Author Topic: Think Point Virus (Fake Anti-Virus)  (Read 30878 times)

Offline Kurusutitchi

  • Newbie
  • *
  • Posts: 6
Think Point Virus (Fake Anti-Virus)
« on: October 20, 2010, 09:02:46 PM »
Recently a friend of mine had his computer infected with the Think Point Virus.

What this does is, it's installed onto the computer, seems to hijack and control
the system startup, meaning nothing will start but the virus
and the Think Point will display (showing as a fake antivirus program)
saying the computer is infected with this many etc. you get it.

His computer had Malware whatever anti-malware installed so I attempted
to scan the computer, 4 viruses were caught.

Then to do a bootscan, I installed Avast! free and did so.

4 more viruses were gone. Problem is, the Think Point Virus is still there, I'm trying to find a way to get rid of this.

Does anyone have any solutions? Like a special virus removal tool or the like?

I searched the net for answers, they all said to just simply scan the computer, which doesn't help much.

He has Vista btw, tell me if you need more info.

This section may help people who may search for this part... Think Point Virus
-------
There's a way to "stop" the virus as in being active.
Once the Virus is displayed, do not touch the darn thing!
If possible, simply press Ctrl+Alt+Del, bring up the Task Manager,
and End the Process called Hotfix.exe.
The virus should go away...but not forever!
You're now left with nothing. While the Task Manager is still up,
Go to File

and select New Task(Run)

now type in "Explorer.exe"

the computer should start just fine.

Offline Le Boule

  • Jr. Member
  • **
  • Posts: 35
Re: Think Point Virus (Fake Anti-Virus)
« Reply #1 on: October 21, 2010, 03:27:25 AM »
Not much info yet regarding this fake antivirus program...no fix listed with Bleeping Computer which is usually quite reliable.  Possibly you've already removed it but suggest continuing to scan with Avast, try to update Malwarebytes and scan again with it and maybe try Superantispyware Portable which you can put on CD or flash drive and run it on the infected computer.

Just read on the MSE forum that Think Point masquerades as a fake version of Microsoft Security Essentials.  No fix listed there however.

 
« Last Edit: October 21, 2010, 03:31:04 AM by Le Boule »


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: Think Point Virus (Fake Anti-Virus)
« Reply #3 on: October 21, 2010, 12:19:17 PM »
The best things in life are free.

Offline lojoba

  • Newbie
  • *
  • Posts: 1
Re: Think Point Virus (Fake Anti-Virus)
« Reply #4 on: October 21, 2010, 09:01:17 PM »
Hello, my daughter just had ThinkPoint show up on her PC just minutes ago.

Here is a link from the myantispyware.com forum that supplied the fix action. It uses Malwarebytes.

http://www.myantispyware.com/2010/10/18/how-to-remove-thinkpoint-uninstall-instructions/

I ended up here because, like one of the members on antispyware, I was wondering and searching why Avast did not catch it.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36933
Re: Think Point Virus (Fake Anti-Virus)
« Reply #5 on: October 21, 2010, 09:20:00 PM »
Quote
Here a link from myantispyware.com forum that supplied the fix action. It uses malwarebytes.
The link was already posted above

Quote
I was wondering and searching why avast did not catch it
No security program has 100% detection....

Fake antivirus overwhelming scanners
http://news.techworld.com/security/3203072/fake-antivirus-overwhelming-scanners/

Offline Riona19

  • Newbie
  • *
  • Posts: 4
Re: Think Point Virus (Fake Anti-Virus)
« Reply #6 on: October 22, 2010, 05:44:58 AM »
Curious, how long do Avast programmers think it will take to update Avast to block this rogue app?

My netbook had just gotten it last night, and I had to spend 3 hours hunting it down manually to get it off my comp. Both Avast and Malwarebytes weren't getting rid of it. It really concerned me, because I use that netbook for school, and I can't afford to not have my stuff on it, let alone have any administrative rights to it. I finally got it clean, but I don't want it to come back.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36933
Re: Think Point Virus (Fake Anti-Virus)
« Reply #7 on: October 22, 2010, 09:31:46 AM »
Quote
Curious, How long does Avast Programmers think it will take to update Avast to block this Rogue App?
They update every day, but if you read the link I posted above, it explains why these are difficult to detect

Offline Omid Farhang

  • Malware Hunter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
    • Omid's Site
Re: Think Point Virus (Fake Anti-Virus)
« Reply #8 on: October 23, 2010, 01:45:48 AM »
Running it in my computer, not difficult to remove, just went to settings, checked allow unsafe..., then I could go to windows. installed and updated mbam and it detected it and removed that, this easy...



Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36933
Re: Think Point Virus (Fake Anti-Virus)
« Reply #9 on: October 23, 2010, 01:48:43 AM »
Sample sent to avast!    ;)

Offline yalcs

  • Newbie
  • *
  • Posts: 1
Re: Think Point Virus (Fake Anti-Virus)
« Reply #10 on: October 31, 2010, 09:39:28 PM »
This is a nasty one.  All of you know the frustrations it causes.  I have come across it on 2 different machines and here is what I did to [manually] fix it:

Windows XP/Vista
First you need to boot safe mode with command prompt
cd \documents and settings\
cd [to user name] i.e. User, Administrator, etc...

for each user on the computer you need to do this:
      cd application data
      del hotfix.exe
      rd /s completescan
      rd /s install


You need to clean the registry entries where it is calling the  hotfix.exe file on login as well.  Easiest way I found to do this is by opening notepad and

[copy and paste the following] into it:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
[-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
[-HKEY_CLASSES_ROOT\secfile]

Then save the file to your desktop.  Choose "all files" type, and save as fix.reg
Then double-click the file you just created (fix.reg), and it will ask you to read in, say yes.

You will need to edit your registry, type regedit at a command prompt, or from the start-->run window.
Look for:

HKCU\Software\Microsoft\Windows NT\CurrentConfiguration\Winlogon\\Shell = %AppData%\hotfix.exe

and delete it.

reboot and you should be okay.



WINDOWS 7

Reboot into 'safe mode with command prompt'
At the command prompt, type in 'explorer' [no quotes]
Now you should see your desktop in the background
Double Click on your icon that looks like computer screen.
Then do a SINGLE click on your C:\ drive (do not open it).
Then in the upper right of the same screen you will see a search box,
type in hotfix, then hit enter.
You should probably see three or so associated files pop-up with hotfix in them.
Right click on each one and delete them, no matter how many.

reboot

Run regedit from a command window.
F3 to open a search
type in hotfix.exe
if it finds it look at folders, see if it is:
"HKCU\Software\Microsoft\Windows NT\CurrentConfiguration\Winlogon\\Shell = %AppData%\hotfix.exe"
...or at least something with shell=<etc>\hotfix.exe   - then delete this entry.

reboot

This has worked on almost all the PCs I have fixed (save for one that had many other virus infections).
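
A way to check for the three hijack points named in the post above before and after cleanup, as an added example that is not part of the original post: it parses text in `reg export` format and flags a Winlogon Shell value other than explorer.exe, a `.exe` class remapped away from `exefile`, and an `open\command` handler under `.exe` or `secfile`. Assumptions: the Winlogon key is read from the standard `Software\Microsoft\Windows NT\CurrentVersion\Winlogon` location, and the sample export, its paths and its values are constructed for illustration.

```python
import re

# Constructed sample in `reg export` text form; every path and value is illustrative.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\demo\\AppData\\Roaming\\hotfix.exe"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Users\\demo\\AppData\\Roaming\\hotfix.exe\" \"%1\""
'''

def parse_reg(text):
    """Return {key_path: {value_name_lowercased: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escaping
            current[m.group(1).strip('"').lower()] = data
    return keys

def audit(keys):
    """Flag the three hijack points named in the post; returns (rule, key, data)."""
    findings = []
    for path, values in keys.items():
        p = path.lower()
        if p.endswith(r"\windows nt\currentversion\winlogon"):
            shell = values.get("shell", "explorer.exe")
            if shell.strip().lower() != "explorer.exe":
                findings.append(("winlogon-shell", path, shell))
        if p.endswith(r"\.exe") and values.get("@", "exefile").lower() != "exefile":
            findings.append(("exe-association", path, values["@"]))
        if re.search(r"\\(\.exe|secfile)\\shell\\open\\command$", p):
            findings.append(("open-command", path, values.get("@", "")))
    return findings

if __name__ == "__main__":
    for rule, key, data in audit(parse_reg(SAMPLE_EXPORT)):
        print(f"{rule:16} {key} -> {data}")
```

Files written by `reg export` are UTF-16, so open them with `encoding="utf-16"` before passing the text to `parse_reg`.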

Offline angelside

  • Newbie
  • *
  • Posts: 1
Re: Think Point Virus (Fake Anti-Virus)
« Reply #11 on: November 17, 2010, 12:19:58 PM »
Hi, I had that virus too, but it was enough to delete it from where it was saved, along with all its files, and done, I got rid of it :P but the antivirus doesn't see it as a virus

Offline Yance

  • Full Member
  • ***
  • Posts: 167
Re: Think Point Virus (Fake Anti-Virus)
« Reply #12 on: November 17, 2010, 12:51:28 PM »
These steps work. I already did these steps 2 months ago and was able to clean Think Point from my friend's notebook.
Windows 8 Pro 64bit; Avast Free 8.0.1482; K9 Web Protection 4.0.296

Offline circlingsky

  • Newbie
  • *
  • Posts: 14
Re: Think Point Virus (Fake Anti-Virus)
« Reply #13 on: November 18, 2010, 02:54:48 AM »
Thanks for this info.  My college-student daughter came downstairs a half hour ago panicked because she'd mistakenly downloaded thinkpoint while researching on her laptop.  Within 15 minutes, she was up and running again.  Thanks yalcs, you're a life saver :)  And thanks to the contributing members of Avast forums for the many other times I've found helpful information and solutions here.  It's great knowing there's a reliable place to turn when these situations come up.

Offline mjamae27

  • Newbie
  • *
  • Posts: 1
Re: Think Point Virus (Fake Anti-Virus)
« Reply #14 on: November 20, 2010, 04:30:51 AM »
Guys, if you have Avast Internet Security you could just right-click the shortcut then scan it... after that Avast will detect it's a threat, then Avast will ask what you want to do, whether you want to move it to the chest or delete it. Just choose delete, then restart your PC. You'll see what I mean. Thanks guys!! Always here for you ^^