By Crescencio Reyes – PC Tools Malware Research Division
A new rogue antivirus that is part of the fake Security Essential rogue malware was recently reported. When the binary is executed, it shows a splash screen that is displayed on top of all application windows.
Figure 1: ThinkPoint splash screen
When the “Safe Startup” button is clicked, it displays a window that performs a fake scan of the infected machine.
Figure 2: Fake scan
After the scan completes, it presents the results and encourages you to install the full version. You cannot continue unprotected, since it will just display these windows repeatedly.
Figure 3: Scan results
Clicking on “Install the full version” will take you to the payment page.
Figure 4: Payment page
After rebooting an infected machine, the malware will take over your desktop and only display the splash screen window as shown in Figure 1.
To bypass the splash screen, press CTRL+ALT+DEL to bring up the Task Manager. Search for hotfix.exe in the process list and kill that process. Then click File, choose “New Task (Run...)”, type explorer.exe and click OK to load the desktop, so that you can install or run Spyware Doctor to do a thorough cleanup of the infected machine.
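The same recovery steps can be scripted so that the path and hash of the rogue binary are recorded before the process is killed, which helps the later cleanup find the file. This is an added example, not part of the original article; it assumes a Windows system with PowerShell 4.0 or later, and the function name and log location are hypothetical.

```powershell
# Added example: scripted form of the manual Task Manager steps above.
# Assumes PowerShell 4.0+ (for Get-FileHash). Function name and log path are hypothetical.
function Stop-RogueShell {
    param(
        [string]$ImageName = 'hotfix.exe',                      # process name given in the article
        [string]$LogPath   = "$env:TEMP\rogue-process-log.csv"  # hypothetical evidence log
    )

    # Win32_Process exposes the on-disk path, parent PID and command line of each match.
    $procs = @(Get-CimInstance Win32_Process -Filter "Name='$ImageName'")
    if ($procs.Count -eq 0) {
        Write-Warning "No process named $ImageName is running."
    }

    foreach ($p in $procs) {
        # Hash the image while it still exists, so the file can be identified during cleanup.
        $hash = $null
        if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
            $hash = (Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            Time            = (Get-Date).ToString('o')
            ProcessId       = $p.ProcessId
            ParentProcessId = $p.ParentProcessId
            Path            = $p.ExecutablePath
            CommandLine     = $p.CommandLine
            SHA256          = $hash
        } | Export-Csv -LiteralPath $LogPath -Append -NoTypeInformation

        # Equivalent of "End Process" in Task Manager.
        Stop-Process -Id $p.ProcessId -Force -ErrorAction Continue
    }

    # Equivalent of File > New Task (Run...) > explorer.exe: restore the desktop shell if it is missing.
    if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
        Start-Process explorer.exe
    }

    return $LogPath
}

Stop-RogueShell
```

The script matches on the process name only, so check the Path column in the log before treating the file as the rogue binary.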