There is a particularly bad “rogue antivirus” program called “ThinkPoint” making the rounds at the moment – I’ve removed it from PCs owned by three different clients just today!
What is it?
I’ll tell you exactly how this particular infection gets into your computer in just a moment, but first of all I’ll tell you that the vast majority of these rogues make their way onto PCs by pretending to be something useful – this is why they are called Trojans (as in the mythical “Trojan horse”). However, they are only useful to the people who create them because they makes them lots of money. They do this by forcing you to sign up for a fake subscription to the rogue antivirus program that has been foisted upon you in order for you to regain control of your computer. Once you have paid for this subscription, usually the messages go away until your subscription runs out and the program tells you that it has removed all the infections it was warning you about – except that they were all made up in the first place.
Generally (certainly not always), these sorts of infections don’t do anything bad such as sending your bank account, credit card or password details to anyone, despite the fact that there may be copious warnings saying as much and constantly popping up on the screens of infected PCs. The only bad thing they usually do is try to con you out of some money via the fake subscription.
How does it get on my PC?
While I know at least one of the infections I saw today came to my client via a porn website (he admitted as much), don’t feel safe just because you steer clear of adult sites. Legitimate web sites with poor security are getting hacked and unwittingly becoming hosts for Trojans. This means I find myself cleaning infections from the PCs of little old ladies who tell me they’ve been searching for knitting patterns (you never can tell for sure these days, but I’m pretty sure that’s not a euphemism for “porn” ;-).
How can I avoid it?
With this particular “ThinkPoint” Trojan, there is a clue you can watch out for when surfing the web to avoid being infected. If you’ve arrived at a website that has a video you want to watch, see what happens when you click on the “play” button. If the video starts playing, you’re all safe, but if instead of video you get a message that gives you the impression you must first click on another link to download the latest version of Flash Player, run for the hills!… or at least immediately shut down your browser (Internet Explorer, Firefox, Safari, Chrome) to to avoid the infection by clicking on the X in the top-right corner.
Keep in mind that Flash Player is a perfectly legitimate program that is very useful for viewing videos on the internet, however, unless this is the very first time you are using your browser, it is highly likely that this message is NOT about the real Flash Player. To get the latest update for the REAL Flash Player click here.
How do I know if I got infected?
If you didn’t shut down your browser when you got the Flash Player message and instead clicked on the link, there’s a good chance that in the next few minutes you’ll then see the screen at the top of this article. The fake Microsoft Security Essentials alert will claim that Microsoft Security Center has detected the submitted file as “Trojan.Horse.Win32.PAV.a”. Finally, it will state that you need to install ThinkPoint solve the problem.
If you choose to continue, your computer will restart, but it won’t boot all the way to the Desktop, even in safe mode. The rogue program will hide all the desktop icons and taskbar. A program labeled ThinkPoint will show up.
Then it will run a fake system scan and you won’t be able to stop it. After the fake scan ThinkPoint will list numerous problems on your computer. If you choose to install the full version of the program with required modules you will be taken to the pay page of ThinkPoint.
ThinkPoint will block nearly all programs on your computer. It will certainly block task manager (if left long enough) and other system tools as well.
How to disable the infection
There is a way to temporarily turn it off by booting the computer and doing nothing else but pressing Ctrl+Alt+Del as soon as the Windows boot process begins. This should bring up Task Manager.
In Task Manager do the following:
- Click on the “Processes” tab,
- Right-click on the process called “hotfix.exe”,
- Select “End Process”.
The ThinkPoint screen will disappear but you now have nothing on the screen except Task Manager!
Now, do the following:
- Click on “File”,
- Click on “New Task(Run…)”,
- Type in “explorer.exe” (without the quotes),
- Click on “Ok”.
Your screen should now be back to normal. However, if you reboot your computer, you will have to go through this whole process again because the infection is still there. If you run your security software now, hopefully it will be able to remove the infection.
How to permanently remove the infection
If your security software can’t get rid of the infection or you find the whole process above just too distressing, give Geeks to the Rescue a call and we’ll have a RescueGeek out there as soon as possible!