
WinFixer, WinAntiVirus and ErrorSafe are seemingly identical computer programs available on the internet that claim to repair computer system problems. They are forcibly installed on the victim's computer by the SysProtect vector. They display false information about the user's computer, thereby misleading the user into believing their PC is infected with viruses, spyware and/or other forms of malware. The adverts pop up a display of notifications to convince the user that something may be amiss with the computer, or run a false diagnostic.

Due to these problems, WinFixer and its sister applications are reputed to be spyware or malware. Its misleading popups and forced downloads mirror the "marketing" strategies of many spyware programs. Some computers infected with this program do exhibit sluggish performance.

Links to major anti-virus vendors and what they have to say:

  • Symantec's report on WinFixer
  • McAfee's report on WinFixer
  • Kaspersky also lists it as malware
  • Sophos' report

WinFixer's claim:

WinFixer 2005 is a useful utility to scan and fix any system, registry and hard drive errors. It ensures system stability and performance, frees wasted hard drive space and recovers damaged Word, Excel, music and video files.

In reality, WinFixer doesn't do any of these things.

How it Infects


There are several ways in which WinFixer can infect a computer. Users of Internet Explorer are the most susceptible; users of other browsers, such as Firefox and Opera, can also be infected but are more resistant to the program.

Typical Infection

The infection usually occurs during a visit to a distributing web site (not necessarily winfixer.com) using Internet Explorer. A message appears in a dialog box, asking the user if they want to install WinFixer.

However, when the user chooses any of the options or tries to close this dialog (by clicking 'Ok' or 'Cancel' or by clicking the corner 'X'), it will trigger a pop-up window and WinFixer will download and install itself, despite the user’s wishes. Because this is a dialog box related to the Internet Explorer application, it does not appear in the Windows Task Manager list (Ctrl+Alt+Del).

Trial offer of WinFixer

A free trial offer of this program is sometimes found in pop-ups. If the trial version is downloaded and installed, it "locates" a couple of alleged trojans and viruses, but does nothing else. To obtain a quarantine or removal, WinFixer requires the purchase of the program. Some reviewers believe the alleged unwanted bugs to be bogus, serving only to induce the owner to buy the program. If the WinFixer program is found, it usually will not go away without the use of anti-virus software. It tends to keep popping up in windows on your screen until removed with said software.

WinFixer Application

Once installed, WinFixer frequently launches pop-ups and prompts the user to follow its directions. Because of the intricate way in which the program installs itself into the host computer (including making dozens of registry edits), successful removal is a tedious, manual process. When running, it can be found in the Task Manager and stopped, but before long it will re-install and start up again.

Firefox Popup

The Mozilla Firefox browser is less vulnerable than Internet Explorer to initial infection by WinFixer. However, once installed, WinFixer is known to exploit the SessionSaver extension for the Firefox browser. The program causes popups on every startup asking the user to download WinFixer, by adding lines containing the word 'WinFixer' to the prefs.js file. The prefs.js file is located at:

Windows: C:\Documents and Settings\_username_\Application Data\Mozilla\Firefox\Profiles\\prefs.js

Linux: ~/.Firefox/Profiles//prefs.js
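The article says the Firefox symptom is a set of lines containing the word 'WinFixer' added to prefs.js. The following script is an added example (not part of the article and not anything the WinFixer or SessionSaver authors wrote) that shows how a defender would audit a prefs.js for such lines and strip them. It relies only on the real Firefox preference line format, user_pref("name", value);. The sample prefs.js content, including the extensions.sessionsaver.* preference names and the quoted values, is constructed for the demonstration and does not reproduce a real infected profile.

```python
import re
import shutil
from pathlib import Path

# A Firefox preference line has the form: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Constructed sample prefs.js content (not a real capture). The two lines
# mentioning WinFixer imitate the kind of entries the article describes; the
# extensions.sessionsaver.* names are invented for the example.
SAMPLE_PREFS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("extensions.sessionsaver.static.default", "[\\"http://www.winfixer.com/\\"]");
user_pref("network.cookie.cookieBehavior", 0);
user_pref("extensions.sessionsaver.windows.ff", "WinFixer popup window");
'''


def find_suspicious_prefs(text, marker="winfixer"):
    """Return (line_number, pref_name, value) for every preference line whose
    name or value contains the marker (case-insensitive). Comment lines and
    anything that is not a user_pref(...) call are ignored."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if marker in name.lower() or marker in value.lower():
            hits.append((lineno, name, value))
    return hits


def strip_suspicious_prefs(text, marker="winfixer"):
    """Return (cleaned_text, removed_count): the prefs.js text with every
    flagged line removed. Untouched lines keep their order and content."""
    flagged = {lineno for lineno, _, _ in find_suspicious_prefs(text, marker)}
    kept = [line for i, line in enumerate(text.splitlines(), start=1)
            if i not in flagged]
    return "\n".join(kept) + "\n", len(flagged)


def clean_prefs_file(path, marker="winfixer"):
    """Back up the file to <name>.bak, then rewrite it without flagged lines.
    Close Firefox first: it rewrites prefs.js on exit and would undo the edit."""
    path = Path(path)
    original = path.read_text(encoding="utf-8", errors="replace")
    cleaned, removed = strip_suspicious_prefs(original, marker)
    if removed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(cleaned, encoding="utf-8")
    return removed


if __name__ == "__main__":
    # Audit mode against the constructed sample: report, do not modify anything.
    for lineno, name, value in find_suspicious_prefs(SAMPLE_PREFS):
        print(f"line {lineno}: {name} = {value}")
```

Run it against a real profile with clean_prefs_file(path_to_prefs_js) only after Firefox is closed; the audit function is safe to run at any time. Matching on the substring alone is deliberately broad (it would also flag a bookmark or homepage that merely mentions the name), so review the reported lines before removing them.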

Pop-up window screenshots


When a user browses the internet and receives an alert message, it will trigger a set of 3 pop-up windows, regardless of what type of software is in use. WinFixer (or ErrorSafe or WinAntiVirus) will alert the user about possible ongoing attacks. In this case, WinFixer urges the user to scan the computer for possible worms, viruses, trojans, etc. If the user clicks the 'X' or Cancel, it will launch another pop-up telling the user that they have not completed the scan. If the user selects any of the options, WinFixer will install itself without the permission of the user. However, if the user disconnects from the internet, they will get the dialog boxes, but nothing will happen.

Remedies


Avoid infection


If the initial dialog box is shown, disconnecting from the Internet before closing it may prevent the download prompt and, therefore, the risk of infection. Shutting down all browser windows using Windows Task Manager also seems to be effective.

Switching to a browser other than Internet Explorer may reduce vulnerability to this and other online Trojan threats. Most malware is targeted at Internet Explorer, due to its widespread use, and thus is written to take advantage of any flaws and loopholes in its programming.

Blocking the site www.winfixer.com in your firewall will prevent the typical infecting download. However, there may be other means by which the program installs itself.
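Blocking the domain at the firewall stops the download; the check a defender would want alongside the block is to know when a machine on the network tried to reach it anyway, since the article notes the program has other means of installing itself. The script below is an added example, not from the article, that scans proxy-style log lines for the three domains and two addresses the article lists in its external links section, treating any subdomain (for example secure.errorsafe.com) as a match while ignoring look-alikes such as notwinfixer.com. The log format (timestamp, client, method, target, destination IP) and every log line are constructed for the demonstration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as given in the article's external-links section. They are
# reproduced only for matching; the addresses may not resolve to anything today.
BLOCKED_DOMAINS = {"winfixer.com", "winantivirus.com", "errorsafe.com"}
BLOCKED_IPS = {ipaddress.ip_address("66.244.254.63"),
               ipaddress.ip_address("66.244.254.64")}

# Constructed sample proxy log, one request per line:
#   <timestamp> <client ip> <method> <url or host:port> <destination ip>
# None of this is real traffic.
SAMPLE_LOG = """\
2006-01-15T10:01:02 10.0.0.5 GET http://www.example.com/index.html 93.184.216.34
2006-01-15T10:01:09 10.0.0.5 GET http://www.winfixer.com/download/setup.exe 66.244.254.64
2006-01-15T10:02:11 10.0.0.7 GET http://ads.example.net/banner.gif 66.244.254.63
2006-01-15T10:02:30 10.0.0.9 CONNECT secure.errorsafe.com:443 66.244.254.64
2006-01-15T10:03:00 10.0.0.5 GET http://notwinfixer.com/ 198.51.100.4
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def host_matches(host, blocked=BLOCKED_DOMAINS):
    """True if host is a blocked domain or a subdomain of one. The leading dot
    in the endswith test is what keeps notwinfixer.com from matching."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def extract_host(target):
    """Pull the hostname out of a full URL or a host:port CONNECT target."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0]


def find_blocked(log_text):
    """Return (timestamp, client, reasons) for each line that touched a blocked
    domain or destination address; reasons lists every indicator that fired."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts, client, _method, target, dest = m.groups()
        reasons = []
        host = extract_host(target)
        if host_matches(host):
            reasons.append("domain:" + host)
        try:
            if ipaddress.ip_address(dest) in BLOCKED_IPS:
                reasons.append("ip:" + dest)
        except ValueError:
            pass  # destination field was not an IP address
        if reasons:
            hits.append((ts, client, reasons))
    return hits


if __name__ == "__main__":
    for ts, client, reasons in find_blocked(SAMPLE_LOG):
        print(ts, client, ", ".join(reasons))
```

Matching on the destination address as well as the hostname catches the case the article warns about, where the same servers are reached under a different name: the third sample line names an unrelated host but lands on one of the listed addresses and is still reported.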

Removing WinFixer


Besides WinFixer itself, there are several other products to be found on the Web that claim to have the ability to stop and uninstall WinFixer. All users are advised to be skeptical, as many of these 'solutions' are themselves WinFixer clones.

WinFixer will prompt the user to purchase a licensed copy of the WinFixer software. Making this purchase may solve the problems caused by the application, without removing it. However, buying the license carries certain ethical questions, as it will encourage the creators of the program to continue their extortion. In addition, there is no proof that the program works, even after purchasing the license. Some users report that purchasing and installing the WinFixer program causes additional serious operating problems. If you have purchased the program with a credit card, many urge calling the credit card company to reverse the charge, citing fraud. Also, you should think twice about giving your credit card information to a group of people that have already shown that they can't be trusted.

Symantec has published procedures for removing WinFixer manually. This is a tedious process involving registry editing, which should be done with the utmost care. As of January 2006, the better-known antivirus and antispyware software packages do not detect or remove WinFixer infections automatically. Webroot Spy Sweeper does detect and remove WinFixer; the free trial version of Spy Sweeper will detect WinFixer in memory and in your files and registry. However, a purchase of Webroot's software is necessary for the removal of WinFixer.

McAfee's WinFixer information indicates that WinFixer may be classified as legitimate software; however, McAfee's Vundo information should still aid in your WinFixer removal process. This removal process makes use of Sysinternals' Process Explorer to suspend infected critical system processes. (Vundo is malware intended to automatically install WinFixer on your machine, without your consent.)

Numerous people claim that the free scan always reports a number of threats, in order to persuade you to buy the product. As with many other things, this is unconfirmed, but caution is advised.

Domain Ownership


The company that makes WinFixer, Winsoftware Ltd., claims to be based in Liverpool, England (Stanley Street, postcode: 13088). However, this has been proven false. For starters, 13088 is not a valid UK postcode format; Stanley Street is in the city centre of Liverpool (linking to Mathew Street, home of The Cavern), so it should carry an L1 prefix. Also, the street itself is in a quarter of the city centre dominated by shops, galleries, boutiques, restaurants and pubs, not offices.

The domain WINFIXER.COM in the whois database shows it is owned by a void company in Ukraine, thus making the company exempt from the Digital Millennium Copyright Act. Other things also don't add up; for example, according to Alexa Internet the domain is owned by Innovative Marketing, Inc., 1876 Hutson St, Gonduras.

According to the public key certificate provided by GTE CyberTrust Solutions, Inc. the server secure.errorsafe.com is operated by ErrorSafe Inc. at 1878 Hutson Street, Belize City, BZ.

Miscellaneous and Technical Information


Technical

WinFixer is closely related to Aurora Network's Nail.exe hijacker/spyware program. In worst case scenarios, it may embed itself in Internet Explorer and become part of the program, thus being nearly impossible to remove. The program is also closely related to the Vundo and Virtumonde viruses. (Note: the database entries for the Virtumonde trojan and for WinFixer itself are down as of late February 2006.) However, a great number of members of on-line technical support forums and blogs believe that WinFixer is associated with the Vundo trojan.

Program Name

Although purely speculative, it seems fairly obvious that the name WinFixer is derived from the old Microsoft Windows abbreviation "Win" joined with the word fixer, thus implying Win(dows) Fixer. Because of the name association with the operating system, a hypothetical situation could occur in which a user may possibly think that they are downloading a Windows related program, when, in fact, they are not.

WinFixer also can be found under the name 'WinAntiVirus'; it behaves in the same way as WinFixer.

Identical Programs

Other programs have appeared on the internet under different names but with a similar popup to WinFixer's. The popups give exactly the same warning as WinFixer and, like their sister program, refuse to be ignored. In addition, their websites also share an uncanny resemblance to WinFixer's website.

External links


Please note that the following links will take you to the virus writer's home sites. Please use at your own risk.

  • www.winfixer.com - WinFixer's official website - 66.244.254.64
  • www.winantivirus.com - WinAntiVirus official website - 66.244.254.63
  • www.errorsafe.com - ErrorSafe's official website - 66.244.254.64
Edit: Links deactivated by removing the "http://" particle to avoid getting the virus by an accidental click on them, PLEASE KEEP THOSE LINKS DEACTIVATED.

This article is licensed under the GNU Free Documentation License. It uses material from the "WinFixer".
