Windows Diagnostic malware
I came across another piece of fake Windows diagnostic software on a laptop today that looks real enough that it’s worth sharing here.

The software calls itself Windows Diagnostic. It is a fake computer analysis and optimization program that displays fake information in order to scare you into believing that there is an issue with your computer. The catch is that it won’t actually fix any problems, or restore access to your files, until you click a button and pay them some money.

Windows Diagnostic is installed via Trojans that display false error messages and security warnings on the infected computer. These messages state that there is something wrong with your computer’s hard drive and then suggest that you download and install a program that can fix the problem. When you click on one of these alerts, Windows Diagnostic is automatically downloaded and installed onto your computer.

Once it is on your system, it opens up every time you start your PC and reports lots of serious errors which, in the case of today’s laptop, were all proven false.


While its window is open it keeps itself in the foreground above all other windows and makes it as hard as it can for you to close the Windows Diagnostic window or run other programs: it closes other programs as soon as they open and presents fake “security alert” or “system error” messages.

The following files and folders are created by Windows Diagnostic:

%UserProfile%\Start Menu\Programs\Windows Diagnostic\Windows Diagnostic.lnk
%UserProfile%\Start Menu\Programs\Windows Diagnostic\Uninstall WindowsDiagnostic.lnk

Note: %CommonAppData% is C:\Documents and Settings\All Users\Application Data (for Windows XP/2000) or C:\ProgramData (for Windows 7/Vista).

It also creates the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}.exe

You can delete these manually or use software like Malwarebytes to remove it. If you go the manual route, remove the executable that the Run value points to as well as the value itself, otherwise the program is still on the disk even though it no longer starts with Windows.
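As an added example, not part of the original post, here is a read-only PowerShell triage script that enumerates the two persistence locations listed above (the per-user Start Menu folder and the HKCU Run key) and reports entries matching the Windows Diagnostic indicators. The application-data folders it checks and the ".exe value name" heuristic are assumptions drawn from the {RANDOM}.exe and %CommonAppData% details, not from the post's file list.

```powershell
# Added read-only triage script, not part of the original post. It lists the two
# persistence locations named in the post (per-user Start Menu folder and HKCU Run
# key) and reports entries matching the Windows Diagnostic indicators. Removes nothing.

$runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$startMenuDir = Join-Path ([Environment]::GetFolderPath('Programs')) 'Windows Diagnostic'
# Assumption: the {RANDOM}.exe payload lives under one of the application-data folders,
# as the %CommonAppData% note suggests. A legitimate Run entry there is uncommon.
$appDataDirs  = @('CommonApplicationData', 'ApplicationData', 'LocalApplicationData') |
                ForEach-Object { [Environment]::GetFolderPath($_) }
$findings     = @()

# 1. Start Menu shortcuts ("Windows Diagnostic.lnk", "Uninstall WindowsDiagnostic.lnk"),
#    resolved to their targets so the payload path is recorded alongside the shortcut.
if (Test-Path -LiteralPath $startMenuDir) {
    $shell = New-Object -ComObject WScript.Shell
    foreach ($lnk in Get-ChildItem -LiteralPath $startMenuDir -Filter '*.lnk') {
        $findings += [pscustomobject]@{
            Location = $lnk.FullName
            Value    = $shell.CreateShortcut($lnk.FullName).TargetPath
            Reason   = 'shortcut in Windows Diagnostic Start Menu folder'
        }
    }
}

# 2. HKCU Run values. The value name is {RANDOM} or {RANDOM}.exe, so match on the
#    command line instead: a reference to "Windows Diagnostic", or a path into app data.
if (Test-Path -LiteralPath $runKey) {
    $key = Get-Item -LiteralPath $runKey
    foreach ($name in $key.GetValueNames()) {
        $cmd = ([string]$key.GetValue($name)).Trim().TrimStart('"')
        $why = $null
        if ($cmd -match 'Windows ?Diagnostic') { $why = 'command line names Windows Diagnostic' }
        elseif ($name -like '*.exe')           { $why = 'value name ends in .exe ({RANDOM}.exe pattern, assumed)' }
        else {
            foreach ($dir in $appDataDirs) {
                if ($cmd.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $why = "runs from $dir" }
            }
        }
        if ($why) {
            $findings += [pscustomobject]@{ Location = "$runKey\$name"; Value = $cmd; Reason = $why }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No Windows Diagnostic indicators found.' }
```

Run it in the affected user's own session, since both artifacts are per-user (HKCU and %UserProfile%); review each reported Run value before deleting it, as the app-data heuristic can flag legitimate software.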