ThinkPoint

Common name: ThinkPoint
Technical name: hotfix.exe, defender.exe
Aliases: Rogue:Win32/FakePAV, Unknown Win32/Trojan, Red Cross Antivirus, Peak Protection 2010, AntiSpy Safeguard, Major Defense Kit, Pest Detector, Privacy Guard 2010, Palladium Pro
Family: Malware, Antivirus software (fake antivirus protection)
Classification: Scareware
Type: Rogue security software
Operating system(s) affected: Microsoft Windows XP and up
Filesize: Varies
Written in: Object Pascal

ThinkPoint (also known as Red Cross Antivirus, Peak Protection 2010, AntiSpy Safeguard, Major Defense Kit, Pest Detector, Privacy Guard 2010, and Palladium Pro) is a bogus virus/malware scanner that impersonates real antivirus programs and pretends to warn the user about threats and viruses it has "detected". It was created in August 2010.

The following message will be displayed if a user opens up a program scanned by the scanner:

The application XXXXXXX.exe was launched successfully but it was forced to shut down due to security reasons.

This happened because the application was infected by a malicious program which might pose a threat for the OS.

It is highly recommended to install the necessary heuristic module and perform a full scan of your computer to exterminate malicious programs from it.

Payload

The payload starts by deliberately closing the browser and displaying a fake Microsoft Security Essentials warning that asks the user to download an antivirus program and restart the computer to complete installation.

It then runs automatically at system startup, before Windows Explorer (thereby removing access to the taskbar and icons until the program is closed). The ThinkPoint splash screen appears with two buttons: "Normal Startup" (disabled) and "Safe Startup" (enabled).

It has a Vista-like interface and uses the Windows logo. After the user clicks the "Safe Startup" button, it runs a fake system scan and lists a series of so-called "threats" it has detected. It then prompts the user to either buy a "heuristic program" or "continue unprotected." Usually, a user will choose "continue unprotected," but the same window keeps appearing, leaving users no choice but to buy the program for USD $99.90. The program is known to block the Windows Task Manager, Windows Explorer, Google Chrome, and other programs that may terminate it. When a user presses the CTRL-ALT-DELETE or CTRL-SHIFT-ESC key combination, ThinkPoint prevents Task Manager from starting and displays a window that reads: "The program taskmgr.exe is blocked due to safety issues which may pose a threat to the OS."

This article is issued from Wikipedia - version of the Thursday, March 26, 2015. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.