WinFixer Virus Manual Removal

WinFixer Virus Manual Removal - Vundo Variant
01-22-06

WinFixer is another of those pesky parasite/virus programs that is almost impossible to get rid of. The Aurora virus tries to get you to install this one ... but there are other methods of infection. According to several sources, it can be acquired just by visiting certain sites (via an Internet Explorer security hole).

General symptoms

It continuously reads the registry
It does not allow you to remove it from the registry
It informs you that your system may be infected and that you can have it fixed if you pay money (ie, extortion)
It monitors what you are doing and prohibits certain actions
Most of the code is encrypted so it can't be read

Because no legitimate company would ever go to such extremes to make sure that infected computers can not be cleaned until you pay your protection money

I call this a virus
I call WinFixer a type of terrorism
I request that the US federal government get involved to protect us

As of 04-15-07, winfixer.com now resolves to 127.0.0.1 - which is the "local host" address, the address of the local machine. As a result, that risk is greatly reduced ... however, the many related sites listed below are still active.

As of 11-08-07, winfixer.com is no longer found by DNS (there is no IP address). Also note that many of the associated sites have a new address.

On 12-02-08, the US Federal Trade Commission shut down the companies responsible for WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and others.

Damage to My System

The infected system is running Windows 98 and TeaTimer (supposed to protect the registry ... not this time).

I tried to create a new directory

  C:\WINDOWS\SYSTEM\oppon virus

but it would not let me. These binary files are continuously created

  C:\WINDOWS\SYSTEM\NOPPO.ini   399 KB
  C:\WINDOWS\SYSTEM\NOPPO.bak1  399 KB

Since they appear to be encrypted, they presumably contain the payload to be sent to the home computer.

This is the executable called via the registry

  C:\WINDOWS\SYSTEM\oppon.dll   533 KB  11-10-05 - probable infection date

I was not able to overwrite oppon.dll because it was in use - there were either 4 separate instances running, or a single instance was call from 4 different places, or some combination of these two.

Of course, the primary damage is caused by the popup adds that make using the computer very frustrating. There were also periodic "windows error messages"

rgnkislv performed an illegal operation
lbgfmxum performed an illegal operation

I now know that these are completely bogus and are simply used to extort money from you. In addition, the continuous registry access and system monitoring caused the machine to run very slowly. For instance, the mouse cursor was continuously toggling between the pointer and busy icons.

Let me be clear, this virus causes every program on YOUR system to run slower.

In addition, the computer would not keep an internet connection (because its IP address would automatically change) and the system needed to be restarted several times a day. Once, after the system had just been left for a few days, when I tried to shut it down via Windows, there were so many errors (definitely more than 30) that I could NOT shutdown the system. As a result, I had to turn off the power to restart the system.

Of course, unless you search the internet for the correct terms, there is no way to know how to uninstall this crap. (I eventually figured it out)

The Antivirus Crowd

In the course of debugging this problem, I visited several "reputable" antivirus sites.

McAfee lists the discovery date as 09/01/2005 (I identified it as a probable virus 7-26-05). These are direct quotes

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
This is not a virus or a trojan. It is detected as a "potentially unwanted program."
Winfixer has been known to get installed silently through code exploiting Microsoft Internet Explorer vulnerabilities.
Symptoms  
  N/A This is not a virus or trojan.
Method Of Infection  
  N/A This is not a virus or trojan.  

Give me a break

It installs silently - without your permission
It slows down your machine
It produces false error messages

This is a virus (or whatever term you prefer).

This is why I do not trust the antivirus crowd - you buy their product to protect you, then they allow crap like this to destroy your system because it "may have legitimate uses".

This is what Symantec says

WinFixer is a Security Risk that may give exaggerated reports of threats on the computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.

Both McAfee and Symantec indicate that they only remove the ACTUAL application. They specifically mention files in

C:\Program Files\WinFixer 2005\

However, my system had NONE of the files or directories that these products indicate should be removed. Perhaps I had a variant that they don't know about ...

