Wiz's Computer and Website Security Blog

In early July, 2010, Firetrust, the makers of the famous anti-spam program: MailWasher Pro, released a brand new version. The new MailWasher 2010 was several years in the making and touts a new user interface, new spam weighting system and a brand new spam filter format.

Previously, MailWasher spam filters were in a plain text file, aptly named "filters.txt" - with each filter on a long separate line, ending with a line feed, but no blank lines between them. Some filters have many individual rules and trying to read and debug them is a challenge. The new version uses a well formed XML format, with indented sections and rules. This is a visually pleasing layout that is easy to read and edit, rule by rule. However, because each rule and condition is on a separate line, the file size is much larger than the old flat text file filters.

As many of you know, I write and publish spam filters for use in MailWasher Pro. I have been writing and updating these filters for years. But, with the release of the new MailWasher 2010, a lot of work was needed to convert the old filter format into the new one. The good news is that as of today, August 22, 2010, I completed the conversion and placed the new "Filters.xml" online. You can view and download them from my aforementioned Custom Filters page

If you already know where to save downloaded filters you don't need this article. Otherwise, you need this information to learn where to save updated filters. Where you save your filters file depends on both your operating system and the version of MailWasher Pro you have installed. Some, like me, use both the old and new versions simultaneously. I continue using the previous version 6.5.4, because it contains direct reporting of spam to SpamCop, for reporting members. And, the previous version has full-featured Mail Statistics and Spam Categories charts. I use the statistics and percentages reports in my weekly spam analysis articles, published on this blog, every Sunday (see my Spam and Email categories). These features are going to be added to the new version 2010 of MailWasher, at which time I and others will stop using the previous version.

If you are here out of curiosity, you can learn more about MailWasher Pro, or try it, or buy it here.

Let's move on with the locations of your spam filters, for various operating systems and versions of MailWasher Pro...

Continue reading "Where to save my updated MailWasher Pro spam filters" »

Posted by Wiz at 1:38 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

Starting with Firefox 3.6.4, Mozilla added a new feature called Crash Protection. This feature watches over three (initially Flash, Silverlight and Quicktime) plug-ins and isolates their tabs, if or when a supported plug-in crashes. Since the browser itself survives the crash, It is possible to reload that tab and hopefully, load the affected plug-in correctly.

However, soon after Firefox 3.6.4 was released, numerous complaints began arriving at Bugzilla, claiming that the new crash protection was making it impossible for those affected to play "Farmville." Apparently, the timeout for detecting a crash was too short, and Farmville was taking too long to load its Flash presentations. The page would halt loading with this message: "The Adobe Flash plugin has crashed."

To rectify the problem Mozilla rushed out Firefox 3.6.6, with a higher timeout of 45 seconds. That should fix the timeout problem for hi-speed broadband customers, but those on low speed broadband (e.g. mobile broadband modems, smartphones, netbooks), less than stellar satellite Internet and dial-up Internet services will still be affected by these timeouts. So, here is a manual workaround that allows you to specify a new timeout value, or even disable the crash protection completely.

How to disable or increase plug-in hang protection in Firefox 3.6.4+

You can disable hang protection to prevent Firefox from killing a hanging plug-in process, regardless of how long it's taking. Crashes in the plug-in will still be caught and will not terminate the browser process.

1. In the Location bar, type about:config and press EnterReturn.
   * The about:config "This might void your warranty!" warning page may appear. Click I'll be careful, I promise!, to continue to the about:config page.
2. The about:config page should appear. In the Filter box, type, or copy and paste: dom.ipc.plugins.timeoutSecs
3. Double click the setting and change the number to -1 to disable hang protection.
4. To maintain crash protection, change the value to a higher timeout, in seconds.
   ** Example: "45" means Firefox waits 45 seconds before declaring that a plug-in has crashed and halts the loading of the page.

You can apply this technique anytime an important web page is hanging because a plug-in is taking too long to load and Firefox declares that it crashed. You can undo your changes by lowering the timeout for normal crash protection.

Posted by Wiz at 4:35 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

I don't know if a Botnet has been mis-programmed, or if some Russian spammers have mistaken my domain for a Russian speaking domain, but I am seeing huge amounts of unreadable Russian language spam over the past month. However, I doubt that I am the only totally English speaking person in the USA who is getting this unintelligible Cyrillic spam.

The why's are unimportant to me, or to you, if you are also getting foreign language spam. A few years ago I was getting Chinese language spam, which is totally weird to look at. Both the Russian and Chinese alphabets look like something out of Star Trek to me. Most people are annoyed when they get any spam at all. But, getting spam you can't even read is worse. Since I can't read the content I have no use in looking at this crap, so I have created spam filters to automatically delete it off my email servers, and I will share them with you.

I have certain systems in place to filter out spam before I download it, but you all might have altogether different measures in place. I will outline my countermeasures, then suggest others that you may be able to use.

My primary tool in the war to secure my inbox is an anti-spam program called MailWasher Pro (MWP). It is a desktop application that intercepts all incoming POP3 email, from all of the various email servers that I use to get and send email. In my extended comments I will reveal two powerful filters that I have created, which combined will automatically delete 100% of the Cyrillic coded spam sent to my various POP3 accounts.

My second tool is my desktop email client; Windows Live Mail (WLM). This is the most recent child of the no longer supported Outlook Express email client, from Microsoft. Outlook Express died when Windows Vista was released. At the same time, Windows Mail was included with Vista. With the advent of Windows 7, Windows Live Mail is the only email client available from Microsoft, as an optional download. Unlike Outlook Express, Windows Live Mail includes a junk filter module, which receives updates from time to time. You can also block incoming messages from your inbox by applying the new "International" filter, which reads the sender's From address or language encoding. If the domain listed in the From field, or the text coding matches one on the blocked countries list, it automatically goes to the Junk Mail folder, or is automatically deleted, according to your choices.

The previous anti spam countermeasures are for people using a POP3 or IMAP desktop email client to download, read, compose and send email. But, many people are still using browser based email systems, like Hotmail, Yahoo, AOL, Comcast, Charter, and other proprietary mail systems from free mail providers, or from their web hosting companies. You folks must search out and apply any junk mail rules available from your email service. I will show you how to apply junk filters to Yahoo and Hotmail, using your web browsers.

Most web hosting accounts now come with the option to enable Spam Assassin. You can turn on Spam Assassin and add the regular expression to block any "From" address containing the domain .ru

Continue reading "Blocking Russian language spam with junk filter rules" »

Posted by Wiz at 11:31 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

For a while now, the freeware Foxit PDF reader, an alternative to the also free and much exploited Adobe Reader, has been shipping bundled with the ASK search engine toolbar. Foxit is doing this because they get paid a commission for each installation of the Toolbar, by Ask.com, which helps offset the cost of developing and updating the Foxit Reader. Ask is a search engine, formerly known as "Ask Jeeves," which has been losing its popularity over the last several years. In an effort to improve their sagging search engine ranking, they have ramped up their partnerships with various software designers who are paid to include the Ask Toolbar in their program installers. In the Foxit PDF reader installer, this toolbar is also called the "Foxit Toolbar, Powered by Ask.com." In the terms of use license that most people usually agree to without reading, the option to install this toolbar is pre-checked by default. Many users of Foxit are used to simply accepting the default options when installing or updating the Foxit software. If you do allow the toolbar to be installed, the terms of Ask Toolbar service is displayed to you, beginning with these words:

"We reserve the right to add additional features or functions to the existing Toolbar. When installed on your computer, the Toolbar periodically communicates with our servers.We may require the updating of the Toolbar ... This update may occur automatically."

However, as of April 2010, Foxit has been altered in the way the Ask Toolbar gets installed, so that it cannot be uninstalled in a simple fashion. According to Ellen7, on a Foxit Corporation Forum, when a user asked how to permanently remove the advertising and Ask Toolbar from the browser, after it was installed with a recent Foxit security update, her reply was: "sorry, the current version can not remove, but will be remove in the next version." (sic). Another person on that forum was told by the Forum Administrator that the current version does not allow you to remove the Ask Search from Foxit, but the next version will allow that option, as well as the removal of the browser toolbar and search changes that are forced by this version (Foxit Reader 3.2.1.401).

Furthermore, people have discovered that even if you uncheck the toolbar option during setup, it is still getting installed, or at least keeps trying to install itself, even when you tell Scotty to block it! Then, when they try to remove it, it remains in their browsers, including the current version of Firefox. Once installed, your default search engine is forcibly changed to Ask.com. Normal procedures to switch back to Google or Yahoo are met with resistance by the Ask Toolbar, which remains active even if you uninstall it via Control Panel, or via the Add-ons utility in IE and Firefox.

Freeware software that bundles advertising and toolbars that are difficult to remove, or the removal of which break the functionality of said programs, are known in the security business as "Adware." Adware that sends home details about the browsing history of users is also sometimes called "Spyware." Programs that fall into this category are also affectionately referred to as PUPS, meaning Potentially Unwanted (or Unpopular) Programs. Most anti spyware programs will detect such applications and remove them from your PC during or after a scan, if you choose to have them do so. Some of the better known anti spyware programs that remove Adware and PUPS include Spybot Search and Destroy, Ad-Aware, and Malwarebytes Anti-Malware (a.k.a: MBAM, which also removes most really nasty spyware, rootkits, keyloggers and fake security alerts).

Instructions for manually resetting your search preferences in Internet Explorer and Firefox are found in my extended comments. Use them if the Ask Search Toolbar has hijacked your desired search engine in your browser.

Continue reading "The Foxit PDF reader is becoming an Adware supported P.U.P." »

Posted by Wiz at 5:02 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

For the past few days I have discovered that a script, or person operating a server farm, at Ubiquity Server Solutions, is attempting to post spam trackbacks to my blog. I don't even allow trackbacks on my blog, for this very reason, yet, this spamming idiot keeps blasting away with his script, ignoring a constant flow of Server 403 (Forbidden) responses. The page that the spammer is trying to POST to is no longer on the blog database, having been deleted in the spring of 2006! So, he is wasting his time and amusing me as I look at all the IP addresses I can add to my Exploited Servers Blocklist.

In fact, I have discovered that this blog trackback spammer is using a server farm assigned to Ubiquity Server Solutions, in Seattle, Washington, USA. Their full assigned CIDR is 64.120.4.0/22, covering IPs ranging from 64.120.4.0 through 64.120.7.255. However, to be fair to this clueless hosting service, the spammer is rotating through a group of servers with IP addresses only in the range of 64.120.5.0 - 64.120.5.255. To minimize possible collateral damage to innocent hosting customers, I am only blocking the narrow range encompassed by the CIDR 64.120.5.0/24.

UPDATE
November 20, 2009

Ubiquity Servers is now hitting MovableType blogs with trackback spam exploit attempts from a different CIDR: 174.34.144.0/23. I have updated the evidence and blocklist rules below to include this new CIDR.

The evidence:

174.34.145.115 - - [19/Nov/2009:12:59:57 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
174.34.145.117 - - [19/Nov/2009:15:16:17 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"

64.120.5.197 - - [18/Nov/2009:07:07:08 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.241 - - [18/Nov/2009:07:12:57 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.246 - - [18/Nov/2009:07:32:26 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.254 - - [18/Nov/2009:07:49:48 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.236 - - [18/Nov/2009:08:22:27 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.196 - - [18/Nov/2009:08:30:16 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.225 - - [18/Nov/2009:08:49:54 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"

Enough already! You will notice that the spammer is only attempting to POST to two items. One is identified as blog entry number 18, which dates back to May of 2006 and was deleted from my blog in early 2007. The other target of this hapless spammer is an article I wrote about "Stupid Blog Trackback Spammers"not understanding a 403 Forbidden response, when they try to post trackback comments to a blog that has all trackbacks and comments disabled! There are no trackbacks or comments allowed on my blog! Spammers cannot POST anything!

