

After the malware is executed, it creates a copy of itself named 'hotfix.exe' or 'shell.exe' in the '%appdata%' folder. It then changes the Shell value of the Winlogon registry key: the entry for explorer.exe is deleted and a new entry for the newly created copy is added.


The scareware infection stays silent until the user tries to execute another program. Because the registry key has been changed, ThinkPoint starts for each executed program and shows a dialog.
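A check for the persistence change described above, as an added example that is not part of the original article: it reads the Winlogon Shell value and looks for the two dropped file names in %appdata%. The registry paths are the standard Winlogon locations (an assumption, since the article does not give the full path), and `Test-ShellValue` is a hypothetical helper name.

```powershell
# Added example: audit the Winlogon Shell value and look for the dropped copies.
# Assumption: the standard Winlogon key locations; the article does not give the full path.
$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$DroppedNames = @('hotfix.exe', 'shell.exe')   # file names given in the article

# Hypothetical helper: returns one finding per suspicious Shell entry.
function Test-ShellValue {
    param([string]$Value)
    $expected = Join-Path $env:windir 'explorer.exe'
    # Shell can list several comma-separated programs, so check each one.
    foreach ($entry in ($Value -split ',')) {
        $exe = $entry.Trim().Trim('"')
        if (-not $exe) { continue }
        if ($exe -ieq 'explorer.exe' -or $exe -ieq $expected) { continue }
        $reason = 'not the default explorer.exe'
        if ($DroppedNames -contains (Split-Path -Path $exe -Leaf).ToLower()) {
            $reason = 'file name used by ThinkPoint'
        }
        [pscustomobject]@{ Entry = $exe; Reason = $reason }
    }
}

foreach ($key in $WinlogonKeys) {
    # The value is normally absent under HKCU; that is not a finding.
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) { continue }
    foreach ($finding in (Test-ShellValue -Value $shell)) {
        Write-Warning "${key}: '$($finding.Entry)' ($($finding.Reason))"
    }
}

# Run as the affected user: %appdata% is per-user.
foreach ($name in $DroppedNames) {
    $path = Join-Path $env:APPDATA $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Warning "Found $path (SHA256 $hash)"
    }
}
```

A non-default Shell entry is a lead to investigate rather than proof of infection, since kiosk-style setups sometimes set it on purpose.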

ThinkPoint imitates the look of legitimate software, using “Microsoft Security Essentials” as its window title. To see what the scareware is doing, we choose the “Apply actions” button.

After that, the fake “Microsoft Security Essentials” offers us a trial version of ThinkPoint to solve the problem. As we would like to solve our problem, we hit the “OK” button, and the computer is rebooted.

After the restart we are greeted with a new screen:

The user cannot interact with the computer anymore. The only action available is to continue with “Safe Startup”. The fake antivirus scanner then starts and shows us fake detections on legitimate software:

ThinkPoint now offers the user two options. One is “Continue unprotected”, but pressing that button does nothing. The cyber criminals want to sell their software, so only “Install the full version with the required modules” will work.

We are now directed to a page where we should enter our credit card number and billing address, and where we can choose what we would like to purchase. They offer different license types, from a 1-year up to a lifetime license, and also some additional premium support.


  1. When you are in ThinkPoint scanner settings, go to 'Settings' and enable 'Allow unprotected startup'
  2. Scan your computer with Malwarebytes Anti-Malware
  3. To make sure your computer is fully clean, you can follow Virus Removing