Author Topic: wmram.exe  (Read 16691 times)


sabit

  • Guest
wmram.exe
« on: July 26, 2005, 09:25:01 AM »
There is an exe file in c:\winnt\system32 named wmram.exe; it periodically spawns several of its own instances and bogs the system down to a halt. Avast or Spybot does not detect it as suspicious activity. Where should I post the exe for inspection?

Omar

  • Guest
Re: wmram.exe
« Reply #1 on: July 26, 2005, 11:38:49 AM »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: wmram.exe
« Reply #2 on: July 26, 2005, 01:59:37 PM »
I'm sad to note another detection failure  :'(  :P
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: wmram.exe
« Reply #3 on: July 26, 2005, 02:55:54 PM »
Google only finds one hit for this (.pl site) so if it was known, I would have expected many more, so this could quite well be a new or modified variant of adware/spyware.

The .pl link shows three hits, this is one http://forum.gazeta.pl/forum/72,2.html?f=430&w=25418562&a=25419031 and this shows it being shown in HiJackThis, so it should be able to fix it by deleting the run command, stopping the process in Task Manager and then deleting the file.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2

OR
- Post your hijackthis-Log here for a diagnosis: tomcoyote.org/hjt
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33920
  • malware fighter
Re: wmram.exe
« Reply #4 on: July 26, 2005, 06:47:02 PM »
Hello sabit,

I have read the advice on the Polish reference at Gazeta.pl forum (the biggest online magazine of Poland) and I suggest you download Toolbarcop 3.3. at this link:
http://www.majorgeeks.com/download4126.html to take this BHO out in a decent way, success,

Have a nice day,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: wmram.exe
« Reply #5 on: July 26, 2005, 07:15:50 PM »
Very handy having someone on the forums who can read Polish 'polonus', as my favourite tool Alta Vista Babel Fish doesn't translate Polish.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33920
  • malware fighter
Re: wmram.exe
« Reply #6 on: July 26, 2005, 09:00:42 PM »
Czesc DavidR,

Well, sometimes it comes in handy; actually the Polish thread on the Gazeta Forum advised to use killbox to take this "robak" out (robak=vermin is the Polish term for worm, sometimes they say robak-worm). There are not that many Dutch with a fair command of Polish, but in order to be able to communicate with your in-laws one does a lot. I finally mastered it, although it was murderously difficult, especially for people that speak a Germanic language like Dutch, but then later you also have access to antivirus-forums (dostep do forum antywirusowego). Glad I could help you out here. You're welcome.

Greets (=pozdrawiam)

polonus
« Last Edit: July 26, 2005, 09:03:59 PM by polonus »

riowalker

  • Guest
Re: wmram.exe
« Reply #7 on: August 05, 2005, 08:16:08 AM »
Hi,

The only way to kill this file is to download killbox.exe http://www.bleepingcomputer.com/files/killbox.php , very safe. Find the file path, (Replace on Reboot) make sure you check use dummy file (very important). File gone.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: wmram.exe
« Reply #8 on: August 05, 2005, 03:21:53 PM »
Quote
The only way to kill this file is to download killbox.exe
I strongly doubt that this is the only way to kill this, not only did 'polonus' give a link to toolbarcop, which by all accounts can get rid of this (possibly supported by the fact that the original poster didn't come back for more help).
There are many tools to kill a file on next boot, HiJackThis for one so they too would delete the file. However simply getting rid of the file may not resolve the problem as there are associated registry entries which will need removal and for this I would suggest the link 'polonus' gave for a tool bar removal tool or HiJackThis.

riowalker

  • Guest
Re: wmram.exe
« Reply #9 on: August 05, 2005, 08:02:50 PM »
Hijack will not work, trust me, I've tried everything.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: wmram.exe
« Reply #10 on: August 05, 2005, 09:59:21 PM »
HJT has a function to 'delete a file on reboot' in the Configuration, Misc Tools section.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33920
  • malware fighter
Re: wmram.exe
« Reply #11 on: August 05, 2005, 10:00:15 PM »
Hi riowalker and DavidR,

I agree with DavidR that toolbarcop can do the job. There are a few other things to consider in this why riowalker may have reacted in the way he did. In the first place cleaning files and killing processes is best done in safe mode. And the second thing and not a lot of people know this: SpywareBlaster can be a two-sided sword if it is installed on a machine that is not clean. It can actually keep the trash on your comp. This is a known fact. SpywareBlaster is a great security tool but ONLY THEN when it is installed on a 100% clean system.

yours truly,

polonus

riowalker

  • Guest
Re: wmram.exe
« Reply #12 on: August 05, 2005, 11:32:45 PM »
It seems possible that there are many ways to delete the wmram.exe. Good luck.

Martin221

  • Guest
Re: wmram.exe
« Reply #13 on: September 07, 2005, 02:45:42 PM »
wmram.exe is part of a virus
unstoppable, undeletable, creating multiple instances
and even recreating after deletion with ultimate boot CD
it's part of a brand new virus !

This virus got the name
TR.Grobot
as H+BEDV Datentechnik GmbH the programmers of
AntiVir explained in an email I got today.

Next version of AntiVir will know this virus signature.

The virus was seeded by the freeware "Change Harddisk .. ID"
offered by Softpedia who deleted their offer in the meantime.

The best way to get rid of this virus: Backup your data on CD
and rebuild your whole system from scratch beginning with
formatting your harddisk.

adam666

  • Guest
Re: wmram.exe
« Reply #14 on: September 17, 2005, 11:36:31 AM »
regular ms birthdays do ensure maximum system performance :)

anyhow,

download 'Autoruns' [http://www.sysinternals.com/utilities/autoruns.html]
and extract it somewhere

reboot into safemode

load autoruns, and check out all the stuff that usually starts up :)
plenty of crap to untick right?!!

look for section:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run         

and entry:

wininfo   System Information   (Not verified) Microsoft Corporation   c:\windows\system32\wmram.exe

untick it (and the rest of that stuff that doesn't need to be there!) and presto ur set to reboot and back to normal...

NOTE:
I'm not convinced it's a virus as such but it certainly is annoying,
I did NOT download the earlier specified program by 'sophos or watever' and as such have no idea how this file came to be on my pc. which is frustrating!

but this gets rid of it if cant be arsed reformat/installing  ;D

cheers
Adam
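
The Run-key check described in the post above, as an added example that is not part of the original thread: it lists autostart entries and flags any whose file claims a Microsoft publisher but carries no valid Authenticode signature, which is the "(Not verified) Microsoft Corporation" pattern Autoruns showed for wmram.exe. The HKLM key and the helper name `Get-ExePathFromCommand` are assumptions added for illustration.

```powershell
# Added example: audit Run-key autostart entries for files that claim to be
# from Microsoft but are not validly signed (as Autoruns reported for wmram.exe).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',   # key named in the post
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'    # assumption: machine-wide equivalent
)

# Hypothetical helper: pull the executable path out of a Run-key command line.
function Get-ExePathFromCommand {
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # Quoted path: take what is inside the first pair of quotes.
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path: take everything up to the first ".exe".
    if ($expanded -match '^(.+?\.exe)\b') { return $Matches[1] }
    return $expanded
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $path      = Get-ExePathFromCommand ([string]$item.GetValue($name))
        $company   = $null
        $sigStatus = 'FileMissing'
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # Version-resource strings are set by whoever built the file and prove nothing.
            $company   = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            $sigStatus = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }
        [pscustomobject]@{
            Key        = $key
            Name       = $name
            Path       = $path
            Company    = $company
            Signature  = $sigStatus
            # Claimed Microsoft publisher without a valid signature is worth a closer look.
            Suspicious = ($company -like '*Microsoft*' -and $sigStatus -ne 'Valid')
        }
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The script only reads the registry and file metadata; it removes nothing, so flagged entries still need to be reviewed and disabled by hand.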