WiredWX Hobby Weather ToolsLog in

 


descriptionThink Point Infection EmptyThink Point Infection

more_horiz
Hi,

My wife's computer has become infected with Think Point. She is running XP Pro on an HP machine. I have read a number of the posts here regarding think point and malware before posting.

Think point was discovered the other morning when her computer booted up to the 'Think Point' splash screen. There is only one option button available is 'Safe Startup'. Before realizing this option was a trick, she accidentally clicked this option. At the time it would not let her access the internet without first buying the Think point software. She did not buy it and it just kept prompting her to do so. No other access to the internet. This is about the time I got involved.

Here's what I've done so far...

Reading the directions here, we've started the machine in 'Safe mode with networking' and attempted to download Malwarebytes. However, the machine has no access to the internet. I downloaded Malwarebytes to my computer (Win 7) and copied it to CD. We then installed Malwarebytes via this method on her machine. However, we were unable to update malwarebytes on installation due to no internet connectivity on her machine. We ran malwarebytes anyway.

Malwarebytes found 57 some odd problems and we removed them (to quarantine).

The computer still boots up to the think point splash screen (with a normal boot sequence), and still does not have internet access if booted in 'safe mode' with networking.

As a result, while I have a log from malwarebytes, I am unable to get it off her machine to post it here.

HELP!

Thanks in advance !

P.S. I also have a smaller malware issue on this (Win 7) machine, but will tackle that issue via a separate thread here. At least we have internet access with this one for now.
P.

descriptionThink Point Infection EmptyRe: Think Point Infection

more_horiz
Hi,

Welcome to GeekPolice.net!

Could you please post the Malwarebytes' log as well as the one below?

Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\*.sys
    %systemroot%\system32\drivers\*.dll
    %systemroot%\system32\drivers\*.ini
    %systemroot%\system32\drivers\*.exe
    %SYSTEMDRIVE%\*.*
    %PROGRAMFILES%\*.
    %appdata%\*.*
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    disk.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    usbstor.sys
    /md5stop
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time


Note: in the event that OTL fails to run, please use alternate download links to try again:

http://oldtimer.geekstogo.com/OTL.com
http://oldtimer.geekstogo.com/OTL.scr

descriptionThink Point Infection EmptyRe: Think Point Infection

more_horiz
Okay, we got OTL running, and pasted in the script. Ran the scan, but when it completes it comes with two errors error saying it can't find the OTL.txt file, and the extras.txt file, (both on drive D: (CD_ROM)) and asks if we want to create a new one. She doesn't have access to her D: drive (virus or safe mode related).

Additionally, I've got no way to post this log, or the malwarebytes log here. She is not being allowed access to write anything to her CD-ROM (she can read from it, just not write to it). Since the virus she doesn't have Internet access so we're having to do this all with sneaker-net (to my laptop).

Gosh this is frustrating!

descriptionThink Point Infection EmptyRe: Think Point Infection

more_horiz
Hi,

Please try it in Safe Mode with Networking by rebooting the computer and tapping F8 until it asks you if you want to boot into Safe Mode.

Once there please try OTL.

descriptionThink Point Infection EmptyRe: Think Point Infection

more_horiz
That's where we ran OTL from was safe mode. It's the only way you can run anything on that machine now (otherwise it's Think Point blocked). It is when we're in safe mode that we don't have access to the D: drive to write the log files to a CD.

descriptionThink Point Infection EmptyRe: Think Point Infection

more_horiz
Hi,

Please download ComboFix Think Point Infection Combofix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Think Point Infection Query_RC
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Think Point Infection RC_successful

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

descriptionThink Point Infection EmptyRe: Think Point Infection

more_horiz
Have commyfix.exe copied to her desktop, but when we try to run the command (above) we get:

"Windows cannot find "C:\documents". Make sure you typed the name correctly, and then try again. ..."

Even though there is no path to C: in the command being typed.

Note: We are doing this in 'Safe Mode with networking'.

descriptionThink Point Infection EmptyRe: Think Point Infection

more_horiz
Hi,

Just double click on ComboFix.exe or commy.exe.

descriptionThink Point Infection EmptyRe: Think Point Infection

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum