

How Did My Computer Become Infected with Windows Diagnostic malware?

More likely than not, you visited an infected web page and were then infected with the trojan behind the rogue virus called Windows Diagnostic. Virus writers are becoming experts in SEO (search engine optimization) and are getting infected sites ranking very high in the search engines. Although these sites only rank high for a short time, they can do tremendous damage while they are showing up.

In this particular case, the computer I was cleaning up was infected when its owner went to the following sites from a Google search.

http://www.discountesteelauder.co.cc/78ke
http://www.mainezoocoupons.co.cc/bi4k


Neither site is operational now, but they did show up in search results and helped infect the computer with some nasty rogue malware called Windows Diagnostic. This malware is virtually identical to a number of other drive utility type scareware products like Windows Repair, Windows Scan, Windows Safe Mode, Windows Disk, and Windows Restore. It shows a PC Performance & Stability report and scares you into thinking your computer is about to crash...unless you purchase the product.

What Does Windows Diagnostic malware look like?

Windows Diagnostic Malware - Rogue Antivirus

The Windows Diagnostic malware presents a "PC Performance & Stability Report" when it pops up on your computer. This report shows the same sorts of alerts that many rogue antivirus type programs show. However, it takes things a step further. Instead of showing viruses, trojans, and other malicious programs that have invaded your computer, it tells you that your hard drive and computer are crashing with a variety of messages such as:

"Hard Drive Failure The system has detected a problem with one or more installed IDE / SATA hard disks. It is recommended that you restart the system"
"System Error An error occurred while reading system files. Run a system diagnostic utility to check your hard disk drive for errors"
"Critical Error Hard drive critical error. Run a system diagnostic utility to check your hard disk drive for errors. Windows can't find hard disk space. Hard drive error"
"Fix Disk Windows Diagnostic Diagnostics will scan the system to identify performance problems. Start or Cancel"
"Windows Diagnostic Diagnostics Windows detected a hard disk error. A problem with the hard drive sectors has been detected. It is recommended to download the following sertified <sic> software to fix the detected hard drive problems. Do you want to download recommended software?"
"Requested registry access is not allowed. Registry defragmentation required Read time of hard drive clusters less than 500 ms 32% of HDD space is unreadable Bad sectors on hard drive or damaged file allocation table GPU RAM temperature is critically high. Urgent RAM memory optimization is required to prevent system crash Drive C initializing error Ram Temperature is 83 C. Optimization is required for normal operation. Hard drive doesn't respond to system commands Data Safety Problem. System integrity is at risk. Registry Error - Critical Error"
"Critical Error! Damaged hard drive clusters detected. Private data is at risk"
"Critical Error Hard Drive not found. Missing hard drive"
"Critical Error RAM memory usage is critically high. RAM memory failure"
"Critical Error Windows can't find hard disk space. Hard drive error"
"Critical Error! Windows was unable to save all the data for the file \System32\496A8300. The data has been lost. This error may be caused by a failure of your computer hardware"
"Critical Error A critical error has occurred while indexing data stored on hard drive. System restart required"
"System Restore The system has been restored after a critical error. Data integrity and hard drive integrity verification required"
"Activation Reminder Windows Diagnostic Activation Advanced module activation required to fix detected errors and performance issues. Please purchase Advanced Module license to activate this software and enable all features"
"Low Disk Space You are running very low disk space on Local Disk (C:)"

What Does the Windows Diagnostic malware do to your system?


First of all, this program disables Task Manager, which makes removing the pest that much harder. Beyond popping up the annoying messages virtually non-stop, it also does something even more devious: it sets the hidden attribute on virtually all files on the hard drive, so the Desktop, Start Menu, Documents, etc. show as blank. From a novice's point of view, it appears the virus wiped all the information from the hard drive. A very scary thought indeed.

Because of the widespread havoc this malware causes, there are many steps involved in removing it.

First read this information on how to fix Task Manager and re-enable it.

Can I Remove Windows Diagnostic manually?


To try to remove the Windows Diagnostic malware manually you'll need to complete the following tasks. However, if you delete the wrong item in the registry it could render your computer unbootable. For this reason, do not try to remove this malware manually unless you are experienced in deleting files and removing items from the registry. In reality, it's much easier to use a program such as Malwarebytes Anti-Malware to clean the system. This is covered in my step-by-step procedure below.

Stop Windows Diagnostic processes:
 [random name].exe
 
Disable Windows Diagnostic DLL files:
 %AllUsersProfile%\Application Data\[random].dll
 
Delete Windows Diagnostic Registry Entries:
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe"
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
 
Remove Windows Diagnostic files:
 %AllUsersProfile%\Application Data\~[random]
 %AllUsersProfile%\Application Data\~[random]
 %AllUsersProfile%\Application Data\[random].dll
 %AllUsersProfile%\Application Data\[random].exe
 %AllUsersProfile%\Application Data\[random]
 %AllUsersProfile%\Application Data\[random].exe
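The registry entries listed above are the real damage of this infection: they turn off Task Manager, suppress Internet Explorer's signature and certificate warnings, and mark a long list of file types as "low risk" so the attachment-execution prompt never appears. The LowRiskFileTypes string looks like gibberish only because every character has been obfuscated by flipping its lowest bit (XOR 1): decoded, it is a plain list of extensions including .exe, .scr, .bat and .cmd. The script below is an added example written for this page, not code from the post or from any tool it mentions. It decodes that string and audits a snapshot of the six values against what a clean system should have; the snapshot is constructed from the values in the list above, and on Windows the read_live_snapshot() helper reads the same values from HKCU with the standard winreg module.

```python
"""Audit the HKCU values the Windows Diagnostic rogue is described as setting.

Added example for this page. The encoded LowRiskFileTypes value is copied from
the removal list; the per-character XOR-1 decoding is the mapping that turns
it back into ordinary extensions.
"""
import os
from typing import Callable, Dict, List, Optional, Tuple

ValueKey = Tuple[str, str]          # (subkey under HKCU, value name)
Snapshot = Dict[ValueKey, Optional[str]]   # None = value not present

# Extensions that should never be marked low risk (they execute or change config)
EXEC_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".msi", ".reg"}

# Copied verbatim from the page's list of registry entries.
PAGE_LOWRISK_VALUE = "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"


def decode_lowrisk(encoded: str) -> List[str]:
    """Undo the one-bit obfuscation (chr(ord(c) ^ 1)) and split on ';'."""
    plain = "".join(chr(ord(c) ^ 1) for c in encoded)
    return [ext for ext in plain.split(";") if ext]


def lowrisk_allows_executables(value: str) -> bool:
    """True if the decoded list lets executable types bypass the attachment prompt."""
    return bool(EXEC_EXTS.intersection(e.lower() for e in decode_lowrisk(value)))


# (value key, predicate that is True when the value is in the rogue's state, explanation)
CHECKS: List[Tuple[ValueKey, Callable[[str], bool], str]] = [
    ((r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
     lambda v: v.strip() == "1", "Task Manager disabled by policy"),
    ((r"Software\Microsoft\Internet Explorer\Download", "CheckExeSignatures"),
     lambda v: v.strip().lower() == "no", "IE no longer checks signatures on downloaded executables"),
    ((r"Software\Microsoft\Windows\CurrentVersion\Internet Settings", "WarnonBadCertRecving"),
     lambda v: v.strip() == "0", "warning for bad server certificates suppressed"),
    ((r"Software\Microsoft\Windows\CurrentVersion\Policies\Attachments", "SaveZoneInformation"),
     lambda v: v.strip() == "1", "zone (mark-of-the-web) information no longer saved on downloads"),
    ((r"Software\Microsoft\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes"),
     lowrisk_allows_executables, "executable file types marked low risk (no open-file prompt)"),
    ((r"Software\Microsoft\Internet Explorer\Main", "Use FormSuggest"),
     lambda v: v.strip().lower() == "yes", "form autocomplete forced on (listed by the post as a rogue change)"),
]


def audit(snapshot: Snapshot) -> List[str]:
    """Return one finding per value that is in the state the rogue leaves behind."""
    findings = []
    for (subkey, name), is_rogue_state, why in CHECKS:
        value = snapshot.get((subkey, name))
        if value is not None and is_rogue_state(value):
            findings.append(f"HKCU\\{subkey}\\{name} = {value!r}: {why}")
    return findings


def read_live_snapshot() -> Snapshot:
    """Read the checked values from the live HKCU hive (Windows only; empty elsewhere)."""
    snap: Snapshot = {}
    if os.name != "nt":
        return snap
    import winreg  # only importable on Windows
    for (subkey, name), _, _ in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                value, _type = winreg.QueryValueEx(key, name)
                snap[(subkey, name)] = str(value)
        except OSError:           # key or value absent: that is the clean state
            snap[(subkey, name)] = None
    return snap


# Constructed snapshot reproducing the values from the removal list above.
INFECTED_SNAPSHOT: Snapshot = {key: None for key, _, _ in CHECKS}
INFECTED_SNAPSHOT.update({
    CHECKS[0][0]: "1",
    CHECKS[1][0]: "no",
    CHECKS[2][0]: "0",
    CHECKS[3][0]: "1",
    CHECKS[4][0]: PAGE_LOWRISK_VALUE,
    CHECKS[5][0]: "yes",
})

# Constructed snapshot of a machine where none of the values exist.
CLEAN_SNAPSHOT: Snapshot = {key: None for key, _, _ in CHECKS}

if __name__ == "__main__":
    print("Decoded LowRiskFileTypes:", " ".join(decode_lowrisk(PAGE_LOWRISK_VALUE)))
    live = read_live_snapshot() or INFECTED_SNAPSHOT
    for line in audit(live):
        print(line)
```

Run it on the infected machine (after Task Manager is back) to confirm which of the six changes are still in place; each finding names the exact key and value so it can be removed with regedit or, on a clean machine, verified absent. Deleting the value is the safe fix for the policy entries; the IE settings can simply be set back to "yes" and "1".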

Step by Step Procedure for Removing Windows Diagnostic malware


1) Restart Your Computer in Safe Mode (with Networking) by pressing F8 when the computer boots and selecting the appropriate option.

2) If the malware program appears to still pop up even in Safe Mode, then follow these extra steps.

  • Click on Start, Run and type MSCONFIG and Press Enter (For Windows XP)
  • Click the Start Orb and type MSCONFIG and Press Enter (For Windows Vista and 7)
  • In the System Configuration Utility, click on the Startup tab and look for an entry that appears to be a random character named .exe file. In my case, the file was LoEwouCqpDax.exe. As you can see the file name is just a bunch of random characters and should be fairly easy to spot in the Startup section.
  • Once you've located this filename, uncheck it and click Ok. When the computer asks to restart, go ahead and restart in Safe Mode as in Step 1.

3) Now that the computer is somewhat stable, open a web browser and download Malwarebytes Anti-Malware from their site

4) After Malwarebytes has downloaded, install it and try to update it. On one particular occasion, it was unable to update and I had to update it manually. In order to update Malwarebytes manually, you'll need to download the mbam-rules.exe file and run it.

5) Now proceed to run Malwarebytes Anti-Malware and remove any problems it finds.

6) After cleaning and rebooting the system, you may still be experiencing a very annoying aspect of this trojan. It hides files over the entire hard drive. Yes, you can simply go into the system and Show Hidden Files, but this also shows system files and other Windows files that should not be deleted. Keeping those important files hidden means you aren't going to delete something you really need by accident. So, how do we unhide the normal files but keep the system files hidden? With a command prompt command!

To Unhide files and folders that Windows Diagnostic and other programs hide


For Windows XP

1) Click on Start, Run
2) Type CMD and press Enter
3) At the command prompt type the following and press Enter

CD \

4) Now the command prompt should show the root folder of the hard drive. Most likely C:\
5) At the command prompt type the following and press Enter

ATTRIB -H *.* /S /D

This command will unhide the files that are currently hidden. Because the important system files have the system attribute attached to them as well, the above command will refuse to change them, so they are skipped and kept hidden from prying eyes.

This command will take some time, so don't be afraid if it takes anywhere from a few minutes to half an hour to finish. What the command does is simple. It removes the hidden attribute from all files on the hard drive. The /S parameter tells it to search the current folder and all subfolders, while the /D parameter processes the folders as well.

6) Type Exit and press Enter when the procedure is complete. Then reboot your computer

For Windows Vista/7

1) Click on Start, All Programs
2) Click Accessories and Find Command Prompt
3) Right click on the Command Prompt option and choose Run as Administrator
4) At the command prompt type the following and press Enter

CD \

5) Now the command prompt should show the root folder of the hard drive. Most likely C:\
6) At the command prompt type the following and press Enter

ATTRIB -H *.* /S /D

This command will unhide the files that are currently hidden. Because the important system files have the system attribute attached to them as well, the above command will refuse to change them, so they are skipped and kept hidden from prying eyes.

This command will take some time, so don't be afraid if it takes anywhere from a few minutes to half an hour to finish. What the command does is simple. It removes the hidden attribute from all files on the hard drive. The /S parameter tells it to search the current folder and all subfolders, while the /D parameter processes the folders as well.

7) Type Exit and press Enter when the procedure is complete. Then reboot your computer

Run a Thorough Virus Scan


Finally, as an extra precaution, scan your computer with an online virus scanner like Housecall, BitDefender, or eTrust, or download and install an antivirus program and run a complete scan. A list of online scanners is below; some, however, will only scan for threats but not remove them.
 

Online Virus Checkers
Trend Micro Housecall - will scan and remove threats
BitDefender Scan Online - will scan and remove threats
ESet (NOD32) Online Scanner
Kaspersky Online Scan - will scan and remove threats
Panda Activescan - appears to only scan for but not remove threats
McAfee FreeScan - appears to only scan for but not remove threats
eTrust Antivirus Web Scanner - will scan and remove threats
Symantec Security Check - will scan and remove threats
Dr.Web Online Check - user can upload and test for threats on particular files

Trojan Scanner
TrojanScan by WindowsSecurity.com

Spyware Scanners
Malwarebytes AntiMalware
Super AntiSpyware
Spybot Search and Destroy


Congratulations! Your computer should be free of the Windows Diagnostic, Windows Restore, Windows Repair or other similar named nasty.
