This is a controversial topic that may be under dispute. Please discuss substantial changes here before making them, making sure to supply full citations when adding information, and consider tagging or removing uncited/unciteable information.

WikiProject Computing	(Rated C-Class, Low-importance)	ComputingWikipedia:WikiProject ComputingTemplate:WikiProject ComputingComputing articles
Information technology portal v • d • e This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of Computing on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.  C  This article has been rated as C-Class on the project's quality scale.  Low  This article has been rated as Low-importance on the project's importance scale.

WikiProject Computer Security / Computing	(Rated C-Class, Low-importance)	Computer SecurityWikipedia:WikiProject Computer SecurityTemplate:WikiProject Computer SecurityComputer Security articles
Computer security portal v • d • e This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of Computer Security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.  C  This article has been rated as C-Class on the quality scale.  Low  This article has been rated as Low-importance on the importance scale. This article is supported by WikiProject Computing (marked as Low-importance).

Contents 1 Like an ad for Firefox 2 What Type of sites can give you WinFixer 3 Spybot and Ad-Aware 4 Grammar Fix 5 SysProtect 6 Error Safe 7 Notes about the initial pop-up message 8 Removing winfixer 9 Finding/Punishing the people behind winfixer 10 Reboot System 11 Mozilla? 12 Headline text 13 Opera Problems? 14 Just leave it? 15 Page quality 16 Spambox 17 What if you click cancel? 18 Winfixer 19 WinAntiVirus 20 Unavailable? 21 19 October cleanup 22 Neutrality? 23 DriveCleaner 24 Thought that I got it, but... 25 Winfix 26 Winantivirus very bad, very hard to remove 27 Loathesome 28 A fix? 29 Fix? update 30 Blocked Download 31 Taskmanager - only in Win2000 ? :D 32 Reguarding Winfixer 33 Regarding Firefox near-immunity 34 My solution 35 Article biased towards FireFox? 36 Domain Ownership 37 Article is massively unsourced and stuff 38 Problem Solved? 39 PCTurboPro? 40 Stop-sign 41 AssayFixer 42 How can you tell if you're infected? 43 Removal of "citation needed" tag 44 Why not sue the hell out of Drivecleaner, WinFixer, etc 45 Mac OS X 46 Realtor.com DriveCleaner popups 47 Law suits 48 Please Reconsider a Deleted Link 49 References ??? 50 WinAntiSpyware 51 Sephiroth storm edit war 52 My thoughts 53 WP is not a how to 54 watch net protection

[edit] Like an ad for Firefox

Parts of this article read almost like an advertisement for Firefox. If you want to claim that IE is more vulnerable and FF less, by all means do so, but cite sources. CNash (talk) 16:15, 3 September 2008 (UTC)

[edit] What Type of sites can give you WinFixer

I think if there is any consistency between the type of sites, someone should add it

There is no consistency, since these days this piece of crap is surreptitiously embedded into legitimate banner ads by a rogue advertiser, which is then rotated onto safe sites, triggering the download. There was a time late last year in 2006 where many bulletin boards and safe popular sites (like Livejournal) got hit by this - so now you can't be sure which sites are safe and which site isn't. Mind you, this is a mighty good case for blocking all ads on every site with an adblocker with extreme prejudice.

[edit] Spybot and Ad-Aware

I've added links to the Wikis for these two in the 'Removing WinFixer' section. I have and use both, and can affirm that they do remove WinFixer et al. effectively. Therefore, I think it is useful for them to be mentioned in this article, to help out those infected with this malware.

• That's not true. WinFixer corporation releases new versions all the time. The vundo creates random dlls that adaware or spybot cannot always pick up. they may remove the host file, but there are 6 more waiting to reinstall it. I removed that section for it cannot be applied to this Trojan. - travis —The preceding unsigned comment was added by 131.230.52.199 (talk • contribs).

• I had a version today that wasnt detected by spybot today. Spycatcher did the job though

[edit] Grammar Fix

The section "Pop up Window screenshots" had pretty bad grammar, so I tidied it up. It's not a whole lot different, but in case you mods want to see how I did, it's there. ~ Deku-Scrub

[edit] SysProtect

I got a popup that was just like WinFixer's except it was renamed to SysProtect.

[edit] Error Safe

"I got a popup that was just like WinFixer's except it was renamed to SysProtect." Same thing, only under the guize of "Error Safe".

[edit] Notes about the initial pop-up message

Editor's Personal Note: Winfixer is very dangerous to an unprotected computer, such as mine was, and is the most in-your-face spyware program I have encountered. [advice deleted] --66.30.107.71 00:37, 14 November 2005 (UTC)

The above message included some misleading adice, which has been deleted. In Winfixer pop-ups, Winfixer spyware is downloaded if you click on "Yes", "No", or even on the X button at the top. The pop-ups are not on Windows task manager, so using the three finger salute (ie. Ctrl+Alt+Del in Windows) does not work. To end the pop up safely, first disconect from the internet, then close the pop up, and close the window that follows

Ctrl+Alt+Del works if you shut down the process of your browser. Valentine de Villefort —Preceding unsigned comment added by 81.92.188.214 (talk) 20:46, 10 December 2007 (UTC)

---

Note from another user: I saw the pop-up ad for winfixer and since I never trust pop-up ads, I just closed the application by pressing the orange "X" button in the top left. However, this just caused the application to be downloaded anyway. The only way to prevent the application from being downloaded is to disable the internet application, then click the "X" button. Using Ctrl-alt-delete does not work to make the application go away, becuase the winfixer pop-up ad will not show up on the task manager.

---

Note from an unsatisfied customer: I feel pretty stupid for saying this, but I would have been taken in if not for this page which I found halfway through installation. The thing that convinced me was that my popup window DIDN'T have any of the usual tricks, like the "no" or "close" buttons also being a link. It looked authentic.

