WinFixer

Last updated
WinFixer
WinFixer 2005.svg
Winfixer.jpg
Screenshot of the WinFixer homepage
Type of site
 Scareware
Available inEnglish
Owner Innovative Marketing
CommercialNo
RegistrationNot required
Current statusShut down by the United States federal government
Content license
Not protected by copyright laws; see ex turpi causa non oritur actio

WinFixer [a] was a family of scareware rogue security programs developed by Winsoftware which claimed to repair computer system problems on Microsoft Windows computers if a user purchased the full version of the software. The software was mainly installed without the user's consent. [1] McAfee claimed that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." [2] The program prompted the user to purchase a paid copy of the program. [3]

Contents

The WinFixer web page (see the image) said it "is a useful utility to scan and fix any system, registry and hard drive errors. It ensures system stability and performance, frees wasted hard-drive space and recovers damaged Word, Excel, music and video files." However, these claims were never verified by any reputable source. In fact, most sources considered this program to actually reduce system stability and performance. The sites went defunct in December 2008 after actions taken by the Federal Trade Commission.

Installation methods

An example of a WinFixer pop-up dialog box within Opera. Even if the Cancel or Close buttons were clicked to dismiss the box, it would redirect to a WinAntiVirus page anyway, featuring a fake system scan. WinAntiVirus Pop-Up.png
An example of a WinFixer pop-up dialog box within Opera. Even if the Cancel or Close buttons were clicked to dismiss the box, it would redirect to a WinAntiVirus page anyway, featuring a fake system scan.

The WinFixer application was known to infect users using the Microsoft Windows operating system, and was browser independent. One infection method involved the Emcodec.E trojan, a fake codec scam. Another involves the use of the Vundo family of trojans. [4]

Typical infection

The infection usually occurred during a visit to a distributing website using a web browser. A message appeared in a dialog box or popup asking the user if they wanted to install WinFixer, or claimed a user's machine was infected with malware, and requested the user to run a free scan. When the user chose any of the options or tried to close this dialog (by clicking 'OK' or 'Cancel' or by clicking the corner 'X'), it would trigger a pop-up window and WinFixer would download and install itself, regardless of the user's wishes.

Initial message prior to infection - a user wishing to avoid infection might wish to disconnect from the Internet before closing the dialog box. Winfixer-message.png
Initial message prior to infection - a user wishing to avoid infection might wish to disconnect from the Internet before closing the dialog box.

"Trial" offer

A free "trial" offer of this program was sometimes found in pop-ups. If the "trial" version was downloaded and installed, it would execute a "scan" of the local machine and a couple of non-existent trojans and viruses would be "discovered", but no further action would be undertaken by the program. To obtain a quarantine or removal, WinFixer required the purchase of the program. [5] However, the alleged unwanted bugs were bogus, only serving to persuade the owner to buy the program.

WinFixer application

Once installed, WinFixer frequently launched pop-ups and prompted the user to follow its directions. Because of the intricate way in which the program installed itself into the host computer (including making dozens of registry edits), successful removal would have taken a fairly long time if done manually. When running, its process could be found in the task manager and be stopped, but would automatically relaunch itself after a period of time.

WinFixer was also known to modify the Windows Registry so that it started up automatically with every reboot, and scanned the user's computer. [6]

Firefox popup

The Mozilla Firefox browser was vulnerable to initial infection by WinFixer. Once installed, WinFixer was known to exploit the SessionSaver extension for the Firefox browser. The program caused popups on every startup asking the user to download WinFixer, by adding lines containing the word 'WinFixer' to the prefs.js file.

Removal

Removal of WinFixer proved difficult because it actively undid whatever the user attempted. Frequently, procedures that worked on one system would not work on another because there were a large number of variants. Some sites provided manual techniques to remove infections that automated cleanup tools could not remove. [7]

Domain ownership

The company that made WinFixer, Winsoftware Ltd., claimed to be based in Liverpool, England (Stanley Street, postcode: 13088.) However, this address was proven to be false. [8]

The domain WINFIXER.COM on the whois database showed it was owned by a void company in Ukraine and another in Warsaw, Poland. [9] According to Alexa Internet, the domain was owned by Innovative Marketing, Inc., 1876 Hutson St, Honduras.

