WinZix claims to be a new compression format better than any of the others out there. However, many online users claim[1] that WinZix contains spyware and that it has caused issues on their computers. It has been proven that WinZix leaves files behind after the program is uninstalled. In fact, it leaves an unknown process running that cannot be seen from Task Manager. It also appears to cloak itself, appearing as Internet Explorer ("iexplore.exe").[citation needed] There are also cases where the program deleted the entire content of one folder.
The author claims that the program does not install spyware, viruses, or trojans, but does admit that it installs adware and claims that the adware can be easily removed without removing the program.[2]
v1.0 Format
On opening a .ZIX file in a hex editor, it appears that the .ZIX format is simply a wrapper format used to enclose a given file. Some users have claimed that compressing a 700KB file results in a 701KB file, and this can be directly linked to the fact that WinZix does not appear to actually compress a file. It puts its own file header on the existing file and packages it as a .ZIX file. If you were to remove the first few bytes of the new .ZIX file, you should have the original file (in whatever format it was) back again.
Dissection

The v1.0 .ZIX files are simply the original file padded at the beginning and end with a few extra bytes. Here is an example header of a .ZIX file with an encapsulated .AVI file:

.ZIX header
  0000 5A49580B68E21500000000             ZIX.h......

.AVI header
  0000 524946465467E215415649204C495354   RIFFTg..AVI LIST
  0010 7E2200006864726C6176696838000000   ~"..hdrlavih8...

First 43 bytes of the .ZIX file examined in this article:
  0000 5A49580B68E215000000005249464654   ZIX.h......RIFFT
  0010 67E215415649204C4953547E22000068   g..AVI LIST~"..h
  0020 64726C6176696838000000             drlavih8...

As seen above, an 11-byte header has been added at the beginning of the file: a 3-byte string ("ZIX"), followed by a DWORD (a 4-byte little-endian binary number, 367159307 in this case) giving the location of the second header from the beginning of the .ZIX, followed by a last DWORD ("0", function unknown, possibly the high DWORD of a 64-bit offset). After the ZIX header the original file usually follows, left completely untouched. At the very end of the file, a second header, the footer, has also been added. It contains the following text string:

"d8:announce21:http://www.winzix.com5:filesld9:attributei0e6:finishi367159307e4:name30:Lost.S03E20.HDTV.XViD-Caph.avi4:sizei367159296e5:starti11eeee"

This is very similar to how BitTorrent stores information in its .torrent files (bencoding). When this information is broken apart, one can see that it contains the original filename, size and starting offset within the .ZIX:
"d"                                dictionary (root)
  8 bytes "announce"               (key)
  21 bytes "http://www.winzix.com" (value)
  5 bytes "files"                  (key)
  "l"                              list of file entry dictionaries, as follows:
    "d"                            dictionary (for file entry)
      9 bytes "attribute"
      "i"nteger 0 "e"              (attribute of 0, meaning unknown -- read-only, archive, system... ?)
      6 bytes "finish"
      "i"nteger 367159307 "e"      (.ZIX file position of the last byte of original file)
      4 bytes "name"
      30 bytes "Lost.S03E20.HDTV.XViD-Caph.avi"  (original filename)
      4 bytes "size"
      "i"nteger 367159296 "e"      (original file size, 350 MiB)
      5 bytes "start"
      "i"nteger 11 "e"             (.ZIX file position of the first byte of original file; for the first file this is right after the header, at 11 bytes)
    "e"                            end dictionary (for file entry)
    ... "d"                        dictionary, same as the block above, for each additional file
      9 bytes "attribute" ...      (etc)
    ... "e"                        end of dictionary (for additional file)
  "e"                              end of list (of files)
"e"                                end of root dictionary

By using a hex editor you can simply delete these two headers and save the file, to restore the original file without the use of the WinZIX software, which is infested by spyware.
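As an added example (not code from the original page or from any of the tools linked below), the following Python implements the v1.0 layout described above: the 11-byte "ZIX" header with its footer-offset DWORD, the bencoded footer, and the per-file start/size/finish fields, generalized to the multi-file case the footer format allows. The `make_sample_zix` helper builds a constructed sample archive (not real WinZix output) so the parser can be run offline.

```python
import struct

def bdecode(data, i=0):
    """Minimal bencode decoder (same encoding as .torrent files); returns (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":                              # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                      # list, or dictionary of alternating key/value
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        return (items if c == b"l" else dict(zip(items[0::2], items[1::2]))), i + 1
    colon = data.index(b":", i)                # byte string: <length>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def unzix_v1(blob):
    """Return {filename: bytes} for a v1.0 .ZIX blob; v1.0 never compresses, so each file is a slice."""
    if blob[:3] != b"ZIX" or len(blob) < 11:
        raise ValueError("not a v1.0 ZIX file")
    # 3-byte magic, little-endian DWORD = offset of the footer, second DWORD unused ("0" on the page)
    footer_off, _reserved = struct.unpack_from("<II", blob, 3)
    footer, _ = bdecode(blob, footer_off)
    out = {}
    for entry in footer[b"files"]:
        start, size, finish = entry[b"start"], entry[b"size"], entry[b"finish"]
        # sanity check: finish must equal start + size and lie inside the payload area
        if finish != start + size or start < 11 or finish > footer_off:
            raise ValueError("inconsistent file entry in footer")
        out[entry[b"name"].decode()] = blob[start:finish]
    return out

def make_sample_zix(files):
    """Constructed sample (hypothetical, not real WinZix output): wrap {name: bytes} in the v1.0 layout."""
    body, entries, pos = b"", b"", 11
    for name, data in files.items():
        entries += b"d9:attributei0e6:finishi%de4:name%d:%s4:sizei%de5:starti%dee" % (
            pos + len(data), len(name), name.encode(), len(data), pos)
        body += data
        pos += len(data)
    footer = b"d8:announce21:http://www.winzix.com5:filesl" + entries + b"ee"
    return b"ZIX" + struct.pack("<II", pos, 0) + body + footer

if __name__ == "__main__":
    sample = {"clip.avi": b"RIFF" + bytes(28), "readme.txt": b"constructed sample"}
    assert unzix_v1(make_sample_zix(sample)) == sample
```

Feeding the footer string quoted above to `bdecode` yields start 11, size 367159296 and finish 367159307, which is also the value of the header DWORD (0B 68 E2 15 read little-endian).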
There is no malicious data or information within the .ZIX file itself unless specifically placed there by the .ZIX user, the same as for any archive format. v2.0 files are actually compressed. At this time the format has yet to be fully picked apart, but investigation with a hex editor again reveals similarities to the structure of true .ZIP files.
Links

The programs below will handle version 1.0 files only.
- UnZix is a command-line utility, including source code, written by Jim Dunn: http://www.page13.com/ or various torrent trackers.
- UnZixWin, a Windows-based utility by NeverShaveYourDuck, found on TorrentBox.
- UnZIX (drop your .ZIX onto the tiny .EXE) by EkriirkE: http://www.ekriirke.com/Tools/UnZIX.htm or various torrent trackers.
- UnZixHTA is a free Windows-based HTML Application by Andrew Urquhart that recovers the contents of version 1.0 Zix files, including Zix files that contain multiple files. It can be found, including source code, at http://andrewu.co.uk/tools/unzixhta/
Notes - ^ Online comments about WinZix
- ^ WinZix FAQ
It has been found that if the .ZIX file contains just a single AVI, simply changing the file extension from ZIX to AVI lets certain media player software (such as VLC) open and play the file as normal. If it contained a ZIP file, most popular archivers should be able to open the file unaltered.
v2.0 Format

ZIX 2.0 has now been released. The UnZIX software listed above cannot handle files generated by it. Extracting via the original WinZIX 2.0 executable appears harmless, but it is recommended you still remove all other files in the directory except WinZIX.exe. It is also always best to have a well-configured firewall running that disallows any connection to the internet by WinZIX (and also forbids registration of DLL libraries and launching of other programs by WinZIX). NOTE: It appears that the authors are storing something similar to a .ZIP file, but with the data rearranged. It may then be possible to write a ZIX->ZIP converter applet. More to come later.
Dissection and Code

Luke-Jr has taken a few hours to dissect and reverse engineer the v2 ZIX format. He has published the results, including incomplete code for a decompressor, at http://luke.dashjr.org/programs/dezix/ This code will extract a single file from a v2 ZIX. It has been tested successfully against files generated by the Linux 'console' compressor, but does not seem to work on at least one file found in the wild. Improvements (such as multiple-file support and fixing it to work with ZIXs found in the wild) are welcome.
Removing WinZix

It is possible to delete the WinZixManager.dll file by opening CMD (DOS prompt).
- Go to the location at hand, usually C:\Program Files\Winzix. For those unfamiliar with DOS commands, this is done by typing "cd *LOCATION*"; in this case, cd "program files\winzix".
- While "on-site", so to speak, type, BUT DO NOT EXECUTE, "del winzixmanager.dll".
- Now, open Task Manager (Ctrl+Alt+Del or Ctrl+Shift+Esc) and tell it to stop the "explorer" process. This will kill the inhibiting factor, since the DLL file seems intertwined with explorer.exe; this can be ascertained using WhatsRunning -> Modules. Stopping Explorer will cause the desktop shortcuts to disappear, but they will return: Explorer automatically reinitializes itself.
- Being very fast, quickly press "enter" in CMD, which remains operational. Press "enter" before Explorer reinitializes. The culprit is now erased from the machine.

Solution #2

For people who aren't fast enough, or who like to do it the clean way, you can restart the computer.
- Before you see the Windows splash screen, press F8 a couple of times until you get a screen asking you how to start Windows.
- Choose Safe Mode with Command Prompt. Wait until a DOS prompt appears.
- Go to the location of Winzix by typing cd "program files\winzix" and press enter.
- Type "del winzixmanager.dll" and press enter.
Now you can restart your system. When you boot normally into Windows, you should check C:\Program Files\Winzix to see whether the deleted DLL is still gone. If so, everything worked fine. If not, you need to either use the previously mentioned method where you terminate the explorer.exe process, or retry the "clean" way of removing the DLL. Starting in safe mode is considered clean since only the important processes needed to run the most essential things are started.
Choosing Safe Mode with Command Prompt should provide you a desktop without starting explorer.exe (no shortcuts and such on your desktop) and thus without initializing the WinZIX manager. Good luck.

Solution #3

For people who prefer to think instead of the wiki-wiki type ;) just rename this DLL to another name and restart Explorer; now you can remove it. I haven't tried this with WinZix but have used this method to remove other trojans.

Solution #4

Go to Start, Run, type "cmd" (without the quotation marks). Inside the DOS box, type the following (after each line press enter):
  cd \
  cd program files
  cd winzix
  regsvr32 /u winzixmanager.dll
  exit
After this, it takes about 20 seconds for a window to appear saying that the DLL unregister has succeeded. Now reboot the PC and then, after the reboot, delete the file. (method tried myself)