Writing time: 6:33 AM 10-Feb-07
To: Safer Networking Forums
Specs: DELL Optiplex GX110, Intel Pentium III 800 megahertz; 64MB RAM; Win98SE
Re: "Freshbind"
Question: Can anyone tell me for sure that IRSETUP.LGC is a malware file
that I should allow Spybot to "fix"? It doesn't look malicious to me and I'm
afraid it might be some kind of required valid file. Looks like a log.
Note: I note the latest update list at Forum mentions "Win32.IRCBot.yh".
Has this anything to do with "IRSETUP.LGC" or "IRSETUP.EXE"?
Just a while ago I updated and then ran Spybot. It reported a bot by name
of "Freshbind". The explanation in the right pane was unclear and ambiguous
to me. It did not help me decide what to do next. I'm not too 'up' on this and
was reluctant to "repair" anything, lest this was a false alert which might
cause me to possibly delete some required files in Windows. Happened before.
Please see attached "SpybotResult10Feb07.doc" file. Since I couldn't "copy &
paste" anything from the Spybot results window, I took a screen shot, saved
& split into 2 parts & enlarged each for better read, in Word. In case it's not
possible to attach, the below is a summary of content:
The first part shows the Spybot scan result, which was:
Freshbind
Log file
C:\WINDOWS\APPLOG\IRSETUP.EXE
Autorun settings
C:\WINDOWS\WININIT.INI
The 2nd part defines the Freshbind bot thing and is rather long:
Company: EvilEyeSoftware
Product: Freshbind2.01
Threat: Malware
Functionality: Freshbind 2.0 is a file binder which U can use to
combine 2 or more files into one executable... etc., etc. ...
Later I first checked out the implicated files via my old XTREE GOLD, XTREE
viewer. This allowed me to view the guts of these files passively for clues
as to their true nature and origin, before attempting a Spybot 'repair':
In: "c:\windows\wininit.ini" (implicated by Spybot) I found only this entry:
[Rename]
NUL=C:\WINDOWS\TEMP\irsetup.exe
NOTE:
As I had not yet asked Spybot to repair anything, I think the entry may have
been made by some earlier 'anti-malware' or 'cleaner' I may have run just
prior. In any case, Spybot implicated this entry. I think maybe wininit.ini was
to be deleted on reboot automatically by Windows. Is Spybot just trying to
speed up the inevitable? Perhaps I should have rebooted before I ran it.
---------------------
In c:\windows\applog I found some files which may be related to the
Spybot report on the "Freshbind" find:
1 API_IRIS.LGC
2 IRSETUP.LGC (file date: 10-Feb-07) <--- implicated by Spybot
3 ISIGNUP.LGC
NOTE:
I could not find any data in these files which revealed their origin or purpose.
I left them in place as is.
--------------------
I've been using XTREE on this old Win 98 comp for years and never had any
problems. Now, I was experiencing some problems and could not escape out
of a pane, as usual, by pressing the "Esc" key. This had never happened
before and appeared to have started only after I ran the "just-updated" Spybot.
Currently I still don't know whether it was just a 'puter glitch or Spybot related. Probably a glitch in the old box.
Afterwards, I re-booted to see how this would change the wininit.ini content
and if this fixed my XTREE DOS File Manager.
--------------------
After re-boot:
XTREE back to normal
wininit.ini was gone
NOTE: I FORGOT TO LOOK INTO C:\WINDOWS\TEMP initially but now it did not have the file "irsetup.exe" in it any more.
--------------------
Really appreciate any info on this from anyone at this forum. I especially
don't understand the 'Freshbind' thing.
Thank you,
Jed...
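
An added example, not part of the original post: on Windows 9x, the [Rename] section of WININIT.INI lists file operations deferred to the next boot in the form destination=source, and a destination of NUL means the source file is deleted. The Python below lists those pending operations for review; the sample text is constructed around the entry quoted in the post, and the function names are hypothetical.

```python
# Added example: list the pending boot-time operations in a Win9x WININIT.INI.
# SAMPLE is constructed; only its first entry is taken from the post above.
SAMPLE = """\
[Rename]
NUL=C:\\WINDOWS\\TEMP\\irsetup.exe
NUL=C:\\WINDOWS\\TEMP\\~GLH0001.TMP
C:\\WINDOWS\\SYSTEM\\EXAMPLE.DLL=C:\\WINDOWS\\TEMP\\EXAMPLE.NEW
; comment line
[Other]
NUL=C:\\IGNORED.TXT
"""

def pending_operations(text):
    """Return (action, source, destination) tuples from the [Rename] section.

    Parsed by hand because the key NUL normally repeats, which strict INI
    parsers (configparser in its default mode) reject as duplicate options.
    """
    ops, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        if dest.upper() == "NUL":
            ops.append(("delete", src, None))   # NUL=file: file is deleted
        else:
            ops.append(("rename", src, dest))   # dest=src: src replaces dest
    return ops

def deletions_under(ops, directory):
    """Return the files queued for deletion that live under `directory`."""
    prefix = directory.rstrip("\\").lower() + "\\"
    return [src for action, src, _ in ops
            if action == "delete" and src.lower().startswith(prefix)]

if __name__ == "__main__":
    for action, src, dest in pending_operations(SAMPLE):
        print(f"{action:7} {src}" + (f" -> {dest}" if dest else ""))
```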