'Winfixer' mystery slowly unravels

A California attorney claims he has unraveled part of the mystery behind a questionable software program and is prepared to go to court.

Attorney Joseph M. Bochner filed a class-action civil suit last September in California Superior Court in Santa Clara County against two men the suit alleges are behind Winfixer, a purported security software. The lawsuit names Marc J. Cohen of Florida, and was amended last week to add James Reno of Ohio as an additional defendant, Bochner said. It seeks compensation and a halt to the distribution of Winfixer, among other remedies.

The suit was filed on behalf of Beatrice Ochoa, a mother of two who paid US$39.95 for Winfixer after it badgered her with repeated pop-up warnings that her computer had security threats. The program eventually rendered her computer's hard drive unusable, Bochner said. The suit counts another 100 anonymous victims.

"All of these people are being defrauded and they're just ordinary folks," Bochner said. "They buy a computer, they surf the Internet, they're not doing anything unreasonable and suddenly they're defrauded."

Indecision over whether Winfixer is a legitimate product may be the reason it still pervades the Internet. Winfixer has been a moving target for security experts, at times going by the names ErrorSafe, WinAntiSpyware, WinAntiVirus, SystemDoctor and DriveCleaner.

Security software from vendors such as Sophos PLC and Symantec Corp. will detect it, but give users the option of whether they want to remove it. Sophos calls it "adware" that hypes security threats and then implores users to buy the software.

Microsoft Corp., however, pulled no punches last month when Winfixer ads began show up on its instant-messaging program, calling it "malware," a shorter term for "malicious software." Experts have also seen it install itself on computers via security vulnerabilities in browsers or OSes.

However, the lawsuit could face hurdles in court. Web sites are frequently registered under false names or under stolen identifies and the real owners can be difficult to trace, said Sandi Hardmeier, a computer security authority who writes about Winfixer on her blog "Spyware Sucks."

Proving the link to the alleged perpetrators, their connections to Winfixer all the way through to the effects on Ochoa's computer will be very difficult, she said.

"Forensics is everything," she said.

Bochner acknowledges it's hard work to track down fraudsters who use the Internet's anonymity to commit crimes, but the criminals are real people who can be located. Bochner said he has compelling documentation to link the defendants named in the suit to Winfixer.

By researching IP (Internet Protocol) addresses that hosted the versions of Winfixer and their owners, Bochner alleges he has uncovered a fraud based in the U.S. that has escaped law enforcement scrutiny.

Reno ran a Web hosting company called ByteHosting Internet Service LLC with a postal address in Amelia, Ohio. Bochner said at one time, a support number for Winfixer support also rang through to ByteHosting, which led in part to Reno being added to the suit.