WinFixer
From Wikipedia, the free encyclopedia
WinFixer, WinAntiVirus, ErrorSafe, SystemDoctor and DriveCleaner are identical or similar computer programs, available on the internet, that claim to repair computer system problems. They are forcibly installed on the victim's computer through the SysProtect vector. They display false information about the user's computer, misleading the user into believing that the PC is infected with viruses, spyware or other malware. Their advertisements pop up notifications designed to convince the user that something is amiss with the computer, or run a bogus diagnostic. The program then repeatedly prompts the user to purchase a licensed copy.
Because of this behaviour, WinFixer and its sister applications are widely regarded as spyware or malware; their misleading pop-ups and forced downloads mirror the "marketing" strategies of many spyware programs. Some computers infected with the program exhibit sluggish performance.
Symantec's report on WinFixer: [1]
McAfee's report on WinFixer: [2]
Kaspersky, which also lists it as malware: [3]
Sophos' report: [4]
A possible fix: [5]
WinFixer's claim:
WinFixer 2005 is a useful utility to scan and fix any system, registry and hard drive errors. It ensures system stability and performance, frees wasted hard drive space and recovers damaged Word, Excel, music and video files.
In truth, WinFixer does none of these things.
How it infects
There are several ways in which WinFixer can infect a computer. Users of Internet Explorer are the most susceptible; users of other browsers, such as Firefox and Opera, can also be infected but are more resistant. One browser-independent infection method involves the trojan Trojan.Emcodec.E, a fake codec that exists in numerous versions.
Typical infection
The infection usually occurs during a visit to a distributing web site (not necessarily winfixer.com) using Internet Explorer. A dialog box appears, asking the user whether they want to install WinFixer.
Whichever option the user chooses, and even if they try to close the dialog (by clicking 'OK' or 'Cancel', or the 'X' in the corner), a pop-up window is triggered and WinFixer downloads and installs itself, regardless of the user's wishes. Because the dialog box belongs to the Internet Explorer application, it does not appear as its own entry in the Windows Task Manager list (Ctrl+Alt+Del). The user may still be able to avoid installing the program by closing the dialog with Alt+F4, or by disconnecting from the internet before closing it.
WinFixer is able to stop a computer's optical drive from working.
Trial offer of WinFixer
A free trial offer of the program is sometimes found in pop-ups. If the trial version is downloaded and installed, it "locates" a couple of alleged Trojans and viruses but does nothing else; to quarantine or remove them, WinFixer requires the purchase of the full program. Reviewers believe the alleged infections are bogus and serve only to induce the owner to buy the program. Once the WinFixer program is present, it usually will not go away without anti-virus software, and it keeps popping up windows on the user's screen until removed with such software.
WinFixer application
Once installed, WinFixer frequently launches pop-ups and prompts the user to follow its directions. Because the program installs itself intricately into the host computer (including making dozens of registry edits), successful manual removal can take a long time. While running, it can be found in the Task Manager and stopped, but before long it re-installs and starts up again.
Firefox popup
Mozilla Firefox is less vulnerable than Internet Explorer to initial infection by WinFixer, but not immune. Once installed, WinFixer is known to exploit the SessionSaver extension for Firefox: by adding lines containing the word 'WinFixer' to the profile's prefs.js file, it causes pop-ups on every browser startup asking the user to download WinFixer.
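As an added example (not part of the original article, and not the malware's or Mozilla's code), the following Python script parses a Firefox prefs.js file, reports every user_pref line whose name or value mentions WinFixer or one of the sister names listed above, and writes a cleaned copy that leaves every other preference untouched. The embedded prefs.js content is constructed for the example; the SessionSaver-style preference names in it are illustrative, not the extension's real keys.

```python
import re
import sys

# Names the article groups together with WinFixer; matched case-insensitively.
ROGUE_NAMES = ("winfixer", "errorsafe", "systemdoctor",
               "drivecleaner", "winantivirus", "sysprotect")

# A prefs.js entry has the form:  user_pref("pref.name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')


def find_rogue_prefs(prefs_text):
    """Return (line_no, pref_name, raw_value) for every user_pref line that
    names a rogue product in either its preference name or its value."""
    hits = []
    for line_no, line in enumerate(prefs_text.splitlines(), start=1):
        match = PREF_RE.match(line)
        if not match:
            continue  # comments, blank lines, anything that is not a pref
        name, value = match.group(1), match.group(2)
        haystack = (name + " " + value).lower()
        if any(rogue in haystack for rogue in ROGUE_NAMES):
            hits.append((line_no, name, value))
    return hits


def clean_prefs(prefs_text):
    """Return the prefs.js text with the flagged lines dropped. Every other
    line, including its original line ending, is preserved as-is."""
    flagged = {line_no for line_no, _, _ in find_rogue_prefs(prefs_text)}
    kept = [line for line_no, line in
            enumerate(prefs_text.splitlines(keepends=True), start=1)
            if line_no not in flagged]
    return "".join(kept)


# Constructed sample: the sessionsaver pref names are illustrative only.
SAMPLE_PREFS = (
    '# Mozilla User Preferences\n'
    'user_pref("browser.startup.homepage", "about:blank");\n'
    'user_pref("extensions.sessionsaver.example.static", "http://www.winfixer.com/");\n'
    'user_pref("extensions.sessionsaver.example.window0", "[\\"http://www.winfixer.com/\\"]");\n'
    'user_pref("network.cookie.cookieBehavior", 0);\n'
)


def main(argv):
    # Usage: python prefs_check.py /path/to/profile/prefs.js
    # With no argument the constructed sample is scanned instead.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PREFS
    for line_no, name, value in find_rogue_prefs(text):
        print(f"line {line_no}: {name} = {value}")
    if len(argv) > 1:
        out_path = argv[1] + ".cleaned"
        with open(out_path, "w", encoding="utf-8") as fh:
            fh.write(clean_prefs(text))
        print(f"cleaned copy written to {out_path}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with Firefox closed, review the reported lines, and only then replace prefs.js with the cleaned copy; Firefox rewrites prefs.js on exit, so editing it while the browser is open loses the change. The script does not touch the SessionSaver extension itself or any on-disk WinFixer component, so it only stops the startup pop-up, not the infection.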
Mac OS X
It is difficult, if not impossible, for WinFixer to install itself on a Macintosh. The most obvious cue is its "scan" of Microsoft Windows, which exposes the program as fraudulent because it behaves as if it were running on Windows. In addition, it displays obviously fake browser windows that do not even match those of OS X.
Pop-up windows
When a user browsing the Internet receives the alert message, it triggers a set of three pop-up windows, regardless of which variant (WinFixer, ErrorSafe or WinAntiVirus) is involved; each alerts the user about possible ongoing attacks and prompts them to use its software to scan the computer for worms, viruses, Trojans and the like. If the user clicks the 'X' or Cancel, another pop-up appears telling the user that they have not completed the scan. If the user selects any of the options, WinFixer installs itself. If the user disconnects from the Internet before clicking an option, the dialog boxes still appear but nothing happens.
Avoid infection
If the initial dialog box is shown, disconnecting from the Internet before closing it may prevent the download prompt and, therefore, the risk of infection. Ending all browser windows from Windows Task Manager also appears to be effective. Do not simply close the browser windows with the 'X', as the auto-download will often still proceed; use Task Manager instead. (This may be less effective on Windows versions older than 2000; on Windows 2000 and XP, ending iexplore.exe or firefox.exe prevents the install from taking place.)
Switching to a browser other than Internet Explorer may reduce vulnerability to this and other online Trojan threats. Most malware targets Internet Explorer because of its widespread use, and is therefore written to take advantage of flaws and loopholes in it.
Blocking the site www.winfixer.com in your firewall will prevent the typical infecting download. However, the program may install itself by other means.
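One concrete way to apply the blocking advice above, as an added example that is not from the original article or any vendor: the Python below parses a hosts file (the same format on Windows, %SystemRoot%\System32\drivers\etc\hosts, and on Unix, /etc/hosts), works out which names are already sinkholed, and appends an entry for each listed domain that is not, so running it twice changes nothing. The domain list uses only the hostnames the article mentions; the sample hosts content is constructed.

```python
import sys

# Hostnames the article names for the distribution and payment sites.
BLOCK_DOMAINS = ("www.winfixer.com", "winfixer.com", "secure.errorsafe.com")

# Addresses that mean "go nowhere" when they appear in a hosts file.
# 0.0.0.0 is preferred for new entries: 127.0.0.1 would hand the request
# to any web server listening on the local machine.
SINKHOLES = {"0.0.0.0", "127.0.0.1"}


def parse_hosts(text):
    """Yield (address, [hostnames]) for each entry line, ignoring blank lines
    and comments (a '#' ends the meaningful part of a line)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: an address with no names after it
        yield fields[0], [name.lower() for name in fields[1:]]


def sinkholed_names(text):
    """Return the set of hostnames the file already points at a sinkhole."""
    names = set()
    for address, hostnames in parse_hosts(text):
        if address in SINKHOLES:
            names.update(hostnames)
    return names


def add_blocks(text, domains=BLOCK_DOMAINS, sink="0.0.0.0", tag="rogue-av-block"):
    """Return the hosts text with one sinkhole line appended for every domain
    not already blocked. Idempotent: a second call returns the input unchanged."""
    already = sinkholed_names(text)
    new_lines = [f"{sink} {domain}  # {tag}"
                 for domain in domains if domain.lower() not in already]
    if not new_lines:
        return text
    body = text if (not text or text.endswith("\n")) else text + "\n"
    return body + "\n".join(new_lines) + "\n"


# Constructed sample: one of the article's domains is already blocked by hand.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "127.0.0.1       www.winfixer.com   # added earlier by hand\n"
)


def main(argv):
    # Usage: python block_hosts.py /path/to/hosts   (needs admin/root to write)
    # With no argument the constructed sample is updated and printed.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
        updated = add_blocks(text)
        if updated != text:
            with open(argv[1], "w", encoding="utf-8") as fh:
                fh.write(updated)
        print("entries added:", updated.count("rogue-av-block") - text.count("rogue-av-block"))
    else:
        print(add_blocks(SAMPLE_HOSTS), end="")


if __name__ == "__main__":
    main(sys.argv)
```

The caveat in the paragraph above still applies: a hosts entry only covers the names you list, so a distributing site under another domain, or a component already dropped on the disk, is unaffected. Treat this as one layer alongside the firewall rule and the removal steps below, not as a substitute for them.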
Removing WinFixer
There are several other products on the Web that claim to be able to stop and uninstall WinFixer. Many of these "solutions" are WinFixer clones.
WinFixer prompts the user to purchase a licensed copy of the software. Making the purchase may stop the problems caused by the application without removing it; there is no proof that the program works even after the licence is purchased, and some users report that purchasing and installing WinFixer causes additional serious operating problems.
Symantec has published procedures for removing WinFixer manually; this is a manual process involving registry editing. As of January 2006, the better-known antivirus and antispyware packages did not detect or remove WinFixer infections automatically.
McAfee's WinFixer information indicates that WinFixer may be classified as legitimate software; however, McAfee's Vundo information may aid a user in removing WinFixer. That removal process uses Sysinternals' Process Explorer to suspend infected critical system processes. (Vundo is malware intended to install WinFixer automatically on the machine.)
Several free, reputable anti-spyware programs can detect and remove WinFixer, such as Spybot - Search & Destroy and Ad-Aware.
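The manual removal the vendors describe turns on finding the registry values the program leaves behind. As an added example, not Symantec's or McAfee's procedure, the Python below parses a .reg export (as written by regedit's Export command or `reg export`, which on Windows produces UTF-16 text with a byte-order mark) and lists every value whose key path, name or data mentions WinFixer or one of the sister names the article gives, so the hits can be reviewed before anything is deleted. The export embedded here is constructed; its key names and the program path in it are illustrative.

```python
import re
import sys

# Product names the article associates with WinFixer; matched case-insensitively.
ROGUE_NAMES = ("winfixer", "errorsafe", "systemdoctor",
               "drivecleaner", "winantivirus", "sysprotect")

# A key line is [HKEY_...]; a leading '-' marks a key deletion, which we skip over.
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")


def parse_reg_export(text):
    """Yield (key_path, value_name, raw_data) for each value in a .reg export.
    Hex data continued over several lines (trailing backslash) is joined first."""
    key = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]  # continuation line: keep accumulating
            continue
        if not line or line.startswith(";") or \
                line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        match = KEY_RE.match(line)
        if match:
            key = match.group(2)
            continue
        if key is None:
            continue  # a value line before any key is malformed
        if line.startswith("@="):
            yield key, "@", line[2:]          # the key's default value
        elif line.startswith('"'):
            name, sep, data = line[1:].partition('"=')
            if sep:
                yield key, name, data


def find_rogue_values(text, names=ROGUE_NAMES):
    """Return (key_path, value_name, raw_data) for every value whose key path,
    name or data mentions one of the given names."""
    hits = []
    for key, name, data in parse_reg_export(text):
        haystack = f"{key} {name} {data}".lower()
        if any(n in haystack for n in names):
            hits.append((key, name, data))
    return hits


def load_reg(path):
    """Read a .reg file, honouring the UTF-16 BOM that reg export writes."""
    with open(path, "rb") as fh:
        blob = fh.read()
    encoding = "utf-16" if blob.startswith((b"\xff\xfe", b"\xfe\xff")) else "utf-8-sig"
    return blob.decode(encoding)


# Constructed sample export: the WinFixer.exe path and the Trace value are invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"WinFixer 2005"="\"C:\\Program Files\\WinFixer 2005\\WinFixer.exe\" /min"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ErrorSafe]
"DisplayName"="ErrorSafe"
"UninstallString"="C:\\Program Files\\ErrorSafe\\Uninstall.exe"
"Trace"=hex:00,01,02,\
  03,04
'''


def main(argv):
    # Usage: python reg_triage.py export.reg   (no argument scans the sample)
    text = load_reg(argv[1]) if len(argv) > 1 else SAMPLE_REG
    for key, name, data in find_rogue_values(text):
        print(f"{key}\n    {name} = {data}")


if __name__ == "__main__":
    main(sys.argv)
```

Export the autostart locations you want to inspect first (for example `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`), keep the export as a backup, and cross-check each reported value against the running processes seen in Task Manager or Process Explorer before removing it, since the article notes the program re-creates itself while its process is alive.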
Domain ownership
The company that makes WinFixer, Winsoftware Ltd., claims to be based in Liverpool, England (Stanley Street, postcode 13088). However, this has been proven false [6]. See more on the WinSoftware page.
The WHOIS record for the domain WINFIXER.COM shows it is owned by a void company in Ukraine, putting the company beyond the practical reach of the Digital Millennium Copyright Act [7]. According to Alexa Internet, the domain is owned by Innovative Marketing, Inc., 1876 Hutson St, Honduras.
According to the public-key certificate issued by GTE CyberTrust Solutions, Inc., the server secure.errorsafe.com is operated by ErrorSafe Inc. at 1878 Hutson Street, Belize City, BZ.
Miscellaneous and technical information
Technical
WinFixer is closely related to Aurora Network's Nail.exe hijacker/spyware program. In the worst case, it may embed itself in Internet Explorer and become part of the program, making it nearly impossible to remove. The program is also closely related to the Vundo and Virtumonde trojans [8]. (Note: the database entries for the Virtumonde Trojan and for WinFixer itself were down as of late February 2006.) Nevertheless, many members of online technical-support forums and blogs believe that WinFixer is associated with the Vundo Trojan.
Program name
The name WinFixer is thought to derive from the old Microsoft Windows abbreviation "Win" joined with the word "fixer", implying "Windows Fixer". Because of the association with the operating system's name, a user may believe they are downloading a Windows-related program when, in fact, they are not.
Identical programs
Other programs have appeared on the internet under different names with advertisements similar to WinFixer's, including ErrorSafe, SystemDoctor, SysProtect and WinAntiVirus. Their pop-ups give the same warnings as WinFixer's and likewise refuse to be dismissed, and their websites resemble WinFixer's.
Class action lawsuit
On September 29, 2006, a San Jose woman filed a lawsuit over WinFixer and related "fraudware" in Santa Clara County Superior Court.[9]