dslreports logo
    All Forums Hot Topics Gallery
Search Topic:
share rss forum feed

Villa Rica, GA

WARNING: Winfixer and Errorsafe being distributed via MSN Me

WARNING: Winfixer and Errorsafe being distributed via MSN Messenger banner advertisements
Part of this article may fall to the bottom of screen on smaller displays - scroll down if this happens to you. 

Edit: I should point out that MSN Messenger's proper name is now Windows Live Messenger.

"The malware commonly known as Winfixer aka Errorsafe is being distributed via MSN Messenger banner advertisements.  This has been reported to secure@microsoft.com and they and the MSN ads team are investigating.

I was originally warned that this is happening by none other than Patchou of Messenger Plus! fame on Thursday 15 Feb 2007 at 7:33:00 am Perth time.  I received a second report from Johan Brune that confirmed what is happening at 11.56am Perth time, 18 February (about 3 and a half hours ago) and I have now been able to reproduce the problem on my own machine.  It says a lot for Patchou's integrity that he was willing to write to me and warn me about this problem despite our history.  I have been extremely critical of him and his Sponsor Program in the past and have said some very nasty things at times, yet despite all that we have been able to maintain an open dialogue which has borne important fruit - Patchou was the first person to report the winfixer infiltration to me.

Brief warnings appeared on www.mess.be and at Neowin (http://www.neowin.net/index.php?act=view&id=38176)
after Patchou got in touch and while I was still investigating and trying to confirm the problems, but they contain little in the way of screenshots or detailed information.  Also, the articles report that the Free PC-Secure banners trigger dialogue windows, which is not my experience, or the experience of anybody that I have contacted to duplicate my tests and verify the problems.

So far I have seen two ways that the bad guys are using to try and get Winfixer on to a machine via MSN Messenger banner advertisements - one involved a pop-up alert that appeared with no user interaction - the other needs the user to click on the banner advertisement and visit a Web page, then manually download an installer.

The most dangerous banner advertisement looked like this screenshot on my system - nothing happens if you try to click on the banner advertisement BUT when the banner advertisement disappears when the ads are rotated, something worse happens...."

More from Sandi Hardmeier a Microsoft MVP since 1999 specialising in Internet Explorer can be found  here.

Windsor, ON
I read this yesterday on Sandi's blog. This is one of the reasons I patch MSN Messenger to remove the ads. Not only are they annoying and fill up MSN Messenger, but now I find out some of them contain spyware.

Sure I know not to click an ad, but accidental clicks do happen all the time. When clicking in a conversation I usually nudge a contact by accident, meaning who's to say those nudges couldn't be ad clicks.



4 edits
reply to cjsmith
malware installation attempts were in neowin's banners too:
»www.neowin.net/forum/index.php?s ··· 6958&hl=

Villa Rica, GA
Please don't "Shoot the Messenger"


1 edit
reply to cjsmith
To get this piece of crud, it seems you have to register, so i did. Without needing any confirmation by email, i was taken to the following page -

You need Active Scripting enabled to get there and DL. Naturally i chose to DL it myself via the Direct Link and save it !

I havn't checked my junk email acc. yet, but it'll just get blasted anyway, as will any others they or their cohorts might send, if i get any at all. I presume it's just part of the scam to make it look more legit !

This is what you get FreePCSecureInstall.exe v1.3.91.3 -

On the Sandi Hardmeier www about this, it shows a 135kb file, but mine is 79.7kb ? Not that either will be any better though lol.

Complete with nice Digital Cert -


" Please don't "Shoot the Messenger " Good one lol.


edit - typo Only
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks