WinFixer

WinFixer (also known under various other names including: WinAntiVirusPro, ErrorSafe, SystemDoctor, WinAntiSpyware, AVSystemCare, WinAntiSpy, Windows Police Pro, Performance Optimizer, StorageProtector, PrivacyProtector, WinReanimator, DriveCleaner, WinspywareProtect, PCTurboPro, FreePCSecure, ErrorProtector, SysProtect, WinSoftware, XPAntivirus, Personal Antivirus, Home Antivirus 20xx, VirusDoctor, Your PC Protector, and ECsecure) is a family of scareware rogue security programs developed by Winsoftware which claim to repair computer system problems on Microsoft Windows computers if a user purchases the full version of the software. The software is mainly installed without the user's consent. McAfee claims that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." The program prompts the user to purchase a paid copy of the program.

The WinFixer web page (see the image) says it "is a useful utility to scan and fix any system, registry and hard drive errors. It ensures system stability and performance, frees wasted hard-drive space and recovers damaged Word, Excel, music and video files".
However, these claims were never verified by any reputable source. In fact, most sources consider this program to actually reduce system stability and performance. The sites went defunct in December 2008 after actions taken by the Federal Trade Commission.

Installation methods

The WinFixer application is known to infect users using the Microsoft Windows operating system, and is browser independent. One infection method involves the Emcodec.E trojan, a fake codec scam. Another involves the use of the Vundo family of trojans.

Typical infection

The infection usually occurs during a visit to a distributing web site using a web browser. A message appears in a dialog box or popup asking the user if they want to install WinFixer, or claiming a user's machine is infected with malware, and requests the user to run a free scan. When the user chooses any of the options or tries to close this dialog (by clicking 'OK' or 'Cancel' or by clicking the corner 'X'), it will trigger a pop-up window and WinFixer will download and install itself, regardless of the user's wishes.

"Trial" offer

A free "trial" offer of this program is sometimes found in pop-ups. If the "trial" version is downloaded and installed, it executes a "scan" of the local machine that reports a couple of non-existent Trojans and viruses, but does nothing else. To obtain a quarantine or removal, WinFixer requires the purchase of the program. However, the alleged unwanted bugs are bogus, serving only to persuade the owner to buy the program.

WinFixer application

Once installed, WinFixer frequently launches pop-ups and prompts the user to follow its directions. Because of the intricate way in which the program installs itself into the host computer (including making dozens of registry edits), successful removal may take a fairly long time if done manually. When running, it can be found in the Task Manager and stopped, but before long it will re-install and start up again.

WinFixer is also known to modify the Windows Registry so that it launches automatically after reboot and scans the user's computer.

Firefox popup

The Mozilla Firefox browser is vulnerable to initial infection by WinFixer. Once installed, WinFixer is known to exploit the SessionSaver extension for the Firefox browser. The program causes popups on every startup asking the user to download WinFixer, by adding lines containing the word 'WinFixer' to the prefs.js file.
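The prefs.js persistence described above can be checked for from the defender's side: Firefox writes each preference as a `user_pref("name", value);` line, so a scanner only needs to parse those lines and flag any whose name or value contains a watchlist term such as 'WinFixer'. The following Python script is an added example and is not code from the original article or from any of the products it describes; the sample prefs.js content and the SessionSaver-style preference names in it are constructed for illustration, not captured from a real infection.

```python
import re
from typing import List, Tuple

# Firefox stores preferences as one line per setting:
#   user_pref("pref.name", value);
# Everything else in prefs.js (comments, blank lines) is left untouched.
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Case-insensitive substrings that mark a preference as suspicious.
WATCHLIST = ("winfixer",)


def parse_prefs(text: str) -> List[Tuple[str, str]]:
    """Return (name, raw_value) pairs for every well-formed user_pref line."""
    prefs = []
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs.append((m.group(1), m.group(2)))
    return prefs


def find_suspicious(text: str, watchlist=WATCHLIST) -> List[Tuple[str, str]]:
    """Return the preferences whose name or value contains a watchlist term."""
    hits = []
    for name, value in parse_prefs(text):
        haystack = (name + " " + value).lower()
        if any(term in haystack for term in watchlist):
            hits.append((name, value))
    return hits


def clean_prefs(text: str, watchlist=WATCHLIST) -> str:
    """Return prefs.js content with the flagged user_pref lines removed.

    Only lines that parse as user_pref entries are eligible for removal,
    so comments and unrelated settings survive intact.
    """
    kept = []
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and any(term in line.lower() for term in watchlist):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed sample prefs.js. The "extensions.sessionsaver.*" names are
# hypothetical, chosen only to mirror the SessionSaver abuse the article mentions.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("extensions.sessionsaver.static.winfixer_url", "http://winfixer.example/install");
user_pref("network.cookie.cookieBehavior", 1);
user_pref("extensions.sessionsaver.static.pages", "http://WinFixer.example/scan?id=1");
"""

if __name__ == "__main__":
    for name, value in find_suspicious(SAMPLE_PREFS):
        print(f"suspicious pref: {name} = {value}")
    print("--- cleaned prefs.js ---")
    print(clean_prefs(SAMPLE_PREFS), end="")
```

Run against a real profile, `find_suspicious(open(path).read())` is the read-only triage step; `clean_prefs` should only be applied with Firefox closed, since the browser rewrites prefs.js on exit and would otherwise restore the flagged lines from memory.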

Removal

The removal process of most rogue malware is often as simple as removing the directory it was originally installed into and then running basic cleanup software on the user's computer.

Unfortunately, simply deleting a directory won't remove WinFixer because it actively undoes whatever the user attempts. Frequently, the procedure that works on one system will not work on another because there are a large number of variants. Some sites provide manual techniques to remove infections that the automated tools can not remove.

Domain ownership

The company that makes WinFixer, Winsoftware Ltd., claims to be based in Liverpool, England (Stanley Street, postcode: 13088.) However, this address has been proven false.

The domain WINFIXER.COM on the whois database shows it is owned by a void company in Ukraine and another in Warsaw, Poland. According to Alexa Internet, the domain is owned by Innovative Marketing, Inc., 1876 Hutson St, Honduras.

According to the public key certificate provided by GTE CyberTrust Solutions, Inc., the server secure.errorsafe.com is operated by ErrorSafe Inc. at 1878 Hutson Street, Belize City, BZ.

Running traceroute on Winfixer domains showed that most of the domains are hosted from servers at setupahost.net, which uses Shaw Business Solutions AKA Bigpipe as their backbone.

Technical

WinFixer is closely related to Aurora Network's Nail.exe hijacker/spyware program. In worst-case scenarios, it may embed itself in Internet Explorer and become part of the program, thus being nearly impossible to remove. The program is also closely related to the Vundo trojan.

Class action lawsuit

On September 29, 2006, a San Jose woman filed a lawsuit over WinFixer and related "fraudware" in Santa Clara County Superior Court; however, in 2007 the lawsuit was dropped. In the lawsuit, the plaintiff charged that the WinFixer software "eventually rendered her computer's hard drive unusable. The program infecting her computer also ejected her CD-ROM drive and displayed Virus warnings." KTVU (Channel 2 in Oakland, CA) carried a special report.

Ads on Windows Live Messenger

On February 18, 2007, a blog called "Spyware Sucks" reported that the popular instant messaging application Windows Live Messenger had inadvertently promoted WinFixer by displaying a WinFixer advertisement from one of Messenger's ad hosts. A similar occurrence was also reported on some MSN Groups pages. There were other reports before this one (one from Patchou, the creator of Messenger Plus!), and people had contacted Microsoft about the incidents. Whitney Burk from Microsoft addressed this problem in an official statement:

Federal Trade Commission

On December 2, 2008, the Federal Trade Commission requested and received a temporary restraining order against Innovative Marketing, Inc., ByteHosting Internet Services, LLC, and individuals Daniel Sundin, Sam Jain, Marc D'Souza, Kristy Ross, and James Reno, the creators of WinFixer and its sister products. The complaint alleges that the products' advertising, as well as the products themselves, violate United States consumer protection laws. As of December 2008, this motion has attempted to halt the companies' operations, and so halt the distribution of WinFixer and similar products offered by the same companies. However, Innovative Marketing has flouted the court order and is currently being fined $8000 per day in civil contempt.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 