User's Manual

FreeFixer is a general purpose removal tool which will help you to delete potentially unwanted software, such as adware, spyware, trojans, viruses and rootkits. FreeFixer works by scanning a large number of locations where unwanted software has a known record of appearing or leaving traces. The scan locations include the programs that run on your computer, the programs that starts when you reboot your computer, your browser's plug-ins, your home page setting, etc.

FreeFixer does not know which the bad files and settings are, so the scan result will contain items you want to keep and perhaps some that you want to remove. It's up to you to decide. Please be careful! If you delete a legitimate file you may damage your computer. To assist you when determining if anything should be removed you can find more information at FreeFixer's web site for each item in the scan result. You can for example see what other users chose to do in the same situation. You can also save log file of your scan result and consult the volunteers in one of the FreeFixer helper forums.

FreeFixer is freeware and Windows 2000/XP/2003 compatible.

Download and install

Please download FreeFixer from the official web site. Save the installer file somewhere on your hard drive. Double-click the installer file and follow the instructions to complete the installation.

Running FreeFixer

The image illustrates how to start FreeFixer from the Start menu. When the installation has finished you can start FreeFixer by clicking Start » (All) Programs » FreeFixer » FreeFixer. Press "Start Scan" to start FreeFixer's scan. During the scan you can click on the links to find detailed information about the type of item that FreeFixer currently is scanning.

Choosing what to remove

A screenshot of FreeFixer's scan result, showing the Browser Helper Objects installed on a machine. Once the scan is finished FreeFixer will display the scan results for each category. The categories are Browser Helper Objects, Internet Explorer toolbars, processes, etc. Your job is to decide if anything should be removed. This task is difficult if you don't have any previous experience with removing unwanted software. To assist you with this task you can click the "more info" links for each item in the scan result, which will open the FreeFixer web site with additional information about the item. You will for example see if other users chose to keep or remove a particular item in the scan result. You can also help other users by saying if you decided to keep or remove the item in the scan result. SHELL32.DLL and browseui.dll are two examples on what can appear when using the "more info" links. Please keep in mind that removing a legitimate file may damage your computer, so if you are unsure about some items in the scan result, it is probably better to keep them.

If you are a first time user you will probably find the "A typical case of spyware removal" document posted at the blog section useful. It serves as an example on how to identify and remove spyware using FreeFixer and some best practices on how to avoid removing legitimate files.

Even though the information on FreeFixer's web site offer some input if a file should be kept or removed you may want to ask an experienced user about your scan result. There are volunteers on the FreeFixer Helper forums that help users to analyse FreeFixer log files. They will ask you to copy and paste your FreeFixer log into your first post on the forum. You can save a FreeFixer log by clicking the "Save log" button, then double-click the log file and copy the contents.

For each item that you want to remove or repair, check the box to the left of the item, then click the "Fix" button.

What happens when fixing an item

If you fix an item in the scan result FreeFixer will choose the most reasonable action for that item. For example, if you fix your homepage setting FreeFixer will restore it to the homepage set in a clean install of the Windows operating system. If you choose to fix an item from the process list, FreeFixer will first shut down the process and then remove the executable file. The removal details for each item type is documented under Scan locations further ahead in this manual.

Screenshot of FreeFixer's Native Deleter removing malware files.

Removing malware often involves dealing with files that are almost impossible to delete in normal Windows mode and Windows Safe Mode. For example, some malware files protect themselves by loading when the login screen appear or immediately after the user logs on. Once the user is logged on, the malware file is already running and cannot be deleted.

When FreeFixer is unable to delete files in normal Windows mode they are registered for delayed removal with FreeFixer's Native Deleter, which removes the files upon the next reboot. The actual delete operation is done before the logon screen appear. The vast majority of malware can be deleted at this point. This strong removal feature is where FreeFixer stand out among the anti-malware tools.

