Me on Twitter
News
Mar 27 - FreeFixer 1.04 released.
Feb 12 - FreeFixer 1.03 released.
Feb 01 - FreeFixer 1.02 released.
Jan 15 - FreeFixer 1.01 released.
Dec 12 - FreeFixer 1.00 released.
Nov 15 - FreeFixer 0.70 released.
Nov 05 - FreeFixer 0.69 released.
Oct 22 - FreeFixer 0.68 released.
Oct 09 - FreeFixer 0.67 released.
Oct 02 - FreeFixer 0.66 released.
Sep 19 - FreeFixer 0.65 released.
Sep 06 - FreeFixer 0.64 released.
Jul 23 - FreeFixer 0.63 released.
May 25 - FreeFixer 0.62 released.
Feb 07 - FreeFixer 0.61 released.
Oct 16 - FreeFixer 0.60 released.
Aug 06 - FreeFixer 0.59 released.
May 17 - FreeFixer 0.58 released.
Apr 28 - FreeFixer 0.57 released.
Apr 21 - FreeFixer 0.56 released.
Follow me?
15 May DreamHost have had some connectivity issues with the datacenter where my sites are located. Seems to be online again now.
08 Apr Thank you Glen Haar for your FreeFixer donation!
02 Apr Google Code Jam 2013. Anyone participating? http://t.co/0w5469rYok
27 Mar FreeFixer v1.04 released. This version scans your Internet Explorer extensions: http://t.co/h5aQtL7nOP
25 Mar FreeFixer v1.04 released soonish. It will scan your Internet Explorer extensions. http://t.co/BWYqkVAYZc
12 Feb FreeFixer v1.03 released: http://t.co/w7FQVSPU
01 Feb FreeFixer can now continuously monitor system changes on your computer by running periodic background scans: http://t.co/fQizCL9x
30 Jan Prototyping scheduled background scans for FreeFixer. System changes will be reported in the notification area: http://t.co/v8PjlWkM
15 Jan Minor update of FreeFixer today: http://t.co/HIK3PHAi
03 Jan Turkish Registrar Enabled Phishers to Spoof Google: http://t.co/III2ntdO
FreeFixer
FreeFixer is a general purpose removal tool which will help you to delete potentially unwanted software, such as adware, spyware, trojans, viruses and worms. FreeFixer works by scanning a large number of locations where unwanted software has a known record of appearing or leaving traces. The scan locations include the programs that run on your computer, the programs that starts when you reboot your computer, your browser's plug-ins, your home page setting, etc.
FreeFixer does not know what is unwanted, so it presents the scan result and it's up to you decide if some file should be removed and if some settings should restored to their default value. Please be careful! If you delete a legitimate file you may damage your computer. To assist you when determining if anything should be removed you can find more information at FreeFixer's web site for each item in the scan result. You can for example see what other users chose to do in the same situation. You can also save log file of your scan result and consult the volunteers in one of the FreeFixer helper forums.
For more detailed information about FreeFixer, please see the User's Manual.
Download
Download FreeFixer here. FreeFixer is freeware and Windows 2000/XP/2003/20008/Vista/7/8 compatible. FreeFixer runs on both 32- and 64-bit Windows.
Screenshots
FreeFixer startup screenshot.
Screenshot showing some of FreeFixer's scan result. Files listed with green background
are on FreeFixer's list of trusted files. The files with white/gray
background are unknown to FreeFixer, so it cannot say anything about them. (In this
case, they are all legitimate files).
When FreeFixer is unable to delete files in normal Windows mode they
are registered for delayed removal with FreeFixer's Native Deleter,
which removes the files upon the next reboot. The actual delete operation
is done before the logon screen appear. The majority of malware can be deleted at
this point.
Latest blog posts
07 September 2012
The state of Internet Explorer after installing the top 20 downloads from Download.com
by Roger Karlsson
Does this sound familiar? You get a call from your parents. There's some problem with their computer. The printer isn't working, the computer won't connect to the wireless network or something like that. You go there and fix the problem, but while troubleshooting you also notice that there are some new toolbars in their web browser. When you ask them about the toolbars they usually say they have no idea how the toolbars got there.
These toolbars are typically bundled with other software and if you don't pay attention during the installation process, you might end up installing not only the program that you actually want, but also some toolbars or other software that you did not want at all. Why? The majority of the bundled software is opt-out - you have to explicitly say NO to the bundled software by unchecking some checkbox during the installation.
So, today I decided to start with a fresh installation of Windows Vista, then download the top 20 most popular downloads from Download.com, install them without opting out of the bundled software. This is how your Internet Explorer will look like:
Updated 2012-09-08: Fixed publication date. The post was published 2012, not 2010.
