
How-To Geek reader Kan wrote in with a full guide to getting rid of the nasty wmpscfgs.exe virus, and we figured we should just share it with everybody, just in case anybody else comes across the same problem in the future.


Note that this is a specific guide to getting rid of a specific virus, and was tested by a specific reader. We’ve not tested these steps personally.

Symptoms of the wmpscfgs.exe Virus


  • If you have Malwarebytes or Superantispyware software, these guys will detect it on every scan and will try to remove this virus. But the virus will just come back after a reboot. Even a safe mode boot (with or without network) will not work.
  • A warning about IE not being your default browser will always pop up, without you even clicking on or opening IE. I would not advise clicking either Yes or No on it. Just move the window into one of your monitor corners and see the solution below.
  • Windows UAC will misbehave and will keep on prompting whether you want to execute a previously executed startup program. This is what gave the virus away for me, hence I started scanning and investigating. If you try to allow one, UAC will be disabled. Strangely enough, if you enable it again, Windows doesn’t prompt you to reboot, which is also a giveaway that something is wrong, as changing the UAC settings will definitely ask for a reboot.
  • Microsoft Security Essentials will detect your startup programs (virus software, anti-spyware/malware software, etc.) as viruses and flag them. Another giveaway that something is awfully wrong!

If you have the above symptoms, you pretty much have the virus I had yesterday. Here is what you can do to get rid of it. Don’t bother about scanning, as scanners can’t fully fix your problem and will end up corrupting your applications.

  • Boot in safe mode. The reason for this is that in safe mode there are not many processes running. You need this setup in step 9 below, as this virus is a nasty one.
  • Open up Windows Explorer and go to Tools -> Folder Options.

        a. Make sure the following is TICKED -> Show hidden files and folders

        b. Make sure the following is UNticked -> Hide extensions for known file types


  • Go to the following directories (this is for Vista Home Premium):

         C:\Program Files\Internet Explorer

         C:\Users\user\AppData\Local\Temp

    In each of them you will see a file called wmpscfgs.exe. Delete them.


  • Open up your Task Manager, make sure ‘Show processes from all users’ is ticked and look for the same process. If it is running, kill it.

Starting from this part, the steps need more technical experience. If you are not comfortable doing the steps below, look for someone who can help you.

  • Open up regedit and go to: HKLM -> Software -> Microsoft -> Windows -> CurrentVersion -> Run
  • Look for an Adobe_reader entry with the data “%ProgramFiles%\Internet Explorer\wmpscfgs.exe”. Delete it. For me, from this point on, almost all of the things currently written on the net don’t have the steps below, and it’s the reason why this virus keeps coming back.

  • Hopefully you don’t have many applications under “HKLM -> Software -> Microsoft -> Windows -> CurrentVersion -> Run”, because you literally have to visit each one of them, as this virus hijacks almost every application in the Run list above.
  • Basically it renames the old exe file from, say, “mcagent.exe” to “mcagent .exe”, with a space between the filename and the “.exe” extension. It will then create a copy of itself with the same filename as your executable file, so that when someone executes your file, the virus will be executed first and then your file. It will do this for every app you have in your Run list.

    Thus if you go to the location of, say, the McAfee mcagent.exe application, you will see two to three files with almost the same filename:

    • mcagent.exe -> which is a 39 KB file, very recently created, and which is the virus that keeps adding back that wmpscfgs.exe file.
    • mcagent .exe -> the original mcagent file, renamed.
    • mcagent.exe.delme<some random number> -> delete this one as well. I don’t see this occurring every time, but I have seen some apps with this file in them, very recently created.
  • You first need to kill the corresponding process of the infected file if it is running in Task Manager, manually remove the existing .exe file, which is only around 39 KB, and rename your old executable file back to its former filename. Repeat this for every application you have in your Run list above. The only thing that I saw this virus didn’t infect was the Windows Defender application. The rest in my Run list were screwed. Uninstalling and reinstalling them doesn’t help either, as the former Trojan exe file will be retained in the application directory.

    This is the reason why Microsoft Security Essentials was complaining that your startup executable files are viruses.


  • Once you have verified that each application in your Run list has been restored, to be fully sure that you don’t have any such files lingering in your system, do a drive search for any file that is 39 KB in size and has just recently been created, and examine each one carefully to see if it is just a copy of your original executable file. Follow step 7 for each occurrence of it. So far, I only saw this virus attach itself to executable files.
  • If you want to be 100% sure, the next thing you need to do is double-check every process running in your Task Manager to see if it is legit. Some processes, especially those started by the system, won’t be able to take you to their process file; that’s OK, but for most of them, if you right-click on them, you should see an option there called “Open File Location”. Then follow step 7 above.
  • Reboot and that’s it!


Thanks to reader Kan for writing in with this guide, and hopefully it helps somebody else!
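As an added example (not part of Kan’s guide or the How-To Geek article), the following PowerShell script audits the HKLM Run key for the traces the guide describes: a Run value that launches wmpscfgs.exe, an original binary renamed with a space before its extension, leftover “.delme” copies, and the size and creation time of each launched file so a freshly created ~39 KB binary stands out. It assumes PowerShell 3 or later and only reports; nothing is deleted or renamed.

```powershell
# Added example (not from the original guide): read-only audit of the HKLM Run key
# for the traces described above. It reports; it never deletes or renames anything.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = Get-ItemProperty -Path $runKey
$findings = @()

foreach ($prop in $runValues.PSObject.Properties) {
    # Skip the PS* metadata properties that Get-ItemProperty adds to the object
    if ($prop.Name -like 'PS*') { continue }
    $cmd = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
    if (-not $cmd) { continue }
    # Extract the executable path: a quoted token, or everything up to the first ".exe"
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($cmd -match '^(.+?\.exe)') { $exe = $Matches[1] }
    else { $exe = $cmd.Trim() }

    $leaf = Split-Path -Path $exe -Leaf
    $dir  = Split-Path -Path $exe -Parent
    $base = [IO.Path]::GetFileNameWithoutExtension($leaf)

    # 1) The Run entry itself launches the file named in the guide
    if ($leaf -ieq 'wmpscfgs.exe') {
        $findings += "Run value '$($prop.Name)' launches $exe"
    }
    if (-not ($dir -and (Test-Path -LiteralPath $dir))) { continue }

    # 2) Original binary renamed with a space before the extension ("mcagent .exe")
    $renamed = Join-Path $dir "$base .exe"
    if (Test-Path -LiteralPath $renamed) {
        $findings += "Renamed original beside '$($prop.Name)': $renamed"
    }
    # 3) Leftover "<name>.exe.delme<digits>" copies in the same directory
    Get-ChildItem -LiteralPath $dir -Filter "$leaf.delme*" -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Leftover copy: $($_.FullName)" }
    # 4) Size and creation time of the launched file, so a small, recently created
    #    binary can be compared against the vendor's real executable by hand
    if (Test-Path -LiteralPath $exe) {
        $f = Get-Item -LiteralPath $exe
        $findings += ("{0}: {1} bytes, created {2}" -f $prop.Name, $f.Length, $f.CreationTime)
    }
}

# The two drop locations named in the guide (the Temp path is the current user's)
foreach ($d in "$env:ProgramFiles\Internet Explorer", $env:TEMP) {
    $p = Join-Path $d 'wmpscfgs.exe'
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}
$findings
```

Run it from an elevated PowerShell prompt so the Program Files directories are readable; every line it prints is something to inspect by hand before following the guide’s step 7.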


Translated from: https://www.howtogeek.com/howto/9727/how-to-get-rid-of-the-wmpscfgs.exe-virus-a-reader-contributed-guide/



