From Wikipedia, the free encyclopedia

Jump to: navigation, search
Developed by Innovative Marketing, Inc.
Operating system Microsoft Windows
Development status Shutdown by the United States Government
Type Scareware
License fraudulent activity
The screenshot of (when it was still operating)

WinFixer,WinAntiVirusPro, ErrorSafe, SystemDoctor, WinAntiSpyware, AVSystemCare, WinAntiSpy, Performance Optimizer, StorageProtector, PrivacyProtector, WinReanimator, DriveCleaner, WinspywareProtect, PCTurboPro, FreePCSecure, ErrorProtector, SysProtect, WinSoftware and ECsecure are a family of scareware rogue security programs developed by Winsoftware which claim to repair computer system problems on Microsoft Windows computers if a user purchases the full version of the software. The software is mainly installed without the user's consent.[1] McAfee claims that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections."[2] The program prompts the user to purchase a licensed copy of the program.[3]

The WinFixer web page (see the image) says it "is a useful utility to scan and fix any system, registry and hard drive errors. It ensures system stability and performance, frees wasted hard-drive space and recovers damaged Word, Excel, music and video files". However, these claims were never verified by any reputable source. In fact, most sources consider this program to actually reduce system stability and performance. The sites went defunct in December 2008 after actions taken by the Federal Trade Commission.


[edit] Installation methods

An example of a WinFixer pop-up dialog box within Opera. Even if the Cancel or Close buttons were clicked to dismiss the box, it would redirect to a WinAntiVirus page anyway, featuring a simulated system scan.

The WinFixer application is known to infect users using the Microsoft Windows operating system, and is browser independent. One infection method involves the Emcodec.E trojan, a fake codec scam. Another involves the use of the Vundo family of trojans.[4]

[edit] Typical infection

The infection usually occurs during a visit to a distributing web site using a web browser. A message appears in a dialog box or popup asking the user if they want to install WinFixer, or claiming a users machine is infected with malware, and requests the user to run a free scan. Download of the software may be triggered when a user attempts to exit the window by clicking 'Ok' or 'Cancel' or by clicking the corner 'X', it will trigger a pop-up window and WinFixer will download and install itself.

Initial message prior to infection - a user wishing to avoid infection might wish to disconnect from the Internet before closing the dialog box.

When the user chooses any of the options or tries to close this dialog (by clicking 'Ok' or 'Cancel' or by clicking the corner 'X'), it will trigger a pop-up window and WinFixer will download and install itself, regardless of the user’s wishes.

[edit] "Trial" offer

A free "trial" offer of this program is sometimes found in pop-ups. If the "trial" version is downloaded and installed, it will execute a "scan" of the local machine, and a couple of non existent Trojans and viruses will be located, but does nothing else. To obtain a quarantine or removal, WinFixer requires the purchase of the program. However, the alleged unwanted bugs are bogus, only serving to persuade the owner to buy the program.

[edit] WinFixer application

Once installed, WinFixer frequently launches pop-ups and prompts the user to follow its directions. Because of the intricate way in which the program installs itself into the host computer (including making dozens of registry edits), successful removal may take a fairly long time if done manually. When running, it can be found in the Task manager and stopped, but before long it will re-install and start up again.

WinFixer is also known to modify the Windows Registry, so that it launches automatically after reboot and scans the users computer.[5]

[edit] Firefox popup

The Mozilla Firefox browser is vulnerable to initial infection by WinFixer. Once installed, WinFixer is known to exploit the SessionSaver extension for the Firefox browser. The program causes popups on every startup asking the user to download WinFixer, by adding lines containing the word 'WinFixer' to the prefs.js file.

[edit] Avoiding infection

If the initial dialog box is shown, disconnecting from the Internet before closing it will stop WinFixer from downloading. Shutting down all browser windows using the Task Manager found in Windows 2000 and above also seems to be effective. Do not simply close the browser windows using the close button on the window, as WinFixer will still auto-download.

Because this is a dialog box related to the web browser, it does not appear in the Windows Task Manager list. However, the user may be able to avoid installing the program either by using the Alt+F4 command or by physically disconnecting from the Ethernet cable before closing the dialog box. The user could also stop infection by killing web browser process, though this will cause the user to lose all open windows/tabs at the expense of security.