08 June 2010
Please give me some feedback on FreeFixer
by Roger Karlsson
What do you think about the FreeFixer application and the freefixer.com web site? I've set up this blog post so you easily can post your feedback. Want to see a new feature? Did you spot a spelling error? Did FreeFixer fail to remove some malware file? Want to see more screenshots?
Please post your feedback below. Anything is welcome. If you see someone already has posted your suggestion, please give them a "thump up".
23 October 2009
Malware Detection - The Simplest Thing That Could Possibly Work
by Roger Karlsson
I'm sure most of you already know how the FreeFixer application works: It scans many locations on your Windows machine, such as the browser plugins, processes and services that are installed on your system. In its current state, FreeFixer does not have much knowledge whether a file is good or bad: It greenlists files from trusted software vendors and hides critical system files completely from the scan result. The remaining files appears in the scan result, neither listed as good, nor as bad. It's the responsibility of the user to figure out, with the help of the other FreeFixer users and the FreeFixer file library, if a file should be considered safe or if it should be removed.
This is how FreeFixer is designed to work, but admittedly, it's not easy for an inexperienced user to figure out which of the files in the scan result, if any, that should be selected for removal.
Many FreeFixer users have contacted me and suggested that FreeFixer should also detect and display malware files in red like most of the other anti-spyware and anti-virus tools do. And the suggestion makes perfect sense: It would be great to combine malware detection with the manual inspection and removal features. It would attract both beginners and experienced users.
However, I've always said no to this feature request, since it already requires lots of work to add new scan locations, supporting even more platforms than those supported today and working on the FreeFixer.com web site. Adding an additional task of analyzing lots of malware and creating malware definitions would probably result in crappy FreeFixer program with a crappy malware detection list.
Do you want to create malware definitions for FreeFixer?
I'm currently experimenting with a new set of features that allows anyone to create malware definitions for FreeFixer. I've started out with the simplest thing that could possibly work: Detection based on file locations. You simply define which files are malware by specifying the file locations in an .xml file. For example, the existence of ld14.exe in the Windows directory indicates that your machine is infected with the Koobface worm.
I'll link to your definition file from FreeFixer.com. FreeFixer users downloads your .xml file. Now the malware files get flagged in their scan results. The detection name that you gave the file appears and if users click on it they will be linked to your web site where you can explain more about the threat. You get credit for your work.
I've created a tiny example how to build the malware-definitions. I think you'll
understand the concept by looking directly into the .xml file:
http://www.freefixer.com/static/freefixer-demo-defs.xml
Put this file in c:\Program Files\FreeFixer\definitions\ and
FreeFixer will detect some variants of the Koobface worm. The Koobface
files will appear in red in the scan result.
If there's interest in building malware definitions for FreeFixer I'll keep on adding detection features. Some of the features that would be nice is SHA256 and MD5 detection, detection based on various parts of a file, detection of registry keys, values and data, memory scanning, signed xml-files, automatic updates, etc. You name it.
26 June 2009
Summer of Drive-By Downloads
by Roger Karlsson
The summer has finally arrived here in Sweden. Now is the time to go swimming, bouldering and do all the other things that requires great weather.
As you may know, I've been documenting lots of drive-by downloads and intend to continue doing so during the summer. To make this as smooth as possible I've set up this blog post which I'll update when I find some new malware that use security holes to install.
--As usual, I'm scanning the infected system with FreeFixer to find out what's been installed on the system. I'm also using FreeFixer to remove the unwanted files.
