Windows Activation Virus


Solved by riahc3

Question

Gerowen

Working on a computer today with something I've never seen before.  Was easy enough to kill the process and start running scans anyway, but it's a weird little thing.

 

The process 543hfh.exe was running, and when it runs (even in Safe mode) it kills the explorer process, brings up a message telling the user that their Windows Activation has expired and that they must complete surveys on browsersafeguard.com in order to get an activation code to regain access to their computer.

 

Anybody seen this before and know anything about it?  Right now I've got stinger running a scan and it seems a bit less annoying than some other malware I've seen.  I just thought I would share because normally when I don't know about a process I can google the process name and I'll find something.  When I googled 543hfh.exe I got a message that said, "No documents matched your query".  Really odd for Google to not show me "anything" about it, so I thought I'd share.

9 answers to this question

riahc3

If it runs in safe mode, bad news.

Reformat. Don't even try to remove that because it will come back to haunt you.

+John Teacake

Probably because it's redirecting Google. With stuff like this it's ALWAYS better to format.

Gerowen

I googled it from my other computer.  My general rule is I give it an hour of work.  If after an hour I still don't know exactly how to restore the PC to a clean working state, then I reformat.

 

Just noticed there's no "New Folder" option in the context menu, and in file selection dialogs clicking "New Folder" does nothing.  The mkdir command from the command line works fine though.

Som

Did you try ComboFix? I always do a reinstall as a very last resort.

kkick

I would try Emsisoft Emergency Kit (http://www.emsisoft.com/en/software/eek/) followed by ESET (http://www.eset.com/us/download/home/detail/family/5/?trl=es , use the full version, not the online scanner). After that, run 7Smoker Pro (http://www.xp-smoker.com/7smokerpro.html) to correct any corrupt settings.

 

 

Best of luck and let me know if you need help.

Gerowen

Done.

 

1) Took a backup image of the computer before I started

2) Backed up personal files separately so I could scan them for viruses and just copy and paste them without having to mount the image in a VM.

3) Restored factory image

4) Removed OEM crapware, installed Windows Updates, installed some useful software like office software, antivirus, etc.

5) Restored personal files after being scanned for viruses

6) Made a backup image of the computer after it was done, so in case they blow it up in the next month or so I can just restore that image

  • Like 1
riahc3

Done.

 

1) Took a backup image of the computer before I started

2) Backed up personal files separately so I could scan them for viruses and just copy and paste them without having to mount the image in a VM.

3) Restored factory image

4) Removed OEM crapware, installed Windows Updates, installed some useful software like office software, antivirus, etc.

5) Restored personal files after being scanned for viruses

6) Made a backup image of the computer after it was done, so in case they blow it up in the next month or so I can just restore that image

Wow, I don't mean to burst your bubble because that was a lot of hard work but I think these steps are better:

1) Took a backup image of the computer before I started

2) Backed up personal files separately so I could scan them for viruses and just copy and paste them without having to mount the image in a VM.

3) Download an official Microsoft install image for your version of Windows

4) If needed, request a product key. If you have all your license and documentation of your PC, you should not have a problem with this.

5) Installed some useful software like office software, antivirus, etc.

6) Restored personal files after being scanned for viruses

7) Made a backup image of the computer after it was done, so in case they blow it up in the next month or so I can just restore that image

Those would be awesome stuff, more so those images you took.

Hum
When I googled 543hfh.exe I got a message that said, "No documents matched your query".  Really odd for Google to not show me "anything" about it, so I thought I'd share.

 

That is probably a random name that a lot of malware creates as the .exe.

 

It could have easily been some other gibberish name like 112abc.exe.

 

I can usually hit control/alt/delete, when the computer first boots up, then stop the process before it takes hold.

 

Then I delete the named .exe file.

 

I remove new folders that clearly do not belong.

 

I run a CCleaner scan of the Registry, and remove anything odd.

 

And a reboot usually brings everything back to normal.

 

Again, it depends on the virus/trojan.

  • Like 1
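
An added example, not part of any post in this thread: a read-only PowerShell triage of the usual autostart locations, for finding the registry entry that relaunches a randomly named executable like the one discussed here. The thread does not say where this sample persisted; the key list, the function names `Get-ExePath` and `Test-Entry`, the stock Winlogon defaults and PowerShell 3.0 or later are assumptions.

```powershell
# Added example (not from the thread). Read-only: nothing is modified.
# Assumption: these are the usual autostart keys, not ones named in the thread.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePath([string]$Command) {
    # Extract the executable path from a command line, quoted or not.
    $c = [Environment]::ExpandEnvironmentVariables($Command)
    if ($c -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($c -match '^\s*(.+?\.(exe|com|scr|bat|cmd))(\s|,|$)') { return $Matches[1] }
    return $c.Trim()
}

function Test-Entry([string]$Key, [string]$Name, [string]$Command) {
    $path = Get-ExePath $Command
    $sig = 'FileNotFound'
    if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        $sig = [string](Get-AuthenticodeSignature -FilePath $path).Status
    }
    [pscustomobject]@{
        Key = $Key; Name = $Name; Command = $Command; Signature = $sig
        # Paths a standard user can write to are a common home for droppers.
        UserWritable = $path -match '\\(AppData|Temp|ProgramData|Users\\Public)\\'
    }
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        Test-Entry $key $name ([string]$item.GetValue($name))
    }
}

# Winlogon values decide what starts at logon; compare them with the defaults.
$wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonOk = ($wl.Shell -eq 'explorer.exe') -and
              ($wl.Userinit -eq "$env:SystemRoot\system32\userinit.exe,")

$entries | Where-Object { $_.Signature -ne 'Valid' -or $_.UserWritable } |
    Format-Table -AutoSize -Wrap
"Winlogon Shell/Userinit at defaults: $winlogonOk"
```

A flagged row is a lead to inspect, not a verdict; plenty of legitimate software autostarts from AppData.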
Gerowen

That is probably a random name that a lot of malware creates as the .exe.

 

It could have easily been some other gibberish name like 112abc.exe.

 

I can usually hit control/alt/delete, when the computer first boots up, then stop the process before it takes hold.

 

Then I delete the named .exe file.

 

I remove new folders that clearly do not belong.

 

I run a CCleaner scan of the Registry, and remove anything odd.

 

And a reboot usually brings everything back to normal.

 

Again, it depends on the virus/trojan.

 

Yeah I was able to kill the process and use the task manager to re-start Explorer, but then I started noticing missing options in the Explorer context menus that applied across different user accounts, even new ones, and several other weird issues, so rather than dive into the rabbit hole and try to fix every possible problem it caused, and maybe miss one that would pop up as an issue later, I just killed it with fire.

 

Thanks for all the responses to this everybody, :-)
