How Did My Computer Become Infected with Windows Diagnostic malware?
More likely than not, you visited an infected web page and were then
infected with the trojan behind the rogue virus called Windows
Diagnostic. Virus writers are becoming experts in SEO (search engine
optimization) and are getting infected sites ranking very high in the
search engines. Although these sites only rank high for a short time,
they can do tremendous damage while they are showing up.
In this particular case, the computer I was cleaning up was infected
when its owner went to the following sites from a Google search.
http://www.discountesteelauder.co.cc/78ke
http://www.mainezoocoupons.co.cc/bi4k
Neither site is operational now, but they did show up in search results
and helped infect the computer with some nasty rogue malware called
Windows Diagnostic. This malware is virtually identical to a number of
other drive-utility-style scareware products such as Windows Repair,
Windows Scan, Windows Safe Mode, Windows Disk, and Windows Restore. It
shows a "PC Performance & Stability" report and scares you into
thinking your computer is about to crash unless you purchase the
product.
What Does Windows Diagnostic malware look like?
The Windows Diagnostic malware presents a "PC Performance &
Stability Report" when it pops up on your computer. This report shows
the same sorts of alerts that many rogue antivirus type programs show.
However, it takes things a step further. Instead of showing viruses,
trojans, and other malicious programs that have invaded your computer,
it tells you that your hard drive and computer are crashing with a
variety of messages such as:
"Hard Drive Failure The system has detected a problem with one or more
installed IDE / SATA hard disks. It is recommended that you restart the
system"
"System Error An error occurred while reading system files. Run a
system diagnostic utility to check your hard disk drive for errors"
"Critical Error Hard drive critical error. Run a system diagnostic
utility to check your hard disk drive for errors. Windows can't find
hard disk space. Hard drive error"
"Fix Disk Windows Diagnostic Diagnostics will scan the system to
identify performance problems. Start or Cancel"
"Windows Diagnostic Diagnostics Windows detected a hard disk error. A
problem with the hard drive sectors has been detected. It is
recommended to download the following sertified <sic>
software to fix the detected hard drive problems. Do you want to
download recommended software?"
"Requested registry access is not allowed. Registry defragmentation
required Read time of hard drive clusters less than 500 ms 32% of HDD
space is unreadable Bad sectors on hard drive or damaged file
allocation table GPU RAM temperature is critically high. Urgent RAM
memory optimization is required to prevent system crash Drive C
initializing error Ram Temperature is 83 C. Optimization is required
for normal operation. Hard drive doesn't respond to system commands
Data Safety Problem. System integrity is at risk. Registry Error -
Critical Error"
"Critical Error! Damaged hard drive clusters detected. Private data is
at risk"
"Critical Error Hard Drive not found. Missing hard drive"
"Critical Error RAM memory usage is critically high. RAM memory failure"
"Critical Error Windows can't find hard disk space. Hard drive error"
"Critical Error! Windows was unable to save all the data for the file
\System32\496A8300. The data has been lost. This error may be caused by
a failure of your computer hardware"
"Critical Error A critical error has occurred while indexing data
stored on hard drive. System restart required"
"System Restore The system has been restored after a critical error.
Data integrity and hard drive integrity verification required"
"Activation Reminder Windows Diagnostic Activation Advanced module
activation required to fix detected errors and performance issues.
Please purchase Advanced Module license to activate this software and
enable all features"
"Low Disk Space You are running very low disk space on Local Disk (C:)"
What Does the Windows Diagnostic malware do to your system?
First of all, this program disables Task Manager, which makes removing
the pest that much harder. Beyond popping up the annoying messages
virtually non-stop, it also does something even more devious: it sets
the hidden attribute on virtually every file on the hard drive, so the
desktop, Start Menu, Documents, etc. all show as blank. From a novice's
point of view, it appears the virus wiped all the information from the
hard drive. A very scary thought indeed.
Because of the widespread havoc this malware causes, there are many
steps involved in removing it.
First read this information on how to fix Task Manager and re-enable it.
Can I Remove Windows Diagnostic manually?
To try to remove the Windows Diagnostic malware manually you'll need to
complete the following tasks. However, if you delete the wrong item in
the registry it could render your computer unbootable. For this reason,
do not try to remove this malware manually unless you are experienced
in deleting files and removing items from the registry. In reality, it's
much easier to use a program such as Malwarebytes Anti-Malware to clean
the system. This is covered in my step-by-step procedure below.
Stop Windows Diagnostic processes:
[random name].exe
Disable Windows Diagnostic DLL files:
%AllUsersProfile%\Application Data\[random].dll
Delete Windows Diagnostic Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = "yes"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
Remove Windows Diagnostic files:
%AllUsersProfile%\Application Data\~[random]
%AllUsersProfile%\Application Data\~[random]
%AllUsersProfile%\Application Data\[random].dll
%AllUsersProfile%\Application Data\[random].exe
%AllUsersProfile%\Application Data\[random]
%AllUsersProfile%\Application Data\[random].exe
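The registry values listed above are what a defender actually wants to audit before and after cleanup, since each one weakens a Windows safety prompt (Task Manager, the download signature check, the bad-certificate warning, attachment zone marking). The PowerShell script below is an added example, not code from the original article or from any tool it mentions. It reads each listed HKCU value, flags the ones holding the value the malware sets, lists Run entries that launch from %AllUsersProfile%\Application Data (where the article's random-named .exe lives), and with -Restore puts the values back. It also decodes the LowRiskFileTypes string exactly as printed above: every character of that string is the plain extension list XOR-ed with 0x01 ("/" is ".", ":" is ";"), and the decoded list shows why the entry matters, because it marks .exe, .bat, .cmd, .scr and similar types as "low risk" so Windows stops prompting before opening them. The -Restore switch, the check table and the restore values (delete the policy values the malware added, CheckExeSignatures back to "yes", WarnonBadCertRecving back to 1) are this example's own assumptions about the Windows defaults; "Use FormSuggest" is reported only, since "yes" is also a normal user setting.

```powershell
# Added example (not from the original article): audit the HKCU values the
# article lists as set by Windows Diagnostic, decode the obfuscated
# LowRiskFileTypes string, and with -Restore put the values back.
# Run in the affected user's session; try "-Restore -WhatIf" first.
# Assumption: the restore actions below are the Windows defaults.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Restore)

# The LowRiskFileTypes value as printed in the article is the plain extension
# list with every character XOR-ed with 0x01 ('/' becomes '.', ':' becomes ';').
function ConvertFrom-XorObfuscated {
    param([Parameter(Mandatory = $true)][string]$Text, [int]$Key = 1)
    -join ($Text.ToCharArray() | ForEach-Object { [char]([int]$_ -bxor $Key) })
}

# String copied from the article (constructed input for the decoder).
$articleValue = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
Write-Host "LowRiskFileTypes from the article decodes to:"
Write-Host ("  " + (ConvertFrom-XorObfuscated $articleValue))

# Bad = value the malware sets ('*' = any value is suspicious, the policy key is
# normally absent). Fix = 'Remove', a replacement value, or $null (report only).
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';       Name = 'DisableTaskMgr';       Bad = '1';   Fix = 'Remove' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';  Name = 'SaveZoneInformation';  Bad = '1';   Fix = 'Remove' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes';     Bad = '*';   Fix = 'Remove' }
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download';                   Name = 'CheckExeSignatures';   Bad = 'no';  Fix = 'yes' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';     Name = 'WarnonBadCertRecving'; Bad = '0';   Fix = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                       Name = 'Use FormSuggest';      Bad = 'yes'; Fix = $null }
)

foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }                       # key or value absent: nothing to do
    $value = $item.($c.Name)
    $hit   = ($c.Bad -eq '*') -or ("$value" -eq $c.Bad)
    if (-not $hit) { Write-Host "ok       $($c.Name) = $value"; continue }
    Write-Warning "SUSPECT  $($c.Path)\$($c.Name) = $value"
    if ($c.Name -eq 'LowRiskFileTypes' -and "$value" -notmatch '\.') {
        Write-Warning ("         decoded: " + (ConvertFrom-XorObfuscated "$value"))
    }
    if (-not $Restore -or $null -eq $c.Fix) { continue }
    if ($PSCmdlet.ShouldProcess("$($c.Path)\$($c.Name)", 'restore default')) {
        if ("$($c.Fix)" -eq 'Remove') { Remove-ItemProperty -Path $c.Path -Name $c.Name }
        else                          { Set-ItemProperty    -Path $c.Path -Name $c.Name -Value $c.Fix }
    }
}

# Run-key entries: the article reports a random-named .exe launched from
# %AllUsersProfile%\Application Data; flag anything started from there.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$meta   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$run    = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $cmd = [string]$p.Value
        $fromAllUsers = ($cmd -like "$env:ALLUSERSPROFILE*") -or
                        ($cmd -like '*Application Data\*') -or ($cmd -like '*ProgramData\*')
        if ($fromAllUsers) { Write-Warning "SUSPECT Run entry '$($p.Name)' -> $cmd" }
        else               { Write-Host    "ok      Run entry '$($p.Name)' -> $cmd" }
    }
}
```

The Run-key check is only a heuristic: legitimate software can also start from ProgramData, so review each flagged entry against the random-character naming the article describes before unchecking it in MSCONFIG or removing it. The script changes nothing unless -Restore is given, and even then honours -WhatIf and -Confirm.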
Step by Step Procedure for Removing Windows Diagnostic malware
1) Restart your computer in Safe Mode (with Networking) by pressing F8
when the computer boots and selecting the appropriate option.
2) If the malware program appears to still pop up even in Safe Mode,
then follow these extra steps.
- Click on Start, Run and type MSCONFIG and Press Enter (For
Windows XP)
- Click the Start Orb and type MSCONFIG and Press Enter (For
Windows Vista and 7)
- In the System Configuration Utility, click on the Startup tab and
look for an entry that appears to be a randomly named .exe file. In my
case, the file was LoEwouCqpDax.exe. As you can see, the file name is
just a bunch of random characters and should be fairly easy to spot in
the Startup section.
- Once you've located this filename, uncheck it and click OK.
When the computer asks to restart, go ahead and restart in Safe Mode as
in Step 1.
3) Now that the computer is somewhat stable, open a web browser and
download Malwarebytes Anti-Malware from their site.
4) After Malwarebytes has downloaded, install it and try to update it.
On one occasion it was unable to update and I had to update it
manually. In order to update Malwarebytes manually, you'll need to
download the mbam-rules.exe file and run it.
5) Now run Malwarebytes Anti-Malware and remove any problems it finds.
6) After cleaning and rebooting the system, you may still be
experiencing a very annoying aspect of this trojan: it hides files over
the entire hard drive. Yes, you can simply go into Folder Options and
choose Show Hidden Files, but this also reveals system files and other
Windows files that should not be deleted. Keeping those important files
hidden means you aren't going to delete something you really need by
accident. So, how do we unhide the normal files but keep the system
files hidden? With a command prompt command!
To unhide files and folders that Windows Diagnostic and other programs hide
For Windows XP
1) Click on Start, Run
2) Type CMD and press Enter
3) At the command prompt type the following and press Enter
CD \
4) Now the command prompt should show the root folder of the hard
drive. Most likely C:\
5) At the command prompt type the following and press Enter
ATTRIB -H *.* /S /D
This command will unhide the files that are currently hidden. Because
the important system files have the System attribute set as well, and
ATTRIB refuses to clear the Hidden attribute of a file that is also
marked System unless you explicitly clear that attribute too, the above
command will skip them and they stay hidden from prying eyes.
This command will take some time, so don't be afraid if it takes
anywhere from a few minutes to half an hour to finish. What the command
does is simple. It removes the hidden attribute from all files on the
hard drive. The /S parameter tells it to process the current folder and
all subfolders, while the /D parameter processes the folders themselves as well.
6) Type Exit and press Enter when the procedure is complete. Then
reboot your computer
For Windows Vista/7
1) Click on Start, All Programs
2) Click Accessories and Find Command Prompt
3) Right click on the Command Prompt option and choose Run as
Administrator
4) At the command prompt type the following and press Enter
CD \
5) Now the command prompt should show the root folder of the hard
drive. Most likely C:\
6) At the command prompt type the following and press Enter
ATTRIB -H *.* /S /D
This command will unhide the files that are currently hidden. Because
the important system files have the System attribute set as well, and
ATTRIB refuses to clear the Hidden attribute of a file that is also
marked System unless you explicitly clear that attribute too, the above
command will skip them and they stay hidden from prying eyes.
This command will take some time, so don't be afraid if it takes
anywhere from a few minutes to half an hour to finish. What the command
does is simple. It removes the hidden attribute from all files on the
hard drive. The /S parameter tells it to process the current folder and
all subfolders, while the /D parameter processes the folders themselves as well.
7) Type Exit and press Enter when the procedure is complete. Then
reboot your computer
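For readers who want to see exactly what the ATTRIB command above does and does not touch, the PowerShell script below is an added example, not code from the original article. It walks the tree from the drive root like ATTRIB -H *.* /S /D, but makes the skip rule explicit: items carrying the System attribute are counted and left hidden, junctions and other reparse points are left alone, and everything else loses its Hidden attribute. Run it with -WhatIf first to preview the changes, and from an elevated prompt on Vista/7 as the article says. The -Root parameter and the counters are this example's own additions.

```powershell
# Added example (not from the original article): explicit PowerShell
# equivalent of "ATTRIB -H *.* /S /D" run from the drive root.
# Clears Hidden on files and folders that are hidden but NOT System, counts
# what it touched, and supports -WhatIf for a dry run.
# Assumption: process C:\ unless -Root says otherwise.
[CmdletBinding(SupportsShouldProcess = $true)]
param([string]$Root = 'C:\')

$hidden  = [int][System.IO.FileAttributes]::Hidden
$system  = [int][System.IO.FileAttributes]::System
$reparse = [int][System.IO.FileAttributes]::ReparsePoint
$stats   = @{ Unhidden = 0; SkippedSystem = 0; SkippedReparse = 0; Errors = 0 }

# -Force is what makes Get-ChildItem return hidden items at all;
# -Recurse walks subfolders like /S, and folders themselves are included like /D.
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $bits = [int]$_.Attributes
        if (($bits -band $hidden) -eq 0) { return }          # not hidden: leave alone
        if (($bits -band $system) -ne 0) {                   # hidden + System: what ATTRIB -H skips
            $stats.SkippedSystem++
            return
        }
        if (($bits -band $reparse) -ne 0) {                  # junctions/symlinks: do not touch
            $stats.SkippedReparse++
            return
        }
        $path = $_.FullName
        if ($PSCmdlet.ShouldProcess($path, 'clear Hidden attribute')) {
            try {
                $_.Attributes = [System.IO.FileAttributes]($bits -bxor $hidden)
                $stats.Unhidden++
            } catch {
                $stats.Errors++
                Write-Warning "Could not change ${path}: $($_.Exception.Message)"
            }
        }
    }

Write-Host ("Unhidden: {0}  Skipped (System): {1}  Skipped (reparse): {2}  Errors: {3}" -f `
    $stats.Unhidden, $stats.SkippedSystem, $stats.SkippedReparse, $stats.Errors)
```

The "Skipped (System)" count is the useful sanity check: after this malware it should be small (the real Windows system files), while "Unhidden" should be in the thousands, matching the desktop, Start Menu and Documents contents that came back. A large Errors count usually means the prompt was not elevated.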
Run a Thorough Virus Scan
Finally, as an extra precaution, scan your computer with an online virus
scanner such as Housecall, BitDefender, or eTrust, or download and
install an antivirus program and run a complete scan. A list of online
scanners is below; some, however, will only scan for problems and not
remove them.
Online Virus Checkers
Trend Micro Housecall - will scan and remove threats
BitDefender Scan Online - will scan and remove threats
ESET (NOD32) Online Scanner
Kaspersky Online Scan - will scan and remove threats
Panda ActiveScan - appears to only scan for but not remove threats
McAfee FreeScan - appears to only scan for but not remove threats
eTrust Antivirus Web Scanner - will scan and remove threats
Symantec Security Check - will scan and remove threats
Dr.Web Online Check - user can upload and test particular files for threats
Trojan Scanner
TrojanScan by WindowsSecurity.com
Spyware Scanners
Malwarebytes AntiMalware
Super AntiSpyware
Spybot Search and Destroy
Congratulations! Your computer should be free of the Windows Diagnostic,
Windows Restore, Windows Repair or other similarly named nasty.