Removed: hotfix.exe (FakeAV – MSE)
Malware: exe.exe
Removed: C:\Documents and Settings\Administrator\Application Data\hotfix.exe
—————————————————————————————————————————-
Detected by UnHackMe:
Item Name: shell
Author: Unknown
Related File: C:\Documents and Settings\Administrator\Application Data\hotfix.exe
Type: User Shell
Item Name: hotfix.exe
Author: SoftMosters AG
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\HOTFIX.EXE
Type: Running Processes
Removal Results: Success
Number of reboots: 1
—————————————————————————————————————————-
How to quickly detect malware presence?
The rogue persists by hijacking the user shell: the Shell value under the per-user Winlogon key names the program Windows starts at logon in place of explorer.exe, so hotfix.exe runs before the desktop appears and, as several commenters report, closes the cmd.exe, regedit and Task Manager windows you open. The Administrator profile in the paths below is specific to the analysis machine; on another account look under that user’s Application Data folder (AppData\Roaming on Vista and Windows 7). Check for:
Registry: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Value: “C:\Documents and Settings\Administrator\Application Data\hotfix.exe”
Files: C:\Documents and Settings\Administrator\Application Data\hotfix.exe
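The same checks as a script, added here as an example; it is not part of the original report and not UnHackMe code. It reads the Shell value from both the per-user and the machine-wide Winlogon keys, looks for the dropped files through %APPDATA% and %TEMP% (which resolve to the XP paths in this report and to AppData\Roaming and AppData\Local\Temp on Vista and Windows 7), compares the SHA-256 of anything found with the hash listed further down, and applies the “created within a minute of hotfix.exe” heuristic one commenter describes. The companion names srsf.bat and mstc.exe come from the comments, not from this report; the function and variable names are mine. The script changes nothing; run it from an elevated PowerShell prompt (PowerShell 2.0 or later, which is not installed by default on XP).

```powershell
# Read-only triage for the hotfix.exe persistence documented in this post.
# Added example; hashing goes through .NET so it also runs where Get-FileHash
# does not exist yet.

# SHA-256 of the sample documented in this post.
$KnownBad = @{
    'a0e1b3867d1a3f2110605d42081dd1063adffb40713e424ed84fe5683fc7fcc2' = 'hotfix.exe (Rogue:Win32/FakePAV)'
}

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '').ToLower()
    } finally { $sha.Clear() }
}

# 1. Winlogon\Shell in both hives. A per-user value is normally absent; the
#    machine-wide value is normally exactly "explorer.exe".
$keys = @('HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
          'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
foreach ($key in $keys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if (-not $shell)                { "$key\Shell : (not set)";             continue }
    if ($shell -ieq 'explorer.exe') { "$key\Shell : explorer.exe (normal)"; continue }
    Write-Warning "$key\Shell = '$shell'  <-- not explorer.exe: hijacked shell"
}

# 2. Dropped files. hotfix.exe and hgksfg.bat are from this report; srsf.bat
#    and mstc.exe are the Windows 7 names reported in the comments.
$dropped = @(
    (Join-Path $env:APPDATA 'hotfix.exe'),
    (Join-Path $env:TEMP    'hgksfg.bat'),
    (Join-Path $env:APPDATA 'srsf.bat'),
    (Join-Path $env:TEMP    'mstc.exe')
)
foreach ($p in $dropped) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $hash = Get-Sha256Hex $p
    $tag  = if ($KnownBad.ContainsKey($hash)) { $KnownBad[$hash] } else { 'hash not in this report, review manually' }
    Write-Warning "present: $p  sha256=$hash  [$tag]"
}

# 3. Is the rogue running right now? A running copy keeps its own file locked.
Get-Process -Name hotfix -ErrorAction SilentlyContinue | Select-Object Id, ProcessName, Path

# 4. Heuristic from the comments: .exe/.bat/.dll files in the profile created
#    within a minute of hotfix.exe. Output is for review only; legitimate
#    files can match too. LOCALAPPDATA does not exist on XP, so skip empties.
$anchor = Join-Path $env:APPDATA 'hotfix.exe'
if (Test-Path -LiteralPath $anchor) {
    $t0    = (Get-Item -LiteralPath $anchor -Force).CreationTime
    $roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }
    Get-ChildItem -Path $roots -Recurse -Force -Include *.exe, *.bat, *.dll -ErrorAction SilentlyContinue |
        Where-Object { [math]::Abs(($_.CreationTime - $t0).TotalSeconds) -le 60 } |
        Select-Object FullName, CreationTime, Length
}
```

A running hotfix.exe keeps its own file locked, which is why deleting it fails until the process is stopped or the machine is booted into Safe Mode with Command Prompt; in that mode Windows starts cmd.exe as the shell and the hijacked Winlogon\Shell value is never used.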
—————————————————————————————————————————-
Classification:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| F-Secure | 9.0.15370.0 | 2010.09.24 | - |
| Kaspersky | 7.0.0.125 | 2010.09.24 | - |
| Microsoft | 1.6201 | 2010.09.23 | Rogue:Win32/FakePAV |
| NOD32 | 5474 | 2010.09.23 | a variant of Win32/TrojanDownloader.FakeAlert.BDE |
—————————————————————————————————————————-
MD5 768bc4890262ce31e3fa1d0c6ba9cdca
SHA1 71c78adf34a6f6df9a4b29a202b11b40d8fa1cc4
SHA256 a0e1b3867d1a3f2110605d42081dd1063adffb40713e424ed84fe5683fc7fcc2
—————————————————————————————————————————-
Installation
When the program is executed, it makes the following registry and file-system changes:
———————————-
Values added: 1
———————————-
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “C:\Documents and Settings\Administrator\Application Data\hotfix.exe”
———————————-
Files added: 2
———————————-
C:\Documents and Settings\Administrator\Application Data\hotfix.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\hgksfg.bat
———————————-
Total changes: 3
———————————-
—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com
Comments
17 Comments on Removed: hotfix.exe (FakeAV – MSE)
Paul on Sun, 26th Sep 2010 1:10 am
I came across this virus as well.
The virus kills all command windows and regedit sessions that you start.
Was able to solve this by using Process Explorer from Sysinternals. Used that program to kill hotfix.exe. Then I could delete the executable and edit the registry with regedit by deleting the WinLogon registry key.
Couldn’t have done it without your help though: you pointed out what had changed.
Rale on Sun, 26th Sep 2010 4:31 am
I first got the Microsoft Security Essentials Alert Trojan. It was blocking my web browsers, command line tools, task manager, opening and search of files etc. I then rebooted into safe mode and found that the admin account worked fine. This let me trace the issue to the hotfix.exe and hgksfg.bat files that had appeared in the standard user’s AppData/Roaming and AppData/Local folders, respectively, while the registry was intact. I simply deleted those files, whereafter everything was OK.
My PC was running Vista with UAC, protected mode and several access right limitations for both accounts while the malware protection relied on Windows Defender.
Kizyr on Sun, 26th Sep 2010 6:02 am
Hi. I came across this virus as well. First, thanks a lot for your help; I found the 1 registry edit and 2 added programs thanks to you.
In addition to the 3 changes you noted there, I also found 2 more added programs that seem related to this malware (both came from “SoftMosters AG”). They were both under:
C:\Documents and Settings\Administrator\Local Settings\***.exe
and had seven-digit filenames (e.g., 1546048.exe).
I believe the seven-digit filename may be random, and there are some legit programs similar to that in the same folder (looking at the icon and program description should indicate what’s legit and what’s malicious). If you could confirm that, it’ll probably help future users.
Again, thanks a lot for your help! KF
Seng on Mon, 27th Sep 2010 4:27 pm
Hello, I came across this virus on 9/25/10 and have been trying to get rid of it ever since. I can’t go online because the security tool pops up when I click on IE, Regedit, Command Prompt, Task Manager and some others. I am unable to delete the hotfix.exe file either. I did all this in safe mode. Please help. Thanks.
admin on Mon, 27th Sep 2010 6:00 pm
RegRun Warrior will be useful for you:
http://www.greatis.com/warrior
Stephen on Mon, 27th Sep 2010 8:28 pm
I wish I had known about this yesterday. Norton was no help after two hours with support. I used SpyBot to locate running processes and noticed HotFix running. I then looked at the file in Explorer and saw that the time of download was very close to when the Essentials notice first popped up.
Since I too was unable to open ANY browser, nor open Task Manager, even in safe mode using my admin account, and I could not even use my command line for access either, I was just lucky enough to have thought of using SpyBot to check on the processes. Once I eliminated the HotFix file I regained control of my computer, checked my Norton safe files and noticed there was an entry for HotFix and clicked it, which revealed the other file that downloaded and created the Hotfix file. I deleted that as well.
Tonight I have to go home and run my registry checking program to make sure everything is gone, but other than that the PC is running fine. I am surprised that Norton had not heard of this issue and couldn’t give me at least a clue that it wasn’t a virus but a malware/rootkit issue… would have saved heartache and a lot of time.
NightWatcher on Tue, 28th Sep 2010 11:18 pm
See the video on how to remove hotfix.exe:
http://www.youtube.com/watch?v=JjUtKVOK-PU
Hariprasad on Sat, 2nd Oct 2010 3:40 am
@Seng;
I had the same virus on my computer and I was able to remove it. Try this to remove the file:
1. During the reboot, press the appropriate key to go to safe mode.
2. Select Safe mode with Command prompt.
3. Log in as admin.
4. Navigate to the folder where hotfix.exe exists and delete it with the del command.
This virus cannot be deleted in GUI mode since, as soon as the computer logs in, the virus also starts to run, with the trigger being WinLogon.
With the command prompt, we will not have this problem.
After this, delete the registry entry as mentioned above.
Thanks,
Hariprasad.
Charles on Mon, 4th Oct 2010 1:17 am
This post and the previous comments were essential for helping me to fix my machine. Thanks to everyone who wrote them! Because nobody has posted instructions specifically for Windows 7, I offer the following version, which is what I did:
1. Turn off Windows System Restore (Control Panel -> System -> System protection -> Configure).
2. Reboot into Safe mode (restart the computer, and immediately after it starts to reboot, press and briefly hold the F8 key).
3. Use the arrow keys and Enter to select Safe mode with Command prompt.
4. Log in to an account with administrator privileges.
5. Locate these files using the DOS commands “cd” and/or “dir”, then delete them with the “del” command:
• C:\Users\Charles\AppData\Roaming\srsf.bat
• C:\Users\Charles\AppData\Roaming\hotfix.exe
• C:\Users\Charles\AppData\Local\Temp\mstc.exe
6. Use the same DOS commands to search the Roaming and Local directories (and their subdirectories) for any additional files associated with the malware. All associated files that I have seen reported are *.exe, *.bat, or *.dll. Most likely, they will have been downloaded or created within a minute of hotfix.exe. Delete any files that you can verify as malware. Use caution in deleting any files that you cannot verify as malware, as some legitimate programs use similar filenames. Reported additional malware files include:
• hgksfg.bat
• srsf.bat
• skahgfhasd.bat
• jsdfgs.bat
• comiapdi.dll
• seemingly random seven-digit filenames (e.g., 1546048.exe) (NOTE: these have not been verified as malware)
7. If at all possible, back up the registry (Symantec has an online tool for this, but I could not get it to work).
8. Use regedit (Start -> Search, then “Enter”) to locate the registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. If the entered value is “hotfix.exe”, then delete this value. If the value is “explorer.exe” or something that is not verifiable as malware, then do not change anything.
9. Turn Windows System Restore back on.
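The manual procedure in this comment and in Hariprasad’s, written as a script. This is an added example, not code from the original post, from UnHackMe or from any commenter. It stops hotfix.exe first (a running copy keeps its file locked and closes the tools used against it), removes the per-user Winlogon\Shell value the report documents, resets the machine-wide Shell value to explorer.exe only if it has been changed (the report records only the HKCU value; checking HKLM is the step the comment above describes), and deletes the dropped files named in the report and in the comments. Paths go through %APPDATA% and %TEMP% so the same script covers XP and Windows 7. It assumes PowerShell 2.0 or later is installed (not the case on a default XP install) and that explorer.exe is the right shell to restore; the file name remove-hotfix.ps1 is my own. Run it from an elevated PowerShell prompt, or from Safe Mode with Command Prompt as `powershell -ExecutionPolicy Bypass -File .\remove-hotfix.ps1`; add `-WhatIf` to print the actions without performing them.

```powershell
# remove-hotfix.ps1: scripted removal of the hotfix.exe FakeAV persistence
# described in this post. Added example; supports -WhatIf / -Confirm.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$ErrorActionPreference = 'Stop'

# 1. Stop the rogue first. While it runs it keeps hotfix.exe locked and
#    closes cmd.exe, regedit and Task Manager windows (see the comments).
Get-Process -Name hotfix -ErrorAction SilentlyContinue | ForEach-Object {
    if ($PSCmdlet.ShouldProcess("hotfix.exe (PID $($_.Id))", 'Stop-Process')) {
        Stop-Process -Id $_.Id -Force
    }
}

# 2. Undo the Winlogon\Shell hijack.
#    HKCU: the sample adds this value; a clean profile has none, so remove it.
$hkcu = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userShell = (Get-ItemProperty -Path $hkcu -Name Shell -ErrorAction SilentlyContinue).Shell
if ($userShell) {
    if ($PSCmdlet.ShouldProcess("$hkcu\Shell = '$userShell'", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $hkcu -Name Shell
    }
}

#    HKLM: reads exactly explorer.exe on a normal workstation. Only touch it
#    when it has been changed; a machine with a legitimate custom shell
#    (kiosk builds, for example) needs a manual decision instead.
$hklm = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$machineShell = (Get-ItemProperty -Path $hklm -Name Shell -ErrorAction SilentlyContinue).Shell
if ($machineShell -and ($machineShell -ine 'explorer.exe')) {
    if ($PSCmdlet.ShouldProcess("$hklm\Shell = '$machineShell'", 'Set-ItemProperty explorer.exe')) {
        Set-ItemProperty -Path $hklm -Name Shell -Value 'explorer.exe'
    }
}

# 3. Delete the dropped files. %APPDATA% and %TEMP% resolve to
#    "Application Data" / "Local Settings\Temp" on XP and to
#    AppData\Roaming / AppData\Local\Temp on Vista and Windows 7.
$dropped = @(
    (Join-Path $env:APPDATA 'hotfix.exe'),   # from the post
    (Join-Path $env:TEMP    'hgksfg.bat'),   # from the post
    (Join-Path $env:APPDATA 'srsf.bat'),     # from the comments
    (Join-Path $env:TEMP    'mstc.exe')      # from the comments
)
foreach ($p in $dropped) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    if ($PSCmdlet.ShouldProcess($p, 'Remove-Item')) {
        # Clear read-only/hidden/system bits before deleting; "access denied"
        # on the delete was reported in the comments.
        (Get-Item -LiteralPath $p -Force).Attributes = 'Normal'
        Remove-Item -LiteralPath $p -Force
        "removed $p"
    }
}
```

After it runs, reboot normally and re-check the two Shell values; the seven-digit .exe names and the extra .bat/.dll files reported in the comments are not in the list above, because the report does not confirm them, and have to be reviewed by hand.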
Nick on Fri, 8th Oct 2010 1:14 am
Okay so I got this virus on my computer and was able to remove it within 5 minutes by myself.
Susan on Wed, 13th Oct 2010 6:24 pm
Thank you so much for the quick fix to the hotfix.exe malware. I had run Trend Micro PC-cillin several times to locate this problem to no avail. Your software quickly located the malware and removed it.
John on Sat, 23rd Oct 2010 3:04 am
I used Avira.
All I had to do was scan the folder it was located in for viruses and it was removed.
Remove Hotfix.exe on Wed, 27th Oct 2010 2:20 pm
Thank you so much. If you have this problem, you can trust these guys…
Vail on Sat, 30th Oct 2010 10:20 pm
Got rid of hotfix by renaming it hotfixxxx.exe and then deleting. Tried to use delete on hotfix.exe but got access denied until I did the rename.
spywareremvoal on Tue, 7th Dec 2010 5:15 am
Good post, it is useful for me.
Jon on Sun, 30th Jan 2011 2:37 am
Didn’t have a problem until I downloaded some program that was supposed to be able to convert any video to MP4. Got rid of that and things improved. Has a little bow tie logo.
Jon on Sun, 30th Jan 2011 2:41 am
So-called converter also messed with my alert sounds.