Full-page scams are those HOAX scary web pages that say your computer is infected (or worse) and you MUST call some phone number now (DON’T), and Microsoft has detected an issue. (NOPE). Microsoft doesn’t want your phone call, can’t identify ‘suspicious activity’ on your computer, and would not be able to match your computer to a random web page visitor. It’s impossible, implausible, and completely evil. I’ve had reports back from users who called the numbers: The ‘Department of Windows’ wants to log into your computer, give you the totally FREE and BUILT-IN Windows Defender, as a special $400 lifetime edition. Or worse, much worse. Don’t call those numbers, ever.

Those hoaxes are all full-screen and hard to exit. Press F11 to exit full screen mode, and then close the browser. Or use Alt-F4 to close the browser. Or use the keyboard method to go to task manager with Ctrl-Alt-Delete, and then close the browser. If all else fails, turn the computer off.

After restarting the computer, if your browser then asks “Restore prior pages?” answer NO. It’s also a good idea to go into the browser’s page history and clear out the last dozen pages or so, or use the ‘clear browsing history option’ and select ‘last hour’ or ‘today’ for the time range.

The post How to Close Those Full-Page Scams appeared first on Startupware.com. Visit to read more about software design, malware, and computer security.

Original article: How to Close Those Full-Page Scams.

Here’s how to turn off the Whatever: Right-click the Search box, and the menu will pop up as below. Uncheck ‘Show search highlights’. Done.

If anybody knows what that setting changes beyond adding cartoons to the bar, let me know and I’ll update this.

Updated May 21st with the tea cup. And on May 22nd with the Tennis image. And so on…

The post How to Turn off Whatever THAT is… appeared first on Startupware.com. Visit to read more about software design, malware, and computer security.

Original article: How to Turn off Whatever THAT is….

Windows Vista reaches the end of “extended” support on April 11th, 2017. It couldn’t be too soon.

The end of ‘Extended Support’ means there will be no more security patches, and no online technical assistance from Microsoft after April 11th. Existing support pages will still be available online, but will no longer be updated. Google Chrome ended support for Vista back on April 1st, 2016. If Microsoft follows the pattern of Windows XP, phone activation for re-installs will only be available from the automated system, and not from an actual human on the phone.

If you are still running any Vista-based computers, it’s time to upgrade them, retire them or disconnect them from the Internet. Most computers that shipped with Vista can run Windows 7 faster, and many can run Windows 10. (Call any local tech for help identifying if any particular system is worth an upgrade.) And if there are still any Windows XP machines out there, it’s time to melt them down. Secure erasure and safe recycling is free for my customers.

Microsoft Office 2007

Microsoft Office 2007 will reach the end of extended support October 10th of 2017. If you’re running Outlook 2007, plan ahead. Running an unpatched email program isn’t safe. Now is a good time to switch to Thunderbird, or upgrade to Office 2016.

Calendar

PC410.com maintains a short list of the end-of-life dates of the most popular software products, here.

The post Good Riddance, Vista appeared first on Startupware.com. Visit to read more about software design, malware, and computer security.

Original article: Good Riddance, Vista.

Subject: Re: filetiger.com charge on my card

WTF is this $263.48 charge on my card?
I never ordered anything from filetiger.com.
I have attached a screenshot of my statement.
WTF is this about?

Thank you
Attachment: ss_filetiger.com_47155.doc

OK, I know what the transaction sizes are for my FileTiger file management software on my FileTiger.com site, and if there was a $263 site license sale for a product that sells for $9.90, I would have been notified when it happened. So it’s suspicious. There’s no signature, and the sending address has the email address as the name, like this:
abe@b.com <abe@b.com>
(I won’t show the original email addresses, as they’re both fake and variable, and likely stolen from an infected computer’s address book.)

Next, there are carbon copies to three other addresses, on three different domains. One of them is at Ford.com. Really. Another goes to a domain with no web site.

And, of course, it’s all blandly generic. The domain name is there, and it was sent to the email address associated with that domain, publicly available from the records at my domain registrar.

OK, well, I’m clearly not going to open a suspicious doc file in Word; it’s a stupid thing to do; Word has auto-run macros, and there are constant patches to force Word to ask permission before launching the macros, and workarounds for the bad guys to avoid that permission, especially if your version of Word is not the newest edition. Instead, I open it in the vastly-safer WordPerfect, which won’t run embedded macros without permission, ever, and couldn’t run a Microsoft Word macro in any case. This image is inside:  (Note that the logo for Office is wrong–it’s not a Microsoft message.)

Wow. Brazen. It asks me to “Enable editing” and then to “Enable content”.

