Does this sound familiar? You get a call from your parents. There's some problem with their computer. The printer isn't working, the computer won't connect to the wireless network or something like that. You go there and fix the problem, but while troubleshooting you also notice that there are some new toolbars in their web browser. When you ask them about the toolbars they usually say they have no idea how they got there.
What do you think about the FreeFixer application and the freefixer.com web site? I've set up this blog post so you can easily post your feedback. Want to see a new feature? Did you spot a spelling error? Did FreeFixer fail to remove some malware file? Want to see more screenshots?
I'm currently experimenting with a new set of features that allow anyone to create malware definitions for FreeFixer. I've started out with the simplest thing that could possibly work: detection based on file locations. You simply define which files are malware by specifying the file locations in an .xml file. For example, the existence of ld14.exe in the Windows directory indicates that your machine is infected with the Koobface worm.
The summer has finally arrived here in Sweden. Now is the time to go swimming, bouldering and do all the other things that require great weather. As you may know, I've been documenting lots of drive-by downloads and intend to continue doing so during the summer. To make this as smooth as possible I've set up this blog post, which I'll update when I find some new malware that uses security holes to install. As usual, I'm scanning the infected system with FreeFixer to find out what's been installed on the system. I'm also using FreeFixer to remove the unwanted files.
About three weeks ago Avelino Rico Jr over at the McAfee Labs blog reported on a new rogue security program called Malware Doctor. This morning my honeypot caught Malware Doctor and some additional malware installing by exploiting a security hole. I've pasted the FreeFixer log and marked the malware items in red:
For the last three days I've been experimenting with a new FreeFixer plugin. The plugin simply lists the most recently modified/created files, which appear at the end of the scan result. Definitely no rocket science, but in the case of a malware infection, I think it can be quite efficient in pointing out the unwanted files. I've tested the new plugin on some real-world infections picked up by my malware honeypot. All the unwanted files listed in the scan results were installed through security holes. I've marked them in red. During the testing I also ran into Antivirus System Pro, which is another of those rogue anti-spyware programs. Antivirus System Pro uses sysguard.exe as its file name and is located in the c:\Windows folder. You can find more information and screenshots on this rogue over at Bharath's Security Blog.
I'm obsessed with looking at the traffic stats for FreeFixer.com. About halfway into June, some new filenames show up among the top searches:
A couple of weeks ago a new rogue security application appeared. Here's a FreeFixer log from the infected machine. I've marked the Presto Tuneup file in red.
Curious to see what the most popular search terms are for FreeFixer.com during May? Here they are:
I've been playing around with my malware honeypot for some days now and collected logs when malware installed through security holes. I've pasted the FreeFixer logs below, and marked the malware in red. I'm currently running this honeypot on Windows XP Service Pack 1. I'll run some tests with Service Pack 2 or 3 later on to see if I get the same installs, or if something new turns up.
Although five months have passed since System Security first appeared, it's still going strong. Yesterday it installed on my malware honeypot by exploiting a security hole. Here's the FreeFixer log from the infected computer. If you are removing System Security, select the items marked in red:
Yesterday my malware honeypot ran into a nasty infection. As usual, the malware was installed just by visiting a web page. To do this, the malware distributor used some security hole to get access to the computer. Once the malware had access to the computer it installed a rootkit and hid a few registry keys to prevent detection and removal. The malware also searched the network for shared folders with write permission and infected executable files. The malware also prevented anti-malware tools such as HijackThis from running and disabled the Task Manager and the registry editors.
As you probably already know, FreeFixer is a tool that helps you to manually analyze and identify unwanted software on your system. Once you have identified the malware on your computer, you can just mark it for deletion and FreeFixer will remove it for you. Since January 2009 I've been adding many new scan locations, which will increase the chance of spotting the malware. The drawback is that the size of the log file has been growing, and I have to admit that it can be a time-consuming task to go through all the items and check whether each should be considered safe or unwanted. Typically there are just one or two malware items in the scan result on an infected machine, and these may go undetected when dwarfed by a large number of legitimate items. With version 0.38 of FreeFixer I introduced trusted files. These are files which have been signed by established and trusted software publishers, such as Microsoft, Adobe, TrendMicro, etc. The trusted files appear with a green background color in the scan result, to signal that they are legitimate. Please note that the trusted files will not appear in the FreeFixer log file. This will make it easier for the people helping out at the FreeFixer helper forums, who often use the log file to manually identify the unwanted software.
Are you struggling to figure out if a file listed in FreeFixer's File Database is malware or a legitimate file that you want to keep on your computer? Hopefully this guide will help you.
Hello, my name is Roger Karlsson. I'm the programmer of FreeFixer. FreeFixer is a tool for manual identification and removal of spyware, trojans, adware, and other types of unwanted software. I've set up a discussion group where you can post your FreeFixer log. This is a free service. It will not cost you anything except five minutes of your time. I'll respond as soon as possible. Please go through the following steps to post a log:
So what kind of crap do we have here? Non-labelled popups, a useless uninstaller, randomly named files with useless file properties, placed in a hidden folder. All this bundled with an application with more than 400 million downloads...
Monday morning and here's another security hole exploit. This one installs some new files and configures the machine to start them every time a user logs in. Usually when it comes to these exploits, there's some ad component installed that starts popping up adverts for a rogue anti-spyware program, but not this time. There were no signs of an infection unless you start examining the process list or the registry. As a matter of fact, the init.exe process listed below is hidden from programs that enumerate the processes running on the machine. It does not appear in the Windows Task Manager nor in FreeFixer's process list. It does not appear in FreeFixer's hidden process list either, which indicates that it may be a kernel level rootkit, which FreeFixer cannot detect at the moment. It does however appear under the 'UserInit' listing in the scan result.
Yesterday I ran into a site that installs a software component that opens up a fake Windows Firewall alert message saying that you are infected with Win32.Zafi.B. If you click the link in the fake alert message you will land at www.defender-review.com, where the rogue anti-spyware program Perfect Defender 2009 is promoted. Another observation about this exploit is that it hides its main process, ocboo1892823.exe, from the user. This process is executing on the machine, but it does not appear in the Windows Task Manager, nor in any other program that enumerates processes using standard procedures.
The last two months have been rather hectic. At the end of November I started to work for a game developer. So far it has been a great experience, but unfortunately I've had to set the goals for FreeFixer a bit lower than before. Anyway, it's a new year, FreeFixer 0.26 has been released, and the same old spyware is installing through security holes. The infection listed below was extremely nasty since it made the computer crash with a blue screen around 60 seconds after every reboot.
Recently the problems over at Myspace have gotten plenty of media attention. In short, some hacker has been able to add a background image covering the majority of many Myspace profile pages. If you click any of the links displayed on the profile page, you will be taken to the hacker's web site instead of the place where you intended to go. The hacker's web site will ask you to install some face codes, but more interestingly it also exploits a security hole in unpatched systems to automatically install software.
A few days ago, while on the lookout for some random spyware, I ran into another variant of VXGame. The number of modifications this spyware makes to a computer is astonishing.
How to remove PestTrap.
Recently I ran into another spyware infection that was installed through a security hole. It seems to be a variant of an infection that I documented about a month ago. What's new about this one is that it installs a device driver on the system, as you can see at the bottom of the FreeFixer log.
How to remove the VxGame spyware.
In this document I'll show how to clean a typical spyware infection with the help of FreeFixer.