Yeah it's not actually a pop-up is it? Unless I am mistaken, it is a Dialog Box. Quite suprising that internet explorer allows a website to open this kind of thing. Does anyone know more about the nature of the initial message? -- Nojer2 11:53, 8 February 2006 (UTC)

[edit] Removing winfixer

There is a website, http://www.spyware-removal-guideline.com/winfixer-removal, that suggests a solution for removing WinFixer. I have not tried it out yet, mostly because my better judgement tells me that this site may itself be a spyware advocate. If anyone has any information on the aforementioned website, please share. Otherwise, I may have to try it out myself and, perhaps, suffer the consequences.

I'd recommend sticking with a verifiable source; both Symantec and McAfee offer 'tutorials' on how to nuke this sucker - they're time consuming procedures, but there's legitimacy. (I wonder why they cannot figure out how to get rid of it using their flagship products? Maybe that's coming.) -BB, 21Dec2005

Here is a website with good traffic rank and is also a Rogue Remover certified site which claims to remove winfixer for free with its tool with no ads, no popups, no email regustation etc. http://spywaresignatures.com/forums/viewtopic.php?name=&t=186

[edit] Finding/Punishing the people behind winfixer

All of this talk about how to remove WinFixer would be moot if the people behind this misuse of private property could be found and stopped. Surely they can be traced -- why can't they be punished for their antisocial activities? Johna 16:10, 7 January 2006 (UTC)

That wouldn't work. The internet is international, obviously and WinFixer are hosted in various places around the world and thus would need every country to ban it, which most can't be arsed to do. Also, people argue it takes away freedom of speech (the same people that think child porn is a form of expresssion). 62.31.114.26 10:17, 22 June 2006 (UTC)

What about the people who went as far as to pay the $39.95 for their ErrorSafe product? (From their credit cards.) I'm guessing that's legal? User:NealIRC 14 August 2006 18:39 (UTC)

[edit] Reboot System

A much simpler way to get rid of this adware is to simply reboot your system in system recovery mode, it has worked for numerous people including myself.(Brodey)

[edit] Mozilla?

Luckily I have Mozilla as the default download browser. Every time I fail to kill the pop-up, Mozilla stops it, as permission is required for downloads. I deny permission. Seems to work...

• I just dowloaded Mozilla after reading the above quote and am delighted! I suggest keeping both IE and Mozilla, and using one's already-infected IE if you're visiting what might be questionable sites. BTW, I posted all the stuff I found on the Ukraine/Canadian angle, in synopsis and under "Possible Legal Action". Thought it was important. Hope it's not too messy. Shawn, Montreal, 08/2006

I think you've misunderstood - the adware doesn't just infect 'IE', it infects your computer THROUGH IE. That tactic really doesn't do anything other than exposing your computer even more (whenever you use IE). Joffeloff 15:12, 2 March 2007 (UTC)

• Id agree, whenever i used IE i would get atleast 3 popups each time i visited another page, and they would predominately be Jamster pop ups or Winfixer ones (which were so OBVIOESLY fake).

As soon as i switched to FireFox, nothing. Not a single pop up since. I would say this is a sure fire to avoid Winfixer.

When I was using Firefox, I kept getting pop-ups for WinFixer (but no download). I might have been using an outdated version, though, because the pop-up blocker was awful, but actually works now.--84.12.33.72 20:52, 5 February 2007 (UTC)

• I use Firefox, and I got the popup once. I panicked and pulled the plug, and all was well. Remember that Firefox isn't immune to everything! MalwareSmarts 23:15, 5 August 2007 (UTC)

[edit] Headline text

Whoever created this page: Thank you. Our computer is infected with WinFixer and this was really informative. //user:DJRaveN4x

[edit] Opera Problems?

Hello,

I've seen WinFixer more times than I can count on computers at a local retirement home I used to volunteer at. Although I'm pretty computer safety savvy, I have to ask - is the Opera internet browser (which I use) affected by this blight? Thanks...--Spectrechris

I have found Opera to be as safe as houses in this regard. - Salmanazar 22:27, 29 January 2006 (UTC)

[edit] Just leave it?

If you have the popup come up, can you just ignore it and like move the box to the corner of the screen until your done surfing? or does it download anyway?

-I wouldn't do that...I mean, it is possible, but, I'm not willing to risk my baby (ok, computer) to test that. - Spectrechris

-:With IE security settings at medium or above, WinFixer will no be downloaded without your permission. Just close the second full-screen pop up that appears (the one that prompts for download).

[edit] Page quality

To give this page more credibility (and to get rid of the Higher Standards thingie), I re-wrote parts of it and softened some of the language...But, I left it up there so you all can review it. - Spectrechris

Yes. I'd be in favour of removing that notice now (it was put on before my improvements too). -- Nojer2 15:32, 2 March 2006 (UTC)

[edit] Spambox

Given the fact that this article is about a security threat, and that potential solutions are offered by commercial companies, is it really legitimate to include a spam warning? Lee M 03:01, 13 May 2006 (UTC)

Wikipedia is specifically not any kind of how-to guide or tutorial. I would much rather see an objective look at the nature of the program than a list of commercial websites trying to sell their removers. --RainR 08:39, 17 May 2006 (UTC)

[edit] What if you click cancel?

I got the WinFixer popup on my computer and I clicked cancel without disconnecting. Does that mean it is installed on my computer?--Taida 21:47, 26 June 2006 (UTC)

Yes :(

What if i did the same on FireFox? --Kitetsu 12:28, 21 November 2006 (UTC)

If you press cancel in Firefox or Opera, nothing is downloaded. --Xanthar 02:24, 25 November 2006 (UTC)

[edit] Winfixer

List_of_ZIP_Codes_in_New_York#13000_-_13099_:_Syracuse_area_communities_.28A-L.29

This demonstrates that 13088 is a postcode in Liverpool, New York.