Corporation ID

Registrant:
 WinFixer
 P.O. Box 3
 Kiev, NA 04114
 UA

Domain name: WINFIXER.COM

Administrative Contact:
 Hostmaster, WinFixer  hostmaster@winfixer.com
 P.O. Box 3
 Kiev, NA 04114
 UA
 +(380) 97 939 09 44

Note: UA - Ukraine

tracert

I use tracert to track the physical locations of web sites (it will not give you a gps location, but it will tell you in which country a site is hosted).

This trace was made 01-21-06 - it is similar to the SystemDoctor trace made 11-09-06

tracert winfixer.com

Tracing route to winfixer.com [66.244.254.63]
   ...  The first few hops are omitted - they add no useful information
 13    12 ms    16 ms    11 ms  te-6-1-cr01.mclean.va.ibone.comcast.net [68.86.88.1]
 14    12 ms    13 ms    16 ms  te-1-1-pr01.ashburn.va.ibone.comcast.net [68.86.84.98]
 15    12 ms    12 ms    11 ms  rx0as.vx.shawcable.net [68.86.88.126]
 16    18 ms    18 ms    18 ms  rc2hu-pos7-0.ny.shawcable.net [66.163.77.49]
 17    17 ms    18 ms    18 ms  rc1hu-ge4-0-0.ny.shawcable.net [66.163.74.5]
 18    29 ms    29 ms    29 ms  rc1sh-pos14-3.mt.shawcable.net [66.163.76.157]
 19    28 ms    31 ms    29 ms  ra1sh-ge3-3.mt.shawcable.net [66.163.66.33]
 20    34 ms    33 ms    32 ms  rx0sh-set-up-a-host.mt.bigpipeinc.com [66.244.223.98]
 21    33 ms    32 ms    33 ms  winfixer.com [66.244.254.63]

Trace complete.

Fairly close - I'm in Northern Virginia, USA (mclean and ashburn) and bigpipeinc (a Shaw Company) claims to be "Canada's Internet".

This trace was made 01-22-06

Tracing route to winfixer.com [66.244.254.64]

  ....

 19    29 ms    28 ms    29 ms  ra1sh-ge3-1.mt.shawcable.net [66.163.66.10]
 20    34 ms    33 ms    33 ms  rx0sh-set-up-a-host.mt.bigpipeinc.com [66.244.223.98]
 21    33 ms    32 ms    33 ms  rr-grp1.yyz1.cl1.setupahost.net [66.244.254.64]

That's interesting - the IP address changed.

A few minutes later, it changed back to the old address.

setupahost.net

From their web page

Setup A Host, Inc
P.O Box 2122
Peterborough, Ontario K9J 7Y4
Canada

+1 (905) 248-3003

From a *whois* site

OrgName:    SetupAHost 
OrgID:      SETUP 
Address:    157 Adelaide Street West
Address:    Suite 352
City:       Toronto
StateProv:  ON
PostalCode: M5H-4E7
Country:    CA

RNOCEmail:  ipadmin@setupahost.net

From another *whois* site

SetupAHost 
2135A des Laurentides Blvd. 
Suite 170 
Laval, QC H7M 4M2 
CA 
+1.905-481-0332

Registry Settings

This executes the parasite when your system boots

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
 *OPPON = rundll32.exe C:\WINDOWS\SYSTEM\OPPON.DLL,CreateProtectProc rerun

This registers the dll

[HKEY_CLASSES_ROOT\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}]
 @     = "MSEvents Object"
 AppID = ""

[HKEY_CLASSES_ROOT\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}\ProgID]
 @ = "MSEvents.MSEvents.1"

[HKEY_CLASSES_ROOT\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}\VersionIndependentProgID]
 @ = "MSEvents.MSEvents"

[HKEY_CLASSES_ROOT\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}\Programmable]

[HKEY_CLASSES_ROOT\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}\InprocServer32]
 @              = "C:\\WINDOWS\\SYSTEM\\OPPON.DLL"
 ThreadingModel = "apartment"

[HKEY_CLASSES_ROOT\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}\TypeLib]
 @ = "{BAD59A24-6891-417D-A041-C8FD495B77F1}"

This infects IE

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\
 Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}]

There are several entries similar to this. Apparently, if the 3 above are commented out, then this has no effect.

