Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Touchpoint aggravation!!


  • Please log in to reply
11 replies to this topic

#1 Frodolives

Frodolives

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 02 December 2010 - 01:12 AM

I was infected with the Touchpoint virus the other day. It came disguised as my anti-virus software and when I clicked the X to close out it ended up installing. I quickly shut down my computer and rebooted it (not sure if that was a bad thing). When it booted up to the Window's Welcome screen it had this stupid Touchpoint Safe Start window blaring at me and it won't let me get past it in order to run windows and my virus software to get rid of the darn thing. I went into Safe Mode and tried to restore my Computer to an earlier date only to find out that my dad had disabled it and since I can't enable the System Restore in Safe Mode and I can't boot into Normal Windows mode I am stuck!!! Please help! I don't want to click on the Touchpoint Safe Start because I don't want to run the risk of hurting my poor laptop any more than I already have! :wacko:

BC AdBot (Login to Remove)

 


#2 AustrAlien

AustrAlien

    Inquisitor


  • BC Advisor
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:09:18 PM

Posted 02 December 2010 - 04:14 AM

I was infected with the Touchpoint virus the other day.

Do you mean ThinkPoint? If so ...

Please follow the removal guide at the following link:

Remove ThinkPoint (Uninstall Guide)

The MBAM log is automatically saved and can be viewed by clicking the Logs tab in MBAM. Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Please post the log and let us know how the system is running now.
AustrAlien
Google is my friend. Make Google your friend too.

Posted Image

#3 Frodolives

Frodolives
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 02 December 2010 - 10:53 AM

That's the one!!! So in the instructions that you provided it uses the scenario that the owner of the computer had already pressed the safestart button. Is this the only way to get into Windows in order to get rid of this virus? Thanks for your help!

#4 AustrAlien

AustrAlien

    Inquisitor


  • BC Advisor
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:09:18 PM

Posted 02 December 2010 - 11:09 AM

in the instructions that you provided it uses the scenario that the owner of the computer had already pressed the safestart button. Is this the only way to get into Windows in order to get rid of this virus?

No, that is not the case.

When you start the computer normally and see the Think Point screen, do not click on any of the buttons. Instead, press the Ctrl+Shift+Esc keys, all at the same time, to bring up the Windows Task Manager.

Continue with the instructions to "end" the hotfix.exe process
AustrAlien
Google is my friend. Make Google your friend too.

Posted Image

#5 Frodolives

Frodolives
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 03 December 2010 - 01:11 AM

Thank you so much! I am now scanning with Malwarebytes on my laptop and reading instructions from my desktop. So far it is working. I will update and post my logs once the scan is finished. You totally saved this girl! Thanks!!

#6 AustrAlien

AustrAlien

    Inquisitor


  • BC Advisor
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:09:18 PM

Posted 03 December 2010 - 01:37 AM

Good to see things progressing in the right direction.

It is very important that MBAM is updated, so make sure that is done.

Yes please, update us, and post the logs when finished.
AustrAlien
Google is my friend. Make Google your friend too.

Posted Image

#7 Frodolives

Frodolives
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 04 December 2010 - 01:53 AM

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5236

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/3/2010 6:32:11 AM
mbam-log-2010-12-03 (06-32-11).txt

Scan type: Full scan (C:\|)
Objects scanned: 460956
Time elapsed: 1 hour(s), 32 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\sprt42.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pvolago (Trojan.Hiloti) -> Value: Pvolago -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\sprt42.dll (Trojan.Hiloti) -> Delete on reboot.
c:\documents and settings\Danielle\application data\hotfix.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Danielle\application data\Adobe\plugs\kb86625250.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Danielle\application data\Adobe\plugs\kb86630296.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\Danielle\application data\Adobe\plugs\kb86650390.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Danielle\local settings\Temp\0.7528870407337136.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Danielle\Desktop\thinkpoint.lnk (Rogue.ThinkPoint) -> Quarantined and deleted successfully.
c:\documents and settings\Danielle\start menu\Programs\thinkpoint.lnk (Rogue.ThinkPoint) -> Quarantined and deleted successfully.
c:\documents and settings\Danielle\application data\agtyjkj.bat (Malware.Trace) -> Quarantined and deleted successfully.

