Counterglow Forums  

#1  Gary  02-05-2006, 20:47:07
Putting you lot right since 2001
Join Date: Nov 2001
Location: Home

Comments / warning / whatever - Possible Trojan

... and a general request for info on prefetch (.pf) files.

Left the PC running on the broadband over the long weekend and overnight. This morning something called edlm2.exe kept running 2 instances at a time. The PC was saying it had to terminate; would I like to tell MS? Thing was, for every 'yes, terminate' I clicked, a new instance started that the PC wanted to terminate also.

Must be a trojan. Google didn't seem to have too many hits, but found one at bakerstreet.joeuser.com that seemed useful. Pinpointed the reg entries and the real cause of the problem.

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64"
edlm.exe, edlm2.exe, ldr64.dll (all in C:\Windows\System32)

Editing the reg and rebooting seems to have cured it, unless it starts up again in a while.

Search found a file called EDLM2.EXE-06AA0737.pf that made me suspicious, which is why I wondered if anyone could shed light on prefetch files for me?
__________________
Aleph-null bottles of beer on the wall,
Aleph-null bottles of beer,
You take one down, and pass it around,
Aleph-null bottles of beer on the wall.
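The registry key in the post is a classic boot-persistence point: every subkey under Winlogon\Notify names a DLL that winlogon.exe loads at logon, so a loader DLL registered there (ldr64.dll) comes back on every reboot, which is why deleting the subkey was the fix. The following is an added example of my own, not code from the thread: it parses a regedit export of the Notify key (so it runs offline) and flags packages that are absent from a baseline. The baseline set, the value names in the sample export and the System32 collection path are assumptions; only the ldr64 subkey and ldr64.dll file name come from the post.

```python
r"""Triage Winlogon Notify packages from a regedit export (added example, not the post's).

Every subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
names a DLL that winlogon.exe loads at logon. Parsing an export of that key
(regedit: File > Export) keeps this runnable without a live Windows box.
"""
import re
from typing import Dict, List

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
NOTIFY_KEY_SHORT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# ASSUMPTION: a baseline of Notify subkeys recorded from a known-clean machine of the
# same build. The names below are illustrative; capture your own rather than trust them.
BASELINE_SUBKEYS = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                    "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

# Constructed sample export. Only the subkey name ldr64 and the file name ldr64.dll
# come from the post; every other value here is hypothetical.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,\
  64,00,6c,00,6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"DllName"="ldr64.dll"
"Startup"="WinLogon"
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")


def decode_reg_value(raw: str) -> object:
    """Decode the common .reg encodings: "string", dword:, hex:/hex(n):."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = _HEX_RE.match(raw)
    if m:
        data = bytes(int(h, 16) for h in m.group(2).split(",") if h)
        if m.group(1) in ("2", "7"):              # REG_EXPAND_SZ / REG_MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: value}} from regedit export text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        while line.endswith("\\"):                # regedit wraps long hex data
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = decode_reg_value(m.group(2))
    return keys


def triage_notify(export_text: str, baseline=BASELINE_SUBKEYS) -> List[Dict[str, object]]:
    """List each Notify package, its DLL, why it is suspicious, and how to remove it."""
    prefix = NOTIFY_KEY.lower() + "\\"
    baseline_lc = {b.lower() for b in baseline}
    findings = []
    for path, values in parse_reg_export(export_text).items():
        if not path.lower().startswith(prefix):
            continue
        subkey = path[len(prefix):]
        if "\\" in subkey:                        # nested keys are not packages
            continue
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), "")
        reasons = []
        if subkey.lower() not in baseline_lc:
            reasons.append("subkey not in clean baseline")
        # A bare file name goes through the DLL search path; winlogon.exe lives in
        # System32, so that is the assumed place to collect the sample from.
        collect = str(dll) if "\\" in str(dll) else "C:\\WINDOWS\\system32\\" + str(dll)
        findings.append({
            "subkey": subkey, "dll": dll, "reasons": reasons, "collect": collect,
            # winlogon keeps the DLL loaded; the key deletion takes effect after a reboot.
            "remediation": f'reg delete "{NOTIFY_KEY_SHORT}\\{subkey}" /f' if reasons else "",
        })
    return findings


if __name__ == "__main__":
    for f in triage_notify(SAMPLE_EXPORT):
        flag = "SUSPECT" if f["reasons"] else "ok"
        print(f"{flag:7} {f['subkey']:14} {f['dll']}  {'; '.join(f['reasons'])}")
```

Collect the flagged DLL for hashing before deleting the key; once the key is gone and the machine rebooted, winlogon no longer loads it and the file can be removed.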
#2  Gary  03-05-2006, 10:54:16
OK, so no one has the gen on prefetch files.

Short search seems to suggest they are created by XP every time an exe file is run. Something to do with capturing what it needs in place to start faster. Weird, but hey! At least it seems it's not what infected the PC, but was just created afterwards.

Leaves me not knowing how the hell it got on my PC in the first place, then. Still seems to have gone with the reg edit.
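The .pf file is worth more than a curiosity: besides the list of pages the loader should fetch, an XP prefetch file records a last-run FILETIME and a run counter, so EDLM2.EXE-06AA0737.pf is evidence that edlm2.exe executed, and when. The following is an added example of my own, not code from the thread. It parses the format-version-17 (XP/2003) header using the offsets documented by the open-source libscca project, and checks that the file name agrees with the name and hash stored inside it. The sample bytes are constructed here (only the executable name and the 06AA0737 hash are taken from the poster's file name; the timestamp and run count are made up), so the result says nothing about the poster's actual file.

```python
r"""Parse the header of a Windows XP prefetch (.pf) file (added example, not the post's).

XP writes <EXE>-<HASH>.pf into C:\WINDOWS\Prefetch after an executable runs.
Offsets below follow the format-version-17 layout documented by libscca:
  0x00 version, 0x04 "SCCA", 0x0C file size, 0x10 executable name (UTF-16LE, 60 bytes),
  0x4C path hash, 0x78 last run FILETIME, 0x90 run count.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict

SCCA_VERSION_XP = 0x11        # 17 = Windows XP / Server 2003
SCCA_SIGNATURE = b"SCCA"
XP_HEADER_SIZE = 0x98         # 0x54 header + 0x44 XP file-information block
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - _EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_xp_prefetch(data: bytes) -> Dict[str, object]:
    """Extract executable name, path hash, last run time and run count."""
    if len(data) < XP_HEADER_SIZE:
        raise ValueError("file too short for an XP prefetch header")
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != SCCA_SIGNATURE:
        raise ValueError("no SCCA signature: not a prefetch file")
    if version != SCCA_VERSION_XP:
        raise ValueError(f"format version {version} is not the XP layout handled here")
    # 0x10..0x4C: executable name, UTF-16LE, NUL terminated (at most 29 characters)
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)
    (last_run_ft,) = struct.unpack_from("<Q", data, 0x78)
    (run_count,) = struct.unpack_from("<I", data, 0x90)
    return {
        "executable": exe_name,
        "path_hash": path_hash,
        "file_size": file_size,
        "last_run": filetime_to_datetime(last_run_ft),
        "run_count": run_count,
    }


def expected_pf_name(exe_name: str, path_hash: int) -> str:
    """Prefetch files are named <EXE>-<8 hex digit hash>.pf."""
    return f"{exe_name}-{path_hash:08X}.pf"


def check_pf(filename: str, data: bytes) -> Dict[str, object]:
    """Parse and confirm the on-disk name matches what the header says.

    A mismatch means the file was renamed or planted rather than written by XP.
    """
    info = parse_xp_prefetch(data)
    expected = expected_pf_name(str(info["executable"]), int(info["path_hash"]))
    info["name_matches"] = filename.upper() == expected.upper()
    return info


def build_xp_prefetch(exe_name: str, path_hash: int, last_run: datetime, run_count: int) -> bytes:
    """Constructed minimal XP header for offline testing (not a real capture)."""
    buf = bytearray(XP_HEADER_SIZE)
    struct.pack_into("<I4sII", buf, 0, SCCA_VERSION_XP, SCCA_SIGNATURE, 0x0F, XP_HEADER_SIZE)
    name = exe_name.encode("utf-16-le")
    if len(name) > 0x3A:
        raise ValueError("executable name longer than the 29-character field")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, path_hash)
    struct.pack_into("<Q", buf, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x90, run_count)
    return bytes(buf)


# Constructed sample: name and hash come from the post's file name EDLM2.EXE-06AA0737.pf;
# the last-run time and run count are made up for the demonstration.
SAMPLE_LAST_RUN = datetime(2006, 5, 2, 7, 15, 0, tzinfo=timezone.utc)
SAMPLE_PF = build_xp_prefetch("EDLM2.EXE", 0x06AA0737, SAMPLE_LAST_RUN, 3)

if __name__ == "__main__":
    for key, value in check_pf("EDLM2.EXE-06AA0737.pf", SAMPLE_PF).items():
        print(f"{key:>12}: {value}")
```

On a real file, read C:\WINDOWS\Prefetch\EDLM2.EXE-06AA0737.pf into `data` and call `check_pf` with its name; the last-run time is the anchor for the rest of the timeline (what else ran around then, when the Notify key was written).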
#3  Gary  10-05-2006, 07:29:47
Ever felt you're being picked on? Got a 2nd virus in 2 days! Yet I've not clicked on any email attachments, nor installed anything. For that matter I've not visited any dodgy sites apart from Counterglow!

I'm fully up to date with Windows upgrades too.

Luckily it doesn't seem as if anything untoward has run, just got to my hard drive.

And to top it all off, and the reason I'm updating this thread, in the absence of any interest from others, is to get the following off my chest.

In the last few minutes, on my work PC, I clicked an innocuous-looking link (it's coffee time, so no lectures) to a page about iPod uses (don't even have one, was just curious) and 2 windows open, and then Norton opens up a further window claiming I've just received a virus-infected file! What the hell?!?!?!

Soon it'll be the case that one dare not surf anywhere! This just isn't on.


Quote:
This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software which a reasonably security-or privacy-minded computer user may want to be informed of.
#4  MDA  10-05-2006, 14:12:04
Registered User
Join Date: Nov 2001
Location: updated his email address and can look but not post
ug.

http://virusinfo.prevx.com/pxparall....4c0d00aab76d81

The text meant nothing to me, but it says edlm is bad.
#5  MDA  10-05-2006, 14:18:03
http://ivic.zonelabs.com/tmpl/body/C....jsp?VId=51568
#6  MDA  10-05-2006, 14:23:14
http://securityresponse.symantec.com...beagle.dv.html
#7  Darkstar  10-05-2006, 18:20:05
will bitch for beer
Join Date: Nov 2001
Location: Rocket City
I run an extra anti-spyware layer at work, because many clean sites end up distributing viruses and/or spyware when someone hacks their major 3rd-party advertiser.

Of course, I also get managerial memos that I am instructed to read through thoroughly, and those memos will often have 1 or more viruses embedded in them, but that's beside the point.
__________________
> clue++;
> display clue;
-878923403
#8  Gary  11-05-2006, 08:27:00
Edlm was just the first of 3 infections: 2 at home (which were found during the regular scans), 1 at work (which Norton warned me about immediately).

I'd have to check the logs to recall the 2nd home one (something like /bagel.LM iirc), but the work one was WinFixer. As I have a decent broadband modem and a separate firewall, one might hope these things would stay away, but PCs look very vulnerable to getting stuff loaded onto the hard disk, even if less vulnerable to being run.

Half the time I'm hoping the scan software does find something. There must be a reason the PC is so damn slow. I swapped a paid-for McAfee for the free AVG because McAfee was taking 'all' the CPU. Now IE seems to want it all instead, even when the windows are minimised, or not doing anything much.
#9  Gary  11-05-2006, 08:39:52
PS: thanks for the links, especially the third one, which I've only just opened; it makes me wonder if there is a connection between the two home infections.

If so it's some new form as I can't find the .LM ending anywhere on the Net, but AVG says that's what it cleared out.
#10  Sir Penguin  11-05-2006, 15:09:13
Wise sprite
Join Date: Nov 2001
Location: command.com
Time to reinstall your operating system.

SP
__________________
Whether 'tis nobler in the plane to suffer
The asps and adders of outrageous fortune,
Or to take arms against a sea of bitch-ass motherfuckers
And by opposing fuck them up?

-- Samuel L. Jackson as Hamlet
#11  Darkstar  11-05-2006, 15:25:35
Gary, you can get a lot of bad stuff from just browsing the web.

I now use PC Tools Spyware Doctor. They have a free scanner at:
http://www.pctools.com/spyware-doctor/

I had a nasty little thing that none of the other anti-malware layers I used could get rid of. Spyware Doctor did.

If you get their Registry Mechanic, you should be aware that it has a TSR that it starts up on any normal startup that guards the Windows Registry. This will block you from being able to run a "chkdsk /f" at bootup, and force you to go disable that stealth feature in msconfig.exe (it literally is named blank in the registry, which looks very suspicious. Bastards). Shut that off, then set your chkdsk and reboot, and you'll be all set. Turn it back on, using msconfig.exe, if you want your registry guarded from various exploits once you are done with chkdsk on your C: drive.
#12  MattHiggs  21-06-2006, 17:24:32
Higgelhoff
Join Date: Nov 2001
Location: Worsley
Bump
All times are GMT.