Remove ThinkPoint AV
10-26-2010, 10:25 PM
ThinkPoint AV has an annoying characteristic of taking over the desktop by blocking explorer.exe from properly loading. Once the user loads into the machine, all the user will see is this:
Thankfully, access to Task Manager is still possible.
Getting past ThinkPoint GUI after Windows Startup:
1. Start your computer normally
2. When the 'ThinkPoint' screen is displayed, open the Task Manager by pressing CTRL + Shift + Esc or Ctrl + Alt + Del.
3. Select the 'Processes' tab
4. Locate 'Hotfix.exe' and/or 'ThinkPoint.exe'
5. Select this process, then click 'End Process'
6. Select the 'Applications' tab
7. Click on 'New Task'
8. Type "explorer" and click 'Ok'
Your Desktop should now be displayed as normal. Please download and perform a scan with PC Tools Threat Removal Tool (http://www.pctools.com/forum/showthread.php?t=67916) and Spyware Doctor with AntiVirus (http://www.pctools.com/spyware-doctor-antivirus/download/?src=lp_sdav).
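The Task Manager steps in the post above can also be scripted. The following is an added example, not part of the original post and not a PC Tools utility. It assumes PowerShell 4.0 or later (needed for Get-FileHash), launched from Task Manager's 'New Task' box, and it uses only the two process names given in the post. It records each binary's path and hash before terminating it so the file can be located for the follow-up scan.

```powershell
# Added example: scripted form of the Task Manager steps above.
# The process names come from the post; everything else is an assumption.
$names = 'hotfix', 'ThinkPoint'   # Get-Process takes names without ".exe"

$found = @(Get-Process -Name $names -ErrorAction SilentlyContinue)
if ($found.Count -eq 0) {
    Write-Output 'No hotfix.exe or ThinkPoint.exe process is running.'
}

# Record where each binary lives before terminating it, so the file can be
# checked by the scanner afterwards. Path may be empty if access is denied.
$report = foreach ($p in $found) {
    $hash = $null
    if ($p.Path -and (Test-Path -LiteralPath $p.Path)) {
        $hash = (Get-FileHash -LiteralPath $p.Path -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        Name   = $p.ProcessName
        Id     = $p.Id
        Path   = $p.Path
        SHA256 = $hash
    }
}
$report | Format-List

# Equivalent of 'End Process' for each match.
foreach ($p in $found) {
    Stop-Process -Id $p.Id -Force -ErrorAction Continue
}

# Equivalent of 'New Task' -> explorer: restore the desktop shell
# only if it is not already running.
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process -FilePath explorer.exe
}
```

Review the reported paths before relying on the result: the script matches on process name only, so an unrelated program with the same name would also be stopped.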
10-28-2010, 01:54 AM
Warning: New rogue antivirus - ThinkPoint
A new rogue antivirus was recently reported which is part of the fake Security Essential rogue malware. When the binary is executed, it will show a splash screen which is displayed on top of all application windows.
Figure 1: ThinkPoint splash screen
Figure 2: ThinkPoint loading
When the “Safe Startup” button is clicked, it will display a window which does a fake scanning of the infected machine.
Figure 3: Fake scan
After the scanning process is complete, it will then present the results encouraging you to install the full version. You cannot continue unprotected since it will just display these windows repeatedly.
Figure 4: Scan results
Figure 5: Fake warning message
Clicking on “Install the full version” will take you to the payment page.
Figure 6: Payment page
After rebooting an infected machine, the malware will take over your desktop and only display the splash screen window as shown in Figure 1.
To be able to bypass the splash screen, press CTRL+ALT+DEL to bring up the task manager. Then search for hotfix.exe in the process list and kill that process. Afterwards click on File, then “New Task (Run..)” and type explorer.exe then click OK to proceed with loading the desktop so that you can install or run Spyware Doctor (http://www.pctools.com/spyware-doctor-antivirus/download/?src=lp_sdav) to do a thorough cleanup of the infected machine.
Threat Expert Report: http://www.threatexpert.com/report.aspx?md5=96a72b62b32a3856992011b7c6f64d43
To remove the infection from your system, download and perform a scan with our PC Tools Threat Removal Tool. (http://www.pctools.com/forum/showthread.php?67916-How-to-use-PC-Tools-Fixtool-amp-Proxy-Hijack-Remove/)
Once you have run the Threat Removal Tool, download and run the PC Tools Free AntiVirus (http://www.pctools.com/free-antivirus/) to check for any leftover traces of the infection.
You may need to perform this in safe mode if you are not able to boot correctly.
12-01-2010, 08:42 PM
I got this thing and used your very good step-by-step to remove it...now running full scan...my problem is with pctools running, how did this get in? I chatted with your help, and one of the things they said is that it may be because I have 2 AV's running - pctools and AVG. I am a really old and experienced computer user, and I have seen AV getting broken by viruses, so my experience is 2 are better than 1 - and I am happy to report that pctools and AVG seem to live happily together - I've had other AV's that as soon as I try to install them, they want me to kick anyone else off my computer, and I happen to think that this is not professional - but I must wonder if this is in fact correct. One thing is, though, that after removing the process etc. and rebooting, AVG came right up and told me about this and removed it, and pctools didn't or maybe didn't get a chance?
So bottom line: the help here on the forums is great, and I used the chat for the first time ever, and I am glad it is there - they said 24/7 which is great!
Is there anything else by pctools that I might need to be extra-safe?