OK, next, I take the file and submit it VirusTotal.com, which runs it against (currently) 55 antivirus products. I did this only 10 minutes after it arrived, so there are only 3 ‘infected’ diagnosis, but it’s clearly evil:

Note that VirusTotal recognized the file with another domain name, but scanned the same day as I received it, one minute ago, in fact.

I also looked inside the file with a pure text editor; there are a lot of totally random phrases in there, so it’s probably being re-generated regularly to stay ahead of AV detection software.

As always, the defense against these social-engineering attacks is the same: Don’t open attachments you didn’t ask for.

UPDATE, Later in the same day:

Apparently, I’m ripping off a lot people and should expect chargebacks. I have just received an identical message, but now from an email address in Japan. The filename has changed to “ss_filetiger.com_197472.doc”, and VirusTotal says it’s a different file, but it’s now recognized as malware by 6 of the 54 scanning programs, although it’s still not detected by the AV software I’m running locally. In other words, AV can’t keep up.

The post Fake Web Charge DOC is a Social Engineering Attack appeared first on Startupware.com. Visit to read more about software design, malware, and computer security.

Original article: Fake Web Charge DOC is a Social Engineering Attack.

These are common, and dangerous. Clicking that link will result, usually, in the installation of a fake security program or a search hijack toolbar. The cleanup is routine bench work (call me if you’re local to Carroll County, Maryland), but even better, just click delete and avoid the problem. And maybe consider improving the filtering on your email; ask your mail provider for help.

These typically include a document you must print, and claim to be from any of these sources:

• Any delivery service, but especially USPS, UPS, Fedex, or DHL.
• Any of the top 50 banks.
• Any government body, but especially the IRS.

How do you know this is a fake? Put the mouse over the link for printing but do not click. Look in the bottom left corner of the screen to see the address that the link will go to. In this case, it should go to USPS.com. It doesn’t. In this email, there are more clues:

• They’re asking you to print a label. None of the groups these claim to be from will do that.
• The domains of the from address, the reply address, and the address in the printing link do not match each other.
• None of the addresses in the e-mail match the claimed sender.
• The email appears to be from a person, not a department, at a giant impersonal organization. That’s highly unlikely.
• The logo shown is not the correct logo. It’s not the right font or the right colors or it’s an old version.
• There are grammar errors, punctuation errors, or word choice errors in the e-mail.
• The instructions in the e-mail don’t quite make sense. In this case, you’re supposed to take a label to the nearest post office to get your package, and not to the specific post office that delivers to your street address.

Notice the shape of the C and S. The real USPS logo uses streamlined characters that are straight at the top and the bottom. The letters in the fake are a curved generic font.

Be suspicious of any e-mail that asks you to print a document, that claims to be from a big company, a big bank, or a government organization, or that is asking you to do something that that organization would normally handle by telephone, or by asking you to react in some other way than by printing a document. When in doubt close the e-mail and contact that organization in the way you normally would–pick up the telephone or go to their webpage, but do not, ever, click an e-mail link without looking where it goes first.

Jerry Stern is webmaster at PC410.com and Startupware.com.

The post Careful: The USPS Didn’t Send THAT. appeared first on Startupware.com. Visit to read more about software design, malware, and computer security.

Original article: Careful: The USPS Didn’t Send THAT..

First call: “When I looked at the computer this morning, the screen said it was shutting down. It just sat there, so I rebooted. Nothing. Blank”

My questions: Does that computer run all the time? (Yes, it backs up at night to an external drive.)

So it hasn’t rebooted in a while? (I guess.)

“OK, unplug the external hard drive and any other USB storage devices, and reboot.” That fixed it.

Why? Because PCs of a certain age, circa 2003-2006, frequently dislike booting with a USB storage device plugged in. The machine is never turned off, until Windows Update comes along and forces a reboot.

Second call: “I thought I broke it. It was just sitting there with a spinning message forever. I let it run and it eventually shut down. My husband says I broke it again. You repaired it last week!”

Answer: LOTS of big patches last night. Slow shutdown was normal; patches were installing.

Hey, Microsoft! Automatic patching is clearly doing more good than evil, BUT clear communications would really help. Like “Your monthly security patches from Microsoft are installing right now. These happen on a regular schedule. Learn more at: (simple link that can be remembered for later)” NOT “Your computer is shutting down” or “Installing… Do not turn off your computer…” Clear messages that say that you’re working to improve their security are better than techie messages that say their systems are going DOWN. 🙁

Don’t scare your customers. That’s the job of the bad guys.

