"Freshbind" problem (?)



Alzheimer?
2007-02-11, 09:27
Writing time: 6:33 AM 10-Feb-07
To: Safer Networking Forums

Specs: DELL Optiplex GX110, Intel Pentium III 800 megahertz ; 64MB RAM; Win98SE

Re: "Freshbind"

Question: Can anyone tell me for sure that IRSETUP.LGC is a malware file
that I should allow Spybot to "fix"? It doesn't look malicious to me and I'm
afraid it might be some kind of required valid file. Looks like a log.


Note: I note the latest update list at Forum mentions "Win32.IRCBot.yh".
Has this anything to do with "IRSETUP.LGC" or "IRSETUP.EXE"?


Just a while ago I updated and then ran Spybot. It reported a bot by name
of "Freshbind". The explanation in the right pane was unclear and ambiguous
to me. It did not help me decide what to do next. I'm not too 'up' on this and
was reluctant to "repair" anything, lest this was a false alert which might
cause me to possibly delete some required files in Windows. Happened before.

Please see attached "SpybotResult10Feb07.doc" file. Since I couldn't "copy &
paste" anything from the Spybot results window, I took a screen shot, saved
& split into 2 parts & enlarged each for better read, in Word. In case it's not
possible to attach, the below is a summary of content:

The first part shows the Spybot scan result, which was:

Freshbind
Log file
C:\WINDOWS\APPLOG\IRSETUP.EXE

Autorun settings
C:\WINDOWS\WININIT.INI

The 2nd part defines the Freshbind bot thing and is rather long:

Company: EvilEyeSoftware
Product: Freshbind2.01
Threat: Malware

Functionality: Freshbind 2.0 is a file binder which U can use to
combine 2 or more files into one executable... etc., etc. ...


Later I first checked out the implicated files via my old XTREE GOLD, XTREE
viewer. This allowed me to view the guts of these files passively for clues
as to their true nature and origin, before attempting a Spybot 'repair' :


In: "c:\windows\wininit.ini" (implicated by Spybot) I found only this entry :

[Rename]
NUL=C:\WINDOWS\TEMP\irsetup.exe


NOTE:
As I had not yet asked Spybot to repair anything, I think the entry may have
been made by some earlier 'anti-malware' or 'cleaner' I may have run just
prior. In any case, Spybot implicated this entry. I think maybe wininit.ini was
to be deleted on reboot automatically by Windows. Is Spybot just trying to
speed up the inevitable? Perhaps I should have rebooted before I ran it.

---------------------

In c:\windows\applog I found some files which may be related to the
Spybot report on the "Freshbind" find:

1 API_IRIS.LGC
2 IRSETUP.LGC (file date:10-Feb-07) <--- implicated by Spybot
3 ISIGNUP.LGC

NOTE:
I could not find any data in these files which revealed their origin or purpose.
I left them in place as is.

--------------------

I've been using XTREE on this old Win 98 comp for years and never had any
problems. Now, I was experiencing some problems and could not escape out
of a pane, as usual, by pressing the "Esc" key. This had never happened
before and appeared to have started only after I ran the "just-updated" Spybot.

Currently I still don't know whether it was just a 'puter glitch or Spybot related. Probably a glitch in the old box.

Afterwards, I re-booted to see how this would change the wininit.ini content
and if this fixed my XTREE DOS File Manager.

--------------------
After re-boot:

XTREE back to normal
wininit.ini was gone

NOTE: I FORGOT TO LOOK INTO C:\WINDOWS\TEMP initially but now it did not have the file "irsetup.exe" in it any more.

--------------------

Really appreciate any info on this from anyone at this forum. I especially
don't understand the 'Freshbind' thing.

Thank you,

Jed... :red:

pskelley
2007-02-12, 14:22
Hello Jed and welcome to the forum. You said Windows 98 and that creates issues since Microsoft no longer supports that Operating System and most of the tools we use will not run on it, but I will still do what I can to help, if you will do a few things for me.

Look up at the top of the forum where you posted and you will see important Pinned information, especially this:
"BEFORE you POST" -Preliminary Steps
http://forums.spybot.info/showthread.php?t=288
Read and follow directions and post the antivirus scan report and the HJT log using Post Reply to stay in this topic. I will be notified when you post and respond as soon as possible after that.

I also used http://www.google.com/ for you if it helps:
http://www.google.com/search?hl=en&q=Freshbind&btnG=Search

Thanks

Alzheimer?
2007-02-19, 13:28
To: pskelly

Thanx yr response. Appreciate. Sorry late. Bad connect
here - daily 4 past cple wks. Not get thru to this & many other sites.
Take yr advice soon as get to site w/post.

--------

Not think anytin seriously amiss w/system - except the
usual attrition due to old age, etc. - but no viri to be
found. Still mystery.

Am really curious abt this 'irsetup' & 'freshbind' thing,
which looking more like a false alarm to me.

All my AV 'scans' effectively negative. Nutin to report. Spybot
no any log I can find - just old 'Status' report, w/entries ALL
dated 30 Dec 99. These latter, past history & look fairly benign.

Ran HijackThis (v 1.99). Log at bottom of post. Also benign.

-----------

Did, as U hinted, some Google research & got thru to few places.
Some interesting extracts below - which may help some other
visitors here.

Looks like Spybot telling me I been 'trojaned'. Seems to base
this on file "irsetup.LGC", a copy of which held in zip in its
Recovery folder:

C:\Windows\Application Data\Spybot - Search & Destroy\Recovery\ freshbind.zip.

Freshbind.zip holds these 2:

- IRSETUP.LGC
- sbRecovery.ini

The orig'l IRSETUP.LGC file is still in the C:\Windows\applog folder
as I not yet rqst repair. This is not an executable. No real danger
there. Full of lines w/ nr's and few ref's to DLL's & such. There's
nothing in it that might give a clue as to the log's purpose.
Maybe should look inside some of the DLL's, etc., it refers to...
but probly just an install log. I put a piece of it at end for ref.

NOTE: Latest 'AVG-free' & 'TrojanHunter' scans found no
"IRSETUP" infections. I now know, after Google, that "IRSETUP.EXE"
has been an issue since at least 2003. All very interesting.

From my earlier post, you may note that Spybot implicates
IRSETUP.EXE, also - which was at that time in:

C:\WINDOWS\APPLOG\IRSETUP.EXE (now gone)
and was the only thing listed in
C:\WINDOWS\WININIT.INI

wininit.ini content was: "NUL=C:\WINDOWS\TEMP\irsetup.exe"

which meant 'irsetup.exe' was slated for deletion at next boot.
From the research I reckon the file was actually an "installer",
which, on completion of job, normally commits filicide.

Looks like Spybot was set up to ID IRSETUP.EXE as a 'trojan'.
Not so, as the below extracts will aim to show. Yet, I suppose
it is possible IRSETUP.EXE was infected by 'freshbind' and may
have internally been a 'bound' file w/malicious payload.

Or, the above may have happened sometime in
distant past & ever since the tag has stuck. Then again,
maybe somebody has been creating malicious programs
using that already extant file name.

To be sure, as the .exe file was already slated for
deletion, this should have ended the 'threat'
(if any) on reboot. Believe that the real Spybot target should
have been the malicious files (if any) which irsetup.exe may
have delivered; but my AV not detect any either. Back to
square 1.

But how would Spybot have determined this. My guess is that
alarm bells rang when it came across the base term "IRSETUP",
or, it assumed this from the presence of "IRSETUP.LGC",
which I haven't been able to find much info on. But it is just a
log file; and neither AVG nor TrojanHunter took any notice of it.

Think the file may have been a left over from an installation I
may have made between the last & current AVG run, so AVG
never checked it. I'll never know because it was deleted & I've
also cleaned out history, etc., via DOS & ccleaner - few times.

The event, whatever it was, must have occurred on 13 Feb 07,
which is the creation date of the log file. Oddly enough, the
only reference within the log file which refers directly to a
program, is the path in Program Files to WinPatrol - and Win
Patrol History itself lists a RUN_ONCE alert on that day.

BTW, from what I gather, many other anti-virus & similar aps
make same 'assumption' on IRSETUP.EXE being a Trojan. From
what I been reading, this could be one of those snowballing
false assumptions. Maybe nobody stopped to check yet.

Since the start I've wondered abt this being a possible
false alert, which is why I hesitated on the 'repair'. There
just didn't seem to be enuf clear, un-ambiguous info in the
sidebar on the issue for my poor brain to make a decision.

I would suggest that if there really is a malicious file by
name of 'irsetup.exe' making the rounds, it might be
an idea to also mention in side bar:

***
"Use caution. Confirm file status w/ AV before deleting.
A valid program by this name also exists. Check on
'Setup Factory 6.0' at www.indigorose.com"

***
- or somtin to that effect.

The below extracts from net (in particular from 'indigorose')
seem to affirm that IRSETUP.EXE, anyway, is NOT itself a trojan
nor malicious. Since its gone now, I wonder where and what is
the threat (if still any) to my system.

Altho IRSETUP.EXE is no longer, a 2nd Spybot scan still insists
that IRSETUP.LGC (a simple log file) is a 'threat'. I suppose it
could be if some trojan lurking in my system needs to reference
it; but can't find anything.

-----------

From Google:

http://www.indigorose.com/forums/showthread.php?t=9337

Jed Note 1:
The following is an extract from a 2003 indigorose forum thread.
Several indigorose threads on the issue stretch thru 2006 but
no one seems to have gotten to the root of the matter. One has
to read all the posts in these threads to get a handle on this.
Here's just 1 of the posts:

------
Ted Sullivan's Avatar
Indigo Rose Staff
Join Date: Oct 2003
Posts: 731

irsetup.exe is the main Setup Factory 6.0 setup program. It is extracted to a
temporary folder when you run the setup.exe file and handles all of the actual
installation of your software. It is deleted after the installation or on system
reboot at the latest.

It is definitely not "adware" and I have no idea why download.com would say
that it is. We have literally millions and millions of setup.exe's out there
created with Setup Factory 6.0 by many thousands of different companies.

I can't speak for what is contained in your product or anyone else's, but
the idea that irsetup.exe is adware is definitely incorrect. There must be
something else going on there. You can have them contact Indigo Rose
directly for clarification - I don't know what "tools" they are using to assess their submissions, but that is completely wrong and an obviously simplistic.

---------

Jed Note 2: Note that the "ir" in "irsetup.exe" stands for "indigo rose".

---------

From: http://www.oeone.net/spyware-removal/Irsetup-exe.html

Irsetup.exe

The file IRSETUP.EXE is not adware. It is actually
part of the extremely common Setup Factory 6.0 installer builder product
by Indigo Rose Software (www.indigorose.com). It is extracted to a temp
folder when running a setup.exe created by Setup Factory 6.0 and used
to handle the main installation tasks. It is deleted at the end of the
installation process or at the next system reboot at the latest. Setup
Factory 6.0 is used by *millions* of setup.exe's and many thousands of
companies. The IRSETUP.EXE file itself is definitely not adware. The
same filename is Related to the ...

------

Another link:

http://servicestage.symantec.com/avcenter/venc/data/american.exe.file.threat.htm

Jed Note 3:
Symantec isn't too in-depth on the issue either but its summary does
seem to corroborate the indigorose statement that "irsetup.exe" is
not malware. It does exactly what it is supposed to do & deposits
itself in the temp folder after end installation, ready for auto-destruct
on re-boot.

Nothing wrong with that. Should be no reason for ANY anti-malware
to make an issue of it - unless it's basing its analysis purely on a
'file name' - rather than a 'file scan'.

----------

FRESHBIND

Here's what little I found so far:
(I note your link leads same places)

eTrust Spyware Encyclopedia - FreshBind 1.1

A tool that combines two or more files into a single file, usually for
the purpose of hiding one of them. A binder compiles the list of files
that you ...

(Note the word "usually" .... jed...)

www3.ca.com/securityadvisor/pest/pest.aspx?id=453075424 - 25k -

-------


from: http://www.spywaredb.com/remove-trojandropper-win32-freshbind-11-a/

Name: TrojanDropper.Win32.FreshBind.11.a
Category: Dropper
Date: 2003-12-25
Author: Fresh
Dangerous: Yes

TrojanDropper.Win32.FreshBind.11.a belongs to Dropper spyware category.
Its presence means that your computer is infected with malicious software
and is insecure.

This Dropper is also known as:
• Trojan Horse - named by Panda.
• Win32.Fresh.11 - named by Computer Associates.
• Win32/FreshBind.11!Trojan - named by Computer Associates.

Below listed processes files are part of this spyware. To manually get rid
of it, follow these instructions (at your own risk).
TrojanDropper.Win32.FreshBind.11.a Removal Instructions:

Kill the following processes

freshbind.exe, stub.exe
Remove the following files
freshbind.exe, readme.txt, stub.exe.

------

from: http://www.pestpatrol.com/zks/pestinfo/f/freshbind_1_1.asp

FreshBind 1.1

From the doc: 'Features: - Stub is 21kb uncompressed (12k compressed
with UPX 1.23) - Binds and executes up to 9 files - Use any type of files
(not just exe) - Configurable name after extraction - Each file can be
extracted to the temp, windows, system or current directory - Choose
Visible, hidden, or no execution.

Note: a file instructed to run with the hidden execution function will not
always execute hidden. This is not a bug in the program, it's simply the
way windows works.'

Alias:

Trojan Horse [Panda], TrojanDropper.Win32.FreshBind.11.b [Kaspersky],
Win32.Fresh.11.B [Computer Associates], Win32/Fresh.11.B!Trojan
[Computer Associates]

Category:

Binder: A tool that combines two or more files into a single file, usually
for the purpose of hiding one of them. A binder compiles the list of files
that you select into one host file, which you can rename. A host file is a
simple custom compiled program that will decompress and launch the
source programs. When you start the host, the embedded files in it are
automatically decompressed and launched. When a trojan is bound
with Notepad, for instance, the result will appear to be Notepad, and
appear to run like Notepad, but the Trojan will also be run.

Dropper: In viruses and trojans, the dropper is the part of the program
that installs the hostile code onto the system.

Trojan: Any program with a hidden intent. Trojans are one of the leading
causes of breaking into machines. If you pull down a program from a
chat room, new group, or even from unsolicited e-mail, then the program
is likely trojaned with some subversive purpose. The word Trojan can
be used as a verb: To trojan a program is to add subversive functionality
to an existing program. For example, a trojaned login program might be
programmed to accept a certain password for any user's account that
the hacker can use to log back into the system at any time. Rootkits
often contain a suite of such trojaned programs.

Date of Origin: March, 2003
Storage Required: # FreshBind 1.1: at least 273 KB

Manual Removal:

Follow these steps to remove FreshBind 1.1 from your machine.
Begin by backing up your registry and your system, and/or setting a
Restore Point, to prevent trouble if you make a mistake.

Kill these running processes with Task Manager:
freshbind.exe stub.exe

Remove these files (if present) with Windows Explorer:
freshbind.exe readme.txt stub.exe

Research By: # PestPatrol's Pest Research Center
Last Revised: April 03, 2005

====

Remarks:

There's no 'running task/process' nor any file on my system, called
"stub.exe", "freshbind.exe" or freshbind.anythingelse (the only
place the term "freshbind" is found is in the Spybot Recovery
folder).

There were no rootkits, malware, virus, etc., found by other aps
I ran, either. (For the rootkit check I ran only RootkitRevealer).

As I said, it's possible a trojan got 'bound in' with 'irsetup.exe' -
but latter file long gone; and there's no other evidence.

Another possibility is that since irsetup.exe is an 'installer', it
may inherently be a 'binder' - and being such (which, by
convention at some distant past, was tagged as 'malicious'
software), irsetup.exe was automatically put on the list.
---------

Am wondering if you or Spybot staff might be able to shed
some more light on the issue or perhaps check as to
how it got on the list - or explain why it belongs there when
owner of the file is a legit, longstanding software enterprise,
or so it appears. This just might tie up some loose ends.
---------

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 04:20:07, on 19-Feb-07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

NOTE:
Am fairly comfortable w/the below - except maybe the
"O2 - BHO: (no name) ... " - but think it been
around long time... I'm not going to delete unless i
get firm evidence of what it is. jed...


Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\AGRSMMSG.EXE <--- (Agere Systems Modem)
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.6\THGUARD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\GRAB TEXT\OCR.EXE
C:\PROGRAM FILES\WORDWEB\WWEB32.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\TMPSTORE\X-APS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - <--- not sure yet C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\PROGRAM FILES\SITEADVISOR\SAIE.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\PROGRAM FILES\SITEADVISOR\SAIE.DLL
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.6\THGUARD.EXE"
O4 - HKLM\..\RunServices: [KB891711] c:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Grab Text] C:\PROGRAM FILES\GRAB TEXT\OCR.EXE
O4 - Startup: GOLARM.PIF = C:\GOLARM.BAT
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Dell Home - {53E21C00-F654-11D4-9FE8-00B0D0ACF629} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

------------------------------------------------------------------

Here's top portion of 'irsetup.lgc':

{
o ce9ba6f0 62000 "C:\WINDOWS\TEMP\IRSETUP.EXE"
R ce9ba6f0 0 40
R ce9ba6f0 e8 f8
R ce9ba6f0 e8 198
R ce9ba6f0 5a000 1000
R ce9ba6f0 50000 1000
R ce9ba6f0 51000 1000
R ce9ba6f0 52000 600
o c1739410 2b000 "C:\WINDOWS\SYSTEM\COMDLG32.DLL"
R c1739410 1b000 1000
R c1739410 1c000 1000
o c1604740 63e00 "C:\WINDOWS\SYSTEM\SHLWAPI.DLL"
R c1604740 59400 1000
o c1604990 47035 "C:\WINDOWS\SYSTEM\MSVCRT.DLL"
R c1604990 3a000 1000

-------

Here's FROM: http://www.auditmypc.com/process/irsetup.asp

irsetup.exe - Here is the scoop on lolok trojan as it pertains to computer
network security. The big question: what is irsetup.exe and is it spyware,
a trojan and if so, how do I get rid of lolok trojan?

If irsetup.exe is running on your pc, your pc may be infected with a trojan
that goes by the name of lolok.

irsetup.exe is considered to be a security risk, not only because antivirus
programs flag lolok trojan as a trojan, but also because other sites consider
it a Trojan as well.

lolok trojan is likely a Trojan and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of irsetup.exe
may cause serious harm to your system and will likely cause a number of
problems, loss of data, loss of control or leaking private information.

You should visit our free spyware removal page to make sure your system
does not have other programs like irsetup.exe.
IRSETUP.EXE - Disclaimer

Every attempt has been made to provide you with the correct information
for irsetup.exe or LOLOK TROJAN. Many spyware/malware programs use
filenames of usual, non-malware programs. If we have included information about irsetup.exe that is inaccurate, we would greatly appreciate your help
by updating the spy bot database and we'll promptly correct it.

You should verify the accuracy of information we provided about irsetup.exe. lolok trojan may have had a status change since this page was published.

© AuditMyPC.com . Network Security - Access Code For Wednesday,
February 14, 2007 is xtiCsjxHqq.

-----

OK, that it. Thanx. Will read what U told me & do accordingly, soon as
get back into this forum but 1st post this, while have chance.

Jed...

====

PS. OK. Just got in and read all. Got gist of it. Digest later
some more. Think am on the right track, tho. Got to post this
b4 another crash or acct runs dry... (had to trim 2.5K off here)
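
The `[Rename]` entry quoted in the post above (`NUL=C:\WINDOWS\TEMP\irsetup.exe`) is a pending boot-time delete: each line in that section reads destination=source, and a destination of NUL means the source is removed. As an added example that is not part of the original thread, this Python script lists the pending operations in a WININIT.INI and separates temp-folder cleanups from entries that would swap a file in elsewhere; the function names and every sample entry except the first are constructed for illustration.

```python
"""Added example: list pending boot-time operations in a Win9x WININIT.INI."""
import ntpath

# Constructed sample. The first entry is the one quoted in the post; the
# other two are made up here to show the remaining cases.
SAMPLE = r"""
[Rename]
NUL=C:\WINDOWS\TEMP\irsetup.exe
NUL=C:\WINDOWS\DESKTOP\EXAMPLE.TXT
C:\WINDOWS\SYSTEM\EXAMPLE.DLL=C:\WINDOWS\TEMP\EXAMPLE.NEW
"""


def parse_rename_section(text):
    """Return [(action, source, destination)] from the [Rename] section.

    Keys repeat (there can be many NUL= lines), so configparser is not
    used: it either rejects duplicate keys or keeps only the last one.
    """
    ops = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        if dest.upper() == "NUL":
            ops.append(("delete", src, None))
        else:
            ops.append(("rename", src, dest))
    return ops


def triage(ops, temp_dir=r"C:\WINDOWS\TEMP"):
    """Label each pending operation for review.

    temp-cleanup: delete of a file directly inside temp_dir, the pattern
                  an installer leaves when removing its extracted stub
    delete:       delete of a file anywhere else
    replace:      rename, i.e. a file swapped in at the next boot

    The label describes the operation only. It says nothing about what
    the file contains; that still needs a scan of the file itself.
    """
    temp = ntpath.normcase(ntpath.normpath(temp_dir))
    out = []
    for action, src, dest in ops:
        if action == "rename":
            label = "replace"
        elif ntpath.normcase(ntpath.dirname(ntpath.normpath(src))) == temp:
            label = "temp-cleanup"
        else:
            label = "delete"
        out.append((label, src, dest))
    return out


if __name__ == "__main__":
    for label, src, dest in triage(parse_rename_section(SAMPLE)):
        target = f" -> {dest}" if dest else ""
        print(f"{label:12} {src}{target}")
```
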

pskelley
2007-02-19, 16:05
Well Jeb, there is no way I can read everything you posted without being lost for the rest of the day. I can't allow that to happen because around 50 other folks are depending on me.

Here are my suggestions after a quick glance:

1) I have a Compaq 7360 with Windows98SE that I dearly love since it was my first computer. It runs like new (reformat) but I take it out for a Sunday drive two or three times a year, and I am well protected, just update my programs and put it back in the garage.

2) If you have questions that relate to how Spybot S&D handles anything (best freeware in existence, ask me) please post those here:
http://forums.spybot.info/forumdisplay.php?f=4

3) If you have questions for me that I may or may not be able to answer dealing with malware, please post them.

4) Logfile of HijackThis v1.99.1 Scan saved at 04:20:07, on 19-Feb-07

Unless you set this, you can use HJT to remove it:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
This is the marker for Spybot Search & Destroy and is safe. You should be running V1.4, have it updated and run it often.

C:\PROGRAM FILES\TROJANHUNTER 4.6\THGUARD.EXE: If this is the trial version uninstall it. Using resources Win98 needs badly as you know.

C:\PROGRAM FILES\GRAB TEXT\OCR.EXE <<< appears ok as long as you know it.

O4 - Startup: GOLARM.PIF = C:\GOLARM.BAT <<< no idea what that is?

C:\Program Files\Java\jre1.5.0_04\ <<< out of date and very unsafe, update to the newest version and uninstall all old versions in Add Remove programs. See this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

I see nothing that is obviously malware in this HJT log.

IRSETUP.EXE <<< first it is in a Temp folder, you can always delete anything in a Temp folder. Second a-squared whom I trust indicates it may be from an old Avast! install? Did you install Avast at some point? One way or another delete all the files in that
C:\WINDOWS\TEMP\ <<< delete the contents, NOT THE FOLDER.
http://www.hijackfree.com/en/processdetails/?id=610 and the Google:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=IRSETUP%2eEXE

Thanks

tashi
2007-02-26, 05:22
This topic has been closed to prevent others with similar issues posting in it.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.