If you’re experiencing problems with your computer, one of the first things you should do is to check for and remove any viruses. Unfortunately, there are a number of viruses that can affect your computer without you even knowing it. One of these viruses is the wmpscfgs.exe virus. The wmpscfgs.exe virus is a small program that hijacks your browser and sends all of your online traffic to a malicious website. This can lead to identity theft, financial ruin, and more. If you think that you may have the wmpscfgs.exe virus on your computer, here are some steps that you can take to remove it:

  1. Start your computer in Safe Mode by pressing F8 when starting up your computer or by selecting “Safe Mode with Networking” from the Windows start menu.
  2. Remove any programs that might be causing problems, such as antivirus software or adware programs.
  3. Check for and remove any hidden files and folders by using search tools like Windows Explorer or File Explorer on Mac OS X systems. These files might contain the wmpscfgs.exe virus if they have been infected with it.
  4. Use an anti-virus program to scan your system for any signs of infection and remove any detected threats.

Note that this is a specific guide to getting rid of a specific virus, and was tested by a specific reader. We’ve not tested these steps personally.

Symptoms of the wmpscfgs.exe Virus

If you have Malwarebytes or Superantispyware software, these guys will detect it on every scan and will try to remove this virus. But the virus will just come back after a reboot. Even a safe mode boot (with or without network) will not work.

A warning about IE not being your default browser will always pop up without even clicking or opening up IE. I would not advise clicking either yes or no on it. Just move the window to one of your monitor corners and see the solution below.

Windows UAC will misbehave and will keep on prompting whether you want to execute a previously executed startup program. This is what gave the virus away for me, hence I started scanning and investigating.

If you try to allow one, UAC will be disabled. Strangely enough, if you enable it, Windows doesn’t prompt you to reboot, which is also a giveaway that something is wrong, as changing the UAC settings will definitely ask for a reboot.

Microsoft Security Essentials will detect your startup programs (virus software, anti-spyware/malware software, etc.) as viruses and flag them. Another giveaway that something is awfully wrong!

If you have the above symptoms, you pretty much have the virus I had yesterday. Here is what you can do to get rid of it. Don’t bother about scanning, as scanners can’t fully fix your problem and will end up corrupting your applications.

Boot in safe mode. The reason for this is that in safe mode there are not many processes running. You need this setup in step 9 below, as this virus is a nasty one.

Open up Windows Explorer and go to Tools -> Folder Options.
    a. Make sure the following is TICKED -> Show hidden files and folders
    b. Make sure the following is UNticked -> Hide extensions for known file types

Go to the following directories (this is for Vista Home Premium):
    C:\Program Files\Internet Explorer
    C:\Users\user\AppData\Local\Temp
And you will see there a file called wmpscfgs.exe. Delete them.

Open up your Task Manager, make sure ‘show all processes’ is ticked and look for the same process. If it is running, kill it.

Starting from this part, the steps need more technical experience. If you are not comfortable doing the steps below, look for someone who can help you.

Open up regedit and go to: HKLM -> Software -> Microsoft -> Windows -> CurrentVersion -> Run

Look for the Adobe_reader entry with data: “%ProgramFiles%\Internet Explorer\wmpscfgs.exe”. Delete it.

For me, from this point, almost all of the things written on the net currently don’t have the steps below, and it’s the reason why this virus keeps coming back.

Hopefully you don’t have many applications under “HKLM -> Software -> Microsoft -> Windows -> CurrentVersion -> Run”, because you have to visit each one of them, literally, because this virus hijacks almost every application in the Run list above. Basically it renames the old exe file from, say, “mcagent.exe” to “mcagent .exe”, with a space between the filename and the “.exe” extension. It will then create a copy of itself with the same filename as your executable file, so that when someone executes your file, the virus will be executed first, then your file. It will do this for every app you have in your Run list. Thus if you go to the location of, say, the McAfee mcagent.exe application, you will see two to three files with almost the same filename:

    mcagent.exe          -> a 39 KB file, very recently created, which is the virus that keeps adding back that wmpscfgs.exe file.
    mcagent .exe         -> the original mcagent file, renamed.
    mcagent.exe.delme    -> delete this one as well. I don’t see this occurring every time, but I have seen some apps with this file in them, very recently created.

You first need to kill the corresponding process of the infected file if it is running in Task Manager, manually remove the existing .exe file, which is around 39 KB only, and rename your old executable file back to its former filename. Repeat this for every application you have in your Run list above. The only thing that I saw this virus didn’t infect was the Windows Defender application. The rest in my Run list were screwed.
Uninstalling and reinstalling them doesn’t help either, as the former Trojan exe file will be retained in the application directory. This is the reason why Microsoft Security Essentials was complaining that your startup executable files are viruses.

Once you have verified that each application in your Run list has been restored, to be fully sure that you don’t have any such files lingering in your system, do a drive search for any file that has a 39 KB size and has just been recently created, and examine each one carefully to see if they are just copies of your original executable file. Follow step 7 for each occurrence of it. So far, I only saw this virus attach itself to executable files.

If you want to be 100% sure, the next thing you need to do is double-check every process running in your Task Manager to see if they are legit. Some processes, especially those started by the system, won’t be able to take you to their process file; that’s OK, but for most of them, if you right-click on them, you should see an option there called “Open File Location”. Then follow step 7 above.

Reboot and that’s it!

Thanks to reader Kan for writing in with this guide, and hopefully it helps somebody else!
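
The manual hunt for renamed executables described in the guide can be turned into a read-only report. The following is an added example, not part of Kan's guide: the function names, the size tolerance and the 30-day "recent" window are assumptions, and the sample tree is constructed. It walks a directory, finds every "name .exe" (space before the extension) that sits beside a "name.exe", and reports the size, age and any ".delme" leftover so each hit can be examined by hand.

```python
import os
import tempfile
import time

SUSPECT_SIZE = 39 * 1024   # the guide reports the dropped copy as about 39 KB
TOLERANCE = 4 * 1024       # assumption: accept a few KB either side
RECENT_SECS = 30 * 86400   # assumption: "recently created" = last 30 days

def find_hijacked(root, now=None):
    """Report each 'name.exe' that sits beside a 'name .exe' twin. Read-only."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe" or not stem.endswith(" "):
                continue  # only 'name .exe' marks a pushed-aside original
            suspect = by_lower.get(stem.rstrip(" ").lower() + ".exe")
            if suspect is None:
                continue
            st = os.stat(os.path.join(dirpath, suspect))
            # Creation time where the platform exposes it, else st_ctime.
            created = getattr(st, "st_birthtime", st.st_ctime)
            findings.append({
                "dir": dirpath,
                "suspect": suspect,        # file now holding the original name
                "renamed_original": name,  # original, renamed with a space
                "size": st.st_size,
                "size_matches": abs(st.st_size - SUSPECT_SIZE) <= TOLERANCE,
                "recent": now - created <= RECENT_SECS,
                "delme_present": suspect.lower() + ".delme" in by_lower,
            })
    return findings

def build_sample(root):
    """Constructed sample tree mirroring the mcagent example in the guide."""
    sample = [("McAfee", "mcagent.exe", 39 * 1024),
              ("McAfee", "mcagent .exe", 200_000),
              ("McAfee", "mcagent.exe.delme", 10),
              ("Clean", "notepad.exe", 150_000)]
    for folder, fname, size in sample:
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, fname), "wb") as fh:
            fh.write(b"\0" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in find_hijacked(tmp):
            print(finding)
```

The script only reports and never deletes or renames anything; a legitimate program can also ship a file with a space before its extension, so each finding still needs the manual check the guide describes.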