[HKEY_LOCAL_MACHINE\Software\CLASSES\MSEvents.MSEvents]
@="MSEvents Object"

[HKEY_LOCAL_MACHINE\Software\CLASSES\MSEvents.MSEvents\CLSID]
@="{B313D637-F405-4052-AC37-E2119AB3C8F8}"

[HKEY_LOCAL_MACHINE\Software\CLASSES\MSEvents.MSEvents\CurVer]
@="MSEvents.MSEvents.1"

There is probably also a typeLib entry, but I ignored it.

Uninstall

First, do not download any uninstall tool UNLESS it is from a site that you already know and trust - there are so many bogus web sites for this specific parasite that you will probably do more harm than good.

Second, though I trashed McAfee above, they did provide the exact instructions (on their Vundo page) that I followed to remove the virus. So I figure that they do deserve some credit.

The goal here is to simply kill

C:\WINDOWS\SYSTEM\oppon.dll

To remove this parasite, you will first need two tools by sysinternals

RegMon - allows you to see which registry keys are being accessed
ProcessExplorer - allows you to stop any program, including rogue dll's

I highly recommend both of these.

Using RegMon, identify which registry keys are being accessed. This program will allow you to identify and kill new variants.

Execute Process Explorer (procexp.exe), then locate and kill all instances of the virus - there were 4 instances on my system

Explorer
IExplorer - Internet Explorer infected via the Browser Helper Object
2 instances related to rundll
If you just kill the second instance, it restarts itself. Killing the first instance, and selecting "Kill Process Tree" works.

At this point, the task bar at the bottom of the screen will no longer be available. You can use Alt-Tab to switch between processes, or make the windows small enough so that you can simply click on the one you want.

Now it is a simple procedure to comment out the registry keys. You could simply use RegEdit and navigate to the appropriate keys ... but I prefer a short cut. In RegMon, double click on one of the keys and RegEdit will automatically navigate to that key. Comment it out and repeat for the other keys.

Turn off (or reset) the machine. Because Explorer was stopped, you won't be able to shut down Windows via software - so you must use either the power or reset button on the case to restart the system.

I know that there is additional trash in the registry - but it does not appear to matter.

Based on my experience with other parasites, the "correct" way to stop the program is probably by running it using some cryptic command line parameter. However, I don't have that information, and the instructions above work.

Problem Debug

I admit, I was not able to remove this parasite without a little help. The primary hint was that this problem was related to Vundo.

The first step with most parasites is to run RegMon. This cycle was repeated about every 3 seconds. (I've added spaces in the trace below to make it easier to read.)

43  3.73025036  Rundll32:FFFECA37  OpenKey       HKLM\Software\Microsoft\Windows\CurrentVersion                  SUCCESS	hKey: 0xC188F7B0
44  3.73029375  Rundll32:FFFECA37  QueryValueEx  HKLM\Software\Microsoft\Windows\CurrentVersion\SubVersionNumber SUCCESS	20 0 	
45  3.73031759  Rundll32:FFFECA37  CloseKey      HKLM\Software\Microsoft\Windows\CurrentVersion                  SUCCESS		

46  3.73088241  Rundll32:FFFECA37  OpenKey       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce          SUCCESS	hKey: 0xC1896600
47  3.73094153  Rundll32:FFFECA37  QueryValueEx  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*OPPON   SUCCESS	72 75 6E 64 6C 6C 33 32 ...
48  3.73097134  Rundll32:FFFECA37  FlushKey      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce          SUCCESS		
49  3.73099685  Rundll32:FFFECA37  CloseKey      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce          SUCCESS		

50  3.73112655  Rundll32:FFFECA37  OpenKey       HKLM\SOFTWARE\...\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}  SUCCESS  hKey: 0xC1896600
51  3.73115849  Rundll32:FFFECA37  FlushKey      HKLM\SOFTWARE\...\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}  SUCCESS
52  3.73118734  Rundll32:FFFECA37  CloseKey      HKLM\SOFTWARE\...\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}  SUCCESS

53  3.73230720  Rundll32:FFFECA37  OpenKey       HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}\InprocServer32 SUCCESS	hKey: 0xC1896600	
54  3.73237038  Rundll32:FFFECA37  QueryValueEx  HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}\InprocServer32 SUCCESS	43 3A 5C 57 49 4E 44 4F ...
55  3.73240161  Rundll32:FFFECA37  FlushKey      HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}\InprocServer32 SUCCESS		
56  3.73242640  Rundll32:FFFECA37  CloseKey      HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}\InprocServer32 SUCCESS		

