How-To Geek

How To Get Rid of the wmpscfgs.exe Virus, a Reader Contributed Guide

How-To Geek reader Kan wrote in with a full guide to getting rid of the nasty wmpscfgs.exe virus, and we figured we should just share it with everybody, just in case anybody else comes across the same problem in the future.

Note that this is a specific guide to getting rid of a specific virus, and was tested by a specific reader. We’ve not tested these steps personally.

Symptoms of the wmpscfgs.exe Virus

  • If you have Malwarebytes or SUPERAntiSpyware, they will detect it on every scan and try to remove it, but it will just come back after a reboot. Even a safe-mode boot (with or without networking) does not help.
  • A warning that IE is not your default browser will keep popping up without you clicking or opening IE. I would not advise clicking either Yes or No on it. Just move the window into a corner of your monitor and see the solution below.
  • Windows UAC will misbehave and keep prompting whether you want to execute a previously executed startup program. This is what gave the virus away for me, hence I started scanning and investigating. If you try to allow one, UAC will be disabled. Strangely enough, if you re-enable it, Windows doesn’t prompt you to reboot, which is also a giveaway that something is wrong, as changing the UAC settings will definitely ask for a reboot.
  • Microsoft Security Essentials will detect your startup programs (antivirus software, anti-spyware/malware software, etc.) and flag them as viruses. Another giveaway that something is awfully wrong!

If you have the above symptoms, you pretty much have the virus I had yesterday. Here is what you can do to get rid of it. Don’t bother with scanning, as scanners can’t fully fix your problem and will end up corrupting your applications.

  1. Boot into safe mode. In safe mode far fewer processes are running, and you need that for step 9 below, as this virus is a nasty one.
  2. Open Windows Explorer and go to Tools -> Folder Options.
        a. Make sure the following is TICKED -> Show hidden files and folders
        b. Make sure the following is UNticked -> Hide extensions for known file types
  3. Go to the following directories (this is for Vista Home Premium):
         C:\Program Files\Internet Explorer
         C:\Users\user\AppData\Local\Temp
     In each of them you will see a file called wmpscfgs.exe. Delete them.
  4. Open Task Manager, make sure "Show processes from all users" is ticked and look for a process with the same name. If it is running, kill it.

Starting with this part, the steps need more technical experience. If you are not comfortable doing the steps below, find someone who can help you.

  5. Open regedit and go to: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  6. Look for an Adobe_reader entry with the data “%ProgramFiles%\Internet Explorer\wmpscfgs.exe“. Delete it. From this point on, almost everything currently written on the net is missing the steps below, and that is the reason why this virus keeps coming back.
  7. Hopefully you don’t have many applications under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, because you literally have to visit each one of them: this virus hijacks almost every application in that Run list.
  8. Basically it renames the old exe file from, say, “mcagent.exe” to “mcagent .exe”, with a space between the filename and the “.exe” extension. It then creates a copy of itself with the same filename as your executable, so that when someone runs your file, the virus is executed first and then your file. It does this for every app in your Run list.

     Thus if you go to the location of, say, McAfee’s mcagent.exe, you will see two to three files with almost the same filename:

     • mcagent.exe             -> a 39 KB file, very recently created: this is the virus, which keeps adding back the wmpscfgs.exe file.
     • mcagent .exe            -> the original mcagent file, renamed.
     • mcagent.exe.delme<some random number>     -> delete this one as well. I didn’t see it every time, but some apps had this file next to them, also very recently created.
  9. First kill the corresponding process of the infected file if it is running in Task Manager, then manually remove the existing .exe file (the one that is only around 39 KB) and rename your old executable back to its former filename. Repeat this for every application in your Run list. The only thing I saw this virus not infect was the Windows Defender application; the rest of my Run list was screwed. Uninstalling and reinstalling doesn’t help either, as the Trojan exe file is retained in the application directory.

     This is the reason why Microsoft Security Essentials was complaining that your startup executables are viruses.

  10. Once you have verified that each application in your Run list has been restored, and to be fully sure that you don’t have any such files lingering on your system, do a drive search for any file that is 39 KB and was just recently created, and examine each one carefully to see whether it is just a copy placed next to your original executable. Follow step 9 for each occurrence. So far I only saw this virus attach itself to executable files.
  11. If you want to be 100% sure, next double-check every process running in Task Manager to see whether it is legit. Some processes, especially those started by SYSTEM, won’t take you to their process file; that’s OK, but for most of them a right-click shows an option called “Open File Location”. Then follow step 9 above.
  12. Reboot and that’s it!
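As an added illustration (my script, not part of Kan’s guide), the PowerShell below automates the checking half of steps 5 to 11: it walks the Run keys, works out which executable each entry launches and reports the indicators the guide describes next to it (a “name .exe” sibling, a .delme leftover, a small and very recently created launcher, or a value that points straight at wmpscfgs.exe). It only reports; the killing, deleting and renaming stay manual. The 40 KB limit, the 7-day window and the list of keys (including the Wow6432Node key on 64-bit Windows) are my assumptions, as are PowerShell 3 or later and an elevated prompt, ideally in safe mode.

```powershell
# Added example; not part of Kan's guide. Walks the Run keys and reports, for
# each entry, the hijack indicators described in steps 6 to 10. Nothing is
# deleted or renamed. Assumptions: PowerShell 3 or later, an elevated prompt
# (ideally in safe mode), a 40 KB size limit and a 7-day "recently created"
# window chosen to match the ~39 KB launcher the guide describes.

$SizeLimit   = 40KB
$RecentSince = (Get-Date).AddDays(-7)

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 64-bit hosts only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunEntryPath {
    # Extract the executable from a Run value such as
    #   "C:\Program Files\App\app.exe" /silent   or   %ProgramFiles%\App\app.exe
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"')        { return $Matches[1] }   # quoted path, args follow
    if ($cmd -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }   # unquoted path, cut at first .exe
    return $cmd
}

function Test-HijackedEntry {
    # Returns one report object for a Run value, listing the indicators found.
    param([string]$KeyPath, [string]$Name, [string]$Command)
    $exe = Get-RunEntryPath $Command
    if (-not (Test-Path -LiteralPath $exe)) {
        return [pscustomobject]@{ Key=$KeyPath; Name=$Name; Exe=$exe; Status='missing'; Indicators='' }
    }
    $file = Get-Item -LiteralPath $exe
    $dir  = $file.DirectoryName
    $base = [IO.Path]::GetFileNameWithoutExtension($file.Name)
    $ind  = @()

    # Step 8: the original, renamed to "<base> .exe" (one or more spaces).
    $renamed = Get-ChildItem -LiteralPath $dir -Filter "$base *.exe" -ErrorAction SilentlyContinue
    if ($renamed) { $ind += 'renamed original: ' + ($renamed.Name -join ', ') }

    # Step 8: "<base>.exe.delme<number>" leftovers.
    $delme = Get-ChildItem -LiteralPath $dir -Filter "$($file.Name).delme*" -ErrorAction SilentlyContinue
    if ($delme) { $ind += 'delme files: ' + ($delme.Name -join ', ') }

    # Steps 9/10: the launcher itself is small and brand new.
    if ($file.Length -le $SizeLimit -and $file.CreationTime -ge $RecentSince) {
        $ind += "small ($([int]($file.Length / 1KB)) KB), created $($file.CreationTime)"
    }

    # Step 6: the value points straight at the dropper.
    if ($exe -match 'wmpscfgs\.exe$') { $ind += 'points at wmpscfgs.exe' }

    $status = if ($ind) { 'SUSPECT' } else { 'ok' }
    [pscustomobject]@{
        Key        = $KeyPath
        Name       = $Name
        Exe        = $exe
        Status     = $status
        Indicators = $ind -join '; '
    }
}

# Get-ItemProperty adds provider metadata properties; skip those, not Run values.
$meta   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$report = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $meta) { continue }
        Test-HijackedEntry -KeyPath $key -Name $p.Name -Command ([string]$p.Value)
    }
}

$report | Sort-Object Status -Descending | Format-Table -AutoSize -Wrap
```

Entries marked SUSPECT are the ones to take through step 9 by hand; “missing” means the value points at a file that no longer exists, which is worth a look too, since a scanner may already have removed the 39 KB copy and left the renamed original behind. A launcher that is small and new but has no renamed sibling can be a legitimate update, so check the file’s publisher before deleting anything.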

Thanks to reader Kan for writing in with this guide, and hopefully it helps somebody else!

Lowell Heddings, better known online as the How-To Geek, spends all his free time bringing you fresh geekery on a daily basis.

  • Published 01/31/10

Comments (53)

  1. Earl Truss

    You didn’t number the steps but you refer to “step 9″ at one point. If you are writing a procedure like this, you should always number the steps and especially if you want to refer to one or more specific steps. Thanks.

  2. Mike

    Any tips on how to avoid getting infected with this virus in the first place?

  3. Roberto Roberts

    Since this virus seems to involve startup files, and the app WinPatrol
    (a) overrides the startup file & all startup files/exe programs listed elsewhere,
    (b) shows a pop-up warning, by name, when a new file or app seeks to be added to start-up, and
    (c) allows you to allow or refuse permission to the named file to start upon boot…
    would WinPatrol prevent this virus from doing any or all of its damage?

  4. Kan

    It had numbers when I submitted them, but it looks like they were removed when they were posted here.

  5. The Geek

    Yeah, the original post had numbers. We have a slight bug in our publishing system at the moment, it shows generic bullets for everything including ordered lists.

  6. 1fastbullet

    Nice work, Kan!!

    Thank you for the heads up.

  7. janet

    I’m having this virus, and I cannot delete it from the Internet Explorer folder; it says “Access is denied. Make sure the disk is not full or write protected”. I’ve already checked the running tasks and it doesn’t appear there. Any suggestions?

  8. Arin

    Thanks a lot Kan. Your procedure worked, after what seemed like hours and hours of running MBAM, Spybot and what not to remove various Trojans and viruses. One suggestion for people who are affected by this would be to kill the processes by going into “Services” and “Stopping” all virus-infected files that are part of your startup process and then deleting them. You can also use a piece of software called “Unlocker” (Google search for that software) to delete files that you do not have permission to delete (or it will delete the files upon reboot).

    I am a fairly good computer geek, and know how to fix this kind of problem, but there is no way we can keep up with the “variants” that pop up everywhere. Thanks to people like you and websites like these, some of us do not lose our sanity or end up “formatting” the hard drive. This virus was installed via a malicious piece of software called Antivirus Plus (which was embedded in a pop-up ad at a newspaper website), which in turn had also disabled my Safe Mode. I removed the virus-infected antivirus software (plus an infected desktop screensaver installed by AVP) after 5 hrs of hard work only to see wmpscfgs.exe show up. As mentioned above, my laptop is clean after 12 hrs of tinkering and I hope that others do not see this nasty executable virus.

  9. Arin

    Ha! Ha! Ha! I counted my chickens too fast. The Antivirus Plus also caused a browser hijack and my IE / Netscape browsers are useless beyond going to my home page (Google) because it gets redirected to multiple ad platforms. So now I am using ComboFix, Dr.Web CureIt and ATF Cleaner, and maybe Virut depending on what I see on HijackThis. Just when I thought my day was ending on a positive note.

  10. Tripp

    I must admit this son of a b* perplexed me. Your steps worked, but for some reason I couldn’t get into safe mode so I had to do it another way.

    This was on an XP Pro machine FYI.

    I went into msconfig and unchecked all startup apps. I then wrote down the names of all of them and located each one and its virus counterpart. Please note: this list was different from the one in my registry. I deleted them all and anything else I thought was a virus. The hardest ones to delete were a QuickTime task that had 10 different copies. I only found that one by searching for files modified between yesterday and today with a size of at least 39 KB.

    Not sure where I picked this up at but it was tied to the fake Antivirus 2010 program so it must be very new. When I noticed something was wrong I immediately disabled the internet and worked with it offline.

    FYI – I also had 24 entries in my Scheduled Tasks (one for each hour) for this virus to check the web. I deleted those.

  11. Dev()n

    Hi

    Thanks for this, it looks like it does help quite a bit. The only problem I have is that I can’t open regedit; it keeps saying disabled by admin. But I’m the admin and I haven’t disabled it, and I have followed the “disable registry prevention” instructions and all that, but still no luck. Could I just boot into safe mode and delete the wmpscfgs.exe’s and all the 39 KB files?

    Thanks

  12. Dev()n

    Oh and I’m using Windows 7.

    Thanks

  13. Kan

    Dev()n, sorry, I’m not very familiar with how Windows 7 works. But yes, as mentioned above, it’s recommended to do the cleanup in safe mode so that not all services/processes are up and running. You need to stop the processes that the virus started before removing the infected files and renaming your original exe files back. If you can’t run regedit, you can try msconfig, which Tripp used.

    Tripp, yeah, the msconfig startup items also need to be checked. Looks like it’s more comprehensive than the Run registry settings.

  14. Kelly

    Hey!

    I tried this (and I’m running Win7), only the virus is somehow blocking my access to regedit. I can’t get in; I’ve tried lots of things (like editing in gpedit that I am allowed to edit) but my computer keeps blocking me out with the message that the administrator didn’t give permission, while I’m the administrator, even when I click ‘run as administrator’. At the moment I’m at a loss, and I don’t know what to do. If anyone could help, it would be greatly appreciated.

    Kelly

  15. aNiZ

    I am having the same exact problems. I cannot access regedit and I have gone through 6 different sets of steps I found on the net. I can find the culprit wmpscfgs.exe but cannot delete it.
    My computer has also found another virus called agent_r.qm

    I take it these are pretty new viruses because there is not a lot of help to be found on the net about them.

    Advice would be appreciated.

    aNiZ

  16. Rob S

    Woohoo!!

    Thank you! That worked out great! I have Windows XP so not everything matched up perfectly, but just the fact that the virus renames your startup run files was the key to removing this annoying virus. Thank you very much =)

    – Rob

  17. Conn09

    Everyone who follows this, do be careful, as there is in fact a process with a similar name to this; it’s actually called “wmpnscfg.exe” and is the configuration settings for the Windows Media Player Network Sharing Service. Even though I don’t actually use it, it is set to run all the time and is a Microsoft certified process. Its partner process is “wmpnetwk.exe”, which is the actual sharing service.

    Just thought I would warn you all; I think my warning would only affect those that actually use Windows Media Player.

    Cheers,

    Conn

  18. Tara

    You are the best. Wish I could buy you a beer.

  19. Jon

    Great solution! I would like to emphasize two things.

    1) Take time to look for ALL files that have been renamed as described. Any file listed by the O4 category of HijackThis reports is likely to have changed and not all of these show up in the registry as described above.

    2) Search the registry for wmpnscfg and delete all entries. I had two that were in other areas of the registry that had to be removed for the problem to go away.

  20. aNiZ

    Any more advice for people who are denied access to regedit?

  21. Gooch

    aNiZ, I had regedit locked out as well. Please search Google. I found a simple step that required going into some control panel setting and changing something to enabled. Sorry, I’m writing from memory here. It fixed the regedit problem.

  22. martin

    Many, many thanks for this how to!

    To run regedit.exe you need to log in as the user “Administrator”. This account is disabled by default.

    Go to Manage Computer, then Local Users and Groups > Administrator account and uncheck the Disable box. Next time you will find Administrator in your list of users. With that user you can run regedit.
    Good luck.

  23. Virus Killah

    I got the wmpsftct.exe whatever bug in my IE folder and IT MUST DIE NOW. So I will try to follow your procedures. To those who can’t get the Admin Rights to get to the Task Manager and Regedit, get the MALWAREBYTES. BECAUSE IT SAVED MY COMPUTER FROM NEAR DEATH AND RESTORED IT TO GOOD WORKING HEALTH. Off to kill another virus now…

  24. Centime

    For those who cannot access regedit, it may have been disabled by this virus. If you run HijackThis you will find an O4 entry that shows a registry setting allowing for the disabling of regedit.

    Check the box next to this entry and then click “Fix Checked” in the lower left of the HijackThis screen. You should now be able to access regedit.

    This is what worked for me, so hopefully it will work for others.

    If you don’t have HijackThis, you can download it here:

    http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

    Thank you for posting this fix, and thanks to Kan for providing it. This has been such a frustrating thing to deal with, and this fix allowed me to finally wipe the virus from my PC (knock wood!).

    Many thanks.

  25. Ivan

    I followed instructions and deleted all copies of the virus from various folders and cleaned registry, but after reboot it comes back… What am I missing?
    Thanx

  26. dustnc

    Got a solution for those of you having problems opening regedit. You will have to copy this code to Notepad and save it as “regedit.vbs”, including the quotation marks so it keeps the .vbs extension. Then just run this whenever the system is throwing you the “regedit has been disabled by the administrator” error. You will have to remove the virus before it will stop disabling it immediately, but this should get regedit running for you every time so you can make changes even when it’s disabled. Here’s the script:

    ' Remove the policy values that disable regedit, then launch it.
    ' The HKLM value can only be deleted from an elevated (administrator) prompt.
    On Error Resume Next
    Set WSHShell = WScript.CreateObject("WScript.Shell")
    WSHShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
    WSHShell.RegDelete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
    WSHShell.Run "Regedit.exe"

  27. rrcccc

    This thing is nasty! I still can’t use regedit. It appears to have multiple disabling methods and downloads other viruses to do other hidden damage. I just wanted to add: check System Volume Information and other places… it likes to back itself up. On my system it had over 40 backups, with its little red truck icon it uses on my system…. Good luck to us all.

  28. dustnc

    @rrcccc wow, sorry, I was able to get regedit running with that script, you must have some rootkits that are killing regedit once it notices it running. See if you can get Gmer from http://www.gmer.net/ then run your system in safe mode. Run Gmer and let it do its initial scan and just delete the items that show up in red. Run back through your system and clean up all of the “red truck” exe’s and rename your original exe’s. Also before restarting your system in normal mode run superantispyware and malwarebytes with their latest definitions to try to get rid of any leftovers that are giving this thing a helping hand. If they don’t currently have the latest updates, get to another computer and download the offline definitions updates for both programs, move them to the infected computer with a flash drive, and install them before running the programs. I kept having to start over because I missed something when I was working on this virus, but once I used the rootkit detector, malwarebytes, and superantispyware in conjunction with the instructions on this page I was finally able to kick it. Good Luck!

  29. dustnc

    Also for those of you who are having problems getting into safe mode, try selecting safe mode with command prompt. Once you log in and the command prompt pops up type “explorer.exe” without the quotes and it should bring up the system and allow you to run the scanners and allow you to delete those pesky files that keep giving you “Access Denied” when in normal mode. Good Luck!

  30. Yolanda

    My son’s computer was infected by that file. He tried to do Ctrl+Alt+Delete, but the Task Manager was not there. What seems to be the problem?

  31. dustnc

    I would try to use this script to get Task Manager running for you, but like rrcccc said before it might still be blocking it, in which case you might be able to follow my response to his post to get the system running for you. You will have to copy this code to Notepad and save it as “TaskMgr.vbs”, including the quotation marks so it keeps the .vbs extension. Then just run this whenever Task Manager won’t come up for you. Again, you will have to remove the virus completely before it will stop disabling it immediately. Here’s the script:

    ' Remove the policy values that disable Task Manager, then launch it.
    ' The HKLM value can only be deleted from an elevated (administrator) prompt.
    On Error Resume Next
    Set WSHShell = WScript.CreateObject("WScript.Shell")
    WSHShell.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
    WSHShell.RegDelete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
    WSHShell.Run "taskmgr.exe"

  32. m8ms

    Great! Thanks it worked for my win 7 as well! Only that I deleted one Avast file recklessly and I guess I got another thing to repair now :)

  33. Rene

    Hey, great man.
    Never found something better explained :-)
    Tomorrow I will reinstall that thing with sysdiff running to check out what it really changes.

    Thanks a lot

    Rene

  34. dfgdfdf

    I got hit with this virus after visiting one of the websites on Google’s Fast Flip… hmmm. I had some but not all of the symptoms described above. Microsoft Security Essentials kept identifying the threats from Unruy.c and Cutwail.gen!F, saying it had cleaned them, and making me reboot.

    Anyway, to cut a long story short, I started the steps above, only to find wmpscfgs.exe copied itself back into the IE folder; and it copied itself onto regedit, and regedit.exe – no backups this time.

    At the point of despair, I did a system restore to a point yesterday – problem solved. Seems like that is the first thing to try!

  35. Dave

    Pure genius! You saved me a lot of time and aggravation. Thanks for the awesome post.

  36. T3kL0rD

    I would like to system restore, but the virus has locked me out of my own admin privileges. I’m hoping this method will work for me, wish me luck! If I hadn’t installed another version of Windows XP on this machine to dual boot, I would be completely SOL, because the virus shuts down my PC completely in the version of Windows it infected.

  37. DSP

    Good luck, this is one nasty virus you have to literally battle against.

  38. Dan

    I had the virus. I found out that the virus keeps its own log in C:\Temp\log.txt (Win XP Pro). It logs every exe it hijacks. PS! Using Search and limiting it to recent files below 40 KB is a MUST do; it was the only way I got rid of it eventually. I also had to delete a file called 0996336.exe or something like that. It had added itself to the startup list. It also had a copy and an “original” with a space (….336 .exe), but that was actually the virus too.

  39. T3kL0rD

    Reformatting my hard drive and reinstalling Windows XP Home off of my HP recovery discs was the route I took. My Windows XP installation was ultra slow from all the programs I added over the years, so I needed to do this regardless. Don’t know how I could have done without being in dual boot mode though because the virus shut down my PC completely. When I knocked some of it out through the other OS, it disabled my every last option to put my system back to the way it was before.

  40. Tom

    I have been having multiple issues. this in addition to arcotray.exe are annoying the hell out of me. Arcotray is in the adobe folder and can’t be deleted. I solved this by moving it to the desktop, rebooting and then deleting immediately on startup. I am having a few different issues than the rest of you because I am running 64bit VISTA.

    “ctv290 .exe” seems to have started this whole mess on my computer. it also looks into http://verticalhorizonads.com/banner.php?aff_id=5534
    http://ad.seeknet2.com/goad/?aff_id=1273

    exe files must be run as admin to run, and a lot of other strange things are going on. I can’t run regedit, so I uninstalled Adobe Reader altogether. I can’t figure out how to get into the Run list. Can anyone tell me how to?

  41. Kol W

    Hi All

    First of all I just want to say thank you to Kan for submitting this invaluable guide, but it needs some extra steps. I have just spent many hours wrestling with this, and after finally clearing it out there are some bits missing from his guide, which is why some people keep getting re-infected (in fairness the issue is mentioned, but only in passing). Anyway, I hope that this post is useful to people.

    The steps described by Kan are absolutely correct other than you need to locate and remove both registry keys and files with a filetype of “.delmennn” (where nnn is a number). On my machine (XP) the virus infected rundll32 (which always runs at windows startup). Even after replacing rundll32 with the correct version the virus still overwrote this with the corrupt version.

    OK – please also bear in mind that this doesn’t just affect files in the startup list; it can also affect other executable files that you run manually. So, additional steps to Kan’s guide (after being in safe mode, running Task Manager etc.).

    1/ A quick and dirty way to “box” this in while you are going through the removal process is to go to c:\program files\internet explorer and delete both wmpscfgs.exe and js.mui (if you’ve run a scanner, these are the files that are detected). Then copy a safe program (I used notepad.exe from C:\Windows\System32) into c:\program files\internet explorer and rename it to wmpscfgs.exe. From this point, although you still have the virus, it is effectively “neutered”, as it is wmpscfgs.exe that causes the threat and downloads the additional spyware. At this stage you will get Notepad starting every hour or so, but big deal: your system is safe, you just have to close Notepad.

    2/ Open Start –> Programs –> Accessories –> System Tools –> Task Scheduler
    In the Task Scheduler you will notice about 24 jobs name “at1″ to “at24″ or similar – DELETE ALL OF THESE. It is these tasks that run the “wmpscfgs.exe” program.

    3/ Run Regedit and search for all occurrences of “.delme” and delete any keys with this string

    4/ Run a disk search of your hard drive looking for “*.delme*” and DELETE ANY FILES FOUND. This, coupled with the scheduled tasks and registry entries, is the culprit that recreates the wmpscfgs.exe file when Windows starts if wmpscfgs.exe doesn’t exist (which is why the quick and dirty workaround in step 1 works).

    5/ Run the rest of Kan’s process and it will clear this out (this can be validated when you’ve completed cleaning by running MalwareBytes AntiMalware when you’re finished).

    6/ When you have finished, remember to delete the wmpscfgs.exe file that you created in step 1.

    Just another couple of comments:

    1/ When searching for the .exe files that had been renamed to include a space (or in some instances multiple spaces) I found the utility FileSearchEX to be invaluable as it lets you do a disk search for “* .exe” (note the space) – if you use this just enter * .exe without the quotes and search the c: drive.

    2/ This brings me to the awkward bit – where did it come from in the first place? I don’t have a definitive answer to this and I am in no way maligning (or pointing fingers at) any of these programs, but in my case I suspected it was due to either Google Chrome, Google Updater or InstallShield (ISUS). I removed all of these to be safe and have had no problems.

    As I said I hope this is of use to people.

    Kol
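The three sweeps Kol W describes above (renamed “name .exe” originals, “.delme” leftovers and the hourly At jobs) can be done in one pass. The PowerShell below is an added example of mine, not code from Kol W or from the article; it reports what it finds so each hit can be reviewed before deletion, and it assumes C:\ is the system drive, PowerShell 3 or later and an elevated prompt. It uses schtasks rather than the Task Scheduler GUI because on XP and Vista the At jobs show up there with their command lines.

```powershell
# Added example, not from the original post: one sweep for the leftovers Kol W
# describes, reported for review before anything is deleted.
#   - originals renamed to "<name> .exe" (one or more spaces before .exe)
#   - "<name>.exe.delme<number>" files
#   - scheduled At jobs (At1..At24) and any task whose command runs wmpscfgs.exe
# Assumptions: C:\ is the system drive, PowerShell 3 or later, elevated prompt.
param([string]$Root = 'C:\')

function Find-Leftovers {
    param([string]$Path)
    # One recursive walk; -Force includes hidden files, unreadable folders are skipped.
    $files = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $kind = $null
        if ($f.Name -match '\s+\.exe$')       { $kind = 'renamed original' }
        elseif ($f.Name -match '\.delme\d*$') { $kind = 'delme leftover' }
        if ($kind) {
            [pscustomobject]@{
                Kind    = $kind
                Path    = $f.FullName
                KB      = [int]($f.Length / 1KB)
                Created = $f.CreationTime
            }
        }
    }
}

function Find-SuspectTasks {
    # schtasks /v /fo CSV repeats its header row per task folder; drop those rows.
    $rows = schtasks /query /v /fo CSV 2>$null | ConvertFrom-Csv |
            Where-Object { $_.TaskName -ne 'TaskName' }
    $rows | Where-Object {
        $_.TaskName -match '^\\?At\d+$' -or $_.'Task To Run' -match 'wmpscfgs\.exe'
    } | Select-Object TaskName, 'Task To Run', 'Next Run Time', Status
}

"== Files under $Root =="
Find-Leftovers -Path $Root | Sort-Object Kind, Path | Format-Table -AutoSize -Wrap
"== Scheduled tasks =="
Find-SuspectTasks | Format-Table -AutoSize -Wrap
```

A renamed original sitting next to a same-named copy is the pair to fix by hand (delete the copy, rename the original back); a “renamed original” with no sibling usually means a scanner already removed the copy. Do the scheduled-task cleanup before the file cleanup, otherwise the tasks will re-create wmpscfgs.exe on the next hour.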

  42. Vinz

    Hi all, I had problems with wmpscfgs on my Win7 Ultimate x64, even though I was running MBAM and AntiVir Personal 10; I found wmpscfgs.exe in IE’s directory, a loader as acrotray and a DLL (app_dll.dll) that was difficult to remove. However, I read a lot and tried different solutions, and I won against the malware by using RegAlyzer instead of the blocked regedit, SUPERAntiSpyware and Spybot Search and Destroy (and Sysinternals Process Explorer to check unwanted processes like Avira’s sched.exe, which loaded a copy of wmpscfgs.exe).
    I wrote a rule to stop wmpscfgs.exe in IE’s dir using the Local Security Policy in Administrative Tools.

    so my 2 cents:
    1.reboot in safe mode (no bad process will be launched)
    2.use sas
    3.use spybot sad
    4.reboot in safe mode
    5.use regalyzer to find wmpscfgs.exe or app_dll.dll
    you shouldn’t have any infections

  43. Max

    Few advices for those who can’t access registry:
    1. it is group policy setting – gpedit.msc -> user config -> Admin Templates -> System -> prevent access to registry editing tools -> make it disabled or not configured.
    2. Alternatively you can access registry remotely from another machine, just start remote registry service on target machine.
    3. App_dll.dll monitors registry keys responsible for accessing registry keeping it disabled. Attempts to delete App_dll.dll lead nowhere – access denied or file in use or some other bs.
    Resolution: either boot from some bootable CD (WinPE) and do it from there or use sysinternals tool MoveFile http://technet.microsoft.com/en-us/sysinternals/bb897556.aspx. – it will delete App_dll.dll on reboot.
    4. While you’re there, check the other Sysinternals tools (Autoruns, Process Monitor, etc.); every single one of them works. It is a shame that Mark sold out to M$, but that’s a whole other story.
    5. Practice safe computing!

  44. Dean

    hey, i tried your method, and i have a few probs,
    I’ve got Windows XP. I booted in safe mode and performed the first two steps, then I opened this directory
    C:\Program Files\Internet Explorer
    and found that file, but I’m unable to delete it. I get the following msg:

    Cannot delete wmpscfgs: Access is denied
    Make sure the disk is not full or write-protected and that the file is not currently in use

    and further, I am unable to access my registry editor. I’ve tried the above mentioned method, but I’m still getting the same msg…. :-(

    Please help…..

  45. dvd

    Hello,
    first thing I want to say is thank you for this article!
    It helped me get rid of the virus.
    First thing I did was to scan with antivirus (bitdefender) then spybot S&D.
    Computer was infected with other virus too.
    Then I renamed all the files that the virus replaced (a lot!) like described.
    Then I booted a live CD and removed wmpscfgs.exe, then copied notepad.exe into the folder and finally renamed notepad.exe to wmpscfgs.exe.
    On the next boot notepad launched each time I opened a program.
    I decided to fix the exe (search fixexe.reg in google).
    Then i deleted all the scheduled tasks related to the virus.
    After that the system seems to be clean, but I ran antivirus and anti-spybot again.

    Hope this will help,
    dvd

  46. Taco

    The procedure seemed to have worked fine. I had to do an extra round of removing files, as there were a lot of them. After the first round, my Norton antivirus also started helping me out. The infected files on my computer were 31KB. I also removed a js.mui file from my Internet Explorer directory, it was created the same date and 31KB. Thanks a lot.
    Taco.

  47. Jenkins

    This was one hell of a nasty trojan; never seen anything like it before.

    First of all I wanted to thank the OP and Kol W for their insight. The task scheduler thing eluded me and I’m glad I came here :)

    Second of all, the trojan didn’t originate with the wmpscfgs.exe file; I think mine originated from a file called “reader_s.exe”

    The symptoms I first noticed were unusual CPU usage. I opened Task Manager and saw more than 11 instances of iexplorer.exe, services.exe (trojan, not from MS), lsass.exe with a command line containing the worst exe in this whole bunch, “ixkubm.exe”. Another thing was it kept playing a sound file about some stocks shit, and I found a cookie in Temporary Internet Files called stocksaving.txt [1] or something similar to that.

    Also when I try to end these processes, they immediately restart and I cannot end them. Thankfully Spybot S&D picked up on them, and I was able to delete them with a full scan and reboot… However I’m still getting lots of damage even after the files have been completely removed.

    I cannot enable my firewall (says something about Group Policies) and things like AVG Watchdog are crashing constantly. There are no more entries in startup; I double-checked msconfig as well and nothing is there. I’ve gone through the registry in the locations mentioned in the article and in the comments above and found nothing (already ran CCleaner registry clean and removed those entries), and I downloaded Avast AV as well and the Avast services won’t start.

    I’ve just installed Malwarebytes Anti-Malware and I’m going to see if it catches anything the other 2 programs cannot.

    Here is a Spybot dump to illustrate the infected files.

    Win32.Agent.ieu: [SBI $AEF3B6B0] Executable (File, fixed)
    C:\Windows\services.exe
    Properties.size=0
    Properties.md5=D41D8CD98F00B204E9800998ECF8427E

    Microsoft.Windows.Explorer: [SBI $DA080EA7] User settings (Registry change, fixed)
    HKEY_USERS\S-1-5-21-3257203932-3686277470-1923465384-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions

    Microsoft.WindowsSecurityCenter.FirewallOverride: [SBI $0C94D702] Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride

    Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

    Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

    Microsoft.Windows.disableSystemRestore: [SBI $6296EC95] Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR

    Microsoft.Windows.disableSystemRestore: [SBI $6296EC95] Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR

    Microsoft.WindowsSecurityCenter.RegistryTools: [SBI $D60CD1E3] Settings (Registry change, fixed)
    HKEY_USERS\S-1-5-21-3257203932-3686277470-1923465384-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools

    DNSFlush.cws: [SBI $893785D8] Autorun settings (16934) (Registry value, fixing failed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\16934

    DNSFlush.cws: [SBI $893785D8] Program file (File, fixed)
    C:\Users\Jenkins\AppData\Local\Temp\ixkubm.exe
    Properties.size=23040
    Properties.md5=CDE62E1ECC78C12874E04292471AE3C1
    Properties.filedate=1271481920
    Properties.filedatetext=2010-04-17 15:25:19

    DNSFlush.cws: [SBI $455D41DA] User settings (Registry change, fixed)
    HKEY_USERS\S-1-5-21-3257203932-3686277470-1923465384-1000\Software\Microsoft\Internet Explorer\New Windows\PopupMgr

    DNSFlush.cws: [SBI $9C28881C] User settings (Registry change, fixed)
    HKEY_USERS\S-1-5-21-3257203932-3686277470-1923465384-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden

    DNSFlush.cws: [SBI $FB926B58] User settings (Registry change, fixed)
    HKEY_USERS\S-1-5-21-3257203932-3686277470-1923465384-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt

    DNSFlush.cws: [SBI $A1906895] User settings (Registry change, fixed)
    HKEY_USERS\S-1-5-21-3257203932-3686277470-1923465384-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden

    PWS.LDPinchIE: [SBI $32D83D62] User settings (Registry value, fixed)
    HKEY_USERS\S-1-5-21-3257203932-3686277470-1923465384-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\idstrf

    Win32.Joleee.K: [SBI $39C82568] Settings (Registry value, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\services\del

    Win32.Virut.bg: [SBI $EB4AA03C] Executable (File, fixed)
    C:\Windows\System32\reader_s.exe
    Properties.size=0
    Properties.md5=D41D8CD98F00B204E9800998ECF8427E

    Win32.Virut.bg: [SBI $57174D45] Executable (File, fixed)
    C:\Users\Jenkins\reader_s.exe
    Properties.size=0
    Properties.md5=D41D8CD98F00B204E9800998ECF8427E

    Virtumonde.sci: [SBI $EFC6E8D5] Browser helper object (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A9BA40A1-74F1-52BD-F431-00B15A2C8953}

    Virtumonde.sci: [SBI $1A3C6884] Settings (Registry value, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{A9BA40A1-74F1-52BD-F431-00B15A2C8953}

    Virtumonde.sci: [SBI $544AF722] Class ID (Registry value, fixed)
    HKEY_CLASSES_ROOT\CLSID\{A9BA40A1-74F1-52BD-F431-00B15A2C8953}\InprocServer32\=…C:\Windows\SysWow64\ue2rb.dll…

    Virtumonde.sci: [SBI $7B5D9136] Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{A9BA40A1-74F1-52BD-F431-00B15A2C8953}

    Virtumonde.sci: [SBI $69D3F216] Library (File, fixed)
    C:\Windows\SysWOW64\ue2rb.dll
    Properties.size=0
    Properties.md5=D41D8CD98F00B204E9800998ECF8427E

    Virtumonde.sdn: [SBI $CA6D3FF8] Library (File, fixed)
    C:\Windows\System32\msxsltsso.dll
    Properties.size=0
    Properties.md5=D41D8CD98F00B204E9800998ECF8427E

    Win32.Agent.ie: [SBI $28E93B4C] Executable (File, fixed)
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    Properties.size=0
    Properties.md5=D41D8CD98F00B204E9800998ECF8427E

    Now the weirdest part is that I was browsing the MediaMonkey Wiki at the time of getting this trojan, more specifically looking at the Skins page, and then my system started going bonkers.

    Thanks again for the help, and I hope I don't have to format to fully get rid of this pesky bugger :|

    -Jenkins
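
An added example, not from Jenkins or any other commenter: the Spybot report above is a list of registry locations the malware changed to blind the system (Security Center off, firewall warning suppressed, System Restore disabled by policy, regedit and Folder Options blocked, hidden files and extensions hidden) plus a Browser Helper Object pointing at a DLL in SysWOW64. The PowerShell below re-reads exactly those locations so you can confirm a cleanup held after a reboot, and lists every registered BHO with the DLL it loads. The "clean" values are the Windows defaults as I know them and are marked as assumptions in the code; compare them with a known-good machine of the same Windows version before acting on a mismatch.

```powershell
# Added example, not from Jenkins' post or any other comment. Re-reads the registry
# locations named in the Spybot report above and reports those that still look
# tampered with. The "clean" values are assumptions (Windows defaults as documented
# inline); confirm them against a known-good machine of the same Windows version.
# Run from an elevated PowerShell prompt; written for PowerShell 2.0 (Windows 7).

# HKCU: is the logged-on user's hive. The HKEY_USERS\S-1-5-21-...-1000 path in the
# report is the same hive addressed by SID.
$script:Checks = @(
    # Kind 'Default': what a clean install carries; $null means "value absent" is clean.
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc';             Name='Start';                Kind='Default'; Clean=@(2);       Note='Security Center service; 3 = manual, 4 = disabled' }
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center';                   Name='FirewallOverride';     Kind='Default'; Clean=@($null,0); Note='1 suppresses the firewall-off warning' }
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'; Name='DisableSR';            Kind='Default'; Clean=@($null,0); Note='1 switches System Restore off by policy' }
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableRegistryTools'; Kind='Default'; Clean=@($null,0); Note='1 blocks regedit' }
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoFolderOptions';      Kind='Default'; Clean=@($null,0); Note='1 removes Folder Options from Explorer' }
    # Kind 'Cleanup': ordinary Explorer preferences the malware pushes toward hiding its
    # files. Clean here is the setting you want while hunting, not the Windows default.
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='Hidden';      Kind='Cleanup'; Clean=@(1); Note='1 shows hidden files, 2 hides them' }
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='HideFileExt'; Kind='Cleanup'; Clean=@(0); Note='1 hides extensions, so "name .exe" lookalikes blend in' }
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='SuperHidden'; Kind='Cleanup'; Clean=@(1); Note='0 hides protected operating system files' }
)

# Returns the value, or $null when the key or the value does not exist.
function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-RegistryTamper {
    foreach ($c in $script:Checks) {
        $value = Get-RegValue $c.Path $c.Name
        $ok = $false
        foreach ($clean in $c.Clean) {
            if (($clean -eq $null -and $value -eq $null) -or ($clean -ne $null -and "$value" -eq "$clean")) { $ok = $true }
        }
        if ($value -eq $null) { $shown = '<absent>' } else { $shown = $value }
        if ($ok) { $status = 'ok' }
        elseif ($c.Kind -eq 'Cleanup') { $status = 'change before hunting' }
        else { $status = 'TAMPERED?' }
        New-Object PSObject -Property @{ Key="$($c.Path)\$($c.Name)"; Current=$shown; Status=$status; Note=$c.Note }
    }
}

# Lists Browser Helper Objects the way the report's Virtumonde entries were found:
# CLSID under Explorer\Browser Helper Objects -> CLSID\InprocServer32 default value -> DLL.
function Get-BrowserHelperObjects {
    $bhoKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects')
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $bhoKey)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
            $clsid = $sub.PSChildName
            $dll = $null
            # 32-bit IE on x64 Windows registers its classes under Wow6432Node\CLSID.
            foreach ($clsRoot in @('Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')) {
                if ($dll -eq $null) { $dll = Get-RegValue "$clsRoot\$clsid\InprocServer32" '(default)' }
            }
            $size = $null
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                if (Test-Path -LiteralPath $dll) { $size = (Get-Item -LiteralPath $dll).Length }
            }
            New-Object PSObject -Property @{ Source=$bhoKey; CLSID=$clsid; Dll=$dll; SizeBytes=$size; OnDisk=($size -ne $null) }
        }
    }
}

Test-RegistryTamper      | Format-Table Status, Key, Current, Note -AutoSize -Wrap
Get-BrowserHelperObjects | Format-Table CLSID, Dll, SizeBytes, OnDisk -AutoSize -Wrap
```

Run it once before the cleanup and once after the reboot that usually brings the infection back: a value that flips from "ok" back to "TAMPERED?" tells you a persistence mechanism survived even if the files themselves were deleted. A BHO whose DLL is missing from disk (OnDisk False) is a dead registration left over from a scan and can be removed; one whose DLL is present in SysWOW64 under a random name is the thing to look at next.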

  48. The.Hanyeé

    This nasty little bugger infected my computer this weekend and I spent the better part of the weekend sorting it out.

    Thanks for all the guidance, tips, steps provided here especially by Kan. They were really helpful in fighting off this Trojan.

    Some additional notes from my experience:
    – Disconnect from the internet immediately.
    – I ran Malware and my updated McAfee antivirus program. They detected the trojan & deleted the files. Upon restarting, the trojans were back as though they had not been removed.

    – In addition to the wmpscfgs.exe virus (which was in my c:\program files\Internet Explorer folder), I also found another file – wwwman32.exe – in my startup menu folder (in my case C:\Documents and Settings\xxxxx\Start Menu\Programs\Startup). You have to delete these files manually.

    – I went through the list of all Run apps in the registry as detailed by Kan above. I also ran msconfig (Start > Run > msconfig) and went to the Startup tab. I went to the folder of each of the items on both these lists (most of them are the same items).

    – In the folders where these exe files are, the trojan names itself after the exe file and renames the original exe file with a space just before the “.exe”. The trojan files can easily be identified as they have an icon that looks like a striped red love heart. I closed the running processes using Task Manager, manually deleted the trojan, and restored the authentic file name by removing the said space.

    – In my case, the trojan files were all approx. 30.5KB. Run a search for all files with the same size as the wmpscfgs.exe file. The trojan files are easily identifiable via the striped red love heart icon.

    – Clear the cache, history etc on your browser(s) – you can use CCleaner to do this. Even after cleaning out the infected files, once I reconnected to the web, windows to random, dodgy-looking websites kept popping up once in a while.

    I am still running random checks once in a bit to ensure I got the infection out completely. Hope that the tips above are helpful.

    Cheers!

  49. Matt

    Thanks to everyone above for your help on this. I had a horrible time with this virus for a number of hours. The information above helped me to finally get rid of the little devil.

    I might be repeating other advice, but I just thought it might be worth mentioning that the repetitive nature of the virus (i.e. it kept coming back on reboots) turned out to be a SYSTEM STARTUP issue as much as anything else. Going into msconfig and checking my startup items, I finally found that the virus had attached itself to (in my case) YouSendIt. It was only after I checked off all YouSendIt startup items that I finally managed to break the cycle. After I did this I no longer got the virus reappearing in the Internet Explorer folder of my Program Files.

    Perhaps I should have sniffed this out earlier, because an error message regarding YouSendIt was one of the first signs of something wrong with my computer.

    I should also add that I’d followed many of the steps listed above and removed several (potentially infected) programs from my system before I finally kicked the virus with the startup menu revelation.

    Thanks again everyone.

  50. Jolle

    Thanks again for all the help. I'm still trying to kill it off on a friend's computer, but at least I have enough options to find the last copy of this sucker. If you forget one, you can start all over again.

    As to where it comes from: I caught the bastard from WTSO.net. Quite a few of the videos there are infected with this and a couple of other viruses. At least, they get downloaded whenever I watch specific videos. The fullscreen mode suddenly disappears, and appdata\local\temp is filled with crap. I don't know whether it is contained in the videos themselves or if it is coming from some ads on the page, but it always happens with the same videos.

  51. Jeff

    Wow, thanks to all! In my case I was infected with virtumonde (vundo) and Unruy.c also. I was able to get rid of most issues using steps from here: http://forums.majorgeeks.com/showthread.php?t=35407
    I believe that MBAS and Combofix helped with virtumonde, and a Java update helped with unruy.c. However, I would not have been able to finish it off without these posts. I suggest that anyone having this problem read through all of the replies to this post before starting. The scheduled events every hour of every day are particularly evil. Well, at least I’m more familiar with regedit now…
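
An added example, not from The.Hanyeé, Matt, Jeff or any other commenter: the three comments above describe the same hunt done by hand (walk every Run key and msconfig startup item, open the folder each one points at, look for the renamed original with a space before ".exe", compare file sizes against a known copy, and check the scheduled tasks that re-launch the dropper every hour). The PowerShell below automates that enumeration and flags the tells they describe. The Temp-folder and numeric-value-name heuristics come from Jenkins' Spybot report above; everything else (the 1 KB size tolerance, the use of schtasks.exe, treating "COM handler" tasks as not resolvable) is my assumption and is marked as such in the comments. It only reports; it deletes nothing.

```powershell
# Added example, not from any comment above. Enumerates the autostart entries the
# posters checked by hand (Run/RunOnce keys, the Startup folders, scheduled tasks),
# resolves each to the file it launches and flags the tells described in the thread:
# a sibling "name .exe" (the renamed original), a target in a Temp folder, a numeric
# Run value name like the "16934" entry in the Spybot report, a size within 1 KB of a
# known bad sample (tolerance is an assumption), and a task that repeats hourly.
# Nothing here deletes anything.
# Run from an elevated PowerShell prompt; written for PowerShell 2.0 (Windows 7).

# Pull the executable out of a command line; anything after it is arguments.
# Launchers such as "rundll32 foo.dll,Entry" or "cmd /c ..." resolve to the launcher.
function Get-ExePath([string]$CommandLine) {
    if (-not $CommandLine) { return $null }
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { $path = $cmd.Substring(1, $end - 1) } else { $path = $cmd.Trim('"') }
    } elseif ($cmd -match '^(?<p>.+?\.(exe|com|scr|dll|bat|cmd|vbs|js|lnk))(\s|$)') {
        $path = $Matches['p']          # unquoted path that may itself contain spaces
    } else {
        $path = ($cmd -split '\s+')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($path)
}

# One record per autostart entry: Source, Name, Command, Schedule (tasks only).
function Get-AutostartEntries {
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # PSPath, PSChildName etc. are provider metadata
            New-Object PSObject -Property @{ Source=$key; Name=$p.Name; Command=[string]$p.Value; Schedule=$null }
        }
    }
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($f in (Get-ChildItem -LiteralPath $folder -Force | Where-Object { -not $_.PSIsContainer })) {
            New-Object PSObject -Property @{ Source=$folder; Name=$f.Name; Command=$f.FullName; Schedule=$null }
        }
    }
    # schtasks.exe rather than Get-ScheduledTask so this also runs on Windows 7 / XP.
    $lines = @(schtasks.exe /query /fo CSV /v 2>$null | Where-Object { $_ })
    if ($lines.Count -gt 1) {
        $header = $lines[0]               # schtasks may repeat the header for every task folder
        $rows = @($header) + @($lines | Where-Object { $_ -ne $header })
        foreach ($t in ($rows | ConvertFrom-Csv)) {
            if ((-not $t.'Task To Run') -or ($t.'Task To Run' -eq 'COM handler')) { continue }
            New-Object PSObject -Property @{ Source='schtasks'; Name=$t.TaskName; Command=$t.'Task To Run';
                                             Schedule="$($t.'Schedule Type') / every $($t.'Repeat: Every')" }
        }
    }
}

# $ReferenceSize: Length in bytes of a file you already know is the trojan, e.g.
# (Get-Item 'C:\Program Files\Internet Explorer\wmpscfgs.exe').Length; 0 disables the check.
function Find-SuspiciousAutostarts([int]$ReferenceSize = 0) {
    $shell = New-Object -ComObject WScript.Shell
    foreach ($e in Get-AutostartEntries) {
        $reasons = @()
        if ($e.Name -match '^\d+$') { $reasons += 'numeric value name' }
        $target = Get-ExePath $e.Command
        if ($target -and $target -like '*.lnk' -and (Test-Path -LiteralPath $target)) {
            $target = $shell.CreateShortcut($target).TargetPath     # follow Startup-folder shortcuts
        }
        if ($target) {
            if ($target -match '\\Temp\\') { $reasons += 'runs from a Temp folder' }
            if (-not (Test-Path -LiteralPath $target)) {
                $reasons += 'target missing (already removed, or path not resolvable)'
            } else {
                $file = Get-Item -LiteralPath $target
                # The trojan keeps the real program's name; the real file becomes "name .exe".
                $renamed = Join-Path $file.DirectoryName ($file.BaseName + ' ' + $file.Extension)
                if (Test-Path -LiteralPath $renamed) { $reasons += "renamed original beside it: $renamed" }
                if ($ReferenceSize -gt 0 -and [Math]::Abs($file.Length - $ReferenceSize) -le 1024) {
                    $reasons += "size $($file.Length) bytes matches the sample"
                }
            }
        }
        if ($e.Schedule -and $e.Schedule -match 'Hour') { $reasons += "repeats: $($e.Schedule)" }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{ Source=$e.Source; Name=$e.Name; Target=$target; Reasons=($reasons -join '; ') }
        }
    }
}

Find-SuspiciousAutostarts -ReferenceSize 0 | Format-Table Source, Name, Target, Reasons -AutoSize -Wrap
```

Pass the byte length of the copy of wmpscfgs.exe you found as -ReferenceSize to get the same-size search The.Hanyeé did by hand, across every autostart target at once rather than across the whole disk. An entry whose "renamed original" is reported is the YouSendIt-style hijack Matt describes: delete the file carrying the real name, then drop the space from the original. Re-run after the reboot; an hourly task or a Run value that comes back is the launcher you have not found yet.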

  52. Axel

    One of my clients had this virus (I'm a web designer, but not a computer technician), and I did all these steps, BUT NOT in safe mode. I got the virus removed, but after that the whole computer was inoperable. It became so slow it was impossible to work with.

    The strange thing is that it is operable in safe mode now.

    I did some virus scans and CCleaning.

    What can I do to save my client's computer?

    Best regards, Axel.

  53. Verbalist

    I was fighting for 3 weeks with pop-ups warning me that a Web page was going to be shut down and urging me to stay on the page. The page was:

    ad.seeknet2.com/goad/?aff.id+19026

    Tried various antivirus and antispyware programs, free and commercial, but nothing worked. Finally I found your site and a solution. Except nothing worked in my case. There was no file wmpscfgs.exe anywhere. But I found a suspected file named wmiprvse.exe and some other extension. Found the date created in the Properties and it looked as if it was created right at the time of infection. Additionally, it was not certified by Microsoft, as opposed to the small program of the same name and extension. This file was approximately 30Kb, and after removing it while in “Safe” mode and rebooting, the pop-ups disappeared. Hope this will help someone.
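
An added example, not from Verbalist or any other commenter: two of the observations in this thread generalise into checks worth scripting. Jenkins saw services.exe and lsass.exe that were not Microsoft's, and Verbalist found a file named after wmiprvse.exe, created at the time of infection, without a Microsoft signature. The PowerShell below first lists running processes that carry one of those Windows names but run from a folder where Windows never installs them (or whose command line reaches into a Temp folder), then searches for recently created files that borrow such a name and reports their Authenticode status. The name list and the "home" directories are my assumptions for a Windows 7 layout, marked in the code. One caveat a practitioner needs: many genuine Windows binaries are catalog-signed rather than carrying an embedded signature, and older PowerShell versions report those as NotSigned, so a NotSigned file sitting in its proper System32 location is not on its own evidence of anything; confirm it with sfc /verifyfile before deleting.

```powershell
# Added example, not from Verbalist's post or any other comment. Two checks built on
# what Jenkins and Verbalist noticed: a running process with a Windows name (services,
# lsass, wmiprvse ...) whose image does not live where Windows keeps it, and a recently
# created file named after such a process that Microsoft did not sign. The name list and
# home directories are assumptions for the Windows 7 layout; extend them as needed.
# Run from an elevated PowerShell prompt; written for PowerShell 2.0 (Windows 7).

$windir = $env:SystemRoot
# Core process names seen in this thread plus a few more, each with the only folders
# the real binary is installed in (32-bit copies on x64 live under SysWOW64).
$script:KnownHomes = @{
    'services.exe' = @("$windir\System32")
    'lsass.exe'    = @("$windir\System32")
    'svchost.exe'  = @("$windir\System32", "$windir\SysWOW64")
    'wmiprvse.exe' = @("$windir\System32\wbem", "$windir\SysWOW64\wbem")
    'explorer.exe' = @($windir)
    'iexplore.exe' = @("$env:ProgramFiles\Internet Explorer", "${env:ProgramFiles(x86)}\Internet Explorer")
}

# Running processes that borrow a Windows name but run from somewhere else, plus
# anything whose command line reaches into a Temp folder (Jenkins' lsass.exe / ixkubm.exe).
function Find-ProcessLookalikes {
    foreach ($p in Get-WmiObject -Class Win32_Process) {
        $name = $p.Name.ToLower()
        if (-not $script:KnownHomes.ContainsKey($name)) { continue }
        $path = $p.ExecutablePath
        if (-not $path) { continue }        # blank for protected processes when not elevated
        $dir = [IO.Path]::GetDirectoryName($path)
        $atHome = $false
        foreach ($h in $script:KnownHomes[$name]) { if ($h -ieq $dir) { $atHome = $true } }
        $fromTemp = $p.CommandLine -match '\\Temp\\'
        if (-not $atHome -or $fromTemp) {
            New-Object PSObject -Property @{ Pid=$p.ProcessId; Name=$p.Name; Path=$path; CommandLine=$p.CommandLine; AtHome=$atHome }
        }
    }
}

# Files created since $Since whose name starts with one of the core names (any
# extension, so "wmiprvse.exe.something" and "wmiprvse .exe" both match), with their
# Authenticode status. Many Windows binaries are catalog-signed rather than carrying
# an embedded signature, and older PowerShell versions report those as NotSigned, so
# confirm a System32 file with  sfc /verifyfile=<path>  before deleting it.
# Recursing through the Windows folder takes a few minutes.
function Find-LookalikeFiles([datetime]$Since, [string[]]$Roots = @($env:SystemRoot, $env:USERPROFILE, $env:ProgramFiles)) {
    $names = @($script:KnownHomes.Keys | ForEach-Object { [regex]::Escape($_.Substring(0, $_.Length - 4)) })
    $pattern = '^(' + ($names -join '|') + ')\b'
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -match $pattern -and $_.CreationTime -ge $Since } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = ''
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                # Status Valid means the chain ends at a trusted root; the subject text alone proves nothing.
                $msSigned = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
                $homes = $script:KnownHomes[$_.Name.ToLower()]
                New-Object PSObject -Property @{
                    Path=$_.FullName; SizeBytes=$_.Length; Created=$_.CreationTime
                    Signature=$sig.Status; Signer=$signer; MicrosoftSigned=$msSigned
                    InKnownHome=(($homes -ne $null) -and ($homes -contains $_.DirectoryName))
                }
            }
    }
}

Find-ProcessLookalikes | Format-Table Pid, Name, AtHome, Path, CommandLine -AutoSize -Wrap
Find-LookalikeFiles -Since (Get-Date).AddDays(-7) | Sort-Object Created |
    Format-Table Created, SizeBytes, Signature, MicrosoftSigned, InKnownHome, Path -AutoSize -Wrap
```

Set -Since to the day the pop-ups started. A hit with InKnownHome False, MicrosoftSigned False and a creation time inside that window is the file Verbalist describes; note its path and size, kill the matching process from the first table, and only then delete it from safe mode, otherwise the watchdog process will recreate it as several commenters above found.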
