8 Replies Latest reply on Mar 26, 2011 4:27 AM by Peacekeeper

    Windows Diagnostic Virus


      I have the "Windows Diagnostic" virus on my computer.  Any suggestions on how to remove it?

        • 1. Re: Windows Diagnostic Virus
          Jayadeep NR

          Windows Diagnostic creates the following files and folders


          %UserProfile%\Desktop\WindowsDiagnostic.lnk
          %UserProfile%\Start Menu\Programs\Windows Diagnostic\Windows Diagnostic.lnk
          %UserProfile%\Start Menu\Programs\Windows Diagnostic\Uninstall WindowsDiagnostic.lnk
          %CommonAppData%\{RANDOM}.exe
          %CommonAppData%\{RANDOM}
          %CommonAppData%\{RANDOM}.dat

           

          Note: %CommonAppData% is C:\Documents and Settings\All Users\Application Data (for Windows XP/2000) or C:\ProgramData (for Windows 7/Vista)

           

          Windows Diagnostic creates the following registry keys and values

           

          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run| {RANDOM}
          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}.exe

           


          Delete them manually and be careful while deleting the registry keys or you can run Anti-malwarebytes to remove it

           

          http://www.malwarebytes.org/mbam-download.php 
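
Added example (not part of the original reply, and not McAfee or Malwarebytes code): a read-only PowerShell check for the files and Run values listed above, useful before and after a cleanup pass. It assumes PowerShell is installed; because the {RANDOM} names cannot be matched literally, it lists candidates for manual review instead of deciding for you.

```powershell
# Added example: read-only report of the artifacts listed above. Deletes nothing.
$commonAppData = [Environment]::GetFolderPath('CommonApplicationData')  # %CommonAppData%
$desktop       = [Environment]::GetFolderPath('Desktop')
$programs      = [Environment]::GetFolderPath('Programs')  # per-user Start Menu\Programs

# 1. Fixed-name shortcuts from the post.
$shortcuts = @(
    (Join-Path $desktop  'WindowsDiagnostic.lnk'),
    (Join-Path $programs 'Windows Diagnostic\Windows Diagnostic.lnk'),
    (Join-Path $programs 'Windows Diagnostic\Uninstall WindowsDiagnostic.lnk')
)
foreach ($path in $shortcuts) {
    if (Test-Path -LiteralPath $path) { Write-Output "FOUND shortcut: $path" }
}

# 2. {RANDOM}.exe / {RANDOM}.dat / {RANDOM}: the names are random, so list every
#    .exe, .dat or extensionless file sitting directly in the folder root.
#    -Force includes hidden and system items. Legitimate files can show up here too.
Get-ChildItem -LiteralPath $commonAppData -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ('.exe', '.dat', '' -contains $_.Extension) } |
    ForEach-Object {
        Write-Output ("REVIEW file: {0}  (created {1})" -f $_.FullName, $_.CreationTime)
    }

# 3. HKCU Run values: print all of them and mark any whose data points into
#    %CommonAppData%, which is where the post says the executable is dropped.
$runKey = Get-Item -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
                   -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $data = [string]$runKey.GetValue($name)
        $hit  = $data.IndexOf($commonAppData, [StringComparison]::OrdinalIgnoreCase) -ge 0
        $tag  = if ($hit) { 'REVIEW' } else { 'INFO  ' }
        Write-Output ("{0} Run value: {1} = {2}" -f $tag, $name, $data)
    }
}
```
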

          • 2. Re: Windows Diagnostic Virus

            If you cannot delete the problem and Malwarebytes will not run, you can also try to download Rkill, developed by Lawrence Abrams. This program basically kills the malicious processes so you can run Malwarebytes. The link is below. Make sure you read the info first. http://www.bleepingcomputer.com/download/anti-virus/rkill

             

            After Rkill is done, run Malwarebytes, which you can download from the link posted by Jay.

            • 3. Re: Windows Diagnostic Virus

              Thanks all.  I used the Malware software and was able to remove the virus.  I then restored my computer to an earlier date and my background and most of my desktop icons came back.  However, my documents, some of my photos, my favorites, etc. are still missing.  I know they are still there because when I tried to put a particular icon back on my desktop, I was advised that I already had one there.  How can I make them re-appear?

              • 4. Re: Windows Diagnostic Virus
                Jayadeep NR

                Clyde,

                 

                Files may be hidden on your computer.

                Open Control Panel >> Folder Options >> View (tab) >> and select “Show hidden files, folders and drives”.

                Click apply and ok buttons. Check your documents and desktop.

                • 5. Re: Windows Diagnostic Virus

                  I got this virus Sunday night while I was uploading to YouTube. I couldn't log in until I connected to my YouTube account with Google (I didn't want to, so I searched the net to find some way around); somewhere I got the virus.

                   

                  Got the Win Diagnostic warning popup, thought for a while wondering if it was real, should have done research, didn't. I clicked fix error, it ran for a few, then I realized I messed up when McAfee popped up saying it found a trojan threat, BUT IT WAS TOO LATE. The virus had already planted itself before McAfee found it. Why didn't McAfee stop it before it infected my PC? Isn't that why I pay money for VP?

                   

                  Anyway, I did a McAfee scan, found nothing, did a Win Defender scan, found nothing. Ran safe mode and couldn't find anything either; I was actually in safe mode, not the fake safe mode from the infection. So I got my wife's laptop and found I had the virus Win Diagnostic. Again, why didn't McAfee stop it? I am up to date with Total Protection.

                   

                  Anyway, I found this post, downloaded Malwarebytes on my wife's laptop, loaded it on my PC and ran it. It found 8 infections, and when it was done it said the 2 in-memory infections weren't fixed. I clicked restart as it asked, and Win Defender blocked Malwarebytes from starting, so I clicked run Malwarebytes. Still don't know if it cleaned the 2 memory infections, so I ran it again and it didn't find anything. Ran McAfee and Win Defender again and they didn't find anything. So no idea if my PC is 100% cleaned of the infection.

                   

                  Went online to see if I could get my desktop icons and start menu and Win Explorer files/folders back, since some were missing. Found out they probably were hidden. Did a search and found a couple of sites that told me to go into the registry and add a "0" to a registry. The path they said to use was not there; I figured it was because it was for XP and I have Vista. Ran a search and couldn't find any registry path for Vista to unhide all file folders missing icons.

                   

                  I already knew how to unhide files/folders in Win Ex. I don't want to do that and leave it that way just to see my files/folders/icons, because then that opens up secure files/folders to any other virus that attaches. I did unhide them just to see if the missing files/folders were there; they were. I did go into properties on favorites and unchecked hidden on attributes; that fixed favorites, but it has not worked on anything else. I need to at least get the accessory and administrator folders back in the start menu on the desktop.

                   

                  I also just ran the fix hard drive errors program and it did not fix the hidden folder file desktop icon problem....Wonder if part of the infection is still on my PC. Next I may try system restore. I don't want to try the last good configuration from the F8 feature; it may not fix the problem and I may lose important data.

                   

                  I sell online, I need to get this fixed. Is there a way to find out 100% sure the virus infection is removed? I hate to input any personal data to my online selling site and have this infection get my passwords and hack my accounts. Especially my PayPal account.

                   

                  I have Dell Inspiron, IE7,Total protection,Vista

                   

                  Message was edited by: musky8it on 3/21/11 10:49:13 PM CDT
                  • 6. Re: Windows Diagnostic Virus
                    Peacekeeper

                    Not an expert re virus removal but have you checked if the above registry keys are gone? Also the bleeping computer site above has the steps to remove this. They suggest rkill and MWB but the manual removal path might point if you have anything there still.

                     

                    http://www.bleepingcomputer.com/virus-removal/remove-windows-diagnostic

                     

                    Also worth running Getsusp; it auto-sends suspect files to McAfee, and if you put in your email addy you will be kept informed.

                     

                    Download here the latest version https://community.mcafee.com/message/161182#161182

                    Before you use Getsusp, you should go to this document

                    https://community.mcafee.com/docs/DOC-1323

                    and download the PDF file explaining what Getsusp is and how it works, and this document

                    https://community.mcafee.com/docs/DOC-1761

                    which downloads the installation guide PDF document.

                    • 7. Re: Windows Diagnostic Virus

                      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run| {RANDOM}
                      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}.exe

                       

                      Those keys are not there, so maybe if they were there they were removed. The only keys I see in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run are default and sidebar.

                       

                      As for files and folders Win Diagnostic might have created, I looked in C:\ProgramData and didn't see anything posted in the top post. I didn't look in every subfolder, just C:\ProgramData. I do remember running a folder/file search for "Windows Diagnostic" in the C:\ drive after I ran Malwarebytes and found a couple. One I remember was WD uninstall, which I deleted; the other I can't remember, but it said Windows Diagnostic. I deleted it too.

                       

                      Just to be sure, I just ran 2 searches in folder C:\ProgramData. One search was for Windows Dia. and the other the word "randon"; the search came up with no results. So hopefully my PC is clean. Even if hidden, I think hidden files/folders show in a search, right????

                       

                      I also ran a search for Windows Diagnostic on Computer in Win. Ex. (every drive). The only things left that resembled Win Diagnostic were a folder and files named Modem Diagnostic Tool and x86 microsoft windows diagnostic schedule. Those are Windows tools, so I left them.

                       

                      As I said in my last post, after running Malwarebytes most of my desktop icons were gone (hidden), all saved favorites in the browser missing, a lot of folders in Win. Ex. missing, the start menu had all folders missing, other folders/files too. From a search I did find them hidden. I did go to desktop and favorites properties and unchecked hidden; the desktop icons and favorites showed, but the desktop icons were all lined up in a different order than I had them. So I ran a system restore back to 2 days before I got the virus.

                       

                      When system restore was done, the desktop icons were put back just like I had them and my start menu folders all came back. There were folders in Win. Ex. that were still hidden, like my pictures. I just went into pictures properties and unchecked hidden; that put them back up.

                       

                      So hopefully it's all removed. Hope so, don't want anything spying on me and acquiring my passwords to my bank, eBay, and PayPal accounts.

                       

                      One thing I would like to know is how could it get past McAfee? I was not downloading anything. This PC is strictly for business. I don't play games, music, etc. on it; I use my older PC for playing on the net.

                      • 8. Re: Windows Diagnostic Virus
                        Peacekeeper

                        As said not an expert but my thoughts are

                        1 Any1 else use this PC as

                        Windows Diagnostic is a rogue application. A rogue application tries to trick you by displaying false positive/misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

                         

                        You can get these by accessing sites. I nearly got a fake AV accessing a medical site, and clicking on no or the X top right seems to install it. One has to go to the task manager and end task the application/process, so it has been said.

                         

                        To ensure safety, download and run the Getsusp file I posted above. It connects to McAfee and sends suspect files to them. In preferences add your email info so they can contact you with evaluations.

                        If you think you have a virus infection on your PC do one or both of the following :

                         

                        - Run the free McAfee Stinger program from http://vil.nai.com/vil/stinger/ -

                        set it to Report Mode (in Preferences) and post the logs of anything it detects (set it to very high sensitivity).

                         

                        Download the latest version of Getsusp here https://community.mcafee.com/thread/32269