WinFixer Virus Manual Removal - Vundo Variant
01-22-06

WinFixer is another of those pesky parasite/virus programs that is almost impossible to get rid of. The Aurora virus tries to get you to install this one ... but there are other methods of infection. According to several sources, it can be acquired just by visiting certain sites (via an Internet Explorer security hole).

General symptoms

Because no legitimate company would ever go to such extremes to make sure that infected computers can not be cleaned until you pay your protection money

As of 04-15-07, winfixer.com now resolves to 127.0.0.1 - which is the "local host" address, the address of the local machine. As a result, that risk is greatly reduced ... however, the many related sites listed below are still active.

As of 11-08-07, winfixer.com is no longer found by DNS (there is no IP address). Also note that many of the associated sites have a new address.

On 12-02-08, the US Federal Trade Commission shut down the companies responsible for WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and others.

Damage to My System | The Antivirus Crowd | Corporation ID | tracert | setupahost.net | Registry Settings
Uninstall | Problem Debug | Related Sites | Lawsuit | Notes | References


Damage to My System

The infected system is running Windows 98 and TeaTimer (supposed to protect the registry ... not this time).

I tried to create a new directory

but it would not let me. These binary files are continuously created. Since they appear to be encrypted, they presumably contain the payload to be sent to the home computer.

This is the executable called via the registry

I was not able to overwrite oppon.dll because it was in use - there were either 4 separate instances running, or a single instance was called from 4 different places, or some combination of these two.

Of course, the primary damage is caused by the popup ads that make using the computer very frustrating. There were also periodic "windows error messages"

I now know that these are completely bogus and are simply used to extort money from you. In addition, the continuous registry access and system monitoring caused the machine to run very slowly. For instance, the mouse cursor was continuously toggling between the pointer and busy icons.

Let me be clear, this virus causes every program on YOUR system to run slower.

In addition, the computer would not keep an internet connection (because its IP address would automatically change) and the system needed to be restarted several times a day. Once, after the system had just been left for a few days, when I tried to shut it down via Windows, there were so many errors (definitely more than 30) that I could NOT shutdown the system. As a result, I had to turn off the power to restart the system.

Of course, unless you search the internet for the correct terms, there is no way to know how to uninstall this crap. (I eventually figured it out)


The Antivirus Crowd

In the course of debugging this problem, I visited several "reputable" antivirus sites.

McAfee lists the discovery date as 09/01/2005 (I identified it as a probable virus 7-26-05). These are direct quotes

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

This is not a virus or a trojan. It is detected as a "potentially unwanted program."

Winfixer has been known to get installed silently through code exploiting Microsoft Internet Explorer vulnerabilities.

Symptoms
  N/A This is not a virus or trojan.
Method Of Infection
  N/A This is not a virus or trojan.

Give me a break. This is a virus (or whatever term you prefer).

This is why I do not trust the antivirus crowd - you buy their product to protect you, then they allow crap like this to destroy your system because it "may have legitimate uses".

This is what Symantec says

WinFixer is a Security Risk that may give exaggerated reports of threats on the computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.
Both McAfee and Symantec indicate that they only remove the ACTUAL application. They specifically mention files in However, my system had NONE of the files or directories that these products indicate should be removed. Perhaps I had a variant that they don't know about ...


Corporation ID


tracert

I use tracert to track the physical locations of web sites (it will not give you a GPS location, but it will tell you in which country a site is hosted).

This trace was made 01-21-06 - it is similar to the SystemDoctor trace made 11-09-06

Fairly close - I'm in Northern Virginia, USA (mclean and ashburn) and bigpipeinc (a Shaw Company) claims to be "Canada's Internet".

This trace was made 01-22-06

That's interesting - the IP address changed.

A few minutes later, it changed back to the old address.


setupahost.net

From their web page

From a *whois* site

From another *whois* site


Registry Settings

This executes the parasite when your system boots

This registers the dll

This infects IE

There are several entries similar to this. Apparently, if the 3 above are commented out, then this has no effect. There is probably also a typeLib entry, but I ignored it.


Uninstall

First, do not download any uninstall tool UNLESS it is from a site that you already know and trust - there are so many bogus web sites for this specific parasite that you will probably do more harm than good.

Second, though I trashed McAfee above, they did provide the exact instructions (on their Vundo page) that I followed to remove the virus. So I figure that they do deserve some credit.

The goal here is to simply kill

To remove this parasite, you will first need two tools by Sysinternals. I highly recommend both of these.

Using RegMon, identify which registry keys are being accessed. This program will allow you to identify and kill new variants.

Execute Process Explorer (procexp.exe), then locate and kill all instances of the virus - there were 4 instances on my system.

At this point, the task bar at the bottom of the screen will no longer be available. You can use Alt-Tab to switch between processes, or make the windows small enough so that you can simply click on the one you want.

Now it is a simple procedure to comment out the registry keys. You could simply use RegEdit and navigate to the appropriate keys ... but I prefer a short cut. In RegMon, double click on one of the keys and RegEdit will automatically navigate to that key. Comment it out and repeat for the other keys.

Turn off (or reset) the machine. Because Explorer was stopped, you won't be able to shut down Windows via software - so you must use either the power or reset button on the case to restart the system.

I know that there is additional trash in the registry - but it does not appear to matter.

Based on my experience with other parasites, the "correct" way to stop the program is probably by running it using some cryptic command line parameter. However, I don't have that information, and the instructions above work.


Problem Debug

I admit, I was not able to remove this parasite without a little help. The primary hint was that this problem was related to Vundo.

The first step with most parasites is to run RegMon. This cycle was repeated about every 3 seconds. (I've added spaces in the trace below to make it easier to read.)

Rundll32:FFFECA37 is very unusual in a RegMon trace.

The key shown as

is actually I shortened it here so the page would not be so wide.

The RunOnce key provided the key to the problem. Double clicking the *OPPON key displayed it in RegEdit.

In general, the file specified in a RunOnce key is executed only when the computer reboots. Then Windows automatically deletes the key. In this case, the virus continuously reads the key and rewrites it if you change it.
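The polling-and-rewriting pattern described above can be spotted automatically in a registry-monitor trace. The following is an added example, not code from the original page: it scans log lines laid out as time, process, operation and path (an assumed column layout, not RegMon's exact format) and reports any process that writes the same Run/RunOnce value more than once. The trace lines are constructed, and the HKLM hive is a placeholder; only the *OPPON value name and the Rundll32:FFFECA37 process come from the page.

```python
"""Detect a process that keeps re-arming a Run/RunOnce autostart value.

Added example, not code from the original page. A legitimate installer writes
a RunOnce value once; a process that rewrites the same value every few seconds
is defending its persistence, which is what the page observed for *OPPON.
Trace lines are constructed; column layout and the HKLM hive are assumptions.
"""
import re
from collections import defaultdict

AUTOSTART_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)\\", re.I)
LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<proc>\S+)\s+(?P<op>\S+)\s+(?P<path>.+?)\s*$")
WRITE_OPS = {"SetValue", "CreateKey"}  # operations that (re)arm an autostart entry

SAMPLE_TRACE = """\
10:00:01.120 Rundll32:FFFECA37 QueryValue HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*OPPON
10:00:01.125 Rundll32:FFFECA37 SetValue   HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*OPPON
10:00:02.300 Explorer:FFFE1234 QueryValue HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemTray
10:00:04.130 Rundll32:FFFECA37 QueryValue HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*OPPON
10:00:04.135 Rundll32:FFFECA37 SetValue   HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*OPPON
10:00:05.000 Setup.exe:00000444 SetValue  HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Cleanup
10:00:07.140 Rundll32:FFFECA37 QueryValue HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*OPPON
10:00:07.145 Rundll32:FFFECA37 SetValue   HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*OPPON
"""

def _seconds(stamp):
    """Convert HH:MM:SS.fff into seconds since midnight."""
    h, m, s = stamp.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def find_rearming(trace, min_writes=2):
    """Return [(process, autostart path, write count, mean seconds between writes)]."""
    writes = defaultdict(list)
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        # Keep only write operations that touch a Run/RunOnce style key.
        if not m or m["op"] not in WRITE_OPS or not AUTOSTART_RE.search(m["path"]):
            continue
        writes[(m["proc"], m["path"])].append(_seconds(m["time"]))
    findings = []
    for (proc, path), times in writes.items():
        if len(times) >= min_writes:
            gaps = [b - a for a, b in zip(times, times[1:])]
            mean_gap = round(sum(gaps) / len(gaps), 2) if gaps else None
            findings.append((proc, path, len(times), mean_gap))
    return findings

if __name__ == "__main__":
    for proc, path, n, gap in find_rearming(SAMPLE_TRACE):
        print(f"{proc} rewrote {path} {n} times, about every {gap}s")
```

With the default threshold the one-time RunOnce write by the installer is ignored and only the process rewriting *OPPON every 3 seconds is reported.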

Having identified the virus, I tried the usual stuff

At this point I started searching with Google. I eventually discovered that

The final trick (provided by McAfee) was to use ProcessExplorer to kill the running processes and then comment out the related registry entries. After that, no more problem.

Normally, I "disable" executables called via the registry by modifying the registry so that the files can not be found - I almost never simply delete the registry keys. For instance, search the registry for the exe (or dll) name and change it to something like

Then windows won't be able to find it, and you'll have a record of the change.

In 2 cases, I modified the keys to hide them (highlight shown for emphasis - not visible in RegEdit)


Related Sites

Based on my Aurora virus research (and the wikipedia), Winfixer is related to the aurora virus - however, nail.exe was not found.


ErrorSafe (www.errorsafe.com, 66.244.254.63) (from McAfee)


This was found via Google

Any site that calls WinFixer "a useful utility" should be avoided.


Reverse DNS provides
220918.ds.nac.net [66.246.72.50]

Which indicates that the site is actually in the North Eastern USA.


http://www.softwareprofit.com - this link is in the Winfixer.com web page


This is what WinFixer wants to install

imagesrvr.com appears to be a simple reseller - so they are probably not directly involved with this parasite.


Notice that the IP address is different than what McAfee indicated, but not by much. Reverse DNS provides
rr-grp1.yyz1.cl1.setupahost.net [66.244.254.64]


Reverse DNS provides
box43.yyz1.setupahost.net [66.244.254.43]

This has the same snailmail address as winfixer.com.


Come ON - 555-123-1234 - definitely a fake

This is another WinSoftware Ltd. site


WinSoftware Ltd. sites

A Google search for "WinSoftware Ltd." yields more than 400 hits. These sites are related to this "company". The gross similarity of these sites, coupled with IP addresses and whois lookups, indicates that this is a very sleazy company.


New IP Addresses - 11-08-07

On 11-08-07, I obtained the following addresses - the others are all the same as above. The last 2 are located in the Netherlands. LeaseWeb is owned by which appears to be legitimate. If you simply try to see the page at you will see that the site is owned by viragehosting.com (from the webmaster email address).


Lawsuit

On September 29, 2006, lawyer Joseph M. Bochner filed a class action lawsuit in Santa Clara County Superior Court on behalf of Beatrice Ochoa and possibly hundreds of thousands of co-plaintiffs. The suit claimed that the defendants participated in fraud, conspiracy, and racketeering by Additional claims include

KTVU (Channel 2 in Oakland, CA) produced this Fraudware Special Report (YouTube) on the lawsuit. They repeatedly refer to WinFixer as a virus.

Not knowing any better, Beatrice Ochoa got tired of the continuous popups and purchased a copy of WinFixer ... which eventually rendered her computer's hard drive unusable. This virus eventually cost Beatrice over $1,000.

In 2007, the lawsuit was dropped because Mr. Bochner lacked the resources and expertise.

Personally, I think that a class action suit was the wrong approach. Federal crimes have been committed and the FBI should be pursuing these criminals ... not a private lawyer. Unfortunately, the FBI told Mr. Bochner that they were not interested in protecting the American people.

Mr. Bochner also claims to have uncovered a probable link between Symantec and WinFixer. Apparently, the same people who wrote WinFixer also wrote a bogus Symantec anti-virus program. It would popup on people's machines and indicate that the Symantec license had expired. Of course, clicking on renew sent you to a bogus site ... and they simply stole lots of money. In 2004, Symantec sued them, and eventually reached a confidential settlement. (WinFixer was discovered in 2005 and Symantec was not able to detect or remove it until .... well at least until 2006. As of Sept 2008, I still don't think that their programs can detect the versions I saw in 2005.) Unfortunately, this means that the connection/truth will never be known.

In fairness to the defendants, it was never proven that they are the people behind WinFixer. But, whoever the people are who distributed the virus should be brought to justice.

Additional references


Notes

This is the source that put me on the right track http://en.wikipedia.org/wiki/WinFixer
WinFixer is closely related to Aurora Network's Nail.exe hijacker/spyware program. In worst case scenarios, it may embed itself in Internet Explorer and may be nearly impossible to remove. The program is also closely related to the Vundo and Virtumonde viruses.
When I checked the McAfee site for info on Vundo, I found the instructions to manually remove the program.

This is the dialog box that the Aurora virus displayed suggesting that WinFixer is just super.

Since WinFixer is provided by a known virus writer, it should be avoided at all costs. (Clicking either button or the x in the upper corner starts the download.)

I apologize for repeating this warning here (in a reduced font size) ... but the search engines don't index information inside html comment tags.

NOTICE: If your computer has errors in the registry database or file system, 
it could cause unpredictable or erratic behavior, freezes and crashes. 
Fixing these errors can increase your computer's performance and prevent data loss.

Would you like to install WinFixer 2005 to check your computer for free? (Recommended)


References


Author: Robert Clemenzi
URL: http://mc-computing.com/Parasites/WinFixer_parasite.html