Feedback
Skip to content

Why donate?

Donations this week

$7 - Евгений Тавенок

Which type of operating system are you running?



▼ ads
Advertise on FreeFixer.com
Advertise on FreeFixer.com
Advertise on FreeFixer.com
31 March 2009

Malware or legitimate?

Are you struggling to figure out if a file listed in FreeFixer's File Database is malware or a legitimate file that you want to keep on your computer? Hopefully this guide will help you:

Comparing two files, side by side

Let's look at firefox.exe, which is a legitimate file, and compare it to olhrwef.exe which is malware. These two files are great candidates for typical legitimate and malware behaviour:

firefox.exe

firefox.exe was added to FreeFixer's database on the 30 Mar 2009. The most recent search for this file was done on 30 Mar 2009. firefox.exe is located in the 'C:\Program Files\Mozilla Firefox\' folder and has a size of 307704 bytes.

So far there has been 2 searches for firefox.exe.

olhrwef.exe

olhrwef.exe was added to FreeFixer's database on the 13 Mar 2009. The most recent search for this file was done on 13 Mar 2009. olhrwef.exe is located in the 'C:\WINDOWS\system32\' folder and has a size of 106199 bytes.

So far there has been 1 search for olhrwef.exe.

File names and folder information is what appears on top for each file in the file database. Legitimate software developers give their files meaningful names that users recognize, while many malware programs use names that seems to be a number of randomized letters. Malware use this technique to avoid detection based on filenames. Legitimate programs are in most cases installed under 'C:\Program Files\', while malware has a tendency to end up in the Windows system directory 'C:\WINDOWS\system32\'. Please keep in might that there is nothing that prevent a malware author from giving their files meaningful names, or even the same name as another legitimate file.

Now, let's have a look at the version information for firefox.exe and olhrwef.exe:

Vendor and version information

The following is the available information for firefox.exe:

PropertyValue
Product nameFirefox
Company nameMozilla Corporation
File descriptionFirefox
Internal nameFirefox
Original filenamefirefox.exe
Legal copyright©Firefox and Mozilla Developers, according to the MPL 1.1/GPL 2.0/LGPL 2.1 licenses, as applicable.
Legal trademarkFirefox is a Trademark of The Mozilla Foundation.
Product version3.0.8
File version1.9.0.8

Vendor and version information

This file does not have any version or vendor information.

The vast majority of legitimate software developers take the time to fill in the version and vendor data for each file in their product, which the developers of Firefox have done. Version information is missing for olhrwef.exe, which I would say is typical malware behaviour. But keep in mind that there is nothing that stops a malware author from adding version information that seems legitimate. Also keep in mind that there are a few cases where legitimate software is missing version information.

Digital signatures

This file has a valid digital signature.

PropertyValue
Signer nameMozilla Corporation
Certificate issuer nameThawte Code Signing CA
Certificate serial number1ee2bfb90ae659c80cb7ea4c606ff03e

Digital signatures

This file is not signed.

The digital signature is a great tool for determining if a file is legitimate. Nowadays many of the big software publishers, such as Microsoft, Adobe and Google are signing their files. firefox.exe has a valid digital signature, which means that firefox.exe files comes from the company/person listed as "Signer name", in this case the Mozilla Corporation. A valid digital signature also implies that no one has manipulated the file in any way. The absence of a digital signature does however not imply that the file is malicious. Many small scale software developers, like myself, does not yet sign files.

Now you should have a pretty good idea if the file on your computer is legitimate of malware, but there is more you can do:

Using the online virus scanners

There are a few great free online services that will scan suspicious files. I highly recommend using these online scanners to further investigate the files on your computer. These scanners will run the file through a big number of anti-virus engines:

Well, now you have loads of information to determine if that file on your computer is malware or legitimate. Me and all other FreeFixer users would greatly appreciate if you share your findings by posting comments or voting on the thumb up icon keep / thumb down icon remove polls for each file you investigate. Thank you!

