As you probably already know, FreeFixer is a tool that helps you manually analyze and identify unwanted software on your system. Once you have identified the malware, you just mark it for deletion and FreeFixer will remove it for you. Since January 2009 I've been adding many new scan locations, which increases the chance of the malware appearing in the scan result. But at the same time the size of the log file has been growing, and I have to admit that it can be a time-consuming task to go through all the items and check if they should be considered safe or unwanted. Typically there are just one or two malware items in the scan result on an infected machine, and these may go undetected when dwarfed by a large number of legitimate items.
With version 0.38 of FreeFixer I introduced trusted files. These are files which have been signed by established and trusted software publishers, such as Microsoft, Apple, Adobe, TrendMicro, etc. The trusted files appear with a green background color in the scan result, to signal that they are legitimate. Please note that the trusted files will not appear in the FreeFixer log file. This will make it easier for people helping out at the FreeFixer helper forums, who often use the log file to identify the unwanted software.
The following two logs are from the same computer, and I'm happy to say that in this case the log size has been reduced by almost 70% when running FreeFixer v0.38:
FreeFixer v0.38 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 3
Log dated 2009-04-20 10:55
Namespace service providers (3 whitelisted)
{B600E6E9-553B-4A19-8696-335E5C896153} - C:\Program\Bonjour\mdnsNSP.dll
Browser Helper Objects (2 whitelisted)
{DBC80044-A445-435b-BC74-9C25C1C588A9}, Java(tm) Plug-In 2 SSV Helper, C:\Program\Java\jre6\bin\jp2ssv.dll
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}, JQSIEStartDetectorImpl Class, C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
Registry Startups (9 whitelisted)
HKLM\..\Run, QuickTime Task = "C:\Program\QuickTime\QTTask.exe" -atboottime
HKCU\..\Run, Sony Ericsson PC Suite = "C:\Program\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
HKCU\..\Run, uTorrent = "C:\Program\uTorrent\uTorrent.exe"
Autostart shortcuts (1 whitelisted)
Logitech SetPoint.lnk, , C:\Program\Logitech\SetPoint\SetPoint.exe
Processes (26 whitelisted)
C:\Program\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program\Logitech\SetPoint\SetPoint.exe
C:\Program\FreeFixer\freefixer.exe
Application modules (56 whitelisted)
C:\Program\Logitech\SetPoint\lgscroll.dll
C:\WINDOWS\system32\MSVCR71.dll
C:\WINDOWS\system32\MSVCP71.dll
Drivers (32 whitelisted)
OMCI, OMCI, C:\WINDOWS\system32\drivers\omci.sys
FreeFixer v0.37 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 3
Log dated 2009-04-20 10:57
Winlogon Notify (10 whitelisted)
igfxcui - C:\WINDOWS\system32\igfxsrvc.dll
Namespace service providers (3 whitelisted)
{B600E6E9-553B-4A19-8696-335E5C896153} - C:\Program\Bonjour\mdnsNSP.dll
Browser Helper Objects
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}, Länkhjälp till Adobe PDF Reader, C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}, Java(tm) Plug-In SSV Helper, C:\Program\Java\jre6\bin\ssv.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9}, Java(tm) Plug-In 2 SSV Helper, C:\Program\Java\jre6\bin\jp2ssv.dll
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}, JQSIEStartDetectorImpl Class, C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
Registry Startups (1 whitelisted)
HKLM\..\Run, IgfxTray = C:\WINDOWS\system32\igfxtray.exe
HKLM\..\Run, HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
HKLM\..\Run, Adobe Reader Speed Launcher = "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
HKLM\..\Run, Logitech Hardware Abstraction Layer = KHALMNPR.EXE
HKLM\..\Run, SunJavaUpdateSched = "C:\Program\Java\jre6\bin\jusched.exe"
HKLM\..\Run, QuickTime Task = "C:\Program\QuickTime\QTTask.exe" -atboottime
HKLM\..\Run, AppleSyncNotifier = C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
HKLM\..\Run, iTunesHelper = "C:\Program\iTunes\iTunesHelper.exe"
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background
HKCU\..\Run, Sony Ericsson PC Suite = "C:\Program\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
HKCU\..\Run, uTorrent = "C:\Program\uTorrent\uTorrent.exe"
Autostart shortcuts
Logitech SetPoint.lnk, , C:\Program\Logitech\SetPoint\SetPoint.exe
Personal.lnk, Personal Signature and Authentication Client, C:\Program\Personal\bin\Personal.exe
Processes (17 whitelisted)
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program\Java\jre6\bin\jusched.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program\Logitech\SetPoint\SetPoint.exe
C:\Program\Personal\bin\Personal.exe
C:\Program\Delade filer\Logitech\KHAL\KHALMNPR.EXE
C:\Program\iPod\bin\iPodService.exe
C:\Program\FreeFixer\freefixer.exe
Application modules (53 whitelisted)
C:\Program\Logitech\SetPoint\lgscroll.dll
C:\WINDOWS\system32\MSVCR71.dll
C:\WINDOWS\system32\MSVCP71.dll
C:\WINDOWS\system32\ieframe.dll
C:\WINDOWS\system32\iertutil.dll
C:\WINDOWS\system32\Normaliz.dll
Services (36 whitelisted)
Apple Mobile Device, Apple Mobile Device, c:\program\delade filer\apple\mobile device support\bin\applemobiledeviceservice.exe
Bonjour Service, Bonjour-tjänst, c:\program\bonjour\mdnsresponder.exe
JavaQuickStarterService, Java Quick Starter, c:\program\java\jre6\bin\jqs.exe
Shell services (4 whitelisted)
WPDShServiceObj, {AAA288BA-9A4C-45B0-95D7-94D524869DB5}, C:\WINDOWS\system32\WPDShServiceObj.dll
Drivers (29 whitelisted)
mdmxsdk, , C:\WINDOWS\system32\drivers\mdmxsdk.sys
OMCI, OMCI, C:\WINDOWS\system32\drivers\omci.sys
PxHelp20, PxHelp20, C:\WINDOWS\system32\drivers\pxhelp20.sys
WudfPf, Windows Driver Foundation - User-mode Driver Framework Platform Driver, C:\WINDOWS\system32\drivers\wudfpf.sys
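For anyone comparing logs from the two versions, the following added example (not FreeFixer code and not part of the original post) parses the log layout shown above and lists, per section, the entries the newer log no longer shows. The sample text is a short excerpt of the two logs above, and the function names are hypothetical.

```python
import re

# Section header: letters and spaces, optionally followed by "(N whitelisted)".
HEADER = re.compile(r"^([A-Za-z ]+?)(?: \((\d+) whitelisted\))?$")

def parse_log(text):
    """Return {section: {"whitelisted": int, "items": [line, ...]}}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            current = sections.setdefault(
                m.group(1), {"whitelisted": int(m.group(2) or 0), "items": []})
        elif current is not None and "\\" in line:
            current["items"].append(line)  # item lines always name a path
    return sections  # title, URL and date lines match neither rule and are skipped

def hidden_since(old, new):
    """Per section, items in the old log that the new log no longer lists.
    Lines are compared case-insensitively, since Windows paths are."""
    out = {}
    for name, sec in old.items():
        shown = {i.lower() for i in new.get(name, {"items": []})["items"]}
        gone = [i for i in sec["items"] if i.lower() not in shown]
        if gone:
            out[name] = gone
    return out

def reduction(old, new):
    """Fraction by which the number of listed items shrank."""
    total = lambda log: sum(len(s["items"]) for s in log.values())
    return 1 - total(new) / total(old)

# Excerpts of the two logs above (same machine, v0.37 then v0.38).
LOG_037 = r"""FreeFixer v0.37 log
Browser Helper Objects
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}, Java(tm) Plug-In SSV Helper, C:\Program\Java\jre6\bin\ssv.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9}, Java(tm) Plug-In 2 SSV Helper, C:\Program\Java\jre6\bin\jp2ssv.dll
Registry Startups (1 whitelisted)
HKLM\..\Run, IgfxTray = C:\WINDOWS\system32\igfxtray.exe
HKCU\..\Run, uTorrent = "C:\Program\uTorrent\uTorrent.exe"
"""
LOG_038 = r"""FreeFixer v0.38 log
Browser Helper Objects (2 whitelisted)
{DBC80044-A445-435b-BC74-9C25C1C588A9}, Java(tm) Plug-In 2 SSV Helper, C:\Program\Java\jre6\bin\jp2ssv.dll
Registry Startups (9 whitelisted)
HKCU\..\Run, uTorrent = "C:\Program\uTorrent\uTorrent.exe"
"""

if __name__ == "__main__":
    print(hidden_since(parse_log(LOG_037), parse_log(LOG_038)))
```

Entries that remain in the newer log are the ones a helper still has to judge by hand; the dropped ones can be reviewed separately if a whitelisting decision is in doubt.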