
March 24th, 2007

Goal of this page

  1. Educate the online community about the scope of the problem
  2. Document all instances of the problem
  3. Provide methods and practices that industry players can use to prevent the problem
  4. Hopefully bring enough attention to the issue that someone goes after and stops the people behind it

Updates to this page

2007-03-24: Page Created
2007-03-25: Added “Work and live in Canada” ads, with creative that has unobfuscated actionscript.
2007-03-27: Added actionscript for Matchservice creative
2007-04-05: Get Safe Online scam
2007-04-06: Added sports betting tips fake ad
2007-04-18: Added, and
2007-04-23: Added, and
2007-05-30: Added speedbit, cyberipod, how2vacation, ediets and flycell

What is the Errorsafe Scam?

At its core it’s the abuse of the online advertising industry to install highly questionable desktop software — namely programs like Errorsafe and Drivecleaner. Symantec’s thoughts on Errorsafe and Drivecleaner. More specifically, via a massive network of brokers, the people behind it place media buys with ad networks, portals and websites, using fake ads for fake services which under specific conditions use Active-X controls, Windows exploits and various other methods to install their desktop software application — which essentially is spyware.

The end result is the proliferation of Spyware on the internet, terrible end-user experiences and just general badness. On this page I will catalogue all instances of this scam that I have observed.

If you’re still confused, here are a couple of articles that talk about impacts to specific companies:
— Hacked Ad Seen on MySpace Served Spyware to a Million
Spyware Sucks! — Winfixer and Errorsafe being distributed via MSN Messenger banner advertisements
Spyware Sucks! — GOTCHA! Winfixer and AOL
Slashdot — Malware Installed by LiveJournal Ad

How can it be stopped?

First off — all online sellers need to audit the ads they run and deactivate any instances of the scam documented below. When possible, sellers should try to identify the responsible party and take legal action. Next, all new advertisers should be screened to ensure that the creatives they provide are safe and legitimate.

As an industry — someone should take ownership of solving this problem. This could be the IAB, a larger player such as AOL or MSN or perhaps an Attorney General somewhere.

How can you help?

  • Campaign Managers and Salespeople:
    1. Make sure you understand what this scam is and how it works
    2. When working with a new Advertiser, check with colleagues and contacts at other companies as to the legitimacy of the broker/advertiser
    3. When unsure about the reputation of an advertiser, do not accept third party creatives
    4. If you choose to accept flash creatives, decompile and check the contents (more details below)
    5. Impose strict penalties in Insertion Orders for nonstandard behavior, money talks
    6. Do NOT continue to work with a broker once he has been shown to promote this scam
  • Website owners:
    1. Make sure you understand what this scam is and how it works
    2. Monitor user complaints for occurrences of the scam
    3. When you find an instance, use tools such as Tamper Data to record referring URLs to provide enough evidence for your ad networks to find and stop the scam.
    4. If your ad networks are in denial — send them to this page and then cancel the relationship
  • Executives in the ad industry:
    1. Take a 1-strike approach to all partners that assist in this scam
    2. Be accountable if your organization promotes this scam
    3. Take legal action against partners that abuse you to promote the scam
  • Law enforcement & Government Agencies:
    1. Realize that this is a very large issue for the industry — this has affected every single ad network in the industry and some of the largest players in the space. Millions of users have spyware installed on their machines because of this and it must be stopped.
    2. Find the responsible people and put them in jail
    3. More specifically — start a taskforce that catalogues all documentation and proof of this scam to build the case against the people behind Errorsafe

What should you look for?

There are two key things you can do: stop existing instances, and look for new methods and instances. If you find a new method or instance that is not catalogued on this page, please email me. The main way to identify the scam is by looking at technical details, e.g. decompiling flash and documenting referring URLs. Please see the very bottom of this page for how to dig through flash files and what ads and websites to look for.

‘Shell’ websites that serve solely to propagate ErrorSafe
The site: An online service that proclaims to help individuals ‘work from home’.
Whois Registration:

    Administrative Contact:
    Hostmaster, IntellectualDecisions, Inc.
    Cnr of Granby & Sharpe St, Suite K2135
    Kingstown, NA
    +1.5551231234    Fax: +1.5551231234

Sample ad:
Actual flash file: WorkHomeCenter SWF
Sample Bad redirect:[...]
Sample install:

The site: A dating site. The first time I saw this site you couldn’t even ‘signup’. The site seems to have expanded a bit but still several pages have errors on them. E.g. when trying to look at a profile I get an error “view error: Question `p_gender`: Function `print_radio($param_name, $value, $sources, $style, ‘ ‘);` doesn’t exists, Session halted.”
Whois Registration:

 Administrative Contact:
    web, hostmaster
    65 Queen's Gate
    London, SW7 5JS SW7 5JS
    0870 770 4581

Sample ad:
Actual flash file: Matchservice SWF
Sample Bad redirect:[...]
Sample install:
Actual actionscript (obfuscated): Matchservice Actionscript

The site: Relax at home and get paid to do nothing. You give them a name and email… and that’s it, nothing else on the page.
Whois Registration:

        Name      : MARKUS MCCOY
        Email     :
        Address   : 5th Hancock Ave, Murrieta CA
        Zipcode   : 25405
        Nation    : US
        Tel       : 951-461-2785
        Fax       :

Sample ad:
Actual flash file: mysurvey4u.swf
Sample redirect:
Sample install:

The site: A ‘casual sex’ dating site. The signup form for this site is exactly the same as the one on Note, this might actually be a legitimate site, but what makes me think it’s associated with Errorsafe is the fact that Google searches show that it runs full page ads on spyware and the flash file below clearly has the code to run Active-X installs embedded in it.
Whois Registration:

 Administrative Contact:
    Brune, Henry
    254  Amesbury Avenue
    555-123-1234    Fax: 555-123-1234

Sample ad:
Actual flash file: Sexbuddies SWF
Sample redirect:
Sample install:

The site: A site that claims to help you find work permits in Canada (similar theme to WorkHomeCenter here?). Google search reveals no legitimate links to and only postings related to spyware, unexpected popups, and links to other sketchy things.
Whois Registration:

Registrant Name:Giorgio Vierra
Registrant Organization:Cannis
Registrant Street1:Rua Joaquim
Registrant City:Tavora
Registrant State/Province:Sao Paulo
Registrant Postal Code:1066
Registrant Country:ES
Registrant Phone:+34.04015015
Registrant Phone Ext.:

Sample ad: Canada
Actual flash file: Canada SWF
Sample redirect:
Sample install:
Actionscript Code: Canada Actionscript

The site: An airfare search site. All searches went to which seems to be shut down. 800 # associated with whois doesn’t seem to go anywhere nor is it registered to a legit business as far as I can tell.
Whois Registration:

 Administrative Contact:
    Hostmaster, Traveltray Inc.
    158 West Av
    Talmage, OH 67482

Sample ad:Traveltray IMG
Actual flash file: Traveltray SWF
Actionscript Code: Traveltray Actionscript

The site: Get paid to drive, free car, blah blah blah… (this is getting old)
Whois Registration:

 Administrative Contact:
    Hostmaster, GetFreeCar
    P.O. box 145
    Zaporozhye,  69006
    +3 8044 5170437    Fax: +3 8044 5170437

Sample ad: GetFreeCar JPG
Actual flash file: GetFreeCar SWF
Actionscript Code:GetFreeCar Actionscript

Fake ads for legitimate sites:

The scam has moved beyond the shell sites, and I have observed multiple instances of flash ads for legitimate websites that have code embedded within them to launch popups and do Errorsafe Active-X installs. I’ve catalogued the ones I’ve found below. Each one, if you decompile it, has highly similar encrypted Actionscript embedded that triggers Active-X installs. Note, for all I know, some of the less reputable/well known companies below could very well be associated with Errorsafe. If you have evidence/documentation for that, please email it to me or post a comment!

Victim: Travelocity
Sample creative: Travelocity
Actual flash file: Travelocity SWF
Actionscript: travelocity.txt

Victim: Priceline
Sample creative: Priceline
Actual flash file: Priceline SWF
Actionscript: pricelines.txt

Sample creative: 10 Bet
Actual flash file: 10 Bet SWF
Actionscript: 10bet.txt

Sample creative: LowerMyBills
Actual flash file: LowerMyBills SWF
Actionscript: Actionscript stored in 3rd party file here — — which I downloaded before but isn’t working right now.

Victim: UFO Afterlight
Sample creative: UFO Afterlight
Actual flash file: UFO Afterlight SWF
Actionscript: ufoafterlight.txt

Sample creative: ShopAtHomeTV
Actual flash file: ShopAtHomeTV SWF
Actionscript: shopathome.txt

Victim: Casino Ace King
Sample creative: Casino Ace King
Actual flash file: Casino Ace King SWF
Actionscript: aceking.txt

Sample creative: Get Safe Online
Actual flash file: Get Safe Online SWF
Actionscript: Get Safe Online Actionscript

Sample creative: Sports Betting Tips Screencapture
Actual flash file: Sports Betting Tips SWF
Actionscript: sportsbettingtips.txt

Sample creative: Xing Screenshot
Actual flash file: Xing SWF
Actionscript: Xing SWF

Sample creative: Thinkindie Screenshot
Actual flash file: Thinkindie SWF
Actionscript: Thinkindie Actionscript

Sample creative: JPG
Actual flash file: SWF
Actionscript: — breaks decompiler —

Sample creative: Flycell Screenshot
Actual flash file: flycell.swf
Actionscript: Flycell Actionscript

Victim: Cyber iPod
Sample creative: cyberipod.JPG
Actual flash file: CyberiPod SWF
Actionscript: CyberIpod Actionscript

Victim: eDiets
Sample creative: eDiets Screenshot
Actual flash file: eDiets Actionscript
Actionscript: eDiets Actionscript

Sample creative: how2vacation.JPG
Actual flash file: How2vacation SWF
Actionscript: How2vacation Actionscript

Sample creative: speedbit.JPG
Actual flash file: Speedbit SWF
Actionscript: Speedbit Actionscript



How to analyze flash files

  1. Open the file in Firefox with the Tamper Data extension enabled. If it loads content from third party servers it should be considered suspicious.
  2. Open the flash file with Action Script Viewer. Look into the actionscript for certain patterns. Specifically:
    • Encryption. If you look at the actionscript posted above you see some common patterns — namely that the code is encrypted and unreadable. You should never run a flash creative that has encrypted code.
    • Links and/or references to third party servers such as,, etc.
  3. Use common sense. A pixelated ad for Travelocity is most likely not legitimate. Any large online advertiser uses an adserver — so if you are asked to host a creative for a larger marketer — think twice before uploading it.
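
As an added example (not code from this page or from Action Script Viewer), here is a static version of steps 1 and 2 in Python: it unpacks an FWS/CWS file, lists the script-bearing tags, reports URL hosts outside an allowlist, and flags DoAction bytecode that cannot be walked record by record. The host names, the files built by `build_sample` and the `walks_cleanly` heuristic are assumptions of the example; the `ODD` sample is a constructed jump followed by a stray byte.

```python
import re
import struct
import zlib

SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}
HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")

def swf_body(data):  # -> (version, uncompressed body after the 8-byte header)
    sig, version = data[:3], data[3]
    if sig == b"FWS":
        return version, data[8:]
    if sig == b"CWS":  # zlib-compressed body: grepping the raw file can miss URLs
        return version, zlib.decompress(data[8:])
    raise ValueError("not an FWS/CWS file: %r" % sig)

def iter_tags(body):  # yields (tag_code, payload) for each tag record
    nbits = body[0] >> 3                # bit width of each RECT field
    pos = (5 + 4 * nbits + 7) // 8 + 4  # skip RECT, frame rate, frame count
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:              # long header: 32-bit length follows
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                   # End tag
            break

def walks_cleanly(actions):
    """Heuristic (assumed here): readable AVM1 code walks to one final ActionEnd."""
    pos = 0
    while pos < len(actions):
        op, pos = actions[pos], pos + 1
        if op == 0x00:
            return pos == len(actions)
        if op >= 0x80:                  # these opcodes carry a 16-bit length
            if pos + 2 > len(actions):
                return False
            pos += 2 + struct.unpack_from("<H", actions, pos)[0]
    return False

def triage(data, allowed_hosts):
    version, body = swf_body(data)
    hosts = {h.decode().lower() for h in HOST_RE.findall(body)}
    third_party = sorted(h for h in hosts if not any(
        h == a or h.endswith("." + a) for a in allowed_hosts))
    tags = [(c, p) for c, p in iter_tags(body) if c in SCRIPT_TAGS]
    unreadable = any(c == 12 and not walks_cleanly(p) for c, p in tags)
    return {"version": version, "script_tags": [SCRIPT_TAGS[c] for c, _ in tags],
            "third_party": third_party, "unreadable": unreadable,
            "suspicious": bool(third_party or unreadable)}

# --- Constructed test files below; none of this comes from a real creative ---
def _tag(code, payload=b""):
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload

def _get_url(url):
    arg = url + b"\x00_blank\x00"       # ActionGetURL: URL string, target string
    return b"\x83" + struct.pack("<H", len(arg)) + arg

def build_sample(actions, compress):
    body = (b"\x00" + struct.pack("<HH", 12 << 8, 1)   # empty RECT, 12 fps, 1 frame
            + _tag(12, actions) + _tag(1) + _tag(0))
    packed = zlib.compress(body) if compress else body
    sig = b"CWS\x08" if compress else b"FWS\x08"
    return sig + struct.pack("<I", 8 + len(body)) + packed

CLEAN = _get_url(b"http://www.advertiser.example/landing") + b"\x00"
ODD = _get_url(b"http://geo.thirdparty.example/check") + b"\x99\x02\x00\x01\x00\xff\x00"

if __name__ == "__main__":
    print(triage(build_sample(ODD, True), {"advertiser.example"}))
```

Strings that obfuscated code assembles at run time will not appear in the host scan, which is why the bytecode check is reported as a separate flag.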

Final Thoughts

Please send me feedback on this page. If you think I’m incorrect on any of the information it’s critical that you let me know! I will try to update this page regularly. Once updates start I’ll make sure to note at the top what changes I’ve made to the page. Why did I spend so much time documenting all this? I want to bring awareness. The last thing I want is a crusade against AOL, MSN, or any ad-network for running these ads. EVERYBODY is running them — and EVERYBODY needs to work together to stop them.

  • Mike On Ads » Blog Archive » Errorsafe — what is it, how do we stop it?

    [...] Errorsafe [...]

  • Mike

    Btw… I realized I never mentioned this, but this is really a subset of the larger scam that IS errorsafe (e.g. “registry cleaning” when it really isn’t). I’m not trying to address that issue at all, there are plenty of people out there writing about spyware and how it’s bad. This page specifically deals with how Errorsafe abuses the online advertising industry.


  • Wayne Porter: E-commerce And Marketing- Greyware The Intersection of Money & Social Media

    The Fix on Winfixer via AOL- The Latest Tricks Exposed…

    Microsoft IE Security MVP, Sandi Hardmeier, pinged me earlier this weekend over yet another problematic advertisement in a big network. She blogs again on the elusive “Winfixer”, or you can pick a name among many, for this deceptive software scam. I …

  • Wayne Porter

    Hey Mike I referenced your work here:

    Does it all seem to resonate based on what you have seen?

    Great read and detective work.


  • Mike


    You’re right — I should have said ‘obfuscated’ actionscript, not ‘encrypted’. I also do work for Right Media =).

    I had a non-obfuscated version of the actionscript a while back, I’ll see if I can dig it up and post it as it shows exactly what they’re doing. In essence, there are two key things the flash files do:

    #1 – Check the geo of the user. Since GeoIP databases are too large to store, the file has to request this info from a third-party server.

    #2 – Uses javascript to check all sorts of browser parameters. E.g., the timezone of the browser. If the buy is with a US based ad-network, no browser with a US timezone would trigger the active-x.

  • Carmen


    Just came across this information after receiving an odd message from I was on at the time, which doesn’t surprise me since my resume was “picked up” by some email scammers (phishing for SSN#s I guess) from that site recently. I have also been browsing EBay quite a bit lately. What exactly do I have to fear, as a consumer, from these heavy-traffic sites? I rarely click on the types of ads you have shown here, but now I NEVER will. I’ll just go directly to any website I want to visit. I work on an Apple MacBook, which I believe to be far less susceptible to viruses, and this drivecleaner showed up while I was browsing in Firefox. Any thoughts?

  • Mike

    You’re better off on a mac, that’s for sure. As far as I know there are no ‘Drivecleaner/Errorsafe/Winfixer’ equivalents on the Mac. In general, here would be my end-user tips:

    - Use Firefox not IE. Firefox has its bugs, but far fewer than IE.
    - In Firefox, make sure you leave the ‘open exe’ warning enabled. This will prevent you from accidentally installing an app by clicking ‘yes’.
    - Avoid shady sites…
    - Always have anti-spyware & virus protection applications running and make sure they are always up to date.
    - Auto-install operating system updates to keep you secure.

  • Nancy

    Any experience with this group?

  • Jon Brotherhood

    thanks for the info Mike. good work. this has to be illegal. i am running a large group of sites that have been affected by networks placing ads on which have this product spawning from the back of banners. it has effectively destroyed the traffic in a few of the sites where it was unnoticed for a while. users believe the site must be riddled with viruses and never return. i am looking for someone to sue so if anyone ever gets a contact detail for this company, let me know. jon

  • Paul

    Wikipedia have some good details on the people behind this.

    I’m using a mac and got this in firefox as well.

  • Benny Radjasa

    Hi Mike, how do you decrypt the encrypted scripts once you have decompiled the flash file? So you know what encryption they used?

    - Benny

  • Mike

    Not sure how to decrypt it yet actually. Actionscripts I’ve posted are all still encrypted/obfuscated. The patterns of the code match that of SWFEncrypt.


  • Michael

    I had this errorsafe virus on my computer not too long ago, it was freaking ANNOYING! I don’t even know how I got it either. Every other page I went to I’d get a pop up. Then these weird audio ads would play, one was for doritos, one was for molsin, and one was a weird mixture of creepy sounds. They really need to catch whoever is doing this, because some people aren’t smart enough to be able to get it off their computers, and some people also buy the “software” they suggest you buy to get rid of it.

    I really appreciate you writing this so people know what to watch out for, the sad thing is that most people won’t care about these tips until they have the virus on their computer.

    Thanks and keep up the good work advising people of this problem.

  • Chris

    Mike, great info – this is the best Errorsafe info site I have been able to find.

    I’m a developer at a large site and we are having a pretty big problem with our UK users getting errorsafe popups. I tried browsing through UK proxies, but couldn’t reproduce the spyware (probably some script blocking in effect on the proxy end).

    Does anyone have any suggestions about how to block these ads or start minimizing the problem?

    Thanks a lot guys.


  • Mike

    Chris — Try changing your timezone to UK and also playing around with browser headers. Also, clear out both cookies and flash stored objects and you just MIGHT be able to reproduce the behavior.

    On stopping this — I’m probably as frustrated as you are. The info is here — networks need to work harder to stop this and SOMEBODY needs to sue these guys!


  • Djaage

    1. Don’t use IE as primary browser..
    2. How to prevent this in firefox, Switch off JAVA, you can always switch it back on when you need it.
    (Tools – Content – Java Hook Booth Off)On When you need JAVA

    3. Set up your system with 2 partitions, one for system only and the second for user files. Move My Documents folder to d Drive. (Now you will not lose any personal data in case you need to re-install the system.) If that happens make sure you rename the Documents and Settings Folder on the D drive before you re-install. Call it OldDocuments and Settings
    My system is 15 gig for c drive and 285 for drive.
    My C Drive is FAT32 and my D Drive is NTFS (you can also have both as NTFS).
    Create a folder on D Drive call it BACKUP
    copy c partition with ghost to D: Backup
    Burn also the Backup copy out on a dvd. JUST IN CASE
    Ghost Tips: Do not use any compression when you make backups.

    Now The ULTIMATE Prevention:::

    Get hold of Deep Freeze from Faronics.

    Freeze the C Partition

    If You ever get any problems now you just restart your machine. And everything will come back.

    TIPS FOR DEEPFREEZE: DO NOT MAKE GHOST COPY WITH FROZEN MACHINE You need to Uninstall DEEP FREEZE before you make a new ghost file.

    You will also need to move your IE Favourites to d: folder Documents and Settings. I use a registry tweak program for that. In firefox edit the profile

    Close Firefox
    Move your bookmarks to the desired location. say “D:\whatever\bookmarks.html”

    Now go to

    C:\Documents and Settings\djaage YOUR NAME\Application Data\Mozilla\Firefox\Profiles\7to4koqd.default(This name can be different)
    Open prefs.js with notepad

    Add this to prefs.js

    user_pref("browser.bookmarks.file", "d:\\Documents and Settings\\djaage YOUR NAME\\My Documents\\bookmarks.html");

    Now you will never miss any bookmarks and if you need to update firefox for the future you still don’t miss any bookmarks.

    Good Luck


  • Jack Yan

    Thank you so much, Mike, for identifying some of the aliases these bastards might be hiding behind. This is an incredibly useful page for a fellow publisher.

  • Jack Yan

    Mike, me again: I believe ads were hijacked in some way (as Carmen experienced on April 22 when she went into the site). We ran some of that company’s ads on one of our sites and they loaded up the SystemDoctor/ErrorSafe/DriveCleaner windows. When I went through the cache, I found the CareerBuilder ads were hosted by, which may have some connection to these products. We’ve had to disable many of the ads from the ad network until we hear from them that their client has been removed. Sorry I don’t have a screen shot for you.

  • Mandy

    hi mike, if a flash ad is served and we grab their code and in the embed tag we add allowScriptAccess=”never” allowNetworking=”internal” would that not solve this issue?

  • Mike

    That’s a great question! I would imagine that it does! I will try to test it sometime this weekend.

  • Mandy

    hey mike, did you get a chance to try this out? can you point me to a swf file that injects this problem so that i can try it out?

  • Mike

    Wow, such a simple solution and it does work! I’ve set up two test pages –

    Indeed the new flash-9 permissioning works as on my machine the first URL redirects to ‘PC TurboPRO’ and the second doesn’t.
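
The embed-tag restriction discussed in the comments above, as an added example that is not part of the original thread: a Python filter that forces `allowScriptAccess="never"` and `allowNetworking="internal"` onto third-party ad markup before it is trafficked, covering both `<embed>` attributes and `<object>`/`<param>` pairs. The sample tag and its host name are constructed, and the regular expressions assume attribute values that contain no `>` character.

```python
import re

EMBED_RE = re.compile(r"<embed\b[^>]*>", re.IGNORECASE)
OBJECT_RE = re.compile(r"<object\b[^>]*>", re.IGNORECASE)
# Any access-control attribute the supplier already put on an <embed>.
ATTR_RE = re.compile(
    r"""\s+(allowScriptAccess|allowNetworking)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""",
    re.IGNORECASE)
# Any <param> that sets the same two properties inside an <object>.
PARAM_RE = re.compile(
    r"""<param\b[^>]*\bname\s*=\s*["']?(allowScriptAccess|allowNetworking)\b[^>]*>""",
    re.IGNORECASE)

LOCKDOWN_ATTRS = ' allowScriptAccess="never" allowNetworking="internal"'
LOCKDOWN_PARAMS = ('<param name="allowScriptAccess" value="never">'
                   '<param name="allowNetworking" value="internal">')


def harden_embed(tag):
    """Drop the supplier's access attributes and append the restrictive pair."""
    self_closing = tag.rstrip(">").rstrip().endswith("/")
    core = ATTR_RE.sub("", tag).rstrip(">").rstrip().rstrip("/").rstrip()
    return core + LOCKDOWN_ATTRS + (" />" if self_closing else ">")


def harden_ad_tag(html):
    """Return the ad markup with script access and browser navigation disabled."""
    html = PARAM_RE.sub("", html)                        # remove permissive params
    html = OBJECT_RE.sub(lambda m: m.group(0) + LOCKDOWN_PARAMS, html)
    return EMBED_RE.sub(lambda m: harden_embed(m.group(0)), html)


# Constructed third-party tag that asks for full script access.
SAMPLE = ('<object width="728" height="90">'
          '<param name="movie" value="http://cdn.adserver.example/banner.swf">'
          '<param name="allowScriptAccess" value="always">'
          '<embed src="http://cdn.adserver.example/banner.swf" '
          'allowscriptaccess="always" width="728" height="90"></embed></object>')

if __name__ == "__main__":
    print(harden_ad_tag(SAMPLE))
```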


  • Mandy

    Awesome! :) Thanks for testing it out Mike.

  • Sample Advertising Copy

    I found your blog via Google while searching for sample advertising copy and your post regarding Errorsafe looks very interesting to me. I have a few websites of my own and I must say that your site is really top notch. Keep up the great work on a really high class resource.

  • De-constructing Malicious Flash « Sosuke

    [...] of this code in to find someone else that had run into this. I turned up a txt file from the site Mike on Ads – Errorsafe. He even put together an example of what this type of code can do if you look at the comments of [...]
