From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Screenshot of the WinFixer homepage
Type of site
Available inEnglish
OwnerInnovative Marketing, Inc.
RegistrationNot required
Current statusShut down by the United States federal government
Content license
Not protected by copyright laws; see ex turpi causa non oritur actio

WinFixer[a] is a family of scareware rogue security programs developed by Winsoftware which claim to repair computer system problems on Microsoft Windows computers if a user purchases the full version of the software. The software is mainly installed without the user's consent.[1] McAfee claims that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections."[2] The program prompts the user to purchase a paid copy of the program.[3]

The WinFixer web page (see the image) says it "is a useful utility to scan and fix any system, registry and hard drive errors, it ensures system stability and performance, frees wasted hard-drive space and recovers damaged Word, Excel, music and video files". However, these claims were never verified by any reputable source. In fact, most sources consider this program to actually reduce system stability and performance; the sites went defunct in December 2008 after actions taken by the Federal Trade Commission.

Installation methods[edit]

An example of a WinFixer pop-up dialog box within Opera. Even if the Cancel or Close buttons were clicked to dismiss the box, it would redirect to a WinAntiVirus page anyway, featuring a simulated system scan.

The WinFixer application is known to infect users using the Microsoft Windows operating system, and is browser independent. One infection method involves the Emcodec.E trojan, a fake codec scam. Another involves the use of the Vundo family of trojans.[4]

Typical infection[edit]

The infection usually occurs during a visit to a distributing web site using a web browser. A message appears in a dialog box or popup asking the user if he wants to install WinFixer, or claiming a user's machine is infected with malware, and requests the user to run a free scan; when the user chooses any of the options or tries to close this dialog (by clicking 'OK' or 'Cancel' or by clicking the corner 'X'), it will trigger a pop-up window and WinFixer will download and install itself, regardless of the user’s wishes.

Initial message prior to infection - a user wishing to avoid infection might wish to disconnect from the Internet before closing the dialog box.

"Trial" offer[edit]

A free "trial" offer of this program is sometimes found in pop-ups. If the "trial" version is downloaded and installed, it will execute a "scan" of the local machine and a couple of non-existent Trojans and viruses will be "discovered", but no further action will be undertaken by the program. To obtain a quarantine or removal, WinFixer requires the purchase of the program.[5] However, the alleged unwanted bugs are bogus, only serving to persuade the owner to buy the program.

WinFixer application[edit]

Once installed, WinFixer frequently launches pop-ups and prompts the user to follow its directions; because of the intricate way in which the program installs itself into the host computer (including making dozens of registry edits), successful removal may take a fairly long time if done manually. When running, it can be found in the Task manager and stopped, but before long it will self-relaunch and its process will be seen to be running again.

WinFixer is also known to modify the Windows Registry so that it starts up automatically with every reboot, and scans the user's computer.[6]

Firefox popup[edit]

The Mozilla Firefox browser is vulnerable to initial infection by WinFixer. Once installed, WinFixer is known to exploit the SessionSaver extension for the Firefox browser; the program causes popups on every startup asking the user to download WinFixer, by adding lines containing the word 'WinFixer' to the prefs.js file.


The removal process of most rogue malware is often as simple as removing the directory it was originally installed into and then running basic cleanup software on the user's computer.

Unfortunately, simply deleting a directory won't remove WinFixer because it actively undoes whatever the user attempts. Frequently, the procedure that works on one system will not work on another because there are a large number of variants; some sites provide manual techniques to remove infections that the automated tools can not remove.[7]

Domain ownership[edit]

The company that makes WinFixer, Winsoftware Ltd., claims to be based in Liverpool, England (Stanley Street, postcode: 13088.) However, this address has been proven false.[8]

The domain WINFIXER.COM on the whois database shows it is owned by a void company in Ukraine and another in Warsaw, Poland.[9] According to Alexa Internet, the domain is owned by Innovative Marketing, Inc., 1876 Hutson St, Honduras.

According to the public key certificate provided by GTE CyberTrust Solutions, Inc., the server is operated by ErrorSafe Inc. at 1878 Hutson Street, Belize City, BZ.

Running traceroute on Winfixer domains showed that most of the domains are hosted from servers at, which uses Shaw Business Solutions AKA Bigpipe as their backbone.

Technical information[edit]


WinFixer is closely related to Aurora Network's Nail.exe hijacker/spyware program. In worst-case scenarios, it may embed itself in Internet Explorer and become part of the program, thus being nearly impossible to remove; the program is also closely related to the Vundo trojan.[4][10]


Windows Police Pro[edit]

Windows Police Pro is a variant of WinFixer.[11] David Wood wrote in Microsoft TechNet that in March 2009, the Microsoft Malware Protection Center saw ASC Antivirus, the virus' first version. Microsoft did not detect any changes to the virus until the end of July that year when a second variant, Windows Antivirus Pro, appeared. Although multiple new virus versions have since appeared, the virus has been renamed only once, to Windows Police Pro. Microsoft added the virus to its Malicious Software Removal Tool in October 2009.[12]

The virus generates numerous persistent popups and messages displaying false scan reports intended to convince users that their computers are infected with various forms of malware that do not exist; when users attempt to close a popup message, they receive confirmation dialog boxes that switch the "Purchase full version" and "Continue evaluating" buttons.[12] Windows Police Pro generates a counterfeit Windows Security Center that warns users about the fake malware.[13]

