World’s leading cause of malware related frustration
This Program is Malware, you should remove it ASAP
ThinkPoint – The “Anti-Virus” virus (that hijacks your computer)
On November 9th, 2010 (a Tuesday), my computer got infected with ThinkPoint, a fake antivirus program that is distributed through the use of a false Microsoft Security Essentials Alert (actually a pop-up) regarding the “Trojan.Horse.Win32.PAV.64.a” trojan. It is malware, and it installs itself after warning you that your computer has been infected with a high-threat-level trojan. The pop-up, disguised as a Windows Display Box, uses scare tactics to make you press its button. Pressing the button then allows the pop-up to install hotfix.exe on your computer. This program, hotfix.exe, is the program that contains ThinkPoint.
So here I was, locked out of my laptop (from Windows Explorer anyway), and kind of frustrated about the fact that some malware, pretending to be an antivirus program (also pretending to be from Microsoft), was now blocking me from my computer stuff, without my consent. Even rebooting the computer would turn Windows Explorer off, and bring me back to ThinkPoint. What was I to do to rectify this unwanted situation? It may seem like there was nothing I could do.
However, I immediately used my iTouch to find out how to get rid of this, and learned its location. Within 20 minutes, I had manually removed it from my laptop.
This “antivirus” program is actually malware, that configures itself to start every time you boot your computer, after you enter your Windows Password. This ThinkPoint malware will hide your desktop, while it is running.
It installs itself on your computer after you click in a pop-up that is disguised as a Windows Dialog Box. The pop-up is disguised as a Microsoft Security Essentials program, claiming to be the “Microsoft Security Center”, and claims that it has detected the submitted suspicious file “Trojan.Horse.Win32.PAV.64.a” and that the “Threat level – very high”.
The pop-up dialog claims “Required action – AV software is required to find and delete all traces of the virus”. You want this trojan off your computer, so you click the “OK” button, and that is when it plants hotfix.exe (which contains the ThinkPoint virus) on your computer. Then your computer turns off, and when your computer reboots, you enter your Windows password, your screen turns blank (because it just turned Windows Explorer off), and it takes you to the ThinkPoint screen. There it pretends to be Microsoft software, under the name Microsoft ThinkPoint, with the slogan “World’s leading security solution”.
There are many websites telling you how to bypass ThinkPoint, when you boot your computer. However, they then try to sell you software, to remove the malware.
I removed it manually, by going to its location, and simply deleting it.
The details are listed below.
But first, I want to say that I think these software companies are trying to capitalize on this, and I suspect that this ThinkPoint malware may have even been created by one of these companies, to scare people into purchasing this removal software, which people would not have even needed if not for the ThinkPoint malware program.
TO BYPASS THINKPOINT, TO ACCESS WINDOWS EXPLORER
Stop ThinkPoint process
Once Windows has loaded, you will see the ThinkPoint window.
Now press CTRL + ALT + DEL. It will open Windows Task Manager. Select the hotfix.exe process.
Click “End Process” button. It will close ThinkPoint.
Now click File, New Task. Type explorer and press Enter. It will bring back the Start button and taskbar.
HOW TO REMOVE THINKPOINT FROM YOUR COMPUTER
I manually removed ThinkPoint by deleting the “hotfix.exe” it was associated with:
The “hotfix.exe” file is the ThinkPoint malware program file. On this Windows Vista computer, it was located here:
C: > Users folder > Home folder > AppData folder > Roaming folder, and there was “hotfix.exe”.
My home folder is “griffyclan007”, as that is my sign-in name.
Go to your Start Menu, then open “My Computer” or “Computer”, double click on “Local Disk (C:)”, then look for the “Users” folder above.
Follow the path mentioned above: Users, Home, AppData… Roaming folder
“Right Click” on hotfix.exe and choose “delete” in the sub menu... all gone.
hotfix.exe Program Size: 584 KB
This was the only file associated with this “ThinkPoint” malware. No other entries in the system registry were found when following up with other scans afterwards. Maybe there were other files associated with this “ThinkPoint” malware, maybe the system’s anti-virus software might have stopped some of it, but this one “hotfix.exe” file planted itself right in a start up folder/directory.
Computer was back to normal operation
Other websites claim these registry entries were also installed, but I did not find them in my computer.
Start the computer in SAFE MODE WITH COMMAND PROMPT.
When the machine loads up on the command prompt type: regedit.
Now navigate to the following lines and delete them if they appear:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = “%Documents and Setting%\[UserName]\Application Data\hotfix.exe”
For my particular case I found the hotfix.exe and deleted it. This allowed me to log into my desktop again.
Go to the search bar in the start section, and type in ‘run’, or click on the side panel, for those of you with older OS’s.
Once you have Run open, type in “RegEd”, and allow for it to open. Then find these files, in order, and delete them.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = “%Documents and Settings%\[UserName]\Application Data\hotfix.exe”
The main thing is deleting the ThinkPoint program, at its location.
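The manual steps above (end the hotfix.exe process, delete the file from AppData\Roaming, check the Winlogon “Shell” value, start explorer again) can be scripted. The PowerShell below is an added example, not part of the original post; it assumes it runs as the affected user, the -Remove switch is this example's own, and it also looks in the temp directory and for the name mstsc.exe, both mentioned later in this article.

```powershell
# Added example (not from the original post). Read-only unless -Remove is passed.
param([switch]$Remove)

$names    = 'hotfix.exe', 'mstsc.exe'   # file names reported in the article
$dirs     = $env:APPDATA, $env:TEMP     # AppData\Roaming and the temp directory
$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. Running copies. Match on full path, not name alone, so the genuine
#    mstsc.exe in System32 is never touched.
$procs = Get-Process | Where-Object {
    $p = $_.Path
    $p -and ($names -contains (Split-Path $p -Leaf)) -and
        ($dirs | Where-Object { $p.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
}
foreach ($proc in $procs) {
    'RUNNING  {0} (PID {1})' -f $proc.Path, $proc.Id
    if ($Remove) { Stop-Process -Id $proc.Id -Force; $null = $proc.WaitForExit(5000) }
}

# 2. Files on disk in the per-user locations.
foreach ($dir in $dirs) {
    foreach ($name in $names) {
        $file = Join-Path $dir $name
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            'FILE     {0} ({1:N0} KB)' -f $file, ((Get-Item -LiteralPath $file -Force).Length / 1KB)
            if ($Remove) { Remove-Item -LiteralPath $file -Force }
        }
    }
}

# 3. Winlogon "Shell". HKCU normally has no Shell value; HKLM holds explorer.exe.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key   = "$hive\$winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if (-not $shell) {
        'SHELL    {0}: not set' -f $key
    } elseif ($shell.Trim() -ieq 'explorer.exe') {
        'SHELL    {0}: explorer.exe (default)' -f $key
    } else {
        'SHELL    {0}: UNEXPECTED value "{1}"' -f $key, $shell
        # Only the per-user override is removed; an HKLM change is reported only.
        if ($Remove -and $hive -eq 'HKCU:') { Remove-ItemProperty -Path $key -Name Shell }
    }
}

# 4. Bring the desktop back if the shell is not running (File > New Task > explorer).
if ($Remove -and -not (Get-Process explorer -ErrorAction SilentlyContinue)) {
    Start-Process explorer.exe
}
```

Run it without -Remove first and read the report. An unexpected HKLM value is only reported, because restoring it means setting the value back to explorer.exe from an elevated prompt.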
ThinkPoint malware is spread using pop-up banner advertisements, disguised as a Windows Dialog Box.
This appears to be an aggressive FakeAV/RogueWare installation campaign utilizing banner ads on trusted websites. Some of the sites currently serving this malicious software include youtube.com, msnbc.com and bing.com.
When you visit these sites you may be presented with either a fake Adobe Reader 8 Install prompt or a Microsoft Security Essentials “Infection Found” pop-up window. Neither of these is legitimate.
This ad based drive-by download presents itself as ThinkPoint. The file may use a legitimate name such as hotfix.exe or mstsc.exe and is saved to a temp directory. It then picks out random files, claims they are infected and forces you to “clean” these false threats. ThinkPoint will state that you need a heuristic program to fix the problems and offers to sell one for $99.90. Do not purchase ThinkPoint; this program is fraudulent! Anti-viruses may detect this as FakeAV, FakeAlert, or a generic Trojan.
The “URL Source” refers only to a source of information that pertains to the update.
Remember, I don’t trust any of these security software companies that may claim to be studying this, as these companies have the most to gain from this.
The information in the update presented here is only the known facts, with nothing to gain. These companies do have something to gain.
ThinkPoint (alias: Think Point) is the newest rogue application that we came across in the process of malware analyzing. It produces a dubious impression. On the one hand, ThinkPoint possesses a regular-looking User Interface containing the same components as a normal security application. But the inside of ThinkPoint is more than just malicious. This nefarious program is distributed via the infamous fake Microsoft Security Essentials Alert that gets triggered on computers by a trojan horse. You won’t fail to tell ThinkPoint is on your workstation – it acts so impudently and aggressively that the outcomes of its activity will be right there on the surface. ThinkPoint will keep running some alleged virus scanners that are in fact counterfeit and have nothing to do with what’s actually going on inside your computer. The pranks of this scareware won’t be bound to displaying fake scanners though. ThinkPoint will be sure to issue some false positives telling you about some critical malware activity taking place. These misleading ads, as well as the scanners, aim to intimidate you and make you eventually pay for registering ThinkPoint full version in case you want to get the imaginary malicious items removed. This is the kind of routine followed by the majority of rogue security utilities. These nasty programs intrude without permission, then display fabricated detection reports and finally they ask the victim to buy the licensed copy in order to be able to cope with the purported threats found. ThinkPoint is no exception to this rule so you’d better beware of it.
WARNING: This URL refers to another website trying to sell you software to remove ThinkPoint. You can remove it yourself, using the instructions in my article above the “UPDATE” section here. Don’t purchase any software offered to remove it, or fall for the scare tactics to make you purchase software.
Any of the software purchased could lead to worse problems pertaining to trojans or malware. We’re in an economic recession, so these companies aren’t making any money, and some of these could be fly-by-nights.
The latter means that these newer, smaller software companies, once they’ve got your money, you never hear of them again. But they’ve got your money, and you’ve got their trojans, through which they can just install more malware, to lock you out of your computer. Use my instructions to remove this ThinkPoint malware; the instructions are free, and safer than using some unknown program (likely to install trojans for malware) from some unknown software company.
The following URLs contain information that pertains to the ThinkPoint virus.