Remove Fake Microsoft Security Essentials Alert / ThinkPoint

27-11-2010, 07:17 PM

Microsoft Security Essentials Alert is a nasty piece of malicious code that masquerades as the legitimate Microsoft Security Essentials in order to scare victims into thinking that their computers are infected to get them to pay money for the removal of inexistent malware.

The Redmond company first warned of Microsoft Security Essentials Alert in August 2010, and has been working ever since to tackle the rogue antivirus.

As is the case with other fake AV, Microsoft Security Essentials Alert is designed to trick users into thinking that their machine is plagued with malware.

Microsoft Security Essentials Alert does an excellent job at impersonating the real MSE, which is a free security solution offered to Windows users by Microsoft.

However, Microsoft Security Essentials Alert is nothing more than an impostor. Microsoft’s security solutions detect it as Rogue:Win32/FakePAV, namely a piece of scareware which attempts to convince users to pay for a license that will allow them to download and run another rogue antivirus which is supposedly among the very few solutions able to resolve their infection.

Obviously, Rogue:Win32/FakePAV or Microsoft Security Essentials Alert is not a real security solution, the threats are inexistent and users should not allow themselves to be tricked into paying money for anything, let alone a fake AV recommended by this piece of malicious code.

Once it has managed to compromise a PC, Microsoft Security Essentials Alert is capable of seriously handicapping the user experience.

It does this by terminating a range of processes, including Windows Registry Editor, Internet Explorer, Windows Restore, but also additional utilities and applications.

The fake AV defaults the machine to its "ThinkPoint" interface which cuts the user out of the PC completely.

“Win32/FakePAV ThinkPoint variant may modify the computer to stop the affected user from accessing the Desktop, Start Menu and Task Bar,” Microsoft stated.

With no access to Desktop, Start Menu, Task Bar, the Registry Editor, Internet Explorer, Windows Restore, etc. it’s extremely hard for end users to regain control over their PC.

In the event that you were indeed locked out of your computer by Microsoft Security Essentials Alert / ThinkPoint, there is something that you can do.

Microsoft has detailed a few steps necessary to remove the rogue AV. My advice is to first have Microsoft Security Essentials on hand; download it using another machine if you have to.

Other security solutions can also work, but the real MSE can detect and remove Microsoft Security Essentials Alert, and it’s also free provided that you have a genuine version of Windows.

Next, on the ThinkPoint menu click Settings. Check the Allow unprotected startup option and hit Save settings.

This action will permit you to close the rogue Microsoft Security Essentials Alert window and access Windows Explorer.

“Open a command prompt. To do this on Windows XP, click on Start>Run and type "cmd.exe" (without the quotes). To do this on Windows Vista and Windows 7, click on the Windows icon>Run and type "cmd.exe" (without the quotes).

“Kill 'hotfix.exe' by typing following command: taskkill /IM hotfix.exe,” Microsoft explained.

Now install the real Microsoft Security Essentials and fire it up, allowing it to scan your computer.

Microsoft Security Essentials (http://www.softpedia.com/get/Antivirus/Microsoft-Security-Essentials.shtml)

Remove Fake Microsoft Security Essentials Alert / ThinkPoint - Softpedia (http://news.softpedia.com/news/Remove-Fake-Microsoft-Security-Essentials-Alert-ThinkPoint-169006.shtml)

30-11-2010, 08:37 PM
Aggressive ThinkPoint Scareware Poses as Trojan Removal Kit

Security researchers warn that a version of the desktop locking ThinkPoint fake antivirus application is being distributed as a trojan removal tool.

The program is advertised under the name of "Windows Trojan Removal Kit" and is served from scareware websites that display antivirus-like scans.

According to researchers from GFI Software (formerly Sunbelt), the rogue domain used in this case was microsoftwindowssecurity152(dot)com, but similarly-named hosts (with different numbers) distributed the threat in the past.

"Installing the executable can potentially give you a bit of a headache, with what would appear to the average user to be fake 'Blue Screens of Death' and payment nag screens," Christopher Boyd, a GFI senior researcher, warns.

This is because the application is a notorious fake AV program from the ThinkPoint family, whose behavior borders on ransomware.

ThinkPoint sometimes poses as Microsoft Security Essentials (MSE), the legit and free antivirus product from Microsoft, but more importantly it's known to prevent users from using their systems.

After infection, when the computer boots up, the victims will no longer be able to reach the desktop. Instead, they will see ThinkPoint allegedly performing a scan and finding infections.

Like any scareware application, the program claims that it cannot remove the detected malware until a more advanced component is bought.

Fortunately, there is a way for users to bypass the screen lock. It requires going to the program's Settings menu and enabling the "allow unprotected startup" option.

The social engineering trick of passing off malicious applications as malware removal tools is relatively common. Back in October, we reported about a destructive trojan distributed as a removal tool for the Stuxnet worm, which was wiping all data from the system partition.

Users are advised to only download free security tools directly from the websites of known antivirus vendors, or from established download portals, where all applications are checked before being published.

Aggressive ThinkPoint Scareware Poses as Trojan Removal Kit - Softpedia (http://news.softpedia.com/news/Aggressive-ThinkPoint-Scareware-Poses-as-Trojan-Removal-Kit-169592.shtml)
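
The second post notes that the distribution hosts share one name and differ only in a number. As an added example (not part of either post or of the GFI research), the Python sketch below hunts for that naming pattern in DNS query logs. It assumes the family is the same label with a numeric suffix under .com and a constructed three-field log format; the function names and every sample line are hypothetical, and the `999` host is made up to show the pattern generalizing.

```python
import re

# Assumption: "similarly-named hosts (with different numbers)" means the same
# label followed by a different numeric suffix, still under .com.
FAMILY = re.compile(r"^microsoftwindowssecurity\d+\.com$")


def refang(host):
    """Undo common defanging and normalise case and the trailing root dot."""
    host = host.strip().lower()
    for token in ("(dot)", "[dot]", "[.]", "(.)"):
        host = host.replace(token, ".")
    return host.rstrip(".")


def registrable(host):
    """Last two labels of the name; sufficient for a .com-only pattern."""
    return ".".join(host.split(".")[-2:])


def is_family(host):
    """True if the registrable domain matches the numbered naming scheme."""
    return bool(FAMILY.match(registrable(refang(host))))


def hunt(log_lines):
    """Return (client, queried name) for every matching query.

    Constructed line format: '<timestamp> <client_ip> <qname>'.
    Lines that do not have exactly three fields are skipped.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, qname = parts
        if is_family(qname):
            hits.append((client, refang(qname)))
    return hits


# Constructed sample log, not real telemetry.
SAMPLE_LOG = [
    "2010-11-30T10:01:02 10.0.0.5 www.softpedia.com",
    "2010-11-30T10:01:09 10.0.0.7 microsoftwindowssecurity152.com",
    "2010-11-30T10:02:11 10.0.0.7 WWW.MicrosoftWindowsSecurity999.com.",
    "2010-11-30T10:03:40 10.0.0.9 microsoftwindowssecurity152.com.example.net",
    "2010-11-30T10:04:00 10.0.0.9 microsoftwindowssecurity.com",
    "malformed line",
]
```

Matching on the registrable domain rather than a substring keeps a look-alike prefix under an unrelated parent domain (the fourth sample line) from raising a false hit, while still catching subdomains and mixed-case queries.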