
Remove wmpscfgs.exe Virus - Reader's Guide

January 31, 2010
Dealing with the wmpscfgs.exe Virus: A Comprehensive Guide

A How-To Geek reader, Kan, submitted a detailed procedure for eliminating the troublesome wmpscfgs.exe virus. We are sharing this information to assist anyone who may encounter the same issue. Please be aware that this is a reader-tested solution for a specific virus, and we have not independently verified all steps.

Symptoms of the wmpscfgs.exe Virus

  • Malwarebytes or Superantispyware may consistently detect the virus during scans and attempt removal, but it will reappear after a system restart. Safe mode boots, with or without networking, prove ineffective.
  • A persistent warning regarding Internet Explorer not being the default browser will surface, even without initiating or opening the browser. It is recommended to avoid clicking 'yes' or 'no' on this prompt.
  • Windows User Account Control (UAC) may function erratically, repeatedly requesting permission to execute previously authorized startup programs. This behavior can indicate a problem. Allowing an execution may disable UAC, while enabling it may not trigger the expected reboot prompt.
  • Microsoft Security Essentials might incorrectly identify legitimate startup programs (antivirus, anti-spyware, etc.) as viruses.

If you are experiencing these symptoms, it is likely you are infected with the virus described. Standard scanning procedures are often insufficient and can lead to application corruption.

Removal Steps

  • Begin by booting your computer into safe mode. This minimizes running processes, which is crucial for the following steps.
  • Open Windows Explorer and navigate to Tools, then Folder Options.
    • Ensure "Show hidden files and folders" is checked.
    • Ensure "Hide extensions for known file types" is unchecked.
  • Locate and delete the wmpscfgs.exe file from the following directories (for Vista Home Premium):
    • C:\Program Files\Internet Explorer
    • C:\Users\user\AppData\Local\Temp
  • Open Task Manager, enable "Show all processes," and terminate any running instances of wmpscfgs.exe.

The following steps require a higher level of technical proficiency. If you are uncomfortable performing these actions, seek assistance from a qualified individual.

  • Open the Registry Editor (regedit) and navigate to: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Look for an entry named "Adobe_reader" with the data value: "%ProgramFiles%\Internet Explorer\wmpscfgs.exe". Delete this entry.
  • Examine all entries within "HKLM\Software\Microsoft\Windows\CurrentVersion\Run". This virus often hijacks multiple applications listed in the Run list.
  • The virus typically renames original executable files, adding a space after the filename before the extension (e.g., "mcagent .exe"). It then creates a copy of itself with the original filename.
  • When an infected application is executed, the virus runs first, followed by the legitimate program. You may find multiple files with similar names in the application's directory, such as:
    • mcagent.exe – A recently created file, approximately 39 KB in size, representing the virus.
    • mcagent .exe – The original executable file, renamed.
    • mcagent.exe.delme – Delete this file if present.

To resolve this, terminate any running processes associated with the infected file, remove the 39 KB virus file, and rename the original executable back to its original filename. Repeat this process for each application in your Run list.

Microsoft Security Essentials may flag these restored startup executables as viruses because of the previous infection. Uninstalling and reinstalling the applications will not resolve the issue, as the Trojan executable will remain in the application directory.

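After restoring the Run list entries, search the drive for any recently created files with a size of 39 KB. Carefully examine each file to determine whether it is a copy of an original executable. For each instance found, apply the fix described above: terminate the process, remove the 39 KB virus file, and rename the original executable back to its original filename.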
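The file pattern described above (a small copy under the original name, sitting beside the original renamed with a space before the extension) can also be searched for directly instead of by size alone. The following read-only scanner is an added example, not part of the reader's procedure; the `SLACK` tolerance and the directory and file names in the constructed demo tree are assumptions. It also reports the case where a scanner has already removed the copy but the original is still renamed.

```python
import os
import tempfile

VIRUS_SIZE = 39 * 1024  # the page gives "approximately 39 KB"
SLACK = 4 * 1024        # assumed tolerance, not from the page

def find_hijacked(root):
    """Report each 'name .exe' (renamed original) with its sibling files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}  # Windows names are case-insensitive
        for lower, actual in sorted(by_lower.items()):
            stem, ext = os.path.splitext(lower)
            if ext != ".exe" or not stem.endswith(" "):
                continue  # not the "space before the extension" pattern
            plain = stem.rstrip(" ") + ext  # e.g. "mcagent.exe"
            impostor = by_lower.get(plain)
            size = os.path.getsize(os.path.join(dirpath, impostor)) if impostor else None
            findings.append({
                "dir": os.path.relpath(dirpath, root),
                "original": actual,
                "impostor": impostor,  # None: copy already removed, original still renamed
                "size_matches": size is not None and abs(size - VIRUS_SIZE) <= SLACK,
                "delme": by_lower.get(plain + ".delme"),
            })
    return findings

def demo():
    """Scan a constructed tree of filler files modelled on the page's mcagent example."""
    sample = {
        "VendorApp/mcagent.exe": 39 * 1024,    # stands in for the virus copy
        "VendorApp/mcagent .exe": 200 * 1024,  # stands in for the renamed original
        "VendorApp/mcagent.exe.delme": 10,
        "Updater/updater .exe": 90 * 1024,     # copy already removed, rename remains
        "Clean/notepad.exe": 39 * 1024,        # right size but no renamed sibling
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, size in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"\0" * size)  # harmless filler bytes
        return find_hijacked(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To check a real system, call `find_hijacked` on a directory such as the Program Files folder; it only lists candidates and changes nothing on disk.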

Double-check all processes running in Task Manager to ensure their legitimacy. Right-clicking a process should reveal an "Open File Location" option, allowing you to verify its source and, if necessary, apply the fix described above (remove the virus copy and rename the original executable back).

Reboot your system. The virus should now be eliminated.

Conclusion

We extend our gratitude to reader Kan for providing this detailed guide. It is hoped that this information will be beneficial to others facing the same viral threat.
