othersteve
Not sure if this has been mentioned, but I'd give 10:1 odds that a TDSS rootkit is behind it.
I agree that it's most probably a rootkit infection. I've removed a few of these ThinkPoint viruses over the past few days and most have had secondary infections, the most common being an MBR virus. Removing ThinkPoint takes 5 minutes, but you need to be sure that's not the only problem before you sign off the job.
FWIW TDSS Killer found no trace on any of the systems I've encountered, but Gmer helped to track them down.
QFT, both iptech and Lone99star. Could be a bad system file also, however, as once the rootkit is loaded it can be very difficult to detect. Newer versions of TDSSKiller (last week or so) seem to be quite proficient at removing MBR-based TDSS infections, but yeah, if that doesn't work, GMER/mbr.exe are your best friend. If mbr.exe finds an infected or unconventional MBR in use, run mbr.exe -f to correct the issue. Reboot immediately thereafter and run it again to be sure it worked.

iptech is exactly right, an MBR infection has been present on the last 4 ThinkPoint infections I have worked on.
After manual removal of the hotfix file and all traces I could find, I still had rootkit activity.
Gmer will find it and if you have the drive imaged I would use Combofix to kill it.
Lone99star
That's odd. I've removed several of them and they didn't have a rootkit.
Coincidentally, I just had a customer call me because they'd screwed up their machine by trying a fix they got off the internet. The fix was to kill and remove the hotfix file... but no mention of the registry key. Since it replaces the shell value explorer.exe with hotfix.exe, he's booting into a blank screen.
LOL, well, theoretically, couldn't he still then press CTRL+SHIFT+ESC to bring up Task Manager (as Winlogon.exe is still running) and then manually run explorer.exe from there the first time until the key is repaired?
EDIT: Also, yeah, TDSS isn't necessarily linked to Thinkpoint, it's just that customers of TDSS can use it to download and install Rogue AVs if they so choose for profit.
Oh yeah, I suppose that is possible. If so, I think the next best option then (without heading out there to fix it yourself) would be to boot to recovery console and simply restore the (previously-infected) registry backup in the system32/config/RegBack folder to the system32/config folder (after backing up the registry hives)... then boot to Safe Mode and remove stuff that's not applicable or malicious via msconfig (assuming he's already removed the offending virus files).

This is what I was thinking but he reckons it doesn't work. I know the later editions of it stopped the use of task manager so maybe that setting is still in force?
No; not necessarily. Patched drivers and especially MBR variants of TDSS are very elusive.

I ran an offline scanner, would that not pick it all up? I will check her log and stuff so I can see how she got reinfected.
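Added example, not posted by anyone in this thread: a PowerShell audit for the two leftovers discussed above, the Winlogon Shell value that ThinkPoint points at hotfix.exe (the cause of the blank desktop once hotfix.exe is deleted) and the DisableTaskMgr policy that blocks Ctrl+Shift+Esc. The registry paths are the standard Windows locations; the -Repair switch and its behaviour are my own design.

```powershell
# Audit (and optionally repair) ThinkPoint-style Shell / Task Manager tampering.
# Run from an elevated PowerShell prompt on the affected machine; read-only by default.
param([switch]$Repair)

$machineWinlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userWinlogon    = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userPolicy      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$findings = @()

# 1. Machine-wide Shell value. Windows expects 'explorer.exe'; ThinkPoint swaps in
#    hotfix.exe, so deleting the file without fixing this value boots to a blank screen.
$shell = (Get-ItemProperty -Path $machineWinlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if (-not $shell) { $shell = '(absent)' }
if ($shell -ne 'explorer.exe') {
    $findings += "HKLM Winlogon Shell is '$shell' (expected 'explorer.exe')"
    if ($Repair) { Set-ItemProperty -Path $machineWinlogon -Name Shell -Value 'explorer.exe' }
}

# 2. Per-user Shell override: if present it wins over the HKLM value for that user,
#    so a clean HKLM entry alone does not prove the desktop will load.
$userShell = (Get-ItemProperty -Path $userWinlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($userShell) {
    $findings += "HKCU Winlogon Shell override is '$userShell' (normally absent)"
    if ($Repair) { Remove-ItemProperty -Path $userWinlogon -Name Shell }
}

# 3. DisableTaskMgr = 1 is what stops Task Manager from opening, which would explain
#    why the Ctrl+Shift+Esc workaround mentioned above fails on later variants.
$tm = (Get-ItemProperty -Path $userPolicy -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
if ($tm -eq 1) {
    $findings += 'Task Manager is disabled via DisableTaskMgr policy'
    if ($Repair) { Remove-ItemProperty -Path $userPolicy -Name DisableTaskMgr }
}

# Report. Repairing the registry does not remove the rootkit the thread warns about;
# that still needs GMER / mbr.exe / TDSSKiller as discussed above.
if ($findings.Count -eq 0) {
    'No ThinkPoint-style Shell or Task Manager tampering found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
    if ($Repair) { 'Values restored; reboot and re-run this script to confirm they stay clean.' }
}
```

Run it once without -Repair to see what is set, then with -Repair after the malicious files are gone; a Shell value that reverts after reboot points to the rootkit re-applying it.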