WinFixer

Type of site: Scareware
Available in: English
Owner: Innovative Marketing, Inc.
Commercial: No
Registration: Not required
Current status: Shut down by the United States federal government
Content license: Not protected by copyright laws; see ex turpi causa non oritur actio

[Image: Screenshot of the WinFixer homepage]

WinFixer was a family of scareware rogue security programs developed by Winsoftware which claimed to repair computer system problems on Microsoft Windows computers if a user purchased the full version of the software. The software was mainly installed without the user's consent. McAfee claimed that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." The program prompted the user to purchase a paid copy of the program.

The WinFixer web page (see the image) said it "is a useful utility to scan and fix any system, registry and hard drive errors. It ensures system stability and performance, frees wasted hard-drive space and recovers damaged Word, Excel, music and video files." However, these claims were never verified by any reputable source. In fact, most sources considered this program to actually reduce system stability and performance. The sites went defunct in December 2008 after actions taken by the Federal Trade Commission.

Installation methods

[Image: An example of a WinFixer pop-up dialog box within Opera. Even if the Cancel or Close buttons were clicked to dismiss the box, it would redirect to a WinAntiVirus page anyway, featuring a fake system scan.]

The WinFixer application was known to infect users using the Microsoft Windows operating system, and was browser independent. One infection method involved the Emcodec.E trojan, a fake codec scam. Another involves the use of the Vundo family of trojans.

Typical infection

The infection usually occurred during a visit to a distributing website using a web browser. A message appeared in a dialog box or popup asking the user if they wanted to install WinFixer, or claimed a user's machine was infected with malware, and requested the user to run a free scan. When the user chose any of the options or tried to close this dialog (by clicking 'OK' or 'Cancel' or by clicking the corner 'X'), it would trigger a pop-up window and WinFixer would download and install itself, regardless of the user's wishes.

[Image: Initial message prior to infection - a user wishing to avoid infection might wish to disconnect from the Internet before closing the dialog box.]

"Trial" offer

A free "trial" offer of this program was sometimes found in pop-ups. If the "trial" version was downloaded and installed, it would execute a "scan" of the local machine and a couple of non-existent trojans and viruses would be "discovered", but no further action would be undertaken by the program. To obtain a quarantine or removal, WinFixer required the purchase of the program. However, the alleged unwanted bugs were bogus, only serving to persuade the owner to buy the program.

WinFixer application

Once installed, WinFixer frequently launched pop-ups and prompted the user to follow its directions. Because of the intricate way in which the program installed itself into the host computer (including making dozens of registry edits), successful removal would have taken a fairly long time if done manually. When running, its process could be found in the task manager and be stopped, but would automatically relaunch itself after a period of time.

WinFixer was also known to modify the Windows Registry so that it started up automatically with every reboot, and scanned the user's computer.

Firefox popup

The Mozilla Firefox browser was vulnerable to initial infection by WinFixer. Once installed, WinFixer was known to exploit the SessionSaver extension for the Firefox browser. The program caused popups on every startup asking the user to download WinFixer, by adding lines containing the word 'WinFixer' to the prefs.js file.

Removal

Removal of WinFixer proved difficult because it actively undid whatever the user attempted. Frequently, procedures that worked on one system would not work on another because there were a large number of variants. Some sites provided manual techniques to remove infections that automated cleanup tools could not remove.

Domain ownership

The company that made WinFixer, Winsoftware Ltd., claimed to be based in Liverpool, England (Stanley Street, postcode: 13088). However, this address was proven to be false.

The domain WINFIXER.COM on the whois database showed it was owned by a void company in Ukraine and another in Warsaw, Poland. According to Alexa Internet, the domain was owned by Innovative Marketing, Inc., 1876 Hutson St, Honduras.

According to the public key certificate provided by GTE CyberTrust Solutions, Inc., the server secure.errorsafe.com was operated by ErrorSafe Inc. at 1878 Hutson Street, Belize City, BZ.

Running traceroute on Winfixer domains showed that most of the domains were hosted from servers at setupahost.net, which used Shaw Business Solutions AKA Bigpipe as their backbone.