--Quentin Smith 12:58, 24 July 2006 (UTC)

[edit] WinAntiVirus

WinAntiVirus isn't identical to WinFixer. As far as I know, it does work, just not very well. 80.193.149.218 22:34, 17 August 2006 (UTC)

No, WinAntiVirus does not work; it is a virus. It uses the exact same method as WinFixer, forced downloads. As stated in the main article, it "finds" x infected files, but those do not really exist. It is just trying to trick you into buying their bogus product. If you bought the product, I'm afraid you have fallen for their scam. —Preceding unsigned comment added by Aznfatnerd (talk • contribs) 23:59, 16 September 2007 (UTC)

Full WinAntiVirus does indeed work - it's a complete application based on a BitDefender engine. —Preceding unsigned comment added by Jed meyers (talk • contribs) 06:58, 3 July 2008 (UTC)

[edit] Unavailable?

I attempted to get a copy of this from http://www.winfixer.com/buy_now.html so I could test different removal tools / antispyware, and the download page claims (rather ridiculously) that no copies are available. Could it have been taken down? YnnaD 19:13, 5 September 2006 (UTC)

[edit] 19 October cleanup

I cleaned up the article a bit. It's still sort of biased against WinFixer (rightly so), I think, and the writing could use a bit more professionalism. There was a big problem with the article assuming that the user would not want to download the program, and directing them to sites that would help get rid of it. Quite unencyclopedic, I'd say... Voretus the Benevolent 17:03, 19 October 2006 (UTC)

• I really don't see why that fact would need fixing, there are exceptions to everything. GaeMFreeK 04:41, 22 August 2007 (UTC)

[edit] Neutrality?

All the tags on this article are hard to understand. While the style can be improved this is no matter of neutrality. What kind of neutrality or POV is expected about viruses? -

The {npov} {references} tags should be removed. Literally all vendors of security software recognize these programs as viruses. And many sources have been added in the last months.

I edited in some sentences about "SystemDoctor", same of the kin.--Peter Eisenburger 14:21, 23 October 2006 (UTC)

[edit] DriveCleaner

I got popups asking me to download DriveCleaner. This one claims to clean Internet tracks from adult sites and it claims to keep the registry clean (Just like Winfixer) Unsurprisingly, the popups look and act just like WinFixer. I also added it to the Winfixer article.

I had this also. I downloaded AVG Anti-Spyware, AVG Anti-Rootkit, Norton 360, Adware Alert, and Adaware SE. Eventually, it all went away. It turns out the source is a Trojan.Vundo. --HPJoker 02:51, 2 July 2007 (UTC)

[edit] Thought that I got it, but...

Um, hello there. A new Wikipedian, but old member of Wookieepedia and Star Wars Fanon Wikias.

Anyway, I went to Wikipedia's article about Proxy servers, clicked on the second Open Source Project (dmoz.org or something like that) link, clicked there anonymouse.org (or .com, can't remember) and before I got to start proxy surfing, I was on the site fi.errorsafe.org and got that nasty-pop-up window several times. I clicked cancel on all of them and somehow managed to kill that page. I'm using Internet Explorer 7 Beta now.

I came to here, read this article, panicked, went to read about disinfection on Symantec's internet site, started my trial version of F-Secure anti-virus and waited. It scanned almost every single file on my computer, including reg. keys and nothing! No viruses, trojans, malware, etc.!

So, I thought it was too good to be true and I opened registry editor and checked several folders on it as recommended in the disinfection article on Symantec's web site. NOTHING! Sorry 'bout the Caps Lock...anyway, no ErrorSafe or anything! Just the files there should be...so, I wasn't infected!

I wanted to share this story with you Wikipedians. I honestly don't know what would I have done without your article. And Symantec's article. First time ever used XP's registry editor, and it was simple! Thank you. --Roosa 18:19, 3 November 2006 (UTC)

[edit] Winfix

I believe there could be confusion in peoples minds between Winfixer and Winfix. Winfix is a windows optimizing product marketed by Challenger Software of California USA and appears to be a perfectly genuine product unconnected with Winfixer.

I wondered whether something to this effect should be included in the article, particularly if it could be done by someone with a knowledge of Winfix's legitimacy. 11.10, 5 November 2006 (UTC)

[edit] Winantivirus very bad, very hard to remove

Winantivirus is definitely malware, and none of the above fixes removes it entirely. I had to reformat to get rid of it. my router recorded 2000 outgoing security events in 2 days while this program was running on my computer. My advice is learn how to back up all your docs, and how to reformat your HD in case you ever get something this bad.

[edit] Loathesome

I'm getting very fed up with ErrorSafe peckering my PC whenever i try and upload one of my baleful drawings in imageshack.us, which, if my suspicions are correct, have the ErrorSafe popup installed there. I swear to god, if this keeps up, i just WISH i'd sue -- no, BLACKMAIL the developers of ErrorSafe to halt the "promotion" of the malware permanently for being in the cesspool of hackers without a sense of direction in life, and sue ImageShack for being a medium in their petty scheme for a petty amount of cash.

Alas, i'm just a rambling dreamer with not a lot of privileges. *sigh* --Kitetsu 12:19, 21 November 2006 (UTC)

As far as I am aware, Imageshack doesn't use advertisements from Errorsafe. However, some adware, when installed on your system, will automatically cause pop-ups when browsing certain (usually quite popular) sites, which is sometimes specified in part of the adware program itself. So the chances are, this has nothing to do with Imageshack themselves, and more to do with WinFixer/ErrorSafe. --Dreaded Walrus 12:31, 21 November 2006 (UTC)

[edit] A fix?

