Windows Activation Virus



Working on a computer today with something I've never seen before.  Was easy enough to kill the process and start running scans anyway, but it's a weird little thing.

 

The process 543hfh.exe was running, and when it runs (even in Safe mode) it kills the explorer process, brings up a message telling the user that their Windows Activation has expired and that they must complete surveys on browsersafeguard.com in order to get an activation code to regain access to their computer.

 

Anybody seen this before and know anything about it?  Right now I've got stinger running a scan and it seems a bit less annoying than some other malware I've seen.  I just thought I would share because normally when I don't know about a process I can google the process name and I'll find something.  When I googled 543hfh.exe I got a message that said, "No documents matched your query".  Really odd for Google to not show me "anything" about it, so I thought I'd share.


I googled it from my other computer.  My general rule is I give it an hour of work.  If after an hour I still don't know exactly how to restore the PC to a clean working state, then I reformat.

 

Just noticed there's no "New Folder" option in the context menu, and in file selection dialogs clicking "New Folder" does nothing.  The mkdir command from the command line works fine though.


I would try Emsisoft Emergency Kit (http://www.emsisoft.com/en/software/eek/) followed by ESET (http://www.eset.com/us/download/home/detail/family/5/?trl=es, use the full version, not the online scanner). After that, run 7Smoker Pro (http://www.xp-smoker.com/7smokerpro.html) to correct any corrupt settings.

 

 

Best of luck and let me know if you need help.


Done.

 

1) Took a backup image of the computer before I started

2) Backed up personal files separately so I could scan them for viruses and just copy and paste them without having to mount the image in a VM.

3) Restored factory image

4) Removed OEM crapware, installed Windows Updates, installed some useful software like office software, antivirus, etc.

5) Restored personal files after being scanned for viruses

6) Made a backup image of the computer after it was done, so in case they blow it up in the next month or so I can just restore that image



Wow, I don't mean to burst your bubble, because that was a lot of hard work, but I think these steps are better:

1) Took a backup image of the computer before I started

2) Backed up personal files separately so I could scan them for viruses and just copy and paste them without having to mount the image in a VM.

3) Download an official Microsoft install image for your version of Windows

4) If needed, request a product key. If you have all your license and documentation of your PC, you should not have a problem with this.

5) Installed some useful software like office software, antivirus, etc.

6) Restored personal files after being scanned for viruses

7) Made a backup image of the computer after it was done, so in case they blow it up in the next month or so I can just restore that image

That would be awesome stuff, more so those images you took.


When I googled 543hfh.exe I got a message that said, "No documents matched your query".  Really odd for Google to not show me "anything" about it, so I thought I'd share.

 

That is probably a random name that a lot of malware creates as the .exe.

 

It could have easily been some other gibberish name like 112abc.exe.

 

I can usually hit Control/Alt/Delete when the computer first boots up, then stop the process before it takes hold.

 

Then I delete the named .exe file.

 

I remove new folders that clearly do not belong.

 

I run a CCleaner scan of the Registry, and remove anything odd.

 

And a reboot usually brings everything back to normal.

 

Again, it depends on the virus/trojan.

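One way to find a process like this without depending on a file name that Google has never seen, added here as an example and not code from anyone in the thread: it lists running processes that are unsigned or live outside the Windows and Program Files directories, then shows the Winlogon Shell/Userinit values (honoured even in Safe Mode) and the Run/RunOnce keys so anything other than the defaults stands out. It assumes an elevated PowerShell prompt on Windows 7 or later; the default Winlogon values quoted in the output header are the stock ones.

```powershell
# Added example: triage by location and signature instead of by file name.
# Run elevated; unelevated, ExecutablePath is empty for other users' processes.
$trustedRoots = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }   # ProgramFiles(x86) is empty on 32-bit Windows
function Test-TrustedDir([string]$Path) {
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}
# 1. Running processes that are unsigned or outside the trusted directories
$suspects = Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name         = $_.Name
            PID          = $_.ProcessId
            ParentPID    = $_.ParentProcessId
            Signed       = [bool]($sig -and $sig.Status -eq 'Valid')
            InTrustedDir = Test-TrustedDir $_.ExecutablePath
            Path         = $_.ExecutablePath
        }
    } |
    Where-Object { -not $_.Signed -or -not $_.InTrustedDir }
"== Processes worth a second look (unsigned or outside Windows/Program Files) =="
$suspects | Sort-Object Path | Format-Table Name, PID, ParentPID, Signed, InTrustedDir, Path -AutoSize
# 2. Autostart locations. Winlogon Shell/Userinit are used even in Safe Mode,
#    one place a lock screen that survives Safe Mode can be hooked in.
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"== Winlogon (defaults: Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe,) =="
"Shell    = $($wl.Shell)"
"Userinit = $($wl.Userinit)"
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
"== Run / RunOnce entries =="
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties | ForEach-Object { "$key : $($_.Name) = $($_.Value)" } }
    }
}
```

Anything flagged here is a lead to check, not a verdict: plenty of legitimate software is unsigned or runs from AppData, so compare the path and parent process against what you know is installed before deleting anything.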


Yeah, I was able to kill the process and use the Task Manager to restart Explorer, but then I started noticing missing options in the Explorer context menus that applied across different user accounts, even new ones, and several other weird issues. So rather than dive down the rabbit hole and try to fix every possible problem it caused, and maybe miss one that would pop up as an issue later, I just killed it with fire.

 

Thanks for all the responses to this, everybody. :-)
