Windows Diagnostic Virus Removal

Mags (asker):

OK...how do I get rid of the "Windows Diagnostic" Virus???  Could run no malware scans, in normal or safe mode.  Pulled the drive and Stopzilla got rid of several.  Computer is so messed up...don't know if I can see no programs because of the virus or they are gone.  No desktop either, will not allow access to a flash drive.
Attachment: SZEventLog.txt
quinks:

Put the HDD into another computer temporarily, then copy this onto it, or do so using a bootable Linux distro:

ComboFix, then SmitFraudFix, but rename the EXEs before running them. Afterwards, install Malwarebytes' software.

If all this fails, do a repair install, if that fails a clean install.
Mags (asker):
Can I attach via USB...it is a laptop.
Nope, you'd have to take the disk out - sorry. It looks like either Safe Mode, or a bootable Windows or Linux CD/DVD are required here.
Mags (asker):
I have it taken out...I was going to attach it to another computer.
Mags (asker):
Doing a Malwarebytes scan...need to head to bed and restart in the morning.

Thanks for your assistance...I will check back bright and early.
Run msconfig and try to restore to an earlier point, from before you noticed the problems.

Cheers
phototropic (asker-certified solution; content not available on this page)
@camacho_marco,

How can you "...restore to an early point.... " via msconfig?
@thesslstore - Have you used that to correct any malware? It looks to me like just another free-to-scan, pay-to-fix scam.
Mags (asker):
Hitman Pro found plenty when the drive was in her computer but could not delete...I went as far as purchasing (I have used it before on her machine and her subscription expired); since they have gotten me out of so much trouble in the past I don't mind supporting them.  However, the activation code won't stick when added.  Is there a way to run it hooked up to another machine?  Looks like it will only scan the primary drive.

phototropic: Which of the programs you have mentioned can be run with the drive externally hooked up to another computer?  Ran Malwarebytes on her partitions and it found nothing!  If they can be run with her drive in her computer (it does boot into Windows), how can I fool the virus into letting them run?  Will running from a flash drive via a command prompt be an option?  I have never done that before.

Hi thesslstore, we have worked together before!  I ran STOPzilla, paid $9.95 (which I will ask to have refunded), and it did not get rid of the virus as promised.  As edbedb asked, have you used this program before to actually fix scams?
Mags (asker):
Can I run Combofix with the hard drive hooked up to another machine or do I need to reinstall and run?
Hi,

  If you have Vista follow this link

http://pcsupport.about.com/od/fixtheproblem/ht/system-restore-vista.htm

If you have XP follow this one.

http://www.tech-recipes.com/rx/1729/xp_how_to_restore_point/

Let us know how you do...

Cheers
(solution post; content not available on this page)
Mags (asker):
phototropic:  I just ran Hitman...may or may not repair, but it is showing Rogue Killer, which I downloaded from above and which is on my flash drive (her computer will now access it), as a Trojan!!  Help!!  What do you think?

I will try rkill now.  Thanks
Mags (asker):
phototropic: Things are looking better...I cannot disable virus protection to run Combofix since I cannot see any programs etc...what am I to do??  Should I run it anyway??  I'll run Rogue Killer while I wait...hopefully it is not a trojan!!
(solution post; content not available on this page)
younghv (solution post; content not available on this page)
phototropic already mentioned every tool in the link below and I am only posting this link to support his suggestion (in other words, no points for this post).

Detailed instructions for this variant can be found here:
http://www.bleepingcomputer.com/virus-removal/remove-windows-diagnostic
Mags (asker):
Thanks everyone, younghv: very astute suggestions...thanks for reading the posts.  I will continue in the morning...MST, as this is not the only infected computer I am dealing with and I am exhausted!  Again...I truly appreciate all your help!!
Mags (asker):
I cannot delete or reinstall Malwarebytes...help please!
MagsMcKinley14,

What actions are you actually trying to take and what are the results?

Keep in mind that you need to use explicit phrases to help us understand what you are seeing on your screen.
"...I can not delete or reinstall Malwarebytes..."

Why do you need to delete it?

Did you run rkill?  Did you run Rogue Killer?

Have you run TDSSKiller?  How about Hitman Pro?

Mbam should address your problem.  Will it run?

If any of the above have been run, please post the results here.
Mags (asker):
Just fooled...I hope...the computer into running Malwarebytes.  It would not download, so when I was reinstalling it I simply renamed it.  Keeping my fingers crossed...it is running now.

Ran rkill, TDSSKiller, Rogue Killer (which really helped; the desktop and programs reappeared), but I still can't see the programs when I look in the C: drive and open Program Files, except the Malwarebytes file that I loaded under a different name.

Hitman Pro is a different story...it runs, but even when I enter the activation code and it says it is activated, it will not finish running.  Got rid of the viruses it was finding with the other programs.


Attachments: rkill.log, TDSSKiller.2.4.21.0-22.03.2011-1.txt, QuarantineReport.txt
Mags (asker):
Does anyone know anything about Dial-a-fix?  It did an amazing job repairing a computer that was badly infected with a Bootkit.TDSS virus amongst others.  Should I consider using it on this computer?
I got to tell you. If the Program Files directory is empty, I wouldn't expect that anything is going to repair this system other than a clean re-installation.
Mags (asker):
But the program files are there and the programs run...many things looked like they were gone until I started having luck with running programs...especially after I ran Rogue Killer.  When I check "show hidden files" they appear in C:/Program Files as hidden files.  Her desktop and other files which were hidden are not now.
So the computer is working properly now except that the program folders in the Program Files directory are hidden?
Mags (asker):
No hardly...there is still something causing virus scans not to work properly without fooling it...Malwarebytes is running and has found 2 problems so far.
If Malwarebytes doesn't do it, then I think it's time to give ComboFix a try. Please follow the instructions carefully and include the ComboFix log in your next post.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix 

See if you can use this AVG clean-up tool to remove AVG
http://www.avg.com/us-en/download-tools
Mags (asker):
I am confused as to why you want AVG cleaned up...it is not her protection.  Currently she has MSE, which is not showing up except that Combofix sees it, and Trend Micro Client/Server Security Agent.  Yes, I know there should only be one virus program securing her system...which would you choose???
(solution post; content not available on this page)
If the infection is still there, make sure you update MBAM before running a quick scan.

"Her desktop and other files which were hidden are not now. "

Sorry I'm behind, so files are not hidden now? then just a good scan needs to be done?
"I am confused as to why you want AVG Cleaned up"

Sorry, I have been monitoring this question from the beginning and I thought I read that AVG was installed.
Mags (asker):
Making progress...great help...thanks everyone.
rpggamergirl: Thanks for your assistance...I knew how to show hidden folders, but great tip about unchecking the box...have no idea why they were all hidden.

Error message while scanning with SUPERAntiSpyware..."Cannot create file "C:\ProgramData\Skype\Plugins\pxml.xml"  Access denied."  May just be the virus removal.  In removing viruses from another computer an Experts Exchange Expert mentioned that Skype users were prone to a recent deluge of fake AV.  Can I update Skype without her losing any of her information?
Mags,
SAS is nowhere in the list of tools you need to fix this.
I gave you a specific link to the instructions that will fix this for you.

I had a computer with a "Windows Diagnostic" infection today and it was in and out in less than an hour.

ComboFix is a great tool, but (IMO) not needed for this problem.
Mags (asker):
Yes, I just got done running it and it found viruses.  I am now running Malwarebytes.  Thanks younghv: for the reminder post...it was on my list!
I have seen all types of fake security malware but I have never seen one to change the file attributes. I think she might have something more serious going on there.
edbedb,
Please feel free to read the instructions at the link I posted.
That is exactly one of the symptoms of this malware.

"To further make it seem like your computer is not operating correctly, Windows Diagnostic will also make it so that certain folders on your computer display no contents."

http://www.bleepingcomputer.com/virus-removal/remove-windows-diagnostic

This is really not a very serious malware variant and no need for any kind of exotic tools.
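Added example, not part of younghv's post or the linked guide: a Windows PowerShell script that does, with a dry run first, what the asker did by hand for the hidden program folders and desktop items, finding every file or folder under the chosen roots that carries only the Hidden attribute and clearing it. It assumes an elevated Windows PowerShell prompt on the infected machine (or the roots pointed at an externally attached disk, e.g. E:\Users); the default root list, the exclusions and the -Apply switch are this example's choices, not something the thread prescribes.

```powershell
# Added example (not from the thread): find, and optionally clear, the Hidden
# attribute that the "Windows Diagnostic" rogue sets on ordinary files and
# folders. Assumptions: elevated Windows PowerShell; $Roots defaults are this
# example's choice (point them at an attached disk, e.g. 'E:\Users', when the
# drive is in another machine); nothing is changed unless -Apply is given.
param(
    [string[]]$Roots = @("$env:ProgramFiles", "$env:USERPROFILE"),
    [switch]$Apply
)

$Hidden       = [int][IO.FileAttributes]::Hidden        # 0x2
$System       = [int][IO.FileAttributes]::System        # 0x4
$ReparsePoint = [int][IO.FileAttributes]::ReparsePoint  # 0x400 (junctions/symlinks)

# Names Windows hides on purpose with the Hidden attribute alone.
$alwaysHidden = @('desktop.ini', 'AppData', 'thumbs.db')

foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Force -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
          $attr = [int]$_.Attributes
          # Windows marks its own hidden objects (NTUSER.DAT, the legacy
          # "Application Data" junctions) Hidden+System; the rogue sets plain
          # Hidden. Touch only plain-Hidden, non-reparse-point items so the
          # system's legitimately hidden objects stay as they are.
          $plainHidden = ($attr -band $Hidden) -and
                         -not ($attr -band $System) -and
                         -not ($attr -band $ReparsePoint) -and
                         ($alwaysHidden -notcontains $_.Name)
          if (-not $plainHidden) { return }

          if ($Apply) {
              $_.Attributes = [IO.FileAttributes]($attr -band (-bnot $Hidden))
              "unhid:        $($_.FullName)"
          } else {
              "would unhide: $($_.FullName)"
          }
      }
}
```

Run it once without -Apply and read the list; anything you do not recognise as the user's own file or a normal program folder is worth checking before it is unhidden, since a dropper can sit among the items the rogue hid. From a plain command prompt, attrib -h with /s /d does the bulk of the same job for one folder tree; the script adds the dry run and the reparse-point exclusion.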
@younghv - I stand corrected. I have been monitoring this question and I only check links that I suspect might be bad advice like the one earlier by thesslstore. I don't worry about yours so I did not see that.
"...This is really not a very serious malware variant and no need for any kind of exotic tools..."

That is what is so puzzling.  Initially, the problem was that no tools would run.  After some initial confusion, Rogue Killer and Rkill fixed that up.  But now, after running TDSSKiller, Hitman Pro, Mbam, and (apparently) SAS, the infection remains.

MagsMcKinley14,

Please could you post the most recent Mbam scan log.  Thanks.
np - :)
I find that 'Grinler' is almost as good as our own 'rpg'.
Mags (asker):
Ran SAS, eliminated viruses (will attach log next post), Mbam found no viruses, ran rkill, running SAS again.
Mags (asker):
ok...here are some scans...cross your fingers...I think I've slayed the dragon...with your help!!
Attachments: mbam-log-2011-03-25--18-34-59-.txt, SUPERAntiSpyware-Scan-Log---03-2.log
(solution post; content not available on this page)
(solution post; content not available on this page)
Mags (asker):
OK...I deleted an old Trend product and MSE which do not show up as protecting her computer any longer.  It was so strange that MSE would show up as running but I could never find it.  MSE will also not reload due to an error so I loaded Avast Free in the meantime, ran a scan that came out clean.

What do you think is the best free anti-virus out there right now?

Do I need to activate rkill before each scan??

I unhid all folders that should be showing...thanks for the tip.

I cannot set up remote access with GoToAssist...it bumps me off.  Reinstalled Java, deleting all old versions, and updated IE.  Got the error message "Installer: Wrapper.CreateFile failed with error5: Access is denied."  Java verified that the correct version is installed.  GoToAssist still won't work.

Other than that it seems to be working fine.  What do you think??

(solution post; content not available on this page)
>>"OK...I deleted an old Trend product and MSE which do not show up as protecting her computer any longer.  It was so strange that MSE would show up as running but I could never find it"<<<

With regards to MSE still showing up as running:
That's because even though it's been uninstalled, the corresponding info is still present in the root\securitycenter WMI namespace and that's where ComboFix gets its info from. The offending program, in this case Microsoft Security Essentials' entry needs to be deleted from there either by using ComboFix script or by wbemtest.exe


Click on Start menu > Run > type in:

wbemtest

Click OK

Connect to root\SecurityCenter

You would need to change the root\default to root\securitycenter
Click on "Query" tab
Type in SELECT * FROM AntivirusProduct (If it's an AV entry you're trying to remove)

Click on Apply

In the Query result window, highlight the offending antivirus and click Delete.

Check my article with screenshots how to remove an entry:
https://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2088-Can't-Install-an-Antivirus-Windows-Security-Center-still-detects-previous-AV.html
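Added example, not part of rpggamergirl's post or the linked article: the same query-and-delete that the wbemtest steps above perform, scripted in Windows PowerShell with Get-WmiObject and Remove-WmiObject. It assumes an elevated prompt on the affected machine. It checks both root\SecurityCenter (the namespace XP uses) and root\SecurityCenter2 (the one Vista and later use, and this laptop runs Vista), because an orphaned registration can sit in either; the product name to remove is a parameter and defaults to the MSE entry discussed above.

```powershell
# Added example (not from the thread): list the antivirus products registered
# with Windows Security Center and remove one stale entry. Assumptions:
# elevated Windows PowerShell; XP registers under root\SecurityCenter, Vista
# and later under root\SecurityCenter2, so both are checked; the name of the
# uninstalled product is a parameter (MSE is the case in the thread).
param(
    [string]$DisplayName = 'Microsoft Security Essentials',
    [switch]$Remove
)

$namespaces = @('root\SecurityCenter', 'root\SecurityCenter2')

foreach ($ns in $namespaces) {
    # Same as wbemtest: connect to the namespace and run
    # SELECT * FROM AntivirusProduct.
    $products = Get-WmiObject -Namespace $ns -Class AntivirusProduct -ErrorAction SilentlyContinue
    if (-not $products) { "$ns : no AntivirusProduct instances"; continue }

    foreach ($p in $products) {
        # SecurityCenter2 exposes pathToSignedProductExe and productState;
        # the XP namespace may not carry a path, so it can come back empty.
        "$ns : $($p.displayName)  exe=$($p.pathToSignedProductExe)  state=$($p.productState)"

        if (-not $Remove -or $p.displayName -ne $DisplayName) { continue }

        # Only delete a registration whose product is really gone: a running
        # AV re-registers itself at next start, so deleting its entry gains
        # nothing and briefly leaves Security Center reporting no protection.
        if ($p.pathToSignedProductExe -and (Test-Path -LiteralPath $p.pathToSignedProductExe)) {
            "skipping $($p.displayName): $($p.pathToSignedProductExe) still exists on disk"
            continue
        }
        $p | Remove-WmiObject
        "removed stale entry for $($p.displayName) from $ns"
    }
}
```

Run it without -Remove first to see what is registered, then with -Remove once you have confirmed the product's files are gone. On PowerShell 7, where the WMI cmdlets are absent, Get-CimInstance and Remove-CimInstance with the same -Namespace and -ClassName do the same job.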
Mags (asker):
optoma: Hi Vic,
Could you run Autoruns (don't make any changes within Autoruns)?
Autoruns http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Within Autoruns, select the File tab and select Save (Ctrl+S).
Right-click autoruns.arn and rename it to autoruns.txt to attach here.

Also run process explorer and get a screenshot of the entire processes running
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx 
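Added example, not part of the post above or of the Sysinternals tools it links: a Windows PowerShell script that produces the same autostart inventory with autorunsc.exe, the console version of Autoruns, and then does the first pass of triage a reviewer of the attached AutoRuns.txt would do by eye. It assumes an elevated prompt, that autorunsc.exe is at the path given as a parameter, and that the CSV column names used (Signer, Image Path, SHA-256) are the ones autorunsc writes when run with -s and -h; if a column comes back empty, check the header row of the export. The list of "suspicious locations" is this example's choice.

```powershell
# Added example (not from the thread): export autostart entries with
# autorunsc.exe and flag the ones worth a manual look. Assumptions: elevated
# Windows PowerShell; autorunsc.exe path is a parameter; the flags are the
# tool's documented ones (-a * all categories, -c CSV, -h file hashes,
# -s verify signatures, -m hide verified-Microsoft entries); the column names
# are those of the tool's CSV output; the path patterns are this example's.
param(
    [string]$Autorunsc = '.\autorunsc.exe',
    [string]$Csv       = (Join-Path $env:TEMP 'autoruns.csv')
)

# Redirect through cmd so the bytes land in the file exactly as autorunsc
# writes them; Import-Csv then takes the encoding from the BOM, if any.
cmd /c "`"$Autorunsc`" -accepteula -nobanner -a * -c -h -s -m > `"$Csv`""
if (-not (Test-Path -LiteralPath $Csv) -or (Get-Item -LiteralPath $Csv).Length -eq 0) {
    throw "autorunsc produced no output at $Csv"
}

$entries = Import-Csv -LiteralPath $Csv

# User-writable places a legitimate autostart rarely lives in, and where the
# rogue-AV droppers of this era usually put their executable.
$suspiciousLocation = '\\Temp\\|\\ProgramData\\[^\\]+\.exe$|\\AppData\\Roaming\\[^\\]+\.exe$|' +
                      '\\Users\\[^\\]+\\[^\\]+\.exe$|\$Recycle\.Bin'

$flagged = $entries | Where-Object {
    $_.'Image Path' -and (
        $_.Signer -notlike '(Verified)*' -or          # unsigned, or signature check failed
        $_.'Image Path' -match $suspiciousLocation -or
        $_.'Image Path' -like 'File not found*'      # orphaned entry, file already removed
    )
}

# Review these by hand; the SHA-256 lets you look a file up before deleting anything.
$flagged |
    Select-Object 'Entry Location', Entry, Signer, 'Image Path', 'SHA-256' |
    Sort-Object 'Entry Location' |
    Format-Table -AutoSize -Wrap
```

An unsigned entry is not proof of malware (plenty of small legitimate tools are unsigned), but an unsigned executable launched from Temp, ProgramData or the root of the profile is exactly what this family of rogues looks like in Autoruns, and an orphaned "File not found" entry is residue that a cleanup tool left behind and can be removed.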
Mags (asker):
rpggamergirl:  Above link was sent prematurely.  I followed the above from your link.  Attached are my results.

I apologize if I was not clear...MSE does not show up on my computer...I ran wbemtest to be sure.

phototropic: I am running the online scanner...so far it has come up with 1 threat "Win32/PrcView application"
Mags -
Did you post in the wrong question?

For the record, my name is "Vic", but please don't confuse me with that other name you have posted.
Mags (asker):
Hey Vic...Sorry for the confusion...question posed in ID: 35234034 was sent prematurely.  Included it to let rpggamergirl: know what I had done.  This was a post from her article above in ID: 35230667.

rpggamergirl:  Sorry I forgot to attach the files...Autoruns and Process Explorer
Attachments: AutoRuns.txt, Process-Explorer-page-1.jpg, Process-Explorer-page-2.jpg, Process-Explorer-page-3.jpg
Mags (asker):
phototropic: Here is the log from the Eset scan...Looks like it found another program it thought was a virus - MGTools.  Looks like she is clean...

If she is now running Avast I assume Windows Defender should not be running...correct?

Still having issues with GoToAssist...may have to forget about it.
Attachment: Eset-Online-Scanner-Log.txt
MGTools is not software that I have any experience with. However, it seems to crop up as a false positive a lot:

http://forum.kaspersky.com/index.php?showtopic=123143
http://forums.majorgeeks.com/showthread.php?t=160902

So, if that is all the eset scan found, then I think we can give your pc a clean bill of health.

How is it running now?
It's because of the "process.exe" that MGTools uses.... which is a legit file used by many legit tools to stop system processes.

An antivirus can't distinguish between "good" and "malicious" use of such file that's why it flags it as bad.
Mags (asker):
Thanks everyone...Running well...trying to reload GoToAssist after speaking with the Tech dept...will close session tonight.
Mags (asker):
HELP!!!

Thought I was good to go...Scans coming clean until...
Avast asked if I wanted to run a boot-time scan so I did.  Woke up this morning with 2 virus detections and some corrupt files.
Java:Agent-DR
Java:Agent-DU
Deleted both...not surprised, since it has been Java that has not allowed me to run my remote access software GoToAssist.

Should I delete Java and then go into the registry, search and delete all Java entries?

Then when I logged on I got a message:  Windows Activation - Activation was successful, saying that Windows Vista is genuine, BUT after I closed that window, in the lower right corner it says, "Windows Vista (TM), Build 6002, This copy of Windows is not genuine."  What is going on??

Please assist ASAP my client needs her computer back...this has been a nightmare...I really appreciate all your help....wish I could give 5000 points!!!
Mags (asker):
Googled Window activation...solved.

Still need your advice on Java!!!  Please!!!!
Mags,
If you check, you will probably find that one (or more) Java updates needs to be loaded on that system.
Mags (asker):
I deleted all old versions and update to the most recent version of Java and that was before Avast found the Virus.

I backed up the registry and am now deleting anything having to do with Java before I reinstall it.
Mags (asker):
I'm going to try and run Combofix...I think I can run it now with the Antivirus Programs under control...I will post the log when it is finished.
Mags,
You say that you love CCleaner, so I suggest that you never manually do any cleaning in your registry.

CCleaner has a 'Registry' function that will remove all of that residue for you.
Mags (asker):
I do, but it didn't get rid of or correct any faulty Java files or clean up leftover GoToAssist files...because of the viruses, is there any reason I can't simply delete anything related to Java???  I'm missing a ski day with my husband so I'm a little frustrated...thanks for letting me vent since I can't vent to my customer.
Mags (asker):
Here is the ComboFix log.  Thanks for reviewing it.
Attachment: ComboFix-Log.txt
(solution post; content not available on this page)
(solution post; content not available on this page)
Mags (asker):
Appears the virus is gone.  Computer is running well.  Reinstalled Java; still cannot use Citrix GoToAssist, but it stopped working before this.
Thank you very much for your time and help!
No problem.  Glad to hear everything is back on track.

Maybe now would be a good time to go skiing...
Mags (asker):
phototropic:  Thanks...unfortunately the lifts are closed due to high winds.  I am however clearing off my desk...thankful for slaying the virus dragons, with your patient help.  Then I will be heading up the mountains to a friends for a weekend away from it all!!!

Enjoy...hope you get some time away from it all too...........somewhere I will find balance with my little computer business and taking care of myself.  Sometimes I find it hard to walk away from a computer in trouble even if it means not getting paid for all my time.  Learning time is on me, thanks for an arsenal of tools for fighting viruses!!

I'm sure I will hear from you again on a future thread, especially since you have helped me before!  Take care.

Warm regards,
Mags