I think I've fixed the problem. It was in a different place than most of the system security guys think it is. However, I'm going to leave it for a week. Clue: Google 'em.gad-network.com'. Dbuckner 21:24, 2 December 2006 (UTC)

[edit] Fix? update

• My children's computer was affected my this about a month ago and I have only just worked out to fix it.
• The affected PC has strong controls over site content (they are not even allowed chat rooms or the like) so I am

still puzzling about how it happened.

• I don't believe there is any kind of malware or executable. The first sign of trouble is when

the browser randomly calls the following URL.

"http://em.gad-network.com/eas?cu=34&login=672125&mediaid_prefix=005&extparam=1:NIPfi7=ASQ6KA7u7Iwn3Uw&time=312e313536&nums=N01BGBG6Z"

This causes the behaviour of the browser to change. Thereafter, pressing the back button into the Google page causes the call above to happen, then the format of the browser changes slightly (it tabs down and to right - not sure what is happening here.

• Thereafter, you get calls such as the following (.

"http://go.winantispyware.com/NjM1/2/422/N01BGBG6Z-FBI.M0SATx&login=672125&mediaid_prefix=005&time=312e313536"

• The login id is identical in all cases. This is what suggests to me there is no malware or executable code.

All you see at any time is a window.

• However, what you see is an alarming message saying that your computer has been infected, or that it is calling

a remote computer. This is clearly false, because if you save down the page, you see that messages like '54 files have been infected' are hard coded into the html. This also is what is illegal - they are deliberately giving false information about the state of your computer in order to get money off you.

• The easiest way to fix the problem is to block the url's above.

• This does not stop the blocked calls, which Norton (in my case) reports. But it stops the problem going any

further.

• To get rid of it completely (if you are brave enough) go to the gad network site, who will send you a removal tool. This worked for me, but note that it can screw up dial connections. See below.

• The following website offers help on this

http://www.imaginarynumber.co.uk/gadnetworkarescum

Dbuckner 09:46, 3 December 2006 (UTC)

[edit] Blocked Download

Hello, I some how found my way to winfixer a year ago. I kept pressing "x" but then it gave me the download page, but I was saved by the download protection on windows XP. I went on the site again, being an idiot, so is it on my system without me knowing? —The preceding unsigned comment was added by Hihihi1823 (talk • contribs) 22:23, 9 December 2006 (UTC).

[edit] Taskmanager - only in Win2000 ? :D

While TaskMagaer application sure existsonly in Windows NT, in Windows non-NT one can just press Ctrl+Alt+Del to get list of tasks. However there are ways to hide malware from that list both on WinNT and Win 9x/ME.

Yet anyone can download additional taskmanager, for example Microsoft-SysInternals Process Explorer or z-oleg.com AVZ. However they usually are not localised that may make their use hard for non-english speaking persons.

[edit] Reguarding Winfixer

hello everyone, i have come a cros this type of problem. but be cause some viruses spyware etc. downloads and installs without you knowing, i have put all my settigns for the internet, to stop any files being downloaded, for example internet settings you can deny any file being downloaded, so if the winfixer try and download itself, my system comes up and says, something like: "sorry this file is denied by your settings" or "your settings prefent you from downloading this file". sometimes i do get this error about winfixer but what i do is i cancel it, and disconnect and run a full scan stright away. also updateing virus database... because of these spyware and viruses that come out. i do a full scan, once in the morning and once in the evening, just incase i do get infected...

This is for your information of what i do From Darren Pude 82.9.76.139 16:45, 8 March 2007 (UTC)

[edit] Regarding Firefox near-immunity

I was once an IE user, but have switched to Firefox since last year, but I noticed (or is it just me?) That Firefox has just as much popup windows for Winfixer as IE, I think both are now equally vulnerable to it, correct me if I'm wrong though Bananas 13:09, 28 March 2007 (UTC) shout at me for doing wrong!

[edit] My solution

It appears that I have found a way to get rid of this, but it isn't exactly nice. Basically, I had a stubborn file that HiJackThis couldn't remove from the BHO or Winlogon list, and Regmon would find repeated access to the registry for this filename. My file was called "C:\Windows\system32\hgghijj.dll" but Google found no hits for that filename, so I'm assuming it can change names. So, I kept getting popups in IE for the WinAntiVirus 2007 and SystemDoctor and all that garbage (these popups happened just as often in IE as in Firefox). Vundofix kept finding new files and could remove them, but it never found hgghijj.dll. SuperAntiSpyware (reccomended on some forum in place of Panda's) would find two trojans, Trojan.WinFixer and Trojan.Downloader-Gen/LIB. Symantec Antivirus would find a Trojan it called Infostealer, and also WinFixer.

Now, I had run HiJackThis and removed all the weird looking BHOs and WinLogons, except the hgghijj.dll one wouldn't remove. I tried Killbox to delete that file on reboot, but it adds a new registry command that undoes that.

The solution I ran into happened because of a spare hard drive. By installing an NTFS capable version of Windows on it, I was able to delete the hgghijj.dll file, since it wasn't being loaded in that version of Windows. Then, running the SuperAntiSpyware software again on the infected Windows install removed the two Trojans, which required a reboot. Upon reboot, the hgghijj.dll file is still gone, and Vundofix returned no Vundo files. Symantec returned no viruses. AVG Anti-Spyware also returned no spyware.

Now, there's probably a simpler way to do this (I was limited by a RAID array and didn't have a floppy drive handy, so I couldn't do this): Boot off your Windows XP CD and if you need to load RAID drivers, hit F6. Now, once you're into the setup options hit R to go to a repair console. Hopefully I'm correct at this point, and the equivelant of my hgghijj.dll file isn't being loaded. So, it should be possible to simply delete that file. 24.34.198.111 05:44, 17 April 2007 (UTC)

[edit] Article biased towards FireFox?

