Removed: hotfix.exe (FakeAV – MSE)

I will tell you in this post how to fix the issue manually and how to clean it automatically using a special powerful removal tool. You can download the removal program for free here:

Malware: exe.exe

Removed: C:\Documents and Settings\Administrator\Application Data\hotfix.exe

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: shell
Author: Unknown
Related File: C:\Documents and Settings\Administrator\Application Data\hotfix.exe
Type: User Shell


Will you remove it?
0 0

Download Removal Tool for Free

People say

Visitor post

Item Name: hotfix.exe
Author: SoftMosters AG
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\HOTFIX.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-
How to quickly detect malware presence?

Registry: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Value: “C:\Documents and Settings\Administrator\Application Data\hotfix.exe”

Files: C:\Documents and Settings\Administrator\Application Data\hotfix.exe

—————————————————————————————————————————-
Classification:

Antivirus Version Last Update Result
F-Secure 9.0.15370.0 2010.09.24 -
Kaspersky 7.0.0.125 2010.09.24 -
Microsoft 1.6201 2010.09.23 Rogue:Win32/FakePAV
NOD32 5474 2010.09.23 a variant of Win32/TrojanDownloader.FakeAlert.BDE

—————————————————————————————————————————-

MD5 768bc4890262ce31e3fa1d0c6ba9cdca

SHA1 71c78adf34a6f6df9a4b29a202b11b40d8fa1cc4

SHA256 a0e1b3867d1a3f2110605d42081dd1063adffb40713e424ed84fe5683fc7fcc2

—————————————————————————————————————————-


Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Values added:1
———————————-
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “C:\Documents and Settings\Administrator\Application Data\hotfix.exe”

———————————-
Files added:2
———————————-
C:\Documents and Settings\Administrator\Application Data\hotfix.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\hgksfg.bat

———————————-
Total changes:3
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com


I use UnHackMe for cleaning ads and viruses from my friend's computers, because it is extremely fast and effective.




STEP 1: Download UnHackMe for free

UnHackMe removes Adware/Spyware/Unwanted Programs/Browser Hijackers/Search Redirectors from your PC easily.

Free Download

UnHackMe is compatible with most antivirus software.
UnHackMe is 100% CLEAN, which means it does not contain any form of malware, including adware, spyware, viruses, trojans and backdoors. VirusTotal (0/56).
System Requirements: Windows 2000-Windows 8.1/10 32 or 64-bit. UnHackMe uses minimum of computer resources.

STEP 2: Double click on UnHackMe_setup.exe

You will see a confirmation screen with verified publisher: Greatis Software. Verified Publisher Greatis Software

Once UnHackMe has installed the first Scan will start automatically

Review the detected threats

STEP 3: Carefully review the detected threats!

Click Remove button or False Positive.

Enjoy!

5 votes, average: 5.00 out of 55 votes, average: 5.00 out of 55 votes, average: 5.00 out of 55 votes, average: 5.00 out of 55 votes, average: 5.00 out of 5 (5 votes, average: 5.00 out of 5)
You need to be a registered member to rate this.
Loading...
  • Paul

    I came across this virus as well.

    The virus kills all command windows and regedit sessions that you start.

    Was able to solve this by using ProcessExplorer from Sysinternals. Used that program to kill hotfix.exe. Then I could delete the executable and edit the registry with regedit by deleting the WinLogon registry key.

    Couldn't have done it without your help though: you pointed out what had changed.

  • Rale

    I first got the Microsoft Security Essentials Alert Trojan. It was blocking my web browsers, command line tools, task manager, opening and search of files etc. I then rebooted into the safe mode and found that the admin account worked fine. This let me trace the issue to the hotfix.exe and hgksfg.bat files that had appeared in the standard user's AppData/Roaming and AppData/Local folders, respectively, while the registry was intact. I simply deleted those files whereafter everything was OK.

    My PC was running Vista with UAC, protected mode and several access right limitations for both accounts while the malware protection relied on Windows Defender.

  • Kizyr

    Hi. I came across this virus as well. First, thanks a lot for your help; I found the 1 registry edit and 2 added programs thanks to you.

    In addition to the 3 changes you noted there, I also found 2 more added programs that seem related to this malware (both came from "SoftMosters AG"). They were both under:

    C:Documents and SettingsAdministratorLocal Settings***.exe

    and had seven-digit filenames (e.g., 1546048.exe).

    I believe the seven-digit filename may be random, and there are some legit programs similar to that in the same folder (looking at the icon and program description should indicate what's legit and what's malicious). If you could confirm that, it'll probably help future users.

