Category Archives: Identification

For any given product, listings of autoplays and startupware entries.

Good Riddance, Vista

Windows Vista, RIP April 11th, 2017

Windows Vista reaches the end of “extended” support on April 11th, 2017. It couldn’t be too soon.

The end of ‘Extended Support’ means there will be no more security patches, and no online technical assistance from Microsoft after April 11th. Existing support pages will still be available online, but will no longer be updated. Google Chrome ended support for Vista back on April 1st, 2016. If Microsoft follows the pattern of Windows XP, phone activation for re-installs will only be available from the automated system, and not from an actual human on the phone.

If you are still running any Vista-based computers, it’s time to upgrade them, retire them or disconnect them from the Internet. Most computers that shipped with Vista can run Windows 7 faster, and many can run Windows 10. (Call any local tech for help identifying whether any particular system is worth an upgrade.) And if there are still any Windows XP machines out there, it’s time to melt them down. Secure erasure and safe recycling are free for my customers.

Microsoft Office 2007

Microsoft Office 2007 will reach the end of extended support October 10th of 2017. If you’re running Outlook 2007, plan ahead. Running an unpatched email program isn’t safe. Now is a good time to switch to Thunderbird, or upgrade to Office 2016.

Calendar maintains a short list of the end-of-life dates of the most popular software products, here.


Fake Web Charge DOC is a Social Engineering Attack

And today’s hoax email is a social engineering attack, arriving as a fake web charge DOC file. It wants me to open a DOC file and enable macros, and no, I didn’t do that.

Subject: Re: charge on my card

WTF is this $263.48 charge on my card?
I never ordered anything from
I have attached a screenshot of my statement.
WTF is this about?

Thank you
Attachment: ss_filetiger.com_47155.doc

OK, I know what the transaction sizes are for my FileTiger file management software on my site, and if there was a $263 site license sale for a product that sells for $9.90, I would have been notified when it happened. So it’s suspicious. There’s no signature, and the sending address has the email address as the name, like this: <>
(I won’t show the original email addresses, as they’re both fake and variable, and likely stolen from an infected computer’s address book.)

Next, there are carbon copies to three other addresses, on three different domains. One of them is at Really. Another goes to a domain with no web site.

And, of course, it’s all blandly generic. The domain name is there, and it was sent to the email address associated with that domain, publicly available from the records at my domain registrar.

OK, well, I’m clearly not going to open a suspicious doc file in Word; it’s a stupid thing to do; Word has auto-run macros, and there are constant patches to force Word to ask permission before launching the macros, and workarounds for the bad guys to avoid that permission, especially if your version of Word is not the newest edition. Instead, I open it in the vastly safer WordPerfect, which won’t run embedded macros without permission, ever, and couldn’t run a Microsoft Word macro in any case. This image is inside: (Note that the logo for Office is wrong–it’s not a Microsoft message.)

“This document was created with an older version of Microsoft Office”

Wow. Brazen. It asks me to “Enable editing” and then to “Enable content”.

OK, next, I take the file and submit it, which runs it against (currently) 55 antivirus products. I did this only 10 minutes after it arrived, so there are only 3 ‘infected’ diagnoses, but it’s clearly evil:

Virus DOC file scan result


Note that VirusTotal recognized the file with another domain name, but scanned the same day as I received it, one minute ago, in fact.

I also looked inside the file with a pure text editor; there are a lot of totally random phrases in there, so it’s probably being re-generated regularly to stay ahead of AV detection software.

As always, the defense against these social-engineering attacks is the same: Don’t open attachments you didn’t ask for.


UPDATE, Later in the same day:

Apparently, I’m ripping off a lot of people and should expect chargebacks. I have just received an identical message, but now from an email address in Japan. The filename has changed to “ss_filetiger.com_197472.doc”, and VirusTotal says it’s a different file, but it’s now recognized as malware by 6 of the 54 scanning programs, although it’s still not detected by the AV software I’m running locally. In other words, AV can’t keep up.

Careful: The USPS Didn’t Send THAT.

This email arrived, allegedly from the US Postal Service. Nope, it’s a fake, it’s dangerous, and the USPS doesn’t do this stuff.

usps malware email

These are common, and dangerous. Clicking that link will result, usually, in the installation of a fake security program or a search hijack toolbar. The cleanup is routine bench work (call me if you’re local to Carroll County, Maryland), but even better, just click delete and avoid the problem. And maybe consider improving the filtering on your email; ask your mail provider for help.

These typically include a document you must print, and claim to be from any of these sources:

  • Any delivery service, but especially USPS, UPS, Fedex, or DHL.
  • Any of the top 50 banks.
  • Any government body, but especially the IRS.

How do you know this is a fake? Put the mouse over the link for printing but do not click. Look in the bottom left corner of the screen to see the address that the link will go to. In this case, it should go to It doesn’t. In this email, there are more clues:

  • They’re asking you to print a label. None of the groups these claim to be from will do that.
  • The domains of the from address, the reply address, and the address in the printing link do not match each other.
  • None of the addresses in the e-mail match the claimed sender.
  • The email appears to be from a person, not a department, at a giant impersonal organization. That’s highly unlikely.
  • The logo shown is not the correct logo. It’s not the right font or the right colors or it’s an old version.
  • There are grammar errors, punctuation errors, or word choice errors in the e-mail.
  • The instructions in the e-mail don’t quite make sense. In this case, you’re supposed to take a label to the nearest post office to get your package, and not to the specific post office that delivers to your street address.

Notice the shape of the C and S. The real USPS logo uses streamlined characters that are straight at the top and the bottom. The letters in the fake are a curved generic font.

usps logo

Be suspicious of any e-mail that asks you to print a document, that claims to be from a big company, a big bank, or a government organization, or that asks you to do something that organization would normally handle by telephone or by some other means than a printed document. When in doubt, close the e-mail and contact that organization in the way you normally would–pick up the telephone or go to their webpage, but do not, ever, click an e-mail link without looking where it goes first.
