Infected - wmpscfgs.exe


22 replies to this topic

#1 Markel69

Markel69

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:38 PM

Posted 09 January 2010 - 07:03 PM

I've now reached meltdown and need help.
I continuously have the file wmpscfgs.exe opening on restart on my computer. I have done everything that I have seen on these forums without any success. I have currently downloaded HJT but have yet to install. I have it on my laptop, the issue is with my Desktop.
Although most of the programs identify and remove the operating file wmpscfgs.exe, they fail to remove the item causing it to run. The problem does not appear when in safe mode, only when logged in as per normal usage.
Since first appearing on my system on 1 Jan I have severely limited access to the internet and hope that I have not let the Malware spread too far into the system. I have not had most of previous people's problems. I don't have any pop up windows appearing, or music running in the background. All that I have is various wmpscfgs.exe files running, along with iexplore.exe running uncommanded.
I am currently running ESET NOD32 which has picked up wmpscfgs.exe in two folders calling it Win/32TrojanDownloader.Unruy.AY and says it is cleaned by deletion.
I was running Norton360, have tried SmitFraud, MalwareBytes, SUPERAntispyware, Spybot, DrWebCureit and now NOD32 which is currently running.
I think the only thing that has kept it at bay at the moment is Security Task Manager where I disable the files when they appear.
Can anyone please guide me further as I have just read on a windows forum that this re-writes some Key files that cannot be immediately replaced by deletion.
I have run the scans in normal mode, safe mode and safe mode with networking and am running an Athlon Dual core on Windows XP SP3.
To be honest I've tried so much even I don't know exactly what I've done.

*** Edited - Sorry I forgot to add I've also installed CC ***

Edited by Markel69, 09 January 2010 - 07:19 PM.




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,597 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:38 PM

Posted 10 January 2010 - 01:09 PM

Did you remove Norton360 before installing NOD32? If not, you need to do so as using more than one anti-virus program is not advisable. The primary concern with doing so is due to conflicts that can arise when they are running in real-time mode simultaneously and issues with Windows resource management. Even when one of them is disabled for use as a stand-alone scanner, it can affect the other. Anti-virus software components insert themselves into the operating system's core and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users: need to right-click either the IE or FF Start Menu or Quick Launch Bar icons and select Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Posted Image... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Posted Image... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the Posted Image... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 Markel69


Posted 10 January 2010 - 02:59 PM

Thanks for the reply, sorry I didn't get back sooner. With my e-mail abandoned at the moment for fear of what will happen I am receiving notifications through my Blackberry, I didn't realise it had gone off.
I didn't uninstall Norton just disabled it. Do I need to uninstall them or disable them to run a Kaspersky scan?

Edited by Markel69, 10 January 2010 - 02:59 PM.


#4 quietman7


Posted 10 January 2010 - 03:19 PM

Even when one of them is disabled for use as a stand-alone scanner, it can affect the other. Anti-virus software components insert themselves into the operating system's core and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

Each anti-virus may interpret the activity of the other as malicious behavior and there is a greater chance of them alerting you to a "False Positive". If one finds a virus or a suspicious file and then the other also finds the same, both programs will be competing over exclusive rights on dealing with that virus or suspicious file. Each anti-virus may attempt to remove the offending file and quarantine it at the same time resulting in a resource management issue as to which program gets permission to act first. If one anti-virus finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a virus has been found when that is not the case.

Anti-virus scanners use virus definitions to check for malware and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, most anti-virus programs encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. Other vendors do not encrypt their definitions and they can trigger false alarms when detected by the resident anti-virus. Further, dual installation is not always possible because most of the newer anti-virus programs will detect the presence of others and may insist they be removed prior to download and installation of another. Nonetheless, to avoid these problems, use only one anti-virus solution. Deciding which one to remove is your choice. Be aware that you may lose your subscription to that anti-virus program's virus definitions once you uninstall that software.

Then temporarily disable the remaining anti-virus so you can run the Kaspersky scan.

#5 Markel69


Posted 10 January 2010 - 03:26 PM

I am currently downloading the Kaspersky database. I will uninstall one Virus software and disable the other. Once done I will post the log. Thanks

#6 quietman7


Posted 10 January 2010 - 03:39 PM

Ok.

#7 Markel69


Posted 11 January 2010 - 10:53 AM

Was Kaspersky supposed to produce a log? I have come home from work after leaving the computer scanning and there is nothing. No window open, browser closed down, no trace of a log?

#8 quietman7


Posted 11 January 2010 - 10:59 AM

Once the scan is complete (the 'status' will show complete), you have to click on View Scan Report. Any infected objects will be shown.

Then you have to click on Save Report As... and change the Files of type to Text file (.txt)

Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.

Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.

#9 Markel69


Posted 11 January 2010 - 11:17 AM

The browser window was shut down. Nothing to click on. Would someone using the computer cause this to happen? My daughter came home from school and used the computer but she said that she minimised the program? It had been scanning for 13hrs at 1000 this morning and had only completed 8%.
So I'm not only confused but frustrated as well.
I am currently removing my website from the computer which has too many files in it, this isn't helping in the scan time. I'm going to delete all the documents in "My Documents" folder, since I already have them backed up. Then run the scan again. I had downloaded the trial software from Kaspersky, is it worth running that?

#10 quietman7


Posted 11 January 2010 - 11:34 AM

The speed and ability to complete an anti-virus or anti-malware scan depends on a variety of factors.
  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning for suspicious behavior or a combination of both.
  • Options to scan for spyware, adware, riskware and potentially unwanted or unsafe programs (PUPs).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Quick or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk used capacity (number of files to include temporary files) that have to be scanned.
  • Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system resources by the scanner.
  • Other running processes and programs in the background.
  • Interference from malware.
  • Interference from the user.
To speed up your scans, uninstall unnecessary programs, clean out the temporary files or use ATF Cleaner first, close all open programs and do not use the computer during the scan.

#11 Markel69


Posted 11 January 2010 - 11:56 AM

I backed up the files, the drive is 120Gb and is 50% free, it was just the 600,000 files that I keep as a backup to my website, this has slowed every scanning software down, joys of being a photographer. I will clear the undesirable and scan again, then post the results. Speak to you later or tomorrow, thanks.

#12 quietman7


Posted 11 January 2010 - 12:23 PM

Not a problem.

I keep my photos and personal data files on an external hard drive which I can disconnect when scanning. In the event of an emergency (weather) and you have to leave the house quickly, an external HD is easy to take with you.

#13 Markel69


Posted 11 January 2010 - 12:50 PM

Yes I do too, all 4 hard drives of them. Really got to back up to another media. Blu-ray hopefully. Weddings have got so big, up to about 15gb, that I can't even fit them on a double sided DVD any more.
It's just 6 years with a photography website, you never know when you are going to need to upload an event, anything to make a sale. There are about 600,00 files in there, and that has created a bottleneck when scanning. It took 5hrs just to transfer them to another hard drive. They're not that big, just lots of them.
Just about finished shaving off the excess on the drive, I'll post the log once scanned.

#14 Markel69


Posted 12 January 2010 - 01:17 PM

Ok once I disconnected the other drives the scan went a lot quicker. Please find the result below.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, January 12, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, January 11, 2010 15:12:17
Records in database: 3298535
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
O:\

Scan statistics:
Objects scanned: 494912
Threats found: 2
Infected objects found: 1
Suspicious objects found: 1
Scan duration: 15:00:29


File name / Threat / Threats count
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Password-protected-EXE 1
D:\Downloads\xp-tweaks-unlocked-setup.exe Infected: Trojan.Win32.Agent2.clvp 1

Selected area has been scanned.


_________________________________________________________________________________________________________________________________

That was the first scan completed at 0900 this morning. I realised that I had the other drives connected and Norton re-activated, so I ran another scan. Please find the result below.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, January 12, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, January 11, 2010 15:12:17
Records in database: 3298535
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
E:\
F:\

Scan statistics:
Objects scanned: 219166
Threats found: 1
Infected objects found: 0
Suspicious objects found: 1
Scan duration: 06:21:12


File name / Threat / Threats count
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Password-protected-EXE 1

Selected area has been scanned.
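
An added example (not part of the original post): the two reports above, abridged inline, parsed in Python to check whether a detection missing from the later scan was simply outside its scan area. The function names are hypothetical and the line format is assumed from these two reports only.

```python
import re

# Abridged copies of the two Kaspersky Online Scanner reports posted above.
FIRST = r"""Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
O:\

File name / Threat / Threats count
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Password-protected-EXE 1
D:\Downloads\xp-tweaks-unlocked-setup.exe Infected: Trojan.Win32.Agent2.clvp 1
"""

SECOND = r"""Scan area - My Computer:
A:\
C:\
E:\
F:\

File name / Threat / Threats count
C:\Documents and Settings\Mark\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Password-protected-EXE 1
"""

# A scan-area line is a bare drive root; a detection line ends in
# "<verdict>: <threat name> <count>" (format assumed from the reports above).
AREA = re.compile(r"^([A-Za-z]):\\$", re.M)
HIT = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<verdict>Infected|Suspicious): "
                 r"(?P<threat>\S+) (?P<count>\d+)$", re.M)


def parse_report(text):
    """Return (set of scanned drive letters, {path: (verdict, threat)})."""
    drives = {m.group(1).upper() for m in AREA.finditer(text)}
    hits = {m["path"]: (m["verdict"], m["threat"]) for m in HIT.finditer(text)}
    return drives, hits


def compare_scans(earlier, later):
    """Classify each detection from the earlier scan against the later one."""
    _, old_hits = parse_report(earlier)
    new_drives, new_hits = parse_report(later)
    result = {}
    for path, (verdict, threat) in old_hits.items():
        if path in new_hits:
            status = "still detected"
        elif path[0].upper() not in new_drives:
            status = "not rescanned"  # drive was outside the later scan area
        else:
            status = "no longer detected"
        result[path] = (verdict, threat, status)
    return result


if __name__ == "__main__":
    for path, (verdict, threat, status) in compare_scans(FIRST, SECOND).items():
        print(f"{status:18} {verdict:10} {threat:28} {path}")
```

The D:\ detection comes back as "not rescanned", so its absence from the second report says nothing about whether the file is still on disk.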

#15 quietman7


Posted 12 January 2010 - 02:15 PM

Malwarebytes Anti-Malware has a built-in FileAssassin feature for removing stubborn malware files.
  • Go to the "More Tools" tab and click on the "Run Tool" button
  • Browse to the location of the file to remove using the drop down box next to "Look in:" at the top.
    • D:\Downloads\xp-tweaks-unlocked-setup.exe <- this file
  • When you find the file, click on it to highlight, then select Open.
  • You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
  • If removal did not require a reboot, you will receive a message indicating the file was deleted successfully.
  • Click Ok and exit MBAM.
  • If prompted to reboot, then do so immediately.
-- If the file returns, then you probably have other malware on your system which is protecting or regenerating it.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to move highly persistent files. Using it incorrectly could lead to serious problems with your operating system.





