"Freshbind" problem
To: pskelly
Thanks for yr response. Appreciated. Sorry late. Bad connect
here - daily 4 past couple wks. Not getting through to this & many other sites.
Will take yr advice soon as get to site w/post.
--------
Not think anything seriously amiss w/system - except the
usual attrition due to old age, etc. - but no viruses to be
found. Still a mystery.
Am really curious abt this 'irsetup' & 'freshbind' thing,
which is looking more like a false alarm to me.
All my AV 'scans' effectively negative. Nothing to report. Spybot
has no log I can find - just an old 'Status' report, w/entries ALL
dated 30 Dec 99. These latter are past history & look fairly benign.
Ran HijackThis (v 1.99). Log at bottom of post. Also benign.
-----------
Did, as U hinted, some Google research & got through to a few places.
Some interesting extracts below - which may help some other
visitors here.
Looks like Spybot is telling me I've been 'trojaned'. Seems to base
this on file "irsetup.LGC", a copy of which is held in a zip in its
Recovery folder:
C:\Windows\Application Data\Spybot - Search & Destroy\Recovery\freshbind.zip.
Freshbind.zip holds these 2:
- IRSETUP.LGC
- sbRecovery.ini
The orig'l IRSETUP.LGC file is still in the C:\Windows\applog folder
as I have not yet requested repair. This is not an executable. No real danger
there. Full of lines w/ numbers and a few ref's to DLL's & such. There's
nothing in it that might give a clue as to the log's purpose.
Maybe should look inside some of the DLL's, etc., it refers to...
but probably just an install log. I put a piece of it at the end for ref.
NOTE: Latest 'AVG-free' & 'TrojanHunter' scans found no
"IRSETUP" infections. I now know, after Google, that "IRSETUP.EXE"
has been an issue since at least 2003. All very interesting.
From my earlier post, you may note that Spybot implicates
IRSETUP.EXE, also - which was at that time in:
C:\WINDOWS\APPLOG\IRSETUP.EXE (now gone)
and was the only thing listed in
C:\WINDOWS\WININIT.INI
wininit.ini content was: "NUL=C:\WINDOWS\TEMP\irsetup.exe"
which meant 'irsetup.exe' was slated for deletion at next boot.
From the research I reckon the file was actually an "installer",
which, on completion of job, normally commits filicide.
Looks like Spybot was set up to ID IRSETUP.EXE as a 'trojan'.
Not so, as the below extracts will aim to show. Yet, I suppose
it is possible IRSETUP.EXE was infected by 'freshbind' and may
have internally been a 'bound' file w/malicious payload.
Or, the above may have happened sometime in
distant past & ever since the tag has stuck. Then again,
maybe somebody has been creating malicious programs
using that already extant file name.
To be sure, as the .exe file was already slated for
deletion, this should have ended the 'threat'
(if any) on reboot. Believe that the real Spybot target should
have been the malicious files (if any) which irsetup.exe may
have delivered; but my AV did not detect any either. Back to
square 1.
But how would Spybot have determined this? My guess is that
alarm bells rang when it came across the base term "IRSETUP",
or it assumed this from the presence of "IRSETUP.LGC",
which I haven't been able to find much info on. But it is just a
log file; and neither AVG nor TrojanHunter took any notice of it.
Think the file may have been a leftover from an installation I
may have made between the last & current AVG run, so AVG
never checked it. I'll never know now because it was deleted & I've
also cleaned out history, etc., via DOS & ccleaner - a few times.
The event, whatever it was, must have occurred on 13 Feb 07,
which is the creation date of the log file. Oddly enough, the
only reference within the log file which refers directly to a
program, is the path in Program Files to WinPatrol - and Win
Patrol History itself lists a RUN_ONCE alert on that day.
BTW, from what I gather, many other anti-virus & similar apps
make the same 'assumption' on IRSETUP.EXE being a Trojan. From
what I've been reading, this could be one of those snowballing
false assumptions. Maybe nobody stopped to check yet.
Since the start I've wondered abt this being a possible
false alert, which is why I hesitated on the 'repair'. There
just didn't seem to be enough clear, unambiguous info in the
sidebar on the issue for my poor brain to make a decision.
I would suggest that if there really is a malicious file by
name of 'irsetup.exe' making the rounds, it might be
an idea to also mention in side bar:
***
"Use caution. Confirm file status w/ AV before deleting.
A valid program by this name also exists. Check on
'Setup Factory 6.0' at www.indigorose.com"
***
- or something to that effect.
The below extracts from the net (in particular from 'indigorose')
seem to affirm that IRSETUP.EXE, anyway, is NOT itself a trojan
nor malicious. Since it's gone now, I wonder where and what is
the threat (if still any) to my system.
Although IRSETUP.EXE is no longer, a 2nd Spybot scan still insists
that IRSETUP.LGC (a simple log file) is a 'threat'. I suppose it
could be if some trojan lurking in my system needs to reference
it; but can't find anything.
-----------
From Google:
http://www.indigorose.com/forums/showthread.php?t=9337
Jed Note 1:
The following is an extract from a 2003 indigorose forum thread.
