21 April 2009

FreeFixer's scan result reduced by 70% by whitelisting trusted files

Screenshot: FreeFixer's scan result showing items from trusted software publishers, which appear with a green background.

As you probably already know, FreeFixer is a tool that helps you manually analyze and identify unwanted software on your system. Once you have identified the malware, you just mark it for deletion and FreeFixer will remove it for you. Since January 2009 I've been adding many new scan locations, which increases the chance of the malware appearing in the scan result. But at the same time the size of the log file has been growing, and I have to admit that it can be a time-consuming task to go through all the items and check whether each one should be considered safe or unwanted. Typically there are just one or two malware items in the scan result on an infected machine, and these may go undetected when dwarfed by a large number of legitimate items.

With version 0.38 of FreeFixer I introduced trusted files. These are files which have been signed by established and trusted software publishers, such as Microsoft, Apple, Adobe and Trend Micro. The trusted files appear with a green background color in the scan result, to signal that they are legitimate. Please note that the trusted files will not appear in the FreeFixer log file. This will make it easier for the people helping out at the FreeFixer helper forums, who often use the log file to identify the unwanted software.
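The rule described above, as an added PowerShell example that is not FreeFixer's own code: a file is marked trusted only when its Authenticode signature validates and the signing certificate's subject name is on a greenlist. It assumes FreeFixer matches on the certificate subject name (the publisher list in Roger's comment further down suggests this), takes a handful of publishers from that list, and uses constructed sample file paths that may not exist on your machine.

```powershell
# Added example (not FreeFixer's own code). Reproduces the "trusted file" rule:
# green = valid Authenticode signature AND signer CN on the greenlist.
# Matching on the certificate subject name is an assumption modeled on the
# publisher list in the comments; the greenlist below is a small subset of it.
$GreenlistedPublishers = @(
    'Microsoft Corporation',
    'Microsoft Windows',
    'Apple Inc.',
    'Sun Microsystems, Inc.',
    'Logitech'
)

function Get-SignerCommonName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # SimpleName with $false = subject CN only, without the O= / C= components
    return $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
}

function Test-TrustedFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Publisher = ''; Trusted = $false }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $publisher = ''
    if ($sig.SignerCertificate) { $publisher = Get-SignerCommonName $sig.SignerCertificate }
    # Status must be Valid: a tampered file (HashMismatch) or a certificate that does not
    # chain to a trusted root (UnknownError) stays in the log even if the name matches.
    $trusted = ($sig.Status -eq 'Valid') -and ($GreenlistedPublishers -contains $publisher)
    return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Publisher = $publisher; Trusted = $trusted }
}

# Constructed sample input in the shape of the "Processes" section of a FreeFixer log.
$sampleProcesses = @(
    'C:\WINDOWS\system32\hkcmd.exe',
    'C:\Program\Java\jre6\bin\jusched.exe',
    'C:\Program\uTorrent\uTorrent.exe'
)

$results = $sampleProcesses | ForEach-Object { Test-TrustedFile $_ }
# Green (hidden from the log file) vs. items that would still be listed for review.
$results | Format-Table Path, Status, Publisher, Trusted -AutoSize
$shown = @($results | Where-Object { -not $_.Trusted }).Count
"{0} of {1} items remain in the log after whitelisting" -f $shown, $results.Count
```

To try it on a real machine, replace the sample paths with the ones from the Processes or Registry Startups sections of your own log.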

The following two logs are from the same computer, and I'm happy to say that in this case the log size has been reduced by almost 70% when running FreeFixer v0.38:

FreeFixer v0.38 log

FreeFixer v0.38 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 3
Log dated 2009-04-20 10:55


Namespace service providers (3 whitelisted)
{B600E6E9-553B-4A19-8696-335E5C896153} - C:\Program\Bonjour\mdnsNSP.dll

Browser Helper Objects (2 whitelisted)
{DBC80044-A445-435b-BC74-9C25C1C588A9}, Java(tm) Plug-In 2 SSV Helper, C:\Program\Java\jre6\bin\jp2ssv.dll
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}, JQSIEStartDetectorImpl Class, C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

Registry Startups (9 whitelisted)
HKLM\..\Run, QuickTime Task = "C:\Program\QuickTime\QTTask.exe" -atboottime
HKCU\..\Run, Sony Ericsson PC Suite = "C:\Program\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
HKCU\..\Run, uTorrent = "C:\Program\uTorrent\uTorrent.exe"

Autostart shortcuts (1 whitelisted)
Logitech SetPoint.lnk, , C:\Program\Logitech\SetPoint\SetPoint.exe

Processes (26 whitelisted)
C:\Program\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program\Logitech\SetPoint\SetPoint.exe
C:\Program\FreeFixer\freefixer.exe

Application modules (56 whitelisted)
C:\Program\Logitech\SetPoint\lgscroll.dll
C:\WINDOWS\system32\MSVCR71.dll
C:\WINDOWS\system32\MSVCP71.dll

Drivers (32 whitelisted)
OMCI, OMCI, C:\WINDOWS\system32\drivers\omci.sys

FreeFixer v0.37 log

FreeFixer v0.37 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 3
Log dated 2009-04-20 10:57


Winlogon Notify (10 whitelisted)
igfxcui - C:\WINDOWS\system32\igfxsrvc.dll

Namespace service providers (3 whitelisted)
{B600E6E9-553B-4A19-8696-335E5C896153} - C:\Program\Bonjour\mdnsNSP.dll

Browser Helper Objects
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}, Länkhjälp till Adobe PDF Reader, C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}, Java(tm) Plug-In SSV Helper, C:\Program\Java\jre6\bin\ssv.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9}, Java(tm) Plug-In 2 SSV Helper, C:\Program\Java\jre6\bin\jp2ssv.dll
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}, JQSIEStartDetectorImpl Class, C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

Registry Startups (1 whitelisted)
HKLM\..\Run, IgfxTray = C:\WINDOWS\system32\igfxtray.exe
HKLM\..\Run, HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
HKLM\..\Run, Adobe Reader Speed Launcher = "C:\Program\Adobe\Reader 8.0\Reader\Reader_sl.exe"
HKLM\..\Run, Logitech Hardware Abstraction Layer = KHALMNPR.EXE
HKLM\..\Run, SunJavaUpdateSched = "C:\Program\Java\jre6\bin\jusched.exe"
HKLM\..\Run, QuickTime Task = "C:\Program\QuickTime\QTTask.exe" -atboottime
HKLM\..\Run, AppleSyncNotifier = C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
HKLM\..\Run, iTunesHelper = "C:\Program\iTunes\iTunesHelper.exe"
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background
HKCU\..\Run, Sony Ericsson PC Suite = "C:\Program\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
HKCU\..\Run, uTorrent = "C:\Program\uTorrent\uTorrent.exe"

Autostart shortcuts
Logitech SetPoint.lnk, , C:\Program\Logitech\SetPoint\SetPoint.exe
Personal.lnk, Personal Signature and Authentication Client, C:\Program\Personal\bin\Personal.exe

Processes (17 whitelisted)
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program\Java\jre6\bin\jusched.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program\Logitech\SetPoint\SetPoint.exe
C:\Program\Personal\bin\Personal.exe
C:\Program\Delade filer\Logitech\KHAL\KHALMNPR.EXE
C:\Program\iPod\bin\iPodService.exe
C:\Program\FreeFixer\freefixer.exe

Application modules (53 whitelisted)
C:\Program\Logitech\SetPoint\lgscroll.dll
C:\WINDOWS\system32\MSVCR71.dll
C:\WINDOWS\system32\MSVCP71.dll
C:\WINDOWS\system32\ieframe.dll
C:\WINDOWS\system32\iertutil.dll
C:\WINDOWS\system32\Normaliz.dll

Services (36 whitelisted)
Apple Mobile Device, Apple Mobile Device, c:\program\delade filer\apple\mobile device support\bin\applemobiledeviceservice.exe
Bonjour Service, Bonjour-tjänst, c:\program\bonjour\mdnsresponder.exe
JavaQuickStarterService, Java Quick Starter, c:\program\java\jre6\bin\jqs.exe

Shell services (4 whitelisted)
WPDShServiceObj, {AAA288BA-9A4C-45B0-95D7-94D524869DB5}, C:\WINDOWS\system32\WPDShServiceObj.dll

Drivers (29 whitelisted)
mdmxsdk, , C:\WINDOWS\system32\drivers\mdmxsdk.sys
OMCI, OMCI, C:\WINDOWS\system32\drivers\omci.sys
PxHelp20, PxHelp20, C:\WINDOWS\system32\drivers\pxhelp20.sys
WudfPf, Windows Driver Foundation - User-mode Driver Framework Platform Driver, C:\WINDOWS\system32\drivers\wudfpf.sys

Comments

firace writes

-1 thumb

Hi, how can I view and/or modify the list of trusted files?
Great program, by the way.

# 30 Sep 2013, 10:35

Roger Karlsson writes

1 thumb

@firace: At the moment there are no options to customize the greenlisted files in FreeFixer. I might add that in the future.

Currently, these are the greenlisted publishers:

"ALWIL Software",
"ASUSTeK Computer Inc.",
"AT&T Services, Inc.",
"ATI Technologies, Inc",
"AVAST Software",
"AVG Exploit Prevention Labs, Inc.",
"AVG Technologies",
"Acer Incorporated",
"Acresso Software Inc.",
"Acronis, Inc",
"Adobe Systems Incorporated",
"Adobe Systems, Incorporated",
"Agnitum Ltd.",
"Apple Computer, Inc.",
"Apple Inc.",
"Authentium, Inc.",
"Authentium, inc",
"Autodesk, Inc",
"Avira GmbH",
"BITDEFENDER LLC",
"BillP Studios",
"BitTorrent Inc",
"Blizzard Entertainment",
"Broadcom Corporation",
"BullGuard Ltd.",
"CA",
"CANON INC.",
"Canon Inc.",
"Check Point Software Technologies Ltd.",
"Cisco Systems, Inc.",
"Cisco-Linksys LLC",
"Citrix Online",
"Citrix Systems, Inc",
"Comodo CA Limited",
"Comodo Security Solutions",
"Comodo Security Solutions, Inc.",
"Computer Associates International",
"Corel Corporation",
"Creative Labs Inc",
"CyberLink",
"Dell Inc",
"Dell Inc.",
"Dell Incorporated",
"Doctor Web Ltd.",
"Dritek System Inc.",
"Duplex Secure Ltd",
"ESET, spol. s r.o.",
"Elaborate Bytes AG",
"Emsi Software GmbH",
"Even Balance, Inc.",
"F-Secure Corporation",
"GRISOFT, s.r.o.",
"Google Inc",
"Hewlett Packard",
"Hewlett-Packard",
"Hewlett-Packard Company",
"HiTRUST Inc.",
"Iconix, Inc.",
"InstallShield Software Corporation",
"Intel Corporation",
"Intervideo, Inc.",
"Kaspersky Lab",
"Lavasoft AB",
"Lavasoft Limited",
"Lenovo (Japan) Ltd.",
"Lenovo (United States) Inc.",
"Lenovo(Japan)Ltd.",
"Lexmark International, Inc.",
"LogMeIn, Inc.",
"Logitech",
"Logitech Inc",
"Macromedia, Inc.",
"Macrovision Corporation",
"Malwarebytes",
"Malwarebytes Corporation",
"Marvell Semiconductor",
"McAfee, Inc.",
"Microsoft Corporation",
"Microsoft Corporation MSN",
"Microsoft Windows",
"Microsoft Windows 2000 Publisher",
"Microsoft Windows Component Publisher",
"Microsoft Windows Hardware Compatibility Publisher",
"Microsoft Windows Publisher",
"Microsoft Windows XP Publisher",
"Motorola",
"Mozilla Corporation",
"MySQL AB",
"NVIDIA Corporation",
"National Instruments Corporation",
"Nero AG",
"Nitro PDF Software",
"Nokia",
"Norman ASA",
"O and O Software GmbH",
"Opera Software ASA",
"PC Tools",
"PC Tools Labs",
"PGP Corporation",
"Panda Security S.L",
"Panda Software International",
"Paragon Software GmbH",
"Paragon Technologie GmbH",
"Prevx",
"Raxco Software, Inc.",
"RealNetworks, Inc.",
"Realtek Semiconductor Corp",
"SUNBELT SOFTWARE DISTRIBUTION",
"Safer Networking Ltd.",
"SanDisk Corporation",
"Secunia",
"Skype Technologies SA",
"Sonic Solutions",
"Sony Corporation",
"Sony Ericsson Mobile Communications AB",
"Sophos Plc",
"Spotify AB",
"Spotify Ltd",
"Stardock Corporation",
"Sun Microsystems, Inc.",
"SuperAdBlocker.com",
"Sygate Technologies, Inc.",
"Symantec Corporation",
"Synaptics Incorporated",
"Sysinternals",
"TOSHIBA CORPORATION",
"TeamViewer GmbH",
"Technology Nexus AB",
"Trend Micro, Inc.",
"VMware, Inc.",
"Valve",
"Webroot Software, Inc.",
"WinZip Computing",
"Zone Labs, Inc",

# 1 Oct 2013, 2:02

firace writes

1 thumb

Thanks for the info! Keep up the good work.

# 2 Oct 2013, 1:44
