A Winfixer Primer

August 1, 2008

Update August 6, 2008:

Welcome, Fixwinfixer guests: great to have you! Over the last day or so there has been a definite uptick in visits to this site; let’s hope it continues. Working together, we’ll get a handle on Winfixer malware and wrestle it to the ground.

Please link here, visit frequently, and of course sign my petition. More later….


If you don’t already know about Winfixer, it’s one of the most successful software scams ever. For years now law enforcement authorities have stood by and let Winfixer flourish: as a result, today there are dozens of essentially identical Winfixer programs with many different names and in many languages. They’re all produced by the same syndicate, and they all share the same illegal methods and goals: to lie to you, to take your money and to trash your computer in the bargain.

(Winfixer is also not very careful with your personal information. More about this later.)

Here’s a five-minute video about my work against Winfixer, produced by KTVU in Oakland, CA, and first shown February 26, 2007.

Also from 2007, a Winfixer story from International Data Group, publishers of PCWorld, InfoWorld, MacWorld, etc.

And the most recent article, from the front page of the San Jose Mercury News business section, March 23, 2008.

Almost forgot: if you hate malicious software, show your support and sign my petition. Thanks!

I’ll update this page with additional links as time permits.


Corporate Citizenship

April 10, 2007

In 2004, IP addresses associated with WinFixer served a number of fraudware domains, the most notorious of which was WinAntivirus.com. Like WinFixer, WinAntivirus hijacked browsers and popped up dire warnings of nonexistent computer problems, defrauding consumers into charging their credit cards for the WinAntivirus “cure.”

Unlike WinFixer, back then WinAntivirus bore a remarkable resemblance to Norton—one of Symantec’s crown jewels—right down to the yellow packaging. WinAntivirus also took traffic from typo-squatting sites such as “symantic.com” and “symantes.com.” With shady marketing like this, some unwelcome attention from the world’s largest computer protection company was perhaps inevitable.

On April 29, 2004, Symantec sued James Reno and his company ByteHosting, among others. Why these particular defendants? I’ve asked Symantec attorneys that question a number of times and have yet to get an answer.

Symantec deposed Reno on July 29, 2004. (A deposition is a process of questions and answers given under oath, just like in court.) Beginning in January, 2006, I repeatedly requested Symantec’s cooperation in this case, and last month Symantec’s attorneys finally responded with a copy of Reno’s depo transcript. Here’s his testimony about WinAntivirus:

Q: What is Innovative Marketing?
A: As far as I’m aware, it seems to be a company in the Ukraine that is producing the Vantage line of products, such as Win Antivirus, but that’s just by searching around.
Q: Have you ever had any connection with Innovative Marketing?
A: Directly, no.
Q: How about indirectly?
A: Yes, through a company called Billingnow.
Q: What is Billingnow?
A: It’s a company I’m actually doing customer support for. They do Internet billing.
Q: What is the relationship between Innovative Marketing and Billingnow?
A: Innovative uses them for billing.

* * *

Q: When you say that you’re providing customer support, what exactly do you do – does your company do for Billingnow?
A: We’ve got a call center, answer the phones, handle billing issues for different customers that call in, look up their order, handle things like informing customers of policies and – like refund policies or technical support, help with forwarding them on to different – the different companies that Billingnow has contracts with.
If someone calls in about a non-billing question, well, we would forward them on to the proper companies.

* * *

Q: Now, winantivirus.com, has your company ever hosted that site?
A: No, we have not.
Q: Do you have any connection with it?
A: Again, we host just the e-mail. I’ve never hosted the Web site.
Q: Do you have an account address for winantivirus.com?
A: It’s in the Ukraine, I don’t have a specific address. It goes through Billingnow.

These few lines constitute all of Reno’s testimony that day regarding WinAntivirus. (The dearth of follow-up questions here is frustrating to say the least.) Nevertheless, it’s enough to prove that—more than three years ago—Reno and ByteHosting were significantly involved in WinAntivirus. Moreover Symantec knew it.

