A friend called to say that he had opened a Microsoft Word file from an unknown sender and clicked the “Enable Macro” security option, after which his computer stopped working and the following error message window appeared.
Windows has encountered a corrupted folder on your hard drive.
Multiple corrupted files have been found in the folder “My Documents”. To prevent serious loss of data, please allow Windows to restore these files.
At the bottom there were two links, “Restore files” and “Restore files and check disk for errors”. My friend did not believe these messages were legitimate ones from Microsoft and suspected that his computer had been infected by some kind of virus or malware, so he did not click either link and gave me a call instead. I am glad he did, since who knows what would have happened if he had clicked them.
I instructed him over the phone to press “Alt+F4” to close the suspicious program, but that does not work for this particular window. He rebooted his computer a couple of times, but as soon as the network connected, the error message appeared again. I asked him to reboot into Safe Mode, but unfortunately he could not get into Safe Mode even when he pressed the “F8” key before Windows loaded.
So I decided to pay a visit and see what was going on.
It turned out that his OS was Windows 8.1, so I had to boot into Safe Mode following the TechNet article “Windows Startup Settings (including safe mode)”: hold the “Shift” key while clicking the Restart option in Windows 8.
In Safe Mode I had a chance to snoop around and finally found the cause. Here are my steps:
- Press Win+R, then type “msconfig” to find out which services and programs run at startup. I found a strange entry called “Diablo III Setup”, disabled it and took note of it.
- Press Win+R and type “regedit” to check for startup items there as well. Usually you should check
For a 64-bit OS, you might also need to check
- From step 2 we could see there was an executable file in a folder with a random-string name under the “C:\ProgramData” directory. Here are the properties of that file.
From the above you can see that the bad guy took a legitimate-looking EXE file and embedded their malware code in it.
Now you can delete the registry entries found in step 2.
- When I tried to delete the file and directory found in step 3, I got a permission error. To resolve it, I had to remove “Everyone” (which had a Deny Write permission) from the file’s security permission list.
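To make steps 2 to 4 repeatable, here is an added PowerShell script (my own example, not part of the original steps above): the first function lists the usual Run/RunOnce autostart entries, including the Wow6432Node copies on 64-bit Windows, and flags anything launched from C:\ProgramData or failing Authenticode validation without changing anything; the second strips the “Everyone” Deny entries so the file can be deleted. The list of registry keys and the ProgramData heuristic are my assumptions, not proof of malware on their own.

```powershell
# Run from an elevated PowerShell prompt in Safe Mode. Part 1 only reports;
# review the output before deleting anything. Part 2 is the ACL fix from step 4.

function Get-SuspiciousRunEntry {
    # Assumed list of the common autostart keys (HKLM and HKCU, plus the 32-bit view).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            $cmd = [string]$p.Value
            # Extract the executable from the command line, quoted or bare.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $reasons = @()
            if ($exe -match '^[A-Za-z]:\\ProgramData\\') { $reasons += 'runs from ProgramData' }
            if (Test-Path -LiteralPath $exe) {
                $status = (Get-AuthenticodeSignature -FilePath $exe).Status
                if ($status -ne 'Valid') { $reasons += "signature $status" }
            } else { $reasons += 'file missing' }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Flags = ($reasons -join '; ') }
        }
    }
}

function Remove-EveryoneDenyAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Match on the well-known SID S-1-1-0 so this also works on localized Windows.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $deny = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone })
    foreach ($ace in $deny) { $null = $acl.RemoveAccessRule($ace) }
    Set-Acl -LiteralPath $Path -AclObject $acl
    return $deny.Count   # number of Deny entries removed
}

Get-SuspiciousRunEntry | Where-Object Flags | Format-Table -AutoSize
# After reviewing the output: Remove-EveryoneDenyAce -Path 'C:\ProgramData\<random folder>\<file>.exe'
```

Entries flagged only as “signature NotSigned” are common for legitimate software, so compare the executable path with what step 1 and the msconfig list show before acting on them.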
Now double-check whether any other suspicious files are left; otherwise the steps above should have resolved the issue. If you use a wireless network and cannot connect afterwards, run the network Repair wizard to fix the IP settings, since I suspect this malware also changed some network settings.