Comments / warning / whatever - Possible Trojan

02-05-2006, 20:47:07
... and a general request for info on prefetch (.pf) files.

Left the PC running on the broadband over the long weekend and overnight. This morning something called edlm2.exe kept running 2 instances at a time. The PC was saying it had to terminate, would I like to tell MS. Thing was for every 'yes terminate' I clicked, a new instance started that the PC wanted to terminate also.

Must be a trojan. Google didn't seem to have too many hits but found one at bakerstreet.joeuser.com that seemed useful. Pinpointed the reg entries and the real cause of the problem.

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64"
edlm.exe, edlm2.exe, ldr64.dll (all in C:\Windows\System32)

Editing the reg and rebooting seems to have cured it, unless it starts up again in a while.

Search found a file called EDLM2.EXE-06AA0737.pf that made me suspicious, which is why I wondered if anyone could shed light on prefetch files for me ?

03-05-2006, 10:54:16
Ok so no one has the gen on prefetch files.

Short search seems to suggest they are created by XP every time an exe file is run. Something to do with capturing what it needs in place to start faster. Weird, but hey ! at least it seems it's not what infected the PC but was just created afterwards.

Leaves me not knowing how the hell it got on my PC in the first place then. :( Still seems to have gone with the reg edit.
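
The two artefacts discussed in the posts above, the Winlogon `Notify` key and the Prefetch folder, can be listed together for triage. This is an added example, not code from the thread or from any tool mentioned in it; it assumes an elevated PowerShell prompt and default Windows paths, and the variable names are illustrative.

```powershell
# Added example, not from the thread. Read-only: it changes nothing.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$sys32     = Join-Path $env:SystemRoot 'System32'
$prefetch  = Join-Path $env:SystemRoot 'Prefetch'

# 1. Winlogon notification packages: each subkey's DllName is loaded by Winlogon.
$packages = @()
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem $notifyKey) {
        $dll = (Get-ItemProperty $sub.PSPath).DllName
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        # Assumption: a bare file name lives in System32, as ldr64.dll did in the thread.
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $sys32 $dll }
        $file = Get-Item -LiteralPath $dll -Force -ErrorAction SilentlyContinue
        $packages += New-Object PSObject -Property @{
            Package = $sub.PSChildName
            Dll     = $dll
            Company = $(if ($file) { $file.VersionInfo.CompanyName } else { '(file missing)' })
            Created = $(if ($file) { $file.CreationTime } else { $null })
        }
    }
}
$packages | Sort-Object Created |
    Select-Object Package, Dll, Company, Created | Format-Table -AutoSize

# 2. Prefetch: one NAME-HASH.pf per executable path that has been run.
#    CreationTime approximates the first run, LastWriteTime the most recent one.
$runs = @()
if (Test-Path $prefetch) {
    foreach ($pf in Get-ChildItem $prefetch -Filter *.pf) {
        if ($pf.Name -match '^(?<exe>.+)-(?<hash>[0-9A-F]{8})\.pf$') {
            $runs += New-Object PSObject -Property @{
                Exe      = $Matches.exe
                PathHash = $Matches.hash
                FirstRun = $pf.CreationTime
                LastRun  = $pf.LastWriteTime
            }
        }
    }
}
# Sorted by first run, so whatever executed just before an unknown
# program first appeared sits on the rows directly above it.
$runs | Sort-Object FirstRun |
    Select-Object FirstRun, LastRun, Exe, PathHash | Format-Table -AutoSize
```

A `Notify` package with an empty `Company` field or a recent `Created` date is worth a closer look, and the Prefetch timeline helps narrow down when an unfamiliar executable first ran.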

10-05-2006, 07:29:47
Ever felt you're being picked on ? Got a 2nd virus in 2 days ! Yet I've not clicked on any email attachments, nor installed anything. For that matter I've not visited any dodgy sites apart from Counterglow !

I'm fully up to date with Windows upgrades too.

Luckily it doesn't seem as if anything untoward has run, just got to my hard drive.

And to top it all off, and the reason I'm updating this thread, in the absence of any interest from others, is to get the following off my chest.

In the last few minutes, on my work PC, I clicked an innocuous looking link (it's coffee time so no lectures) to a page about iPod uses (don't even have one, was just curious) and 2 windows open, and the Norton opens up a further window claiming I've just received a virus infected file ! What the hell ?!?!?!

Soon it'll be the case that one dare not surf anywhere ! This just isn't on. :( :mad:

This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software which a reasonably security- or privacy-minded computer user may want to be informed of.

10-05-2006, 14:12:04

http://virusinfo.prevx.com/pxparall.asp?PX5=e57f632a6fc32c10000000e7284c0d00aab76d81

the text meant nothing to me, but it says edlm is bad

10-05-2006, 14:18:03

10-05-2006, 14:23:14

10-05-2006, 18:20:05
I run an extra anti-spyware layer at work because many clean sites often end up distributing viruses and/or spyware because someone hacks their major 3rd party advertiser.

Of course, I also get managerial memos that I am instructed to read through thoroughly, and those memos will often have 1 or more viruses embedded in them, but that's beside the point. ;)

11-05-2006, 08:27:00
Edlm was just the first of 3 infections, 2 at home (which were found during the regular scans), 1 at work (which Norton warned me about immediately).

I'd have to check the logs to recall the 2nd home one (something like /bagel.LM iirc), but the work one was WinFixer. As I have a decent broadband modem and a separate firewall one might hope these things would stay away, but PCs look very vulnerable to getting stuff loaded onto the hard disk, even if less vulnerable to being run.

Half the time I'm hoping the scan software does find something. There must be a reason the PC is so damn slow. I swopped a paid for McAfee for the free AVG because McAfee was taking 'all' the CPU. Now IE seems to want it all instead, even when the windows are minimised, or not doing anything much.

11-05-2006, 08:39:52
PS thanks for the links, especially the third one which I've only just opened, makes me wonder if there is a connection between the two home infections.

If so it's some new form as I can't find the .LM ending anywhere on the Net, but AVG says that's what it cleared out.

Sir Penguin
11-05-2006, 15:09:13
Time to reinstall your operating system.


11-05-2006, 15:25:35
Gary, you can get a lot of bad stuff from just browsing the web.

I now use PC Tools Spyware Doctor. They have a free scanner at:

I had a nasty little thing that none of the other anti-malware layers I used could get rid of. Spyware Doctor did.

If you get their Registry Mechanic, you should be aware that it has a TSR that it starts up on any normal startup that guards the Windows Registry. This will block you from being able to run a "chkdsk /f" at bootup, and force you to go disable that stealth feature in msconfig.exe (it literally is named blank in the registry, which looks very suspicious. Bastards). Shut that off, then set your chkdsk and reboot, and you'll be all set. Turn it back on if you want your registry guarded from various exploits once you are done with chkdsk on your c drive using msconfig.exe.

21-06-2006, 17:24:32