Gerowen, posted April 14, 2014:

Working on a computer today with something I've never seen before. Was easy enough to kill the process and start running scans anyway, but it's a weird little thing. The process 543hfh.exe was running, and when it runs (even in Safe Mode) it kills the explorer process, brings up a message telling the user that their Windows Activation has expired and that they must complete surveys on browsersafeguard.com in order to get an activation code to regain access to their computer. Anybody seen this before and know anything about it?

Right now I've got Stinger running a scan and it seems a bit less annoying than some other malware I've seen. I just thought I would share because normally when I don't know about a process I can google the process name and I'll find something. When I googled 543hfh.exe I got a message that said, "No documents matched your query". Really odd for Google to not show me "anything" about it, so I thought I'd share.
John Teacake (MVC), posted April 14, 2014:

Probably because it's redirecting Google. With stuff like this it's ALWAYS better to format.
Gerowen (thread author), posted April 14, 2014:

I googled it from my other computer. My general rule is I give it an hour of work. If after an hour I still don't know exactly how to restore the PC to a clean working state, then I reformat.

Just noticed there's no "New Folder" option in the context menu, and in file selection dialogs clicking "New Folder" does nothing. The mkdir command from the command line works fine though.
Som, posted April 14, 2014:

Did you try ComboFix? I always do a reinstall as a very last resort.
riahc3, posted April 14, 2014:

If it runs in Safe Mode, bad news. Reformat. Don't even try to remove that because it will come back to haunt you.
kkick, posted April 14, 2014:

I would try Emsisoft Emergency Kit (http://www.emsisoft.com/en/software/eek/) followed by ESET (http://www.eset.com/us/download/home/detail/family/5/?trl=es , use the full version, not the online scanner). After that, run 7Smoker Pro (http://www.xp-smoker.com/7smokerpro.html) to correct any corrupt settings. Best of luck and let me know if you need help.
Gerowen (thread author), posted April 16, 2014:

Done.

1) Took a backup image of the computer before I started
2) Backed up personal files separately so I could scan them for viruses and just copy and paste them without having to mount the image in a VM.
3) Restored factory image
4) Removed OEM crapware, installed Windows Updates, installed some useful software like office software, antivirus, etc.
5) Restored personal files after being scanned for viruses
6) Made a backup image of the computer after it was done, so in case they blow it up in the next month or so I can just restore that image
riahc3, posted April 16, 2014:

> Done.
> 1) Took a backup image of the computer before I started
> 2) Backed up personal files separately so I could scan them for viruses and just copy and paste them without having to mount the image in a VM.
> 3) Restored factory image
> 4) Removed OEM crapware, installed Windows Updates, installed some useful software like office software, antivirus, etc.
> 5) Restored personal files after being scanned for viruses
> 6) Made a backup image of the computer after it was done, so in case they blow it up in the next month or so I can just restore that image

Wow, I don't mean to burst your bubble because that was a lot of hard work, but I think these steps are better:

1) Took a backup image of the computer before I started
2) Backed up personal files separately so I could scan them for viruses and just copy and paste them without having to mount the image in a VM.
3) Download an official Microsoft install image for your version of Windows
4) If needed, request a product key. If you have all your license and documentation of your PC, you should not have a problem with this.
5) Installed some useful software like office software, antivirus, etc.
6) Restored personal files after being scanned for viruses
7) Made a backup image of the computer after it was done, so in case they blow it up in the next month or so I can just restore that image

That would be awesome stuff, more so those images you took.
Hum, posted April 19, 2014:

> When I googled 543hfh.exe I got a message that said, "No documents matched your query". Really odd for Google to not show me "anything" about it, so I thought I'd share.

That is probably a random name that a lot of malware creates as the .exe. It could have easily been some other gibberish name like 112abc.exe.

I can usually hit Control/Alt/Delete when the computer first boots up, then stop the process before it takes hold. Then I delete the named .exe file. I remove new folders that clearly do not belong. I run a CCleaner scan of the Registry, and remove anything odd. And a reboot usually brings everything back to normal.

Again, it depends on the virus/trojan.
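As an added example, not code from the thread or from any of its posters: a read-only PowerShell triage script for the manual clean-up approach described above. It lists the standard autostart locations (the Run/RunOnce keys and the Winlogon Shell/Userinit values) and flags entries whose executable has a random-looking name like 543hfh.exe, lives in a user-writable folder, or replaces the default shell. It assumes the locker persisted through one of those locations and that Windows is installed on C:; the name heuristic is a hint for a human to look at, not a verdict, and the script deletes nothing.

```powershell
# Added example, not from the thread. Read-only autostart triage: reports, never deletes.
# Assumptions: persistence is in a standard autostart location; Windows lives on C:.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Heuristic: a short basename that mixes digits and letters (543hfh, 112abc).
# Legitimate tools can match too (7-Zip's 7zFM.exe), so treat hits as "look closer".
function Test-GibberishName {
    param([string]$Path)
    $name = [System.IO.Path]::GetFileNameWithoutExtension($Path)
    return ($name -match '^[a-z0-9]{4,10}$' -and $name -match '\d' -and $name -match '[a-z]')
}

# Executables launched from locations a normal user can write to deserve a second look.
function Test-UserWritablePath {
    param([string]$Path)
    return ($Path -match '\\(AppData|Temp|Users\\Public|ProgramData)\\')
}

# Pull the executable path out of a Run value's command line ("C:\x y\a.exe" /q  or  a.exe /q).
function Get-ExecutableFromCommand {
    param([string]$Command)
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive metadata
        $cmd = [string]$p.Value
        $exe = Get-ExecutableFromCommand $cmd
        $reasons = @()
        if (Test-GibberishName $exe)     { $reasons += 'random-looking name' }
        if (Test-UserWritablePath $exe)  { $reasons += 'user-writable location' }
        if ([System.IO.Path]::IsPathRooted($exe) -and -not (Test-Path -LiteralPath $exe)) {
            $reasons += 'file missing (dead entry or already removed)'
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Why = ($reasons -join ', ') }
        }
    }
}

# Lockers that replace the desktop often hook the Winlogon Shell or Userinit values.
# Stock defaults (assumed here): Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe,
$wl = Get-ItemProperty -Path $winlogon
if ($wl.Shell -ne 'explorer.exe') {
    $findings += [pscustomobject]@{ Key = $winlogon; Name = 'Shell'; Command = $wl.Shell; Why = 'non-default shell' }
}
if ($wl.Userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') {
    $findings += [pscustomobject]@{ Key = $winlogon; Name = 'Userinit'; Command = $wl.Userinit; Why = 'non-default userinit' }
}

if ($findings.Count -eq 0) { 'No suspicious autostart entries found in the checked locations.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell on the affected machine (or on the mounted backup image's registry hives, after loading them). A hit on "non-default shell" is the one most worth checking first for a locker that kills explorer.exe: if Shell points at something other than explorer.exe, that is where the lock screen is being launched from, and it is also why the symptom survives Safe Mode. The script only covers these locations; scheduled tasks, services and per-user Startup folders are other common places and are not enumerated here.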
Gerowen (thread author), posted April 21, 2014:

> That is probably a random name that a lot of malware creates as the .exe. It could have easily been some other gibberish name like 112abc.exe. I can usually hit Control/Alt/Delete when the computer first boots up, then stop the process before it takes hold. Then I delete the named .exe file. I remove new folders that clearly do not belong. I run a CCleaner scan of the Registry, and remove anything odd. And a reboot usually brings everything back to normal. Again, it depends on the virus/trojan.

Yeah, I was able to kill the process and use the task manager to restart Explorer, but then I started noticing missing options in the Explorer context menus that applied across different user accounts, even new ones, and several other weird issues, so rather than dive into the rabbit hole and try to fix every possible problem it caused, and maybe miss one that would pop up as an issue later, I just killed it with fire.

Thanks for all the responses to this everybody, :-)