Windows Diagnostic

Windows Diagnostic is a rogue program that disguises itself as a tool for detecting and fixing hard drive and system errors. It comes from the same group that developed Windows Tool and was created specifically to generate revenue from this online scam. The rogue is usually spread with the help of a Trojan that modifies the Internet browser on the infected computer and redirects it to a malicious web site. That site initiates a fake scan and reports several hard drive and system issues, then prompts the user to download and install a copy of Windows Diagnostic. Unknown to the user, this is only an unregistered version, and Windows Diagnostic will later pressure the victim into purchasing the licensed version.

Once the presence of Windows Diagnostic is detected on the system, remove it immediately with any of the tools and procedures recommended below. It is best to use a combination of an anti-virus and an anti-malware program to completely eliminate Windows Diagnostic and all of its associated files. A full version of an anti-malware program that provides real-time scanning is necessary to avoid future infection by fake programs like Windows Diagnostic.

Alias: Windows Diagnostic

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Windows Diagnostic Removal Procedures

Manual Removal:
1. Press Ctrl+Alt+Del on the keyboard to stop the process associated with “Windows Diagnostic”. When Windows Task Manager opens, go to the Processes tab, then find and end the following process (note that the rogue sets the DisableTaskMgr registry value listed below, so Task Manager may refuse to open until that value is removed):
(random characters).exe

2. Update your installed antivirus application so that it has the latest database.
3. Thoroughly scan the computer and remove any detected threats. If removal is not possible, quarantine the infected item instead. Malicious files should also be located and deleted manually; see the files related to Windows Diagnostic listed below.
4. Registry entries created by Windows Diagnostic must also be removed from the Windows system. Refer to the entries associated with the rogue program listed below. [how to edit registry]
5. Exit the registry editor.
6. Get rid of the Windows Diagnostic start-up entry by going to Start > Run and typing msconfig in the “Open” dialog box. A window containing the System Configuration Utility will be launched. Go to the Startup tab and uncheck the following start-up item(s):
(random characters).exe

7. Click Apply and restart Windows.

Windows Diagnostic Removal Tool:
In order to completely remove the threat, click here to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before executing on the infected machine.

Using Portable SuperAntiSpyware:
To thoroughly remove the virus, it is best to run a separate scan with another security program so that infected files not detected by the anti-virus application can be removed as well. Click here to download and run the SAS Portable Scanner.

Technical Details and Additional Information:

Malicious Files Added by Windows Diagnostic:
%Documents and Settings%\[User Name]\Desktop\Windows Diagnostic.lnk
%Documents and Settings%\[User Name]\Start Menu\Programs\Windows Diagnostic
%Documents and Settings%\[User Name]\Start Menu\Programs\Windows Diagnostic\Windows Diagnostic.lnk
%Documents and Settings%\[User Name]\Start Menu\Programs\Windows Diagnostic\Uninstall Windows Diagnostic.lnk
%Documents and Settings%\All Users\Application Data\[random]
%Documents and Settings%\All Users\Application Data\[random].exe
%Documents and Settings%\All Users\Application Data\[random].dll

Windows Diagnostic Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ““
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
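A defender-side audit of the registry tampering listed above, as an added PowerShell example that is not part of the original page: it reports the HKCU values the rogue changes, optionally restores them, and flags Run entries launching from Application Data. The -Restore switch and the Application Data heuristic are this script's own assumptions.

```powershell
# Audit (and optionally undo) the HKCU settings the Windows Diagnostic rogue changes.
# Example script, not from the original page; -Restore is this script's own switch.
param([switch]$Restore)

# Key, value name, the value the rogue writes, and how to undo it
# ('remove' deletes the policy value; anything else is written back as the safe value).
$checks = @(
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';
     Name = 'DisableTaskMgr';       Bad = '1';  Fix = 'remove' },
  @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download';
     Name = 'CheckExeSignatures';   Bad = 'no'; Fix = 'yes' },
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';
     Name = 'WarnonBadCertRecving'; Bad = '0';  Fix = 1 },
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';
     Name = 'SaveZoneInformation';  Bad = '1';  Fix = 'remove' },
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations';
     Name = 'LowRiskFileTypes';     Bad = '*';  Fix = 'remove' }   # '*' = any value present
)

$findings = 0
foreach ($c in $checks) {
    if (-not (Test-Path $c.Path)) { continue }
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $current = [string]$item.($c.Name)
    $hit = if ($c.Bad -eq '*') { $current -ne '' } else { $current -eq $c.Bad }
    if (-not $hit) { continue }
    $findings++
    Write-Warning "$($c.Path)\$($c.Name) = '$current'"
    if ($Restore) {
        if ([string]$c.Fix -eq 'remove') { Remove-ItemProperty -Path $c.Path -Name $c.Name }
        else { Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Fix }
    }
}

# The rogue's Run entry points at a [random].exe under All Users\Application Data;
# flag any HKCU Run command that launches from an Application Data / ProgramData folder.
$run = Get-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($name in $run.GetValueNames()) {
        $cmd = [string]$run.GetValue($name)
        if ($cmd -match '\\(Application Data|ProgramData)\\') {
            $findings++
            Write-Warning "Run entry '$name' -> $cmd"
        }
    }
}
Write-Host "$findings suspicious item(s) found."
```

Run it first without -Restore to review what it reports, since the same policy values can legitimately be set by an administrator.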