I find this amusing, but others who do allow trackbacks or comments may not be so amused by this a-hole, whom I previously may have traced to Romania. If your website is hosted on an Apache web server, you can serve him a steady diet of Server 403 Forbidden responses by blocking his IP CIDR and his user agent in your public web root .htaccess file, as demonstrated below.

Options +FollowSymLinks
RewriteEngine On
RewriteOptions inherit
RewriteBase /

RewriteCond %{HTTP_USER_AGENT} ^tbr/0\.1\.0$
RewriteRule .* - [F]

Details about the .htaccess file are found in my extended comments.

Continue reading "Block trackback spammer operating on Ubiquity Server Solutions" »

Posted by Wiz at 2:16 AM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

When it comes to hackers and cyber criminals using leased, co-located, or hijacked web servers to attack other web servers, one of the top culprits I see in my daily access logs is traceable to ThePlanet.com, based in Dallas, Texas. More server attacks originate from their IP addresses during any givien week than from anywhere else. This has been the case for at least three years in a row.

When I say "server attacks" I am referring to attempts to hack a web server, or website, by sending codes to it that are designed to exploit unpatched versions of software commonly used by website owners. Most attempts involve trying to upload or inject a hostile file to a PHP script that is known to be exploitable. These are known a PHP Injection Exploits. Of those targeted scripts, the one that I see almost every day, in my access logs, is the Coppermine Gallery script. Hardly a day goes by that some script kiddie, or hacker, or bot tries to upload or inject hostile files to my server via Coppermine exploits, as demonstrated in the following actual log entry:

WHOIS - 70.85.136.34
Location: United States [City: Dallas, Texas]
OrgName: ThePlanet.com Internet Services, Inc.
NetRange: 70.84.0.0 - 70.87.255.255
CIDR: 70.84.0.0/14

Definition of CIDR
In the above results, the last item shown is the CIDR of the entity in question. CIDR stands for "Classless InterDomain Routing." It is designated by appending a forward slash and number to the end of a starting IP address, to designate an entire range of IPs assigned to that entity. In this case, 70.84.0.0/14 covers all IPs between 70.84.0.0 trough 70.87.255.255.

The CIDR covering ThePlanet.com is shown to be 70.84.0.0/14, but they have other assigned CIDRs that are used by hackers and spammers. All pertinent CIDRs that I have discovered to this date for ThePlanet.com are listed further down in this article, in "deny from" rules, which are referred to as a "blocklist." I have also thrown in IPs belonging to Everyone's Internet and Rackspace, both favorites of spammers and hackers. Any IP address that is covered by one of the CIDRs in the blocklist will get a server 403 Forbidden response, no matter what page they try to view on a website that employs these rules.

Furthermore, I have included a ".htaccess" "Mod_Rewrite" rule to block the exact user agent "Mozilla/5.0" - which is a known hacking tool. Read on and learn to how protect your Apache web server, or Apache hosted websites, from exploit attacks coming from ThePlanet and the like, or Mozilla/5.0 hack tools.

Continue reading "Block server exploit attacks coming from ThePlanet IP space" »

Posted by Wiz at 2:33 AM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

On September 1, 2009, Microsoft changed the way their Hotmail email servers communicate with POP3 - SMTP desktop email clients. As of this day you cannot send or receive Hotmail through Outlook Express, period; finito, kaput! You must change to a different desktop email client, like Windows Live Mail. Microsoft Outlook users can download and install the Microsoft Outlook Connector to continue to access Hotmail. The details about these changes and what you need to do follow.

If you use Microsoft Office Outlook to send and receive through Hotmail, you can download the free Office Outlook Connector to continue accessing your Windows Live Hotmail within Outlook 2003 or 2007. If you run an older version, read this information.

If you use Outlook Express (OE) to view Hotmail, you can choose to download the free Windows Live Mail (WLM), which resembles Outlook Express, but is much more powerful, less prone to crashes and contains a junk filter. You can import all of your saved .eml messages and accounts from OE into WLM (via Export/Import, or drag and drop between email clients). You can also import your personal folders from OE. The view is a little different, but you'll get used to it. You can find help on this page with exporting messages from Outlook Express into WLM.

If you are using Entourage to send and receive Hotmail, read these instructions to continue connecting to the new servers.

New Mail Server Names:
There are also changes to the names of the Hotmail POP3 and SMTP mail servers, which now use a technology known as "Delta Sync." The new incoming POP server is: pop3.live.com and the new outgoing SMTP server is: smtp.live.com. You must also change the incoming and outgoing ports, as outlined in my extended content, under "New mail servers and ports."

Continue reading "Hotmail POP access method changed on Sept 1, 2009" »

Posted by Wiz at 2:51 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

About Spybot Search & Destroy

Spybot Search & Destroy (S&D), a product of Safer Networking Ltd., is a free ("donation-ware") security program that is used by millions of people to fight off spyware, keyloggers, Trojans, Botnet executables, adware, hostile domains, unwanted cookies and other types of malware in the wild. Being freeware it lacks some functions that are commonly implemented in commercial security programs. It has only manual updates, which are usually released once a week, on Wednesdays (see my regular weekly articles about new updates), and limited scanning presets. Most functions must be carried out manually, but hey, it's free! Despite these limitations Spybot S&D is a well respected and effective anti-malware tool to add to your arsenal.

Spybot Search and Destroy can be downloaded for free from either www.spybot.info, or from www.safer-networking.org, or several official mirror sites. Don't fall for fake versions distributed by rogue anti spyware websites. Approved download mirror sites are listed on the Spybot S&D downloads page.

Once downloaded you should install the program onto your hard drive. There are installation options to watch for and the options you select will affect the normal operation of the program, when launched. One of the installation options is for the "TeaTimer" module. This is a realtime monitoring component that sits in your System Tray and launches itself into action whenever a change is about to be made to the system, the Registry, or your browser's home or search page. The program pops up little balloon alerts asking if you want to allow or deny the changes, or even notifying you that a suspicious program file was terminated automatically. These balloon popups can be annoying at times, although you can tell TeaTimer to remember your decisions. Unfortunately, there have been several serious false positives reported in the Spybot forums concerning the TeaTimer module deleting harmless files necessary for the operation of other programs or Windows itself. Lately, these false positives are becoming fewer and further between. It is your choice whether you want to use the TeaTimer module. I would keep Windows System Restore turned ON in case TeaTimer renders an important program, or part of Windows itself unusable (use the "Last known good configuration" startup option).

No matter which options you choose to install the program with, always select the option to update the program immediately. You can select or deselect all options later on, using the Advanced Mode. Once installed and updated it is time to Immunize, then scan for threats. These steps are described in my extended comments, along with download and forum links and more instructions about using Spybot Search and Destroy.

Continue reading "How to use Spybot Search & Destroy to fight malware" »

Posted by Wiz at 2:39 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

Takeaway

This is a technical article about securing a Perl "FormMail" script against spammers who attempt to hijack these scripts for use as spam relays. For those not in the know, FormMail, written in the "Perl" scripting language, is one of the original mailer scripts freely available for general use on websites. It is used by millions of webmasters to send email from a web page form. However, unbeknown to many webmasters, older versions of FormMail are totally insecure and can be exploited as spam relays.

History of FormMail

The original version of FormMail was written in 1995 by Matt Wright and was made available for free on his website: Matt's Script Archive. Unfortunately, the early versions of his FormMail script were very insecure and easily turned into spam relays. This fact was seized upon in 2002 by spammers who used bots to scour websites in search of these exploitable scripts, by name or variations thereof. In response, on April 19, 2002, Matt rewrote his FormMail script to secure it better and released it as version 1.91. This was to become the final version of Matt's FormMail. It remains mostly insecure to this day, yet is in use by website owners around the World who haven't learned about the exploits targeting FormMail.

Several years ago I wrote an in depth web article describing the vulnerabilities in Matt's FormMail, partially titled: FormMail Security Vulnerabilities and Solutions, in which I also recommended a drop in secure replacement script known as NMS FormMail, which was developed by a group of calling themselves the London Perl Mongers. My article is still a valuable resource and will bring most webmasters up to speed on what they need to do to protect their websites from FormMail exploiters. Following my recommendations will certainly help to secure any FormMail scripts you may be using. It will also protect your email account(s) from being harvested by creating alias numbers for them, in NMS FormMail, instead of using plain text addresses to submit to. But, there's more you can do that wasn't covered in my original article.

Securing FormMail - 101

One of my recommendations was renaming your FormMail script to something other than its default spelling: formmail.pl. While this makes it a little harder to locate the script for hostile bots it is useless at protecting it against human spammers. All they need to do is to read the source code of your contact, or feedback pages to get the name of the script that processes your forms and mails comments to you. Then they can go after that script by its new name to try to exploit it for use as a spam relay. If it really is an insecure version of Matt's FormMail it will be used as a spam relay! If you are running your website on an Apache web server, as most of us are, there are special codes, called Mod_Rewrite Directives, that can be applied to a particular server file named .htaccess to completely hide the name of the renamed script, protecting it from being used as a spam relay. If you are allowed to add these directives you can make your FormMail script invisible to spammers.

Read the rest of the details in my extended comments.

Continue reading "Securing FormMail scripts against spambots" »

Posted by Wiz at 2:15 AM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

Yesterday, April 30, 2009, when investigating a problem with an associate's websites, I traced a cross site scripting iframe exploit, pointing to a malware middleman website at tojandglow.com, which redirects victims to a hostile server hosted in the Ukraine by Eurohost LLC. This Ukrainian server is currently dispensing malicious software that includes 9 Trojans, 7 scripting exploits and 1 virus.

The hostile iframe code was injected into the home pages of two related websites by exploiting vulnerabilities in a PHP script used by the webmaster of those websites. The server dispensing the exploits is located at 91.212.65.138, which coincides with the Eurohost home page. The CIDR assigned to Eurohost is 91.212.65.0/24 and you should block access to it in your firewall IP blocking rules, or in your Windows HOSTS file. Examples of how to do both are found below.

Any website that is running php or cgi scripts is in danger of becoming an inadvertent carrier of the redirection iframe that leads your innocent visitors to servers that are rigged to exploit a variety of exploitable vulnerabilities in their browsers, or browser add-ons, plug-ins, or helper objects. Some of the most frequently exploited applications are Internet Explorer (any version prior to 8.0), Adobe Flash, Adobe Reader and Apple Quicktime. Other exploited programs include Apple Safari, Google Chrome and occasionally, Mozilla Firefox. On rare occasions the Opera browser and the Java plug-in are vulnerable to targeted attacks. Firefox and Opera browsers are usually updated very quickly after a vulnerability is reported to their maintainers. Plug-ins usually take longer to update because they have to interact with so many other items and applications.

Webmasters and server administrators, you are responsible for keeping up to date with patches released by software authors, for any applications or scripts that you choose to run on your websites. Information to help you protect your websites and servers from getting exploited by hostile injection probes is in my extended comments.