Blocking its sites such as, or in your firewall will prevent the typical infecting download. However, there may be other means by which the program installs itself.

If a file download window appears, then simply clicking the "Cancel" or "No" button (depending on your browser[clarification needed]) on the file download window that appears can stop the software downloading.[citation needed] You must, however, remember not to click on the Close Window (x) button without first disabling JavaScript, since doing that is usually scripted to start the download instead.

Disconnecting your network connection is effective at stopping the file from downloading.

[edit] Removal

There are several respectable programs which may remove the WinFixer application. These include the McAfee VirusScan, Norton Antivirus, and Trend Micro family of products. Additionally, Symantec has published procedures for removing WinFixer manually. This is a manual process involving registry editing.[6] Additionally, Malwarebytes has created a free automated tool that will remove these infections.[7] Spybot - Search & Destroy[2] may also remove some forms of Winfixer.

[edit] Domain ownership

The company that makes WinFixer, Winsoftware Ltd., claims to be based in Liverpool, England (Stanley Street, postcode: 13088.) However, this address has been proven false.[8]

The domain WINFIXER.COM on the whois database shows it is owned by a void company in Ukraine and another in Warsaw, Poland.[9] According to Alexa Internet, the domain is owned by Innovative Marketing, Inc., 1876 Hutson St, Honduras.

According to the public key certificate provided by GTE CyberTrust Solutions, Inc., the server is operated by ErrorSafe Inc. at 1878 Hutson Street, Belize City, BZ.

Running traceroute on Winfixer domains shows that most of the domains are hosted from servers at, which uses Shaw Business Solutions AKA Bigpipe as their backbone.

[edit] Technical information

[edit] Technical

WinFixer is closely related to Aurora Network's Nail.exe hijacker/spyware program. In worst-case scenarios, it may embed itself in Internet Explorer and become part of the program, thus being nearly impossible to remove. The program is also closely related to the Vundo and Virtumonde trojans. [4][10]

[edit] Miscellaneous

[edit] Class action lawsuit

On September 29, 2006, a San Jose woman filed a lawsuit over WinFixer and related "fraudware" in Santa Clara County Superior Court, however, in 2007 the lawsuit was dropped. In the lawsuit, the plaintiffs charged that the WinFixer software "eventually rendered her computer's hard drive unusable. The program infecting her computer also ejected her CD-ROM drive and displayed Virus warnings." [11][12][13] KTVU (Channel 2 in Oakland, CA) carried a special report. [14]

[edit] Ads on Windows Live Messenger

On February 18, 2007, a blog called "Spyware Sucks" had reported that the popular instant messaging application Windows Live Messenger had inadvertently promoted WinFixer by displaying a WinFixer advertisement from one of Messenger's ad hosts. [15] A similar occurrence also was reported on some MSN Groups pages. There were other reports before this one (one from Patchou, the creator of Messenger Plus!), and people had contacted Microsoft about the incidents. Whitney Burk from Microsoft issued this problem in his official statement:

Microsoft was notified of malware that was being served through ads placed in Windows Live Messenger banners. As a result of this notification we immediately investigated the reports and removed the offending ads, as this is a violation of our ad serving policy. We can confirm that the ads are no longer being served by any Microsoft system. We apologize for the inconvenience and are reviewing our ad approval process to reduce the chance of an occurrence such as this happening again. To help customers protect their PCs from malware threats, Microsoft recommends customers follow our Protect your PC guidance at

—Whitney Burk, Microsoft

[edit] Federal Trade Commission

On December 2, 2008, the Federal Trade Commission requested and received a temporary restraining order against Innovative Marketing, Inc., ByteHosting Internet Services, LLC, and individuals Daniel Sundin, Sam Jain, Marc D’Souza, Kristy Ross, and James Reno, the creators of WinFixer and its sister products. The complaint alleges that the products' advertising, as well as the products themselves, violate United States consumer protection laws. As of December 2008, this motion has attempted to halt the companies operations, and so halt the distribution of WinFixer and similar products offered by the same companies.[16] However Innovative Marketing has flouted the court order and is currently being fined $8000 per day in civil contempt.[17]

[edit] References

[edit] External links

Personal tools