Note that this is a specific guide to getting rid of a specific virus, and was tested by a specific reader. We’ve not tested these steps personally.
Symptoms of the wmpscfgs.exe Virus
- If you have Malwarebytes or Superantispyware software, these guys will detect it on every scan and will try to remove this virus. But the virus will just come back after a reboot. Even a safe mode boot (with or without network) will not work.
- A warning about IE not being your default browser will always pop up without even clicking or opening up IE. I would not advise clicking either yes or no on it. Just move the window into one of your monitor corners and see the solution below.
- Windows UAC will misbehave and will keep on prompting whether you want to execute a previously executed startup program. This is what gave the virus away for me, hence I started scanning and investigating. If you try to allow one, UAC will be disabled. Strangely enough, if you enable it, Windows doesn’t prompt you to reboot, which is also a giveaway that something is wrong, as changing the UAC settings will definitely ask for a reboot.
- Microsoft Security Essentials will detect your startup programs (virus software, anti spyware/malware software, etc.) as viruses and flag them. Another giveaway that something is awfully wrong!
If you have the above symptoms, you pretty much have the virus I had yesterday. Here is what you can do to get rid of it. Don’t bother about scanning, as scanners can’t fully fix your problem and will end up corrupting your applications.
- Boot in safe mode. The reason for this is that in safe mode there are not many processes running. You need this setup in step 9 below as this virus is a nasty one.
- Open up Windows Explorer and go to Tools -> Folder options.
  a. Make sure the following is TICKED -> Show hidden files and folders
  b. Make sure the following is UNticked -> Hide Extensions for known file types
- Go to the following directories (this is for Vista Home Premium):
  C:\Program Files\Internet Explorer
  C:\Users\user\AppData\Local\Temp
  And you will see there a file called wmpscfgs.exe. Delete them.
- Open up your task manager, make sure ‘show all processes’ is ticked and look for the same process. If it is running, kill it.
Starting from this part, the steps need more technical experience. If you are not comfortable doing the steps below, look for someone who can help you.
- Open up regedit and go to: HKLM -> Software -> Microsoft -> Windows -> CurrentVersion -> Run. Look for the Adobe_reader entry with data: “%ProgramFiles%\Internet Explorer\wmpscfgs.exe”. Delete it.

For me, from this point almost all of the things written on the net currently don’t have the steps below. And it’s the reason why this virus keeps coming back.

- Hopefully you don’t have many applications under “HKLM -> Software -> Microsoft -> Windows -> CurrentVersion -> Run”, because you have to visit each one of them, literally, because this virus hijacks almost every application in the Run list above. Basically it renames the old exe file from, say, “mcagent.exe” to “mcagent .exe”, with a space between the filename and the “.exe” extension. It will then create a copy of itself with the same filename as your executable file so that when someone executes your file, the virus will be executed first, then your file. It will do this for every app you have in your Run list. Thus if you go to the location of, say, McAfee’s mcagent.exe application, you will see two to three files with almost the same filename:
  mcagent.exe -> which is a 39 KB file, very recently created, and which is the virus that keeps adding back that wmpscfgs.exe file.
  mcagent .exe -> the original mcagent file, renamed.
  mcagent.exe.delme
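Visiting every Run entry by hand, as described above, can be narrowed down with a script. The PowerShell below is an added example, not part of the reader's guide: it only reads the HKLM Run key and the file system, and reports entries that have the "name .exe" or ".delme" sibling the guide describes. The variable names and flag wording are assumptions of the example.

```powershell
# Added example. Read-only: reports on HKLM Run entries, changes nothing.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$key    = Get-Item -LiteralPath $runKey

$report = foreach ($name in $key.GetValueNames()) {
    # GetValue() expands %ProgramFiles%-style variables in REG_EXPAND_SZ data
    $data = [string]$key.GetValue($name)

    # Extract the executable from the command line: quoted path first,
    # otherwise everything up to the first ".exe"
    if     ($data -match '^\s*"([^"]+)"')  { $exe = $Matches[1] }
    elseif ($data -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
    else   { continue }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    $dir = [IO.Path]::GetDirectoryName($exe)
    if (-not $dir) { continue }   # bare file name resolved via PATH; not checked here
    $base = [IO.Path]::GetFileNameWithoutExtension($exe)
    $ext  = [IO.Path]::GetExtension($exe)

    # File names the guide describes next to a hijacked entry
    $renamed = Join-Path $dir "$base $ext"   # e.g. "mcagent .exe"
    $delme   = $exe + '.delme'               # e.g. "mcagent.exe.delme"

    $flags = @()
    if ([IO.Path]::GetFileName($exe) -ieq 'wmpscfgs.exe') { $flags += 'entry runs wmpscfgs.exe' }
    if (Test-Path -LiteralPath $renamed) { $flags += 'sibling with space before extension' }
    if (Test-Path -LiteralPath $delme)   { $flags += '.delme sibling' }

    # -Force so hidden files are found too
    $file = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue
    $size = $null; $created = $null
    if ($file) { $size = [math]::Round($file.Length / 1KB); $created = $file.CreationTime }

    New-Object PSObject -Property @{
        Entry = $name; Path = $exe; SizeKB = $size; Created = $created
        Flags = ($flags -join '; ')
    }
}

$report | Select-Object Entry, Path, SizeKB, Created, Flags | Format-List
```

SizeKB and Created are listed for every entry so that a small, very recently created executable, as the guide describes for the copy, stands out next to a flagged sibling.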
Thanks to reader Kan for writing in with this guide, and hopefully it helps somebody else!