Are you struggling to figure out if a file listed in FreeFixer's File Database is malware or a legitimate file that you want to keep on your computer? Hopefully this guide will help you:
Let's look at firefox.exe, which is a legitimate file, and compare it to olhrwef.exe which is malware. These two files are great candidates for typical legitimate and malware behaviour:
firefox.exe was added to FreeFixer's database on 30 Mar 2009. The most recent search for this file was done on 30 Mar 2009. firefox.exe is located in the 'C:\Program Files\Mozilla Firefox\' folder and has a size of 307704 bytes.
So far there have been 2 searches for firefox.exe.
olhrwef.exe was added to FreeFixer's database on 13 Mar 2009. The most recent search for this file was done on 13 Mar 2009. olhrwef.exe is located in the 'C:\WINDOWS\system32\' folder and has a size of 106199 bytes.
So far there has been 1 search for olhrwef.exe.
The file name and folder information appear at the top of each file's entry in the file database. Legitimate software developers give their files meaningful names that users recognize, while many malware programs use names that look like a string of random letters. Malware uses this technique to avoid detection based on file names. Legitimate programs are in most cases installed under 'C:\Program Files\', while malware has a tendency to end up in the Windows system directory 'C:\WINDOWS\system32\'. Please keep in mind that nothing prevents a malware author from giving their files meaningful names, or even the same name as a legitimate file.
Now, let's have a look at the version information for firefox.exe and olhrwef.exe:
The following is the available information for firefox.exe:
| Property | Value |
|---|---|
| Product name | Firefox |
| Company name | Mozilla Corporation |
| File description | Firefox |
| Internal name | Firefox |
| Original filename | firefox.exe |
| Legal copyright | ©Firefox and Mozilla Developers, according to the MPL 1.1/GPL 2.0/LGPL 2.1 licenses, as applicable. |
| Legal trademark | Firefox is a Trademark of The Mozilla Foundation. |
| Product version | 3.0.8 |
| File version | 1.9.0.8 |

olhrwef.exe: This file does not have any version or vendor information.
The vast majority of legitimate software developers take the time to fill in the version and vendor data for each file in their product, which the developers of Firefox have done. Version information is missing for olhrwef.exe, which I would say is typical malware behaviour. But keep in mind that there is nothing that stops a malware author from adding version information that seems legitimate. Also keep in mind that there are a few cases where legitimate software is missing version information.
firefox.exe: This file has a valid digital signature.
| Property | Value |
|---|---|
| Signer name | Mozilla Corporation |
| Certificate issuer name | Thawte Code Signing CA |
| Certificate serial number | 1ee2bfb90ae659c80cb7ea4c606ff03e |

olhrwef.exe: This file is not signed.
The digital signature is a great tool for determining if a file is legitimate. Nowadays many of the big software publishers, such as Microsoft, Adobe and Google, sign their files. firefox.exe has a valid digital signature, which means that the firefox.exe file comes from the company or person listed as "Signer name", in this case the Mozilla Corporation. A valid digital signature also implies that no one has manipulated the file in any way since it was signed. The absence of a digital signature does not, however, imply that the file is malicious. Many small-scale software developers, like myself, do not yet sign their files.
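The three checks described above (folder, version information, digital signature) can be read from a file on your own Windows machine with built-in PowerShell cmdlets. This is an added example, not code from FreeFixer; the function name `Get-FileTriage` is hypothetical, and its output is a set of signals to weigh, not a verdict.

```powershell
# Added example. Get-FileTriage is a hypothetical helper name, not a FreeFixer tool.
function Get-FileTriage {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $ver  = $file.VersionInfo
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $cert = $sig.SignerCertificate

    # Folder signal: Program Files versus the Windows system directory.
    $dir   = $file.DirectoryName
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $progs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $ci    = [StringComparison]::OrdinalIgnoreCase
    $location = 'Other'
    if ($dir.StartsWith($sys32, $ci)) { $location = 'SystemDirectory' }
    elseif ($progs | Where-Object { $dir.StartsWith($_, $ci) }) { $location = 'ProgramFiles' }

    # Version signal: are vendor fields present, and does the on-disk name
    # match the name recorded in the version resource?
    $hasVersion = [bool]($ver.CompanyName -or $ver.ProductName -or $ver.FileDescription)
    $nameMatch  = $null
    if ($ver.OriginalFilename) { $nameMatch = ($ver.OriginalFilename -ieq $file.Name) }

    [pscustomobject]@{
        Path                = $file.FullName
        SizeBytes           = $file.Length
        Location            = $location
        HasVersionInfo      = $hasVersion
        CompanyName         = $ver.CompanyName
        ProductName         = $ver.ProductName
        OriginalFilename    = $ver.OriginalFilename
        NameMatchesOriginal = $nameMatch
        # Valid, NotSigned, HashMismatch (changed after signing), NotTrusted, ...
        SignatureStatus     = [string]$sig.Status
        SignerName          = if ($cert) { $cert.GetNameInfo('SimpleName', $false) }
        Issuer              = if ($cert) { $cert.GetNameInfo('SimpleName', $true) }
        SerialNumber        = if ($cert) { $cert.SerialNumber }
        # Hash for looking the file up in an online scanner without uploading it.
        SHA256              = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}

# Usage (the path is the example from this guide):
# Get-FileTriage 'C:\Program Files\Mozilla Firefox\firefox.exe' | Format-List
```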
Now you should have a pretty good idea if the file on your computer is legitimate or malware, but there is more you can do:
There are a few great free online services that will scan suspicious files. I highly recommend using these online scanners to further investigate the files on your computer. These scanners will run the file through a big number of anti-virus engines:
Well, now you have loads of information to determine if that file on your computer is malware or legitimate.
All other FreeFixer users and I would greatly appreciate it if you share your findings by posting comments or voting on the keep / remove polls for each file you investigate. Thank you!
I found your web site very informative and much easier to understand than other sites, it is also straightforward and to the point. Thanks, I WILL recommend it to others in need. Thanks again, Craig
# 26 May 2009, 4:07
Hi i need to download keenfinder.exe because every time i open my computer an error box appears saying keenfinder.exe not found. Please help me to fix this. Thanks
# 6 Jun 2009, 7:01
Thank you for the labor of love that you have invested in this very informative, clear and understandable site. You answered my need. I am very grateful.
I live only by the grace of GOD in His Beloved Son JESUS who came into the world to save sinners, even the worst. Praise be to HIM forever.
Jim Vermillion
# 5 Aug 2009, 11:54
THANKS for your helpful website! I'm not sure about a file named ld12 that just began appearing as an error as I was shutting down my pc yesterday, and again this a.m., after an Avast antivirus update was installed. The error made me wonder what this file (new to me) was for so searched Google and found your review. I deleted it and now hope it isn't one I may need somewhere. Does anyone have info on it, or suggestions of where else to look?
# 19 Aug 2009, 8:21
Thanx A trillion my PC ws actin up n i js dwnldd FF n im strting 2 remve tha shyza'z as u cn tell by my spellcheck-less message im a youngin and im gna halla 2 ma peepz bout this... cheers mate...1
# 19 Aug 2009, 15:12
Your website gets 5 *'s from me. I can actually understand what you're talking about. This is going on my favorites list. I would put it in my Google bookmarks, but for some reason my bookmarks and my form filler disappear every time I download the Google toolbar. I even made Google my homepage, but those two things are gone.
# 29 Aug 2009, 16:19
Hello folks and thanks to the person who brought that information to all of us. Here is my question. I am using Webroot Spy Sweeper for cleaning viruses and other harmful and suspicious files. So far I am so happy about the work of that small and not that famous anti-virus program. However, recently, I don't know how, but I caught an adware on my PC which pops up so many different advertisements which kill the speed of my PC. So when I ran the program it finds that adware, but when I put it in quarantine I still receive those pop-up advertisements. Hope you can give me some advice on which program will help me, because I have tried the famous anti-virus programs and I ended with the conclusion that there is no anti-virus program which can find all of the harmful files and viruses.
Thanks for your help and advice
# 29 Aug 2009, 16:43
Pchopat
try http://www.malwarebytes.org
hope this helps your situation.
# 29 Aug 2009, 17:57
Your wonderful site has now been bookmarked...wonderful clear information that actually answers my questions..Refreshing!! Thanks
# 1 Sep 2009, 5:06
seems pretty good so far i will test it further. also good is old macdonalds farm auto eater and spybot search and destroy both free programs ... the auto eater stops the malware from executing .. spybot is not good at removing all malware
# 7 Nov 2009, 18:16
I am having the error of MSVMCLS64.exe. What is this and why does it occur?
having problem.
thanks
# 10 Dec 2009, 2:41
is yahooservice.AU a virus? or will it Block me from going in my E-mail if I block access?
# 14 Dec 2009, 2:28
My virus software has told me that I have an infected file c:\windows/system32/sshnas.dll. I cannot find this file anywhere. Is it a legitimate file that is infected or a malware file?
# 20 Dec 2009, 14:45
I just happened to be cleaning out my Temp folder when I came across several files that I didn't recognize. This site provided information on the files in question in a way that was clear. I was able to feel comfortable with my decision to delete the files.
Thanks for providing this service.
# 18 Feb 2010, 12:14