johngross
While cleaning up my laptop in preparation for upgrading to SP2,
Symantec AntiVirus identified a service and process running the file
'wlmsngr.exe' as infected by 'W32.Spybot.Worm'.
I selected the [Remove Risks Now] option, and SAV successfully stopped
the service, but failed to stop the process or delete/quarantine the
file.
It took two subsequent boots and scans before the risk was finally
cleaned up.
After upgrading to SP2 - and partly because this particular risk had
been so difficult to remove (among others!) - I decided to search the
registry for this name... and was quite surprised to find it mentioned
in a number of keys, as follows:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WLMSNGR]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WLMSNGR\0000]
"Service"="wlmsngr"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="wlmsngr"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wlmsngr]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,\
53,00,5c,00,77,00,6c,00,6d,00,73,00,6e,00,67,00,72,00,2e,00,65,00,78,00,65,\
00,22,00,00,00
"DisplayName"="wlmsngr"
"ObjectName"="LocalSystem"
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,14,00,00,\
00,00,00,00,00,00,00,00,00
"Description"="wlmsngr"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wlmsngr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wlmsngr\Enum]
"0"="Root\\LEGACY_WLMSNGR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WLMSNGR]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WLMSNGR\0000]
"Service"="wlmsngr"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="wlmsngr"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wlmsngr]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,\
53,00,5c,00,77,00,6c,00,6d,00,73,00,6e,00,67,00,72,00,2e,00,65,00,78,00,65,\
00,22,00,00,00
"DisplayName"="wlmsngr"
"ObjectName"="LocalSystem"
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,14,00,00,\
00,00,00,00,00,00,00,00,00
"Description"="wlmsngr"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wlmsngr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WLMSNGR]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WLMSNGR\0000]
"Service"="wlmsngr"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="wlmsngr"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlmsngr]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,\
53,00,5c,00,77,00,6c,00,6d,00,73,00,6e,00,67,00,72,00,2e,00,65,00,78,00,65,\
00,22,00,00,00
"DisplayName"="wlmsngr"
"ObjectName"="LocalSystem"
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,14,00,00,\
00,00,00,00,00,00,00,00,00
"Description"="wlmsngr"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlmsngr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlmsngr\Enum]
"0"="Root\\LEGACY_WLMSNGR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR]
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_WLMSNGR\0000]
"CSConfigFlags"=dword:00000001
The original file (wlmsngr.exe) was in the WINDOWS folder, but it does
not appear to exist on the laptop now.
Subsequent SAV scans (and Ad-Aware and Spybot Search & Destroy) are
finding nothing, so I am wondering just what the above registry keys
are all about. (I am certain they were not in the pre-SP2 registry,
either before or after SAV apparently cleaned up this threat.)
Does anyone have any ideas about this?
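As an added example (not part of the original post), a small Python parser that reads the regedit 5.00 export quoted above, decodes the hex(2) REG_EXPAND_SZ ImagePath from its UTF-16LE bytes and translates the Type and Start dwords into the Win32 service-control-manager constants, so the leftover Services\wlmsngr key can be read at a glance: a disabled (Start=4) interactive own-process service pointing at C:\WINDOWS\wlmsngr.exe and running as LocalSystem. The sample input is constructed from the post's own key; nothing here touches a live registry.

```python
import re
# Constructed sample: the Services\wlmsngr key as quoted in the post's .reg export
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlmsngr]
"Type"=dword:00000110
"Start"=dword:00000004
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,\
  53,00,5c,00,77,00,6c,00,6d,00,73,00,6e,00,67,00,72,00,2e,00,65,00,78,00,65,\
  00,22,00,00,00
"DisplayName"="wlmsngr"
"ObjectName"="LocalSystem"
'''

# SERVICE_TYPE and SERVICE_START constants as used by the Win32 service control manager
SERVICE_TYPE_FLAGS = {0x1: "KERNEL_DRIVER", 0x2: "FILE_SYSTEM_DRIVER",
                      0x10: "WIN32_OWN_PROCESS", 0x20: "WIN32_SHARE_PROCESS",
                      0x100: "INTERACTIVE_PROCESS"}
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}

def decode_value(raw):  # decode the right-hand side of one .reg value line
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex"):
        data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
        if raw.startswith(("hex(1):", "hex(2):")):  # REG_SZ / REG_EXPAND_SZ stored as UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data                                  # REG_BINARY and other hex(n) types
    return raw.strip('"').replace("\\\\", "\\")      # quoted REG_SZ, unescape backslashes

def parse_reg(text):  # return {key_path: {value_name: decoded_value}} for a regedit 5.00 export
    text = re.sub(r",\\\r?\n\s*", ",", text)  # rejoin regedit's backslash-wrapped hex lines
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = decode_value(raw)
    return keys

def describe_service(values):  # translate a Services\<name> key's values into readable fields
    svc_type = values.get("Type", 0)
    return {"image": values.get("ImagePath", "").strip('"'),
            "start": START_TYPES.get(values.get("Start"), "UNKNOWN"),
            "type": "|".join(n for bit, n in SERVICE_TYPE_FLAGS.items() if svc_type & bit),
            "account": values.get("ObjectName")}
```

Running `describe_service` over every `\Services\` key in a full export is a quick way to list service definitions whose ImagePath no longer exists on disk, which is exactly the state the post describes.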