Thinkpoint

momo88
Hi, I removed this virus for a client at the start of the week and she has just rung me to tell me she has only turned her laptop on after getting it back from me. She claims the virus is back on her laptop and the only thing she has done was turn it on and go make herself a cuppa. She did say she tried to access her email. Is it possible she has been reinfected, or is it that I didn't remove it right? It was totally removed, as I tested it and showed her it working fine before it left my shop.

Cheers
 
How did you remove the virus? Manually? If so, what steps did you take?
Also, which files did you remove?
Scanned? If so, which files did it find, and where?
 
I booted to the Bitdefender boot CD and did a full scan, booted into native Windows, deleted temp files, installed MBAM and did a full scan, updated the client's AVG and did a full scan with AVG also, and msconfiged the machine. Bitdefender picked up 14 and removed them (can't remember the names of the files), MBAM picked up a few and AVG picked up 0. I then used the machine for a while and rebooted several times, and at the time everything was working great.
 
OK, when you get the machine back, this is what I would do.

Boot into safe mode. As soon as ThinkPoint comes up, open Task Manager and kill hotfix.exe.
File > New Task, explorer.exe

You're then back into safe mode properly.

Go to AppData and look for a file called hotfix.exe. Delete this file.

Then restart in normal mode. You could check Autoruns and Process Explorer to see if there are any residual remnants.

Then update MBAM and do a full scan.

These steps have worked for myself, and others in the forums.

Please note, I did not write these steps, I found them in the forum.
 
That's a pretty long removal process for a bit of malware that can be neutered by changing a reg key and deleting a file :)

But that's not the point, I guess. Certainly MBAM removes this with no problems and it shouldn't come back. Since it alters the shell entry to point to its own file, it should be obvious if it's not removed as soon as you reboot.

Sounds like she got reinfected somehow.

But since it's so soon after you removed it I think you're going to have to redo it. This is the point where you sell her a better AV and some additional protection.
 
So basically I will have to work for free? That sucks, 'cause I am pretty sure I got rid of the virus. What I am going to do is check the logs and see if she has done anything to get reinfected.
 
The event log will tell you how often the PC has been used since you returned it, and you can also check out the date and time stamp of "%UserProfile%\Application Data\hotfix.exe".
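The two checks above (the Shell entry that ThinkPoint repoints to its own file, and the timestamp of hotfix.exe against the hand-back time) can be scripted. The following is an added example, not code from the thread; the Winlogon key path and the assumption that ThinkPoint edits the "Shell" value there are mine, and the hand-back time is a constructed value.

```python
import os
from datetime import datetime

# Assumed: ThinkPoint rewrites the Winlogon "Shell" value (normally "explorer.exe")
# to launch its dropper, which the thread locates at %AppData%\hotfix.exe.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"  # assumption
DROPPER = os.path.join(os.environ.get("APPDATA", ""), "hotfix.exe")


def shell_value_findings(value):
    """Return the entries of a Winlogon Shell value that are not the stock
    explorer.exe. The value is comma separated; None or "" is the default shell."""
    if not value:
        return []
    findings = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and os.path.basename(entry.replace("\\", "/")).lower() != "explorer.exe":
            findings.append(entry)
    return findings


def classify_dropper(mtime, handed_back):
    """mtime: datetime the dropper was last written, or None if absent. A write
    after the hand-back time points to reinfection; before it, to a missed file."""
    if mtime is None:
        return "absent"
    return "reinfection" if mtime > handed_back else "leftover"


def read_live_shell_values():
    """Read the Shell value from HKLM and HKCU; returns {} when not on Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = {}
    for name, hive in hives.items():
        try:
            with winreg.OpenKey(hive, WINLOGON_KEY) as key:
                found[name] = winreg.QueryValueEx(key, "Shell")[0]
        except OSError:  # key or value not present in this hive
            pass
    return found


if __name__ == "__main__":
    handed_back = datetime(2010, 11, 1, 17, 0)  # constructed hand-back time
    for hive, value in read_live_shell_values().items():
        print(hive, "Shell ->", shell_value_findings(value) or "clean")
    mtime = datetime.fromtimestamp(os.path.getmtime(DROPPER)) if os.path.exists(DROPPER) else None
    print(DROPPER, classify_dropper(mtime, handed_back))
```

Run it on the returned machine in safe mode; a Shell entry other than explorer.exe, or a hotfix.exe written after the hand-back time, settles the question the thread is arguing about.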
 
So basically I will have to work for free? That sucks, 'cause I am pretty sure I got rid of the virus. What I am going to do is check the logs and see if she has done anything to get reinfected.

It's entirely up to you. Checking the logs is a good idea.

What AV is she running?
 
Hi, I removed this virus for a client at the start of the week and she has just rung me to tell me she has only turned her laptop on after getting it back from me. She claims the virus is back on her laptop and the only thing she has done was turn it on and go make herself a cuppa. She did say she tried to access her email. Is it possible she has been reinfected, or is it that I didn't remove it right? It was totally removed, as I tested it and showed her it working fine before it left my shop.

Cheers

Well, you can determine if her story is true, and frequently find the source of the infection, by using products from Nirsoft (IEHV, MozillaHV). That's exactly what I did when a client's wife returned his laptop yesterday stating that it was "still" infected. Turns out the client went to Facebook, clicked on a link, and was infected. I printed the relevant portions out and he paid the bill with no further questions.

Rick
 
In what way does the history view via those tools differ from the history you get by looking at it inside the browser?
 
How did you know it was Facebook and the link she clicked on, and how did you print this information? Help would be great, please, so that I can prove it and get paid for my work.
 
In what way does the history view via those tools differ from the history you get by looking at it inside the browser?

Download it and see for yourself. Takes moments. For me, it's easily organizable, includes more info, and easily printable.

Rick
 
Cool prog, but how did you narrow it down to a link on Facebook for the infection?

New at this, huh?

Entry for Facebook. Next entry for an advertising site. Next entry is a redirect with a URL that, when Googled, is a known malware site. Miscellaneous entries after these for search engine redirects, pop-ups, etc.

Rick
 
I have seen this a lot with customers: they will get their machine back, fire it up, go to Facebook, click on a link and boom, reinfection. What I do is put them on a custom DNS like Clear Cloud and they never get reinfected again. I use this personally at work and home; it prevents client machines from redirecting to bad sites and getting reinfected.
 