How-To Geek reader Kan wrote in with a full guide to getting rid of the nasty wmpscfgs.exe virus, and we figured we should just share it with everybody, just in case anybody else comes across the same problem in the future.
Note that this is a specific guide to getting rid of a specific virus, and was tested by a specific reader. We’ve not tested these steps personally.
Symptoms of the wmpscfgs.exe Virus
- If you have Malwarebytes or Superantispyware software, these guys will detect it on every scan and will try to remove this virus. But the virus will just come back after a reboot. Even a safe mode boot (with or without network) will not work.
- A warning about IE not being your default browser will always popup without even clicking or opening up IE. I would not advise to click either yes or no on it. Just move the window in one of your monitor corners and see solution below.
- Windows UAC will misbehave and will keep on prompting whether you want to execute a previously executed startup program. This is gave the virus away for me hence i start scanning and investigating. If you try to allow one, UAC will be disabled. Strangely enough, if you enabled it, windows doesn’t prompt you to reboot which is also a giveaway that something is wrong! As changing the UAC settings will definitely ask for a reboot.
- Microsoft Security Essentials will detect that your startup programs (virus software, anti spyware/malware software, etc are viruses) and flag it as a virus. Another giveaway that something is awfully wrong!
If you have the above symptoms, you pretty much have the virus I had yesterday. Here is what you can do to get rid of it. Don’t bother about scanning as scanners cant fully fix your problem and will end up corrupting your applications.
- Boot in safe mode. The reason for this is that in safe mode there is not much processes running. You need this setup in step 9 below as this virus is a nasty one.
- Open up windows explorer and go to Tools -> Folder options .
a. Make sure the following are TICKED -> Show hidden files and folders
b. Make sure the following are UNticked -> Hide Extensions for known file types
- Go to the following directories (this is for vista home premium):
C:\Program Files\Internet Explorer
And you will see there a file called wmpscfgs.exe. Delete them.
- Open up your task manager, make sure the ‘show all processes’ is ticked and look for the same process. If it is running. Kill it.
Starting this part, steps needs more technical experience. If you are not comfortable in doing the below steps, look for someone that can help you.
- Open up regedit and go to: HKLM->Software -> Microsoft -> Windows -> CurrentVersion –> Run
- Look for Adobe_reader entry with data: “%ProgramFiles%\Internet Explorer\wmpscfgs.exe“. Delete it. For me from this point almost all of the things written in the NET currently don’t have the steps below. And its the reason why this virus keeps coming back.
- Hopefully you dont have much applications under “HKLM->Software -> Microsoft -> Windows -> CurrentVersion -> Run”. Because you have to visit each one of them literally because this virus hijacks almost every application in the RUN list above.
- Basically it renames the old exe file from say “mcagent.exe” to “mcagent .exe”. With a space between the filename and the “.exe” or extension. It will then create a copy of itself with the same filename as your executable file so that when someone executes your file, the virus will be executed first then your file. It will do this for every apps you have in your Run list.
Thus if you go to the location of say of McAfee mcagent.exe application you will see two to three files with almost the same filename:
- mcagent.exe -> which is a 39 KB file, and very recently created and which is the virus that keeps adding back that wmpscfgs.exe file.
- mcagent .exe -> the original mcagent file, renamed.
- mcagent.exe.delme<some random number> -> delete this one as well. I don’t see this occurring every time, but i have seen some apps with this file in them and very recently created.
- You first need to kill the corresponding process of the infected file if they are running in task manager, manually remove the existing .exe file which is around 39KB only and rename back your old executable file to its former filename. Repeat this for every application you have in your Run list above. The only thing that i saw this virus didn’t infect was the windows defender application. The rest in my Run list were screwed. Uninstalling and reinstalling them doesn’t help as well as the former Trojan exe file will be retained in the application directory.
This is the reason why Microsoft Security Essentials was complaining that your startup executable files are viruses.
- Once you have verified that each application in your run list has been restored. To be fully sure that you don’t have any such files lingering in your system, do a drive search for any file that has 39KB size and has just been recently created and examine each one carefully if they are just copies of your original executable file. Follow step 7 for each occurrence of it. So far, i only saw this virus attach itself into executable files.
- If you want to be 100% sure, next thing you need to do is double check every process running in your task manager if they are legit. Some process specially those started by system wont be able to take you to its process file, its ok, but most of them if you do a right click in them, you should see an option there called “Open File Location”. Then follow steps 7 above.
- Reboot and that’s it!
Thanks to reader Kan for writing in with this guide, and hopefully it helps somebody else!
Programmer by day, geek by night, The Geek, also known as Lowell Heddings, spends all his free time bringing you fresh geekery on a daily basis. You can follow him on Google+ if you'd like.
- Published 01/31/10