Monthly Archives: November 2010

More on the ThinkPoint Fake Anti-Spyware Application

If your system is infected with the fake antispyware application ThinkPoint you may find yourself greeted with the following screen when restarting your computer:

This is a full-screen window with the lie “ThinkPoint - World’s leading security solution” prominently displayed. Only one button is enabled, and it is labeled “Safe Startup”. Click that, and ThinkPoint will do a dog and pony show that presents your system as infected by various pieces of malware, the solution to which, it claims is to purchase the full version of ThinkPoint. All of this is a lie, of course.

So how does ThinkPoint hijack you computer’s startup screen? It does this by changing the registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Windows NT\Shell to point to hotfix.exe (or whatever filename it is programmed to use). Some versions also modify HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Windows NT\Shell in the same way.

The good news is that you can bypass ThinkPoint to gain access to your computer. Simply press Ctrl+Alt+Del and look for a process named hotfix.exe. Right-click on that and select Terminate Process. The ThinkPoint screen should go away. At this point, all you will see is a blank screen, but we will fix that. Go to to File -> New Task in Windows Task Manager and type explorer.exe. Click OK and Explorer should start, giving you access to your computer again. Now is the time to run an antimalware application, such as TrojanHunter to remove all traces of ThinkPoint for good.

Warning: Malware with Fake Adobe Digital Signature Making the Rounds

We received a new sample in the lab today of a file that claims to be from “Adobe Systems Incorporated” according to the version information and bills itself as “Adobe Updater”. When executed, it became clear that this file is malware.

The interesting part is that the file has a digital signature apparently from Adobe Systems Inc. Take a look at this screenshot:

The screenshot is what you see if you right-click on the file and select the Digital Signatures tab on the Properties page. Most users wouldn’t even do this, but if you do it appears that the file is in fact digitally signed by Adobe. Now take a look what happens when you click the Details button:

You can now see that the digital signature is not valid. But take a look at the “Countersignatures” pane in the bottom half of the window. It appears that the file is counter-signed by VeriSign Time Stamping Services. This is an additional level of deception employed by the malware creator, and is something that could potentially fool even experienced users into thinking that the file has been signed with VeriSign as a counter signer.

When executed, the malware copies itself to the Startup folder and then connects to the Internet. It is a trojan clicker intended to make money for its creator. As of 2010-11-10 the only other program to detect it other than TrojanHunter is Dr Web. TrojanHunter detects this malware as FakeAdobe.100.