WinFixer

From Wikipedia, the free encyclopedia

The screenshot of www.winfixer.com (when it was still operating)

WinFixer, WinAntiVirus, WinAntiVirusPro, ErrorSafe, SystemDoctor, WinAntiSpyware, AVSystemCare, WinAntiSpy, XPAntivirus2008, Performance Optimizer, StorageProtector, PrivacyProtector, WinReanimator and others are very similar computer programs, available only for Microsoft Windows, that claim to repair computer system problems [1][2][3] but do not actually do so. They are sometimes installed without the user's consent, usually through Internet Explorer. They display false information about the user's computer, leading the user to believe that the PC is infected with viruses, spyware and/or other forms of malware. The advertisements pop up notifications to convince the user that something may be amiss with the computer, or run a fake diagnostic. The program repeatedly prompts the user to purchase a licensed copy. Because of this behaviour, WinFixer and its sister applications are generally considered scareware and spyware, distributed through misleading pop-ups and forced downloads.

WinFixer claims it "is a useful utility to scan and fix any system, registry and hard drive errors. It ensures system stability and performance, frees wasted hard-drive space and recovers damaged Word, Excel, music and video files", but it has never been shown to do such things.


Methods of Exploitation

An example of a WinFixer pop-up dialog box within Opera. Even if the Cancel or X dialogs were clicked to dismiss the box, it would redirect to a WinAntiVirus page anyway, featuring a simulated system scan.

One manner of exploitation involves "baited" postings on public bulletin boards. A topic posted on such a bulletin board would purport to link to, for example, a celebrity image, but once the topic is opened and the alleged link to the image is clicked, a connection to the bad web site is established.

Methods of infection

There are several ways in which WinFixer can infect a computer. Users using Internet Explorer are most susceptible, although users of other browsers, such as Firefox and Opera, can also be infected, but are more resistant to the program. One infection method that is browser-independent involves the Emcodec.E trojan, a fake codec that exists in numerous versions.

Typical infection

The infection usually occurs during a visit to a distributing web site (not necessarily winfixer.com) using a web browser. A message appears in a dialog box, asking the user if they want to install WinFixer.

Initial message prior to infection - a user wishing to avoid infection might wish to disconnect from the Internet before closing the dialog box.

When the user chooses any of the options or tries to close this dialog (by clicking 'Ok' or 'Cancel' or by clicking the corner 'X'), it will trigger a pop-up window and WinFixer will download and install itself, regardless of the user’s wishes. Because this is a dialog box related to the web browser, it does not appear in the Windows Task Manager list. However, the user may be able to avoid installing the program either by using the Alt+F4 command or by disconnecting from the Internet before closing the dialog box.

WinFixer is able to stop a computer's optical drive from working.

"Trial" offer of WinFixer

A free "trial" offer of this program is sometimes found in pop-ups. If the "trial" version is downloaded and installed, it "locates" a couple of alleged Trojans and viruses, but does nothing else. To obtain quarantine or removal, WinFixer requires the purchase of the program. However, the alleged unwanted bugs are bogus, serving only to persuade the owner to buy the program. If the WinFixer program is found, it usually will not go away without the use of antivirus software, and even then it can prove very difficult to remove. WinFixer tends to keep popping up on the user's screen until it is completely removed from the operating system.

WinFixer Application

Once installed, WinFixer frequently launches pop-ups and prompts the user to follow its directions. Because of the intricate way in which the program installs itself into the host computer (including making dozens of registry edits), successful removal may take a fairly long time if done manually. When running, it can be found in the Task Manager and stopped, but before long it will re-install and start up again.

Firefox popup

The Mozilla Firefox browser is less vulnerable than Internet Explorer (yet not totally immune) to initial infection by WinFixer. However, once installed, WinFixer is known to exploit the SessionSaver extension for the Firefox browser. The program causes popups on every startup asking the user to download WinFixer, by adding lines containing the word 'WinFixer' to the prefs.js file.

Pop-up windows

When a user browses the Internet and receives an alert message, it triggers a set of three pop-up windows, regardless of which variant (WinFixer, ErrorSafe or WinAntiVirus) is involved; each alerts the user about possible ongoing attacks. WinFixer then prompts the user to use its software to scan the computer for possible worms, viruses, Trojans, etc. If the user clicks the 'X' or Cancel, it launches another pop-up telling the user that they have not completed the scan. If the user selects any of the options, WinFixer installs itself. If the user disconnects from the Internet before clicking an option, the dialog boxes still appear, but nothing happens.

Avoiding infection

If the initial dialog box is shown, disconnecting from the Internet before closing it will stop WinFixer from downloading. Shutting down all browser windows using the Task Manager found in Windows 2000 and above also seems to be effective. Do not simply close the browser windows using the close button on the window, as WinFixer will still auto-download.

Blocking its sites such as www.winfixer.com, winantivirus.com or www.systemdoctor.com in your firewall will prevent the typical infecting download. However, there may be other means by which the program installs itself.

Also, simply clicking the "Cancel" or "No" button (depending on your browser) on the file download window that appears will stop the software downloading. You must, however, remember not to click on the Close Window (x) button without first disabling JavaScript, since doing that is usually scripted to start the download instead.

Removal

There are several other products to be found on the Web that claim to have the ability to stop and uninstall WinFixer. Many of these 'solutions' are WinFixer clones.

WinFixer will prompt the user to purchase a licensed copy of the WinFixer software. Making this purchase may stop the problems caused by the application, but does not remove it. There is no proof that the program works, even after purchasing the license. Some users, such as Beatrice Ochoa and her 100 or so co-plaintiffs, report that purchasing and installing the WinFixer program causes additional serious operating problems.

Symantec has published procedures for removing WinFixer manually. This is a manual process involving registry editing. As of January 2006, the better-known antivirus and antispyware software packages do not detect or remove WinFixer infections automatically.

McAfee's WinFixer information indicates that WinFixer may be classified as legitimate software; however, McAfee's Vundo information may aid a user in removing WinFixer. This removal process makes use of Sysinternals' Process Explorer to suspend infected critical system processes. (Vundo is malware intended to automatically install WinFixer on the machine.)

VundoFix is another easy-to-use program that can be used to remove the Virtumonde infections that are responsible for the malware.

Additionally, Malwarebytes has created a free automated tool that will remove these infections available at www.malwarebytes.org/rogueremover.php.

Spybot - Search & Destroy will also remove some forms of WinFixer. It is available for free download.

Domain Ownership

The company that makes WinFixer, Winsoftware Ltd., claims to be based in Liverpool, England (Stanley Street, postcode: 13088). However, this address has been proven false [4].

The whois record for the domain WINFIXER.COM shows it is owned by a void company in Ukraine and another in Warsaw, Poland [5]. According to Alexa Internet, the domain is owned by Innovative Marketing, Inc., 1876 Hutson St, Honduras.

According to the public key certificate provided by GTE CyberTrust Solutions, Inc., the server secure.errorsafe.com is operated by ErrorSafe Inc. at 1878 Hutson Street, Belize City, BZ.

Running traceroute on Winfixer domains shows that most of the domains are hosted from servers at http://www.setupahost.net, which uses Shaw Business Solutions AKA Bigpipe as their backbone.

Technical Information

Technical

WinFixer is closely related to Aurora Network's Nail.exe hijacker/spyware program. In worst-case scenarios, it may embed itself in Internet Explorer and become part of the program, thus being nearly impossible to remove. The program is also closely related to the Vundo and Virtumonde viruses [6]. (Note: the database entries for the Virtumonde Trojan and for WinFixer itself are down as of late February 2006.) However, a great number of members of online technical support forums and blogs believe that WinFixer is associated with the Vundo Trojan.

It puts:

  • "DllRunning" in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and
  • a randomly named DLL file into C:\WINDOWS\system32.
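As an added example (not from the article, and not code from any of the tools it names), the following Python script checks two offline artifacts for the indicators described in this section and in the Firefox popup section: a "DllRunning" value under the HKLM Run key in an exported .reg file, and lines containing the word 'WinFixer' in a Firefox prefs.js. Both sample inputs are constructed for the example. The check for a DLL loaded from system32 by a Run entry is a heuristic of my own, added because the page only says the DLL is randomly named; it flags such entries for review rather than declaring them malicious.

```python
"""Offline check for the WinFixer persistence indicators described on the page.

Added example, not from the article or any named tool. Inputs below are
constructed samples; in practice you would read a `reg export` file of the
Run key and the profile's prefs.js.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed .reg export of the Run key. A .reg file doubles backslashes
# inside string data, which is why the paths below show "\\".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"DllRunning"="rundll32.exe C:\\WINDOWS\\system32\\qkxzvwmp.dll,DllRunning"
'''

# Constructed prefs.js: one ordinary pref plus a line carrying the word
# 'WinFixer', mimicking the page's description of the SessionSaver abuse.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("sessionsaver.constructed.WinFixer", "popup");
user_pref("network.cookie.cookieBehavior", 0);
'''


def parse_reg_export(text):
    """Parse a .reg text export into {key_path: {value_name: string_data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # Strip quotes and undo the .reg backslash doubling.
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_run_indicators(reg_text):
    """Return Run-key entries matching the page's WinFixer pattern.

    Each finding is a dict with the value name, its data and the reasons.
    """
    run_values = parse_reg_export(reg_text).get(RUN_KEY, {})
    findings = []
    for name, data in run_values.items():
        reasons = []
        if name.lower() == "dllrunning":
            reasons.append("value name 'DllRunning' (as described for WinFixer)")
        # Heuristic (my own): a Run entry loading a DLL out of system32.
        # WinFixer's DLL is randomly named, so the file name itself cannot be
        # matched; an analyst must confirm whether the DLL is a known file.
        m = re.search(r"\\system32\\([^\\,\s\"]+\.dll)", data, re.IGNORECASE)
        if m:
            reasons.append(f"loads {m.group(1)} from system32; verify the file")
        if reasons:
            findings.append({"value": name, "data": data, "reasons": reasons})
    return findings


def find_prefs_indicators(prefs_text):
    """Return prefs.js lines containing 'WinFixer' (case-insensitive)."""
    return [ln.strip() for ln in prefs_text.splitlines()
            if "winfixer" in ln.lower()]


if __name__ == "__main__":
    for f in find_run_indicators(SAMPLE_REG):
        print(f"Run value {f['value']!r}: {f['data']}")
        for r in f["reasons"]:
            print(f"  - {r}")
    for ln in find_prefs_indicators(SAMPLE_PREFS):
        print(f"prefs.js: {ln}")
```

On a real machine the .reg input would come from `reg export` of the Run key shown above, and prefs.js from the Firefox profile directory; the script reads both as text and never touches the live registry, so it can be run from a clean analysis host against copied artifacts.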

Miscellaneous

Class Action Lawsuit

On September 29, 2006, a San Jose woman filed a lawsuit over WinFixer and related "fraudware" in Santa Clara County Superior Court.[7] KTVU (Channel 2 in Oakland, CA) carried a special report [8].

External links