Technical information

Technical

WinFixer was closely related to Aurora Network's Nail.exe hijacker/spyware program. In worst-case scenarios, it would embed itself in Internet Explorer and become part of the program, thus being nearly impossible to remove. The program was also closely related to the Vundo trojan.

Variants

Windows Police Pro

Windows Police Pro was a variant of WinFixer. David Wood wrote in Microsoft TechNet that in March 2009, the Microsoft Malware Protection Center saw ASC Antivirus, the virus' first version. Microsoft did not detect any changes to the virus until the end of July that year when a second variant, Windows Antivirus Pro, appeared. Although multiple new virus versions have since appeared, the virus has been renamed only once, to Windows Police Pro. Microsoft added the virus to its Malicious Software Removal Tool in October 2009.

The virus generated numerous persistent popups and messages displaying false scan reports intended to convince users that their computers were infected with various forms of malware that do not exist. When users attempted to close the popup message, they received confirmation dialog boxes that switched the "Purchase full version" and "Continue evaluating" buttons. Windows Police Pro generated a counterfeit Windows Security Center that warned users about the fake malware.

Bleeping Computer and the syndicated "Propeller Heads" column recommended using Malwarebytes' Anti-Malware to remove Windows Police Pro permanently. Microsoft TechNet and Softpedia recommended using Microsoft's Malicious Software Removal Tool to get rid of the malware.

Effects on the public

Class action lawsuit

On September 29, 2006, a San Jose woman filed a lawsuit over WinFixer and related "fraudware" in Santa Clara County Superior Court; however, in 2007 the lawsuit was dropped. In the lawsuit, the plaintiffs charged that the WinFixer software "eventually rendered her computer's hard drive unusable. The program infecting her computer also ejected her CD-ROM drive and displayed Virus warnings."

Ads on Windows Live Messenger

On February 18, 2007, a blog called "Spyware Sucks" reported that the popular instant messaging application Windows Live Messenger had inadvertently promoted WinFixer by displaying a WinFixer advertisement from one of Messenger's ad hosts. A similar occurrence was also reported on some MSN Groups pages. There were other reports before this one (one from Patchou, the creator of Messenger Plus!), and people had contacted Microsoft about the incidents. Whitney Burk from Microsoft issued this problem in his official statement:

Microsoft was notified of malware that was being served through ads placed in Windows Live Messenger banners. As a result of this notification we immediately investigated the reports and removed the offending ads, as this is a violation of our ad serving policy. We can confirm that the ads are no longer being served by any Microsoft system. We apologize for the inconvenience and are reviewing our ad approval process to reduce the chance of an occurrence such as this happening again. To help customers protect their PCs from malware threats, Microsoft recommends customers follow our Protect your PC guidance at www.microsoft.com/protect.

— Whitney Burk, Microsoft

Federal Trade Commission

On December 2, 2008, the Federal Trade Commission requested and received a temporary restraining order against Innovative Marketing, Inc., ByteHosting Internet Services, LLC, and individuals Daniel Sundin, Sam Jain, Marc D’Souza, Kristy Ross, and James Reno, the creators of WinFixer and its sister products. The complaint alleged that the products' advertising, as well as the products themselves, violated United States consumer protection laws. However, Innovative Marketing flouted the court order and was fined $8,000 per day in civil contempt.

On September 24, 2012, Kristy Ross was fined $163 million by the Federal Trade Commission for her part in this. The article goes on to say that the WinFixer family of software was simply a con but does not acknowledge that it was in fact a program that made many computers unusable.

Notes

Also known under various other names, including AVSystemCare, DriveCleaner, ECsecure, ErrorProtector, ErrorSafe, FreePCSecure, Home Antivirus 20xx, PCTurboPro, Performance Optimizer, Personal Antivirus, PrivacyProtector, StorageProtector, SysProtect, SystemDoctor, VirusDoctor, WinAntiSpy, WinAntiSpyware, WinAntiVirusPro, Windows Police Pro, WinReanimator, WinSoftware, WinspywareProtect, XPAntivirus and Your PC Protector.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.