57  3.73249292  Rundll32:FFFECA37  OpenKey       HKLM\Software\Microsoft\Windows\CurrentVersion                   SUCCESS	hKey: 0xC188F7B0
58  3.73253036  Rundll32:FFFECA37  QueryValueEx  HKLM\Software\Microsoft\Windows\CurrentVersion\SubVersionNumber  SUCCESS	20 0 	
59  3.73255205  Rundll32:FFFECA37  CloseKey      HKLM\Software\Microsoft\Windows\CurrentVersion                   SUCCESS

Rundll32:FFFECA37 is very unusual in a RegMon trace.

The key shown as

HKLM\SOFTWARE\...\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}

is actually

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
      Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}

I shortened it here so the page would not be so wide.

The RunOnce key provided the key to the problem. Double clicking the *OPPON key displayed it in RegEdit.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
 *OPPON = rundll32.exe C:\WINDOWS\SYSTEM\OPPON.DLL,CreateProtectProc rerun

In general, the file specified in a RunOnce key is executed only when the computer reboots. Then Windows automatically deletes the key. In this case, the virus continuously reads the key and rewrites it if you change it.

Having identified the virus, I tried the usual stuff

Delete the file - failed because the program was running
Over write the file - failed for the same reason
Comment out the registry keys - new keys were automatically generated

At this point I started searching with Google. I eventually discovered that

This is a wide spread problem
There were no instructions on the web to remove this
WinFixer is an extortion virus and you have to pay to disable it
Several companies have free scanners that will detect this - but expect to pay to get rid of it
The problem may be related to Vundo

The final trick (provided by McAfee) was to use ProcessExplorer to kill the running processes and then comment out the related registry entries. After that, no more problem.

Normally, I "disable" executables called via the registry by modifying the registry so that the files can not be found - I almost never simply delete the registry keys. For instance, search the registry for the exe (or dll) name and change it to something like

   *OPPON = rundll32.exe C:\WINDOWS\SYSTEM\OPPON.DLL,CreateProtectProc rerun
-> *OPPON = xx 01-2006 rundll32.exe C:\WINDOWS\SYSTEM\OPPON.DLL,CreateProtectProc rerun

Then windows won't be able to find it, and you'll have a record of the change.

In 2 cases, I modified the keys to hide them (highlight shown for emphasis - not visible in RegEdit)

   Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8} 
-> Browser Helper Objects\{B31xx3D637-F405-4052-AC37-E2119AB3C8F8}

   HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8} 
-> HKCR\CLSID\{B31xx3D637-F405-4052-AC37-E2119AB3C8F8}

Related Sites

Based on my Aurora virus research (and the wikipedia), Winfixer is related to the aurora virus - however, nail.exe was not found.

ErrorSafe (www.errorsafe.com, 66.244.254.63) (from McAfee)

Notice that both Winfixer and errorsafe have the same IP address. Comparison of the Winfixer.com and errorsafe.com pages indicates better than 90% identical. In my opinion, these are both written by and hosted by the same person.

This was found via Google

WinFixer 2005 free download. WinFixer 2005 is a useful utility to ...
http://www.freedownloadscenter.com/Utilities/System_Maintenance_and_Repair_Utilities/WinFixer_2005.html

Any site that calls WinFixer "a useful utility" should be avoided.

Domain Name: FREEDOWNLOADSCENTER.COM  [66.246.72.50]
Registrant:
 Victor Sazhin
 Minskaya st, house 3
 Moscow, Moscow 121108
 RU
 (095)724-3536

Reverse DNS provides
220918.ds.nac.net [66.246.72.50]

Which indicates that the site is actually in the North Eastern USA.

http://www.softwareprofit.com - this link is in the Winfixer.com web page

WinFixer 2005 / WinAntiSpyware 2005

WinAntiVirus PRO 2006

This is what WinFixer wants to install

locator1.cdn.imagesrvr.com/sites/winfixer.com/www/download/2006/WinFixer2006FreeInstall.cab

imagesrvr.com appears to be a simple reseller - so they are probably not directly involved with this parasite.