FreeFixer Helper forums

There are volunteers on the following forums that will help you to analyze FreeFixer's scan result:

SecurityWonks.net forum

SecurityWonks.net hosts a forum where a group of volunteers review FreeFixer logs. To post a log you must first register at the SecurityWonks forum. After the registration is complete, please follow SecurityWonks instructions how to post a log.

If you know of a forum that want to help FreeFixer users, please contact me.

Whitelisting

In order to reduce the number of items appearing in the scan result FreeFixer will not show known Microsoft files. For example, no one wants to remove the legitimate explorer.exe or svchost.exe files, so they can safely be hidden from the scan result. To achieve this FreeFixer uses file signatures and catalog files located on your system to check if a file is a legitimate Microsoft file. Please note that there may be a few exceptions where some Microsoft files may appear in the scan result.

Scan locations

The following section will give detailed information about the types of items that FreeFixer examines in its scan, and explain what changes are made to your system if you choose to remove an item.

Browser Helper Object

A Browser Helper Object (BHO) is a plug-in for the Internet Explorer browser and Windows Explorer. Microsoft created the BHO concept to allow developers to add functionality in Internet Explorer. For example, Adobe's Acrobat Reader BHO allows users to read PDF files in Internet Explorer, Google Toolbar uses a BHO to see what web pages a user is currently visiting and shows a popularity ranking, etc.

Since the release of Internet Explorer 4.0 which introduced the BHO concept there has been many incidents where BHOs install without users' consent. For example, adware BHOs such as "180 Search Assistant", "Internet Optimizer" and "The BullsEye Network" have been installed through security holes, without any notice to the user. These are BHOs that you might want to remove with FreeFixer.

Removal details

When you choose to remove a BHO with FreeFixer "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%GUID%\" and "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%GUID%\" are removed from the registry, where %GUID% is the global unique identifier for the BHO. FreeFixer will also delete the file associated with the BHO.

Internet Explorer toolbars

The image shows Internet Explorer with the
Google and Zango Toolbar. Internet Explorer allows developer to extend the user interface with toolbars. The screenshot shows Internet Explorer with the Google Toolbar and the Zango Search Assistant toolbar.

Since third party toolbar was introduced in Internet Explorer there has been many incidents where they install without users' consent. For example, adware toolbars such as "ZToolbar", "YourSiteBar" and "UCmore XP - The Search Accelerator" have been installed through security holes, without any notice to the user. These are toolbars that you might want to remove with FreeFixer.

Removal details

The following registry values and keys will be removed from registry when using FreeFixer to delete a toolbar:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%GUID%\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\%GUID%
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Explorer\%GUID%
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\%GUID%
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\%GUID%

Where %GUID% is the global unique identifier for the toolbar. The file associated with the toolbar will also be deleted.

Autostart shortcut

The image illustrates the Startup folder, where there are three startup entries called
'Digital Line Detect', 'Logitech Desktop' and 'Microsoft Office'

Some programs are configured to start automatically when you log in at your computer. One approach to have it started automatically is to add a shortcut in the Startup Folder. A shortcut is a small file which points to another program and a shortcut in the startup folder is called an "Autostart shortcut" since it is loaded automatically when you log in. The image shows a Startup folder, where there are three autostart shortcuts called "Digital Line Detect", "Logitech Desktop" and "Microsoft Office". These are legitimate programs which should not be removed, but some potentially unwanted programs such as "Virtual Bouncer" also adds autostart shortcuts which you may want to remove with FreeFixer.

The autostart shortcuts are usually located in "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" and "C:\Documents and Settings\%USER%\Start Menu\Programs\Startup" where %USER% is the name of the current user.

Removal details

FreeFixer removes both the actual shortcut and the file which the shortcut points to.

