Oct 30, 2010 10:33 GMT

A new and aggressive rogue antivirus program, which gets installed through a fake Microsoft Security Essentials (MSE) alert, forces computers to reboot and prevents the Desktop from loading.

Called ThinkPoint, the program is dropped by a downloader-type application mimicking Microsoft Security Essentials.

The downloader displays a bogus MSE alert claiming that an unknown trojan has been detected on the computer and offers the option to clean it.

Clicking the "clean computer" button prompts another fake MSE window claiming that a solution has been found, in the form of a ThinkPoint(c) trial version. Hitting OK installs the program and reboots the machine.

The exact same fake Microsoft Security Essentials application was previously used to advertise a list of several rogue antivirus programs.

After reboot, the user is presented with a ThinkPoint splash screen with two buttons, one reading "Safe Startup" and an inactive one called "Normal Startup."

Clicking "Safe Startup" launches the rogue application's interface, which informs the user that a scan will be performed.

ThinkPoint claims the heuristics module is required in order to remove the threats discovered during the scan. This module is not included in the trial version and obviously costs money.

It's worth noting that up to this point Windows Explorer is not running; therefore, the victim can't access the desktop.

The behavior of blocking critical operating system features is not new, but is more common to ransomware, a type of application that asks for money in order to restore normal functionality.

Fortunately, for some reason, the ThinkPoint authors have added a simple way to bypass this, in the form of an option called "allow unprotected startup," found under the settings menu.

According to researchers from GFI Sunbelt, enabling this setting and closing the ThinkPoint window will load the Desktop.

Then users can open the Task Manager and kill the hotfix.exe process, the program's main component.

There are some free security applications, like Malwarebytes' Anti-Malware or SUPERAntiSpyware, that do a particularly good job of removing scareware and rogue programs such as this.