According to the public key certificate provided by GTE CyberTrust Solutions, Inc., the server secure.errorsafe.com was operated by ErrorSafe Inc. at 1878 Hutson Street, Belize City, BZ.

Running traceroute on Winfixer domains showed that most of the domains were hosted from servers at setupahost.net, which used Shaw Business Solutions AKA Bigpipe as their backbone.

Technical information

Technical

WinFixer was closely related to Aurora Network's Nail.exe hijacker/spyware program. In worst-case scenarios, it would embed itself in Internet Explorer and become part of the program, thus being nearly impossible to remove. The program was also closely related to the Vundo trojan. [4] [10]

Variants

Windows Police Pro

Windows Police Pro was a variant of WinFixer. [11] David Wood wrote in Microsoft TechNet that in March 2009, the Microsoft Malware Protection Center saw ASC Antivirus, the virus' first version. Microsoft did not detect any changes to the virus until the end of July that year when a second variant, Windows Antivirus Pro, appeared. Although multiple new virus versions have since appeared, the virus has been renamed only once, to Windows Police Pro. Microsoft added the virus to its Malicious Software Removal Tool in October 2009. [12]

The virus generated numerous persistent popups and messages displaying false scan reports intended to convince users that their computers were infected with various forms of malware that do not exist. When users attempted to close the popup message, they received confirmation dialog boxes that switched the "Purchase full version" and "Continue evaluating" buttons. [12] Windows Police Pro generated a counterfeit Windows Security Center that warned users about the fake malware. [13]

Bleeping Computer and the syndicated "Propeller Heads" column recommended using Malwarebytes' Anti-Malware to remove Windows Police Pro permanently. [12] [14] Microsoft TechNet and Softpedia recommended using Microsoft's Malicious Software Removal Tool to get rid of the malware. [12] [15]

Effects on the public

Class action lawsuit

On September 29, 2006, a San Jose woman filed a lawsuit over WinFixer and related "fraudware" in Santa Clara County Superior Court; however, in 2007 the lawsuit was dropped. In the lawsuit, the plaintiffs charged that the WinFixer software "eventually rendered her computer's hard drive unusable. The program infecting her computer also ejected her CD-ROM drive and displayed Virus warnings." [16] [17] [18]

Ads on Windows Live Messenger

On February 18, 2007, a blog called "Spyware Sucks" reported that the popular instant messaging application Windows Live Messenger had inadvertently promoted WinFixer by displaying a WinFixer advertisement from one of Messenger's ad hosts. [19] A similar occurrence was also reported on some MSN Groups pages. There were other reports before this one (one from Patchou, the creator of Messenger Plus!), and people had contacted Microsoft about the incidents. Whitney Burk from Microsoft issued this problem in his official statement:

Microsoft was notified of malware that was being served through ads placed in Windows Live Messenger banners. As a result of this notification we immediately investigated the reports and removed the offending ads, as this is a violation of our ad serving policy. We can confirm that the ads are no longer being served by any Microsoft system. We apologize for the inconvenience and are reviewing our ad approval process to reduce the chance of an occurrence such as this happening again. To help customers protect their PCs from malware threats, Microsoft recommends customers follow our Protect your PC guidance at www.microsoft.com/protect.

Whitney Burk, Microsoft

Federal Trade Commission

On December 2, 2008, the Federal Trade Commission requested and received a temporary restraining order against Innovative Marketing, Inc., ByteHosting Internet Services, LLC, and individuals Daniel Sundin, Sam Jain, Marc D’Souza, Kristy Ross, and James Reno, the creators of WinFixer and its sister products. The complaint alleged that the products' advertising, as well as the products themselves, violated United States consumer protection laws. [20] However, Innovative Marketing flouted the court order and was fined $8,000 per day in civil contempt. [21]

On September 24, 2012, Kristy Ross was fined $163 million by the Federal Trade Commission for her part in this. [22] [23] The article goes on to say that the WinFixer family of software was simply a con but does not acknowledge that it was in fact a program that made many computers unusable.