What did Symantec do with this knowledge? My next post will explore the Symantec vs. Reno settlement.

ByteHosting, Part II

March 13, 2007

It would be natural to wonder why, having sued Marc Cohen last year, I’ve now named ByteHosting, a company most people have never heard of. The answer is convoluted. Since 2004 I’ve researched thousands of potential WinFixer connections: IP addresses, domain names, phone numbers, emails and almost anything else I could ferret out online. (On the other hand, I largely ignored the whois, a database so rife with fraud that it’s worse than useless. It’s long past time either to clean it up or else abolish it altogether.) Throughout, associations with ByteHosting appeared over and over again.

The ByteHosting=WinFixer link includes (but isn’t limited to) a 2004 lawsuit by Symantec against ByteHosting founder and President James Reno, the company itself, and several others. The case concluded in late 2004: Symantec got a $3.1m “default” against someone named Sam Jain, which simply means that Jain lost because he didn’t show up to defend himself in timely fashion. Symantec settled with Reno and ByteHosting on undisclosed terms—Reno claims he paid nothing—and a permanent injunction forbade Reno et al. from pirating Symantec product. Case closed.

Starting more than a year ago, I made a few calls (and sent several letters) to counsel for Symantec, ByteHosting and Reno, all of which went nowhere. (Recently, Symantec’s counsel has begun talking with me. Stay tuned.) Meanwhile, with other leads to pursue, I assumed that if Reno and ByteHosting had settled with Symantec, they’d either stopped what they were doing or hadn’t been much involved in the first place. As it happens, I was wrong on both counts.

In my next post, I’ll begin detailing the evidence against ByteHosting.


March 12, 2007

The disclosure of an attorney’s investigative work—known in the profession as “work product”—is a nontrivial and not altogether risk-free event in the life of a litigator. There are many reasons not to do it, especially early in a lawsuit.

Nevertheless, I’ve concluded that the reasons to publish at least some of the evidence here outweigh all other imperatives: my paramount concern being the obligation to help stop an ongoing fraud. The revelation late last month that WinFixer had morphed yet again has added urgency to my growing feeling that–if the WinFixer conspiracy is to end–the public needs to know the chief instrumentality behind it, and it needs to know sooner rather than later.

More tomorrow.

Marc Cohen

October 1, 2006

Last Friday, we filed a civil action against Marc Cohen. We did so because substantial evidence shows his involvement with fraudulent software, or simply “fraudware.”

Unlike criminal cases—which often involve prison time and require the familiar “proof beyond reasonable doubt”—in civil disputes a plaintiff need only prove liability by a “preponderance of the evidence.” In other words, to obtain a judgment against Mr. Cohen, we have to show that his involvement with fraudware is “more likely than not.”

With that in mind, I invite Mr. Cohen’s attorneys (or him, if unrepresented): answer our concerns. Provide innocent explanations. You can post them yourself as comments; alternatively, if you give me the URL, I’ll provide a link here. Furthermore, if you can prove that Mr. Cohen wasn’t involved, we’ll dismiss this lawsuit. (Ethical lawyers do so as a matter of course when it’s warranted.) I’ll publish a retraction and a personal apology to Mr. Cohen. My offer is genuine and stands for as long as this lawsuit takes.

Some of our concerns about Mr. Cohen’s business:

1. Mr. Cohen owns VipFares.com, a travel site. VipFares provides false contact information (in the case of “whois”), or no information at all (on its own website). No honest merchant conceals or falsifies his whereabouts or identity.

2. Complaints about VipFares are now rife on the Internet. If there’s authentic praise for VipFares, we haven’t seen it.

3. VipFares both permits and benefits from popups and traffic hijacked into its website via fraudware. Logically, the existence of a financial relationship between the two follows.

4. For years, VipFares has had many specific and provable associations with fraudware: developers, call centers, web designers, IP addresses, credit card processing and more.

Soon I’ll write about each of these in greater detail.