How to remove ThinkPoint on Tue Oct 19, 2010 5:21 am
DragonMaster Jay
Site Owner

ThinkPoint removal
Welcome to the removal guide for ThinkPoint. This is to be considered a self-help guide, and the Security Team at this site does not assume responsibility for direct, indirect, or consequential damage to your computer as a result of doing the step-by-step guide below.
ThinkPoint is a new rogue antivirus program. This program is installed on your computer, usually by Trojans.
Once the program is installed, it will begin displaying fake security alerts (that look like Microsoft Security Essentials), including advice about removing viruses. Upon execution, it will scan your computer and find fake threats, and then it urges you to purchase its software in order to protect your computer and/or remove the threats.
Upon further infection, the program may cause severe issues, such as system takeover by displaying a screensaver of "ThinkPoint" across the screen.
Also, it will hide the Desktop, taskbar, and start menu - making it impossible to regain control over your system quickly.
Lastly, it will hijack common useful removal tools, such as Task Manager, regedit, etc.
Normal uninstall is usually not possible with rogue antivirus software, which is why these instructions must be followed carefully.

ThinkPoint screenshot
:::FAKE ALERTS:::


List of files associated with this rogue:
XP
%UserProfile%\Application Data\hotfix.exe
%UserProfile%\Application Data\thinkpoint.exe
%UserProfile%\Application Data\{RANDOM}.bat
%UserProfile%\Application Data\{RANDOM}.bin
%UserProfile%\Application Data\{RANDOM}.dat
%UserProfile%\Application Data\completescan
Vista and 7
%UserProfile%\AppData\Roaming\hotfix.exe
%UserProfile%\AppData\Roaming\thinkpoint.exe
%UserProfile%\AppData\Roaming\{RANDOM}.bat
%UserProfile%\AppData\Roaming\{RANDOM}.dat
%UserProfile%\AppData\Roaming\{RANDOM}.bin
%UserProfile%\AppData\Roaming\completescan
%UserProfile%\AppData\Local\Temp\{RANDOM}.exe
All
%UserProfile%\Local Settings\Application Data\{68D4B3CD-C7E0-4B95-94BA-DD5EFD9B4246}
C:\bbotxxxxxx.exe
Note: %temp% refers to the following locations, based on your version of Windows:
Windows XP: C:\Documents and Settings\{USER}\Local Settings\Temp
Vista/7: C:\Users\{USER}\AppData\Local\Temp
%UserProfile% refers to the following locations, based on your version of Windows:
Windows XP: C:\Documents and Settings\{USER}\
Vista/7: C:\Users\{USER}\
To be able to see some of the folders, you need to set Windows to show all files and folders.
Instructions for your Operating System here
List of Registry entries associated with this rogue:
[HKEY_CURRENT_USER\Software\PAV]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"thinkpoint"="%UserProfile%\Application Data\thinkpoint.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "%Documents and Settings%\[UserName]\Application Data\hotfix.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnonBadCertRecving" = "0"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnPostRedirect" = "0"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "%AppData%\hotfix.exe"
List of HijackThis entries associated with this rogue:
O4 - HKCU..\Run: [RANDOM.exe] C:\Users\{USER}\AppData\Local\Temp\RANDOM.exe ()
O4 - HKCU..\Run: [thinkpoint] C:\Users\{USER}\AppData\thinkpoint.exe ()
O4 - HKCU..\Run: [terrapoint700x0main.exe] C:\Users\{USER}\AppData\Roaming\6DAD4D618B00D18FDAAF7B301FCDA7C7\terrapoint700x0main.exe ()
O4 - HKCU..\RunOnce: [RANDOM] C:\Users\{USER}\AppData\Local\RANDOM.exe ()
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O20 - HKCU Winlogon: Shell - (C:\Documents and Settings\{USER}\Application Data\hotfix.exe) - C:\Documents and Settings\{USER}\Application Data\hotfix.exe ()
How to remove this rogue
STEP 1 - First tasks
- Restart your computer. At logon, you will see a ThinkPoint screensaver appear.

- Press CTRL+ALT+DELETE or CTRL+SHIFT+ESC. Windows Task Manager should launch.
- Find the process hotfix.exe, select it, and press End Process.
- Then, go to File > New Task (Run...), type in explorer.exe and hit OK.
- Exit Task Manager.
STEP 2 - Clean rogue files
Download TFC by OldTimer to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista or 7, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
STEP 3 - Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware from Download.CNET.com.
Alternate link: BleepingComputer.com.
Double-click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will leave the infection active on the computer.
STEP 4 - Infection gone?
Check to see if the infection is gone.
If the infection is not gone, then please do the following:
- Read and follow the steps in this topic.
- Then, post a new topic containing those logs in this section.
If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.
..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner
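
The fixed-name file and registry indicators listed in the guide above can be checked in one pass. The following PowerShell script is an added example, not part of the original post; it is read-only, covers only the current user, and skips the {RANDOM} entries, whose names are not known.

```powershell
# Added example: read-only check for the ThinkPoint indicators listed in the guide.
# Nothing is deleted or modified; it only reports what is present for the current user.

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

$findings = @()

# Fixed file names from the guide. %APPDATA% resolves to "Application Data" on XP
# and "AppData\Roaming" on Vista/7, so one check covers both lists.
$files = @(
    (Join-Path $env:APPDATA 'hotfix.exe'),
    (Join-Path $env:APPDATA 'thinkpoint.exe'),
    (Join-Path $env:APPDATA 'completescan'),
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data\{68D4B3CD-C7E0-4B95-94BA-DD5EFD9B4246}')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Registry indicators from the guide (all under HKEY_CURRENT_USER).
if (Test-Path -LiteralPath 'HKCU:\Software\PAV') { $findings += 'Key present: HKCU\Software\PAV' }

$run = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'thinkpoint'
if ($run) { $findings += "Run value 'thinkpoint' = $run" }

# A per-user Shell value overrides the default shell (explorer.exe) at logon.
$shell = Get-RegValue 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
if ($shell -match 'hotfix\.exe') { $findings += "Winlogon Shell hijacked: $shell" }

# Weak indicators on their own: these warnings can also be turned off by the user.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
foreach ($name in 'WarnonBadCertRecving', 'WarnOnPostRedirect') {
    $v = Get-RegValue $inet $name
    if ($null -ne $v -and $v -eq 0) { $findings += "Internet Settings: $name = 0" }
}

if ($findings.Count -eq 0) { 'No ThinkPoint indicators from the guide were found.' }
else { $findings }
```

Run it from the affected user's session before STEP 1 and again after STEP 3 to confirm that the entries are gone.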