Notes

  1. Also known under various other names, including AVSystemCare, DriveCleaner, ECsecure, ErrorProtector, ErrorSafe, FreePCSecure, Home Antivirus 20xx, PCTurboPro, Performance Optimizer, Personal Antivirus, PrivacyProtector, StorageProtector, SysProtect, SystemDoctor, VirusDoctor, WinAntiSpy, WinAntiSpyware, WinAntiVirusPro, Windows Police Pro, WinReanimator, WinSoftware, WinspywareProtect, XPAntivirus and Your PC Protector.

Related Research Articles

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

Spyware is any malware that aims to gather information about a person or organization and send it to another entity in a way that harms the user by violating their privacy, endangering their device's security, or other means. This behavior may be present in other malware and in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected.

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

<span class="mw-page-title-main">Antivirus software</span> Computer software to defend against malicious computer viruses

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

<span class="mw-page-title-main">Spybot – Search & Destroy</span> Spyware removal software

Spybot – Search & Destroy (S&D) is a spyware and adware removal computer program compatible with Microsoft Windows. Dating back to the first Adwares in 2000, Spybot scans the computer hard disk and/or RAM for malicious software.

<span class="mw-page-title-main">Scareware</span> Malware designed to elicit fear, shock, or anxiety

Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software. Scareware is part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it. Usually the virus is fictional and the software is non-functional or malware itself. According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008. In the first half of 2009, the APWG identified a 585% increase in scareware programs.

Norton AntiVirus is an anti-virus or anti-malware software product founded by Peter Norton, developed and distributed by Symantec since 1990 as part of its Norton family of computer security products. It uses signatures and heuristics to identify viruses. Other features included in it are e-mail spam filtering and phishing protection.

Browser hijacking is a form of unwanted software that modifies a web browser's settings without a user's permission, to inject unwanted advertising into the user's browser. A browser hijacker may replace the existing home page, error page, or search engine with its own. These are generally used to force hits to a particular website, increasing its advertising revenue.

A registry cleaner is a class of utility software designed for the Microsoft Windows operating system, whose purpose is to remove redundant items from the Windows Registry.

The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

<span class="mw-page-title-main">Security and Maintenance</span> Microsoft Windows software

Security and Maintenance is a component of the Windows NT family of operating systems that monitors the security and maintenance status of the computer. Its monitoring criteria includes optimal operation of antivirus software, personal firewall, as well as the working status of Backup and Restore, Network Access Protection (NAP), User Account Control (UAC), Windows Error Reporting (WER), and Windows Update. It notifies the user of any problem with the monitored criteria, such as when an antivirus program is not up-to-date or is offline.

<span class="mw-page-title-main">SpySheriff</span> Spyware

SpySheriff is a malware that disguises itself as anti-spyware software. It attempts to mislead the user with false security alerts, threatening them into buying the program. Like other rogue antiviruses, after producing a list of false threats, it prompts the user to pay to remove them. The software is particularly difficult to remove, since it nests its components in System Restore folders, and also blocks some system management tools. However, SpySheriff can be removed by an experienced user, antivirus software, or by using a rescue disk.

<span class="mw-page-title-main">Kaspersky Anti-Virus</span> Antivirus solution

Kaspersky Anti-Virus is a proprietary antivirus program developed by Kaspersky Lab. It is designed to protect users from malware and is primarily designed for computers running Microsoft Windows and macOS, although a version for Linux is available for business consumers.

<span class="mw-page-title-main">PC Tools (company)</span> Australian software company

PC Tools was a software company founded in 2003 and acquired by Symantec in 2008; the new owner eventually discontinued the PC Tools name. Company headquarters were in Australia, with offices in Luxembourg, the United States, United Kingdom, Ireland, and Ukraine. The company had previously developed and distributed security and optimization software for the Mac OS X and Microsoft Windows platforms.

The Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in mid-2006.

MonaRonaDona is a browser hijacker that uses unique tactics through popups or alert messages stating that you are infected with a virus. It uses this message to send users on a hunt for a MonaRonaDona remedy only to run into other malicious websites.

<span class="mw-page-title-main">Microsoft Security Essentials</span> Discontinued antivirus product for Microsoft Windows

Microsoft Security Essentials (MSE) is a discontinued antivirus software (AV) product that provides protection against different types of malicious software, such as computer viruses, spyware, rootkits, and Trojan horses. Prior to version 4.5, MSE ran on Windows XP, Windows Vista, and Windows 7, but not on Windows 8 and later versions, which have built-in AV components known as Windows Defender. MSE 4.5 and later versions do not run on Windows XP. The license agreement allows home users and small businesses to install and use the product free of charge.