10 July
Today the rogue System Security application installed. Nothing new under the sun except this driver that can along:
c:\windows\system32\drivers\amd64si.sys
8 July
c:\windows\system32\drivers\netsik.sys c:\windows\system32\msrr32.dll c:\win32upd.exe
6 July
c:\windows\system32\appwinproc.dll HOSTS file redirecting antispy.microsoft.com to 209.44.111.62 HOSTS file redirecting antiaware-pro.com 209.44.111.62 HOSTS file redirecting www.antiaware-pro.com to 209.44.111.62
4 July
c:\windows\system32\msxz.exe
2 July
Another nasty infection. The files msjv32.dll and msne.exe was hidden from detection by a rootkit:
c:\windows\system32\msjv32.dll C:\Documents and Settings\Roger\Skrivbord\msdos.pif c:\windows\system32\msne.exe
1 July
C:\WINDOWS\9129837.exe c:\windows\system32\drivers\securentm.sys C:\WINDOWS\System32\rr64_b.exe HOSTS file redirecting safesystem.microsoft.com to 209.44.111.62 HOSTS file redirecting antiviraprof.com to 209.44.111.62 HOSTS file redirecting www.antiviraprof.com to 209.44.111.62
30 June
Nasty little bugger. None of the 40 anti-virus engines over at VirusTotal.com detects HB32.dll:
C:\WINDOWS\system32\wbem\HB32.dll
29 June
C:\WINDOWS\system32\EVA.exe C:\DOCUME~1\Roger\LOKALA~1\Temp\init.exe C:\DOCUME~1\Roger\LOKALA~1\Temp\3.EXE c:\windows\system32\drivers\systemntmi.sys C:\Documents and Settings\Roger\Application Data\twex.exe C:\Documents and Settings\Roger\Start-meny\Program\Autostart\rncsys32.exe C:\WINDOWS\ld09.exe C:\WINDOWS\System32\net.net
26 June
This drive-by download installed the System Security Rogue, Koobface, and a malware device driver:
C:\windows\ld11.exe C:\Documents and Settings\All Users\Application Data\15452184\15452184.exe c:\program\sys\sys.sys
26 June
A device driver + additional malware:
C:\WINDOWS\System32\drivers\ethxhkrw.sys C:\WINDOWS\System32\sdra64.exe C:\WINDOWS\system32\logon.exe
24 June 2009
Malware Doctor - Another rogue security application installing through security holes
by Roger Karlsson
About three weeks ago Avelino Rico Jr over at McAfee Labs blog reported about a new rogue security program called Malware Doctor.
This morning my honeypot caught Malware Doctor and some additional malware installing by exploiting a security. I've pasted the FreeFixer log and marked the malware item in red:
FreeFixer v0.41 log http://www.freefixer.com/ Operating system: Windows XP Service Pack 1 Log dated 2009-06-23 23:14 System policies HKCU\..\policies\system, DisableTaskMgr = 1 HKCU\..\policies\system, DisableRegistryTools = 1 Browser Helper Objects {AFF01325-0FC2-4749-8914-FBF0565AD9CC}, Chrome copyright, jbnmck.dll(file is missing) Registry Startups HKLM\..\Run, Malware Doctor = C:\Documents and Settings\LocalService\Application Data\1361538659.exe HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background HKCU\..\Run, Malware Doctor = C:\Documents and Settings\LocalService\Application Data\1361538659.exe Processes (17 whitelisted) C:\Program\Messenger\msmsgs.exe C:\WINDOWS\System32\NOTEPAD.EXE C:\Program\FreeFixer\freefixer.exe C:\WINDOWS\System32\avast!Antivirus.exe C:\Documents and Settings\LocalService\Application Data\1361538659.exe Services (34 whitelisted) avast!Antivirus, , c:\windows\system32\avast!antivirus.exe Recently modified files (1 whitelisted) 16 minutes, c:\Documents and Settings\LocalService\Application Data\1361538659.exe 16 minutes, c:\WINDOWS\system32\jbnmck.dll 16 minutes, c:\WINDOWS\system32\avast!Antivirus.exe 16 minutes, c:\WINDOWS\Temp\wpv521245837260.exe 7 days, c:\Program\FreeFixer\freefixer.exe 36 days, c:\Program\FreeFixer\Uninstall.exe
15 June 2009
Security Holes, Antivirus System Pro, and testing of a new FreeFixer plugin
by Roger Karlsson
For the last three days I've been experimenting with a new FreeFixer plugin. The plugin simply lists the most recently modified/created files, which appear at the end of the scan result. Definitely no rocket science, but in a case of a malware infection, I think it can be quite efficient in pointing out the unwanted files.
I've tested the new plugin on some real world infection picked up by my malware honeypot. All the unwanted files listed in the scan results were installed through security holes. I've marked them with red. During the testing I also ran into Antivirus System Pro, which is another of those rogue anti-spyware programs. Antivirus System Pro uses sysguard.exe as its file name and is located in the c:\Windows folder. You can find more information and screenshots on this rogue over at Bharath's Security Blog.
