Yesterday we noticed something strange. Large number of our visitors complained about seeing popups with errors in hotfix.exe, which caused it to segmentation fault. It looks like ThinkPoint (a rogue antivirus) makers made a mistake and released buggy version of Trojans, promoting this malware.
Possible message looks like this:
Access violation at address 004afe43 in module hotfix.exe. Read of address is 00000000.
ThinkPoint enters system using drive-by downloads, fake updates with trojans or network worms. First it shows a faked MSE screen , then, after a reboot, another fake scanner appears that “restores” some of the problems, but asks to pay for something. Well, most of the users started seeing hotfix.exe crashes instead of thinkpoint scan window , as it appears that it has a critical error. It is partly good thing, as it is simpler to stop its process using task manager, and eventually to remove the malware.
However, file hotfix.exe is only one of couple files used by makers of ThinkPoint. First, one still has to launch explorer.exe using task manager. Secondly, one still has to scan with TDSS killer and spyhunter to identify and eventually remove remaining infections. It is highly advisable to upgrade ones protection software to avoid Fake antivirus infections in the future, no matter of removal procedure.