    Again, thanks a lot for your help! KF

  • Seng

    Hello, I came across of this virus on 9/25/10 and have been trying to get rid of it ever since. I can't go online due to the security tool pops up when I click on the IE, Regedit, Command prompt, Task manager, and some others. I am unable to delete the hotfix.exe file either. I did all this in the safemode, please help. Thanks..

  • admin

    RegRun Warrior will be useful for you: http://www.greatis.com/warrior

  • Stephen

    I wish I had known about this yesterday. Norton's was no help after two hours with support. I used SpyBot to located running processes and noticed HotFix running. I then looked at the file in explorer and saw that the time of download was very close to when the Essentials notice first popped up.

    Since I too was unable to open ANY browser, nor open task manager, even in safe mode using my admin account, and I could not even use my command line for access either, I was just lucky enough to have thought of using SpyBot to check on the processes. Once I eliminated the HotFix file I regained control of my computer, check my Norton safe files and noticed there was an ectry for HotFix and clicked it, which revealed the other file that downloaded and created the Hotfix file. I deleted that as well.

    Tonight I have to go home and run my registry checking program to make sure everything is gone, but other than that the PC is running fine. I am surprised that Norton had not heard of this issue and couldn't give me at least a clue that it wasn't a virus but a malware/root kit issue… would have saved heartache and a lot of time.

  • http://greatis.com/blog/ NightWatcher

    See the video how to remove hotfix.exe:
    http://www.youtube.com/watch?v=JjUtKVOK-PU

  • Hariprasad

    @Seng;

    I had the same virus on my computer and I was able to remove it, try this to remove the file:

    1. During the reboot, press the appropriate key to go to safe mode.

    2. Select Safe mode with Command prompt

    3. Login as admin

    4. Navigate to the folder where hotfix.exe exists and delete it with del command.

    This virus cannot be deleted in GUI mode since, as soon as the computer logs in the virus also starts to run, with the trigger being the WinLogon.

    With the command prompt, we will not have this problem.

    After this, delete the registry entry as mentioned above.

    Thanks,

    Hariprasad.

  • Charles

    This post and the previous comments were essential for helping me to fix my machine. Thanks to everyone who wrote them! Because nobody has posted instructions specifically for Windows 7, I offer the following version, which is what I did:

    1. Turn off Windows System Restore (Control Panel -> system -> system protection -> configure)..

    2. Reboot into Safe mode (Restart the computer, and immediately after it starts to reboot, press and briefly hold the F8 key).

    3. Use arrow keys and enter to select Safe mode with Command prompt.

    4. Login to an account with administrator privileges.

    5. Locate these files using the DOS commands “cd” and/or “dir”, then delete them with the “del”command:

    • C:UsersCharlesAppDataRoamingsrsf.bat

    • C:UsersCharlesAppDataRoaminghotfix.exe

    • C:UsersCharlesAppDataLocalTempmstc.exe

    6. Use the same DOS commands to search the Roaming and Local directories (and their subdirectories) for any additional files associated with the malware. All associated files that I have seen reported are *.exe, *.bat, or *.dll. Most likely, the will have been downloaded or created within a minute of hotfix.exe. Delete any files that you can verify as malware. Use caution in deleting any files that you can not verify as malware, as some legitimate programs use similar filenames. Reported additional malware files include:

    • hgksfg.bat

    • srsf.bat

    • skahgfhasd.bat

    • jsdfgs.bat

    • comiapdi.dll

    • seemingly random seven-digit filenames (e.g., 1546048.exe) (NOTE: these have not been verified as malware)

    7. If at all possible, back up the registry (Symantec has an online tool for this, but I could not get it to work).

    8. Use regedit (start->search, then “enter”) to locate the registry subkey: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell. If the entered value is “hotfix.exe”, then delete this value. If the value is “explorer.exe” or something that is not verifiable as malware, then do not change anything.

    9. Turn Windows System Restore back on.

  • Nick

    Okay so I got this virus on my computer and was able to remove it within 5 minutes by myself.

  • Susan

    Thank you so much for the quick fix to the hotfix.exe malware. I had run Trend Micro PC-cillin several times to locate this problem to no avail. Your software quickly located the malware and removed it.

  • John

    I used Avira.

    All I had to do was scan the file it was located in for viruses and it was removed.

  • Remove Hotfix.exe

    thank you so much. if you have this problem, you can trust these guys….

  • Vail

    got rid of hotfix by renaming it hotfixxxx.exe and then deleting. Tried to use delete on hotfix.exe but access denied until I did rename.

  • spywareremvoal

    goog post ,it is usefull for me.

  • Jon

    Didn't have a problem until I downloaded some program that was supposed to be able to covert any video to Mp4. Got rid of that and things improved. Has little bow tie logo.

  • Jon

    So called converter also messed with my alert sounds.