Just a warning for everyone out there...

It originated around August 24, 2010, and started popping up in the news and on virus databases around October 16th - 18th.

So for the first time in about 12 years a virus crept into my home system last night and had me completely shut down for several hours. It started when my husband texted me at work saying there was a popup he couldn't get rid of on the computer while he was browsing the internet. My first assumption was that it was one of those browser hijacking popups you see on the internet all over the place. When I got home, however, I found out it was a "Microsoft Security Essentials Alert" displaying through Windows Explorer. Even though MSEA is a real type of alert system, this one was fake. Seen here:

[Image: the fake "Microsoft Security Essentials Alert" popup, full size]

DO NOT be fooled by this even though it may look like a legit popup from Windows attempting to clean your system. Responding to it in any way, shape or form will install it to the hard drive and it will take over at that point. If you suspect you may already have this in your system, here is how to check for it and remove it...

Manual Removal:
1. Stop the Fake Microsoft Security Essential Alert process by pressing Ctrl+Alt+Del. Windows Task Manager will open. Look for the following processes:
(random characters).exe
avsuite.exe
avsoft.exe

2. Update your installed anti-virus program.

3. Run a full system scan and clean/delete all detected infected file(s). A manual removal of virus-related files should also be performed.

4. Edit Windows registry and delete Fake Microsoft Security Essential Alert entries.
How to edit your Registry: http://www.precisesecurity.com/tools-resources/troubleshooting/edit-windows-registry/

5. Exit registry editor.

6. Remove the Fake Microsoft Security Essential Alert start-up entry by going to Start > Run and typing msconfig in the "Open" dialog box. The System Configuration Utility will open. Go to the Startup tab and remove the check mark on the following Startup item(s):
(random characters).exe
avsuite.exe
avsoft.exe

7. Click Apply and restart the computer.

Hopefully with those changes the virus will never make its way onto your system as it did mine, because once it's in there it becomes A LOT more difficult.

Once active it installs the program "Think Point", which attempts to emulate a Microsoft antivirus program but lacks any ©, ®, or TM logos as MS always has, and contains numerous typos or grammatical errors in the messages it displays. It does a fake scan on your system while it installs itself, then tells you that in order to clean the fake infected files displayed you must purchase the full version of Think Point by credit card.

Once at this point you are completely locked out from using Notepad, Explorer, Internet Explorer, Google Chrome, Task Manager, etc., but you can still work around it by forcing the computer to shut down and rebooting into Safe Mode with Networking.

Once loaded into Safe Mode the Think Point virus will activate again, attempting to lock you out from Explorer and basic Windows controls. Press Ctrl + Alt + Delete and select the Task Manager (which should work in Safe Mode; if not, you will need to let the virus do its fake scan/installation). Under the Processes tab in Task Manager look out for "Hotfix.exe" and click End Process on it. That will disable the virus long enough for you to find a fix for it.
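As an added example (not from the original post), here is a small PowerShell check that automates the Task Manager and msconfig steps above: it looks for the process names the post lists (avsuite.exe, avsoft.exe, Hotfix.exe) among running processes and in the Run autostart registry keys, reports matches, and only ends a matching process when run with -Kill. It assumes an elevated PowerShell session, ideally from Safe Mode with Networking as described; the "(random characters).exe" entry cannot be matched by name, so -ShowAll prints every autostart entry for manual review.

```powershell
# Added example, not part of the original post. Report-only by default.
#   .\Check-ThinkPoint.ps1            -> list matches
#   .\Check-ThinkPoint.ps1 -ShowAll   -> also list every Run entry for review
#   .\Check-ThinkPoint.ps1 -Kill      -> end matching processes (Task Manager "End Process")
param([switch]$Kill, [switch]$ShowAll)

# Indicator names taken from the post above (compared case-insensitively).
$Indicators = @('avsuite.exe', 'avsoft.exe', 'hotfix.exe')

# Autostart locations that msconfig's Startup tab reads from (assumption:
# the Startup folder is not covered here and should be checked by hand).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Test-Indicator {
    param([string]$Text)
    if (-not $Text) { return $null }
    $lower = $Text.ToLowerInvariant()
    foreach ($name in $Indicators) {
        if ($lower.Contains($name)) { return $name }
    }
    return $null
}

# 1. Running processes: Get-Process reports names without ".exe", so append it.
foreach ($proc in Get-Process) {
    $hit = Test-Indicator ($proc.Name + '.exe')
    if ($hit) {
        Write-Host ("[process]   PID {0} {1} matches {2}" -f $proc.Id, $proc.Name, $hit)
        if ($Kill) { Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue }
    }
}

# 2. Autostart entries: flag values whose command line contains an indicator.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $hit = Test-Indicator ([string]$p.Value)
        if ($hit) {
            Write-Host ("[autostart] {0}\{1} = {2} (matches {3})" -f $key, $p.Name, $p.Value, $hit)
        } elseif ($ShowAll) {
            Write-Host ("[review]    {0}\{1} = {2}" -f $key, $p.Name, $p.Value)
        }
    }
}
```

Flagged autostart entries are only reported, not deleted; remove them through msconfig or the registry editor as the steps above describe, after confirming the match.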

[Image: Think Point introduction screen]
[Image: Think Point fake scanner window]

Think Point Removal Procedures
Note: The rogue program will prevent you from executing any application. Some Windows functions will also be rendered unusable, including Task Manager and log-off. It will also prohibit restarting or turning off the computer. To work around this, you must force-shutdown the computer by unplugging the power supply. Then proceed with these procedures.

1. Download Malwarebytes’ Anti-Malware (mbam-setup.exe) and save it on your Desktop.
http://www.precisesecurity.com/tools-resources/adware-tools/malwarebytes-anti-malware/

2. After downloading, double-click on the file to install the application.

3. Follow the prompts and install as "default" only.

4. Before the installation completes, check on the following prompts:
- Update Malwarebytes’ Anti-Malware
- Launch Malwarebytes’ Anti-Malware

5. Click "Finish." The program will run automatically and you will be prompted to update the program before doing a scan. Please update.

6. Scan your computer thoroughly.

7. When scanning is finished, click on "Show Results".

8. Make sure that all detected threats are marked, then click on Remove Selected.

9. Restart your computer.

What is it and where did it come from?
It has reportedly been bundled with up to 35 different software packages, including: Major Defense Kit, Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1 and AntiSpy SafeGuard...

Example of packaged software known to have Think Point bundled with it:
[Image: fake Microsoft Security Essentials scan window]