
(Computer-related) This happened to me yesterday...

Discussion in 'Off Topic [BG]' started by Alvaro Martín Gómez A., Apr 17, 2006.

  1. Alvaro Martín Gómez A.

    Alvaro Martín Gómez A. TalkBass' resident Bongo + cowbell player

    ...and I think it's good to share my experience with all of you:

    Last night, my computer started to show a very weird behavior. Specifically, it became extremely slow, which is a very common situation among Windows users, but not for me because I know how to take care of it. I periodically delete unnecessary files, keep my antivirus software updated as well as my anti-spyware programs, also clean the registry...

    So I had no clue until my firewall (Sygate) started showing a message about a program called edlm2.exe asking for permission to connect to the Internet. Today, after some research (Google has all the answers), I found this:


    (New?) Trojan Warning

    ...and thanks to Sysinternals

    Sunday, March 05, 2006 By BakerStreet Discussion: PersonalComputing

    I've been wrestling with my pc for two days, and thanks to the tools at Sysinternals, I think I tracked down my problem.

    I have been infected with what I think may be a variant of TROJ_BAGLE.DM. I noticed crashes on every program that accessed the internet, and 100% CPU usage. I tracked the usage to winlogon.exe with ProcessExplorer, and found a file called mloader32.dll that I hadn't seen before and that didn't even draw hits on Google. After removing it, my CPU usage went back to normal, but my Internet-able applications still continued to crash, including my virus checker when I tried to update my definitions.

    Using the filemon and regmon programs from sysinternals, I banged around looking at the various Internet-able programs and found every one was creating files called edlm.exe, and edlm2.exe in my system folder. Accessing the registry to get the shell folders seemed to be causing some sort of a buffer overflow.

    Once I found that, I realized that, again, winlogon was loading stuff before each crash which was prompting the programs to create the files. I found that it was loading a file that DID pop up on a Google search, called ldr64.dll. It is part of the TROJ_BAGLE.DM trojan. Evidently I was somehow infected on the 27th of last month. The registry key in question to get the process started is:

    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64"

    I'm not sure if this is a new variant of the older trojan or if more than one was working in tandem, but I was troubled that the first file I found wasn't listed, nor were the two exe files that it created by way of the legit programs. My virus checker seemed oblivious, maybe because it was unable to update.

    Just thought I'd post my travails in case anyone else has the problem. I wanna give a big shout-out to Sysinternals for offering some great apps so that I didn't have to reinstall my ancient copy of Visual C++.

    I didn't find a file called mloader32.dll, but edlm.exe, edlm2.exe, ldr64.dll and the registry entry were in my system. What worried me the most is that I'm EXTREMELY CAREFUL about viruses and spyware, so I don't know how I got that. Before deleting the files, I scanned them with my updated antivirus (Avast) and it didn't report anything. Same with Ad-Aware, Spybot S&D and SpywareBlaster. I could delete the registry key from Regedit, but I had to reboot my system in safe mode since the files were "working", and after deleting them, everything is back to normal. So if you notice that your PC is becoming slow with no apparent reason, look for those files in your C:\WINDOWS\system32 folder. Also open Regedit and search for the key above (this is very important because it recreates edlm.exe and edlm2.exe on each startup if you delete them). Then KILL'EM ALL!

    Just in case. Hope this info will be helpful.
  2. Yay for Windows.
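
The check described in the first post (inspect the Winlogon\Notify key and the DLL each entry loads), as an added example that is not part of the thread: this Python script parses a `reg export` of that key, lists every notification package with its DLL, and flags the names reported above. The sample export, the `example_pkg` subkey and the value data shown under `ldr64` are constructed for illustration.

```python
import ntpath
import re

NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
REPORTED_KEY = "ldr64"  # subkey named in the post
REPORTED_FILES = {"edlm.exe", "edlm2.exe", "ldr64.dll", "mloader32.dll"}

# Constructed sample in .reg export format (not from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example_pkg]
"DllName"=hex(2):65,00,78,00,61,00,6d,00,70,00,6c,00,65,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64]
"DllName"="C:\\WINDOWS\\system32\\ldr64.dll"
"Impersonate"=dword:00000000
'''

def decode_value(raw):
    """Decode a REG_SZ ("...") or REG_EXPAND_SZ (hex(2):...) export value."""
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw.strip('"').replace("\\\\", "\\")

def notify_packages(reg_text):
    """Map each Winlogon\\Notify subkey name to the DLL it makes winlogon load."""
    text = re.sub(r"\\\r?\n\s*", "", reg_text)  # join hex continuation lines
    prefix, packages, key = NOTIFY.lower() + "\\", {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            path = line.strip("[]")
            key = path[len(prefix):] if path.lower().startswith(prefix) else None
        elif key and line.lower().startswith('"dllname"='):
            packages[key] = decode_value(line.split("=", 1)[1])
    return packages

def flag_reported(packages):
    """Return (subkey, dll) pairs matching a name reported in the thread."""
    return [(key, dll) for key, dll in sorted(packages.items())
            if key.lower() == REPORTED_KEY
            or ntpath.basename(dll).lower() in REPORTED_FILES]

if __name__ == "__main__":
    for key, dll in notify_packages(SAMPLE).items():
        print(key, "->", dll)
    print("matches:", flag_reported(notify_packages(SAMPLE)))
```

Files written by `reg export` are UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text to `notify_packages`. Any listed package whose DLL you cannot account for deserves a closer look, not only the names matched here.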