The post Windows Update Broke My Computer… not! appeared first on Startupware.com. Visit to read more about software design, malware, and computer security.

Original article: Windows Update Broke My Computer… not!.

Here’s their press item:
//www.softwarekb.com/news/2008/12/11/court-halts-bogus-computer-scans/

This group of rogue programs has made this past year interesting for me. I clean up these programs more than any other type of malware, and yes, I get paid. But all in all, I’d rather be upgrading hard drives and building new systems.

The post FTC places temporary halt on XP Antivirus and Family appeared first on Startupware.com. Visit to read more about software design, malware, and computer security.

Original article: FTC places temporary halt on XP Antivirus and Family.

Before the install, I ran Hijack This and added everything to the ‘ignore’ list, and ran CCleaner, and accepted every registry issue found–it’s a clean test box, so there wasn’t much.

Started the install:

I chose all the default options:

At the truly arrogant file options, I made no changes–Nero wants to be your program for everything related to content. Apparently it’s more than a DVD burning program, in the opinion of the publisher.

At the install options, I again made no changes. Note the “Nero Scout” item at bottom left, unchecked by default.

The install completed without problems. I restarted the computer, and went looking. No new system tray icon appears, and no indication that I’ve installed anything more than a DVD burner. But wait, there’s something–in the Windows menus, in the Nero group, I see Nero Scout. Ooh, options. Here’s the view–it’s ON by default, and installed without asking:

Ran HijackThis again. There are only two new entries:
O4 – HKLM\..\Run: [NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O23 – Service: NMIndexingService – Nero AG –
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

So my DVD burner software includes a full indexing scan for files, also called ‘desktop search’, on by default, of all types (it’s on that ‘Files’ tab), with no system tray icon, and no obvious place to type in a search. What does this have to do with burning a DVD? (Nero, if you’re reading this, send me an answer–I’ll post it.)

I won’t comment much on the functionality of the product, except for one item: DVD-video functions (Nero Vision and some other areas) work for 30 days, then display an expired message. OK, I have no problem with a vendor trying to upsell, but announce that the product is half real and half 30-day trial in advance, and give me an option to uninstall the dead software chunks–I don’t need all this clutter.

Uninstalled. No error messages. Restarted the PC. Ran HijackThis a third time, and both autostart entries have been removed–good so far. Under C:\Program Files, there’s a leftover folder “Nero” containing 4 files and 2 more folders. Sloppy, but not unusually so. There’s a file left in the c:\WinNT folder, “NeroDigital.ini”.

Ran CCleaner, and checked the registry. Remember, I cleaned it before the install. There are now 380 registry errors. These are in the categories of:

‘Unused File Extension’ mostly for graphics still formats,

‘ActiveX/COM Issue’ for ‘AppCore.MediaSource,

‘Invalid or empty file class’ for CDmaker, and

several hundred “Open with Application Issue’ entries, pointing to “HKCR\NeroExpress.Files7…”

Overall results:
Is it startupware? Absolutely. It adds two autoplay entries, one totally unrelated to the program’s function, doesn’t ask permission before adding the unrelated functions, and turns on a processor-intensive application by silent default.

Recommendations–

First, don’t install with the defaults. Uncheck every file format on ALL the pages in the install options, except those that you’ll really use the program for. If in doubt, uncheck it.

Second, check off that box: “Configure Nero Scout on first usage” and then disable it.

Or find the autoplay entry for Nero Scout, it’s in Control Panel, Administrative Tools, Services, NMIndexingService–choose stop, and disable. Then find and delete the file:
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

And finally, consider some other program. This install doesn’t inspire trust.

The post Nero 7 Essentials appeared first on Startupware.com. Visit to read more about software design, malware, and computer security.

Original article: Nero 7 Essentials.

The about.htm page asked me to install the Chinese Language Pack. Answered OK, it wanted the CD. I don’t get out of my chair that easily… clicked cancel. (Remember, I test like novices surf…) It took me back to the English about.htm page.

Found the how-to-use page, and let it install the Chinese keywords utility. The Install and Run warning, was properly signed by VeriSign, but the message was mostly bad font blocks. (No Chinese font loaded, as above.) Next, had a pop-up box all in Chinese, with one button. Clicked that, it went away. Nothing else happened. Restarted IE, nothing.

Restarted Win XP Home, and IE. There are 5 new icons in the tool bar, all Yahoo-related. Some Chinese characters appear in the right-end of the address bar.

