wmram.exe

There is an exe file in c:\winnt\system32 named wmram.exe it periodically spawn several of its own instances and bogs down the system to halt. Avast or Spybot does not detect it as suspicous activity. Where should I post the exe for inspection?

http://virusscan.jotti.org/

I’m sad to note another detection failure :cry: :stuck_out_tongue:

Google only finds one hit for this (.pl site) so if it was known, I would have expected many more, so this could quite well be a new or modified variant of adware/spyware.

The .pl link shows three hits, this is one http://forum.gazeta.pl/forum/72,2.html?f=430&w=25418562&a=25419031 and this shows it being shown in HiJackThis so it should be able to fix it by deleting the run command, stopping the process in task manager and then delete the file.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2

OR

Hello sabit,

I have read the advice on the polish reference at Gazeta.pl forum (the biggest online magazine of Poland) and I suggest you download Toolbarcop 3.3. at this link:
http://www.majorgeeks.com/download4126.html to take this BHO out in a decent way, success,

Have a nice day,

polonus

Very handy having someone on the forums who can read Polish ‘polonus’, as my favourite toolAlta Vista Babel Fish doesn’t translate Polish

Czesc DavidR,

Well sometimes it comes in handy, actualy the polish thread on the Gazeta Forum advized to use killbox to take this “robak” out (robak=vermin is the Polish term for worm, sometimes they say robak-worm). There are not that many Dutch with a fair command of Polish, but in order to be able to communicate with your in-laws one does a lot. I finally mastered it, although it was murderously difficult, especially for people that speak a germanic language like Dutch, but then later you also have access to antivirus-forums (dostep do forum antywirusowego). Glad I could help you out here. You’re welcome.

Greets (=pozdrawiam)

polonus

Hi,

The only way to kill this file is to download killbox.exe http://www.bleepingcomputer.com/files/killbox.php , very safe. Find the file path, (Replace on Reboot) make sure you check use dummy file (very important). File gone.

The only way to kill this file is to download killbox.exe
I strongly doubt that this is the only way to kill this, not only did 'polonus' give a link to toolbarcop, which by all accounts can get rid of this (possibly supported by the fact that the original poster didn't come back for more help). There are many tools to kill a file on next boot, HiJackThis for one so they too would delete the file. However simply getting rid of the file may not resolve the problem as there are associated registry entries which will need removal and for this I would suggest the link 'polonus' gave for a tool bar removal tool or HiJackThis.

Hijack will not work, trust me, I’ve tried everything.

HJT has a function to ‘delete a file on reboot’ in the Configuration, Misc Tools section.

Hi riowalker and DavidR,

I agree with DavidR that toolbarcop can do the job. There are a few other things to consider in this why riowalker may have reacted in the way he did. In the first place cleaning files and killing processes is best done in safe mode. And the second thing and not a lot of people know this: SpywareBlaster can be a two-sided sword if it is installed on a machine that is not clean. It can actually keep the trash on your comp. This is a known fact. SpywareBlaster is a great security tool but ONLY THEN when it is installed on a 100% clean system.

yours truly,

polonus

It seems possible that their are many ways to delete the wmram.exe . Good luck.

wmram.exe is part of a virus
unstoppable, undeletable, creating multiple instances
and even recreating after deletion with ultimate boot CD
it’s part of a brand new virus !

This virus got the name
TR.Grobot
as H+BEDV Datentechnik GmbH the programmers of
AntiVir explained in an email I got today.

Next version ov AntiVir will know this virus signature.

The virus was seeded by the freeware “Change Harddisk … ID”
offered by Softpedia who deleted their offer in the meantime.

