Windows Diagnostic

Windows Diagnostic is a rogue program that disguises itself as a tool for detecting and fixing hard drive and system errors. It comes from the same group that developed Windows Tool, and like that program it exists purely to generate revenue from an online scam. The rogue application is usually spread with the help of a Trojan that modifies the Internet browser on the infected computer and redirects it to a malicious web site. That site initiates a fake scan and reports several hard drive and system issues, then prompts the user to download and install a copy of Windows Diagnostic. Unknown to the user, what is installed is only an unregistered version; Windows Diagnostic later pressures the victim into purchasing the licensed version.

Once the presence of Windows Diagnostic is detected on a system, remove it immediately with any of the tools and procedures recommended below. It is best to use a combination of anti-virus and anti-malware programs to completely eliminate Windows Diagnostic and all of its associated files. A full version of an anti-malware program with real-time scanning is necessary to avoid future infection by fake programs like Windows Diagnostic.

Alias: Windows Diagnostic

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Windows Diagnostic Removal Procedures

Manual Removal:
1. Press Ctrl+Alt+Del to stop the process associated with “Windows Diagnostic”. When Windows Task Manager opens, go to the Processes tab, then find and end the following process:
(random characters).exe

2. Update your installed antivirus application so that it has the latest database.
3. Thoroughly scan the computer and remove any detected threats. If removal is not possible, quarantine the infected item instead. Malicious files should also be located and deleted manually; see the list of files related to Windows Diagnostic below.
4. Registry entries created by Windows Diagnostic must also be removed from the Windows system. See the entries associated with the rogue program below.
5. Exit the registry editor.
6. Get rid of the Windows Diagnostic start-up entry: go to Start > Run and type msconfig in the “Open” box. A window containing the System Configuration Utility will open. Go to the Startup tab and uncheck the following start-up item(s):
(random characters).exe

7. Click Apply and restart Windows.

Windows Diagnostic Removal Tool:
To completely remove the threat, download and run Malwarebytes Anti-Malware. Trojans sometimes block the download and installation of MBAM; if this happens, download it on a clean computer and rename the executable file before running it on the infected machine.

Using Portable SuperAntiSpyware:
To thoroughly remove the virus, it is best to run a separate scan with another security program so that infected files not detected by the anti-virus application can be removed as well. Download and run the SAS Portable Scanner.

Technical Details and Additional Information:

Malicious Files Added by Windows Diagnostic:
%Documents and Settings%\[User Name]\Desktop\Windows Diagnostic.lnk
%Documents and Settings%\[User Name]\Start Menu\Programs\Windows Diagnostic
%Documents and Settings%\[User Name]\Start Menu\Programs\Windows Diagnostic\Windows Diagnostic.lnk
%Documents and Settings%\[User Name]\Start Menu\Programs\Windows Diagnostic\Uninstall Windows Diagnostic.lnk
%Documents and Settings%\All Users\Application Data\[random]
%Documents and Settings%\All Users\Application Data\[random].exe
%Documents and Settings%\All Users\Application Data\[random].dll

Windows Diagnostic Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'

Most of these entries weaken Windows' own download and attachment safeguards rather than hide the rogue itself: CheckExeSignatures = no stops Internet Explorer from checking the signature of downloaded executables, WarnonBadCertRecving = 0 suppresses the invalid-certificate warning, DisableTaskMgr = 1 blocks Task Manager (which is why step 1 can fail until the value is removed), LowRiskFileTypes marks every listed extension as low risk so the Attachment Manager does not prompt before opening them, and SaveZoneInformation = 1 stops the zone identifier from being written to downloaded files. Use FormSuggest only controls form auto-complete. The two Run values are the rogue's autostart; the value name is the random executable name from the file list above.
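As an added example that is not part of the original page, the following PowerShell script audits the HKCU values listed above and the Run autostart from steps 4 and 6, and with -Remediate restores them. The "Fix" values are the normal Windows defaults as assumed here, not values the page gives; the script checks only the current user's hive.

```powershell
# Added example (not from the original page): audit the HKCU registry values the
# guide lists for Windows Diagnostic and, with -Remediate, restore Windows defaults.
# Assumption: the Fix values are the stock Windows defaults ($null = delete the value).
[CmdletBinding()]
param([switch]$Remediate)

$hkcu = 'HKCU:\Software\Microsoft'
# Bad = data the rogue writes (from the page); Bad '*' means any value is suspicious.
$checks = @(
  @{ Path="$hkcu\Internet Explorer\Download";                   Name='CheckExeSignatures';   Bad='no'; Fix='yes' }
  @{ Path="$hkcu\Windows\CurrentVersion\Internet Settings";     Name='WarnonBadCertRecving'; Bad=0;    Fix=1 }
  @{ Path="$hkcu\Windows\CurrentVersion\Policies\System";       Name='DisableTaskMgr';       Bad=1;    Fix=$null }
  @{ Path="$hkcu\Windows\CurrentVersion\Policies\Associations"; Name='LowRiskFileTypes';     Bad='*';  Fix=$null }
  @{ Path="$hkcu\Windows\CurrentVersion\Policies\Attachments";  Name='SaveZoneInformation';  Bad=1;    Fix=$null }
)

$findings = @()
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }                 # key or value absent: nothing to do
    $current = $item.($c.Name)
    if ("$($c.Bad)" -eq '*' -or "$current" -eq "$($c.Bad)") {
        $findings += "{0}\{1} = '{2}'" -f $c.Path, $c.Name, $current
        if ($Remediate) {
            if ($null -eq $c.Fix) { Remove-ItemProperty -Path $c.Path -Name $c.Name }
            else { Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Fix }
        }
    }
}

# The rogue's autostart is a randomly named .exe under All Users\Application Data
# (see the file list above); flag any HKCU Run value whose command points there.
$runKey  = "$hkcu\Windows\CurrentVersion\Run"
$dataDir = [Environment]::GetFolderPath('CommonApplicationData')   # All Users\Application Data on XP
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip the provider's PSPath/PSDrive metadata
        if ("$($p.Value)" -like "*$dataDir*") {
            $findings += "Run value '{0}' -> {1}" -f $p.Name, $p.Value
            if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $p.Name }
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "FOUND: $_" } }
else { Write-Output 'No Windows Diagnostic registry indicators found.' }
```

Run it once without -Remediate to see what it would change; the found list is also a quick way to confirm whether the Task Manager block from step 1 is still in place.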

16 Responses

  1. rok 2012 says:

    Thanks. This stupid scam software took me a few hours to remove. A few so precious hours.

  2. jv says:

    I’m really confused. Where can I find those files? I ran Malwarebytes but it still seems to be on my comp. I still can’t access my documents.

  3. David says:

    I did a system restore which seemed to have fixed the problem. I ran Malwarebytes afterwards and it did not find anything. I still could not access my files until I checked the properties of the folders in My Computer. Somehow the properties settings were changed to hidden so the files were still there but they could not be seen. After unchecking the “hidden” box all of my files were back.

  4. Jim says:

    Wanted to say thanks to the author of this page and the writers here. Used VIPRE to get rid of Windows Diagnostic, then had similar issues restoring files. Then I right-clicked into Properties and unchecked “Hidden”.

  5. gs says:

    Hi! Thanks so much for this info!! I just got rid of the windows diagnostic virus by downloading vipre counterspy too. Fantastic. This is the best website. I’m gonna try to unhide my files! Thanks a lot!

  6. Jim says:

    It seems Windows Diagnostic somehow deleted the items in my favorites menu, though, which I haven’t been able to restore. It also removed or hid my MS Paint and Word applications, which I’ve managed to replace or retrieve. The people who create these things are sad bastards who deserve to be arrested. Glad that there are antivirus programs and sites like this around, though.

  7. PV Balakrishnan says:

    Thank you for the information on this site. I have been working away for a couple of days with no success. Now with the information here and in MalwareByte’s site it looks like I might be able to (with some more hours of work) get some functionality back. Maybe enough to migrate the critical files out of the laptop.
    PS. Will the PST, and especially QIF type files have any trojan virus embedded making it dangerous to migrate to a new machine?

  8. PV Balakrishnan says:

    At least a couple of the registry keys were missing from my machine:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “.exe”
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ““

    I am running Malwarebytes Anti-Malware before Step 7 of rebooting. It has already discovered a few infected files. Note I ran Malware a number of times before your Step 1 and thought that I had cleaned the machine. Not a chance! Of course, I was not able to download the updates while cleaning in the Safe mode.

  9. Bruins37 says:

    Trying to get rid of this virus for someone…ended up doing system restore because MBAM didn’t find anything.

    That helped a bit, but I still had to unhide all of the files. Then there were Start Menu problems, etc.

    I updated MBAM on another machine and ran it on the bad computer. It found 2 files: a Trojan and a “Bad Proxy.”

    The docs, etc. are back, but I still can’t get online. Could this have something to do with the virus, or is this a different problem?

    The person I’m fixing it for swears the Internet WAS working fine prior to the problem, and it says the LAN connection is working, but I’m not sure.

    Anyone else encounter this?

  10. JP from Alabama says:

    This sticky spyware is easy to remove once you know what to look for. Do the following:

    Boot your computer into safe mode:

    Click START-RUN, type in MSCONFIG, click on the STARTUP tab… Clear anything out of STARTUP that is random (i.e. random letters or numbers).

    Now it’s time to unhide the folders off your drive. You will not have access to any programs until this is done. Open up MY COMPUTER. At the top of the Page click on Tools – Folder Options…Click on the View tab at the top. Click on Show Hidden Files and Folders…Uncheck Hide Extensions for Known File Types and Uncheck Hide Protected Operating System. Click APPLY and OK.

    You will now be able to see your hidden files and folders on the desktop. There will be a Windows Diagnostic icon on the desktop. Right click it and delete it.

    Now here is how to get your programs back on the menu. Click on My computer on the desktop. Click on the C: Drive. The folders will be translucent because they still have the hidden attribute on it. Right Click the Windows Folder – Left click on Properties – Click off the HIDDEN Option and click APPLY and OK. Do the same for all the other folders to include the PROGRAMS folder. You will now be able to see your programs once you apply this unchecking of the hidden attribute.

    Next. You’ll want to click on System Restore in the System Tools portion of your Programs. Click at least a checkpoint 3-5 days before you had the problem. Once the system is restored go back to the previous steps because the attributes for the hidden files will not go back to the steps.

    Download Malwarebytes and run in SAFE mode only after it has been updated.

    Go to C:\Documents and Settings\All Users. The spyware itself will be a registry icon that has a random number and alphanumeric characters to it. Right click it and delete. DO NOT double click it. There is also another file in there that has a number on it like 197348 etc. Delete that file also. Clear out your Recycle bin.

    One last thing. You need to Delete all the files you find in the C:\windows\prefetch folder.

    Good luck!

  11. Bruins37 says:

    The registry keys that are listed above…should those entries be deleted?
    Or are those ones that should be modified? If so, should they be modified from whatever they say TO what is listed, or vice versa?
    The people who make these viruses are so talented, yet waste it on dumb stuff like this.

  12. Josh says:

    Wow…this is a gnarly virus. Looks like they’ve improved the impossibility of removing it. They made it so that when you start services.msc, it reports an error, shuts down the services module, then restarts the system.

    I always tell my customers…don’t download ANY free virus protection programs except for windows defender (if you’re running anything below vista). Every single one of them, Kaspersky, AdAware, Spysweeper, Spybot S&D, AVG Free, etc., loads their software with their own nasty little viruses and spyware that jack up your system and consume valuable system resources.

    Stick with Windows Defender. I run it on all my customers systems as well as my own and have NEVER received a report of a virus returning, and my systems are virus free.

  13. Jim says:

    @ Josh — thanks for the tip about Windows Defender.

  14. Computer Guy says:

    When confronted with the problem of a virus returning after being removed you should turn off Windows System Restore and then scan and remove the virus/malware again. This time it should not come back. You can turn it back on after you run a scan again and find no virus/malware detected. Some of these intruders are written to use Windows System Restore to bring them back and then go out to the internet and get it started all over again.

  15. HDD virus says:

    My laptop is infected with this virus and I shut down my laptop. I can’t even start my laptop now. It will not even reboot into safe mode or safe mode with internet access. Any solution?