Individuals browsing the Internet are the real targets of all of these injection attacks. This includes everybody reading this article. You and I have to constantly remain vigilant about threats to our computers' security. New exploits are found every month and are often released in the wild before software authors can respond with patched versions. Those are called zero day exploits. There are several ways to protect your computers from these exploits, including, but not limited to keeping up to date with all Windows, Mac or Linux updates and patches, and patches for commonly exploited third party browser add-ons, like Flash players, PDF Readers, Quicktime and Java plug-ins. Your next line of defense is a combination of security programs encompassing a 2-way firewall, anti-virus and anti-spyware and web threat protection that blocks hostile web pages. Or, you can install one top-notch security suite, like Trend Micro Internet Security and have all these protections and more in just one regularly updated package. There are links to reputable security products in the right sidebar on all of my blog pages.

Windows users have an additional means of protecting their PCs from visiting hostile websites. There is a special file, normally found in (C):\Windows\System32\Etc\, with the unusual file name: HOSTS . Although it has no file extension it can be opened and edited using the built-in Windows Notepad. The HOSTS file takes input in the form of IP addresses and website URLs, separated by a tab or multiple spaces. To protect your computer from being redirected to the hostile tojandglow website, or the Ukrainian server it tries to redirect you to, open your HOSTS file and edit it using these steps.

1. Using Start > (My) Compute, double-click on the C drive icon, then navigate to your Windows\System32\etc\ folder.


2. Inside the "etc" folder you should see a file named "Hosts" You may have to unhide system files before this file can be seen. See my extended comments for details on how to do this.


3. Right-click on the file named HOSTS and choose (left click) Properties


4. Find the attributes section starting with "READ-ONLY" and uncheck it if it was checked


5. Click Apply and OK to close the Properties window.


6. Right-click on HOSTS while holding down the Shift key and select "Open With"


7. Scroll through the programs list until you find "Notepad" and double-click on it


8. If Notepad isn't listed you will have to use the browse button to navigate to the Windows folder, where Notepad.exe is located.


9. With HOSTS open for editing go to the last line in the file and hit ENTER


10. Add these lines, with a tab after each 127.0.0.1:
    
    
    
    • 127.0.0.1       tojandglow.com
    
    
    • 127.0.0.1       91.212.65.138
    
    
    • 127.0.0.1       91.212.65.0/24
    
    


11. Click File > Save and in the File Type selection, choose All FIles and save it as HOSTS, without an extension.


12. Windows may decide to add a .txt extension anyway. If it does, allow this, then right-click on the saved file and delete the .txt extension. Answer the challenge about changing file extensions.

BTW: If you see any 127.0.0.1 entries referring to microsoft.com in your HOSTS file, remove them! Malware put them there to prevent you from getting Windows Updates or Microsoft security downloads. Ditto for any recognizable security vendors' websites.

Continue reading "Block Ukrainian Malware Server on Eurohost" »

Posted by Wiz at 5:10 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

Although I use Firefox as my primary (default) browser and web design test tool, I have kept the latest version of Opera browsers installed as well, just to make sure it renders my layouts correctly. Today, March 3, 2009, I received a security alert that Opera Software, of Norway, had released a security update to the Opera Browser. This was in response to a vulnerability reported on CERT, on March 3, 2009. The new version is number 9.64. Like I usually do, I downloaded the new version, ran the setup file as an Administrator (using Run As), from my XP Professional Power User account and upgraded from the previous version (9.63). When Opera opened everything looked fine and I closed it and went on about my business, working with html files I was editing.

Begin Rant:

I was about an hour later, still logged into my Power User account, that I went to the still open directory where these .html files live and double clicked on one, expecting it to open in Firefox, which is my default browser. Instead, to my surprise, it opened in Opera! I had not made any changes in the setup of Opera. I told the program to perform an Upgrade installation, just like the previous versions had been. None of them ever stole my default browser association and few even asked about being made the default browser. This is something new and as it turned out, slightly difficult and aggravating to resolve.

When I found that Firefox was not opening .html files any more I checked its options to see if it was still the "default browser;" which it claimed it was. Had it not been, I would have been able to make it so, using the Check Now button (Tools > Options > Advanced > System Defaults). But, Firefox thought it still was the default browser, so I tried disassociating .html files within Opera, but nothing changed. About that time I decided switch to my Administrator level account to uninstall Opera and see if it gave back the previous association to Firefox, but no luck. I went into Set Access and Defaults and reset Firefox as the Default browser, which worked in the Admin account, so I logged off it and back into the Power User account. Note, that you cannot change the Program Access and Defaults from a Power User account, only an Administrator level account, in XP.

Back in my Power User account I found that it now associated .html files with Windows Notepad! Every html file I double clicked on opened in Notepad, not Firefox! I decided to do an end run around the Windows File Association defense and right clicked on an html file, in the aforementioned folder, and chose Properties. The Properties sheet showed the html files opened with Notepad and offered a button to Change that. I used the button and chose Firefox to open .html files, clicked Apply and OK. When I tried opening an html file it still wanted to use Notepad, so I restarted the computer. This act alone cures a lot of mess-ups and it fixed this one.

The point of this article isn't just to show my readers how to recover from a browser file type association theft, but also to let Opera Software know that one of their users is pretty #@$%*~ off right now about having to go through all this work to keep a long ago established file type association that their update broke, without any word of warning. Also, it may be a long time before I reinstall an Opera Browser, which I was only using to test website layouts for compatibility anyway.

End Rant

Posted by Wiz at 5:21 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

According to a recent study by the BeyondTrust Corporation, titled "92 Percent of Critical Microsoft Vulnerabilities are Mitigated by Eliminating Admin Rights," most known and as yet unknown Windows exploit attacks will fail if the targeted PC is being operated with reduced user privileges. This means not running as an Administrator.

BeyondTrust's findings show that among the 2008 Microsoft vulnerabilities given a "critical" severity rating, 92 percent shared the same best practice advice from Microsoft to mitigate the vulnerability: "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." This language, found in the "Mitigating Factors" portion of Microsoft's security bulletins, also appears as a recommendation for reducing the threat from nearly 70 percent of all vulnerabilities reported in 2008.

As far back as May, 2007, I have published blog articles professing the added security to be gained by operating a PC with reduced user privileges. Furthermore, I published a web page titled: User Account Privileges Explained, describing the differences between the various types of user accounts available in Windows 2000 and XP. That page also contains instructions for elevating reduced user privileges by using the Windows "Run as" right-click option, when installing, or launching a program that was built with the assumption that a member of the Administrators Group would be running it.

Some of the benefits derived by reducing your user privileges for your daily browsing account may include the following:

• Most viruses cannot be installed


• Most spyware cannot be installed


• Most adware cannot be installed or survive a reboot


• Browser BHOs that hijack your home page and search may not be fully installed, or survive a reboot


• Rootkits cannot be installed


• Mistakes you make by visiting compromised websites will probably fail to cause any damage


• Botnet executables cannot take control of your computer


• Fake anti virus or anti spyware popup alerts will not be installed, or survive a reboot


• System Restore, Windows Defender, the Windows Firewall and Automatic Windows Updates cannot be disabled


• Your HOSTS file cannot be poisoned


• Worms, like the Conficker Worm cannot be installed, even via AutoPlay/AutoRun exploits


• Changes cannot be made to the HKLM branch of the Windows Registry


• Some programs cannot be installed, unless you use "Run as"


• Files cannot be saved to, deleted from, or overwritten with fake copies, in the Windows and System32 directories and sub-directories

Continue reading "Running a PC with reduced user privileges stops 92% of malware" »

Posted by Wiz at 7:34 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

Takeaway:
This article about (disabling) AutoPlay was supposed to be a sub-section in another article that I am composing about the Conficker/Downadup Worm, but in light of fresh information it has been promoted into its own article. If you already understand how AutoRun works skip down to the "Solution" section, in my extended comments.

AutoPlay is a long time feature included in all Windows operating systems from Windows 95 onward. It allows both data, video and music CDs and DVDs to start automatically when a pre-recorded disk is inserted into the player tray and the tray door is closed, which is a convenience for most users. With Windows XP onward when you insert a blank recordable disk into a media recorder a box will popup asking what you want to do. This is familiar stuff by now.

When you plug in a USB thumbdrive, camera memory module, external USB drive, Firewire disk, or map a network drive, one of two things usually happens. Normally, a box pops up asking what action you wish to take, with a default action highlighted. Most people usually choose to open these drives in a folder view and often select the option to remember that decision and not ask again. If they have selected that option the next time they plug in such a drive or module the device will automatically open as expected, without prompting.

When an external drive or device is plugged into your Windows PC and AutoPlay is on (which it usually is), a normally hidden file named Autorun.inf, in the root of that drive, can cause a program on the device to execute immediately. This is how setup programs run automatically when you insert a program installation disk. These Autorun.inf files are usually very small files, contain just a few lines of code, pointing to the setup executable, and are viewable in Notepad.

However, malware authors have begun exploiting this feature to spread their viruses and hostile programs to computers via removable drives and memory sticks, using the hidden AutoRun.inf to automatically run the Conficker/Downadup Worm's installation routine. This happens the moment that the device is plugged into an unpatched PC. This is one of the ways this Worm spreads in multi-computer environments. If an employee acquires the Conficker Worm while out of the office and then saves work documents to a thumbdrive, then plugs that drive into his or her work computer, the Worm can infect that computer, then attempt to infect the entire LAN!

To protect networks and standalone computers from becoming infected via removable drives that are infected various sources have recommended disabling the AutoPlay feature. Microsoft has entire pages devoted to this trick. Also, I have read details about fine tuning your AutoPlay restrictions so they only apply to removable drives, not CDs and DVDs. This all sounded like a good preventative measure until today, when I read Technical Cyber Security Alert TA09-020A, on the US-CERT website. That bulletin makes it clear that simply disabling AutoPlay via Group Policy or the recommended Registry hacks would NOT prevent infections via removable devices. This is because these hacks and workarounds do not address the problem that Autorun.inf is still parsed for instructions, which are then executed automatically, even if AutoPlay is turned completely OFF!

From the CERT bulletin:

The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file.

By placing an Autorun.inf file on a device, an attacker may be able to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer.

Read my extended comments for solutions to this vulnerability.

Continue reading "How to effectively disable AutoRun-AutoPlay in Windows computers" »

Posted by Wiz at 11:29 AM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

On July 24, 2006, I wrote a technical article on my Blog titled: "Using Windows Task Scheduler to Check for/install AVG-Free Anti Virus Updates." It described a simple method end users can apply to cause the AVG Free 7.5 Updater file to run every hour, instead of just once a day.

Now it is the summer of 2008 and AVG Free is at version 8.0, with version 7.5 set for discontinuation on December 31, 2008. The AVG Free updater still only checks once per day, but the command that worked in the previous version also works in version 8.0, with some path and file name adjustments. (AVG paid versions do allow multiple daily updates and scans).

If you use AVG Free 8.x and want to have it check for updates on an hourly basis (or some other personal schedule), the information that follows will guide you through the process. I am writing this using Windows XP Professional, so these details may be different if you use Windows Vista.

You can find information about the new Task Scheduler for Windows Vista here (Microsoft MSDN), or at LifeHacker.com (lots of screen shots - JavaScript required).

Once you locate the AVG updater executable, "avgupd.exe," highlight it and click Next. Type a name for this task in the top input field. I used "AVG 8 Updater." Select the "radio" option "Daily" and click Next. Select a start time and day, making sure you also select "Every Day," or "Weekdays," depending on your requirements (home or office).Click Next. Enter a User Name and Password, if you have one assigned to your logged in identity, then click Next. If you want to fine tune your options for the updater task check the box beside "Open advanced properties for this task when i click finish."

