New Scareware Displays Fake Microsoft Security Essentials Alerts

A new and aggressive rogue antivirus program, which gets installed through a fake Microsoft Security Essentials (MSE) alert, forces computers to reboot and prevents the Desktop from loading.

Called ThinkPoint, the program is dropped by a downloader-type application mimicking Microsoft Security Essentials.

The downloader displays a bogus MSE alert claiming that an unknown trojan has been detected on the computer and offers the option to clean it.

Clicking the “clean computer” button prompts another fake MSE window claiming that a solution has been found, in the form of a ThinkPoint(c) trial version. Hitting ok, installs the program and reboots the machine.

When you fall victim to the ThinkPoint rogue security application, the downloader reboots your machine then presents the victim with its own scanning screen on what appears to be a Windows blue screen.

Once the machine is rebooted, the rogue takes over the machine by preventing Explorer.exe to load (which means, the desktop will not load, either). If you click on the X in the upper right corner to close out of ThinkPoint, you are then presented with the “unprotected startup” screen.

A victim can’t get around the ThinkPoint screen because “current settings don’t allow unprotected startup.”

However, ThinkPoint actually has an operating “settings” selection with a drop-down box that includes a checkbox “Allow unprotected startup.” You can close the ThinkPoint window and load your desktop once that has been checked. From there, you can use Windows Task Manager to stop hotfix.exe — the rogue’s main file.

Alternatively, you can install and run Vipre which will remove the rogue, too.