I think this article is rather biased towards supporting the use of Mozilla Firefox in favour of Internet Explorer. IE-users will receive many warnings (especially with XP SP2 / IE7) before being able to install this software. It will no way "download and install itself, regardless of the user’s wishes". I think, rather than advising users to switch browser, this page should advise users not to trust software from sites like these, and to never install software you can't trust for the full 100%. These programs are based on a vulnerablility that is (and will be) in every browser available - that is the naivity and stupidity of users. --Elmarj 08:17, 19 April 2007 (UTC)

Not really, even if you click the x on the message, the spyware installs itself. A lot of intermediate users don't even know that, which is not naivity nor stupidy Billtheking 16:12, 3 May 2007 (UTC)

I have gotten a billion DriveCleaner popups. Regardless of the button I click, and regardless of my operating system or web browser (I've used IE on Windows, Firefox on Windows, Firefox on Ubuntu, Galeon on Ubuntu and Konqueror on Ubuntu) I get redirected to a very ordinary HTTP download with a very ordinary Cancel button. And guess what? If you click cancel, it cancels. ~ Keiji (iNVERTED) (Talk | Contribs) 19:02, 12 June 2007 (UTC)

[edit] Domain Ownership

"The creater is a fat star trek fan who is 35 and lives with his parents." I know you are probably really mad that this program infected your computer but don't add stupid things like this to the article.

That or your joke just was stupid and doesn't belong here. —The preceding unsigned comment was added by Fontenot 1031 (talk • contribs) 22:24, 22 April 2007 (UTC).

[edit] Article is massively unsourced and stuff

Seriously. No sources for the bulk of the article. No information on if it actually spreads through a code execution exploit or just tricks users into downloading it. No information on how Firefox is currently "vulnerable". -- Consumed Crustacean (talk) 04:33, 28 April 2007 (UTC)

[edit] Problem Solved?

Winfixer is no longer a serious problem because the name servers return 127.0.0.1 instead of the old address. The many related problem programs and URLs are still a problem because valid IP addresses are still returned.

I don't understand the problem with references, there are plenty of good ones, in my opinion.

As far as how it spreads, there are known holes in old versions of the java virtual machine and other methods (such as vundo) that allow it to install itself without user action. One of the most common comments is that people don't know how it got on their machine.

For some reason "The neutrality of this article is disputed." I don't understand this at all. This is like saying terrorists are good people because they don't attack (place country of choice here). Make no mistake about it, Winfixer and its related pests are (repeat - ARE) a form of international extortion and international terrorism - they have cost the people of this planet hundreds of millions of dollars in direct costs and lost productivity. How can this article be "neutral" when the amount of damage is taken into account.

Let me be perfectly clear - I support the FBI (and others) getting involved to shut down the international terrorist that distributes this parasite.

Robert - Northern VA 06:56, 3 May 2007 (UTC)

I got this virus and I went to the symantec place to fix the thing, but it's just confusing. It might as well be in French. Can somebody clear this up or send me an email or something that can better help me understand how to get this bullshit off my computer? It's f**king annoying. tapeleg247@aol.com ChesterG 06:27, 21 May 2007 (UTC)

Probably the simplest, safest and fastest way is to reinstall windows and then for untrusted sites use just Opera web browser. This spyware installs more different spywares, and for one or few computers it is not worth to spend time searching for free removal method that would clear it totally. exe 11:19, 28 May 2007 (UTC)

[edit] PCTurboPro?

Just a stupid new copy of WinFixer? The links on my computer are now taking lots of time to click (about 3 or 4 times rather than just one).

Who is the guy who created WinFixer anyway?

[edit] Stop-sign

Stop-Sign is another WinFixer variant. Learned it the hard way...

NOTE: You can remove WinFixer infections with a system restore. Worked for me (for n

I was reading on SiteAdvisor about it, and according to the user comments, this Stop-Sign program was actually being advertised on television! Horrifying! I don't remember if I saw any ads for it, but I can remember seeing antivirus commercials with streetlight imagery. MalwareSmarts 16:54, 8 August 2007 (UTC)

By the way, it's not a WinFixer variant. MalwareSmarts 17:20, 14 August 2007 (UTC)

[edit] AssayFixer

I get pop ups by an other variant of WinFixer the name is AssayFixer.

The text is with italic text: Your computer is infected with malware and other threats, these malicios programs can cause crashes on your computer. Download a free-trail of AssayFixer now (Recommended).

[edit] How can you tell if you're infected?

I got the ErrorSafe popup, and I figured out that the thing was obviously fake pretty quickly, but I rather foolishly just X'ed out the supposed popup window each time it appeared. My browser resized itself a few times and minimised but that was it. My first reaction was to Adblock the site, more out of annoyance than anything else... After checking out Wikipedia, though, I'm worried now. I didn't get a download box and neither Firefox (2.0.0.4) nor Norton Internet Security complained about anything, and they seem to catch most stuff between them. Can it download completely silently? How can I tell whether or not I've got it? Raistlin11325 00:01, 27 June 2007 (UTC)

Wikipedia is probably not the best place to ask that. Try one of the various PC forums dotted about the web. You'll probably get a better response there. tommylommykins 20:47, 28 June 2007 (UTC)

[edit] Removal of "citation needed" tag

I removed the "citation needed" tag from the following text: WinFixer claims it "is a useful utility to scan and fix any system, registry and hard drive errors. It ensures system stability and performance, frees wasted hard drive space and recovers damaged Word, Excel, music and video files", The information is available on the website, but linking there isn't a very good idea. I took a screenshot of the page so that anyone who doubts that it's there can see it without going to the site, but I can't think of any way to properly cite a source for it.