The Advanced Properties page is where you enable or disable the task, change the schedule, manage the power settings, and decide if you want to wake your computer to run the task.

Here are the settings I used in my AVG Free 8.0 Updater scheduled task:

Task tab
Task: AVG 8 Updater
Start in: "C:\Program Files\AVG\AVG8"
Run: "C:\Program Files\AVG\AVG8\avgupd.exe" /SCHED=

Schedule tab
Schedule Task: Daily - (set a start time) - (AM/PM)
Schedule Task Daily: Every 1 day
Advanced button on Schedule Task
Check mark in "Repeat Task"
Every: 1 hours
Duration: 24 hours

Settings tab
Scheduled Task Completed: Stop the task if it runs for: 1 hour
Power Management: Check box for "Wake the computer to run this task" (NOT recommended for hourly tasks)

Make any other setting changes you want, then click Apply, then OK.

Also, under the Security tab, make sure that your logged in identity is allowed to run the task, if you are not an Administrator. If you run Windows 2000 or XP Professional you can make your daily browsing account a Power User and add yourself to the Backup Operators Group. This allows you to schedule and run backups and other tasks.

You can learn about protecting your Windows PC by running as a reduced privileges user, on my Blog article: Limited User Privileges Protect PCs From Adware, Rootkits, Spyware and Viruses, or on my FAQs page titled: Windows 2000 and XP User Account Privileges Explained.

Posted by Wiz at 2:06 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

I began experiencing problems Monday night (June 9), after using Acronis True Image 11 to restore my Windows XP Professional SP3 computer, after an experiment trying to convert my setup from single SATA to SATA RAID failed miserably. Lesson #1: If the OS is already installed and you were thinking about converting the boot system to RAID, FORGET IT!

After I finally forced my boot drive out of being labeled as a dynamic RAID disk I was able to load a saved image onto it and boot back into Windows XP (SP3), after 13+ hours of downtime. More on how I did this in my extended comments section.

Anyway, once I finally got back into Windows I left the computer alone for a while and did other things. When I came back to check for new email and see if my scheduled Windows and Acronis backup tasks were running all I saw was a hideous BSOD, with a Stop Error labeled: "BAD_POOL_HEADER," followed by these machine debug codes: STOP: 0x00000019, 0xE106F3F8, 0xE106F418, 0x0C040401. At first I thought this was a simple glitch, but I found out it wasn't, later on. My solution is further down this article.

While I was trying over and over to restore my saved image, using the Acronis Recovery CD, to one of the 250 Gb hard drives that I mucked by by initializing RAID, I noticed that my external USB drive was not listed as an accessible location for restoring a backup image, even though it was connected and turned on. I had images on both an internal and external hard drive, with the most recent being on the USB drive. So, I got out of Acronis and tried booting from my Ubuntu Hardy Heron (8.04) live CD. My intention was to copy the newer image from the USB disk to the internal backup disk. When I got into the Linux desktop and opened "Computer" I saw both the internal and external disks, with their correct disk labels, but was unable to "mount" (open) either of them! The error message pop-up contained the following information (my interpretation, not verbatim):

This disk cannot be mounted because it is marked as being in use by Windows. This is sometimes caused by improperly removing a connected device without first ejecting it using the "Safely Remove Hardware Wizard."

So, here I was, back in Windows again, with the USB drive turned on and fully visible through My Computer. I dutifully went to the System Tray and right-clicked on the Safely Remove Hardware icon, to do it the right way, and was greeted by another cryptic pop-up error message, saying:

"An exception occurred while trying to run "Shell32.dll, Control_RunDLL hotplug.dll."

How I fixed the BSOD Stop Error BAD_POOL_HEADER
In the beginning of this article I told you about getting a BSOD whenever a scheduled Windows Backup requiring "shadow copy" was initiated (save System State). I narrowed this down to only a System State backup causing the Stop Error. The solution was similar to the hotplug issue, but, instead of "Updating" the driver for each Generic Volume, I "Uninstalled" each of them, then rebooted twice. After the second reboot they were fully re-detected and ready to use and the hotplug problem was also gone. This is probably the best way to fix these problems.

Continue reading "Disk problems after restoring an image and how I solved them." »

Posted by Wiz at 2:16 AM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

In Today's World the Internet is no longer a safe place for Windows PC users (not that it ever was). Criminals are exploiting vulnerabilities in web sites, web servers, email, browsers, and unsecured, or under-secured Windows OS computers.

Some of the current exploits making the rounds are using JavaScript functions to install malware onto vulnerable Windows based PCs. Some of these exploits are being secretly installed into the operating system of web servers, thus causing the exploit code to appear on every web site hosted on that server (a horrible situation). The individual web site customers are at the mercy of their hosting company to detect and repair the rootkit infection that adds the exploit codes to every home page on that server. Web hosts are usually informed about such exploits in the wild, that target their operating systems and they usually apply the necessary patches and re-compile the Apache Kernel, or Windows Server OS, as soon as possible.

Another related attack vector comes from individual web sites, if they are using insecure scripts, for which various hackers are searching. Hackers send bots to probe every website they can find, following links in search results, and on websites they have already visited. The bots are programmed to attempt to run various types of exploits against that website. The exploit attempts I see most often involve trying to exploit PHP scripts, or web pages, to perform http redirects to hostile scripts, hosted on other servers. A website owner who is not fully up to speed about security issues may install a vulnerable script, or copy insecure code from an open source project, only to have his website used a a redirector to hostile codes.

Finally, there are JavaScript exploits being used on the web pages hosted unknowingly, on Windows computers that have been taken over by the Storm Trojan. When people are enticed to visit those web pages the JavaScript routines will attempt to download and run hostile code against them, which if successful will add their computer to this ever-growing BotNet. See my recent blog post about the Storm Botnet, or search my blog for the phrase "Storm Trojan."

Here are 10 steps that PC users can take to protect their computers from all JavaScript exploits.

1. Apply all available Windows/Microsoft Updates, including Office product patches. This is a MUST DO.


2. If you have not updated your copy of Internet Explorer to version 7, do so now, then use Windows Updates to apply all released patches for it. IE 7 has built-in security features that simply cannot be applied to previous versions of that browser.


3. Set your Internet Explorer security level to medium high, or high. This will cause prompts to appear when scripts are asking for permission to run, which will be on almost every website you visit. This will drive you crazy, but at least give you a fighting chance.


4. Turn on the anti-phishing filter in IE 7.


5. To avoid the craziness that goes with securing Internet "Exploder," download and install the latest version of the Firefox browser, make it your default browser for browsing the Internet. Firefox does not run ActiveX controls at all and does not allow stealth downloads or installs. Every add-on or download must be manually approved. Set the options in Firefox to automatically check for updates to both the browser and any add-ons you've installed.


6. Install the No-Script add-on for Firefox, which blocks all known JavaScript and iFrame exploits, if you configure it properly. No-Script blocks JavaScript functions on websites, by default, but allows you to override it selectively, for sites you trust.


7. If you are uncommitted regarding an Internet Security product, try Trend Micro PC-cillin Internet Security 2008. It has resident shields that will intercept hostile scripts embedded in web pages, before they are downloaded to your browser. It also removes viruses, rootkits and spyware.


8. If you are currently operating as the Computer Administrator you should consider reducing your exposure to malware by changing to a Limited User account. This is not a trivial matter, but offers tremendous protection against accidental infections. I have also posted an article on my blog explaining how running with reduced privileges can protect you online.


9. If you are on broadband Internet make sure that you have a NAT (Network Address Translation) router between the modem and your computer. NAT routers hide your computers from incoming TCP/IP and UDP probes by malicious scripts and infected computers. Some modems have built-in NAT router sections, but some don't. A straight connection from a broadband modem to a PC can make it vulnerable to scripted attacks aimed at your TCP ports. A software firewall is a must for PC owners. Windows XP and contains a built-in one way (incoming) firewall, while Vista has a two way firewall (in and out).


10. Scan for acquired malware threats often, using up-to-date applications and definitions.

By applying these 10 steps you will have secured your PC as much as possible, while still allowing it to function on the Internet. The advise about running with reduced user privileges has been officially applied by Microsoft, to their Windows Vista operating system. Vista users normally operate with reduced privileges, unless administrator overrides are required to install, or uninstall a program or driver. It is still up to the user to determine if this is safe or not.

In the end, it is always up to the computer owner to decide what level of security they can tolerate, and what programs or add-ons they will allow to be installed onto their computers. If the user is duped by a cleverly worded spam email message, into clicking on a hostile link, no security warnings known to man will prevent them from installing what might turn out to be a Trojan horse application. It happens every day! Be vigilant and practice safe Hex!

Posted by Wiz at 3:22 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

Back in the days of Windows 95 I bought a program called PowerQuest Drive Image. Drive Image allowed me to take snapshots of my entire hard drive and save them to other hard drives, to be used to recover a failed master hard disk. Drive Image contained a fabulous utility named Magic Mover, which allowed me to move entire programs, with all of their settings and distributed system files, from one PC, or partition, to another. Unfortunately, Powerquest is no more, along with Magic Mover.

While answering questions on a computers section of a specialty forum, where I act as moderator, a member asked questions about moving programs, settings and preferences from his XP computer to his new Vista computer. Another member pointed him to the Windows Vista "Easy Transfer" utility, which can "move" a number of programs, which it knows about, from an XP computer to the Vista computer, over a cable or network connection.

Unfortunately, the original poster had programs he wanted moved, but are not listed in the Easy Transfer database. That's when another member mentioned a program by LapLink, called PCMover. This program can indeed move any or all of your programs, files, settings, or desktops, between two computers running Windows 95, 98, NT, Me, 2000, Media Center, XP, or Vista. Instead of taking one or more days to migrate all of your programs and settings, you can do this with PCMover in a few hours, or less.

PCmover can migrate your PC across a network, Laplink USB cable, Laplink parallel cable, Windows Easy Transfer Cable, or any type of removable media that can be read by both PCs. If your computer has multiple users, PCmover gives you the option to migrate some or all of the users at once. The security information about file ownership and access control is preserved for each user. You can even use PCmover to migrate your PC to an Intel-based Mac!

A single license of PCmover ($49.95) allows you to migrate from a single old (source) PC to a single new (destination) PC. Additional migrations require the purchase of additional licenses. For most end users this is not a problem, since they rarely have to perform such major transfers of programs. There is significant discount pricing available from LapLink, for people or businesses requiring multiple computer migrations, in 5 or 10 packs of migration licenses. Upon payment of a migration fee, the software transfers files and settings from your old computer to your new computer.

You can read more about PCMover - here.

Posted by Wiz at 12:53 AM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

By now most of you have seen hundreds of "Postcard" email scams in your inboxes and are getting tired of hitting the delete button (hopefully you are deleting them!). These messages have subjects containing phrases implying that a Friend, or Class-Mate or "Worshipper" (etc) has sent you a postcard, or ecard, or greeting postcard, etc. They all contain false details about an alleged e-card that is waiting for you if you click on the link supplied, usually with a numeric IP, followed a forward slash, a question mark, then a bunch of random characters, leading to a compromised PC hosting a web page containing hostile JavaScript to redirect you to a website that has the Storm Worm infector. Anybody who is foolish enough to click on that link, in a Windows PC, or Windows powered hand-held device, will probably be infected with the Storm Worm, or a variant thereof, and their PC will become a spam relay in a BotNet.