Comments

Craig Barbre writes

19 thumbs

I found your web site very informative and much easier to understand than other sites,it is also straight forward and to the point. thanks I WILL recommend it to others in need. thanks again Craig

# 26 May 2009, 4:07

Roger Karlsson writes

5 thumbs

@Craig Thank you!

# 27 May 2009, 2:12

Lance writes

-2 thumbs

Hi i need to download keenfinder.exe because every time i open my computer an error box appears saying keenfinder.exe not found. Please help me to fix this. Thanks

# 6 Jun 2009, 7:01

stacie writes

6 thumbs

Thank this was very helpful.

# 18 Jun 2009, 21:58

Roger Karlsson writes

2 thumbs

@Lance: Keenfinder.exe is a program that redirects you to keenfinder.com if you type in a search in the browser's address bar. Keenfinder is sometimes referred to as Adware.Onestep.

More information on Keenfinder.exe is available here:

http://www.freefixer.com/library/file/30422/

# 1 Jul 2009, 1:21

Jim Vermillion writes

1 thumb

Thank you for the labor of love that you have invested in this very informative, clear and understandable site. You answered my need. I am very grateful.

I live only by the grace of GOD in His Beloved Son JESUS who came into the world to save sinners, even tjhe worst. Praise be to HIM forever.

Jim Vermillion

# 5 Aug 2009, 11:54

Helen Long writes

3 thumbs

THANKS for your helpful website! I'm not sure about a file named ld12 that just began appearing as an error as I was shutting down my pc yesterday, and again this a.m., after an Avast antivirus update was installed. The error made me wonder what this file (new to me) was for so searched Google and found your review. I deleted it and now hope it isn't one I may need somewhere. Does anyone have info on it, or suggestions of where else to look?

# 19 Aug 2009, 8:21

Chiku writes

Show comment -6 thumbs

Holly Stallings writes

3 thumbs

Your website gets 5 *'s from me. I can actually understand what your talking about. This is going on my favorites list. I would put it in my google bookmarks, but for some reason my booksmarks and my form filler disappear everytime I download the google toolbar. I even made google my homepage, but those two things are gone.

# 29 Aug 2009, 16:19

Pchopat writes

2 thumbs

Hello folks and thanks to the person who brought that information to all of us. Here is my question. I am using Webroot spy sweeper for cleaning viruses and other harmful n suspicous files. So far i am so happy about the work of that small and not that famous anti-viruses program. However recently i don't know how but i catch on my pc an adware which pops up so many different advertisments which kill the speed of my pc. So when i ran the program it finds that adware but when i put in quaranteen i still receive those pops up advertisments. Hope you can give me some advices which program will it help me because i have tried the famous anti-viruses programs and i end with the conclusion that there is no any anti-viruses program which can find all of the harmful files and viruses.

Thanks for you help and advices

# 29 Aug 2009, 16:43

manawizard writes

2 thumbs

Pchopat

try http://www.malwarebytes.org

hope this helps your situation.

# 29 Aug 2009, 17:57

Shawinds writes

1 thumb

Your wonderful site has now been bookmarked...wonderful clear information that actually answers my questions..Refreshing!! Thanks

# 1 Sep 2009, 5:06

Roger Karlsson writes

1 thumb

@Pchopat: You can also give FreeFixer a try. It scans many locations where unwanted software has a known record of appearing or leaving traces. More info here:

http://www.freefixer.com/

# 1 Sep 2009, 9:38

Åsa Möller writes

-2 thumbs

En bra sida och jag hoppas att jag har fått hjälp.

# 19 Oct 2009, 8:35

jim writes

2 thumbs

seems pretty good so far i will test it further. also good is old macdonalds farm auto eater and spybot search and destroy both free programs ... the auto eater stops the malware from executing .. spybot is not good at removing all malware

# 7 Nov 2009, 18:16

Mahesh writes

0 thumbs

i am having the error of MSVMCLS64.exe what is this and why do it occur?

having problem.

thanks

# 10 Dec 2009, 2:41

Roger Karlsson writes

0 thumbs

@Mahesh: msvmcls64.exe looks like malware to me. What does the error message say? Please post here:

http://www.freefixer.com/library/file/46046/

# 10 Dec 2009, 3:07

Jonas writes

-2 thumbs

is yahooservice.AU a virus? or will it Block me from going in my E-mail if I block access?