Screenshot here: http://i9.photobucket.com/albums/a94/raistlin11325/ErrorSafe.jpg Raistlin11325 00:22, 27 June 2007 (UTC)

[edit] Why not sue the hell out of Drivecleaner, WinFixer, etc

I saw one person sued Winfixer, but I still had drivecleaner pop-ups on my computer. I called a support number for Drivecleaner just for the heck of it, it says "All of our customer service workers are busy, you are first in line." It says that 3 more times and then hangs up. A lot of people could win a lot of money if they sued these people. Why not? --HPJoker 02:51, 2 July 2007 (UTC)

I'm totally down with that. ChesterG 09:49, 4 August 2007 (UTC)

[edit] Mac OS X

I have received the same dialog boxes whilst running Mac OS X 10.4.10 on a PPC G5 chipset. Will the same errors occur? --ÆAUSSIEevilÆ 01:52, 4 July 2007 (UTC)

I just got a popup for this no my Macbook running OS X. This is the second time such a popup has appeared. It also redirected my open firefox window to drivecleaner.com. I am not sure what caused it, but hopefully the spyware is not actually able to infect Macs still since I know how hard it is to remove from Windows due to experience (I have removed it from at least 3 different PCs). --Petahhhh 13:39, 13 July 2007 (UTC)

Beyond a few proof-of-concept programs that exist, there is very little in the way of malicious software that targets OS X. It's therefore highly unlikely that any version of this thing would be able to infect your machine; just because the dialogue box shows up does not indicate an infection. --KatzMotel 00:31, 5 August 2007 (UTC)

[edit] Realtor.com DriveCleaner popups

I read on Sunbelt Software's blog that on Realtor.com there have been popups for DriveCleaner. Should this be added? MalwareSmarts 16:51, 8 August 2007 (UTC)

[edit] Law suits

Have they been talked about or should they also be included? Allen649 06:33, 2 September 2007 (UTC)

[edit] Please Reconsider a Deleted Link

On June 28, 2007, Improbcat deleted the link to my page just because I think the government should protect us from this type of international criminal activity. To be specific, the WinFixer domain is registered to a Ukrainian address and hosted in Canada. This parasite installs itself on your machine without invitation and then attempts to extort money to remove it. Yes ... I think the federal government should protect us from this ... who else has the power or jurisdiction?

As for the term "terrorism" (he really did not like this), this parasite has cost Americans millions of dollars in lost time and frustration. I don't feel that "vandalism" even begins to describe the damage done. And "virus" simply makes it sound like some kind of prank.

He actually said

removed spam link, including one that says he's contacted the US government because winfixer is terrorism

I guess that this could be interpreted as calling my page "spam" - I am not sure what he is saying.

As far as I know, my page is still the only one on the internet that actually explains how to remove WinFixer without paying money to someone. I think the link belongs back on the main page, but I'll place it here instead.

   WinFixer Virus Manual Removal - Vundo Variant 

Q Science 20:21, 7 September 2007 (UTC)

[edit] References ???

There are 2 comments at the top of the page

  This article does not cite any references or sources. 

  This article needs additional references or sources for verification. 

I don't get it, there are many reliable references through out the article.

There is one place that says attribution needed. I'm not sure why since the main references actually say that. Even my page (see previous post) says that - and I verified that the bugs that WinFixer claims are on your system are bogus. The entire purpose of WinFixer (and its cousins) is to extort money from clueless computer users.

At any rate, I would like to try and fix the problem, but, even after reading the style guide, I still have no idea what the real problem is.

As far as the other comment about the article contradicting itself - telling us to see the talk page is of no help. Specifically, what is wrong? This is one VERY evil piece of software. I don't think the article contradicts that position ... so, what are you talking about?

Q Science 06:30, 15 September 2007 (UTC)

Don't worry Q Science, whoever the Wiki Editor is who flagged your article with those comments, is a complete moron, unfortunately, wiki is awash with these idiots, you just have to put up with them. —Preceding unsigned comment added by 80.176.233.50 (talk) 07:25, 1 October 2007 (UTC)

[edit] WinAntiSpyware

I got WinAntiSpyware from freeonlinegames.com, but all it did was place an icon, and that can be deleted easily! Should we write about that? --Hpme2dastar123 01:02, 30 October 2007 (UTC)

[edit] Sephiroth storm edit war

User Sephiroth storm (talk) has decided to make major changes to this article. I originally reverted his changes and explained why. But rather than have a discussion, he has decided to resort to an edit war. These are some of the problems I have with his changes.

• He edited the entire file at one time, mixing proper edits with those that needed to be undone. Since there was no way to address problem sections one at a time, a complete undo made more sense.

• Some of the changes were only half done, such as replacing complete sentences with phrases and gibberish.

• In some places he changed the complete meaning of a section, but without providing any references. This is particularly bad since the previous data was correct and the changes are not.

• In a few cases, he removed valuable data that has been in the article for years.

• He made major changes without adding anything to this discussion page.

It should be noted that WinFixer is extortion program - it makes someone's computer unusable until you pay them to remove it. At the time the article was written, neither McAfee nor Symantec could detect and remove it.

Sephiroth storm has decided to make the program sound less dangerous by claiming that it is scareware or a rogue program and by stating that McAfee and Symantec can now remove it. In fact, it installs itself without the users knowledge, usually though some security hole. At that point, it takes over your machine and makes it unusable.

He removed

• Safety information warning users not ot search for WinFixer Removal programs because many of those were actually alternate versions of WinFixer

• A link to information on a class action lawsuit against WinFixer

• Information stating very clearly that Symantec would not detect or remove the program

• Information that McAfee considers the program to be legitimate

• Information from McAfee needed to manually remove WinFixer. He left in a link to the incorrect Symantec instructions.

By the way, the main reason parasites like WinFixer deserve their own WikiPedia articles is because the trusted anti-virus programs don't protect the users. If McAfee and Symantec were doing what everyone thinks they are doing, then no one would waste their time producing an article like this one. As a direct result, claims on their web sites should NOT be trusted as reliable information as to what they detect and remove.