MS Antivirus is a scareware rogue anti-virus which purports to remove virus infections found on a computer running Microsoft Windows. It attempts to scam the user into purchasing a "full version" of the software. The company and the individuals behind Bakasoftware operated under other different 'company' names, including Innovagest2000, Innovative Marketing Ukraine, Pandora Software, LocusSoftware, etc.

WiperSoft is an anti-spyware program developed by Wiper Software. It is designed to help users protect their computers from such threats as adware, browser hijackers, worms, potentially unwanted programs (PUPs), trojans, and viruses. Currently available only for Microsoft Windows.

References

  1. "Winfixer". F-secure.com. Retrieved 2014-08-14.
  2. "Computer Virus Attacks, Information, News, Security, Detection and Removal | McAfee". Us.mcafee.com. Retrieved 2014-08-14.
  3. "WinFixer". Symantec. Archived from the original on March 24, 2008. Retrieved 2014-08-14.
  4. 1 2 "How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo". Bleepingcomputer.com. Retrieved 2014-08-14.
  5. Vincentas (July 6, 2013). "WinFixer in SpyWareLoop.com". Spyware Loop. Retrieved 2013-07-28.
  6. "WinFixer 2005, WinFixer 2006". www.stopbadware.org. Archived from the original on November 18, 2007.
  7. "WinFixer Virus Manual Removal - Vundo Variant". 2006.
  8. ""winfixer" virus "winsoftware" crime rin". Archived from the original on 2007-07-09.
  9. "DNS tools - Manage Monitor Analyze - DNSstuff". www.dnsstuff.com.
  10. "Vundo". Archived from the original on September 30, 2007. Retrieved February 26, 2006.
  11. Long, Daniel (2009-10-02). "Fake Antivirus: 5 software titles you should definitely NOT install". PC & Tech Authority. nextmedia. Archived from the original on 2009-10-04. Retrieved 2014-12-02.
  12. 1 2 3 4 Wood, David (2009-10-13). "Scanti-ly Clad - Another Rogue Stripped by MSRT". Microsoft TechNet. Archived from the original on 2013-01-06. Retrieved 2014-11-13.
  13. Abrams, Lawrence (2009-09-01). "Remove Windows Police Pro (Removal Guide)". Bleeping Computer. Archived from the original on 2009-09-03. Retrieved 2014-11-15.
  14. "Getting rid of malware". Coeur d'Alene Press . Propeller Heads. 2009-10-11. Retrieved 2014-11-11.
  15. Oiaga, Marius (2009-10-15). "Windows Antivirus Pro Tackled by the Microsoft Malicious Software Removal Tool". Softpedia. Archived from the original on 2014-11-11. Retrieved 2014-11-11.
  16. Jeremy Kirk (March 8, 2007). "Lawyer sleuths out mystery around 'Winfixer'". Computerworld. Retrieved 2014-08-14.
  17. "Malware victim tries in vain to punish its source - San Jose Mercury News". Mercurynews.com. 23 March 2008. Retrieved 2014-08-14.
  18. "Lawsuit Filed Against Winfixer (a/k/a ErrorSafe, WinAntiSpyware, WinAntiVirus, SystemDoctor and DriveCleaner)". The Internet Patrol. 9 March 2007. Retrieved 2014-08-14.
  19. "WARNING: Winfixer and Errorsafe being distributed via MSN Messenger banner advertisements - Spyware Sucks". msmvps.com. Archived from the original on July 5, 2008.
  20. "Court Halts Bogus Computer Scans". Federal Trade Commission (United States). December 10, 2008. Retrieved 2008-12-11.
  21. "Accused Scareware mongers held in contempt of court". The Register (United Kingdom). December 24, 2008. Retrieved 2008-12-24.
  22. Ionescu, Daniel (October 3, 2012). "Scareware con artist fined $163 million by FTC". techhive.com. Retrieved 2012-10-03.
  23. "Winfixer Opinion" (PDF). US Federal Trade Commission. September 24, 2012. Retrieved 2012-10-03.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.