# 14 Dec 2009, 2:28

Jackson writes

0 thumbs

My virus software has told me that I have an infected file c:\windows/system32/sshnas.dll. I cannot find this file anywhere. Is it a legitimate file that is infected or a malware file?

# 20 Dec 2009, 14:45

Roger Karlsson writes

1 thumb

@jackson: sshnas.dll is a malware file. You can find more info about it here:
http://www.freefixer.com/library/file/45164/

# 20 Dec 2009, 19:37

Brian Van Hoose writes

1 thumb

I just happened to be cleaning out my Temp folder when I came across several files that I didn't recognize. This site provided information on the files in question in a way that was clear. I was able to feel comfortable with my decision to delete the files.

Thanks for providing this service.

# 18 Feb 2010, 12:14

Scott Lamb writes

1 thumb

I appreciate your page on legetimate vs malware, and I did learn a few things, but I am still stuck with the same question-to remove sfc_os.dll or not. My Mcafee calls it possibly unwanted- possible password stealer. but the last time I removed a dll file, I killed my C drive. FREAKIN'OUT!

# 22 Mar 2010, 15:03

Roger Karlsson writes

0 thumbs

@Scott: If McAfee is reporting sfc_os.dll as malware, it's probably right. But in rare cases there can be false positives (legitimate files being reported as malware) so it's always a good idea to upload it to one of the multi-scanner sites such as http://www.virustotal.com and get a scan report there.

# 23 Mar 2010, 2:09

Scott Lamb writes

1 thumb

To Roger Karlsson, thank you very much for your reply. I will give that a try. I really appreciate it. Thanks.

# 23 Mar 2010, 17:27

audrey v. writes

-2 thumbs

I get a Fatal Execusion Engine Error (Ox7927f26e)as soon as I turn my comp. on. How do I get rid of this?

# 27 Mar 2010, 13:05

Scott Lamb writes

0 thumbs

To Roger Karlsson, hi, I took your advice and uploaded 2 suspect files to virus total, and I recieved the following 1)W32/Patched.F!tr and 2)Disabled system File Check DLL. I don't know what they mean, but I don't think it sounds very good. Any ideas- Please. Thanks.

# 29 Mar 2010, 13:10

Roger Karlsson writes

0 thumbs

@Scott: Please post the links to the scan results at virustotal.com and I'll have a look at it.

# 30 Mar 2010, 5:29

Scott Lamb writes

0 thumbs

To Roger Karlsson: I don't mean to waist your time with stupid questions, but I recieved an email with the results from virus total, I don't know what you mean by the links?
Sorry, but thanks.(I'm not very computer-savvy).

# 31 Mar 2010, 8:28

jerry writes

0 thumbs

thanks for a great friendly site. i just got 'Security Tool' virus in my machine and believe me it is a very unwelcome visitor and extremely difficult to get rid of.

# 7 Apr 2010, 6:04

Dan writes

0 thumbs

I'm getting a Missing library file notice for "cryptscruntime.dll" every time I boot my Win7 machine. This file was deleted by my CalmWin antivirus since it was flagged as a threat. Any ideas?

# 7 Apr 2010, 6:32

Jenny writes

0 thumbs

I keep getting a warning message that tells me that ie3sh application has stopped working, what is this?

# 9 Apr 2010, 8:12

Richard Sweet writes

0 thumbs

Hi Roger, I am wrestling with a virus problem at the moment and just found your site. It looks like a breath of fresh air to me - straightforward and accessible to us non-techies.
Will report how I get on! Rick

# 9 Apr 2010, 19:44

Monaco writes

1 thumb

ROGER !!! You are a GOD SEND !! This is the best site I have come across in regard to viruses,ad/spyware,and detailed PC trouble shooting. You are AMAZING !! You explain the info so concisely and clearly that even a Caveman can do it !!! Ha Ha!!
Thank you for all your hard work in keeping this site available. I will be donating in the future....( need to wait for next paycheck...)
With Much Appreciation,
MARY*

PS: I am sending this site to all my friends!!

# 2 May 2010, 10:59

Chung writes

-1 thumb

Thank you very much!

# 9 May 2010, 9:22

Cuong writes

1 thumb

It's very useful. Thank you very much!

# 28 Jun 2010, 3:03

Vikas writes

1 thumb

when i start my pc, a text-box appear inwhich it is written that DLL run as an app,windows has some problems with it. Plz, tell me about this problem.Another problem is that my pc does not eject the pendrive. when i tried to eject the pen drive, it always said that it is used by another program

# 14 Jan 2011, 7:41

holveck writes

0 thumbs

bonjour j'ai un disfonctionnement dans windows microsoft
il me marque OUCore.exe windows a trouvé un problème mais ne me donne pas de réponse pour le réparer merci pour votre aide je ne suis pas une spécialiste en informatique

# 6 Feb 2011, 3:56

Margie writes

1 thumb

Hey, Free Fixer, where do I send my donation? Your website is awesome. Thanks and keep up the great work.

# 20 Mar 2011, 9:08

Brandi Johnston writes

1 thumb

thank you verymuch for ALL your info, it was so very helpful, easy to read & understand. I will definately tell everyone!

# 21 May 2011, 14:50

Robb writes

0 thumbs

Great Site! Thanks! Now, can you tell me what happened to Post-it Pal?

# 20 Sep 2011, 3:32

Carlos writes

0 thumbs

Congratulations on such an interesting website. My apologies in advance for my total ignorance on the issue of adware, malware, spyware and all those critters planted on the web. The answers offered here seem a bit ambiguous to the point that leaves me with the enormous question of what to do. Scott's case is the same I have: sfc_os.dll. The last time I ventured to delete files suggested by a review of Hijack Emsisoft cost me to reinstall the operating system and some days not dedicate to my work..

If you could be so kind and tell me exactly what I do based on the VirusTotal report here the link:

http://www.virustotal.com/file-scan/report.html?id=d55f4984bd5c619fa1af495f03577d60029968aec56b94ae185722262a0cc8de-1316840198

For the attention you kindly give to my request, I am very grateful

# 23 Sep 2011, 23:16

Roger Karlsson writes

2 thumbs

@Carlos: Sounds like sfc_os.dll has been patched to allow modifications of other system files. Please try Microsoft's System File Checker tool. It verifies the integrity of your system files and if it finds any modified system files it will ask you to replaced them with a clean copy from your installation media.

You can start the system file checker by
1. Windows button + R
2. Type in "sfc /scannow" without the quotes. Press Enter.

Did that solve the problem?

# 3 Oct 2011, 2:14

chris writes

0 thumbs

I agree with the fact that this is very understandable haven't tried any suggestions yet will let you know

# 11 Oct 2011, 8:26

Michelle writes

0 thumbs

Hello Roger,

I have registry errors on my mother's laptop that I am trying to correct. My sister told me of a legitimate virus protection site to download a free trial, Kaspersky, but while downloading their virus scanning system, I received this message: 9798428.exe - Unable To Locate Component This application has failed to start, because FLTLIB.DLL was not found. Re-installing the application may fix this problem. Please help I borrowed my mother's computer and would like to fix this for her. I need help as I have spent almost 1-week trying to fix this issue. One omitted registry or defect sends me from one place to another, and I have absolutely NO idea, if these sites are legitimate! I believed this computer got these registry errors that have corrupted the harddrive when the old Norton protection expired, and these problems will not let me download any protection. And Firefox keeps sending me messages that it keeps crashing. Can you help me fix this re-installation problem, so that I can download protection. I've gone to microsoft downloads, but things can get complex. I have found www.DLL-files.com, but when I tried to download I rcv'd a message of its legitimacy. I sincerely NEED to fix this to help run my business, until I receive my own computer.