Domain name: ERRORSAFE.COM [66.244.254.64]
Registrant:
 ErrorSafe, Inc.
 Rua Luiz de Conto, 133
 Toledo, Parana CEP 85914-045
 BR


Administrative Contact:
 Parizotto, Jardim  info@errorsafe.com
 Rua Luiz de Conto, 133
 Toledo, Parana CEP 85914-045
 BR
 +1.7865130244    Fax: +1.7865130244

Notice that the IP address is different than what McAfee indicated, but not by much. Reverse DNS provides
rr-grp1.yyz1.cl1.setupahost.net [66.244.254.64]

Domain name: SOFTWAREPROFIT.COM [66.244.254.43]
Registrant:
 SoftwareProfit
 P.O. Box 3
 Kiev, NA 
 UA

Administrative Contact:
 Hostmaster, SoftwareProfit  hostmaster@softwareprofit.com
 P.O. Box 3
 Kiev, NA 
 UA
 +(380) 97 939 09 44    Fax: +(380) 97 939 09 44

Reverse DNS provides
box43.yyz1.setupahost.net [66.244.254.43]

This has the same snailmail address as winfixer.com.

Domain name: WINANTISPAM.COM [66.244.254.46]
Registrant:
 Innovative Marketing, Inc.
 1876 Hutson Street
 Belize City, NA 
 BZ

Administrative Contact:
 Hostmaster, Innovative  hostmaster@innovativemarketing.com
 1876 Hutson Street
 Belize City, NA 
 BZ
 555-123-1234    Fax: 555-123-1234

Come ON - 555-123-1234 - definitely a fake

This is another WinSoftware Ltd. site

WinSoftware Ltd. sites

A google search for "WinSoftware Ltd." yields more than 400 hits. These sites are related to this "company". The gross similarity of these sites, coupled with IP addresses and whois lookups indicates that this is a very sleazy company.

billingnow.com          [66.244.254.63]
innovativemarketing.com [66.244.254.177]  Fax: (123) 456-7890
softwareprofit.com      [66.244.254.43]
winadblocker.com        [66.244.254.46]
winantispam.com         [66.244.254.46]
winantispy.com          [66.244.254.46]
winantivirus.com        [66.244.254.63]
winantiviruspro.com     [66.244.254.63]
wincontentfilter.com    [66.244.254.46]
windrivecleaner.com     [66.244.254.46]
winfirewall.com         [66.244.254.46]
winfixer.com            [66.244.254.64]  127.0.0.1 as of 04-15-07
winnanny.com            [66.244.254.46]
winpopupguard.com       [66.244.254.46]
winprivacyguard.com     [66.244.254.46]
winpluspak.com          [66.244.254.63]
errorsafe.com           [66.244.254.64]   
systemdoctor.com        [66.244.254.63, 66.244.254.64]

New IP Addresses - 11-08-07

On 11-08-07, I obtained the following addresses - the others are all the same as above.

softwareprofit.com      [66.244.254.180]
winfixer.com            [           ]     no longer found
errorsafe.com           [85.17.4.103]
systemdoctor.com        [85.17.4.103]

The last 2 are located in the Netherlands.

http://www.dnsstuff.com/tools/whois.ch?ip=85.17.4.103

LeaseWeb
P.O. Box 93054
1090BB AMSTERDAM
Netherlands
www.leaseweb.com

LeaseWeb is owned by

www.ocom.com [85.17.8.34]

which appears to be legitimate.

C:\>tracert 85.17.4.103

Tracing route to 85.17.4.103 over a maximum of 30 hops

 The first 7 are not important

  8    28 ms   210 ms   211 ms  TenGigabitEthernet8-4.ar3.DCA3.gblx.net [64.210.21.57]
  9   100 ms   100 ms   101 ms  64.213.76.150
 10   103 ms   105 ms   105 ms  62.212.95.142
 11   100 ms   101 ms   100 ms  85.17.4.103

Trace complete.

If you simply try to see the page at

http://85.17.4.103/asd

you will see that the site is owned by viragehosting.com (from the webmaster email address).

