Attack of the WinFixer Clones

winhelp2002 — Sat, 06 Oct 2007 08:34:00 GMT

Lately there has been a huge increase in the WinFixer affiliates/clones ... although these clones go to great lengths to hide their true idenity, you can sniff them out if you know where to look ... WinFixer is run by "Innovative Marketing" and their main distrubtion host is SetupAHost based in Canada, although WinFixer also has setup servers in several other countries.

Acting on a email tip from Sebastiaan S I browsed over to "performanceoptimizer(dot)com". Clicking the Download button redirects to a (https) payment site. Both of these sites are related and using the same IP address (190.15.73.254) However as you can see below there is already a problem ...

To show you the SetupAHost connection you have to look at the (https) traffic and the details which is displayed below and clearly shows (highlighted in red) SetupAHost.

Now if you browse over to "freerepair(dot)org" on the same IP address ... oh my even my AV (NOD32) knows it's WinFixer!

Another clone of the same IP Address is CryptDrive which Symantec describes as:
"CryptDrive is a misleading application that may give exaggerated reports about potential risks on the computer."

Sadly I though we had convinced ValueClick to break their ties with WinFixer ... but it looks like that is not the case.
Yes "ad2cash" is on the same IP as the above and there are quite a few other examples of the below ...

Hosts News : SetupAHost

Attack of the WinFixer Clones