Registry Startup

A popular technique of getting a program to start automatically when a user logs in on a machine is to add the program's path at one of the following registry keys:

%ROOTKEY%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%ROOTKEY%\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
%ROOTKEY%\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
%ROOTKEY%\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
%ROOTKEY%\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

$The image illustrates the registry editor showing the 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' location$ where %ROOTKEY% is "HKEY_LOCAL_MACHINE" or "HKEY_CURRENT_USER". A program listed at these locations is called a "Registry Startup" in FreeFixer's scan result. The image shows three legitimate programs that use this technique:

Potentially unwanted software often add themselves at these registry locations too. For example, "New.net", "Power Scan", "Surf Accuracy" and "Surf SideKick" which have been installed without users' consent all add their path at the registry locations listed above in order to start when a user logs in.

Removal details

If you choose to remove a registry startup, FreeFixer will first remove the registry value at the registry location listed above and the file associated with the registry startup.

Process

The majority of the programs available for the Windows platform appear as a separate process when running on a computer. For example, explorer.exe and svchost.exe are legitimate processes that always appear on a Windows XP machine. Often potentially unwanted software also appear as a process on your computer. For example, "NaviSearch", "SurfAccuracy" and "RelevantKnowledge/MarketScore", which have been installed without users' consent all appear as a process on the machine.

Hidden process

Some malware tries to hide their presence on infected machines by hiding processes from the Task Manager and any other program that enumerates running processes. Malware often implement the hiding by hooking the system calls that lists processes. FreeFixer will use two methods of enumerating the running processes, one that will use a regular system call and another that is guaranteed to bypass any user-mode hook. FreeFixer will then compare the results of these two system calls to detect the hidden processes. Please note that false positives can appear, if a new process is started right between the two system calls.

"AfxRootkit 2005" and "Hacker Defender" are two user-mode rootkits that will be detected by FreeFixer's hidden process scan.

FreeFixer cannot detect processes hidden by a kernel-mode rootkit.

Removal details

If you choose to remove one of the processes listed in the scan result, FreeFixer will first kill the process then delete the file.

HOSTS file

The HOSTS file is used to translate a host name to an IP (Internet Protocol) address without querying the DNS (Domain Name System) server. The HOSTS file is often modified by malware to redirect users from legitimate sites to a server controlled by the malware author. Malware can also modify the HOSTS file to block users from visiting legitimate anti-spyware and anti-virus sites.

Removal details

If you choose to remove some items from the HOSTS file and it is read-only, FreeFixer will temporarily remove the write-protection.

System policies

FreeFixer will scan some of the system policies:

DisableTaskMgr

If this policy is enabled the user cannot start the Task Manager (taskmgr.exe). Malware sometimes add this policy to make it harder to troubleshoot and remove the unwanted software. If this policy is enabled, you will see a message saying Task Manager has been disabled by your administrator, when starting Task Manager. If you choose to repair this policy, FreeFixer will set it to 0, which will allow you to use the Task Manager.

DisableRegistryTools

This policy disables the Windows registry editors, Regedt32.exe and Regedit.exe. Removing malware manually often require these tools. If you choose to repair this policy, FreeFixer will set it to 0, which will allow you to use the registry tools again.

Wallpaper

This policy is sometimes used by malware to prevent users from changing the background image. For example, Troj/Spywad-G sets the wallpaper policy to C:\WINDOWS\desktop.html, which displays a fake warning message.

Suspicious filename

A common practice used among trojan authors to disguise their files is to pick the same filename as a legitimate system file. For example, svchost.exe - the Generic Host Process for Win32 Services - is located in 'C:\Windows\System32\' on Windows XP. On a clean system multiple svchost.exe processes will appear in the Task Manager's process list, how many depends on how you have configured your system. Some trojans also use svchost.exe as their filename, but put it in a different directory, often 'C:\Windows\'. Unfortunately, the trojan svchost.exe will probably go undetected when a user inspects the processes in Task Manager.

FreeFixer scans the system for files with the same name as a system file, but located in a directory where it should not be present. For example, FreeFixer checks if there is a file named explorer.exe in 'C:\Windows\System32\'. If such a file exists you might want examine it more in detail since the legitimate explorer.exe should be located in 'C:\Windows\'.