Bleeping Computer and the syndicated "Propeller Heads" column recommended using Malwarebytes' Anti-Malware to remove Windows Police Pro permanently.[12][14] Microsoft TechNet and Softpedia recommended using Microsoft's Malicious Software Removal Tool to get rid of the malware.[12][15]

Effects on the public[edit]

Class action lawsuit[edit]

On September 29, 2006, a San Jose woman filed a lawsuit over WinFixer and related "fraudware" in Santa Clara County Superior Court; however, in 2007 the lawsuit was dropped. In the lawsuit, the plaintiffs charged that the WinFixer software "eventually rendered her computer's hard drive unusable; the program infecting her computer also ejected her CD-ROM drive and displayed Virus warnings." [16][17][18]

Ads on Windows Live Messenger[edit]

On February 18, 2007, a blog called "Spyware Sucks" reported that the popular instant messaging application Windows Live Messenger had inadvertently promoted WinFixer by displaying a WinFixer advertisement from one of Messenger's ad hosts.[19] A similar occurrence also was reported on some MSN Groups pages. There were other reports before this one (one from Patchou, the creator of Messenger Plus!), and people had contacted Microsoft about the incidents. Whitney Burk from Microsoft issued this problem in his official statement:

Federal Trade Commission[edit]

On December 2, 2008, the Federal Trade Commission requested and received a temporary restraining order against Innovative Marketing, Inc., ByteHosting Internet Services, LLC, and individuals Daniel Sundin, Sam Jain, Marc D’Souza, Kristy Ross, and James Reno, the creators of WinFixer and its sister products. The complaint alleges that the products' advertising, as well as the products themselves, violate United States consumer protection laws.[20] However, Innovative Marketing has flouted the court order and is currently being fined $8000 per day in civil contempt.[21]

On September 24, 2012, Kristy Ross was fined $163 million by the Federal Trade Commission for her part in this;[22][23] the article goes on to say that the WinFixer family of software was simply a con but does not acknowledge that it was in fact a program that made many computers unusable.


  1. ^ Also known under various other names, including AVSystemCare, DriveCleaner, ECsecure, ErrorProtector, ErrorSafe, FreePCSecure, Home Antivirus 20xx, PCTurboPro, Performance Optimizer, Personal Antivirus, PrivacyProtector, StorageProtector, SysProtect, SystemDoctor, VirusDoctor, WinAntiSpy, WinAntiSpyware, WinAntiVirusPro, Windows Police Pro, WinReanimator, WinSoftware, WinspywareProtect, XPAntivirus and Your PC Protector.


  1. ^ "Winfixer". Retrieved 2014-08-14.
  2. ^ "Computer Virus Attacks, Information, News, Security, Detection and Removal | McAfee". Retrieved 2014-08-14.
  3. ^ "WinFixer". Symantec. Retrieved 2014-08-14.
  4. ^ a b "How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo". Retrieved 2014-08-14.
  5. ^ Vincentas (July 6, 2013). "WinFixer in". Spyware Loop. Retrieved 2013-07-28. Italic or bold markup not allowed in: |newspaper= (help)
  6. ^ [1] Archived November 18, 2007, at the Wayback Machine
  7. ^ "WinFixer Virus Manual Removal - Vundo Variant". 2006.
  8. ^
  9. ^ "DNS tools - Manage Monitor Analyze - DNSstuff".
  10. ^ "Vundo". Archived from the original on September 30, 2007. Retrieved February 26, 2006.
  11. ^ Long, Daniel (2009-10-02). "Fake Antivirus: 5 software titles you should definitely NOT install". PC & Tech Authority. nextmedia. Archived from the original on 2009-10-04. Retrieved 2014-12-02.
  12. ^ a b c d Wood, David (2009-10-13). "Scanti-ly Clad - Another Rogue Stripped by MSRT". Microsoft TechNet. Archived from the original on 2013-01-06. Retrieved 2014-11-13.
  13. ^ Abrams, Lawrence (2009-09-01). "Remove Windows Police Pro (Removal Guide)". Bleeping Computer. Archived from the original on 2009-09-03. Retrieved 2014-11-15.
  14. ^ "Getting rid of malware". Coeur d'Alene Press. Propeller Heads. 2009-10-11. Retrieved 2014-11-11.
  15. ^ Oiaga, Marius (2009-10-15). "Windows Antivirus Pro Tackled by the Microsoft Malicious Software Removal Tool". Softpedia. Archived from the original on 2014-11-11. Retrieved 2014-11-11.
  16. ^ Jeremy Kirk (March 8, 2007). "Lawyer sleuths out mystery around 'Winfixer'". Computerworld. Retrieved 2014-08-14.
  17. ^ "Malware victim tries in vain to punish its source - San Jose Mercury News". Retrieved 2014-08-14.
  18. ^ "Lawsuit Filed Against Winfixer (a/k/a ErrorSafe, WinAntiSpyware, WinAntiVirus, SystemDoctor and DriveCleaner)". The Internet Patrol. Retrieved 2014-08-14.
  19. ^ [2] Archived July 5, 2008, at the Wayback Machine
  20. ^ "Court Halts Bogus Computer Scans". Federal Trade Commission (United States). December 10, 2008. Retrieved 2008-12-11.
  21. ^ "Accused Scareware mongers held in contempt of court". The Register (United Kingdom). December 24, 2008. Retrieved 2008-12-24.
  22. ^ Ionescu, Daniel (October 3, 2012). "Scareware con artist fined $163 million by FTC". Retrieved 2012-10-03.
  23. ^ "Winfixer Opinion" (PDF). US Federal Trade Commission. September 24, 2012. Retrieved 2012-10-03.

External links[edit]