a lot of hours chasing...like I did yesterday...what amounts to a false positive of sorts.

 

Hi, Springer.

Thanks for the update.

One thing that concerns me a tad, upon reading the Spyware Warrior thread, is the idea that one should disable one or more of one's 'registry watchers,' as I know from one of the very useful threads in this forum that different security apps watch different 'hives? sections?' (I'm no techie) of the registry.

I run Giant, and have Spywareguard, Spybot (non-resident, although I previously used Tea-Timer; perhaps that left sth behind which contributed to the fp?), Bill P's Scotty the dog (non-resident), & other apps, so I'm a little unsure how to proceed.

I have already asked Giant to ignore one 'site' which popped up in a Giant warning, upon my re-immunising through Spybot. I may just add the cool.ne.jp one to that ignore list in Giant for now.

 

That's a tough one, isn't it?

Registry monitoring is a vital part of keeping these roaches off our computers, and I don't always get alerts from each of them on the same call.

For now, I'm going to run them all.

However, might be a good idea to perhaps put up a "sticky" on this subject, assuming it's going to get to be a bigger problem as indicated by the response from Spybot to this incident.

If nothing else, might save some undue alarm like I just went through.

On the other hand, one doesn't want to encourage users to take these alerts from their monitors lightly, either.

Anyway...

Hope this new info is useful.

Cheers!

Springer

 

the person who started this post mentioned DSO things. What are these when i runa scan with spybot it picks these up and I have chosen to quarenteen these when i have found them. Should Ibe doing this? I should i just ignor them?

 

Yes, as said by INFINITY in post #5.



snowbound