AppInit_DLLs

The AppInit_DLLs registry value holds a list of dynamic link libraries (DLLs). Every time an application loads User32.dll the system will read the AppInit_DLLs value and load all DLLs specified. This is used by some firewalls, anti-virus products but also by malware to load the malicious code into practically every process on a machine. For example, some installations of the "SurfSideKick" adware uses AppInit_DLLs to load a repair DLL that protect the adware from removal.

Normally the AppInit_DLLs registry value is empty, so if something appear in the scan you might want examine the DLL more in detail. AppInit_DLLs is located under 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'.

Winlogon Notify

NT-based systems prior to Windows Vista supports Winlogon Notifications, which allows programs to receive and handle Winlogon events. For example, winlogon events occur when the computer is rebooted and shut down, when the screensaver starts and stops and when a user logs in and out. Windows itself register components to receive winlogon events, however it is also used by malware, such as the "Haxdoor" backdoor.

Application modules

During the scan FreeFixer examines the modules loaded into the freefixer.exe process. Generally the modules appear with the .DLL extensions in the scan result. There should be approximately 57 modules loaded into FreeFixer on a machine running Windows XP Home Service Pack 2. The purpose of this scan is to reveal unwanted software. For example, many keyloggers will appear in the list of modules, since their .DLL is likely to be loaded into FreeFixer. Rudimentary rootkits can also reveal themselves in the module list.

Drivers

Device drivers are used to interact with hardware attached to a computer. For example, drivers are used to interact with printers, video cards, network cards, etc. Some malware, such as Spyware.Apropos.C, install their own device driver on infected systems.

Removal details

If you choose to remove a driver FreeFixer will remove 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%ID%\', where %ID% is the the registry key identifier for the driver. The associated .sys file will also be removed.

Basic Internet Explorer settings

FreeFixer will scan many of the basic Internet Explorer settings:

Start Page

The Start Page is the web site that loads when you start Internet Explorer. If you choose to repair the start page settings FreeFixer will set it to "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=%IEVER%&ar=msnhome", where %IEVER% is the version number of Internet Explorer.

Search Page

If you choose to repair the Search Page settings FreeFixer will set it to 'http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch', where %IEVER% is the version number of Internet Explorer.

Default_Page_URL

If you choose to repair the Default_Page_URL settings FreeFixer will set it to 'http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=%IEVER%&ar=msnhome', where %IEVER% is the version number of Internet Explorer.

Default_Search_URL

If you choose to repair the Default_Page_URL settings FreeFixer will set it to 'http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch'.

CustomizeSearch

If you choose to repair the CustomizeSearch settings FreeFixer will set it to 'http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm'.

SearchAssistant

If you choose to repair the SearchAssistant settings FreeFixer will set it to 'http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm'.

URL prefixes

If you are running Internet Explorer you have propably noticed that you can enter a domain name into the address bar, and it is prefixed with 'http://'. For example, if you type 'www.freefixer.com' Internet Explorer replace it with 'http://www.freefixer.com/'. If you type 'ftp.sunet.se' it will be replace by 'ftp://ftp.sunet.se/'.

There are 6 prefixes available by default, namely the ftp, gopher, home, mosaic, www and the DefaultPrefix. These are defined under the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix

If you choose to repair any of the prefixes, FreeFixer will restore the default value.

KnownDlls

Windows 2000, Windows XP and Windows Vista uses the KnownDlls registry entries when the system is locating a DLL. FreeFixer examines the registry entries under 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDlls' and will report any modifications from the default setup. Microsoft refers to the KnownDlls registry entries as a security feature which secures the system from someone deceptively replacing APIs by placing a rogue DLL in the application directory.