If you use MailWasher Pro to screen your incoming email I have an automatic solution for detecting and deleting these, and most other spam messages in the wild; my custom MailWasher filter rules targeting current types of spam. MailWasher Pro uses a text file called filters.txt to list custom conditions for identifying and acting against spam that matches the statements in these user configurable rules. A default installation produces a very basic filters.txt file, which is waiting for you to add your own custom rules to it.

If you don't know how to create your own MailWasher filters, visit my MailWasher Pro Filters page, where you will find my own list of custom filters for use with the MailWasher Pro email program. The filters will load into an iframe in the middle of the page (No, this is not an exploit, just an HTML inline frame with visible contents). There is a large set and a smaller set of filters. I use the smaller set which is targeted at the most recent varieties of spam in the wild. The large set includes the new rules plus anti-spam rules going back about 5 years.

To use my filters in your MailWasher application you should first copy the contents of the set you prefer to use (click inside iframe, press Control + A, press Control + C), or right-click on one of the file links on the web page and save it as "filters.txt" on your desktop. With MailWasher open click on Help > "About" which will open a box with the version and copyright details. At the bottom of this box there is a link to your personal profile data folder for MailWasher Pro. Click on the link at the bottom of the About box to open the MailWasherPro Application Data folder in a window, then close MailWasher. You must close MailWasher before editing filters.txt, otherwise your changes will be overwritten by the program. The only time you can work on filters with MailWasher open is if you use the Filters utility from within the program, to create or edit rules.

There will be a file named filters.txt in your MailWasher Pro application data folder. You will either overwrite it's contents, or add to them, depending on if you have created any of your own filter rules. If you haven't created your own filters and you downloaded one of my filters files and saved it as "filters.txt" just drag it from your desktop into the MailWasher Pro data folder and drop it there, allowing it to overwrite the existing copy.

If you chose to copy the contents in the iframe for pasting into the program's filters.txt, open filters.txt in NotePad, in the "MailWasherPro" Application Data folder. If you are going to add my filters to your existing rules choose a line where you want them to start (the beginning is a great place), click on the beginning of that line and press Control + V, to paste them in at that point. If you are going to overwrite the existing filters entirely click inside it and press Control + A (Select All), to highlight all of the contents, then press Control + V to paste my filter rules into the document, overwriting the contents, then save the changes (Alt > F > S). Make sure you don't have any blank lines between rules and that each rule begins on a new line. Turn off Word Wrap. Instructions are typed in the top comments of my rules.

After you have pasted in the new rules, close filters.txt, then open MailWasher Pro. My filters should now be loaded into the program and will delete most current incoming spam, either automatically, or manually. Use Control + F7 to display or hide the filter sidebar, in the program interface. Watch for spam messages that are hidden by some rules, which you must delete manually, by clicking on Process Mail (F6), on top of MailWasher Pro. Make it a practice to click on the Process Mail button every hour, whether there is anything marked for deletion or not. This frees up RAM and removes temporary data files created while the program is running. It will also delete hidden spam messages.

I update my rules very frequently, sometimes more than once on the same date. I post the last updated date in the comments of the filters, in the top of the files. Comments begin with //. Be sure you bookmark my MWP filters page and check it often for new or altered filters. There is a link under the iframe to sign up for alerts from ChangeDetection.com whenever it detects a new date stamp on the page.

Wizcrafts Custom MailWasher Pro Filters are discussed on the Firetrust MailWasher forum, where I post notices about filter updates and where other MailWasher users provide input about them.

Posted by Wiz at 11:50 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

For those you don't know, MailWasher Pro is a renowned email screening, spam detection/deletion program, designed for people who use a POP3 email client to send and receive their email (Outlook, Outlook Express, Windows Mail, Thunderbird, Eudora, etc). It can be set to automatically check all of your POP3 email accounts at any whole-minutes interval you choose and contains built-in tools to detect spam messages and viruses, then deal with them in the manner you define. MailWasher Pro uses a variety of spam detection techniques including a Bayesian learning filter (with user overrides), configurable blacklists and whitelists, a database of known/reported spam, domain name server (DNS) blocklists, and user configurable custom filter rules to block various types of spam, or other unwanted email. Once incoming spam has been deleted from your email servers you can download legitimate messages to your email program, which should be set to manual mode when used with MailWasher as the front-end screener.

The custom filters are very powerful tools that many people don't fully understand, hence they often go unused by less technical users. Fortunately for them, I am part of a group of technically advanced MailWasher Pro users who have learned to develop and use these custom spam filters. In fact I am the author of many of the filters now in common use by MailWasher Pro users around the World.

I use MailWasher Pro, every day, all day long, to screen all of my incoming email for spam, scams and malware, across two dozen POP3 accounts and my custom filter rules usually block almost all incoming spam, scams and malware embedded or attached to email messages. This includes image spam promoting pump and dump stocks or counterfeit drugs, and fraudulent e-card/postcard messages with links to hostile scripts that might turn your PC into a member of a Zombie BotNet. However, as spammers tend to alter their codes occasionally, from one spam run to another, sometimes a previously effective rule will to fail to block a known type of spam. I usually detect these changes and apply them to existing or new filter rules within minutes of discovering a failure to detect and delete that type of spam. I then publish these alterations and/or additions to copies of my filters that are available for copying and pasting into your own MWP filters.txt file. See my extended comments for more information about the location of the Filters.txt file.

The gist of all this is that since I hate spam and spammers I have been updating and fine-tuning my MailWasher Pro filters quite often these days, sometimes more than once per day, to respond to changes in spam runs. You can find my most recently updated/uploaded filter sets on my MailWasher Pro Filters page. Since this is time consuming work I am not too proud to accept PayPal donations from any of you who are benefiting from my ongoing filters work and can afford to make a contribution to the cause. Thanks in advance!

See my MailWasher Pro product details page for complete information about this spam screening tool, with links to download a trial version, or to purchase a permanent license (pay once, get upgrades for life). I am also available for hire to write custom MailWasher filter rules for individuals or organizations. Contact me with your requirements and I'll send you an estimate.

Continue reading "Wizcrafts MailWasher Pro Anti-Spam Filters Updated Frequently" »

Posted by Wiz at 12:28 AM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

With viruses, spyware, adware, keyloggers, browser/search hijackers, rootkits, and remote control spam relays infecting or taking over control of up to 75% (estimates) of the online Windows computers in the world, responsible, concerned people want to know how they can protect their computers from such rampant, recurring threats. Many folks I know have had spyware or viruses removed only to have them reappear some time later and they are confounded, because they don't realize how these threats get installed in the first place.

Running anti-virus, anti-spyware and firewall applications is a must for Windows users, but they may not stop something malicious that slips past your defenses that may be hidden inside a program or file you intensionally downloaded and installed. The innocent application or utility you downloaded may have installed a backdoor program on your computer and that program may take over control and allow more malware to be sent to your computer. Many of the multiple infections that occur so often are piggybacked onto downloaders that get installed first, without your knowledge. They lower your security settings and sometimes hide from known security programs until it is too late. Some of them even terminate anti-virus, anti-spyware and firewall programs, leaving you totally unprotected.

These hidden threats inside supposedly useful programs are called Trojan Horses, named after the legendary huge wooden gift horse that the Greek invaders gave to the army of Troy, after a lengthly siege. It was supposed to be a symbol of submission from a defeated enemy (the Greek army) to the winners (the Trojans). Somehow the Trojans were fooled into accepting the gift horse, thinking that the Greek army had evacuated the area and given up the siege. They brought it into their gates and celebrated their alleged victory and when they were good and drunk the Greek soldiers who were hidden inside the hollow places in the wooden horse emerged, opened the gates to let in the rest of their hidden army, then slaughtered the Trojan soldiers and men and sold the women and children into slavery. So the legend goes and so go the modern day software soldiers who hide encoded inside seemingly useful programs, only to invade your system and wreak havoc.

Any infected code that you acquire and activate, or is self activating, will be run with the same rights as the logged-on user, which in most cases is Administrator level rights (privileges).

All of the previously mentioned malware threats require computer administrator privileges to fully install themselves into the operating system, or overwrite system files, or to write to the Local_Machine branch of the Windows Registry, or to hide as rootkits. Windows 2000 and XP users running with reduced privileges, as a Limited User, are protected against virtually all malware threats that need to install into the system to function. Windows 2000 or XP Professional Power Users have reduced, but not complete vulnerability to these threats. I personally run as a Power User and have not acquired any drive-by, downloaded, or browser exploited malware infections at all. I also use several anti-spyware programs, and anti-virus program and both hardware and software firewalls. I browse with Firefox, not Internet Explorer and keep everything up to date with patches and security fixes, as soon as I learn about their availability. Then I post notices on my blog to alert you all.

Some of my readers have problems running as Limited Users and I help them as much as possible to understand how things need to be done to work within and around those limitations. If you run with reduced user privileges your choice of updates will be more limited than if you apply them from an administrator level account. You would do this by first applying the updates as a Limited or Power User, then Switch Users or log onto an Administrator account and re-apply the updates and immunizations. Many security programs will require you to switch to, or log into an administrator level account to perform program updates (if not definition updates), then reboot. Others are more friendly to Limited Users after being installed by an Administrator.

I have posted more information about running with reduced user privileges, here and here.

Always assign a strong password to any Computer Administrator level accounts. Always try to run as a Limited User, or at most a Power User, under Windows 2000 or XP Professional. The Power User group is not available in XP Home, so don't bother looking for it.

Windows Vista begins a new era in user protection (out of the box) by running all accounts as Limited Users, with Power User-like rights and rights elevation prompts when you try to do something that requires full administrative privileges. I will blog about Vista's User Account Controls, and it's rights elevation prompts, in a separate article, on a future date.

Posted by Wiz at 11:53 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

I am the happy owner of a used Dell Latitude C610 laptop computer. It hums away on Windows XP Professional, with 512 MB of RAM and a smallish - 20 GB hard drive. The Latitude battery still delivers over 5 hours uptime at full charge. The monitor screen is crisp and bright and I only paid $250 for it in a computer store. My only gripe has been with the mouse pointer wandering on it's own, at random times, for no apparent reason, sometimes completely out of sight.

I did a little online research on Google and found several forums where other Latitude users were complaining about the same wandering / drifting mouse pointer problems as I had (past tense). I read about some pretty drastic solutions some people have used to stop the drifting pointers, including opening up the case and cutting wires. That sounded like a way-too-drastic way to cure the problem. Other suggestions I saw involved opening the case, lifting the keyboard, then inserting an anti-static hardware bag over a metal clip, which supposedly was rubbing against the touch pad's bottom side.

Then in the midst of all this madness I found one voice of sanity from a user who simply downloaded the newest touch pad drivers for his Dell laptop. I followed up that link to the Synaptics website, where they offer generic drivers for their touch pad devices, but also provided links to each manufacturer who uses their touch pads. Dell was listed, so I went to the Dell support site, followed links and options to get to all available downloads for my Latitude C610, scrolled through the long list and finally found an update for the Dell-Synaptic Touch pad. Bingo!

After downloading and installing the new touch pad driver I rebooted (required). When I logged back into Windows I found a new icon in the SysTray, for the Synaptics Touch pad. I opened the new Mouse/Touch-Pad Pointer Properties and went through all of the new options. One option is to disable the Joystick pointer that looks like a pencil eraser, in the midst of the keyboard, or to change it's sensitivity. I opted to make it less sensitive rather than disabling it, and voila, my drifting pointer problem was gone! No cutting of wires, or inserting of bags under the chassis. A simple software download and a few minutes of configuring the awesome new pointer options and all was well with my mouse pointer, on my Dell Latitude. Plus, I took advantage of other new options in the software and enabled horizontal and vertical scroll zones and tap to click on the touch pad.

