Friday, October 22, 2010

ThinkPoint

ThinkPoint is a rogue security product that pretends to find malicious code on a victim’s machine in order to frighten him or her into purchasing this useless application.

ThinkPoint is downloaded by the (existing) fake Microsoft Security Essentials alert online scam. However, the malware writers have changed the code so the downloader is copied to the user's profile folder and is run after a reboot. Previously, the fake Security Essentials alert displayed fake scan results in order to get the user to choose a security product from a list of different names (which actually resulted in the same install).

Initial fake Microsoft Security Essentials Alert screen:





“Click OK” screen “to allow operation system (sic) to install the trial version of ThinkPoint(c).”




ThinkPoint GUI:





Payment screen:



 


Splash screen:






Threat Name: ThinkPoint.FakeRean

How to remove ThinkPoint:

When you fall victim to the ThinkPoint rogue security application, the downloader reboots your machine and then presents you with its own scanning screen on a Windows blue screen.

 


Once the machine is rebooted, the rogue takes over the machine by preventing Explorer.exe from loading (which means the desktop will not load, either). If you click on the X in the upper right corner to close ThinkPoint, you are then presented with the “unprotected startup” screen.

A victim can’t get around the ThinkPoint screen because “current settings don’t allow unprotected startup.”

 


However, ThinkPoint actually has an operating “settings” selection with a drop-down box that includes a checkbox “Allow unprotected startup.” You can close the ThinkPoint window and load your desktop once that has been checked. From there, you can use Windows Task Manager to stop hotfix.exe -- the rogue’s main file.
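
The Task Manager step above can also be done from a PowerShell prompt. The script below is an added example, not part of the original post and not Sunbelt or VIPRE tooling. It assumes PowerShell 4 or later and that the rogue's hotfix.exe runs from under the current user's profile (the article says the downloader is copied there); the 14-day review window is an arbitrary choice.

```powershell
# Added example: triage for the rogue process named in this post (hotfix.exe).
# Assumption: the rogue image lives under the current user's profile folder.
$profileRoot = $env:USERPROFILE.TrimEnd('\') + '\'
$targetName  = 'hotfix.exe'

# Win32_Process exposes the full image path of each running process.
$suspects = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$targetName'" |
    Where-Object {
        $_.ExecutablePath -and
        $_.ExecutablePath.StartsWith($profileRoot, [System.StringComparison]::OrdinalIgnoreCase)
    }

foreach ($p in $suspects) {
    # Record PID, path and hash before stopping, so the file can be identified later.
    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Path      = $p.ExecutablePath
        SHA256    = (Get-FileHash -Path $p.ExecutablePath -Algorithm SHA256).Hash
    } | Format-List

    # Only processes whose image is inside the profile are stopped; checking the
    # path avoids killing an unrelated process that happens to share the name.
    Stop-Process -Id $p.ProcessId -Force
}

# Bring the desktop back if the shell is not running.
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process -FilePath "$env:windir\explorer.exe"
}

# List (do not delete) executables recently written to the top level of the
# profile and of AppData\Roaming, for manual review or a follow-up scan.
$cutoff = (Get-Date).AddDays(-14)   # assumed review window
Get-ChildItem -Path $profileRoot, $env:APPDATA -Filter *.exe -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize
```

Stopping the process does not remove whatever relaunches it at boot, so a full scan is still needed afterwards.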



If ThinkPoint has infected your PC, you should remove it immediately. Click here to use VIPRE to remove ThinkPoint from your computer now.

19 comments:

  1. How do I get to the VIPRE if I can't even get past the stupid thinkpoint to get online???

  2. You should download VIPRE PC Rescue onto a thumb drive from here (you may need to use another computer to successfully download the program):
    http://live.sunbeltsoftware.com/

    Follow the directions on the page for booting the infected computer in "Safe Mode with Command Prompt".

  3. I can't access the Task Manager. Think Point has it blocked. How do I get around that?

  4. I saw that on a Linux machine (running Firefox). I installed the tool, but I'm sorry, it failed after downloading a couple of MB of worthless data (it figured out at the end that it is a Linux box)

  5. Paul, you should use the VIPRE PC Rescue from a thumb drive and follow the directions on the page for booting the infected computer in "Safe Mode with Command Prompt".

    http://live.sunbeltsoftware.com

  6. Let it run its course, then when it asks you to buy it, click OK. At that point press Ctrl/Alt/Delete, then in Processes look for hotfix, highlight it, and then End Task. Then go to File and choose New Task and type explorer.exe; this will put you back to your desktop. At this point download an antivirus program (Microsoft Security Essentials is what I use; it's good and free), but almost any of them will let you download a free version for 30 - 90 days

  7. To get past the ThinkPoint on your computer to get online, all you have to do is press CTRL + ALT + DELETE and go and end a process called hotfix.exe. When you do that, start a new process and put this in the box that pops up: explorer.exe, and start it, and your internet should come up. Once you have that, download the program from above and remove it

  8. Heads up everyone! I have been battling ThinkPoint for a couple of days. And I have reason to believe that the product STOPzilla that is advertised as a ThinkPoint removal product is actually a component of the scam! The attacker wins if you buy it. I did. Now I cannot completely remove it. And it somehow finds the ThinkPoint #1 component and brings it down again.
    DON'T buy STOPzilla!!

  9. What can I do after "Safe Mode with Command Prompt"? It shows ???? Please, my PC is dying.
    My PC shuts down and turns on... God... who can help me... please and thank you

  10. chuang, here are the command line directions.

    Directions for Command Line:

    1. Boot the computer in "Safe Mode with Command Prompt" (press F8 when the computer starts to boot. When the boot screen appears, use the down arrow to highlight the selection).

    2. When the command line appears, navigate to the directory or removable media that contains the VIPRE Rescue Program (VIPRERescue7415.exe).

    3. Type "VIPRERescue7415.exe" at the command prompt.

    4. At the prompt, "Do you wish to extract the VIPRE Rescue Scanner to your computer?" click Yes.

    5. You will be prompted for a destination folder to unzip to. Keep the default (C:\VIPRERESCUE) or enter a new folder, then click Unzip. Make sure the checkbox for "When done unzipping open: .\deep_scan.bat" is checked.

    6. The VIPRE Rescue Program will download the files into the destination folder. Click OK at the prompt.

    7. The VIPRE Rescue Program will open a command line window and run a deep scan.

    Hope this helps.

  11. If your PC is infected to the point that you don't know what to do to fix it, please keep in mind that if you purchase VIPRE Antivirus, Sunbelt Software has free Malware Removal Assistance for all customers. A $29.95 investment in the best antivirus software will also get you malware removal by an expert.

  12. I need some major help! My computer is a Dell and I have this virus. I must know A.S.A.P. how to destroy the virus

  13. Hi Jennifer,

    If you are a VIPRE customer, you can contact our support department free of charge. We offer free malware removal assistance to all customers.

    Consumer Support: 877-673-1153
    Worldwide: 1-727-562-0101 Ext 500

    Thanks

  14. I was trying to do the CTRL+ALT+DEL and on my computer it did not work.

  15. Hello,

    Please help me. While trying to extract the vipre exe file, I get an error message, "The Windows Installer service is not accessible in Safe Mode. Please try again when your computer is not in Safe Mode or you can use System Restore to return your machine to a previous good state."

    I am a super NOVICE, but I tried to make the windows installer work by creating a registry entry, but that did not work either. I would appreciate any help that you could provide. Thanks a million!

  16. Hi Lisa,

    You should download the EXE on another computer and copy it to a thumb drive then when in safe mode on the infected PC, install the program. You can find and print instructions to help you through the process here:
    http://live.sunbeltsoftware.com

  17. This showed up on my sister's laptop. I've never seen this before and it was a really good thing she knew to have me look at it before doing anything. She and my mom aren't very computer literate so I come over to be their "tech support" every once in a while.

    I was able to Ctrl+Alt+Del and pull up the task manager and end the task. It didn't show up as Think Point though. I can't remember exactly what it was but it showed up as like "hot"-something. I believe it was two words or a compound word with the word "hot" in it.

    After I ended this task I went to "File" and "New Task" then ran "C:\Windows\explorer.exe" which will load your desktop and everything else that needs to run. Then I went to "C:\Users\[userfolder]\AppData\Roaming" and there was the Think Point exe along with some other files that I deleted. I can't remember if I found anything in the system Startup folder (I was flying through folders looking for anything suspicious). After removing all of these I restarted the computer and it started up fine.

    I think I'm still going to try out this VIPRE tool in case I missed anything.

    You would think Avira would have been a little helpful in this.

  18. Do I really need to uninstall my current firewall before installing vipre? Help!

  19. Hi Kim,

    No, you don't have to uninstall your firewall to use VIPRE, but you will have to uninstall if you use VIPRE Premium because it has a built-in firewall.

    You can get VIPRE without the firewall and continue using the firewall you have now here:
    http://go.sunbeltsoftware.com/?linkid=411
