Author Topic: wmram.exe  (Read 16693 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33920
  • malware fighter
Re: wmram.exe
« Reply #15 on: September 17, 2005, 05:42:27 PM »
Hi ye all,

The software Change Harddisk Volume 1.0 (of mPVO Software) apparently came with this worm, demolishing the system; people that use this software are advised to change to Volume ID 2.0 now (made by Sysinternals). There are more people that signal that other software has been infected and trojaned with TR Grobot. What is this trojan, and what is its action? The infection comes from CDs that go with PC magazines.

greets,

polonus
« Last Edit: September 17, 2005, 05:49:58 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

navybuff

  • Guest
Re: wmram.exe, wmpcld.dll, stunel.dll, winifo.dll
« Reply #16 on: September 25, 2005, 08:13:06 PM »
OK, I worked on this for 5 hours.  I too used the Volume ID change program when upgrading my HD.  All of the processes above did not work to delete this trojan, they did however give me several clues and some great links.

I am running Trend Micro 2005 and there is nothing about this Trojan.Grobt on their website.  Here is what I did to delete the Trojan.

First, I went to the Bitdefender website and d/l a 30 day copy of their virus program.

Then, turn off your existing virus protection and/or uninstall if you have a high speed internet connection.  I did not do this and I paid a 2 hour price trying to resolve conflicts, it took forever to load BD, but finally did.

Then update Bitdefender and do a scan on the Winnt directory, BAM, found the following and moved them to Quarantine:

c:\winnt\system32\wmram.exe   infected: Trojan.Grobt
c:\winnt\system32\winifo.dll        infected: Trojan.Grobt
c:\winnt\system32\wmpcld.dll     infected: Trojan.Grobt
c:\winnt\system32\stunel.dll       infected: Trojan.Grobt

Additional files that were found later were DC34.exe & DC33.exe with the same trojan.

These two files:

c:\winnt\system32\wmpcld.dll     infected: Trojan.Grobt
c:\winnt\system32\stunel.dll       infected: Trojan.Grobt

may reside in a different location, but BD will find them.

As soon as the scan was complete I checked my running processes and found that  WMRAM / WININFO were not running.  I went to the registry and deleted all references to these 4 files.  (Backup [export] first).

Do a full system scan with BD, this will take a couple of hours.  I was shocked as to all the stuff it found, mostly in the email backups starting in Feb of 2000.

I first started using BD about 1.5 years ago and liked it but it was very slow.  I changed to Trend Micro.  After this, I think I will return to BD, they have come a long way in a year & a half.....

Hope this helps guys...

« Last Edit: September 25, 2005, 08:16:39 PM by navybuff »
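
The registry step in the post above (export a backup, then remove every reference to the four files) can be checked against the export itself. The following is an added example, not part of the original thread: it lists every value in a regedit export that names one of the flagged files, including string values that regedit writes as hex bytes. The sample export, its key names and its value names are constructed placeholders.

```python
import re

# File names flagged by the scan in the post above.
FLAGGED = ("wmram.exe", "winifo.dll", "wmpcld.dll", "stunel.dll")

# Constructed sample export: key and value names are placeholders, because
# the thread does not say where the trojan registers itself.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleLoader"="C:\\WINNT\\system32\\wmram.exe"
"ExampleAV"="C:\\Program Files\\ExampleAV\\av.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Plugins]
@="c:\\winnt\\system32\\WMPCLD.DLL"
"Expand"=hex(2):73,00,74,00,75,00,6e,00,65,00,6c,00,2e,00,\
  64,00,6c,00,6c,00,00,00
'''

def decode_export(raw: bytes) -> str:
    """Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 exports are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def value_text(data: str, unicode_hex: bool) -> str:
    """Decode hex(2)/hex(7) string data, which hides names from a plain text search."""
    m = re.match(r"hex\([27]\):(.*)", data)
    if not m:
        return data
    blob = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
    return blob.decode("utf-16-le" if unicode_hex else "cp1252", errors="replace")

def find_references(text: str, names=FLAGGED):
    """Return (key, value name, file name) for each value that names a flagged file."""
    unicode_hex = text.startswith("Windows Registry Editor")
    folded = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    key, hits = None, []
    for line in folded.splitlines():
        line = line.strip()
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and m:
            haystack = value_text(m.group(2), unicode_hex).lower()
            hits += [(key, m.group(1).strip('"'), n) for n in names if n in haystack]
    return hits

if __name__ == "__main__":
    for key, value, name in find_references(SAMPLE_EXPORT):
        print(f"{name:12} {key} -> {value}")
```

For a real export, read the file as bytes, pass it through `decode_export`, and review each hit before deleting anything.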

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: wmram.exe, wmpcld.dll, stunel.dll, winifo.dll
« Reply #17 on: September 26, 2005, 03:18:00 AM »
c:\winnt\system32\wmram.exe   infected: Trojan.Grobt
c:\winnt\system32\winifo.dll        infected: Trojan.Grobt
c:\winnt\system32\wmpcld.dll     infected: Trojan.Grobt
c:\winnt\system32\stunel.dll       infected: Trojan.Grobt
c:\winnt\system32\wmpcld.dll     infected: Trojan.Grobt
c:\winnt\system32\stunel.dll       infected: Trojan.Grobt
Can you send the samples to virus@avast.com ?
You can zip and password the files... Inform a link to this thread and the password used.
Or you can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.
If this is confirmed, it's a shame this lack of detection  :o
The best things in life are free.

navybuff

  • Guest
Re: wmram.exe
« Reply #18 on: September 26, 2005, 06:09:24 AM »
Unfortunately I deleted all files. I thought about it after I had done it, that it was probably not a good idea, sorry.

afunguy24

  • Guest
Re: wmram.exe, wmpcld.dll, stunel.dll, winifo.dll
« Reply #19 on: October 10, 2005, 10:16:28 AM »
c:\winnt\system32\wmram.exe   infected: Trojan.Grobt
c:\winnt\system32\winifo.dll        infected: Trojan.Grobt
c:\winnt\system32\wmpcld.dll     infected: Trojan.Grobt
c:\winnt\system32\stunel.dll       infected: Trojan.Grobt
c:\winnt\system32\wmpcld.dll     infected: Trojan.Grobt
c:\winnt\system32\stunel.dll       infected: Trojan.Grobt
Can you send the samples to virus@avast.com ?
You can zip and password the files... Inform a link to this thread and the password used.
Or you can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.
If this is confirmed, it's a shame this lack of detection  :o

I'd be happy to send the files to every antivirus group out there if after I do you can help me get this crap off my PC.

:\winnt\system32\wmram.exe   infected: Trojan.Grobt
c:\winnt\system32\winifo.dll        infected: Trojan.Grobt
c:\winnt\system32\wmpcld.dll     infected: Trojan.Grobt
c:\winnt\system32\stunel.dll       infected: Trojan.Grobt
c:\winnt\system32\wmpcld.dll     infected: Trojan.Grobt
c:\winnt\system32\stunel.dll       infected: Trojan.Grobt

I can't seem to get rid of these. I have tried everything. Nothing works. I delete the files. On next reboot they are back again. AVG, HijackThis, regedit, ToolbarCop, BitDefender, RegCleaner, Autoruns, Ad-Aware, Spybot Search and Destroy. I reboot and bam, wmram.exe right in my face. It's not even in the system32 folder, I've deleted it so much, but it still comes up in registry and log files. How do I get rid of this? I have a Windows XP installer CD, think Windows repair might work? How can I kill this? God save me.

afunguy24

  • Guest
Re: wmram.exe
« Reply #20 on: October 10, 2005, 11:26:42 AM »
AVG sux. All I did was download Norton SARC; after 5 minutes the virus was gone. Scanned one folder, detected and deleted. All ten of those programs I tried, none of them worked. Didn't even have to run thru safe mode.