If you own a Dell laptop and your pointer is drifting all over the place, visit the Dell support website, or the Synaptics website and download the newest driver for your touch pad and operating system.

Posted by Wiz at 6:46 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

Over the past few months there have been a slew of vulnerabilities reported and patched in the Apple QuickTime Player-Plug-in application. QuickTime ships with Apple iTunes when people install that application onto their computers, and millions of other folks install QuickTime to play .mov videos and mp3 files in their browsers. That means that tens or hundreds of millions of computers have QuickTime installed, and knowing the way a lot of people (don't) think about security updates, a large percentage of them are outdated and vulnerable versions of the application. In my previous blog post I revealed six new extremely critical vulnerabilities in Apple's QuickTime Player-Plug-in, revealed in early March, 2007. If you are thinking there has to be a better way to play mp3, .mov and other QuickTime file formats, without leaving your computer open to takeover from exploits against the Apple QuickTime Player, read on.

QuickTime Alternative will allow you to play QuickTime files (.mov, .qt, .3gp and other extensions) without having to install the official QuickTime Player. It also supports QuickTime content that is embedded in webpages. If you browse with Firefox and load a page that has embedded .mp3 or .wav music you have probably seen a yellow notice bar appear telling you that you need to install a missing plug-in to play content on that page. It usually refers to an embedded sound file that normally plays automatically in Internet Explorer and the recommended Firefox plug-in is almost always Apple QuickTime. The QuickTime Alternative satisfies that missing plug-in problem and will automatically playback embedded audio files, after you configure it to do so.

I have been using a free alternative to the QuickTime Player-Plug-in for several years, through various updates. It plays all of the file formats that the official player handles, when configured to play them, more securely than the Apple version. The free QuickTime Alternative player is available from free-codecs.com, on this page. Click on the Download link then look through the list of files for the most recent version, for your operating system. At the time I wrote this the newest version was 1.78, released on March 7, 2007. The alternative player is updated to remain compatible with the file types handled by QuickTime, and is not vulnerable to the same exploits as the official player is. The underlying application behind the QuickTime Alternative is called Media Player Classic, which is updated every time the alternative QuickTime player is updated.

If you decide to install substitute the alternative player you must configure it to handle the file types you want it associated with, as the default player. Details for doing this are in my extended comments.

Also available for free download is a Real Media Alternative Player. Real Alternative will allow you to play RealMedia files without having to install RealPlayer/RealOne Player.

Continue reading "About the QuickTime Alternative Player-Plug-in" »

Posted by Wiz at 3:44 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

This article really falls under the catagory of Usability and Accessibility, as it deals with overriding fonts that are hard to read for some people with sight problems. Viewability has often been overlooked by website template writers who may be young and gifted with very good eyesight, hence they code their fonts to be a fixed size that they find comfortable. Those font sizes are often entirely too small for the elderly, or people with limited sight to resolve. Add to this the fact that web browsers are designed to display web pages as per the styles and fonts specified by the site designers, and that while these fonts sizes can be overridden, it is not always obvious to the users as to how they can do so. Furthermore, even if these folks know how to override default fonts on a webpage, they are forced to do this everytime they revisit that website, since browsers reset to factory default display mode after being closed out and re-opened.

I have often been asked for advise on changing website specified fonts to those preferred by the users, on forums and via direct inquiries (I am the Wiz and am assumed to know all the answers to all the questions!). Instances where this is an issue are typically on forums, where the default stylesheet uses fixed font sizes and/or colors, which the viewer may find difficult to read. People gifted with good eyesight shouldn't goff at this. Your day is coming too.

On a forum where I am the Moderator I was recently asked if it is possible to override the default font size permanently, just for that forum. The administrator is planning to rewrite the stylesheets to allow relative font sizes to be used, which is definitely more user friendly, especially to those with poor eyesight, but until that is accomplished I was able to find a means whereby people using Firefox browsers can create their own custom stylesheet in place of the one used by that forum. The really interesting thing about this custom stylesheet is that it can be specifically targetted to control only the fonts (family, size, color, boldness) on a particular webpage, or for an entire domain. This is good news if you are a frequent reader of a particular forum that uses fixed fonts that you have trouble reading. I have researched a solution for Firefox browser users to override the fonts on a particular website, or even on a particular page or sub-forum. From now on I will refer to this location as the URL.

The rest of this article pertains to the Firefox custom stylesheet workaround. I will publish information for Internet Explorer users in another article.

To begin, you will need find your Firefox Profile folder. Instructions for locating this folder are here, in my extended comments.

The method:
Once you have opened your Firefox Profile folder, open the sub-directory named "Chrome". You will have to create a new text file and name it userContent.css. You can do this in Windows using Notepad, by right-clicking inside the Profile folder and left-clicking on "New," then left-click on "Text document." After you add the pertinent commands to the new text document you should rename it to userContent.css (right-click on file and choose Rename, then type or paste in the new name, then click away from it). Alternately, you can open the sample file named "userContent-example.css" and edit it, then Save As, or Rename it to userContent.css

Here is an example of a custom Firefox Stylesheet to increase the font size, using Percentages or EMs as a measurement, for an exemplified forum URL, where the forum runs on current phpBB code.

@-moz-document url-prefix(http://www.forum.domain.com/) {
.postbody { font-size : 1.2em !important; }
}

Or else, use percentages, like this:

@-moz-document url-prefix(http://www.forum.domain.com/) {
.postbody { font-size : 120% !important; }
}

If the forum's BB code for the class postbody includes a fixed size line-height declaration you can add this to your custom rule: line-height: 1.3em !important;, or line-height: 130% !important;. Alter the em or % number to obtain the best line spacing and to avoid cutting off lower parts of drop letters, like lowercase g, j, p, q, or y.

You would change the URL (http://www.forum.domain.com/) to that of your preferred forum, by copying and pasting it from your browser's address bar. If the forum runs on phpBB code and you want to change the font size in the body of Posts leave the class .postbody as is. Otherwise, you can specify Body to override all font sizes, and use a percentage increase, instead of a set font size. Using the command !important; causes your style rule to override that of the website.

You can discover what stylesheet or css rules are being applied to a web page by viewing the source. In Firefox you press Control + U. Some stylesheets are included in the page you are viewing, within a set of <style> ... </style> tags. Others are in external files. Look in the HEAD section for a line containing; <link rel="stylesheet" type="text/css" src="URL">. Note the location of the external css file as listed in the src=" " part, then highlight and copy it with your mouse. Then go back to the web page in the browser, click on the URL in the address bar, remove any filename and sub-directory that is showing and paste the location of the stylesheet onto the end of the base URL, like this deactivated example:

ht*p://w*w.example.com/templates/site-style.css

If you got it right the stylesheet will display as plain text in the browser, where you can read it or save it as a .css or .txt file. Study the stylesheet to learn about the names of the Classes (names beginning with a period, as in .postbody) and IDs (names beginning with a # sign, like #content), that are assigned font size rules you want to override, and use those class or id names in your custom stylesheet, for that website.

By employing these techniques you can override the preset styles of virtually any website you may frequent, making it easier to view for your eyesight and monitor size situation. I will be posting more information about other techniques to change the font sizes in other articles on my blog.

Continue reading "How to create a custom personal stylesheet for Firefox browsers" »

Posted by Wiz at 11:35 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

CastleCops A new filter set for MWP users brought to you by Wizcrafts!

I just updated my most effective MailWasher Pro image spam filter to catch a new variant; jpegs instead of gifs. The updated filters are here.

The new rule, just under the "Restored From MailWasher Recycle Bin" rule, catches 99% of the image spam sent to me. It uses only one regular expression and is faster acting than the other rules that use more regular expression matches.

If you are not currently using a spam filter and are getting deluged with image spams for penny stocks, the combination of the email screening program MailWasher Pro and my custom MailWasher filters will reduce your visible spam to a tiny percentage of what you are probably seeing right now.

Note: The MailWasher Pro filters.txt does not go into the program directory. It goes into the MailWasherPro subdirectory under Documents and Settings\(your profile)\Application Data\. You can find this direectory and it's contents by opening MailWasher Pro, clicking on "Help," "About" and on the link on the bottom of the "About" box.

Continue reading "MailWasher Pro Image Spam Filters Updated" »

Posted by Wiz at 1:10 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

My regular readers know that I use and promote the email screening program - MailWasher Pro. This inexpensive program screens incoming email for threats or spam, using a combination of blacklists, blocklists, user-reported known spam, "Bayesian" learning filters and best of all, user configurable filter rules. The user filters in MailWasher Pro allow for matching positive or negative words and Regular Expressions and are capable of detecting just about any known type of spam trick that exists, by employing the correct combinations of test conditions.

In my last Blog entry about MailWasher Pro I mentioned that I have developed custom filters to detect and delete image spam with garbage text. This spam is quite prevalent now and is entirely sent from tens of thousands of compromised home and office computers, that have been involuntarily drafted into BotNets, by spammers. Bothered by this senseless spam, mostly for investment stocks, I developed a group of filters that recognize variations of this crap and delete it automatically, without me ever having to see it. I have been fine-tuning my image spam filters to catch variations of the original coding, which is changing every week or two.

A few days ago I was reading new posts on the MailWasher Pro Forum at CastleCops, when I came across a topic where the OP (original poster) was looking for help to block these very image spam messages. I answered with a link to my online copy of my MailWasher Pro filters and made a few people very happy with the solution to this type of spam. Since spammers' techniques change frequently, I have been updating my filters to meet those changes, and posting news in a thread that now has my name in the Title. Additionally, I have been further honored by having my filters linked to in the MailWasher Wiki, on CastleCops.com.

If you are troubled by spam, whether in words or images, and are looking for a way to detect and delete it, without having to read it again, try MailWasher Pro. It is free to try for 30 days and only costs $37.00 USD to register, with free updates for life. You can learn more about MailWasher Pro here. There are links on that page to view my custom filters.

Posted by Wiz at 5:37 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

If you are barraged with spam for junk stocks, with an image and garbage text, and want to put a stop to it clogging up your inbox, MailWasher Pro is the right tool for the job. If you already have a licensed version of MailWasher Pro you probably know how to use custom user created filter rules to detect and delete spam. But, you may not know how to block image-only spam that comes from zombie home and office computers that are part of a BotNet. I have created and tested filter rules to delete this crap off the mail server without ever seeing it. Learn all about MailWasher Pro here.

If you are already using custom filters you just have to add my filters to the MailWasher Pro filters.txt file. This file is located in your profile under Documents and Settings > (Your_Account_Name folder) > Application Data > MailWasher Pro. You will need to set your Folder View Options to display Hidden Files and Folders and to display known file extensions, or these items will not be visible. If you need to set these options follow the instructions in the Extended Comments ("Read more...").

You will see a file named Filters.txt, inside the MailWasher Pro Application Data folder. Open in it Notepad then open my special filter rules: Select all and copy the rules in the popup window, then paste the rules into Filters.txt, near the top of the filters list. Make sure that each rule is on it's own continuous line, starting with [enabled]. Be sure that you do not have any blank spaces after the end of any filter rules, or any blank lines between filter rules. These things cause problems in the program. The last rule in Filters.txt should end after the last character, without a linefeed or carriage return.