Unfortunately, the original editors of this site have moved on to other things and the valuable information they contributed to this article is now being removed.

Q Science (talk) 18:35, 2 October 2008 (UTC)

And yet you have not produced any edits to make the article better yourself. Feel free to add any verifiable information you please, however, saying that I am attempting to make the article sound less dangerous is incorrect. Wikipedia does have a manual of style, and the article in its original form was highly POV. I made my original edits, you undid them, I undid your revision, and decided to take your advice and find sources for the article. This article has went from 4 refernces to 13. I also open gateways of communication, and asked you to join WikiProjects involved with Malware and InfoSec, and you accuse me of starting an edit war? noone else has objected to my edits, and I have opened the article for review on the WikiProject Computing/Computer and Information Security task force page. Of course I welcome comments from any editor on this issue.

Addition: Also, as for McAffee and Symantic's detection and/or removal of WinFixer:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=135733 Threat Profile: Winfixer Risk Assessment

  - Home Users: N/A   - Corporate Users: N/A  

Date Discovered: 9/1/2005 Date Added: 9/1/2005

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It purports to be an system repair/maintenance application, but requires paid registration before any issues found can be fixed.

http://www.symantec.com/security_response/writeup.jsp?docid=2005-120121-2151-99

WinFixer is a Security Risk that may give exaggerated reports of threats on the computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.

ProtectionInitial Rapid Release version June 27, 2007 Latest Rapid Release version October 2, 2008 revision 041 Initial Daily Certified version June 27, 2007 Latest Daily Certified version October 2, 2008 revision 050 Initial Weekly Certified release date December 7, 2005

Both sites claim to offer detection of WinFixer, and both also have removal instructions. I think it is logical to assume that anyone looking to remove these infections would prefer to get complete instructions from the vendor (McAfee/Symantic/ect.) rather than wikipedia, if said instructions cause damage to a users computer. Wikipedia could be held responsible, which is why it does not offer advice on malware removal.

Answers:

• Safety information warning users not ot search for WinFixer Removal programs because many of those were actually alternate versions of WinFixer

-Instead I included VERIFIABLE references that claim to remove the infection. The same can be said for most Malware applications. However, if you provide a trusted third party reference, I will gladly include it in the article.

• A link to information on a class action lawsuit against WinFixer

-This was inserted randomly into the article, I believe there was a link, however, I do not know if it was indeed a reference. Feel free to provide it, as a matter of fact, I will locate it, but there doesn't appear to be a need for it.

• Information stating very clearly that Symantec would not detect or remove the program

-Addressed above.

• Information that McAfee considers the program to be legitimate

-McAfee(R) AVERT recognizes that this program MAY have legitimate uses in contexts where an authorized administrator has knowingly installed this application. This is not the same as saying that it is legitimate. What kind of SysAdmin installs a reported rouge application, that has not been vetted?

• Information from McAfee needed to manually remove WinFixer. He left in a link to the incorrect Symantec instructions.

-Manual removal can indeed be dangerous, however, I included a link to the Mcafee listing that links to removal instructions.

• It should be noted that WinFixer is extortion program - it makes someone's computer unusable until you pay them to remove it.

Please provide a source for this information. Many types of Malware can damage or ruin a users computer, that is why they are termed Malware, malicious-Software. To call these programs "extortion programs" could be considered slander, which is what happened when several vendors of rouge programs took the security companies to court. As such, they are not claissified as viruses or spyware (depeneding on the vendor) but as PUP's (potentially unwanted program). Wikipedia cannot cal the application as such, unless verifiable third parties call it such.

I look forward to your response. Sephiroth storm (talk) 02:58, 3 October 2008 (UTC)

I looked at the page history, the link for the class-action lawsuit is http://fixwinfixer.wordpress.com/, this is a personal blog, and therefore not verifiable, by wikipedia standards. However, the link in the article to a news release is good, and the information seems verifiable. I have no issue creating a new section for this

Sephiroth storm (talk) 03:11, 3 October 2008 (UTC)

The removed link was Lawsuit Filed Against Winfixer though this computerworld.com article is probably better. Both of these should count as sources for the statement that WinFixer makes a system unusable.

Symantec and McAfee should not be used as reliable sources, both have a long history of not protecting systems from WinFixer. Specifically, manual procedures to remove it were provided precisely because their software was not able to.

McAfee says

• Winfixer is a "potentially unwanted program", not a virus or a trojan
• Winfixer has been known to get installed silently through code exploiting Microsoft Internet Explorer vulnerabilities
• Additional overhead in bandwidth due to possible download of updates or other content
• You can not get rid of this without special instructions. Originally, you had to edit the registry, now you search for "joke" programs.

Translation - it gets on you machine without your permission, there is no way to get rid of it without special help, the "increased bandwidth" means that you are no longer able to use your browser or mouse - but it is just a "joke", not a problem.

It is interesting that McAfee lists the discovery date as 9/1/2005 - My records show that I first encountered WinFixer in the wild before 7/26/2005. In addition, the registry keys that had to be modified to remove it were not the same keys that McAfee or Symantec give. Apparently, there are several versions they still don't detect. Another possibility is that they provide instructions for removing only the purchased copy, not the one that simply appears on someone's system.

The "neutral point of view" argument was had a long time ago and the article was toned down a lot back then. Now you want to tone it down even more. I guess that you can call a piece of software that destroys your computer "potentially unwanted". And when it requests money so that the system will be useable, I guess I don't know the definition of "extortion". Please suggest something more politically correct. Personally, it would be better to delete this article than to understate the problem.

As for other references, this article used to have a lot of references. However, information rot has crept in over time as one reference after another was removed.

Q Science (talk) 06:56, 3 October 2008 (UTC)

It's not about what I want to put in the article, its about what can be referenced. It's been said before, wikipedia doesn't want the truth, it wants what can be verified. Personally, I dont use McAfee or Symantic, but I can't put personal experience in a article.

