Replies

Thanks for the article about Crypto-ransomware. You many not be aware of two other applications designed to protect against it. One is HitmanPro Alert and the other CryptoMonitor

http://www.surfright.nl/en/alert
https://www.easysyncsolutions.com/products.html

It would be interesting if you could check these out and do a followup.

Fred, although you mentioned uninstalling unnecessary software you didn’t say anything about examining the list of auto-starting applications. As you know that list can get quite long and eat up ram that could be better used by other applications. Also, the user said “I have to reboot every few days”. That suggests he is using sleep/hibernation instead of shutting down at the end of the day. In my experience performance degrades over time using suspend modes and rebooting is the fix for that. I find that using sleep or hibernation during the day for quick access and then a full Shutdown at the end of the day is optimal.

Note there is a free program called BlueScreenView (here: http://www.nirsoft.net/utils/blue_screen_view.html ) that makes viewing the BSOD crash dump files much easier. There are also options in Advanced System properties to disable auto-restart after BSOD (so you have a chance to copy the crash code) and adjust the dump file size (I set it to kernel memory dump for maximum information). One thing I recommend to less technically minded folks is to pull out their digital camera and take a picture of the blue screen (essentially create a screenshot) that they can share with others for analysis.

Fred, thanks for the great article. I hope you will do a “Part 2” to address the additional questions.

I prefer uninstallers such as Revo and Advanced Uninstaller (free versions available) because they target files and registry entries specific to the program being uninstalled. That’s safer than more general registry and file scanners IMHO, but it would be interesting to compare them with CCleaner registry cleanup and JV Powertools for both safety and performance gains. There is also the separate registry compression function that some tools offer which removes dead space and “re-parses” the registry to make it smaller and more efficient. In my experience compressing the registry is safe and does reduce its size, but I have no idea if it makes the slightest difference to performance.

In your article you said to make the Host file read only. If my Host file has been compermised and I make it read only I have not accomplished anything. How can I know if I have the correct Host File?

I also have about 40 files called “Host.nnnnnnnn-nnnnnn.backup” where the n’s are random numbers. Should these files be removed?

OldGuy IK

If you view the content of your current Hosts file (not the backups) you will see a list of entries where websites are equated with IP addresses, for instance:

127.0.0.1 Localhost (which is correct)

To determine if all the entries are legit you would have to check every URL using a DNS Lookup site to confirm that the IP addresses are correct. For those users who find this too technical note that for general internet browsing it’s not necessary have a hosts file. In the early days of the internet the Hosts file made browsing faster by providing a local database for DNS lookup, but that’s not necessary today with broadband. You can disable it by renaming – for instance Hosts.sav – or just delete it. You can then create a new empty text file called “Hosts” (rename and remove the txt extension) and make it read only.

Here is an option that has the potential to make the system safer:

http://perspectives-project.org/

Perspectives adds another layer of cross-checking in the process of validating certs.

There is also CsFire:

http://distrinet.cs.kuleuven.be/software/CsFire/

It’s less clear to me what CsFire does, but it sounds like it could be helpful in prevent MITM attacks.

It would be great if you could check these Firefox extensions out and do a followup.

Regarding prepping before installing a service pack I like to:

Run disk cleanup and also delete restore points since that happens anyway
Run Ccleaner to delete the stuff that Disk Cleanup misses (you’d be surprised)
Run the startup manager of choice (I like Winpatrol) and disable all unnecessary auto-starting apps.
Run an anti-malware scan with MBAM or SuperAntiSpyware.
Run Windows Update and make sure all “Important” updates other than the service pack are installed.
Reboot, disable antivirus auto-protect (or even better temporarily uninstall the AV)

Now install the service pack from Windows Update.

All of the above doesn’t take long. The bottom line though is having a current image to fall back on.