Several indigorose threads on the issue stretch through 2006 but
no one seems to have gotten to the root of the matter. One has
to read all the posts in these threads to get a handle on this.
Here's just 1 of the posts:
------
Ted Sullivan (Indigo Rose Staff; joined Oct 2003; 731 posts):
irsetup.exe is the main Setup Factory 6.0 setup program. It is extracted to a
temporary folder when you run the setup.exe file and handles all of the actual
installation of your software. It is deleted after the installation or on system
reboot at the latest.
It is definitely not "adware" and I have no idea why download.com would say
that it is. We have literally millions and millions of setup.exe's out there
created with Setup Factory 6.0 by many thousands of different companies.
I can't speak for what is contained in your product or anyone else's, but
the idea that irsetup.exe is adware is definitely incorrect. There must be
something else going on there. You can have them contact Indigo Rose
directly for clarification - I don't know what "tools" they are using to assess their submissions, but that is completely wrong and obviously simplistic.
---------
Jed Note 2: Note that the "ir" in "irsetup.exe" stands for "indigo rose".
---------
From:
http://www.oeone.net/spyware-removal/Irsetup-exe.html
Irsetup.exe
The file IRSETUP.EXE is not adware. It is actually
part of the extremely common Setup Factory 6.0 installer builder product
by Indigo Rose Software (www.indigorose.com). It is extracted to a temp
folder when running a setup.exe created by Setup Factory 6.0 and used
to handle the main installation tasks. It is deleted at the end of the
installation process or at the next system reboot at the latest. Setup
Factory 6.0 is used by *millions* of setup.exe's and many thousands of
companies. The IRSETUP.EXE file itself is definitely not adware. The
same filename is related to the ...
------
Another link:
http://servicestage.symantec.com/avcenter/venc/data/american.exe.file.threat.htm
Jed Note 3:
Symantec isn't too in-depth on the issue either but its summary does
seem to corroborate the indigorose statement that "irsetup.exe" is
not malware. It does exactly what it is supposed to do & deposits
itself in the temp folder after end installation, ready for auto-destruct
on re-boot.
Nothing wrong with that. Should be no reason for ANY anti-malware
to make an issue of it - unless it's basing its analysis purely on a
'file name' - rather than a 'file scan'.
----------
FRESHBIND
Here's what little I found so far:
(I note your link leads to the same places)
eTrust Spyware Encyclopedia - FreshBind 1.1
A tool that combines two or more files into a single file, usually for
the purpose of hiding one of them. A binder compiles the list of files
that you ...
(Note the word "usually" .... jed...)
www3.ca.com/securityadvisor/pest/pest.aspx?id=453075424
-------
from:
http://www.spywaredb.com/remove-trojandropper-win32-freshbind-11-a/
Name: TrojanDropper.Win32.FreshBind.11.a
Category: Dropper
Date: 2003-12-25
Author: Fresh
Dangerous: Yes
TrojanDropper.Win32.FreshBind.11.a belongs to the Dropper spyware category.
Its presence means that your computer is infected with malicious software
and is insecure.
This Dropper is also known as:
• Trojan Horse - named by Panda.
• Win32.Fresh.11 - named by Computer Associates.
• Win32/FreshBind.11!Trojan - named by Computer Associates.
The processes and files listed below are part of this spyware. To manually get rid
of it, follow these instructions (at your own risk).
TrojanDropper.Win32.FreshBind.11.a Removal Instructions:
Kill the following processes
freshbind.exe, stub.exe
Remove the following files
freshbind.exe, readme.txt, stub.exe.
------
from:
http://www.pestpatrol.com/zks/pestinfo/f/freshbind_1_1.asp
FreshBind 1.1
From the doc: 'Features: - Stub is 21kb uncompressed (12k compressed
with UPX 1.23) - Binds and executes up to 9 files - Use any type of files
(not just exe) - Configurable name after extraction - Each file can be
extracted to the temp, windows, system or current directory - Choose
Visible, hidden, or no execution.
Note: a file instructed to run with the hidden execution function will not
always execute hidden. This is not a bug in the program, it's simply the
way windows works.'
Alias:
Trojan Horse [Panda], TrojanDropper.Win32.FreshBind.11.b [Kaspersky],
Win32.Fresh.11.B [Computer Associates], Win32/Fresh.11.B!Trojan
[Computer Associates]
Category:
Binder: A tool that combines two or more files into a single file, usually
for the purpose of hiding one of them. A binder compiles the list of files
that you select into one host file, which you can rename. A host file is a
simple custom compiled program that will decompress and launch the
source programs. When you start the host, the embedded files in it are
automatically decompressed and launched. When a trojan is bound
with Notepad, for instance, the result will appear to be Notepad, and
appear to run like Notepad, but the Trojan will also be run.
Dropper: In viruses and trojans, the dropper is the part of the program
that installs the hostile code onto the system.
Trojan: Any program with a hidden intent. Trojans are one of the leading
causes of breaking into machines. If you pull down a program from a
chat room, newsgroup, or even from unsolicited e-mail, then the program
is likely trojaned with some subversive purpose. The word Trojan can
be used as a verb: To trojan a program is to add subversive functionality
to an existing program. For example, a trojaned login program might be
programmed to accept a certain password for any user's account that
the hacker can use to log back into the system at any time. Rootkits
often contain a suite of such trojaned programs.