Malware Log 1
FreeFixer v0.41 log http://www.freefixer.com/ Operating system: Windows XP Service Pack 1 Log dated 2009-06-09 20:16 Browser Helper Objects {5B1D95A2-F547-4e5e-8902-622B08354622}, BHO, C:\WINDOWS\system32\iehelper.dll Registry Startups HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background HKCU\..\Run, system tool = C:\WINDOWS\sysguard.exe HOSTS file 209.44.111.57 alarm-security.microsoft.com 209.44.111.57 inetantivirus.com 209.44.111.57 www.inetantivirus.com Processes (11 whitelisted) C:\Program\Messenger\msmsgs.exe C:\Program\FreeFixer\freefixer.exe Recently modified files 2 minutes, c:\Program\FreeFixer\freefixer.exe 2 minutes, c:\Program\FreeFixer\Uninstall.exe 17 minutes, c:\WINDOWS\system32\iehelper.dll 27 minutes, c:\WINDOWS\sysguard.exe 26 minutes, c:\wxh21u.exe 27 minutes, c:\a113c2.exe
Malware Log 2
FreeFixer v0.41 log http://www.freefixer.com/ Operating system: Windows XP Service Pack 1 Log dated 2009-06-08 22:57 UserInits (1 whitelisted) C:\WINDOWS\System32\sdra64.exe Registry Startups HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background Processes (15 whitelisted) C:\Program\Messenger\msmsgs.exe C:\DOCUME~1\Roger\LOKALA~1\Temp\winELyqWgX.exe C:\Program\FreeFixer\freefixer.exe Recently modified files 5 minutes, c:\Program\FreeFixer\freefixer.exe 5 minutes, c:\Program\FreeFixer\Uninstall.exe 35 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\winELyqWgX.exe 21 days, c:\RECYCLER\S-1-5-21-1229272821-413027322-839522115-1003\Dc124.exe
Malware Log 3
FreeFixer v0.41 log http://www.freefixer.com/ Operating system: Windows XP Service Pack 1 Log dated 2009-06-09 15:25 System policies HKCU\..\policies\system, DisableRegistryTools = 1 Browser Helper Objects {82633227-7884-4264-6517-5599ca323026}, , C:\Program\Common Files\System\s sig.dll Registry Startups HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background Autostart shortcuts Visio Util Firing.exe, , C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Visio Util Firing.exe Yahoo Software Firing.exe, , C:\Documents and Settings\Roger\Start-meny\Program\Autostart\Yahoo Software Firing.exe HOSTS file 67.212.80.125 pagead2.googlesyndication.com Processes (12 whitelisted) C:\Program\Messenger\msmsgs.exe C:\WINDOWS\System32\wininet.exe C:\Program\FreeFixer\freefixer.exe Shell services (4 whitelisted) SysRun, {D7FFD784-5276-42D1-887B-00267870A4C7}, C:\WINDOWS\System32\svshost.dll Recently modified files 4 minutes, c:\Program\FreeFixer\freefixer.exe 4 minutes, c:\Program\FreeFixer\Uninstall.exe 32 minutes, c:\WINDOWS\system32\svshost.dll 32 minutes, c:\WINDOWS\system32\wininet.exe 32 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\YQ2T1TWE\1[1].exe 32 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\1\svchost.exe 32 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\0H6N6RCD\1[1].exe 32 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\~tt1.tmp 32 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\0H6N6RCD\load[1].exe 22 days, c:\Program\Common Files\System\Adobe_Office_Firing.exe 22 days, c:\Documents and Settings\All Users\Start-meny\Program\Autostart\Visio Util Firing.exe 22 days, c:\Documents and Settings\Roger\Start-meny\Program\Autostart\Yahoo Software Firing.exe 22 days, c:\Program\Common Files\System\s sig.dll 22 days, c:\Documents and Settings\Roger\Lokala inställningar\Temp\winxfH6q2KD.exe 22 days, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\KHYB4HUB\load[1].exe 22 days, c:\RECYCLER\S-1-5-21-1229272821-413027322-839522115-1003\Dc124.exe
Malware Log 4
FreeFixer v0.41 log http://www.freefixer.com/ Operating system: Windows XP Service Pack 1 Log dated 2009-05-18 12:57 UserInits (1 whitelisted) C:\WINDOWS\System32\win32avs.exe Registry Startups HKLM\..\Run, internat = C:\WINDOWS\internat.exe (file is missing) HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background Processes (14 whitelisted) C:\Program\Messenger\msmsgs.exe C:\Documents and Settings\Roger\Skrivbord\calc.exe C:\Program\FreeFixer\freefixer.exe Recently modified files 3 minutes, c:\Program\FreeFixer\freefixer.exe 3 minutes, c:\Program\FreeFixer\Uninstall.exe 24 minutes, c:\Documents and Settings\Roger\Skrivbord\calc.exe 24 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\ntsystem.exe 24 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\C12FS9AV\calc[1].exe 46 minutes, c:\RECYCLER\S-1-5-21-1229272821-413027322-839522115-1003\Dc124.exe