Services

A Windows service is an application that runs in the background and usually starts before the login screen appear. Windows itself has many services, such as "Automatic Updates", which manages the download and installation of critical updates. Unfortunately there are also malware that run as services, such as Backdoor.Win32.Agent.alm.

Removal details

When you choose to remove a service, FreeFixer will remove the service key under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\" and delete the associated service file.

TCP/IP settings

NameServer

The name server is responsible for the conversion from a domain name to an IP addresses. For example, when you type www.google.com into the web browser your name server converts it to 64.233.167.99, which is the IP address for Google's search engine. Some malware reconfigures the nameserver setting to a nameserver which they control, allowing them to send users to unwanted sites. For example, there's a malware that change the nameservers to 85.255.115.29 and 85.255.112.140

Removal details

When you choose to remove a name server, FreeFixer will clear the NameServer registry value under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%GUID%" or "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", where %GUID% is the global unique identifier for the network interface.

Namespace service providers

Namespace providers are services that associate addresses of a network protocol with human-friendly names. For example, on a Windows XP machine there are namespace providers installed for TCP/IP, NT Directory Service and Network Location Awareness. An example of a namespace provider is the NewDotNet software.

Removal details

If you choose to remove a provider, FreeFixer uses the Winsock Service Provider Interface to uninstall it from the system.

Transport service providers

Transport providers are services that implements functions that set up network connections, transfer network data, etc. Some transport providers are called Layered Service Providers (LSP) and can intercept and modify traffic from another transport provider. An example of a transport provider is the NewDotNet software.

Removal details

If you choose to remove a provider, FreeFixer uses the Winsock Service Provider Interface to uninstall it from the system.

UserInit

The UserInit setting specifies the programs that Winlogon runs when a user logs on. By default, userinit.exe is started, which in turn runs Explorer.exe. This setting is used by some malware, such as ntos.exe (Trojan.Spy.Bancos.AAM).

Removal details

If you choose to remove a file listed as a UserInit, the file name will be removed from the UserInit registry value located under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon". The actual file will also be deleted.

Shared Schedulers

The SharedTaskScheduler registry settings specify a number of files that will be loaded by Explorer.exe upon startup. This setting is used by some malware, such as cbnfa.dll (Trojan.Spambot.BXB).

Removal details

If you choose to remove a Shared Scheduler "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler, %GUID%" and "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%GUID%\" will be removed from the registry, where %GUID% is the global unique identifier for the shared scheduler. The actual file will also be deleted.

Troubleshooting

Sometimes FreeFixer runs into problem when scanning and removing files from the computer. The following chapter will enumerate some of the most common error messages and explain why they occur, if you should worry about them and present a work-around.

The specified resource type cannot be found in the image file

Error getting translation table with 'VerQueryValue' for the file 'C:\Program\BullsEye Network\bin\bargains.exe'. System error message: The specified resource type cannot be found in the image file.

FreeFixer queries all files examined during the scan for their version information, which can be userful when determining if a file is wanted or unwanted. Version information can also be viewed with Windows Explorer for many file types by right-clicking the file, choosing Properties and then clicking the Version tab. Version information often includes a company name, a product name and a product version. The error message above can occur if FreeFixer runs into problems when getting a file's version information. This is not a severe error and you can safely ignore it.

The process cannot access the file because it is being used by another process

An error occurred when trying to open the file for reading. Filename: 'C:\DOCUME~1\Roger\LOKALA~1\Temp\31809828.exe'. Current Working Directory: C:\Program Files\FreeFixer\. System error message: The process cannot access the file because it is being used by another process.

This error will occur when another process has opened a file in an exclusive mode, preventing FreeFixer from loading the file and calculating checksums and extracting version information. This does not mean that file is malware, but you may want to examine it more in detail. (I've seen this problem appearing while on a system infected with Trojan-Downloader.Win32.Small.ecp.)

Additional information

Credits

FreeFixer is developed by Roger Karlsson. Logotype designed by Johanna Forsman.