Sunday, October 31, 2010

FLVTube - rogue video player

FLVTube is supposedly a video player that downloads and plays YouTube videos. Only a few anti-viruses categorize FLVTube as an adware, and most of the antivirus software do not have any detection for it. FLVTube uses the familiar fake codec download techniques to trick PC users in downloading their software: You chance upon a video clip on a random website and to view it you need to download FLVTube! If FLVTube is really a genuine video player, then I wonder why they are using such misleading installation strategies.


During installation, FLVTube gives options to install following affiliate products of questionable reputation:
  • Emoticons Toolbar by SweetIM
  • WhiteSmoke Grammar software
  • Uniblue RegistryBooster

And, it installs following mandatory components:
  • FLVTube Player
  • FLVTube Toolbar
  • QueryBrowser Search Assistant

FLVTube Toolbar and QueryBrowser Search Assistant hijack browser homepage and search provider to http://flvtubesearch.co and www.querybrowser.com (however, this is mentioned in terms and conditions during installation).


VirusTotal scan results of installer and browser plugins can be found here, here and here. Stay clear of this rogue video player! Malwarebytes Anti-Malware can be used to remove FLVTube Player.

Saturday, October 23, 2010

ThinkPoint rogue antivirus

ThinkPoint is a new addition to the long list of rogue antivirus programs. ThinkPoint uses fake codec download tricks for its distribution. Once installed, it shows a fake "Microsoft Security Essentials Alert" popup box showing a non-existent threat.


ThinkPoint adds a Winlogon Shell registry entry, so that ThinkPoint starts up instead of Windows Explorer during Windows startup. ThinkPoint hijacks the startup/login screen.


At this point, follow these steps to get back the standard Windows desktop:
  • Start Task Manager by pressing CTRL+ALT+DEL and kill the process named hotfix.exe.
  • Go to File Menu > New Task (Run) in Task Manager and type explorer.exe to spawn Windows Explorer.

In case you don't find hotfix.exe process in Task Manager, it could mean that the rogue program is using a different filename. Interestingly, there's a workaround built into this rogue program to get to desktop:
  • Click "Safe Startup" button and allow it to finish its fake scanning (duh!). After it completes scanning and shows scan results, click "Continue Unprotected".
  • Now, click "Settings" and select the option "Allow unprotected startup".
  • Close ThinkPoint rogue program's window by clicking the close button on top-right corner. This should take you to the standard Windows desktop.

VirusTotal scan results for ThinkPoint installer can be found here. Malwarebytes' Anti-Malware can be used to remove ThinkPoint rogue antivirus program completely.