#8 Frodolives

Frodolives
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 04 December 2010 - 02:00 AM

Above is the MBAM log after the full scan. It seems to have completely contained the problem. Thanks again for your help. As a side note, when I rebooted my computer I got a funny error message that said "Error loading C:\WINDOWsjsprt42.dll The specified module could not be found 'OK' Not sure what it means exactly, but I saw that it was specified to be deleted on reboot in the MBAM log. Any insight would be appreciated. Thanks!

Edited by Frodolives, 04 December 2010 - 02:03 AM.


#9 AustrAlien

AustrAlien

    Inquisitor


  • BC Advisor
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:09:18 PM

Posted 04 December 2010 - 08:06 AM

Because the MBAM scan results showed Trojan.Hiloti as well as Think Point, we should run some more scans to be sure there is no other malware or remnants hiding in the system. The error message that you are seeing on starting Windows "Error loading C:\Windows\sprt42.dll .... " is a left-over from removing the Hiloti entries: If it persists after the following work, we will remove the registry entry causing it. Please do the following:


:step1: Empty your temp folders using TFC (Temporary File Cleaner) in Safe Mode
  • Please download TFC by Old Timer and save it to your desktop.
    alternate download link
  • Re-start your computer and load Windows in Safe Mode: ( Getting into Windows Safe Mode )
    • Start tapping the F8 key as the system starts to boot again, and continue tapping until you are presented with the "Windows Advanced Options Menu" screen.
    • Use the UP/DOWN arrow keys to select "Safe Mode", and press the <ENTER> key.
    • Log into your own account.
  • Run TFC:
    • Save any unsaved work. (TFC will close ALL open programs including your browser!)
    • Double-click on TFC.exe to run it. (If you are using Vista, right-click on the file and choose "Run As Administrator".)
    • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
    • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway allowing Windows to load normally (not into Safe Mode) to ensure a complete clean.

:step2: Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.



:step3: Run MBAM (Malwarebytes Anti-malware) like this:

  • With Windows booted normally (NOT in Safe Mode), open MBAM and click the Update tab and then Check for Updates.
  • When updating is complete, click the Scanner tab and select Perform quick scan and then click Scan.
  • When the scan has completed, if anything is found in the Results, choose Remove Selected.
  • Then post the contents of the log when it is displayed.
  • Now reboot Windows normally (NOT into Safe Mode). <<< Important


:step4: I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Note 1: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.

NOTE 2: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE 3: In some instances if no malware is found, there will be no log produced.

-----------------------------------------

Please ask any questions, post the logs and let us know how the PC is running now.
Logs to post:
  • SAS
  • MBAM
  • Eset

Edited by AustrAlien, 04 December 2010 - 08:09 AM.

AustrAlien
Google is my friend. Make Google your friend too.

Posted Image

#10 Frodolives

Frodolives
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 06 December 2010 - 01:16 AM

Thanks again for the info. After I ran the TFC--which found nothing--my Microsoft Security Essentials found the Trojan and removed it, so I didn't run the SAS. I did however run MBAM quick scan once more and will post the log below along with my MSE log. When I ran the ESET it did not provide me with a log--probably due to NOTE 3 in your above text. My computer is running just like new! Thanks for the much needed help, and if I ever have problems again I'll post here my questions here on Mybleepingcomputer!

#11 Frodolives

Frodolives
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 06 December 2010 - 01:26 AM

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5253

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/5/2010 10:16:33 PM
mbam-log-2010-12-05 (22-16-33).txt

Scan type: Quick scan
Objects scanned: 150539
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


MSE:

Catagory: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise you privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the "Allow" action and click "Apply actions". If this option is not available, log in as administrator or ask the local administrator for help.

Items:
file:C:\WINDOWS\alozugitixezo.dll
process:pid:2136
process:pid:2168
process:pid:700
regkey:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\Thapa
runkey:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\Thapa

#12 AustrAlien

AustrAlien

    Inquisitor


  • BC Advisor
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:09:18 PM

Posted 06 December 2010 - 01:41 AM

That is looking good. Your computer should be clean now.

Pleased we were able to help.

Good luck and take care.
AustrAlien
Google is my friend. Make Google your friend too.

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users