Sincerely,
Need Sleep (Help!)

# 4 Feb 2012, 23:42

Roger Karlsson writes

0 thumbs

@Michelle: FLTLIB.DLL is a system file that comes with Windows. For some reason it seems to be missing on your mother's computer. Generally I think it is a bad idea to download missing DLLs from other parties than Microsoft, since it is difficult to known if you get a legitimate file and that you get the correct version of the DLL for your operating system.

Instead I recommend you to try Microsoft's System File Checker tool. It verifies the integrity of your system files and if it finds any modified or missing system files it will ask you to replaced them with a clean copy from your installation media.

You can start the system file checker by
1. Windows button + R
2. Type in "sfc /scannow" without the quotes. Press Enter.

You can also start the Microsoft System File Checker from FreeFixer from the Tools tab.

Did that solve the problem of the missing FLTLIB.DLL file?

# 7 Feb 2012, 23:28

christina montuori writes

0 thumbs

Hej Roger,
Jag har inte kollat min pc (malware!)med "freefixer.com" annu. Men jag har STORA forhoppningar, att jag kan fixa pc fran att "boot" upp sa langsamt!
To be continued!

# 1 Apr 2012, 12:47

raymond writes

0 thumbs

i have a 64bit dell running vista .. my flash player crashed and i can't find a compatable one to replace it .. any ideas?

# 30 Apr 2012, 15:37

Ben writes

0 thumbs

It was easy to understand, as I am about as unknowledgeable about this type of thing as a cat!
I ran it, but I never did find anything about the "LxrAutorun" that appeared on my PC....however I'll keep trying.
I am thankful for people as yourself who care about others and try to help. Ben

# 6 Oct 2012, 11:29

Paul Graham writes

0 thumbs

HI: I have been researching this DTUPDATE.EXE and so far nobody knows anything? Thats pretty amazing? So, I guess I'll try AVG as my firewall alert window asks me to confirm it but only because its not in my list of safe networks? Well if you can't help with that, maybe you can try telling me, why do I "Frequently get a popup window to download I.E.8, when in my list of software programs I am using I.E.8? Why is I.E. server always telling me I'm not running it already? NOW, that really is weird. Thank you and I hope you'll help.

# 10 Oct 2012, 14:43

Roger Karlsson writes

0 thumbs

@Paul: I've posted some info on the DTUPDATE.EXE file here:
http://www.freefixer.com/library/file/80076/#comment4389

Hope this answered your questions about DTUPDATE.EXE.

Regarding Internet Explorer 8.0 and the pop-up, I found the following support thread over at Microsoft where a user got the same problem:

http://answers.microsoft.com/en-us/ie/forum/ie8-windows_other/internet-explorer-8-popup/f7507a62-a33b-4835-bab6-62d53e4b3d8a

Did the steps outlined there solved the pop-up problem?

# 11 Oct 2012, 4:28

Hans F. Milo writes

2 thumbs

Windows File Protection wants the Windows Professional CD. This is a used computer that was not accompanied by any CDs. I'm trying to follow your suggestion to run sfc /scannow, but I cannot exit the program and I do not have any CDs to give it. I have to unplug the computer to get out of it. All because I downloaded Firefox. I got the DATAMN~I.EXE after I left the computer on overnight, the first time after getting Firefox. I always leave it on...

# 24 Oct 2012, 9:46

STEVE A. writes

-1 thumb

THANKS FOR THE INFO ON THE FILE YOUR SCANNERS WERE VERY HELPFULL IN MAKING ME FEEL BETTER THAT THIS FILE WASN'T MALWARE. AGAIN THINK YOU.

# 23 Jan 2013, 0:47

Leave a reply