FreeFixer is a general purpose removal tool which will help you to delete potentially unwanted software, such as adware, spyware, trojans, viruses and rootkits. FreeFixer works by scanning a large number of locations where unwanted software has a known record of appearing or leaving traces. The scan locations include the programs that run on your computer, the programs that start when you reboot your computer, your browser's plug-ins, your home page setting, etc.
FreeFixer does not know which files and settings are bad, so the scan result will contain items you want to keep and perhaps some that you want to remove. It's up to you to decide. Please be careful! If you delete a legitimate file you may damage your computer. To assist you when determining if anything should be removed you can find more information at FreeFixer's web site for each item in the scan result. You can for example see what other users chose to do in the same situation. You can also save a log file of your scan result and consult the volunteers in one of the FreeFixer helper forums.
FreeFixer is freeware and Windows 2000/XP/2003/2008/Vista/7 RC1 compatible. 64-bit Windows is not supported yet.
Please download FreeFixer from the official web site. Save the installer file somewhere on your hard drive. Double-click the installer file and follow the instructions to complete the installation.
When the installation has finished you can start FreeFixer by clicking Start » (All) Programs » FreeFixer » FreeFixer.
Press "Start Scan" to start FreeFixer's scan. During the scan you can click on the links to find detailed information about the type of item that FreeFixer is currently scanning.
Once the scan is finished FreeFixer will display the scan results for each category. The categories are Browser Helper Objects, Internet Explorer toolbars, processes, etc.
Your job is to decide if anything should be removed. This task is difficult if you don't have any previous experience with removing unwanted software. To assist you with this task you can click the "more info" links for each item in the scan result, which will open the FreeFixer web site with additional information about the item. You will for example see whether other users chose to keep or remove a particular item in the scan result. You can also help other users by saying whether you decided to keep or remove the item in the scan result. SHELL32.DLL and browseui.dll are two examples of what can appear when using the "more info" links.
Please keep in mind that removing a legitimate file may damage your computer, so if you are
unsure about some items in the scan result, it is probably better to keep them.
If you are a first time user you will probably find the "A typical case of spyware removal" document posted at the blog section useful. It serves as an example of how to identify and remove spyware using FreeFixer and some best practices on how to avoid removing legitimate files.
Even though the information on FreeFixer's web site offers some guidance on whether a file should be kept or removed, you may want to ask an experienced user about your scan result. There are volunteers on the FreeFixer Helper forums that help users to analyse FreeFixer log files. They will ask you to copy and paste your FreeFixer log into your first post on the forum. You can save a FreeFixer log by clicking the "Save log" button, then double-click the log file and copy the contents.
For each item that you want to remove or repair, check the box to the left of the item, then click the "Fix" button.
If you fix an item in the scan result FreeFixer will choose the most reasonable action for that item. For example, if you fix your homepage setting FreeFixer will restore it to the homepage set in a clean install of the Windows operating system. If you choose to fix an item from the process list, FreeFixer will first shut down the process and then remove the executable file. The removal details for each item type are documented under Scan locations further ahead in this manual.
Removing malware often involves dealing with files that are almost impossible to delete in normal Windows mode and Windows Safe Mode. For example, some malware files protect themselves by loading when the login screen appears or immediately after the user logs on. Once the user is logged on, the malware file is already running and cannot be deleted.
When FreeFixer is unable to delete files in normal Windows mode they are registered for delayed removal with FreeFixer's Native Deleter, which removes the files upon the next reboot. The actual delete operation is done before the logon screen appears. The vast majority of malware can be deleted at this point. This strong removal feature is where FreeFixer stands out among the anti-malware tools.
There are volunteers on the following forums that will help you to analyze FreeFixer's scan result:
I've set up a user group where you can post your log. Please read more on how to post your log at the FreeFixer Group.
SecurityWonks.net hosts a forum where a group of volunteers review FreeFixer logs. To post a log you must first register at the SecurityWonks forum. After the registration is complete, please follow SecurityWonks' instructions on how to post a log.
If you know of a forum that wants to help FreeFixer users, please contact me.
In order to reduce the number of items appearing in the scan result FreeFixer will not show critical system files that are installed as part of Windows. For example, no one wants to remove the legitimate explorer.exe or svchost.exe files, so they can safely be hidden from the scan result.
To further reduce the noise in the scan result, FreeFixer has also whitelisted files from some trusted software publishers, such as Apple Inc, Trend Micro Inc, Symantec Corporation, Kaspersky Labs, Microsoft, McAfee Inc and VMWare Inc. Files from the trusted vendors are called trusted files on this web site. The trusted files will appear in the scan result, but listed with a green background color and without the delete checkbox. Please note that the trusted files will not appear in the FreeFixer log file. This will make it easier for the people helping out at the FreeFixer helper forums, who often use the log file to manually identify the unwanted software.
To achieve the trusted file whitelisting, FreeFixer uses file signatures and the catalog files located on your system to check if a file is from one of the trusted publishers.
The following section will give detailed information about the types of items that FreeFixer examines in its scan, and explain what changes are made to your system if you choose to remove an item. These are the current scan locations:
A Browser Helper Object (BHO) is a plug-in for the Internet Explorer browser and Windows Explorer. Microsoft created the BHO concept to allow developers to add functionality in Internet Explorer. For example, Adobe's Acrobat Reader BHO allows users to read PDF files in Internet Explorer, Google Toolbar uses a BHO to see what web pages a user is currently visiting and shows a popularity ranking, etc.
Since the release of Internet Explorer 4.0, which introduced the BHO concept, there have been many incidents where BHOs install without users' consent. For example, adware BHOs such as "180 Search Assistant", "Internet Optimizer" and "The BullsEye Network" have been installed through security holes, without any notice to the user. These are BHOs that you might want to remove with FreeFixer.
When you choose to remove a BHO with FreeFixer
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%GUID%\"
and
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%GUID%\"
are removed from the registry, where %GUID% is the globally unique identifier for the BHO.
FreeFixer will also delete the file associated with the BHO.
Internet Explorer allows developers to extend the user interface with toolbars. The screenshot shows Internet Explorer with the Google Toolbar and the Zango Search Assistant toolbar.
Since third-party toolbars were introduced in Internet Explorer there have been many incidents where they install without users' consent. For example, adware toolbars such as "ZToolbar", "YourSiteBar" and "UCmore XP - The Search Accelerator" have been installed through security holes, without any notice to the user. These are toolbars that you might want to remove with FreeFixer.
The following registry values and keys will be removed from registry when using FreeFixer to delete a toolbar:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%GUID%\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\%GUID%
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Explorer\%GUID%
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\%GUID%
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\%GUID%
where %GUID% is the globally unique identifier for the toolbar.
The file associated with the toolbar will also be deleted.
Some programs are configured to start automatically when you log in at your computer. One way to have a program started automatically is to add a shortcut in the Startup Folder. A shortcut is a small file which points to another program, and a shortcut in the startup folder is called an "Autostart shortcut" since it is loaded automatically when you log in. The image shows a Startup folder, where there are three autostart shortcuts called "Digital Line Detect", "Logitech Desktop" and "Microsoft Office". These are legitimate programs which should not be removed, but some potentially unwanted programs such as "Virtual Bouncer" also add autostart shortcuts which you may want to remove with FreeFixer.
The autostart shortcuts are usually located in "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
and "C:\Documents and Settings\%USER%\Start Menu\Programs\Startup"
where %USER% is the name of the current user.
FreeFixer removes both the actual shortcut and the file which the shortcut points to.
A popular technique of getting a program to start automatically when a user logs in on a machine is to add the program's path at one of the following registry keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
A program listed at these locations is called a "Registry Startup" in FreeFixer's scan result. The image shows three legitimate programs that use this technique:
Potentially unwanted software often adds itself at these registry locations too. For example, "New.net", "Power Scan", "Surf Accuracy" and "Surf SideKick", which have been installed without users' consent, all add their path at the registry locations listed above in order to start when a user logs in.
If you choose to remove a registry startup, FreeFixer will remove the registry value at the registry location listed above and then delete the file associated with the registry startup.
The majority of the programs available for the Windows platform appear as a separate process when running on a computer. For example, explorer.exe and svchost.exe are legitimate processes that always appear on a Windows XP machine. Often potentially unwanted software also appears as a process on your computer. For example, "NaviSearch", "SurfAccuracy" and "RelevantKnowledge/MarketScore", which have been installed without users' consent, all appear as a process on the machine.
Some malware tries to hide its presence on infected machines by hiding processes from the Task Manager and any other program that enumerates running processes. Malware often implements the hiding by hooking the system calls that list processes. FreeFixer uses two methods of enumerating the running processes, one that uses a regular system call and another that is guaranteed to bypass any user-mode hook. FreeFixer then compares the results of these two calls to detect hidden processes. Please note that false positives can appear if a new process is started right between the two system calls.
"AfxRootkit 2005" and "Hacker Defender" are two user-mode rootkits that will be detected by FreeFixer's hidden process scan.
FreeFixer cannot detect processes hidden by a kernel-mode rootkit.
If you choose to remove one of the processes listed in the scan result, FreeFixer will first kill the process then delete the file.
The HOSTS file is used to translate a host name to an IP (Internet Protocol) address without querying the DNS (Domain Name System) server. The HOSTS file is often modified by malware to redirect users from legitimate sites to a server controlled by the malware author. Malware can also modify the HOSTS file to block users from visiting legitimate anti-spyware and anti-virus sites. An example is trendmicro.com, which is blocked by some malware.
FreeFixer knows about many anti-malware sites which have been blocked with the HOSTS file and uses this information to determine which redirects should appear in the scan log. These are the legitimate sites FreeFixer knows about:
If you choose to remove some items from the HOSTS file and it is read-only, FreeFixer will temporarily remove the write-protection.
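To show how a HOSTS file scan of this kind can be implemented, here is an added Python example (not FreeFixer's own code). It parses a constructed HOSTS file and reports protected anti-malware sites that are blocked (pointed at a loopback or null address) or redirected elsewhere; the list of protected sites is an assumption standing in for FreeFixer's own list, which the manual does not reproduce.

```python
"""Flag HOSTS file entries that block or redirect known anti-malware sites.

Added example, not FreeFixer's code. PROTECTED_SITES is an assumed stand-in
for FreeFixer's list (trendmicro.com is the one site the manual names); the
HOSTS content is constructed for the demonstration.
"""
import ipaddress

# Assumed list of legitimate sites worth protecting; extend as needed.
PROTECTED_SITES = {"trendmicro.com", "freefixer.com"}

# Mapping a site here makes it unreachable rather than redirecting it.
BLOCK_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample HOSTS file: the normal localhost line, a comment, a
# block of trendmicro.com (loopback), a redirect of www.freefixer.com to an
# outside address, and an unrelated entry that must not be reported.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com
127.0.0.1       trendmicro.com   # added by malware
203.0.113.5     www.freefixer.com
192.0.2.10      intranet.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs for every mapping line in a HOSTS file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, even trailing ones
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address: malformed line, skip it
        for name in names:
            yield ip, name.lower()


def _is_protected(hostname):
    """True if hostname is a protected site or any subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in PROTECTED_SITES)


def suspicious_entries(text):
    """Return (ip, hostname, kind) triples; kind is 'blocked' or 'redirected'."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" or not _is_protected(name):
            continue
        kind = "blocked" if ip in BLOCK_ADDRESSES else "redirected"
        findings.append((ip, name, kind))
    return findings


if __name__ == "__main__":
    for ip, name, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:10} {name} -> {ip}")
```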
FreeFixer will scan some of the system policies:
If this policy is enabled the user cannot start the Task Manager (taskmgr.exe). Malware sometimes adds this policy to make it harder to troubleshoot and remove the unwanted software. If this policy is enabled, you will see a message saying "Task Manager has been disabled by your administrator" when starting Task Manager.
If you choose to repair this policy, FreeFixer will set it to 0, which will allow you to use the Task Manager.
This policy disables the Windows registry editors, Regedt32.exe and Regedit.exe. Removing malware manually often requires these tools. If you choose to repair this policy, FreeFixer will set it to 0, which will allow you to use the registry tools again.
This policy is sometimes used by malware to prevent users from changing the background image. For example, Troj/Spywad-G sets the wallpaper policy to C:\WINDOWS\desktop.html, which displays a fake warning message.
A common practice used among trojan authors to disguise their files is to pick the same filename as a legitimate system file. For example,
svchost.exe - the Generic Host Process for Win32 Services - is located in 'C:\Windows\System32\' on
Windows XP. On a clean system multiple svchost.exe processes will appear in the Task Manager's process list, how many depends on how you
have configured your system. Some trojans also use svchost.exe as their filename, but put it in a different directory, often
'C:\Windows\'. Unfortunately, the trojan svchost.exe will probably go undetected when a user inspects the processes in Task Manager.
FreeFixer scans the system for files with the same name as a system file, but located in a directory where it should not
be present. For example, FreeFixer checks if there is a file named explorer.exe
in 'C:\Windows\System32\' and 'C:\'. If such a file exists you might want to examine it in more detail since the
legitimate explorer.exe should be located in 'C:\Windows\'.
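The same check, as an added Python example that is not FreeFixer's code: it takes the two placements the manual gives for Windows XP and a constructed list of scanned paths, and flags same-named files outside their expected directory. The comparison is case-insensitive, since on Windows 'C:\WINDOWS\System32\Explorer.exe' and 'C:\Windows\System32\explorer.exe' name the same file.

```python
"""Flag files that share a name with a Windows system file but live elsewhere.

Added example, not FreeFixer's code. EXPECTED_LOCATIONS holds the two
placements the manual gives for Windows XP; the scanned paths are constructed.
"""
from pathlib import PureWindowsPath

# Where the legitimate copy of each system file lives on Windows XP (from the
# manual). Add more entries to extend the check; lookups are case-insensitive.
EXPECTED_LOCATIONS = {
    "explorer.exe": r"C:\Windows",
    "svchost.exe": r"C:\Windows\System32",
}

# Constructed sample of paths as a file scanner might collect them, with the
# mixed case Windows itself produces.
SAMPLE_FILES = [
    r"C:\Windows\explorer.exe",               # legitimate
    r"C:\WINDOWS\System32\svchost.exe",       # legitimate, different case
    r"C:\Windows\svchost.exe",                # wrong directory
    r"C:\svchost.exe",                        # wrong directory (drive root)
    r"C:\Windows\System32\Explorer.exe",      # wrong directory
    r"C:\Program Files\Tool\helper.exe",      # not a system file name
]


def _norm(path):
    """Canonical lower-case form of a Windows path for comparison."""
    return str(PureWindowsPath(path)).lower()


def misplaced_system_files(paths, expected=EXPECTED_LOCATIONS):
    """Return (path, expected_dir) for each file whose name matches a system
    file in `expected` but whose directory is not the expected one."""
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        if name not in expected:
            continue
        if _norm(wp.parent) != _norm(expected[name]):
            findings.append((p, expected[name]))
    return findings


if __name__ == "__main__":
    for path, expected_dir in misplaced_system_files(SAMPLE_FILES):
        print(f"{path}  (legitimate copy belongs in {expected_dir})")
```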
The AppInit_DLLs registry value holds a list of dynamic link libraries (DLLs). Every time an application loads User32.dll the system will read the AppInit_DLLs value and load all DLLs specified. This is used by some firewalls and anti-virus products, but also by malware to load malicious code into practically every process on a machine. For example, some installations of the "SurfSideKick" adware use AppInit_DLLs to load a repair DLL that protects the adware from removal.
Normally the AppInit_DLLs registry value is empty, so if something appears in the scan you might want to examine the DLL in more detail. AppInit_DLLs is located under
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'.
NT-based systems prior to Windows Vista support Winlogon Notifications, which allow programs to receive and handle Winlogon events. For example, winlogon events occur when the computer is rebooted and shut down, when the screensaver starts and stops and when a user logs in and out. Windows itself registers components to receive winlogon events; however, it is also used by malware, such as the "Haxdoor" backdoor.
During the scan FreeFixer examines the modules loaded into the freefixer.exe process. Generally the modules appear with the .DLL extensions in the scan result. There should be approximately 57 modules loaded into FreeFixer on a machine running Windows XP Home Service Pack 2. The purpose of this scan is to reveal unwanted software. For example, many keyloggers will appear in the list of modules, since their .DLL is likely to be loaded into FreeFixer. Rudimentary rootkits can also reveal themselves in the module list.
Device drivers are used to interact with hardware attached to a computer. For example, drivers are used to interact with printers, video cards, network cards, etc. Some malware, such as Spyware.Apropos.C, install their own device driver on infected systems.
If you choose to remove a driver FreeFixer will
remove 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%ID%\',
where %ID% is the registry key identifier for the driver.
The associated .sys file will also be removed.
FreeFixer will scan many of the basic Internet Explorer settings:
The Start Page is the web site that loads when you start Internet Explorer. If you choose to
repair the start page settings FreeFixer will set it to
"http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=%IEVER%&ar=msnhome", where
%IEVER% is the version number of Internet Explorer.
If you choose to
repair the Search Page settings FreeFixer will set it to
'http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch', where
%IEVER% is the version number of Internet Explorer.
If you choose to
repair the Default_Page_URL settings FreeFixer will set it to
'http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=%IEVER%&ar=msnhome', where
%IEVER% is the version number of Internet Explorer.
If you choose to
repair the Default_Search_URL settings FreeFixer will set it to
'http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch'.
If you choose to
repair the CustomizeSearch settings FreeFixer will set it to
'http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm'.
If you choose to
repair the SearchAssistant settings FreeFixer will set it to
'http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm'.
If you are running Internet Explorer you have probably noticed that you can enter a domain name into the address bar, and it is prefixed with 'http://'. For example, if you type 'www.freefixer.com' Internet Explorer replaces it with 'http://www.freefixer.com/'. If you type 'ftp.sunet.se' it will be replaced by 'ftp://ftp.sunet.se/'.
There are 6 prefixes available by default, namely ftp, gopher, home, mosaic, www and the DefaultPrefix. These are defined under the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
If you choose to repair any of the prefixes, FreeFixer will restore the default value.
Windows 2000, Windows XP and Windows Vista use the KnownDlls registry entries when the system is locating a DLL. FreeFixer examines the registry entries under 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDlls' and will report any modifications from the default setup. Microsoft refers to the KnownDlls registry entries as a security feature which secures the system from someone deceptively replacing APIs by placing a rogue DLL in the application directory.
A Windows service is an application that runs in the background and usually starts before the login screen appears. Windows itself has many services, such as "Automatic Updates", which manages the download and installation of critical updates. Unfortunately there is also malware that runs as a service, such as Backdoor.Win32.Agent.alm.
When you choose to remove a service, FreeFixer will remove the service key under
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\"
and delete the associated service file.
The name server is responsible for the conversion from a domain name to an IP address. For example, when you type www.google.com into the web browser your name server converts it to 64.233.167.99, which is the IP address for Google's search engine. Some malware reconfigures the name server setting to a name server which the malware authors control, allowing them to send users to unwanted sites. For example, there is malware that changes the name servers to 85.255.115.29 and 85.255.112.140.
When you choose to remove a name server, FreeFixer will clear the NameServer registry value under
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%GUID%"
or
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters",
where %GUID% is the globally unique identifier for the network interface.
Namespace providers are services that associate addresses of a network protocol with human-friendly names. For example, on a Windows XP machine there are namespace providers installed for TCP/IP, NT Directory Service and Network Location Awareness. An example of a namespace provider is the NewDotNet software.
If you choose to remove a provider, FreeFixer uses the Winsock Service Provider Interface to uninstall it from the system.
Transport providers are services that implement functions that set up network connections, transfer network data, etc. Some transport providers are called Layered Service Providers (LSP) and can intercept and modify traffic from another transport provider. An example of a transport provider is the NewDotNet software.
If you choose to remove a provider, FreeFixer uses the Winsock Service Provider Interface to uninstall it from the system.
The UserInit setting specifies the programs that Winlogon runs when a user logs on. By default,
userinit.exe is started, which in turn runs Explorer.exe.
This setting is used by some malware, such as
ntos.exe (Trojan.Spy.Bancos.AAM).
If you choose to remove a file listed as a UserInit, the file name will be removed from
the UserInit registry value located under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon".
The actual file will also be deleted.
The SharedTaskScheduler registry settings specify a number of files that will
be loaded by Explorer.exe upon startup.
This setting is used by some malware, such as
cbnfa.dll (Trojan.Spambot.BXB).
If you choose to remove a Shared Scheduler
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler, %GUID%"
and
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%GUID%\"
will be removed from the registry, where %GUID% is the globally unique identifier for the shared scheduler.
The actual file will also be deleted.
The NtLoad registry setting specifies a number of executables that will be started when logging on to your machine. This registry value is used by some malware, such as Troj/Hasik-A.
If you choose to remove an NtLoad Startup FreeFixer will modify the "load" registry value under
"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows". The registry value
holds a comma separated list of files and the one you selected for removal will be deleted from the list.
The actual file will also be deleted from the disk.
The Shell Service registry setting specifies a number of dynamic link libraries that are loaded into the Windows Explorer process. This feature is used by legitimate components, such as the Network Connections System Tray component that, depending on your system settings, may appear in the system tray area. This registry setting is also used by malware such as Trojan.Win32.Agent.eld and Troj/Melko-A.
A Shell Service is identified by the following registry value:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, %NAME% = %GUID%".
where %NAME% is the name of the Shell Service and %GUID% is the globally unique identifier for the service.
If you choose to delete a Shell Service, the %NAME% registry value will be deleted.
The "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%GUID%\" registry key will also be deleted.
And finally, the actual file specified under
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%GUID%\InprocServer32\" is deleted from disk.
The BootExecute registry setting specifies a number of executables that are started during the Service Load Phase. At this time of the boot sequence the WIN32 subsystem has not been started, so the bootexecute programs cannot link regular DLLs such as kernel32.dll. Instead these programs use the NT Native API by linking to ntdll.dll. The BootExecute registry setting is used by legitimate programs such as FreeFixer's Native Deleter ffnd.exe and Microsoft's autochk.exe tool, but can also be used to launch a malware executable during reboot.
If you choose to remove a BootExecute the registry data and the associated file will be deleted.
The Windows XP Firewall keeps track of all applications that are allowed to accept inbound network connections. If an application is not on the list, it cannot accept incoming connections. Some malware, such as Win32.Qweasy.F, add themselves to the firewall's list of authorized applications to unblock the malware's network activity.
If you choose to remove an authorized application, it will be removed from
the XP Firewall's authorized application list, specified under
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%PROFILE%\AuthorizedApplications\List",
where %PROFILE% is DomainProfile or StandardProfile.
The actual file will also be deleted from disk.
Mozilla Firefox allows developers to extend the web browser by building extensions. There are
many excellent extensions, such as "FireFTP", "Google Pagerank Status" and "Web Developer", but unfortunately
some unwanted extensions have begun to appear. A Firefox extension is identified by
a file install.rdf, usually located under
"C:\Program Files\Mozilla Firefox\extensions"
or
"C:\Documents and Settings\%PROFILE%\Application Data\Mozilla\Firefox\Profiles\%FIREFOX_PROFILE%\extensions",
where %PROFILE% is your user name and %FIREFOX_PROFILE% is your Firefox profile
identifier. The .rdf file contains information about the extension and the developer.
If you choose to remove a Mozilla Firefox extension, FreeFixer will remove the extension's .rdf file. Once you restart Firefox, it will remove any remaining files that belong to the extension.
FreeFixer also scans the computer's fixed drives for the 30 most recently modified or created files. This scan is implemented by looking at each file's modified and created date, which you can see by right-clicking on a file in Windows Explorer and choosing Properties. Since the scan is likely to report a large number of legitimate files, the result is placed at the end of the log.
When logging in on a Windows machine the operating system will
by default start Windows Explorer. This
application, often called the Windows Shell, is responsible for showing the desktop icons, the Start Menu, the Taskbar, etc.
It is possible to disable or use another shell by modifying the Shell registry value located under:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" and
"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon".
By default, Shell is set to Explorer.exe.
Some malware will modify the Shell
value to make the malware program start each time a user logs in.
For example, here's a modified Shell value that will run a malware file named
spoolsv32.exe when a user logs in.
If you choose to repair any of the Shell settings, the Shell
registry value will be set to Explorer.exe.
FreeFixer version 0.48 introduced the definition file, which allows anyone to create lists of files which should be detected as malware. In its current state the definition file can only detect malware based on file locations. Future versions of FreeFixer will add more powerful detection techniques.
The FreeFixer log is a plain text report of the scan result. The log basically contains the same information as the scan result. The log will also display the FreeFixer version number, when the log was generated and what operating system you are running. At the end of the log is the history from previous runs of the FreeFixer program. The history tracks FreeFixer's file removals and direct modifications of the Windows registry.
The following is a FreeFixer log from an infected computer. The log shows many malware files such as winhelper.dll, msa.exe, c.exe, msxml71.dll, a.exe, exe[1].exe, SetupAdvancedVirusRemover[1].exe, dfghfghgfj[1].dll and wscsvc32.exe. There are only two legitimate files in the log - freefixer.exe and ffnd.exe - which belong to the FreeFixer program:
FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-10 14:42
Transport service providers (3 whitelisted)
{A25E7F7A-4049-450F-9789-AF876910F6A7} - C:\WINDOWS\system32\winhelper.dll
{6DBCA3F0-ACCF-4F0E-8998-F976BB4FA56D} - C:\WINDOWS\system32\winhelper.dll
Processes (19 whitelisted)
C:\WINDOWS\msa.exe
C:\Program Files\FreeFixer\freefixer.exe
Application modules (67 whitelisted)
C:\WINDOWS\system32\winhelper.dll
Recently created/modified files (7 whitelisted)
3 minutes, c:\WINDOWS\system32\ffnd.exe
5 minutes, c:\WINDOWS\msa.exe
5 minutes, c:\Documents and Settings\roger\Local Settings\Temp\c.exe
5 minutes, c:\WINDOWS\system32\msxml71.dll
5 minutes, c:\Documents and Settings\roger\Local Settings\Temp\a.exe
5 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\WEGR55JE\exe[1].exe
5 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\6CSRVCZ7\SetupAdvancedVirusRemover[1].exe
5 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\4HUF4TYN\dfghfghgfj[1].dll
5 minutes, c:\WINDOWS\system32\winhelper.dll
7 minutes, c:\Documents and Settings\roger\Local Settings\Temp\wscsvc32.exe
History
+HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system, DisableTaskMgr = 0
-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, winupdate.exe
-C:\WINDOWS\system32\winupdate.exe (on reboot)
-HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, wow64main.exe
-C:\DOCUME~1\roger\LOCALS~1\Temp\wow64main.exe (on reboot)
-HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, winhbt.exe
-C:\DOCUME~1\roger\LOCALS~1\Temp\winhbt.exe (on reboot)
-HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Advanced Virus Remover
-C:\Program Files\AdvancedVirusRemover\AVR.exe (on reboot)
-HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PopRock
-C:\DOCUME~1\roger\LOCALS~1\Temp\b.exe (on reboot)
End of FreeFixer log
The history shows that FreeFixer has been used to delete the following malware files during a previous run: winupdate.exe, wow64main.exe, winhbt.exe, AVR.exe and b.exe. Malware items under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the Windows registry and the setting that disables the Windows Task Manager have also been removed.
FreeFixer reads many configuration settings from the settings file. By default, it is located in C:\Documents and Settings\%USERNAME%\Application Data\FreeFixer\settings.txt where %USERNAME% is your user name. The settings file controls some of FreeFixer's behaviour. For example, adding the following line to the settings file will disable the scan for recently created or modified files:
plugins.recentfiles.enable=0
The following settings are supported:
| Setting | Description | Allowed values |
|---|---|---|
| logfile.files.md5 | If enabled, the MD5 hash will be displayed for each file in the FreeFixer log. | 0,1 |
| logfile.files.sha256 | If enabled, the SHA256 hash will be displayed for each file in the FreeFixer log. | 0,1 |
| plugins.bho.enable | Enable/disable the Browser Helper Objects scan. | 0,1 |
| plugins.toolbar.enable | Enable/disable the Internet Explorer toolbars scan. | 0,1 |
| plugins.regstartup.enable | Enable/disable the Registry Startups scan. | 0,1 |
| plugins.autostart.enable | Enable/disable the Autostart shortcuts scan. | 0,1 |
| plugins.process.enable | Enable/disable the Processes scan. | 0,1 |
| plugins.iesettings.enable | Enable/disable the Basic Internet Explorer settings scan. | 0,1 |
| plugins.policies.enable | Enable/disable the System policies scan. | 0,1 |
| plugins.filenaming.enable | Enable/disable the Suspicious filenames scan. | 0,1 |
| plugins.hostsfile.enable | Enable/disable the HOSTS file scan. | 0,1 |
| plugins.appmodules.enable | Enable/disable the Application modules scan. | 0,1 |
| plugins.hiddenprocess.enable | Enable/disable the Hidden processes scan. | 0,1 |
| plugins.appinitdlls.enable | Enable/disable the AppInit_DLLs scan. | 0,1 |
| plugins.winlogonnotify.enable | Enable/disable the Winlogon Notify scan. | 0,1 |
| plugins.knowndlls.enable | Enable/disable the KnownDlls scan. | 0,1 |
| plugins.drivers.enable | Enable/disable the Drivers scan. | 0,1 |
| plugins.services.enable | Enable/disable the Services scan. | 0,1 |
| plugins.tcpip.enable | Enable/disable the TCP/IP settings scan. | 0,1 |
| plugins.shellservice.enable | Enable/disable the Shell Services scan. | 0,1 |
| plugins.sharedscheduler.enable | Enable/disable the Shared Schedulers scan. | 0,1 |
| plugins.bootexecute.enable | Enable/disable the Boot executes scan. | 0,1 |
| plugins.userinit.enable | Enable/disable the UserInits scan. | 0,1 |
| plugins.tsp.enable | Enable/disable the Transport service providers scan. | 0,1 |
| plugins.nsp.enable | Enable/disable the Namespace service providers scan. | 0,1 |
| plugins.ntloads.enable | Enable/disable the NtLoad Startups scan. | 0,1 |
| plugins.xpfwauthapps.enable | Enable/disable the Windows XP Firewall Authorized Applications scan. | 0,1 |
| plugins.recentfiles.enable | Enable/disable the Recently created or modified files scan. | 0,1 |
| plugins.firefoxextension.enable | Enable/disable the Mozilla Firefox Extensions scan. | 0,1 |
| plugins.shellsettings.enable | Enable/disable the Shell settings scan. | 0,1 |
| plugins.thirdpartyfiles.enable | Enable/disable the Files flagged in the definition files scan. | 0,1 |
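A small validator for a settings.txt, added here as an example and not part of FreeFixer itself. It assumes the file is plain key=value lines as the plugins.recentfiles.enable=0 example shows, takes its known keys from the table above, and treats lines starting with '#' as comments (an assumption); it reports any line that would not take effect, such as a mistyped key or a value other than 0 or 1.

```python
import re

# Keys from the settings table on this page; each takes 0 or 1.
KNOWN_KEYS = {"logfile.files.md5", "logfile.files.sha256"} | {
    f"plugins.{name}.enable" for name in (
        "bho", "toolbar", "regstartup", "autostart", "process", "iesettings",
        "policies", "filenaming", "hostsfile", "appmodules", "hiddenprocess",
        "appinitdlls", "winlogonnotify", "knowndlls", "drivers", "services",
        "tcpip", "shellservice", "sharedscheduler", "bootexecute", "userinit",
        "tsp", "nsp", "ntloads", "xpfwauthapps", "recentfiles",
        "firefoxextension", "shellsettings", "thirdpartyfiles")}

LINE_RE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*?)$")

def parse_settings(text):
    """Return (settings, problems): settings maps key -> 0/1, problems lists
    lines that would not be honoured (unknown key, bad value, no '=')."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not a key=value line: {line!r}")
            continue
        key, value = m.groups()
        if key not in KNOWN_KEYS:
            problems.append(f"line {lineno}: unknown setting {key!r}")
        elif value not in ("0", "1"):
            problems.append(f"line {lineno}: {key} must be 0 or 1, got {value!r}")
        else:
            settings[key] = int(value)
    return settings, problems

def disabled_scans(settings):
    """Scan plugins the file switches off, i.e. plugins.<name>.enable=0."""
    return sorted(k.split(".")[1] for k, v in settings.items()
                  if k.startswith("plugins.") and v == 0)

# Constructed sample settings.txt: one valid disable, one valid hash option,
# a mistyped key (double dot) and a value that is not 0 or 1.
SAMPLE = """plugins.recentfiles.enable=0
logfile.files.sha256=1
plugins..knowndlls.enable=0
plugins.tcpip.enable=yes
"""
if __name__ == "__main__":
    parsed, issues = parse_settings(SAMPLE)
    print(parsed, disabled_scans(parsed), *issues, sep="\n")
```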
Sometimes FreeFixer runs into problems when scanning and removing files from the computer. The following chapter enumerates some of the most common error messages, explains why they occur and whether you should worry about them, and presents a work-around.
An error occurred when trying to open the file for reading. Filename:
'C:\DOCUME~1\Roger\LOKALA~1\Temp\31809828.exe'. Current Working Directory:C:\Program Files\FreeFixer\. System error message: The process cannot access the file because it is being used by another process.
This error occurs when another process has opened a file in exclusive mode, preventing FreeFixer from loading the file, calculating its checksums and extracting its version information. This does not mean that the file is malware, but you may want to examine it in more detail. (I've seen this problem appear on a system infected with Trojan-Downloader.Win32.Small.ecp.)
Did you know that you can find an overview of the most searched and most unwanted files in the FreeFixer Library?
FreeFixer is developed by Roger Karlsson. Logotype designed by Johanna Forsman.