Mysterious warning concerning Setup Launcher Unicode


A

Anthony Buckland

Every day, occasionally twice a day, I'm being bombarded
lately with slight variations on a mysterious warning from my
antivirus (ZoneAlarm). The latest version is now on my
screen, and reads (line breaks as in the message):

SUSPICIOUS BEHAVIOR

Setup Launcher Unicode may be trying to prevent
'ISSETUP' from running each time your computer is
started by modifying the registry key: HKLM\SOFTWA
RE\MICROSOFT\WINDOWS\CURRENTVERSION\
RUN

Since I accept automatic updating of Windows 7, there
may indeed be automatic restarts of my machine daily.

I'm invited to allow or deny, and so far I have denied
each time.

Does this remind anyone of anything? Thanks for any
comments.

(Machine: HP, model HPE-500f, running Windows 7 Home
Premium with SP1, fully updated, 64-bit; processor,
AMD Phenom II X6 1045T; networked)
 
Ad

Advertisements

V

VanguardLH

Anthony said:
Every day, occasionally twice a day, I'm being bombarded
lately with slight variations on a mysterious warning from my
antivirus (ZoneAlarm). The latest version is now on my
screen, and reads (line breaks as in the message):

SUSPICIOUS BEHAVIOR

Setup Launcher Unicode may be trying to prevent
'ISSETUP' from running each time your computer is
started by modifying the registry key: HKLM\SOFTWA
RE\MICROSOFT\WINDOWS\CURRENTVERSION\
RUN

Since I accept automatic updating of Windows 7, there
may indeed be automatic restarts of my machine daily.

I'm invited to allow or deny, and so far I have denied
each time.

Does this remind anyone of anything? Thanks for any
comments.

(Machine: HP, model HPE-500f, running Windows 7 Home
Premium with SP1, fully updated, 64-bit; processor,
AMD Phenom II X6 1045T; networked)
issetup.exe = InstallShield setup utility

InstallShield is used by LOTS of software to install itself but usually
run because you chose to install some software. Of course, the filename
could be a ruse since any program can use any filename. A filename
doesn't guarantee the identity of the program code inside.

You installed something whose installation completes on a reboot which
then adds a startup entry under the Run registry key. issetup is trying
to add something to the Run key but is already running during the
startup. Many installs complete by loading early during Windows startup
to replace files that were inuse or to add startup entries because part
of whatever you installed runs as a background process to do whatever it
does.

Too bad the prompt doesn't tell you WHAT entry (showing the program
file) that the setup utility wants to add as a startup item. That would
indicate what program you installed that wants to load on Windows
startup. Too bad the prompt doesn't tell you from where issetup.exe got
loaded so you could upload it to virustotal.com to check how many AV
programs think its clean or infected.

At the time you get this prompt, has enough of Windows loaded so there
is a desktop and you can run, say, SysInternal's Process Explorer to
right-click on the issetup.exe process and look at the image properties
to see from where issetup.exe gets loaded?
 
A

Anthony Buckland

issetup.exe = InstallShield setup utility

InstallShield is used by LOTS of software to install itself but usually
run because you chose to install some software. Of course, the filename
could be a ruse since any program can use any filename. A filename
doesn't guarantee the identity of the program code inside.

You installed something whose installation completes on a reboot which
then adds a startup entry under the Run registry key. issetup is trying
to add something to the Run key but is already running during the
startup. Many installs complete by loading early during Windows startup
to replace files that were inuse or to add startup entries because part
of whatever you installed runs as a background process to do whatever it
does.

Too bad the prompt doesn't tell you WHAT entry (showing the program
file) that the setup utility wants to add as a startup item. That would
indicate what program you installed that wants to load on Windows
startup. Too bad the prompt doesn't tell you from where issetup.exe got
loaded so you could upload it to virustotal.com to check how many AV
programs think its clean or infected.

At the time you get this prompt, has enough of Windows loaded so there
is a desktop and you can run, say, SysInternal's Process Explorer to
right-click on the issetup.exe process and look at the image properties
to see from where issetup.exe gets loaded?
I just did a bunch of manual restarts, and the warning didn't appear,
so I can't yet answer the last question. I've been assuming that
the reference to starting implies a real restart triggered the
warning, but that might not be the case. Anyway, I'll see if another
warning appears before tomorrow morning (as one did today), and dig
for more data. (My Windows update occurs in the small hours of the
morning, so I'm not aware of a restart triggered by it unless there's
other evidence such as the disappearance of some window I accidentally
left open.) Thanks.
 
J

Jolly polly

I just did a bunch of manual restarts, and the warning didn't appear,
so I can't yet answer the last question. I've been assuming that
the reference to starting implies a real restart triggered the
warning, but that might not be the case. Anyway, I'll see if another
warning appears before tomorrow morning (as one did today), and dig
for more data. (My Windows update occurs in the small hours of the
morning, so I'm not aware of a restart triggered by it unless there's
other evidence such as the disappearance of some window I accidentally
left open.) Thanks.
If as suggested a program wanted to carry installing after a reboot the
item would be place in the runonce folder no the run folder. The run folder
is for item to start each and every time Windows starts.
You can if you wish, click on the start orb, type 'msconfig' <enter> to
launch system configuration, goto startup tab and have a look at the
entries.
 
V

VanguardLH

Jolly said:
If as suggested a program wanted to carry installing after a reboot the
item would be place in the runonce folder no the run folder. The run folder
is for item to start each and every time Windows starts.
You can if you wish, click on the start orb, type 'msconfig' <enter> to
launch system configuration, goto startup tab and have a look at the
entries.
I assumed the OP was correct as to where the new entry got added (Run
registry key). There are many ways to run a program on Windows startup
other than using registry keys that could then modify the Run key.
Besides the RunOnce key (which Windows deletes after the entry there has
been loaded), the suspect could add a Run entry to create another Run
entry and then delete the 1st Run entry. Login scripts could be defined
so the program runs when you login to add its Run entry and then delete
itself from the login script. There are WinLogon events in the registry
as another startup item location. A task could be added to Task
Scheduler that runs on login (and could optionally delete itself after
it runs). Use SysInternals' AutoRuns to see the plethora of means of
running a program on Windows startup or upon login.
 
Ad

Advertisements

A

Anthony Buckland

I just did a bunch of manual restarts, and the warning didn't appear,
so I can't yet answer the last question. I've been assuming that
the reference to starting implies a real restart triggered the
warning, but that might not be the case. Anyway, I'll see if another
warning appears before tomorrow morning (as one did today), and dig
for more data. (My Windows update occurs in the small hours of the
morning, so I'm not aware of a restart triggered by it unless there's
other evidence such as the disappearance of some window I accidentally
left open.) Thanks.
Sorry for the delay, but things in the non-virtual world got
in the way :)

Anyway, the warning message's format had me fooled for a
little while. It offers more information, but underneath
that was "none", so I assumed there was indeed none. But,
if I click on the invite anyway, I find there is indeed information,
lots and lots of it. The request came from googleearth.exe,
which exists on my machine, I find, only in the right place
with the right modification date, and genuinely invokes Google Earth
with my recent searches intact. So I think it's the real one,
and I'm going to allow the modification the next time I get asked.

Thanks for everyone's time and effort.
 
Ad

Advertisements


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top