Recently a new browser hijack has been released, and it is meaner than most of the others that have plagued Internet browsers. This one is called “Think Point” and it loads itself by using a fake Microsoft Security Essentials pop-up. It is delivered to your system by a small ad that runs a script or ActiveX control from within the ad. Once it loads, your browser will close and immediately “alert” you that Microsoft Security Essentials has detected a virus on your system. Don’t fall for it, because if you do it will load even more nastiness and try to get you to pay for a $90.00 program that claims to remove the virus.
If you have seen the fake Microsoft Security Essentials alert, then the initial malware has already been installed and you will find that you can’t even use Ctrl-Alt-Del to open your Task Manager. You also won’t be able to open or access several other programs, including Internet Explorer. In some cases you will have to do a hard power down (pull the power cord) on your computer just to shut it off. If this is you right now, then shut the power off for your computer. Hopefully you are reading this on another computer. There is also a fix for this problem that won’t cost you $90.00. Read on.
First and foremost, DO NOT click on any of the options that the fake Microsoft Security Essentials pop-up offers you. Power down your system as soon as possible. If you can, restart the system in Safe Mode as the administrator. Once you are in Safe Mode you can begin to look for and delete the executable files and registry entries that the Trojan has installed. First back up any files you may want to save before you make any changes, just in case something goes wrong.
Now you want to start looking for the files that the Trojan Think Point has loaded. The files are named:
They will be hiding in your “%UserProfile%\Application Data” folder. Open My Computer and navigate to C: > Documents and Settings > Your User Folder. This should be the folder of the main user, or of the user that caught the Trojan in the first place. If there are multiple users on your system, the Trojan will load into the folder of the user that was logged in at the time. There may be a couple of these files or all of these files in that folder, and they will be named:
If you have identified any of these files in these locations, then you will want to delete the registry entries before deleting the files. The registry entries may appear with the following names and locations:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = “%LocAppData%\antispy.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnPostRedirect” = “0”
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnonBadCertRecving” = “0”
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = “%Documents and Settings%\[UserName]\Application Data\hotfix.exe”
Be careful when editing your registry, and make sure you have already backed up important files before you make any changes. You can click on Start > Run and type “regedit” to open the Registry Editor. Once it is open you can click on Edit > Find and then enter the names at the end of the registry locations listed above, such as “Thinkpoint.exe”, and it will search for any entries in your registry with that name. Once it finds an entry it will list it in the right pane of the Registry Editor, and you can delete each item.
Once all of the registry entries have been found and removed, you can safely delete the “exe” programs in your Documents and Settings folder and they won’t come back.
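The same checks can be scripted rather than typed into regedit by hand. The PowerShell script below is an added example written for this post, not code from the original article or from any vendor tool. It audits the registry values named above (the Winlogon “Shell” value under HKCU, which Windows does not normally set for a user, and the two Internet Settings warnings that the Trojan switches off) and flags any executable sitting directly in the user’s Application Data folders. It assumes it is run in Safe Mode as the affected user, that the expected state is “no per-user Shell override” and “warnings set to 1”, and that the post’s file-name list is not available, so it reports executables for manual review instead of deleting by name. Nothing is changed unless the hypothetical -Fix switch is given.

```powershell
# Added example (not from the original post): audit and repair the Think Point
# registry indicators described above. Assumptions: run from Safe Mode as the
# affected user; a per-user Winlogon "Shell" value is not normally present;
# the Internet Settings warning values default to 1 (on).
param([switch]$Fix)   # -Fix is this script's own switch; without it, report only

$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$inet     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$findings = @()

# 1. Winlogon "Shell" under HKCU. Windows keeps the real shell setting under
#    HKLM; a per-user value pointing at a program in the profile folder is
#    the hijack the post describes, and deleting the value is the repair.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell) {
    $findings += "Winlogon Shell override is '$shell'"
    if ($Fix) { Remove-ItemProperty -Path $winlogon -Name Shell }
}

# 2. Browser warnings turned off (value 0) so redirects and bad certificates
#    go unreported. Restore them to 1.
foreach ($name in 'WarnOnPostRedirect', 'WarnonBadCertRecving') {
    $v = (Get-ItemProperty -Path $inet -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $v -and $v -eq 0) {
        $findings += "$name is 0 (warning disabled)"
        if ($Fix) { Set-ItemProperty -Path $inet -Name $name -Value 1 -Type DWord }
    }
}

# 3. Executables dropped directly into the per-user Application Data folders.
#    Listed for manual review only; a legitimate program rarely lives here.
foreach ($dir in @($env:APPDATA, $env:LOCALAPPDATA)) {
    if ($dir -and (Test-Path $dir)) {
        $exes = Get-ChildItem -Path $dir -Filter *.exe -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer }
        foreach ($exe in $exes) { $findings += "Executable in profile folder: $($exe.FullName)" }
    }
}

if ($findings.Count -eq 0) { 'No Think Point indicators found.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

Run it once without -Fix to see what it reports, confirm the listed executables are the ones the post names, then run it again with -Fix and delete the files by hand. Back up the registry (File > Export in regedit) before the -Fix run, for the same reason the post gives above.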
If you have come this far, then it is time to reboot your system. When your system starts again, simply let it load normally and you should have a clean desktop when it finishes. If not, then you may want to consider downloading a malware removal tool or getting the latest updates for your operating system. You should do this on a regular basis anyway.
If your system is back to normal, then try to remember what site you were on when this happened, or ask the last user what site they were browsing when the Trojan was loaded. If you can determine which site it was, add it to your block list. The problem with this is that the site may not know about the ad that launched the Trojan, because few sites check the ads that their advertising revenue comes from; they just display them. Recently there has been a flood of fake advertisers using scripts and ActiveX controls in their ads to propagate viruses and Trojans, either to ruin operating systems or to load “scareware” that claims you have a problem on your system, only to charge you for nothing.
If you have any questions, tips or comments, then list them in the comment section below. Hopefully there will be better security measures built into our browsers in the near future, and perhaps even stiffer laws for companies that perpetuate this kind of attack.