Since spammers change their particulars from time to time I will alter these rules, or add new ones to continue to block this senseless spam for junk stocks and all other spam. These and the rest of my custom filters are available on my MailWasher Pro page. To be safe in case a legitimate email is deleted by one of these filter rules I have included a rule to display any email that you restore from the MailWasher Pro Recycle Bin. You should turn on this feature by going to Tools > Options > Summary > Recycle Bin and check the option to restore email, then type a valid email address from which you can send email, into the Outgoing Mail Settings field.

Never, ever buy anything that is advertised in a spam email, and never reply to one. Delete, delete, delete! If you are a reporting member of SpamCop you can also report, report, report! MailWasher Pro has a checkbox to forward spam manually to your SpamCop account, but you must respond to their reply message to actually file the report.

MailWasher Pro is free to try for 30 days, and costs only $37.00 to register, which includes a one year, renewable subscription to the FirstAlert! spam reporting system, plus, FREE Mailwasher program updates for life.

MailWasher Pro has always supported Windows and now supports Mac OS X 10.3 and Linux (for list of supported distributions, please see the download page link on this page).

Continue reading "Automatically Delete Image Spam With MailWasher Pro" »

Posted by Wiz at 1:01 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

Published on 08-19-2006 | Updated on 4-24-2007

Webroot, the manufacturer of Spy Sweeper has released a study which finds that 89% of PCs connected to the Internet contain some spyware/adware infections, with the average home computer hosting 30 different malware programs. Furthermore, according to the Webroot® State of Internet Security report, issued on March 28, 2007, 43 percent of companies surveyed globally have suffered a business disruption due to malware and 60 percent of businesses polled don't have an information security plan.

According to the Webroot study, purveyors of malware are increasingly harnessing the popularity of social networks and Web video to infect PCs. Spyware's threat is getting nastier. Infection rates are on the rise, in part thanks to the surging popularity of social-networking sites like MySpace.com.

"We're finding that the social-networking sites like MySpace are turning out to be hotbeds for spyware," CEO Dave Moll says. "People are creating multiple profiles, and the links on their sites will take you to sites that will either download or drive-by download adware and spyware."

It doesn't help that many younger users aren't sufficiently cautious about where and how they surf the Web, Moll says. "They're not looking out for danger in quite the way that more skeptical adults do," he says. "Kids on MySpace and sites like it act as though they are in a safe youth-only environment, and as a result their behavior is less cautious, and that is something that is being preyed upon by all kinds of Internet villains. And we think spyware creators will be the most aggressive in exploiting that."

Spyware creators are also employing a wider arsenal of weapons. They're piggybacking on other, more malicious types of programs such as rootkits, a type of program that conceals itself, and keyloggers, which record a user's keystrokes on a PC.

All of these infections on Windows PCs are possible in part because so many users are operating the computers with Administrator level privileges. This means that a virus or other malware program has the same rights as you do (full control), over the operating system. If the owners of these computers would switch to using a Limited User account to do their browsing, email and instant messaging the infection rate would drop off the measurable radar.

I have devoted an entire web page to the subject of creating and using Limited or Power User accounts, instead of using the default Administrator level account your computer started with. Go read that page, then create a new Limited or Power User account for your daily use. You can copy your existing settings and preferences to the new account, including your desktop icons and start menu items. Alternately, instead of creating a new Limited User account, create a new "Computer Administrator" account, assigning it a password. Log off the account you are using for everyday use and log onto the new "Computer Administrator" account to set it up as an identity. Once inside that account you can go to Start > Control Panel > User Accounts and change your other account to a "Limited User." When you log back onto your regular account all your icons and settings will still be there, but your user rights will be lowered for your protection.

As a Limited user you cannot install some programs, or uninstall any, nor can you run the Disk Defragmenter or manage accounts and policies. To do these things you can either use the Run As command (explained on the Privileges page), or use the Switch User function to log in to your Administrator level account, do what needs doing, then log off that and log back onto the Limited account.

This really works to protect your computer against virtually all of the current known exploits. If you read the various bulletins released every month by Microsoft, concerning this or that new vulnerability, you'll see a paragraph explaining that the scope of the damage is proportional to the level of privileges on the account you are logged onto. If you are using an account that does not have privileges to create, delete, rename, or alter any files in the operating system directories, the danger from accidentally downloaded malware is close to nil, in that account. This includes the entire crop of browser search hijackers and BHOs. They all depend on being able to write to the local machine branch of the Windows Registry to do their dirty work. Furthermore, if something does manage to attach itself to your browser, under a Limited Account, it cannot jump across identities to infect the administrator account, or other user accounts. Also, viruses and spyware cannot disable your anti-virus, or anti spyware, or firewall programs, from within a Limited User account, but those programs can go after the attackers and remove them before they find a way to install into the system.

Read about an exploit that masquerades as a video decoder to install the Zlob Trojan -->

Continue reading "Limited User Privileges Protect PCs From Adware, Rootkits, Spyware and Viruses" »

Posted by Wiz at 4:37 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

I was recently participating in a forum discussion about AVG Free anti virus and one of the members complained that AVG's scheduler would a: only check for updates once a day, and b: not look for updates at all when his computer was in standby mode. I researched a solution that I have tested on my own computer and seems to work fine.

I used Windows Task Scheduler to create a task to wake the computer (if asleep) and run the AVG Updater from the scheduler commandline, then automatically either fetch and install an available update, or instantly exit if no update is available at that moment. You can create multiple daily schedules with Windows Task Scheduler, but only one daily with the AVG Free scheduler. Note, that if you create an hourly schedule you should not select the option to wake the computer to run the task!

The steps to create the schedule and the commandline used are listed below.

* Go to Start > All Programs > Accessories > System Tools > Scheduled Tasks
* Open the Task Scheduler and double-click on Add Scheduled Task
* When the Scheduled Tasks Wizard opens click on Next
* When the second tab opens you will have to use the Browse button to locate the AVG program and it's updater file
* If you installed AVG into the default directory, navigate to Program Files\Grisoft\AVG Free\avginet.exe and double-click on that file to add it to the scheduler. Type a name for this task; e.g. AVG Updater
* Click on Daily to choose that option, then click Next
* Set the time of day you want it to run, Every Day, and the Start Date, then click Next
* Your account name should be in the User Name field. Type and retype your login password to authorize the scheduled task and click on Next
* Check the option to open the Advanced Properties when you click Finish
* Click on the Settings tab
* "Wake the computer to run this task" is optional but not recommended for hourly tasks. But if you choose to enable it, check the box and click Apply. Click OK. Your task is almost ready to run, but needs at least one edit. Unless you edit the commandline as follows it will not download an update unless you click on the prompt box. My edit bypasses that prompt and automatically downloads and installs updates.
* Go back to the Scheduled Tasks window and locate your new task and double click on it to open it's properties box. You should see this command: "C:\Program Files\Grisoft\AVG Free\avginet.exe"
* Add a space to the end of that command (spacebar) then type this exactly: /SCHED=
* The final command should be: "C:\Program Files\Grisoft\AVG Free\avginet.exe" /SCHED=
* If you are prompted for your user name and password type them in and click OK. If you don't use a password just press Enter.
* You can also modify the schedule from the Schedule Properties by clicking on the Schedule Tab and the Advanced button, where you can schedule it to run any number of times at any interval.
* When you are done editing the schedule click on Apply, then OK, to close the task properties.

Using those steps should wake your computer if it is in standby or hibernation, then poll for updates and download any that are available. It works on my Windows XP Professional computer, using AVG Free, version 7.x.

Wiz

Continue reading "Using Windows Task Scheduler to Check for/install AVG-Free Anti Virus Updates | Commandline | Wakes Computer" »

Posted by Wiz at 9:52 AM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

If you have inadvertently installed Microsoft Windows Genuine Advantage (WGA) Notifications and are getting popup notices concerning the validity of your operating system, these instructions will help you to remove this optional (at this moment) Windows component.

SUMMARY
This article applies to the version of Microsoft Windows Genuine Advantage (WGA) Notifications that is distributed during the pilot program. For example, this version is included in the pre-release version that accompanies the Microsoft Software License Terms. To safely and easily uninstall the pilot version, you must install the general release version of WGA Notifications. If you do not install this version, you can follow the steps in this article to disable or uninstall the pilot version.

Important These instructions have not been tested on the general release version of the WGA Notifications. Therefore, these instructions are not supported. Microsoft will offer the general release version of WGA Notifications to users who uninstall the pilot version at a later date. These users will obtain the general release version through the Microsoft Automatic Update service. WGA Notifications is part of the Windows Genuine Advantage program.

When you use a non-genuine version of Windows, you receive a message when you log on that states that the copy of Windows appears to be non-genuine. Then, you are directed to the WGA Web site to learn more. If you do not want to obtain a genuine copy of Windows, you receive periodic messages that notify you that the copy of Windows appears to be non-genuine.

Note If you are running a genuine copy of Windows and want to use WGA Notifications, you may receive messages to update Windows XP.

Regardless of genuine status, users are not denied access to critical updates. However, users who have not validated their computers as genuine are not able to install other updates such as those for Microsoft Internet Explorer 7.0 and Microsoft Windows Defender.

MORE INFORMATION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Disable WGA Notifications
1. Log on to the computer by using an account that has administrative permissions.
2. Make sure that the WGA Notifications version that exists on the computer is a pilot version. The version format for the pilot version is 1.5.0532.x. In this case, you can uninstall versions 527-532 only. For example, you can uninstall versions that range from 1.5.0527.0 to 1.5.0532.2. To find the WGA Notifications version, follow these steps:
a. Click Start, and then click Control Panel.
b. Double-click Add or Remove Programs, locate and then click Windows XP - Software, then click Windows Genuine Advantage Notifications, and then click Click here for support information.
c. In the Support Info dialog box, verify the version number, and then click Close.
3. Rename the following files by changing the extension to .old:
• Rename %Windir%\system32\WgaLogon.dll to %Windir%\system32\WgaLogon.old
• Rename %Windir%\system32\WgaTray.exe to %Windir%\system32\WgaTray.old
4. Restart the computer.

Manually uninstall WGA Notifications
1. Log on to the computer by using an account that has administrative permissions.
2. Make sure that the WGA Notifications version that exists on the computer is a pilot version. The version format for the pilot version is 1.5.0532.x. In this case, you can uninstall versions 527-532 only. For example, you can uninstall versions that range from 1.5.0527.0 to 1.5.0532.2. To find the WGA Notifications version, follow these steps:
a. Click Start, and then click Control Panel.
b. Double-click Add or uninstall Programs, locate and then click Windows Genuine Advantage Notifications, and then click Click here for support information.
c. In the Support Info dialog box, verify the version number, and then click Close.
3. Rename the following files by changing the extension to .old:
• Rename %Windir%\system32\WgaLogon.dll to %Windir%\system32\WgaLogon.old
• Rename %Windir%\system32\WgaTray.exe to %Windir%\system32\WgaTray.old
4. Restart the computer.
5. Unregister LegitCheckControl.dll by using Regsvr32. To do this, follow these steps:
a. Click Start, click Run, type cmd, and then click OK.
b. At the command prompt, type the following, and then press ENTER:
Regsvr32 %Windir%\system32\LegitCheckControl.dll /u
6. Restart the computer.
7. Click Start, click Run, type cmd, and then click OK.
8. At the command prompt, delete the following files by typing the Del command. Press ENTER after you type each command.
• Del %Windir%\system32\wgalogon.old
• Del %Windir%\system32\WgaTray.old
• Del %Windir%\system32\LegitCheckControl.dll
9. At the command prompt, type regedit.
10. Locate and then right-click the following registry subkeys. Click Delete after you locate each subkey.
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\ CurrentVersion\Winlogon\Notify\WgaLogon
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \CurrentVersion\Uninstall\WgaNotify

Continue reading "How to disable or uninstall the pilot version of Microsoft Windows Genuine Advantage Notifications" »

Posted by Wiz at 10:37 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

"Spam," in computer-speak, refers to Unsolicited, Commercial Email (UCE) or "Junkmail." Spam is used to hawk everything from counterfeit brand name watches and prescription drugs, to mortgages and loans. Nobody I know wants to receive junk mail, whether in their postal mailbox or computer inbox. Yet, most people who venture online with an email account will be spammed, some to the point where spam email represents 80% of their weekly incoming email. These folks are in serious need of a real solution to help reduce the level of spam that reaches their inboxes. I am going to describe a solution to your email spam problem in this post.