Lawsuit

On September 29, 2006, lawyer, Joseph M. Bochner, filed a class action lawsuit in Santa Clara County Superior Court on behave of Beatrice Ochoa and possibly hundreds of thousands of co-plaintiffs. The suit claimed that the defendants participated in fraud, conspiracy, and racketeering by

Distributing WinFixer, ErrorSafe, WinAntiVirus, and WinAntiSpyware (collectively called "fraudware")
Providing false information when registering domain names (making it very hard to know who is providing the software)

Additional claims include

That the software misrepresented the existence of malware on the user's machine (more fraud).
That the software interfered with the use of, access to, and control of the victim's computers.

KTVU (Channel 2 in Oakland, CA) produced this Fraudware Special Report (YouTube) on the lawsuit. They repeatedly refer to WinFixer as a virus.

Not knowing any better, Beatrice Ochoa got tied of the continuous popups and purchased a copy of WinFixer ... which eventually rendered her computer's hard drive unusable. This virus eventually cost Beatrice over $1,000.

In 2007, the lawsuit was dropped because Mr. Bochner lacked the resources and expertise.

Personally, I think that a class action suit was the wrong approach. Federal crimes have been committed and the FBI should be pursueing these criminals ... not a private lawyer. Unfortunately, the FBI told Mr. Bochner that they were not interested in protecting the American people.

Mr. Bochner also claims to have uncovered a probable link between Symantec and WinFixer. Apparently, the same people who wrote WinFixer also wrote a bogus Symantec anti-virus program. It would popup on people's machines and indicate that the Symantec license had expired. Of course, clicking on renew sent you to a bogus site ... and they simple stole lots of money. In 2004, Symantec sued them, and eventually reached a confidential settlement. (WinFixer was discovered in 2005 and Symantec was not able to detect or remove it until .... well at least until 2006. As of Sept 2008, I still don't think that their programs can detect the versions I saw in 2005.) Unfortunately, this means that the connection/truth will never be known.

In fairness to the defendants, it was never proven that they are the people behind WinFixer. But, whoever the people are who distributed the virus should be brought to justice.

Additional references

Lawyer Joseph M. Bochner's personal blog

Lawyer sleuths out mystery around 'WinFixer'

Lawsuit Filed Against WinFixer

Notes

This is the source that put me on the right track http://en.wikipedia.org/wiki/WinFixer

WinFixer is closely related to Aurora Network's Nail.exe hijacker/spyware program. In worst case scenarios, it may embed itself in Internet Explorer and may be nearly impossible to remove. The program is also closely related to the Vundo and Virtumonde viruses.

When I checked the McAfee site for info on Vundo, I found the instructions to manually remove the program.

This is the dialog box that the Aurora virus displayed suggesting that WinFixer is just super.

Since WinFixer is provided by a known virus writer, it should be avoided at all costs. (Clicking either button or the x in the upper corner starts the download.)

I apologize for repeating this warning here (in a reduced font size) ... but the search engines don't index information inside html comment tags.

NOTICE: If your computer has errors in the registry database or file system, 
it could cause unpredictable or erratic behavior, freezes and crashes. 
Fixing these errors can increase your computer's performance and prevent data loss.

Would you like to install WinFixer 2005 to check your computer for free? (Recommended)

References

http://en.wikipedia.org/wiki/WinFixer - This is the source that related WinFixer to Vundo
Unfortunately, wikipedia has a serious problem with information rot and most of the useful information is disappearing.
McAfee details on removing Vundo
sysinternals provides ProcessExplorer and RegMon - the tools that were used to remove this parasite.
Spyware Alert: WinFixer Almost Tricked Us - pcmag, Jan 14, 2006 - This refers to WinFixer as spyware.
Winfixer/ Vundo / Virutmonde Victims implies that this parasite can be installed via a Sun Java (v. J2SE 1.4.2_03) security hole. It explicitly states that simply updating Java WILL NOT fix the problem because the update procedure does not remove the old version.
The CastleCops forum provides evidence that the company associated with WinFixer is just a front.
Well, a lawyer, Joseph M. Bochner, has decided to go after these guys. See Lawyer sleuths out mystery around 'Winfixer' for more details and watch Fraudware Special Report on youtube.com
On December 2, 2008, the US Federal Trade Commission requested and received a temporary restraining order to halt the massive �scareware� scheme associated with WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. The article gives details on the scams

Author: Robert Clemenzi