Date of Origin: March, 2003
Storage Required: # FreshBind 1.1: at least 273 KB
Manual Removal:
Follow these steps to remove FreshBind 1.1 from your machine.
Begin by backing up your registry and your system, and/or setting a
Restore Point, to prevent trouble if you make a mistake.
Kill these running processes with Task Manager:
freshbind.exe stub.exe
Remove these files (if present) with Windows Explorer:
freshbind.exe readme.txt stub.exe
Research By: # PestPatrol's Pest Research Center
Last Revised: April 03, 2005
====
Remarks:
There's no 'running task/process' nor any file on my system called
"stub.exe", "freshbind.exe" or freshbind.anythingelse (the only
place the term "freshbind" is found is in the Spybot Recovery
folder).
There were no rootkits, malware, virus, etc., found by other aps
I ran, either. (For the rootkit check I ran only RootkitRevealer).
As I said, it's possible a trojan got 'bound in' with 'irsetup.exe' -
but the latter file is long gone; and there's no other evidence.
Another possibility is that since irsetup.exe is an 'installer', it
may inherently be a 'binder' - and being such (which, by
convention at some distant past, was tagged as 'malicious'
software), irsetup.exe was automatically put on the list.
---------
Am wondering if you or Spybot staff might be able to shed
some more light on the issue or perhaps check as to
how it got on the list - or explain why it belongs there when the
owner of the file is a legit, longstanding software enterprise,
or so it appears. This just might tie up some loose ends.
---------
Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 04:20:07, on 19-Feb-07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
NOTE:
Am fairly comfortable w/the below - except maybe the
"O2 - BHO: (no name) ... " - but think it's been
around a long time... I'm not going to delete unless I
get firm evidence of what it is. jed...
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\AGRSMMSG.EXE <--- (Agere Systems Modem)
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.6\THGUARD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\GRAB TEXT\OCR.EXE
C:\PROGRAM FILES\WORDWEB\WWEB32.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\TMPSTORE\X-APS\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL <--- not sure yet
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\PROGRAM FILES\SITEADVISOR\SAIE.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\PROGRAM FILES\SITEADVISOR\SAIE.DLL
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.6\THGUARD.EXE"
O4 - HKLM\..\RunServices: [KB891711] c:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Grab Text] C:\PROGRAM FILES\GRAB TEXT\OCR.EXE
O4 - Startup: GOLARM.PIF = C:\GOLARM.BAT
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Dell Home - {53E21C00-F654-11D4-9FE8-00B0D0ACF629} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
------------------------------------------------------------------
Here's top portion of 'irsetup.lgc':
{
o ce9ba6f0 62000 "C:\WINDOWS\TEMP\IRSETUP.EXE"
R ce9ba6f0 0 40
R ce9ba6f0 e8 f8
R ce9ba6f0 e8 198
R ce9ba6f0 5a000 1000
R ce9ba6f0 50000 1000
R ce9ba6f0 51000 1000
R ce9ba6f0 52000 600
o c1739410 2b000 "C:\WINDOWS\SYSTEM\COMDLG32.DLL"
R c1739410 1b000 1000
R c1739410 1c000 1000
o c1604740 63e00 "C:\WINDOWS\SYSTEM\SHLWAPI.DLL"
R c1604740 59400 1000
o c1604990 47035 "C:\WINDOWS\SYSTEM\MSVCRT.DLL"
R c1604990 3a000 1000
-------
Here's FROM:
http://www.auditmypc.com/process/irsetup.asp
irsetup.exe - Here is the scoop on lolok trojan as it pertains to computer
network security. The big question: what is irsetup.exe and is it spyware,
a trojan and if so, how do I get rid of lolok trojan?
If irsetup.exe is running on your pc, your pc may be infected with a trojan
that goes by the name of lolok.
irsetup.exe is considered to be a security risk, not only because antivirus
programs flag lolok trojan as a trojan, but also because other sites consider
it a Trojan as well.
lolok trojan is likely a Trojan and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of irsetup.exe
may cause serious harm to your system and will likely cause a number of
problems, loss of data, loss of control or leaking private information.
You should visit our free spyware removal page to make sure your system
does not have other programs like irsetup.exe.
IRSETUP.EXE - Disclaimer
Every attempt has been made to provide you with the correct information
for irsetup.exe or LOLOK TROJAN. Many spyware/malware programs use
filenames of usual, non-malware programs. If we have included information about irsetup.exe that is inaccurate, we would greatly appreciate your help
by updating the spy bot database and we'll promptly correct it.
You should verify the accuracy of information we provided about irsetup.exe. lolok trojan may have had a status change since this page was published.
-----
OK, that's it. Thanks. Will read what U told me & do accordingly, soon as
I get back into this forum, but 1st post this while I have the chance.
Jed...
====
PS. OK. Just got in and read all. Got the gist of it. Will digest
some more later. Think I'm on the right track, though. Got to post this
before another crash or acct runs dry... (had to trim 2.5K off here)