This virus wmpscfgs.exe will drive you crazy... Skip the craziness and use your back up image...
What it is and how it works.
I downloaded a program a couple of weeks ago to test and evaluate for this
Well the program was cripple ware and not worth the money the publisher wanted me to pay for it. I might do an article on it at some future date.
What I got in addition to the program was one of the worst virus I have ever came across.
Although the program package was infected with the virus if you DON'T read the pdf document in the package you will not get the virus because the virus in in the Adobe Reader that comes with the package. The virus is activated by reading the pdf. Very devious.
What makes this virus so bad is the persistence that it has in replicating itself and the devious way it hides.
The name of the virus is wmpscfgs.exe, and the only program that I use (of the top ten AV programs) that found it was Trojan Remover by
Simply Super Software
Unfortunately it could not clean out all the infections as you will see later on
in this article.
What it does:
- It replicates it self by renaming a running program then names itself as the executable. It uses programs in the registry that are in the Run keys for the System and the User.
- It uses either Windows Internet Explorer or Firefox browser to contact it's home base.
- It sets up a schedule task to open the browser in the background to transmit the data it has stolen.
- You will find it in your temp directories and in the browser directory.
- You will also find it in this key in the registry: HKLM\SOFTWARE\Microsoft\Windows\
To see the virus check your run keys then go to each folder and look at the names of the executable, there will be two or more of them, the virus will be the first executable, then the executable will be the same name with a space between the name and the period before the file extension such as:
Troubleshoot, repair, maintain, upgrade & secure...
With the Task Manager look at the Running Processes, if you see two of the same executable and one or more has a space or spaces between the end of the executable name and the period then your computer is infected.
After Trojan Remover cleaned the infection and a restart the virus was still there.
You can try to eradicate the virus but after two tries I just put a clean image back on my computer.
If you want to try cleaning the virus this page has the instructions:
This little exercise proves three things:
- Backup your data and make an image of your system drive
- Keep your AV up to date
- Keep an eye on the Task Manage for anomalies if you download programs to
Better still I should take my own advice about viruses such as the
wmpscfgs.exe and run these programs in a VM! (Virtual Machine)
You will find more information and techniques on cleaning viruses in the
Self Computer Repair Unleashed! 2nd Edition