The best way to get rid of this virus: Backup your data on CD
and rebuild your whole system from scratch beginning with
formating your harddisk.

regular ms birthdays do ensure maximum system performance :slight_smile:

anyhow,

download ‘Autoruns’ [http://www.sysinternals.com/utilities/autoruns.html]
and extract it somewhere

reboot into safemode

load autoruns, and check out all the stuff that usually starts up :slight_smile:
plenty of crap to untick right?!!

look for section:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

and entry:

wininfo System Information (Not verified) Microsoft Corporation c:\windows\system32\wmram.exe

untick it (and the rest of that stuff that doesnt need to be there!) and presto ur set to reboot and back to normal…

NOTE:
Im not convinced it s a virus as such but it certainly is annoying,
I did NOT download the earlier specified program by ‘sophos or watever’ and as such have no idea how this file came to be on my pc. which is frustrating!

but this gets rid of it if cant be arsed reformat/installing ;D

cheers
Adam

Hi ye all,

The software Change Harddisk Volume 1.0 (of mPVO Software) apparently came with this worm, demolishing the system, people that use this software are advised to change to take Volume ID 2.0 now, made by sysinternals). There are more people that signal that other software has been infected and trojaned with TR Grobot. What is this trojan, and what is its’ action. The infection comes from CD’s that go with PC magazines.

greets,

polonus

OK, I worked on this for 5 hours. I too used the Volume ID change program when upgrading my HD. All of the processes above did not work to delete this trojan, they did however give me several clues and some great links.

I am running Trend Micro 2005 and there is nothing about this Trojan.Grobt on their website. Here is what I did to delete the Trojan.

First, I went to the Bitdefender website and d/l a 30 day copy of there virus program.

Then, turn off your exiting virus protection and/or uninstall if you have a high speed internet connection. I did not do this and I paid a 2 hour price trying to resolve confilcts, it took forever to load BD, but finally did.

Then update Bitdefender and do a scan on the Winnt directory, BAM, found the following and moved them to Quarantine:

c:\winnt\system32\wmram.exe infected: Trojan.Grobt
c:\winnt\system32\winifo.dll infected: Trojan.Grobt
c:\winnt\system32\wmpcld.dll infected: Trojan.Grobt
c:\winnt\system32\stunel.dll infected: Trojan.Grobt

Additional files that were found later were DC34.exe & DC33.exe with the same trojan.

These two files:

c:\winnt\system32\wmpcld.dll infected: Trojan.Grobt
c:\winnt\system32\stunel.dll infected: Trojan.Grobt

may reside in a different location, but BD will find them.

As soon as the scan was complete I checked my running processes and found that WMRAM / WININFO were not running. I went to the registery and deleted all references to these 4 files. (Backup [export] first).

Do a full system scan with BD, this will take a couple of hours. I was shocked as to all the stuff it found, mostly in the email backups starting in Feb of 2000.

I first started using BD about 1.5 years ago and liked it but it was very slow. I changed to Trend Micro. After this, I think I will return to BD, they have come a long way in a year & a half…

Hope this helps guys…

Can you send the samples to virus@avast.com ?
You can zip and password the files… Inform a link to this thread and the password used.
Or you can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.
If this is confirmed, it’s a shame this lack of detection :o

Unfortunately I deleted all files, I thought about it after I done it, that it was probably not a good idea, sorry.

Id be happy to send the files to every antivirus group out there if after I do you can help me get this crap off my pc.

:\winnt\system32\wmram.exe infected: Trojan.Grobt
c:\winnt\system32\winifo.dll infected: Trojan.Grobt
c:\winnt\system32\wmpcld.dll infected: Trojan.Grobt
c:\winnt\system32\stunel.dll infected: Trojan.Grobt
c:\winnt\system32\wmpcld.dll infected: Trojan.Grobt
c:\winnt\system32\stunel.dll infected: Trojan.Grobt

I cant seems to get rid of these.I have tried everything. Nonthing works. I delete the files. On next reboot they are back again.Avg,hijackthis,regedit,toolbarcop,bitdefender,regcleaner,autoruns,adaware,Spybot Search and destroy. I reboot and bam wmram.exe right in my face. Its not even in system32 folder iv deleted it so much,but it still comes up in registry and log files. How do I get rid of this. I have a Windows xp installer cd,think windows repair might work? How can I kill this? God save me.