Symptoms of the wmpscfgs.exe Virus
If you notice the following signs, your system is surely infected by the wmpscfgs.exe virus.
- If you have Malwarebytes or Superantispyware software, they will detect it on every scan and will try to remove this virus, but the virus will just come back after a reboot. Even a safe mode boot (with or without network) will not work.
- A warning about IE not being your default browser will always pop up, even without clicking or opening IE. Do not click either yes or no on it. Just move the window to a corner of your monitor and follow the solution given in (A) and (B) below.
- Windows UAC will misbehave and will keep on prompting whether you want to execute a previously executed startup program. This confirms the presence of the virus. If you try to allow one, UAC will be disabled. Strangely enough, if you enable it again, Windows doesn’t prompt you to reboot, which is also a giveaway that something is wrong, as changing the UAC settings will definitely ask for a reboot.
- Microsoft Security Essentials will detect your startup programs (antivirus software, anti-spyware/malware software, etc.) as viruses and flag them. Another giveaway that something is awfully wrong!
(A) If you notice the above symptoms, you surely have this virus. Here is what you can do to get rid of it. Don’t bother about scanning as scanners can’t fully fix your problem and will end up corrupting your applications.
(1) Boot in safe mode. The reason for this is that in safe mode there are not many processes running. You need this setup in step 9 below as this virus is a nasty one.
(2) Open up Windows Explorer and go to Tools -> Folder options.
(3) (a) Make sure the following is TICKED -> Show hidden files and folders
(b) Make sure the following is UNticked -> Hide Extensions for known file types
(4) Go to the following directories (this is for Vista Home Premium):
(a) C:\Program Files\Internet Explorer
(5) You will see there a file called wmpscfgs.exe. Delete it.
(6) Open up your task manager, make sure ‘show all processes’ is ticked and look for the same process. If it is running, kill it.
(B) From this part on, the steps need more technical experience. If you are not comfortable doing the following steps, get help from someone who can do them for you.
(1) Open up regedit and go to: HKLM -> Software -> Microsoft -> Windows -> CurrentVersion -> Run
(2) Look for the Adobe_reader entry with data: “%ProgramFiles%\Internet Explorer\wmpscfgs.exe”. Delete it.
(3) You may not have many applications under “HKLM -> Software -> Microsoft -> Windows -> CurrentVersion -> Run”. You have to visit each one of them, literally, because this virus hijacks almost every application in the Run list above.
(4) Basically, it renames the old exe file from, say, “mcagent.exe” to “mcagent .exe”, with a space between the filename and the “.exe” extension. It will then create a copy of itself with the same filename as your executable file, so that when someone executes your file, the virus will be executed first and then your file. It will do this for every app you have in your Run list.
(5) Thus, if you go to the location of, say, the McAfee mcagent.exe application, you will see two to three files with almost the same filename:
(a) mcagent.exe -> a 39 KB file, very recently created, which is the virus that keeps adding back that wmpscfgs.exe file.
(b) mcagent .exe -> the original mcagent file, renamed.
(c) mcagent.exe.delme -> delete this one as well.
(6) You first need to kill the corresponding process of the infected file if it is running in task manager, manually remove the existing .exe file, which is only around 39KB, and rename your old executable file back to its former filename. Repeat this for every application you have in your Run list above.
(7) After you have verified that each application in your Run list has been restored, to be fully sure that you don’t have any such files lingering in your system, do a drive search for any file that is 39KB in size and has just been recently created, and examine each one carefully to see whether it is just a copy of your original executable file. Follow this step 7 for each occurrence of it, as this virus attaches itself to executable files.
(8) If you want to be 100% sure, the next thing you need to do is double check whether every process running in your task manager is legit. Some processes, especially those started by the system, won’t be able to take you to their process file, but most of them will if you right click on them: you will see an option there called “Open File Location”. Then follow step 7 above.
(9) Reboot and rest assured you have driven out the wmpscfgs.exe virus.
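The drive search in steps (B)(4) to (B)(7) can be scripted. The following is an added example, not part of the original write-up: a report-only Python scan that looks for an executable sitting next to a copy of its own name with a space before “.exe”. The function names, the 30-day “recent” window and the 1 KB size tolerance are assumptions, and the sample files are constructed.

```python
import os
import tempfile
import time

DROPPER_KB = 39      # size the article reports for the virus copy
RECENT_DAYS = 30     # assumption: cut-off for "recently created"

def find_hijacked(root, now=None):
    """Report-only scan for 'name.exe' sitting beside 'name .exe'."""
    now = time.time() if now is None else now
    findings = []
    for folder, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}   # NTFS names are case-insensitive
        for low, name in sorted(by_lower.items()):
            stem, ext = os.path.splitext(low)
            if ext != ".exe" or stem.endswith(" "):
                continue
            original = by_lower.get(stem + " .exe")   # e.g. "mcagent .exe"
            if original is None:
                continue
            st = os.stat(os.path.join(folder, name))
            # Creation time on Windows; elsewhere st_ctime is last metadata change.
            created = getattr(st, "st_birthtime", st.st_ctime)
            findings.append({
                "suspect": os.path.join(folder, name),
                "original": os.path.join(folder, original),
                "size_matches": abs(st.st_size / 1024 - DROPPER_KB) <= 1,
                "recent": now - created <= RECENT_DAYS * 86400,
                "delme": by_lower.get(low + ".delme"),
            })
    return findings

def demo():
    """Constructed sample tree: one hijacked app, one clean app."""
    root = tempfile.mkdtemp()
    sizes = {"mcagent.exe": 39 * 1024, "mcagent .exe": 300 * 1024,
             "mcagent.exe.delme": 10, "notepad.exe": 200 * 1024}
    for name, size in sizes.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * size)
    return find_hijacked(root)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The script only lists candidates; each “suspect” still has to be examined and restored by hand as described in step (6).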