WinFixer

WinFixer, WinAntiVirus and ErrorSafe are the same program distributed under different names, advertised on the internet as a utility that repairs computer system problems. It is installed on the victim's computer without consent, commonly through the SysProtect vector. Once running it reports false findings about the computer, so that the user believes the PC is infected with viruses, spyware or other malware. The adverts pop up a display of notifications designed to convince the user that something is wrong with the computer, or run a fake diagnostic scan.
Because of this behaviour, WinFixer and its sister applications are widely classified as spyware or malware: their misleading pop-ups and forced downloads mirror the "marketing" strategies of many spyware programs. Some computers infected with the program exhibit sluggish performance.
Symantec's report on WinFixer: [1]. McAfee's report on WinFixer: [2]. Kaspersky also lists it as malware: [3]. Sophos' report: [4].
A possible fix: [5].
WinFixer's claim:
WinFixer 2005 is a useful utility to scan and fix any system, registry and hard drive errors. It ensures system stability and performance, frees wasted hard drive space and recovers damaged Word, Excel, music and video files.
In truth, WinFixer does none of these things.
How it infects
There are several ways in which WinFixer can infect a computer. Users of Internet Explorer are the most susceptible; users of other browsers such as Firefox and Opera can also be infected, but those browsers are more resistant to the program. Some victims also report that it stops the optical drive from working.
Typical Infection
The infection usually occurs during a visit to a distributing web site (not necessarily winfixer.com) using Internet Explorer. A dialog box appears asking the user whether they want to install WinFixer.

Whichever option the user chooses, and even if they try to close the dialog (by clicking 'OK' or 'Cancel', or the 'X' in the corner), a pop-up window is triggered and WinFixer downloads and installs itself, regardless of the user's wishes. Because the dialog belongs to the Internet Explorer process rather than being a separate application, it does not appear in the Applications list of Windows Task Manager (Ctrl+Alt+Del); ending the iexplore.exe process from the Processes tab closes it. Pressing Alt+F4 may also close the pop-up successfully.
Trial offer of WinFixer
A free trial of the program is sometimes offered in pop-ups. If the trial version is downloaded and installed, it "locates" a couple of alleged Trojans and viruses but does nothing else; to quarantine or remove them, WinFixer requires the purchase of the full program. Reviewers believe the alleged infections are bogus and serve only to induce the owner to buy the program. Once WinFixer is present it usually will not go away without the use of anti-virus software, and it keeps popping up windows on the screen until it is removed with such software.
WinFixer Application
Once installed, WinFixer frequently launches pop-ups and prompts the user to follow its directions. Because of the intricate way in which the program installs itself into the host computer (including making dozens of registry edits), successful removal is a tedious, manual process. While running, its process can be found in Task Manager and stopped, but before long it reinstalls itself and starts up again.
Firefox Popup
The Mozilla Firefox browser is less vulnerable than Internet Explorer (though not immune) to initial infection by WinFixer. However, once installed, WinFixer is known to abuse the SessionSaver extension for Firefox: by adding lines containing the word 'WinFixer' to the profile's prefs.js file, it causes a pop-up on every startup asking the user to download WinFixer. The prefs.js file is located at:
Windows: C:\Documents and Settings\_username_\Application Data\Mozilla\Firefox\Profiles\<profile>\prefs.js
Linux: ~/.mozilla/firefox/<profile>/prefs.js
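As an added example (not part of the original article), the following Python script parses a Firefox prefs.js, whose preference lines have the form user_pref("name", value);, reports every preference whose name or value mentions WinFixer or one of the sister names, and produces a copy with those lines removed. The sample prefs.js content is constructed for illustration, and the extensions.sessionsaver.* preference names in it are assumed; the article only states that the injected lines contain the word 'WinFixer'.

```python
import re
import sys

# Constructed sample prefs.js (not a capture from an infected profile): two
# ordinary preferences plus two injected ones. The "extensions.sessionsaver.*"
# names are assumed for illustration; the article only says the injected
# lines contain the word WinFixer.
SAMPLE_PREFS = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.example.org/");
user_pref("extensions.sessionsaver.static.default", "http://www.winfixer.com/");
user_pref("extensions.sessionsaver.static.WinFixer", "http://secure.errorsafe.com/");
user_pref("network.cookie.cookieBehavior", 0);
"""

# One preference line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+?)\);\s*$')

# Names the article gives for the program and its clones.
INDICATORS = ("winfixer", "errorsafe", "winantivirus", "sysprotect", "systemdoctor")


def parse_prefs(text):
    """Return (line_number, name, raw_value) for every user_pref() line."""
    prefs = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PREF_RE.match(line)
        if m:
            prefs.append((n, m.group(1), m.group(2)))
    return prefs


def find_injected(text, indicators=INDICATORS):
    """Preference lines whose name or value mentions an indicator (case-insensitive)."""
    hits = []
    for n, name, value in parse_prefs(text):
        blob = (name + " " + value).lower()
        if any(ind in blob for ind in indicators):
            hits.append((n, name, value))
    return hits


def clean_prefs(text, indicators=INDICATORS):
    """Return (cleaned_text, removed_lines) with the injected lines dropped."""
    bad = {n for n, _, _ in find_injected(text, indicators)}
    kept, removed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        (removed if n in bad else kept).append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    # Usage: python prefs_check.py [path/to/prefs.js]   (defaults to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PREFS
    for n, name, value in find_injected(text):
        print(f"line {n}: {name} = {value}")
```

Run it with Firefox closed: the browser rewrites prefs.js on exit, so edits made while it is running are lost. Also inspect user.js in the same profile directory, since Firefox copies its values into prefs.js at every start and would reinstate the lines from there.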
Pop-up window screenshots
When a user browsing the Internet receives one of these alert messages, it triggers a set of three pop-up windows, regardless of which of the three names (WinFixer, ErrorSafe or WinAntiVirus) the program is using. The alert warns the user about possible ongoing attacks and urges them to scan the computer for worms, viruses, Trojans and so on. If the user clicks the 'X' or Cancel, another pop-up appears telling the user that they have not completed the scan. If the user selects any of the options, WinFixer installs itself without the user's permission. If the user disconnects from the Internet first, the dialog boxes still appear but nothing is downloaded.
Avoid infection
If the initial dialog box is shown, disconnecting from the Internet before closing it may prevent the download prompt and, with it, the risk of infection. Closing all browser windows by ending the browser process in Windows Task Manager also seems to be effective.
Switching to a browser other than Internet Explorer may reduce vulnerability to this and other online Trojan threats. Most malware is targeted at Internet Explorer because of its widespread use, and is written to take advantage of flaws and loopholes in it.
Blocking the site www.winfixer.com in your firewall will prevent the typical infecting download. However, the program is also served from other hosts under its sister names (such as secure.errorsafe.com, noted under Domain Ownership), so there may be other means by which it installs itself.
Removing WinFixer
There are several other products to be found on the Web that claim to have the ability to stop and uninstall WinFixer. All users are advised to be skeptical, as many of these 'solutions' are WinFixer clones.
WinFixer prompts the user to purchase a licensed copy of the software. Making this purchase may stop the nagging without removing the application. Buying the licence also raises ethical questions, since it encourages the creators of the program to continue their extortion. In addition, there is no proof that the program does anything useful even after the licence is purchased, and some users report that purchasing and installing WinFixer causes additional serious operating problems.
Symantec has published procedures for removing WinFixer manually. This is a tedious process involving registry editing, which should be done with the utmost care. As of January 2006, the better-known antivirus and antispyware packages did not detect or remove WinFixer infections automatically. Webroot's Spy Sweeper does detect WinFixer; its free trial version will find WinFixer in memory, in files and in the registry, but a purchase of the full product is necessary for removal. (Update, 22 August 2006: the latest version of Webroot's Spy Sweeper does NOT remove the WinFixer spyware.)
McAfee's WinFixer entry indicates that WinFixer may be classified as legitimate software; however, McAfee's Vundo entry should still aid in the WinFixer removal process. That procedure uses Sysinternals' Process Explorer to suspend the infected critical system processes before cleaning up. (Vundo is malware intended to install WinFixer on the machine automatically, without consent.)
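Manual removal starts with finding where the program has made itself persistent. The following Python script is an added example, not Symantec's or McAfee's procedure: it parses a Regedit export (made with reg export, for instance reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg, and likewise for the other keys), lists every value whose key path, name or data mentions WinFixer or one of its sister names, and flags hits under the Run keys and Internet Explorer's Browser Helper Objects key, the locations from which Windows or the browser would reload the program at each start. The export embedded in the script is constructed; the autostart key paths are real Windows locations, but the value names, the GUID and the file paths are illustrative and not taken from an actual infection.

```python
import re
import sys

# Constructed sample of a "Windows Registry Editor Version 5.00" export; the
# key paths are real autostart locations, but the value names, GUID and file
# paths are illustrative and not taken from any actual infection.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFixer"="\"C:\\Program Files\\WinFixer 2005\\WinFixer.exe\" /min"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Winsoftware\WinFixer 2005]
"InstallDir"="C:\\Program Files\\WinFixer 2005"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="ErrorSafe helper"
'''

# Names the article gives for the program, its clones and its publisher.
INDICATORS = ("winfixer", "errorsafe", "winantivirus", "sysprotect",
              "systemdoctor", "winsoftware")

# Hive-independent registry locations from which Windows or Internet Explorer
# loads code automatically; a hit under one of these is a persistence entry.
# (The Run marker also covers RunOnce.)
AUTOSTART_MARKERS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\explorer\browser helper objects",
)

KEY_RE = re.compile(r'^\[(-?)(.+)\]\s*$')                       # [HKEY_...\Path]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')      # "name"=data or @=data


def unescape(data):
    """Turn "C:\\dir\\x.exe" style .reg string data into a plain string."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r'\\(.)', r'\1', data[1:-1])
    return data  # dword:, hex: and other types are left as exported


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for every value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.rstrip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(2)
            continue
        if key is None or not line:
            continue
        vm = VALUE_RE.match(line)
        if vm:
            name = "(Default)" if vm.group(1) is None else vm.group(1)
            yield key, name, unescape(vm.group(2))


def find_indicators(text, indicators=INDICATORS):
    """Values whose key path, name or data mention an indicator, in file order."""
    hits = []
    for key, name, data in parse_reg_export(text):
        blob = f"{key} {name} {data}".lower()
        if any(ind in blob for ind in indicators):
            hits.append({
                "key": key, "name": name, "data": data,
                "autostart": any(m in key.lower() for m in AUTOSTART_MARKERS),
            })
    return hits


def load_export(path):
    """Read a .reg file; version 5.00 exports are UTF-16LE with BOM, REGEDIT4 ones ANSI."""
    raw = open(path, "rb").read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("cp1252")


if __name__ == "__main__":
    # Usage: python reg_triage.py [export.reg]   (defaults to the sample)
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for h in find_indicators(text):
        tag = "AUTOSTART" if h["autostart"] else "other"
        print(f'{tag:9} {h["key"]}  {h["name"]} = {h["data"]}')
```

Treat the flagged autostart entries as the first thing to remove (after suspending the running processes with Process Explorer, as the McAfee procedure does), because anything left under Run or the Browser Helper Objects key will reinstall the rest at the next boot or browser start. Entries elsewhere, such as the publisher's own software key in the sample, are clean-up rather than persistence.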
Domain Ownership
The company that makes WinFixer, Winsoftware Ltd., claims to be based in Liverpool, England (Stanley Street, postcode 13088). This has been shown to be false [6]. For a start, 13088 is not a valid UK postcode format: Stanley Street is in Liverpool city centre (it joins Mathew Street, home of The Cavern), so it would carry an L1 prefix. Moreover, that street lies in a quarter of the city centre dominated by shops, galleries, boutiques, restaurants and pubs, not offices. 13088 is, however, the ZIP code of Liverpool, New York, and that town has no street called "Stanley Street".
The whois record for the domain WINFIXER.COM shows it as owned by a void company in Ukraine, which, it is argued, places the company beyond the reach of the Digital Millennium Copyright Act [7]. According to Alexa Internet the domain is owned by Innovative Marketing, Inc., 1876 Hutson St, Gonduras.
According to the public key certificate provided by GTE CyberTrust Solutions, Inc., the server secure.errorsafe.com is operated by ErrorSafe Inc. at 1878 Hutson Street, Belize City, BZ.
Miscellaneous and Technical Information
Technical
WinFixer is closely related to Aurora Network's Nail.exe hijacker/spyware program. In the worst case it may embed itself in Internet Explorer and become part of the browser, making it nearly impossible to remove. The program is also closely related to the Vundo Trojan, also known as Virtumonde [8]. (Note: the database entries for the Virtumonde Trojan and for WinFixer itself were unavailable as of late February 2006.) Nevertheless, a great number of members of on-line technical support forums and blogs believe that WinFixer is associated with the Vundo Trojan.
Program Name
Although speculative, the name WinFixer is evidently derived from the common Microsoft Windows abbreviation "Win" joined with the word "fixer", implying "Windows Fixer". Because of this association with the operating system, a user may believe they are downloading a Windows-related program when in fact they are not.
WinFixer also can be found under the name 'WinAntiVirus'; it behaves in the same way as WinFixer.
Identical Programs
Other programs have appeared on the Internet under different names with advertisements similar to WinFixer's, including ErrorSafe, SystemDoctor, SysProtect and WinAntiVirus. Their pop-ups give the same warning as WinFixer's and likewise refuse to be ignored. In addition, their websites bear an uncanny resemblance to WinFixer's website.
External links
- McAfee's Entry on WinFixer
- Symantec’s Entry on WinFixer and removal instructions
- Symantec's entry on ErrorSafe - a sister spyware application
- Atribune's removal tool developed to remove Virtumonde (WinFixer) infections
- WinFixer Virus Manual Removal - Vundo Variant
- Blog on how to remove WinFixer
- Help2go's method (also covers the other malware that comes with WinFixer)
- This Trojan is where many people's problems start (it leads to installing WinFixer)