On 23/11/2011 10:34 AM, Anthony Buckland wrote:
> On 22/11/2011 11:18 PM, VanguardLH wrote:
>> Anthony Buckland wrote:
>>
>>> Every day, occasionally twice a day, I'm being bombarded
>>> lately with slight variations on a mysterious warning from my
>>> antivirus (ZoneAlarm). The latest version is now on my
>>> screen, and reads (line breaks as in the message):
>>>
>>> SUSPICIOUS BEHAVIOR
>>>
>>> Setup Launcher Unicode may be trying to prevent
>>> 'ISSETUP' from running each time your computer is
>>> started by modifying the registry key: HKLM\SOFTWA
>>> RE\MICROSOFT\WINDOWS\CURRENTVERSION\
>>> RUN
>>>
>>> Since I accept automatic updating of Windows 7, there
>>> may indeed be automatic restarts of my machine daily.
>>>
>>> I'm invited to allow or deny, and so far I have denied
>>> each time.
>>>
>>> Does this remind anyone of anything? Thanks for any
>>> comments.
>>>
>>> (Machine: HP, model HPE-500f, running Windows 7 Home
>>> Premium with SP1, fully updated, 64-bit; processor,
>>> AMD Phenom II X6 1045T; networked)
>>
>> issetup.exe = InstallShield setup utility
>>
>> InstallShield is used by LOTS of software to install itself but usually
>> run because you chose to install some software. Of course, the filename
>> could be a ruse since any program can use any filename. A filename
>> doesn't guarantee the identity of the program code inside.
>>
>> You installed something whose installation completes on a reboot which
>> then adds a startup entry under the Run registry key. issetup is trying
>> to add something to the Run key but is already running during the
>> startup. Many installs complete by loading early during Windows startup
>> to replace files that were in use or to add startup entries because part
>> of whatever you installed runs as a background process to do whatever it
>> does.
>>
>> Too bad the prompt doesn't tell you WHAT entry (showing the program
>> file) that the setup utility wants to add as a startup item. That would
>> indicate what program you installed that wants to load on Windows
>> startup. Too bad the prompt doesn't tell you from where issetup.exe got
>> loaded so you could upload it to virustotal.com to check how many AV
>> programs think it's clean or infected.
>>
>> At the time you get this prompt, has enough of Windows loaded so there
>> is a desktop and you can run, say, Sysinternals' Process Explorer to
>> right-click on the issetup.exe process and look at the image properties
>> to see from where issetup.exe gets loaded?
>
> I just did a bunch of manual restarts, and the warning didn't appear,
> so I can't yet answer the last question. I've been assuming that
> the reference to starting implies a real restart triggered the
> warning, but that might not be the case. Anyway, I'll see if another
> warning appears before tomorrow morning (as one did today), and dig
> for more data. (My Windows update occurs in the small hours of the
> morning, so I'm not aware of a restart triggered by it unless there's
> other evidence such as the disappearance of some window I accidentally
> left open.) Thanks.
>
Sorry for the delay, but things in the non-virtual world got
in the way.
Anyway, the warning message's format had me fooled for a
little while. It offers more information, but underneath
that was "none", so I assumed there was indeed none. But,
if I click on the invite anyway, I find there is indeed information,
lots and lots of it. The request came from googleearth.exe,
which exists on my machine, I find, only in the right place
with the right modification date, and genuinely invokes Google Earth
with my recent searches intact. So I think it's the real one,
and I'm going to allow the modification the next time I get asked.
Thanks for everyone's time and effort.
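The check the thread converges on (which program is behind a Run-key entry, where its file really lives, and whether the file is what its name claims) can be scripted instead of done by hand in Process Explorer. The following PowerShell is an added example, not from anyone in the thread; it assumes PowerShell 4 or later (for Get-FileHash) and reads the Run keys for the machine and the current user, including the Wow6432Node view that 32-bit installers such as InstallShield use on 64-bit Windows.

```powershell
# Added example (not from the thread): list autostart entries under the Run
# keys, resolve each command to its executable, and report the file's
# Authenticode signature and SHA-256 so the binary can be identified (or
# looked up on virustotal.com) rather than trusted on its filename alone.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',  # 32-bit entries on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Properties Get-ItemProperty adds itself; they are not registry values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutablePath([string]$Command) {
    # Run values look like "C:\path\prog.exe" /args or C:\path\prog.exe /args.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: take everything up to the first ".exe" as the path.
    $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $p.Value))
        $entry = [ordered]@{
            Key     = $key
            Name    = $p.Name
            Command = $p.Value
            Exe     = $exe
            Exists  = Test-Path -LiteralPath $exe
        }
        if ($entry.Exists) {
            # Signature status and signer show whether the file is really the
            # vendor's; the hash lets you compare or look it up without guessing.
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $entry.Signature = $sig.Status
            $entry.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $entry.SHA256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $exe).Hash
            $entry.Modified  = (Get-Item -LiteralPath $exe).LastWriteTime
        }
        [pscustomobject]$entry
    }
}
```

An entry whose Exe does not exist, is unsigned, or lives outside the expected Program Files location is the one to look at first; pipe the output to Format-List to see the full command lines.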