Before I continue with my solution I have to tell you that it is software based screening program that does not work with browser-based email systems (AOL, Yahoo, Webmail, or other proprietary email systems). You must be receiving your email via a separate stand-alone POP3 email "client," like Outlook, Outlook Express, Euroda, Thunderbird, or a similar email program. If you are using one of these stand-alone email clients the rest of this discussion applies to you. If not, you are at the mercy of your ISP or email service provider to filter out spam and viruses.

My solution to dealing with spam is to screen all incoming email and filter out anything that trips one of the filter conditions, or is otherwise identified by it's content as a phishing attempt, 419-type scam, spam or virus. The program that does this is named MailWasher Pro and I've been using it for several years, and recommend it to all of my friends and clients.

MailWasher Pro intercepts incoming POP3 email accounts (as many as you have setup in it), reads an adjustable number of lines of text, including the full incoming headers, then compares the results with internal and external blacklists and blocklists, and databases of known spam, and sources of spam, as well as known or suspected viruses. MailWasher Pro also contains a built-in Bayesian Learning Filter that you can train to recognize what you call spam and what you don't. Lastly, one of the most powerful features is the user created filters that can be customized to identify virtually any type of undesirable email and either mark it for manual deletion and blacklisting, or automatically delete it immediately. These user filters use both plain text and Regular Expressions to identify strings of text or code that give away a spam message, or virus, or exploit.

If the message contains content that matches any known conditions it is either flagged to be deleted or is automatically deleted from the email server, according to your choices when you set it up. If you are a member of SpamCop MailWasher Pro can forward spam messages directly to your reporting account. SpamCop will generate an autoreply message that contains a link that you must click on to finish the reporting process, because they require manual reports to be filed at all times. Still, this saves you the trouble of displaying the source code, then copying it and pasting it into a browser report field on SpamCop's reporting page.

I have created an entire web page detailing MailWasher Pro and how it works. I have also included a link on that page to a sample of my custom filters that are responsible for eliminating huge amounts of spam, including "image spam." It should be noted that spammer techniques are not standing still and neither are my efforts to create effective rules to counter new spam tricks.

MailWasher Pro is a commercial program that is free to try for 30 days. If you wish to continue using it you will have to pay to license it. The current registration price is $37.00, which includes Free Upgrades for Life. It also includes your first year subscription to the optional FirstAlert! members' reporting system. You can read all about this on my MailWasher Pro web page.

You can go straight to the MailWasher Pro website and download a 30 day trial, by clicking on this banner:

Continue reading "MailWasher Pro Screens Incoming Email and Filters Out Spam and Viruses" »

Posted by Wiz at 10:25 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

Everybody who has an email account is plagued by the spam and scam epidemic that is polluting your inboxes. Most people simply deal with having to resort to hitting Delete over and over again. Others, like yours truly, do something about it. I report all spam that gets through my defenses to SpamCop, where I have a Reporting Member account. I also use an email screening program that automatically deletes most spam, which I will talk about later in this article.

The SpamCop reporting system requires you to be able to display, copy and paste the complete message source, including the normally hidden headers. Displaying an email's source code is what this article is about. Even if you are not a SpamCop reporting member learning how to read the headers will allow you to trace the origin of scam emails (links in extended comments) from financial fraud artists in countries like Nigeria, and to file complaints with the Internet Service Providers that provide the connections to the scammers or spammers.

I am frequently asked "how do I display email headers and source code?" The methods vary with the email client (program), but every one I have seen will offer some means of displaying the full incoming headers. The following sections cover Microsoft Outlook and Outlook Express, Hotmail and Yahoo! browser-based email.

MS Outlook
Double click the message to open it in its own window. Then click View-Options and you can view the data in the "Internet headers" pane. You can copy that data and paste it into another email or SpamCop report.

Outlook Express
If the message is not open, right-click on the message in your Inbox and select Properties > Details > Message Source (button).

If the message is already open, simply press Control and F3 (together) and the "Message Source" window will appear. Once the source code is displayed in the resizable window you can copy it and paste it into a report.

Hotmail
If you are using browser-based Hotmail, login and go to "Options." At the Options page click the link labeled "Mail Display Settings" and find the section "Message Headers." Put the dot in the option "Full." Click on "OK" at the bottom to save your changes. Now, when you get a scam email and Forward it the recipient can read the full headers.

You can reveal the complete source code of any email in Hotmail by opening the message and looking for the blue link labeled "View E-mail Message Source," just above the white email message body. The source will open in a new browser window, and can be copied and pasted.

Yahoo!
If you use Yahoo! email, login and click on "Mail Options." When the options page loads locate the section labeled Personalization and click on the link labeled "General Preferences." On the General Preferences" page scroll to "Messages" and put the dot in the radio choice labeled "Show ALL Headers."

To forward the headers with an email scam or spam, scroll down farther to "Message Actions" and find "Forwarding Messages." Select the radio choice to "Forward as Inline Text." Click the "Save" button at the bottom. After this all you have to do is Forward any scam emails and the full headers will be at the top of the message.

SpamCop has a list of commonly used email programs, including AOL, with instructions for either displaying the full headers, and/or forwarding as an attachment.

With the source cody copied to the Windows Clipboard you can paste it into the report text field in your SpamCop member's reporting page, or paste it into an email that you will send to an authority who can deal with tracing or reporting it, or you can paste it into a new Notepad document and save it for your own analysis.

Continue reading "How to display the headers of spam/scam emails, for reporting or tracing the source." »

Posted by Wiz at 11:17 AM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

I am frequently asked about securing the Outlook Express email client. One of the recurring questions is "why can't I receive file attachments in my email?"

Answer:
The default security setting for Outlook Express is to block file attachments. To allow attachments to be downloaded and opened click on the menu item "Tools" then on Options > Security, and UNCHECK the option labeled "Do not allow attachments to be saved or opened that could potentially be a virus."

What do the other security options control and what effect do they have on my email capabilities?

Virus Protection

"Select the Internet Explorer security zone to use:"
I would recommend selecting the radio option to use the Restricted sites zone(More secure), as it will disable some common exploit codes used by viruses, and spyware distributers. By reading email in the Restricted sites zone you prevent tracking cookies from loading, Javascript from running, and cloaked links to phishing sites will reveal their true destination when you hover the mouse over them.

"Warn me when other applications try to send email as me." This will alert you if a Worm gets onto your computer and starts sending out mass spam or virus infected emails that appear to come from you. While this won't catch more sophisticated email sending exploits (using their own SMTP engine), it may stop some exploits from going out with your return address in them. Always select this option.

Download Images:

"Block images and other external content in HTML e-mail."
If you select this option you will not be able to view images in your email. It also prevents tracking gifs, sound files, and flash ads from loading when you open an email. This pretty much cripples 80% of the email you may want to receive, in return for blocking images and tracking gifs in a small percentage of unsolicited commercial email (spam). I personally do not check this option.

The other options only apply to people who maintain digital ID certificates, to apply them when sending or receiving messsages. Most of us don't use any of those options.

After you have checked or unchecked your desired settings click Apply to save them, then OK to close the options window.

Continue reading "How to control the downloading of email attachments or other harmful content in Outlook Express" »

Posted by Wiz at 3:48 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

If you have been using an unlicensed copy of Windows XP, Home, Professional, Corporate, or Media version, you already know that Manual Windows Updates and optional Windows XP enhancements and driver updates are not available to you. You may have turned on Automatic Windows Updates to at least receive security patches. You may also be one of the millions of users of unlicensed installations of Windows XP to receive the WGA Piracy popup notices, when you login, and while you are using your computer. You may already know the one I mean. It says:

"This copy of Windows is not genuine; you may be a victim of software counterfeiting." The popups notices will continue to occur until such time as the computer owner installs a valid license code, which may require a phone call to Microsoft support.

In a previous article on this blog I covered the situation in depth, along with temporary worarounds and a permanent solution. This article deals with and recaps the better, permanent solution. Click on the Continue Reading link below, for the full details.

Continue reading "Converting an unlicensed copy of Windows XP to a legally, licensed version" »

Posted by Wiz at 1:11 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.

If you're using MSN Messenger, or AIM, or Yahoo! or Trillian IM clients as your chat, IM or video conferencing tool, you may never use Windows Messenger and have tried to remove it from the startup group to keep it from appearing in your Systray. However, despite removing it from the Registry key that launches it you may have seen it return on occasion, and had to fight with it's icon and access denied messages while trying to shut it down.

The reason that Windows Messenger makes these unwanted re-appearances is that Outlook, Outlook Express and even some Microsoft Web pages can still make it load automatically. Fortunately, you can completely stop Windows Messenger from reappearing by making an alteration to the local group policy with the Group Policy Editor. You must be running with Administrator privileges to perform this action.

Here's what you should do:

For Windows XP Professional users:

1. Open the Run dialog box by pressing the keys - Windows + R, or click on Start > Run;

2. In the Open text box type Gpedit.msc and click OK to launch the Group Policy Editor.

3. Go to Computer Configuration | Administrative Templates | Windows Components | Windows Messenger.

4. Double-click the Do Not Allow Windows Messenger To Be Run setting.

5. In the resulting dialog box, select the Enabled option, and click OK

6. Close the Group Policy Editor.

How to disable Messenger in XP Home Edition

1: Solution #1 - Uninstall Messenger

2: Locate the file named SYSOC.INF in C:\Windows\Inf folder. NOTE: This folder and file are hidden by default.

3: Open SYSOC.INF with Notepad and locate this line: msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7

4: Remove the word "hide" from the line, then close the file, saving the changes.

5: You can now use the Add/Remove Programs icon in the Control Panel to remove this Windows Component.

Stopping Windows Messenger from reappearing with Outlook Express

Even after you go through the trouble of "uninstalling" the darn thing, Windows Messenger still may pop up whenever you run Outlook Express -- which some people do every time they start Windows. To stop Outlook Express from bringing Windows Messenger back onto your System tray, follow these steps:

1. Open Outlook Express.
2. Choose Options from the Tools menu.
3. Click the General tab.
4. Click to remove the checkmark from the box marked, "Automatically log on to Windows Messenger."
5. Click the OK button.
6. Choose Layout from the View menu.
7. Click to remove the checkmark from Contacts.
8. Click the OK button to close the Window.

See more solutions in the extended comments ...

Continue reading "Disabling Windows Messenger on Windows XP Computers" »

Posted by Wiz at 12:19 PM | Permalink

Get Norton 360 Version 4.0 - All-In-One Security. If you have a non-current version of a Symantec security program and wish to renew your definition updates subscription, or upgrade to a new version at a discount, go to the Norton Product Upgrades & Renewals page.