As for those articles, I have to say, that one of the confirmed effects of most Adware, and other Rouge programs to bog down the CPU, with startup processes, and multiple popups. To specificly state that, would add unnesesary heat to the article, don't you agree? Anyone who wanted to know what the potential effects of these types of application could check the articals on Malware, and Rouge programs, both linked in the article. Sephiroth storm (talk) 12:35, 3 October 2008 (UTC)

How is this for a comprimise?

On September 29, 2006, a San Jose man filed a lawsuit over WinFixer and related "fraudware" in Santa Clara County Superior Court, however, in 2007 the lawsuit was dropped. In the lawsuit, the plaitiffs charged that the WinFixer software "eventually rendered her computer's hard drive unusable." KTVU (Channel 2 in Oakland, CA) carried a special report. —Preceding unsigned comment added by Sephiroth storm (talk • contribs) 12:51, 3 October 2008 (UTC)

The "San Jose man" is lawyer Joseph M. Bochner who has documented the case in his blog, one of the references you deleted a few minutes ago, probably without bothering to read it. Note - this was a primary reference written by one of the people this WinFixer article is about.

In the original (before you changed it), the article referred to the woman who's computer was attacked. But I agree with you that the wording was poor at best.

And at least, if you are going to say that the suit was dropped, explain the it was because Bochner ran out of money.

You removed info on cd drives failing, try this reference. Like I said, there used to be lots of references, but they have disappeared over time. WikiPedia needs an article on information rot and how it tends to reduce WikiPedia's usefulness. I have also seen this happen in other articles.

I strongly suggest that you read this entire discussion page. (Just scroll up.) I went through it last night. The comments themselves reveal how bad WinFixer is. Even the old POV discussions are there. If it is true that the legal system now requires viruses to be called by some politically correct term, then there should be a page somewhere documenting that. And ALL related pages should have a link to it. It is a sad day when courts say that you have to call a crook a friend. It is even worse when the WikiPedia POV style guide supports that.

As for Symantec, their site is anything but unbiased - they have a closed settlement with the people behind WinFixer. I assume that they have toned down their comments about how bad this software is as part of the settlement.

Q Science (talk) 17:23, 3 October 2008 (UTC)

As for the blog, generally they cannot be used as reliable sources, as we cannot verify who the blog belongs to. I can create a blog and sign up as George W. Bush, it doesn't mean that I am. As for the better Anti-Virus article, it does not say that the drive was rendered useless, simply that it popped open. I have seen no other reports of the program exibiting such behavior. Generally a program can send such a command to a machine, but it is rare. While I will not argue with including it on the section of the article reguarding the lawsuit, we would need more references of other incidents in order to put in the larger article.

As for the previous comments, I understand how bad WinFixer can be. Any user is free to look at the Talk page and see these comments, however, we cannot use the accounts of people whose identities and experiences cannot be verified in Wikipedia.Sephiroth storm (talk) 12:46, 20 October 2008 (UTC)

[edit] My thoughts

Hello. Reading through this page, I suggest the following changes:

• Either Image:WinAntiVirus Pop-Up.png or Image:Winfixer-message.png should be used, but not both, because they mainly have duplicate content. (WP:FUC 3a)
• This article is severely biased. (WP:BIAS) One example is the requirement to verify information from WinFixer but not other sources: "The WinFixer web page [claims...] but its claims have not been verified".
• The avoiding infection section is not encyclopedic and should be removed or refactored to be encyclopedic. (WP:NOT)
• Quotes from WinFixer and Microsoft must have references. (WP:CITE)
• Lots of the domain ownership section focuses on trivial details, such as the exact fake address used.
• The winfixer.com domain name information is supported by a dead link to dnsstuff.com. (WP:DEADLINK) DNS records are primary sources requiring additional analysis, secondary sources should be used (WP:SYN)
• Castlecops.com is a forum which is normally not a reliable source. (WP:RS)
• Lots of potentially controversial statements are not supported by references. (WP:CITE)

--h2g2bob (talk) 18:05, 26 October 2008 (UTC)

I'll take a look tomorrow. Sephiroth storm (talk) 20:18, 26 October 2008 (UTC)

[edit] WP is not a how to

Parts of this article reads a lot like a how to, and WP is not a how to guide. Shouldn't someone do something to clean this up? PCHS-NJROTC ^(Messages) 01:17, 12 December 2008 (UTC)

[edit] watch net protection

came across watchnetprotection.com/scan/index2.php?affid=07000 which seems to have the same MO. any relation?--Mongreilf (talk) 16:34, 5 January 2009 (UTC)

Apparently, that domain name was created today. How did you find it so fast?

From Godaddy

 Domain name: watchnetprotection.com  Registrar: Regtime Ltd. Creation   date: 2009-01-05 Expiration date: 2010-01-05  Registrant:   Howard Brooks   Email: howardcbrooks@gmail.com   Organization: Private person   Address: 1387 Andell Road   City: Nashville   State: TN   ZIP: 37201 

This person is already associated with another scam/virus - System Security.

 Domain name: websecurityexamine.com  Registrar: Regtime Ltd. Creation   date: 2009-01-02 Expiration date: 2010-01-02  Registrant:   Howard Brooks   Email: howardcbrooks@gmail.com   Organization: Private person   Address: 1387 Andell Road   City: Nashville   State: TN   ZIP: 37201 

Unfortunately, this data is only found via unreliable (blog) sources and, therefore, can not be included in wikipedia until a "reliable" source, like Symantec, decides to include it on their web page ... probably in 6 to 12 months. Q Science (talk) 17:52, 5 January 2009 (UTC)

i was looking for recipes for a pimms martini is how--Mongreilf (talk) 19:34, 6 January 2009 (UTC)