My computer got infected with the ThinkPoint virus and how I got rid of it

My computer got infected from an external drive with malware masquerading as an official-looking Microsoft anti-malware product calling itself ThinkPoint! If you see something like the screenshot below, do not click any of the buttons. If you did, the malware is now installed on your machine and it will force you to restart the computer.



Upon restarting, the following screen will be shown.


Once the computer is infected, you cannot bring up the Windows Task Manager. Instead, it will show the screen below.


I found a way to kill off the ThinkPoint malware by using the PsTools from the Windows Sysinternals website. Download PsTools and unzip to a folder e.g. C:\Share\PsTools.

Kill off the ThinkPoint process

  1. Open up a Windows Command Prompt.
  2. In the Command Prompt, type in the following commands to list out the running processes:

    C:\> cd \share\pstools
    C:\> pslist


    A list of running processes is displayed.
  3. Determine the process id number of the hotfix process, e.g. 2124.

    Note: hotfix.exe is one of the files used by the ThinkPoint malware.
  4. In the Command Prompt, type in the following command to kill off the hotfix process.

    C:\> pskill 2124

    The process is killed and the ThinkPoint dialog box disappears from the screen. A sample session is shown below.


Remove all ThinkPoint files

ThinkPoint installs files into the current user's Application Data folder (on Windows XP, e.g. C:\Documents and Settings\[user]\Application Data\). These files have to be removed.

  1. In Windows Explorer, browse to the current user's Application Data folder.


  2. Hold down the CTRL key and left-click each of the following files to select them. Press DELETE.

    start
    completescan
    install
    hotfix.exe
    agtykj.bat (the letters are random)

Fix the Registry

  1. Select Start > Run.

    The Run dialog box appears.
  2. Type in regedit.


  3. Click OK.
  4. In the Registry Editor, navigate to the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and select the value "Shell", whose data reads "%AppData%\hotfix.exe".
  5. Press Delete.

    The value created by the malware is deleted. Only this value is removed; the Winlogon key itself stays in place.
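As an added example (not from the original post), the following PowerShell script audits the two footholds described above, the per-user Winlogon Shell value and the dropped files in Application Data, and undoes them only when run with -Remediate. It assumes the file names given in this post and a PowerShell 2.0 or later host.

```powershell
# Added example, not part of the original post: audit (and optionally undo) the two
# footholds ThinkPoint left behind: the per-user Winlogon "Shell" value and the files
# it dropped in %AppData%. Nothing is modified unless -Remediate is passed.
param([switch]$Remediate)

$winlogonKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$appData     = $env:APPDATA
# File names from the post; the .bat dropper has a random name, so match *.bat instead.
$knownFiles  = @('start', 'completescan', 'install', 'hotfix.exe')

$findings = @()

# 1. A clean machine has no Shell value under HKCU; the system default lives
#    under HKLM and reads "explorer.exe". Any per-user override is worth a look.
$shell = (Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell) {
    $resolved = [Environment]::ExpandEnvironmentVariables($shell)
    $findings += "HKCU Winlogon Shell = '$shell' (resolves to '$resolved')"
}

# 2. Dropped files sitting directly in the Application Data folder.
$present = @()
foreach ($name in $knownFiles) {
    $path = Join-Path $appData $name
    if (Test-Path -LiteralPath $path) { $present += $path }
}
$present += Get-ChildItem -LiteralPath $appData -Filter '*.bat' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Select-Object -ExpandProperty FullName
foreach ($p in $present) { $findings += "Dropped file present: $p" }

if ($findings.Count -eq 0) {
    Write-Output 'No ThinkPoint indicators found.'
    return
}
$findings | ForEach-Object { Write-Output "FOUND: $_" }

if ($Remediate) {
    # Stop the running component first (the post used pskill on the hotfix.exe PID).
    Get-Process -Name hotfix -ErrorAction SilentlyContinue | Stop-Process -Force
    # Remove only the Shell *value*; the Winlogon key itself must stay.
    if ($shell) { Remove-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue }
    foreach ($p in $present) { Remove-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue }
    Write-Output 'Remediation done; log off and on again to confirm Explorer starts normally.'
}
```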