All this was added to the autoplays, as reported by HijackThis:

Running processes:
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wpabaln.exe

R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://seek.3721.com/srchasst.htm
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.3721.com/srchcust.htm
O2 – BHO: IE – {D157330A-9EF3-49F8-9A67-4141AC41ADD4} – C:\WINDOWS\DOWNLO~1\CnsHook.dll
O4 – HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 – HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O8 – Extra context menu item: Quick Search (Yisou.com) – res://C:\WINDOWS\DOWNLO~1\CnsMinEx.dll/1003
O9 – Extra button: Short Message – {00000000-0000-0001-0001-596BAEDD1289} – http://sms.3721.com/ie/index.htm (file missing)
O9 – Extra button: Yahoo 1G mail – {507F9113-CD77-4866-BA92-0E86DA3D0B97} – http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 – Extra button: E bazar – {59BC54A2-56B3-44a0-93E5-432D58746E26} – http://cn.rd.yahoo.com/auct/promo/3721/200508/ielogo-wcfashion/*
http://cn.promo.auctions.yahoo.com/200507/fashion/index.html?refcode=3721200508ielogo-wcfashion (file missing)
O9 – Extra button: 3721 Assistant – {5D73EE86-05F1-49ed-B850-E423120EC338} –
http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 – Extra button: Instant Messenger – {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} –
http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 – Extra button: (no name) – {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} –
http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 – Extra ‘Tools’ menuitem: Repair Browser – {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} –
http://assistant.3721(DOT)com/security1.htm?fb=Cns (file missing)
O9 – Extra button: (no name) – {FD00D911-7529-4084-9946-A29F1BDF4FE5} –
http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 – Extra ‘Tools’ menuitem: Clean Internet access record – {FD00D911-7529-4084-9946-A29F1BDF4FE5} –
http://assistant.3721(DOT)com/clean1.htm?fb=Cns (file missing)
O11 – Options group: [!CNS] Chinese keywords

UNINSTALL–There was an entry in the add/remove list for Chinese keywords. Ran it. The uninstall was perfect. That’s rare–it put the autoplays back exactly as they were.

Overall, the install is sloppy–note the (file missing) on some of the items above. The uninstall was good. Clearly not a drive-by download. I saw no extra popups at the site, before or after installing the plug-in, or after removing it.

While the site is on the SpybotSD list of sites that it adds to the restricted sites list in IE, my test, as of Sept 8, 2005, didn’t show anything more suspicious than an overly-invasive toolbar with a sloppy install.

I’d like anyone who can read Chinese to repeat the test–I could easily have missed installing a optional portion of the toolbar.

The post Review of 3721(dot)com appeared first on Startupware.com. Visit to read more about software design, malware, and computer security.

Original article: Review of 3721(dot)com.

Test run Aug 25th, 2005, clean Win XP Home, no patches, not activated, no drivers except automatically-installed items from the Windows installation. Items listed as detected by HijackThis.

Installing the Crawler toolbar added these items to the system settings:
Running processes:
C:\Program Files\Crawler\CToolbar.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://portal.crawler.com/search/ie.aspx?tb_id=60002
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.crawler.com/?tbid=60002
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://portal.crawler.com/search/ie.aspx?tb_id=60002
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Crawler\ctbr.dll/sa
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://portal.crawler.com/search/ie.aspx?tb_id=60002
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Crawler\ctbr.dll/sa
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 – URLSearchHook: (no name) – {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} – C:\PROGRA~1\Crawler\ctbr.dll
O2 – BHO: (no name) – {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} – C:\PROGRA~1\Crawler\ctbr.dll
O3 – Toolbar: &Crawler Toolbar – {4B3803EA-5230-4DC3-A7FC-33638F3D3542} – C:\PROGRA~1\Crawler\ctbr.dll
O8 – Extra context menu item: Crawler Search – tbr:iemenu
O18 – Protocol: tbr – {4D25FB7A-8902-4291-960E-9ADA051CFBBF} – C:\PROGRA~1\Crawler\ctbr.dll

When Internet Explorer is NOT running, CToolbar continues to run, and it autoplays with the system.

Uninstall results–this item not removed–it’s the IE home page:
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.crawler.com/?tbid=60002

Overall: The main executable runs when it shouldn’t, for no stated purpose. Uninstall doesn’t restore home page but does restore all other settings. Search results from toolbar show pay-for-display ads first, clearly labeled, before showing true search results which may or may not be on the first page of results.

Summary: I wouldn’t automatically delete this one if the user finds it helpful–doesn’t appear to do anything disruptive. The publisher should fix the way it runs ctoolbar, so that it starts with IE, and doesn’t run all the time.

The post Crawler(dot)com toolbar appeared first on Startupware.com. Visit to read more about software design, malware, and computer security.

Original article: Crawler(dot)com toolbar.