ThinkPoint is a new addition to the long list of rogue antivirus programs. ThinkPoint uses fake codec download tricks for its distribution. Once installed, it shows a fake “Microsoft Security Essentials Alert” popup box showing a non-existent threat.
ThinkPoint adds a Winlogon Shell registry entry, so that ThinkPoint starts up instead of Windows Explorer during Windows startup. ThinkPoint hijacks the startup/login screen.
At this point, follow these steps to get back the standard Windows desktop:
- Start Task Manager by pressing CTRL+ALT+DEL and kill the process named hotfix.exe.
- Go to File Menu > New Task (Run) in Task Manager and type explorer.exe to spawn Windows Explorer.
In case you don’t find hotfix.exe process in Task Manager, it could mean that the rogue program is using a different filename. Interestingly, there’s a workaround built into this rogue program to get to desktop:
- Click “Safe Startup” button and allow it to finish its fake scanning (duh!). After it completes scanning and shows scan results, click “Continue Unprotected”.
- Now, click “Settings” and select the option “Allow unprotected startup”.
- Close ThinkPoint rogue program’s window by clicking the close button on top-right corner. This should take you to the standard Windows desktop.
VirusTotal scan results for ThinkPoint installer can be found here. Malwarebytes’ Anti-Malware can be used to remove ThinkPoint rogue antivirus program completely.
View full post on Swatkat’s rants
