
Windows Diagnostics Virus


6 replies to this topic

#1 Peeks

  • Members
  • 3 posts

Posted 18 March 2011 - 01:12 PM

Hi Everyone, this is my first time so please be gentle....

I've recently been unlucky enough to have had the 'Windows Diagnostics' virus and am having problems. As far as I can see I have successfully removed the virus using Malwarebytes but now find that all my music, photo, Excel, Word etc. files are no longer visible. When I click on said files they appear to be empty. I know however that they are still there somewhere as I can still play music through iTunes and view my photos through my editing software. I have tried a system restore but that hasn't worked. Has anyone please got any idea of what I need to do to make these files visible again? I read a very similar post on this subject on this forum earlier today - can anyone help us? Thanks!!

Edited by hamluis, 18 March 2011 - 01:14 PM.
Moved from Vista to Am I Infected.



#2 coles1mom

  • Members
  • 212 posts

Posted 18 March 2011 - 05:22 PM

I don't know if this will work or not but I thought it might be worth reading http://www.bleepingcomputer.com/forums/topic342412.html/page__p__1906838__hl__taking+ownership__fromsearch__1#entry1906838

Good Luck

#3 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Location:NJ USA

Posted 18 March 2011 - 09:05 PM

Also, try
Click Start menu, then click Search.
A pop up will ask, “What do you want to search for?” Click All files and folders.
Type Windows Diagnostic file in the search box, and select “Local Hard Drives.”
Click Search. Once the Windows Diagnostic file is found, delete it.

Open the Task Manager..... Press CTRL+SHIFT+ESC
Click Processes tab. Look for any Windows Diagnostic processes.
If found, right-click them and select End Process to kill them. Close Task Manager.


Reboot into Safe Mode with Networking
How to enter safe mode (XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, post new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 Peeks
  • Topic Starter

  • Members
  • 3 posts

Posted 21 March 2011 - 12:31 PM

Hi, thanks for the help. I think I have now removed the virus but still need to correct the alterations that it has made to my system. As I posted earlier all my music, Excel, movie, photo files etc. are now hidden. I can use the 'show hidden files' option which does make them visible but with an almost grey, opaque appearance. How can I return them to their usual appearance without using the 'show hidden files' feature? I have also lost the use of 'Catalyst Control Centre' according to a pop up on start up, although I can't see what detriment this is to my system if any...
Any suggestions would again be gratefully received.

Thanks,
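The grey, semi-transparent icons Peeks describes are what Explorer draws for items carrying the Hidden attribute; rogues of this family set Hidden (and usually System) on the user's data so the files look gone while iTunes and photo software, which open them by path, still work. The following PowerShell script is an added example and is not part of this thread or of any tool named in it: it inventories hidden items under a profile, skipping the paths Windows keeps hidden on purpose, and clears the Hidden/System bits only when run with -Fix. The $Root default, the exclusion list and the script name Unhide-UserFiles.ps1 are my assumptions; run it from an elevated PowerShell on the affected account.

```powershell
# Added example, not from the thread: report and, with -Fix, clear the Hidden/System
# attributes that a fake-AV rogue set on user data. Assumes elevated PowerShell 2.0+.
# Save as Unhide-UserFiles.ps1 (assumed name) and run:  .\Unhide-UserFiles.ps1 [-Fix]
param(
    [string]$Root = $env:USERPROFILE,   # assumption: the affected user's profile
    [switch]$Fix                        # without -Fix the script only reports
)

$hiddenBit = [int][IO.FileAttributes]::Hidden        # 2
$systemBit = [int][IO.FileAttributes]::System        # 4
$reparse   = [int][IO.FileAttributes]::ReparsePoint  # 1024, junctions such as "Application Data"

# Collect hidden files and folders, but leave alone what Windows hides itself
# (assumed list: profile junctions, AppData, ntuser.* and per-folder desktop.ini/thumbs.db).
$hidden = @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $attr = [int]$_.Attributes
        (($attr -band $hiddenBit) -ne 0) -and
        (($attr -band $reparse) -eq 0) -and
        ($_.FullName -notmatch '\\(AppData|Application Data|Local Settings)\\') -and
        ($_.Name -notmatch '^(ntuser|desktop\.ini$|thumbs\.db$)')
    })

# Summary by type, so the operator can see that what was hidden is user data
# (.mp3, .jpg, .xls, folders) and not just Windows housekeeping.
"Hidden items under $Root (excluding Windows' own hidden paths): $($hidden.Count)"
$hidden | Group-Object { if ($_.PSIsContainer) { '<folder>' } else { $_.Extension.ToLower() } } |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

if ($Fix) {
    foreach ($item in $hidden) {
        # Clear only Hidden and System; Archive, ReadOnly and the rest stay as they were.
        $newAttr = [int]$item.Attributes -band (-bnot ($hiddenBit -bor $systemBit))
        if ($newAttr -eq 0) { $newAttr = [int][IO.FileAttributes]::Normal }  # 0 is not a valid attribute set
        $item.Attributes = [IO.FileAttributes]$newAttr
    }
    "Cleared Hidden/System on $($hidden.Count) items."
} else {
    "Report only. Re-run with -Fix to clear the Hidden/System attributes on the items listed."
}
```

Run it once without -Fix and read the summary first: if the list is dominated by user file types and folders, the rogue did it; if it is mostly system housekeeping, widen the exclusions rather than un-hiding everything. The cmd.exe equivalent, `attrib -h -s /s /d` run inside the profile folder, clears the same two bits but has no exclusions, so it also exposes the folders Windows hides deliberately.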

#5 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Location:NJ USA

Posted 21 March 2011 - 10:40 PM

Use Process Explorer to see what's running at startup.


Please download and run Process Explorer v11.33
Click on File then Save As, create a log.
Copy and paste it into your next reply.

#6 Peeks
  • Topic Starter

  • Members
  • 3 posts

Posted 22 March 2011 - 05:04 AM

Hi, please see the log from Process Explorer below:

Thanks,


Process PID CPU Private Bytes Working Set Description Company Name
System Idle Process 0 87.45 0 K 24 K
System 4 0 K 23,420 K
Interrupts n/a 3.07 0 K 0 K Hardware Interrupts and DPCs
smss.exe 548 312 K 84 K
csrss.exe 628 1,732 K 7,924 K
wininit.exe 692 1,256 K 188 K
services.exe 736 2,840 K 4,060 K
svchost.exe 912 4,416 K 5,164 K Host Process for Windows Services Microsoft Corporation
ehmsas.exe 4612 1,488 K 1,020 K Media Center Media Status Aggregator Service Microsoft Corporation
unsecapp.exe 4292 2,828 K 2,140 K Sink to receive asynchronous callbacks for WMI client application Microsoft Corporation
WmiPrvSE.exe 4704 3,328 K 3,684 K
SCServer.exe 5940 2,376 K 1,564 K Microsoft Search Client Server Microsoft Corporation
FlashUtil10n_ActiveX.exe 4988 1,976 K 1,992 K Adobe® Flash® Player Installer/Uninstaller 10.2 r152 Adobe Systems, Inc.
svchost.exe 1008 4,516 K 4,696 K Host Process for Windows Services Microsoft Corporation
Ati2evxx.exe 1112 1,056 K 296 K ATI External Event Utility EXE Module ATI Technologies Inc.
Ati2evxx.exe 1572 2,980 K 1,388 K
svchost.exe 1128 15,232 K 10,124 K Host Process for Windows Services Microsoft Corporation
audiodg.exe 1340 11,944 K 8,256 K
svchost.exe 1152 88,876 K 85,564 K Host Process for Windows Services Microsoft Corporation
dwm.exe 3528 0.77 44,220 K 42,404 K Desktop Window Manager Microsoft Corporation
svchost.exe 1172 71,684 K 73,024 K Host Process for Windows Services Microsoft Corporation
taskeng.exe 3316 < 0.01 9,980 K 3,788 K Task Scheduler Engine Microsoft Corporation
taskeng.exe 3360 2,016 K 1,820 K
wuauclt.exe 5108 2,984 K 1,184 K Windows Update Microsoft Corporation
CTAudSvc.exe 1368 1,288 K 456 K Creative Audio Service Creative Technology Ltd
svchost.exe 1388 2,272 K 1,380 K Host Process for Windows Services Microsoft Corporation
SLsvc.exe 1404 7,076 K 1,112 K Microsoft Software Licensing Service Microsoft Corporation
svchost.exe 1588 16,820 K 8,176 K Host Process for Windows Services Microsoft Corporation
svchost.exe 1608 8,196 K 7,260 K Host Process for Windows Services Microsoft Corporation
spoolsv.exe 1864 5,460 K 2,404 K Spooler SubSystem App Microsoft Corporation
svchost.exe 1900 13,360 K 9,760 K Host Process for Windows Services Microsoft Corporation
AppleMobileDeviceService.exe 752 3,108 K 1,924 K MobileDeviceService Apple Inc.
AluSchedulerSvc.exe 892 1,664 K 1,192 K Automatic LiveUpdate Scheduler Service Symantec Corporation
bgsvcgen.exe 684 792 K 156 K B's Recorder GOLD Service Library B.H.A Corporation
mDNSResponder.exe 1328 1,760 K 1,768 K Bonjour Service Apple Inc.
svchost.exe 1476 2,176 K 296 K Host Process for Windows Services Microsoft Corporation
ioloServiceManager.exe 1948 25,128 K 4,580 K iolo System component iolo technologies, LLC
PIFSvc.exe 1456 2,640 K 588 K LiveUpdate Notice Service Symantec Corporation
McSACore.exe 1980 8,712 K 5,336 K SiteAdvisor McAfee, Inc.
rundll32.exe 2076 2,420 K 680 K
mfevtps.exe 828 8,580 K 7,616 K McAfee Process Validation Service McAfee, Inc.
NASvc.exe 2088 2,380 K 1,484 K NeroUpdate Nero AG
svchost.exe 2116 1,004 K 312 K Host Process for Windows Services Microsoft Corporation
svchost.exe 2248 916 K 308 K Host Process for Windows Services Microsoft Corporation
svchost.exe 2260 2,352 K 732 K Host Process for Windows Services Microsoft Corporation
RichVideo.exe 2272 1,120 K 868 K RichVideo Module
SeaPort.exe 2292 4,368 K 2,536 K Microsoft SeaPort Search Enhancement Broker Microsoft Corporation
stacsv.exe 2336 0.77 8,848 K 2,020 K IDT PC Audio IDT, Inc.
svchost.exe 2400 3,804 K 1,460 K Host Process for Windows Services Microsoft Corporation
mcshield.exe 2548 0.77 158,520 K 45,024 K McAfee On-Access Scanner service McAfee, Inc.
mfefire.exe 2592 2,552 K 2,384 K McAfee Core Firewall Service McAfee, Inc.
McSvHost.exe 2668 30,296 K 16,740 K McAfee Service Host McAfee, Inc.
alg.exe 3524 884 K 752 K Application Layer Gateway Service Microsoft Corporation
svchost.exe 1248 3,528 K 2,204 K Host Process for Windows Services Microsoft Corporation
SearchIndexer.exe 4088 50,844 K 51,960 K Microsoft Windows Search Indexer Microsoft Corporation
SearchProtocolHost.exe 3144 2.30 18,756 K 22,520 K
SearchFilterHost.exe 5452 2.30 3,484 K 2,600 K
wmpnetwk.exe 2748 21,140 K 21,124 K Windows Media Player Network Sharing Service Microsoft Corporation
svchost.exe 5056 1,660 K 156 K Host Process for Windows Services Microsoft Corporation
iPodService.exe 5292 2,876 K 2,428 K iPodService Module (32-bit) Apple Inc.
lsass.exe 760 3,372 K 2,484 K Local Security Authority Process Microsoft Corporation
lsm.exe 772 2,540 K 2,780 K
csrss.exe 704 2,772 K 7,116 K
winlogon.exe 944 2,008 K 504 K
explorer.exe 3580 < 0.01 50,412 K 58,408 K Windows Explorer Microsoft Corporation
rundll32.exe 608 9,340 K 4,204 K Windows host process (Rundll32) Microsoft Corporation
PIFSvc.exe 592 1,892 K 204 K LiveUpdate Notice Service Symantec Corporation
wmdc.exe 756 1,788 K 1,204 K Windows Mobile Device Center Microsoft Corporation
ipoint.exe 3356 6,372 K 4,228 K IPoint.exe Microsoft Corporation
itype.exe 3376 < 0.01 6,052 K 5,056 K IType.exe Microsoft Corporation
dpupdchk.exe 3736 2,372 K 1,716 K dpupdchk.exe Microsoft Corporation
wmpnscfg.exe 3808 2,056 K 1,452 K Windows Media Player Network Sharing Service Configuration Application Microsoft Corporation
mcagent.exe 4048 < 0.01 47,196 K 1,516 K McAfee Security Center McAfee, Inc.
iTunesHelper.exe 4144 < 0.01 7,008 K 3,152 K iTunesHelper Apple Inc.
realsched.exe 4208 2,108 K 256 K RealNetworks Scheduler RealNetworks, Inc.
sidebar.exe 4248 < 0.01 5,704 K 2,040 K Windows Sidebar Microsoft Corporation
ehtray.exe 4284 1,692 K 2,156 K Media Center Tray Applet Microsoft Corporation
ISUSPM.exe 4300 1,760 K 2,176 K Macrovision Software Manager Macrovision Corporation
SUPERAntiSpyware.exe 4344 105,488 K 628 K SUPERAntiSpyware Application SUPERAntiSpyware.com
AutoStartupService.exe 4368 < 0.01 30,592 K 12,196 K AutoStartService Panasonic Corporation
WinMail.exe 5424 < 0.01 36,344 K 29,160 K Windows Mail Microsoft Corporation
iexplore.exe 2052 < 0.01 13,980 K 21,364 K Internet Explorer Microsoft Corporation
iexplore.exe 4072 0.77 112,864 K 66,840 K Internet Explorer Microsoft Corporation
iexplore.exe 3028 < 0.01 79,556 K 23,712 K Internet Explorer Microsoft Corporation
WinRAR.exe 6116 9,248 K 696 K WinRAR archiver Alexander Roshal
iexplore.exe 4516 < 0.01 75,372 K 40,548 K Internet Explorer Microsoft Corporation
procexp.exe 4240 1.53 15,836 K 27,908 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com
GoogleCrashHandler.exe 3608 2,540 K 532 K
mswinext.exe 5672 < 0.01 23,560 K 16,724 K Bing Bar Microsoft Corp.
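A first pass over a dump like the one above is to pick out the rows with no Description or Company Name, since a genuine vendor binary normally carries both. The caveat a practitioner wants is that Process Explorer also shows blanks for processes it was not allowed to open (smss.exe, csrss.exe, wininit.exe, lsm.exe and the like when it runs non-elevated), so a blank on those is expected rather than suspicious, while a blank on a generic host such as rundll32.exe says nothing until its command line and image path are checked. The following PowerShell function is an added example, not part of the thread: it parses the tab-separated file Process Explorer writes from File > Save As (same columns as the dump), and the five sample rows are constructed from entries in the dump so it runs offline.

```powershell
# Added example, not from the thread: triage a Process Explorer "Save As" log.
# Assumes the file is tab-separated with the header row shown in the dump above.
function Get-BlankPublisherProcesses {
    param([string]$LogText)

    # Process Explorer shows blank Description/Company Name when it cannot open the
    # process; for these protected system processes that is the normal non-elevated view.
    $expectedBlank = 'System', 'System Idle Process', 'Interrupts', 'smss.exe', 'csrss.exe',
                     'wininit.exe', 'winlogon.exe', 'lsm.exe', 'services.exe', 'audiodg.exe'

    $rows = $LogText -split "`r?`n" | Where-Object { $_.Trim() -ne '' } |
        ConvertFrom-Csv -Delimiter "`t"

    foreach ($r in $rows) {
        $hasPublisher = -not [string]::IsNullOrEmpty($r.Description) -and
                        -not [string]::IsNullOrEmpty($r.'Company Name')
        if ($hasPublisher) { continue }

        if ($expectedBlank -contains $r.Process) {
            $note = 'blank is expected for a protected process; re-run Process Explorer elevated to confirm'
        } else {
            $note = 'no publisher shown; check image path, command line and signature before trusting it'
        }
        New-Object PSObject -Property @{ Process = $r.Process; PID = $r.PID; Note = $note } |
            Select-Object Process, PID, Note
    }
}

# Constructed sample in the saved-log format, taken from rows of the dump above.
$sampleLog = @"
Process`tPID`tCPU`tPrivate Bytes`tWorking Set`tDescription`tCompany Name
smss.exe`t548`t`t312 K`t84 K`t`t
rundll32.exe`t2076`t`t2,420 K`t680 K`t`t
rundll32.exe`t608`t`t9,340 K`t4,204 K`tWindows host process (Rundll32)`tMicrosoft Corporation
GoogleCrashHandler.exe`t3608`t`t2,540 K`t532 K`t`t
mcshield.exe`t2548`t0.77`t158,520 K`t45,024 K`tMcAfee On-Access Scanner service`tMcAfee, Inc.
"@

# Expected: smss.exe flagged as expected-blank; rundll32.exe (2076) and
# GoogleCrashHandler.exe flagged for a closer look; the other two rows pass.
Get-BlankPublisherProcesses -LogText $sampleLog | Format-Table -AutoSize

# Against a real saved log:
# Get-BlankPublisherProcesses -LogText (Get-Content -Raw .\procexp-log.txt)   # assumed filename
```

The output is a worklist, not a verdict: a row flagged "check" is resolved in Process Explorer itself by opening the process properties and looking at the image path, the command line (for rundll32.exe, which DLL it was told to load) and the Verify button for the signature. Note that `Get-Content -Raw` needs PowerShell 3.0; on Vista's PowerShell 2.0 use `(Get-Content .\procexp-log.txt) -join "`n"` instead.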

#7 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Location:NJ USA

Posted 22 March 2011 - 08:54 PM

Please run SFC (System File Checker)
Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista/WIN 7 users.. The command needs to be run from an Elevated Command Prompt. Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the CD when asked.
