Guest Orlando
Posted November 19, 2010

First of all, we must get to know the rogue Think Point. It is divided into two parts: one runs when it is activated, the other after the system restart requested by the virus (the first part). Let's learn more about this rogue.

Description:

First part:
When you run the file, it works in the background and stops exe files from running, showing a window that appears on your desktop.

Description: the main window of the virus in the first part (screenshot N°1)

The scan finds malware (certainly fake, screenshot N°2) and promises to remove it (screenshot N°3); after that you must restart the computer by pressing “ok” (screenshot N°4).

(screenshot N°2) (screenshot N°3) (screenshot N°4)

Second part:
After the restart, the situation looks like this: (screenshot N°5)

I am not including more screenshots because the rogue varies. It starts a scan of the computer, and it tells you to buy a full version of the program to make your computer secure. To exit Think Point you must enable “Allow unprotected startup” in the settings. Afterwards, to shut down your computer you can use the normal shutdown, or you must use the power button, because in some of our tests this rogue blocked shutdown.

Removal instructions:

First we need to log in to Safe Mode with Networking. When Safe Mode starts, the rogue also starts, so we can use the Task Manager (Ctrl+Shift+Esc). Go to Processes. Then click and highlight hotfix.exe and click “End Task”. If it asks "Are you sure you want to terminate the process?" click Yes. (screenshot N°6)

Then, in the Task Manager (under “Applications”), choose “New Task (Run...)” and type “explorer.exe” (without the quotation marks). If an error appears: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access them" run this command first:

cacls "C:\Windows\explorer.exe" /G Everyone:F

A new window will come up asking "Are you sure?" Type Y and press Enter.
After that, run “explorer.exe” again. Now you must download windows-shell.reg and double-click it. Click "Yes" when it asks whether you want to add the information to the registry. Now download Immunet, install it, and do a complete scan. After this, restart the computer (normal mode).

The rogue has been removed, but some parts of it remain in the system. Please remove these files and this key:

Windows XP:
C:\Documents and Settings\[user Name]\Application Data\[RANDOM CHARACTERS].bat
C:\Documents and Settings\[user Name]\Application Data\install
C:\Documents and Settings\[user Name]\Application Data\start

Windows Vista and Windows 7:
C:\Users\[user Name]\AppData\Roaming\[RANDOM CHARACTERS].bat
C:\Users\[user Name]\AppData\Roaming\install
C:\Users\[user Name]\AppData\Roaming\start

Go into the registry (START-RUN-"regedit.exe") and delete this:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = %AppData%\hotfix.exe

Technical details (files and keys associated with Think Point):

Files:
- In Windows XP:
C:\Documents and Settings\[user Name]\Application Data\hotfix.exe
C:\Documents and Settings\[user Name]\Application Data\[RANDOM CHARACTERS].bat
C:\Documents and Settings\[user Name]\Application Data\install
C:\Documents and Settings\[user Name]\Application Data\start
- In Windows Vista and Windows 7:
C:\Users\[user Name]\AppData\Roaming\hotfix.exe
C:\Users\[user Name]\AppData\Roaming\[RANDOM CHARACTERS].bat
C:\Users\[user Name]\AppData\Roaming\install
C:\Users\[user Name]\AppData\Roaming\start

Registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = %AppData%\hotfix.exe

Immunet Protect prevents this rogue.

For corrections, removal problems, misunderstandings or anything else, please send me a private message and I'll correct it.

Best regards,
Orlando
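A read-only check for the leftovers listed in the post above, as an added example that is not part of the original post: it reports the HKCU Winlogon Shell value and the named files under %AppData% without deleting anything. It assumes Windows PowerShell 2.0 or later, run as the affected user; the variable names and the note texts are illustrative.

```powershell
# Added example: read-only check, nothing is modified or deleted.
# Run as the affected user, because HKCU and %AppData% are per-user.
$findings = @()

# Registry: the per-user Winlogon Shell value the post says to delete.
$key   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell) {
    $note = 'Shell override present, review'
    if ($shell -match 'hotfix\.exe') { $note = 'Points at hotfix.exe as listed in the post' }
    $findings += New-Object PSObject -Property @{ Kind = 'Registry'; Item = "$key\Shell = $shell"; Note = $note }
}

# Files: %AppData% is "Application Data" on XP and "AppData\Roaming" on Vista/7.
foreach ($name in 'hotfix.exe', 'install', 'start') {
    $path = Join-Path $env:APPDATA $name
    if (Test-Path -LiteralPath $path) {
        $findings += New-Object PSObject -Property @{ Kind = 'File'; Item = $path; Note = 'Name listed in the post' }
    }
}

# The .bat name is random, so every top-level .bat is listed for manual review.
Get-ChildItem -Path $env:APPDATA -Filter *.bat -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $findings += New-Object PSObject -Property @{ Kind = 'File'; Item = $_.FullName; Note = 'Batch file, may be legitimate' }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Think Point leftovers from the list were found for this user.'
} else {
    $findings | Select-Object Kind, Item, Note | Format-List
}
```

Running it again after the cleanup and the reboot into normal mode shows whether the Shell value or any of the listed files came back.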
Archived
This topic is now archived and is closed to further replies.