Virus 'W32.Spybot.Worm' identified in file 'wlmsngr.exe'

johngross

While cleaning up my laptop in preparation for upgrading to SP2,
Symantec AntiVirus identified a service and process running the file
'wlmsngr.exe' as infected by 'W32.Spybot.Worm'.

I selected the [Remove Risks Now] option, and SAV successfully stopped
the service, but failed to stop the process or delete/quarantine the
file.

It took two subsequent boots and scans before the risk was finally
cleaned up.

After upgrading to SP2 - and partly because this particular risk had
been so difficult to remove (among others!) - I decided to search the
registry for this name... and was quite surprised to find it mentioned
in a number of keys, as follows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WLMSNGR]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WLMSNGR\0000]
"Service"="wlmsngr"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="wlmsngr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wlmsngr]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,\
53,00,5c,00,77,00,6c,00,6d,00,73,00,6e,00,67,00,72,00,2e,00,65,00,78,00,65,\
00,22,00,00,00
"DisplayName"="wlmsngr"
"ObjectName"="LocalSystem"
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,14,00,00,\
00,00,00,00,00,00,00,00,00
"Description"="wlmsngr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wlmsngr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wlmsngr\Enum]
"0"="Root\\LEGACY_WLMSNGR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WLMSNGR]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WLMSNGR\0000]
"Service"="wlmsngr"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="wlmsngr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wlmsngr]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,\
53,00,5c,00,77,00,6c,00,6d,00,73,00,6e,00,67,00,72,00,2e,00,65,00,78,00,65,\
00,22,00,00,00
"DisplayName"="wlmsngr"
"ObjectName"="LocalSystem"
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,14,00,00,\
00,00,00,00,00,00,00,00,00
"Description"="wlmsngr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wlmsngr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WLMSNGR]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WLMSNGR\0000]
"Service"="wlmsngr"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="wlmsngr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlmsngr]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,\
53,00,5c,00,77,00,6c,00,6d,00,73,00,6e,00,67,00,72,00,2e,00,65,00,78,00,65,\
00,22,00,00,00
"DisplayName"="wlmsngr"
"ObjectName"="LocalSystem"
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,14,00,00,\
00,00,00,00,00,00,00,00,00
"Description"="wlmsngr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlmsngr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlmsngr\Enum]
"0"="Root\\LEGACY_WLMSNGR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]

[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001

The original file (wlmsngr.exe) was in the WINDOWS folder, but it does
not appear to exist on the laptop now.

Subsequent SAV scans (and Ad-Aware and Spybot Search & Destroy) are
finding nothing, so I am wondering just what the above registry keys
are all about. (I am certain they were not in the pre-SP2 registry,
either before or after SAV apparently cleaned up this threat.)

Does anyone have any ideas about this?
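
Added example, not part of the thread: a Python script that parses a .reg export like the one above and decodes the pieces that are hard to read by eye, namely the hex(2) ImagePath (UTF-16LE bytes), the Type/Start/ErrorControl numbers and the FailureActions blob, so a leftover service definition can be triaged without a hex table. The embedded sample is the Services\wlmsngr key as pasted in the post; the triage heuristics in triage_notes are my own choices and not something the poster or Symantec wrote.

```python
"""Triage of a service definition from a .reg export (added example)."""
import json
import re
import struct

# Constructed sample: the Services\wlmsngr key as pasted in the post above,
# with regedit's trailing-backslash line continuations intact.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlmsngr]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,\
  53,00,5c,00,77,00,6c,00,6d,00,73,00,6e,00,67,00,72,00,2e,00,65,00,78,00,65,\
  00,22,00,00,00
"DisplayName"="wlmsngr"
"ObjectName"="LocalSystem"
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,14,00,00,\
  00,00,00,00,00,00,00,00,00
"Description"="wlmsngr"
'''

# Service Type bits, Start values and SC_ACTION types as the Service Control
# Manager defines them.
SERVICE_TYPE_FLAGS = {
    0x001: "SERVICE_KERNEL_DRIVER",
    0x002: "SERVICE_FILE_SYSTEM_DRIVER",
    0x010: "SERVICE_WIN32_OWN_PROCESS",
    0x020: "SERVICE_WIN32_SHARE_PROCESS",
    0x100: "SERVICE_INTERACTIVE_PROCESS",
}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
               2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START",
               4: "SERVICE_DISABLED"}
SC_ACTIONS = {0: "SC_ACTION_NONE", 1: "SC_ACTION_RESTART",
              2: "SC_ACTION_REBOOT", 3: "SC_ACTION_RUN_COMMAND"}


def join_continuations(text):
    """Undo .reg line wrapping: a trailing backslash continues the value on
    the next line, whose leading whitespace is insignificant."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        lines.append(line)
        pending = ""
    return lines


def decode_value(raw):
    """Turn the textual .reg value into a Python value."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ, stored as UTF-16LE bytes
        data = bytes.fromhex(raw[len("hex(2):"):].replace(",", ""))
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith("hex:"):  # REG_BINARY
        return bytes.fromhex(raw[len("hex:"):].replace(",", ""))
    if raw.startswith('"') and raw.endswith('"'):  # REG_SZ
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg(text):
    """Map each [key] in the export to its name -> value dictionary."""
    keys, current = {}, None
    for line in join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def decode_failure_actions(blob):
    """SERVICE_FAILURE_ACTIONS as stored in the registry: five DWORDs
    (reset period, reboot-message offset, command offset, action count,
    offset of the SC_ACTION array), then (type, delay-ms) DWORD pairs."""
    reset_period, _msg, _cmd, count, offset = struct.unpack_from("<5I", blob, 0)
    actions = [struct.unpack_from("<2I", blob, offset + 8 * i) for i in range(count)]
    return {"reset_period": reset_period,
            "actions": [(SC_ACTIONS.get(t, t), delay) for t, delay in actions]}


def triage_notes(name, values):
    """Heuristics (my own, not from the thread) for what deserves a second look."""
    notes = []
    path = values.get("ImagePath", "").strip('"')
    parent = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
    if parent.endswith(":\\windows"):
        notes.append("image lives directly in the Windows folder rather than system32")
    if values.get("ObjectName", "").lower() == "localsystem":
        notes.append("runs as LocalSystem")
    if values.get("Type", 0) & 0x100:
        notes.append("interactive service: allowed to show UI on the console desktop")
    if values.get("DisplayName") == name and values.get("Description") == name:
        notes.append("DisplayName and Description are just the service name")
    return notes


def summarize(text):
    """One triage record per service key found in the export."""
    report = {}
    for key, values in parse_reg(text).items():
        if "\\Services\\" not in key or "ImagePath" not in values:
            continue
        name = key.rsplit("\\", 1)[1]
        fa = values.get("FailureActions")
        report[name] = {
            "image_path": values["ImagePath"],
            "type": [n for bit, n in sorted(SERVICE_TYPE_FLAGS.items())
                     if values.get("Type", 0) & bit],
            "start": START_TYPES.get(values.get("Start"), "unknown"),
            "error_control": values.get("ErrorControl"),
            "account": values.get("ObjectName"),
            "failure_actions": decode_failure_actions(fa) if fa else None,
            "notes": triage_notes(name, values),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(summarize(REG_SAMPLE), indent=2))
```

Run as a script it prints the record for wlmsngr: Start 4 decodes to SERVICE_DISABLED, which matches SAV having stopped the service, Type 0x110 is an own-process service marked interactive, and ImagePath decodes to the quoted path C:\WINDOWS\wlmsngr.exe, the file the poster says is no longer on the disk. The parser accepts the rest of the export unchanged; the Enum\Root\LEGACY_WLMSNGR entries under each control set are the Plug and Play manager's record of a non-PnP (legacy) service, and neither they nor the Services key are touched by removing the binary itself.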
 
Guest

johngross said:
While cleaning up my laptop in preparation for upgrading to SP2,
Symantec AntiVirus identified a service and process running the file
'wlmsngr.exe' as infected by 'W32.Spybot.Worm'.

I selected the [Remove Risks Now] option, and SAV successfully stopped
the service, but failed to stop the process or delete/quarantine the
file.

It took two subsequent boots and scans before the risk was finally
cleaned up.

After upgrading to SP2 - and partly because this particular risk had
been so difficult to remove (among others!) - I decided to search the
registry for this name... and was quite surprised to find it mentioned
in a number of keys, as follows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WLMSNGR]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WLMSNGR\0000]
"Service"="wlmsngr"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="wlmsngr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wlmsngr]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,\
53,00,5c,00,77,00,6c,00,6d,00,73,00,6e,00,67,00,72,00,2e,00,65,00,78,00,65,\
00,22,00,00,00
"DisplayName"="wlmsngr"
"ObjectName"="LocalSystem"
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,14,00,00,\
00,00,00,00,00,00,00,00,00
"Description"="wlmsngr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wlmsngr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wlmsngr\Enum]
"0"="Root\\LEGACY_WLMSNGR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WLMSNGR]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WLMSNGR\0000]
"Service"="wlmsngr"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="wlmsngr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wlmsngr]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,\
53,00,5c,00,77,00,6c,00,6d,00,73,00,6e,00,67,00,72,00,2e,00,65,00,78,00,65,\
00,22,00,00,00
"DisplayName"="wlmsngr"
"ObjectName"="LocalSystem"
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,14,00,00,\
00,00,00,00,00,00,00,00,00
"Description"="wlmsngr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wlmsngr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WLMSNGR]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WLMSNGR\0000]
"Service"="wlmsngr"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="wlmsngr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlmsngr]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,\
53,00,5c,00,77,00,6c,00,6d,00,73,00,6e,00,67,00,72,00,2e,00,65,00,78,00,65,\
00,22,00,00,00
"DisplayName"="wlmsngr"
"ObjectName"="LocalSystem"
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,14,00,00,\
00,00,00,00,00,00,00,00,00
"Description"="wlmsngr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlmsngr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlmsngr\Enum]
"0"="Root\\LEGACY_WLMSNGR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]

[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001

The original file (wlmsngr.exe) was in the WINDOWS folder, but it does
not appear to exist on the laptop now.

Subsequent SAV scans (and Ad-Aware and Spybot Search & Destroy) are
finding nothing, so I am wondering just what the above registry keys
are all about. (I am certain they were not in the pre-SP2 registry,
either before or after SAV apparently cleaned up this threat.)

Does anyone have any ideas about this?

My guess is these are orphan keys left behind after the AV cleaned the folder or
the whole application for the worm. You can back up the registry on a
removable disk, delete these entries, reboot and see if your system
will be affected in a bad way or will stay stable.
These keys can bring back the worm and be the Christmas lights for others, and
you don't need Father Christmas, instead of coming down from the chimney, coming
down from the registry, do you?
Download these tools (one or both), check mark next to these entries, but be sure
you are checking the right ones, as these tools, as much as they are helpful, can be
damaging too, so take care when deleting:
http://www.ccleaner.com
http://www.purgeie.com/delinv/index.htm
Regards,
nass
 
johngross

nass said:
My guess is these are orphan keys left behind after the AV cleaned the folder or
the whole application for the worm. You can back up the registry on a
removable disk, delete these entries, reboot and see if your system
will be affected in a bad way or will stay stable.
These keys can bring back the worm and be the Christmas lights for others, and
you don't need Father Christmas, instead of coming down from the chimney, coming
down from the registry, do you?
Download these tools (one or both), check mark next to these entries, but be sure
you are checking the right ones, as these tools, as much as they are helpful, can be
damaging too, so take care when deleting:
http://www.ccleaner.com
http://www.purgeie.com/delinv/index.htm
Regards,
nass

Thanks, nass, especially for your very quick response!

I'm still puzzled as to how these registry entries appeared *after* the
SP2 upgrade, because (as I wrote) I am quite certain they weren't there
before.

I will look at using CCleaner to get rid of them.

Regards,
John
 
johngross

Thanks, nass, especially for your very quick response!

I'm still puzzled as to how these registry entries appeared *after* the
SP2 upgrade, because (as I wrote) I am quite certain they weren't there
before.

I will look at using CCleaner to get rid of them.

Regards,
John

Just for your information...

I finally got around to downloading CCleaner and running it on the
laptop with the suspected leftovers from an infection.

It found a few things, but did not identify the registry keys listed
in my original post as any problem. I'm still puzzled, but not
particularly worried; I will probably go in and delete the keys myself
(carefully, of course!) if I feel it is necessary.

By the way, CCleaner looks like a very useful little tool; thanks for
pointing it out to me.

Regards,

John Gross
 
