
wrong path


24 replies to this topic

#1 mrb5162

mrb5162

  • Members
  • 115 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:09:56 PM

Posted 05 February 2015 - 05:42 PM

Oftentimes I read where a certain folder should be located. Many times it's correct, sometimes it's off by one piece of the path, and sometimes it's way off. For example, if a folder's path should start in the system 32 folder but is in appdata under users. That's pretty far off, but I have found several like that. That is also the ONLY place I find it, not in system 32 at all. The theory being that if it has the wrong path (located in the wrong folder) it is a virus, right? Or not always?
Recently I came across this recommended safe location: C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe. However there is no Installshield folder in c:\Program Files\Common Files, it is in the ProgramFiles (x86). OK, that's fine, but then the only folder in Common Files is Professional\runtime... which eventually leads to DotNetInstaller.exe and related files.
So here is where I found the ISUSPM.exe.

 

c:\Program Data\Flexnet software updater\Connect\11\ISUSPM.exe

Along with other related files.

Should I be trying to get rid of these? All of them? My Norton Internet Security never finds anything.




 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,539 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:56 PM

Posted 05 February 2015 - 06:30 PM

Hi mrb :)

I'll try to explain the following in really simple terms, so that it'll be easy to follow my explanation. If we were to follow that logic, pretty much every file on a system would be considered malware, which is true. The path for a certain file changes depending on the system it's on, but also the program that needs it. This happens often with files that have generic names such as setup.exe or uninstall.msi. I can guarantee you that you have tons of these two files on your system. Does it mean that they are malware? Not really. There's no "unique name" rule for files and folders, which means that Company A could have some of their files named the same as Company B for their own software. If you ever have a doubt about a file, you can always upload it to an online file analysis website, such as VirusTotal.com, to see if the file is legitimate or not (and even there you have to be careful about false positives).

Also, the example you just gave is a bit tricky. Program Files (x86) is the folder for 32-bit based programs under Windows 64-bit. However, under Windows 32-bit, that folder is named Program Files. On the other hand, Program Files under Windows 64-bit is the folder for 64-bit programs.

Windows 32-bit:
Program Files -> 32-bit programs

Windows 64-bit:
Program Files (x86) -> 32-bit programs
Program Files -> 64-bit programs

I know, it can be quite confusing. Back to your example, the recommended safe location is in Program Files, yet you found the file in Program Files (x86), which means that the program is most likely 32-bit based. What if the person that gave the recommended path is working under Windows 32-bit? Program Files would be his folder for 32-bit programs. Are you still with me? :P I know it's hard to understand but if you don't, I can try to write it again in a more clear, detailed way for you.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
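
The check suggested in the post above, as an added example that is not part of the original thread: a PowerShell function that finds every copy of a file name under both Program Files roots, ProgramData and the user's AppData, and reports each copy's publisher signature and SHA-256 so the file is judged on more than its name or path. The function name `Get-FileTriage` and the choice of search roots are assumptions made for this example.

```powershell
# Added example, not from the thread. Get-FileTriage is a hypothetical helper name.
function Get-FileTriage {
    param(
        [Parameter(Mandatory)] [string] $Name    # file name to look for, e.g. 'ISUSPM.exe'
    )

    # Search roots (an assumption; extend as needed).
    # On 64-bit Windows, a 32-bit PowerShell sees ProgramFiles as the (x86) folder,
    # so ProgramW6432 is preferred when it is set. On 32-bit Windows the (x86)
    # variable is empty and that root is skipped.
    $roots = [ordered]@{
        'Program Files'       = $(if ($env:ProgramW6432) { $env:ProgramW6432 } else { $env:ProgramFiles })
        'Program Files (x86)' = ${env:ProgramFiles(x86)}
        'ProgramData'         = $env:ProgramData
        'AppData\Local'       = $env:LOCALAPPDATA     # includes AppData\Local\Temp
        'AppData\Roaming'     = $env:APPDATA
    }

    foreach ($label in $roots.Keys) {
        $root = $roots[$label]
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Filter $Name -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # The signature ties the file to a publisher; the path does not.
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Root      = $label
                    Path      = $_.FullName
                    Company   = $_.VersionInfo.CompanyName    # self-declared, not proof
                    Signature = $sig.Status                   # Valid, NotSigned, HashMismatch, ...
                    Signer    = $sig.SignerCertificate.Subject
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# The file name from the first post; any name can be used.
Get-FileTriage -Name 'ISUSPM.exe' | Format-List
```

The SHA256 value can be searched on VirusTotal without uploading the file.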


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,119 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:56 PM

Posted 05 February 2015 - 07:09 PM

AppData (Application data) is a hidden sub-folder used to protect user data and settings from unwanted changes or deletion for any number of installed programs. User data that was previously stored in the %SystemDrive%\Documents and Settings directory in Windows XP is now stored in the %SystemDrive%\Users directory (for Vista and above) which includes an AppData folder.

Programs should not be running from a temp folder or user profile which is meant to hold data, preferences, settings, and configuration files. Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from and the user profile AppData, ProgramData, and temp folders are common hiding places for malicious files...see Virus Characteristics in this Virus Profile.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Aura


Posted 05 February 2015 - 07:11 PM

Despite the fact that programs shouldn't run from the AppData folder, which is true, some of them still do so you have to be careful about that (identifying the malicious ones from the legitimate ones).



#5 quietman7


Posted 05 February 2015 - 07:15 PM

RKill will find them.

#6 Aura


Posted 05 February 2015 - 07:17 PM

Oh yes it does, a lot of legitimate programs get killed by RKill or deleted by Junkware Removal Tool and AdwCleaner. I don't understand why developers don't store their programs where they belong, in Program Files. I know that usually, programs install themselves in the AppData folder when a user picks the option to install the program for him only and not all the users, but even there, they aren't using AppData for what it's meant to be used.



#7 quietman7


Posted 05 February 2015 - 07:22 PM

> I don't understand why developers don't store their programs where they belong, in Program Files.

HeeHee...Grinler says that all the time when someone complains in the RKill discussion topic about a targeted file. :wink:

#8 Aura


Posted 05 February 2015 - 07:53 PM

> > I don't understand why developers don't store their programs where they belong, in Program Files.
>
> HeeHee...Grinler says that all the time when someone complains in the RKill discussion topic about a targeted file. :wink:


I have to go read that :lol: They had it coming too when using programs that install themselves in AppData. I understand the fact that installing a program there is a good way to ensure that only the "user" that installed it has access to it, but they could do the same thing by installing the program where it belongs, in Program Files, and allowing only the user that installed it the right to use the program, via permissions. Oh well, I can keep on dreaming I guess. I think that even Spotify launches itself from AppData.



#9 rp88

rp88

  • Members
  • 2,966 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:03:56 AM

Posted 06 February 2015 - 01:58 PM

I have ISUSPM.exe on my machine, it is rubbish but harmless rubbish. I just disabled it from automatically starting using CCleaner and haven't worried since. The file is part of something called flexnet which is a harmless, but useless thing preinstalled on some machines. It manages updates for installed programs, but the programs generally do this themselves anyway. If you suspect your file might be something nastier trying to use the same name, you could always try uploading it to virustotal and seeing if any of the antiviruses find a detection in it.

There are some legitimate circumstances for a program to run from a temp folder, when a user updates VLC media player it will save an installer for the latest version somewhere in there and run it to update the user to the latest version of VLC.

Edited by rp88, 06 February 2015 - 01:59 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#10 quietman7


Posted 06 February 2015 - 02:01 PM

> ...There are some legitimate circumstances for a program to run from a temp folder, when a user updates VLC media player it will save an installer for the latest version somewhere in there and run it to update the user to the latest version of VLC.

I don't consider that legitimate. The vendor is forcing folks to do that.

#11 Aura


Posted 06 February 2015 - 02:07 PM

> ...There are some legitimate circumstances for a program to run from a temp folder, when a user updates VLC media player it will save an installer for the latest version somewhere in there and run it to update the user to the latest version of VLC.


We aren't talking about the AppData\Local\Temp folder, but the actual AppData folder. For example, lightshot installs itself under AppData\Lightshot, and the executable is launched from that folder, when it shouldn't. Of course there are executable files in temp folder and it's understandable, some run there when they are being called by another program, process, etc. But they shouldn't be "installed" there. Hence the difference.



#12 quietman7


Posted 06 February 2015 - 02:22 PM

I have seen files deliberately installed in the AppData\Local\Temp folder but not as much these days since malware likes that location too.

#13 Aura


Posted 06 February 2015 - 02:24 PM

> I have seen files deliberately installed in the AppData\Local\Temp folder but not as much these days since malware likes that location too.


There are just no words to describe how a developer could do that. It shows that these developers aren't aware of how Windows works and how to use its folders properly.



#14 quietman7


Posted 06 February 2015 - 02:28 PM

Or they don't care.

#15 mrb5162


Posted 06 February 2015 - 02:31 PM

> Hi mrb :)
>
> I'll try to explain the following in really simple terms, so that it'll be easy to follow my explanation. If we were to follow that logic, pretty much every file on a system would be considered malware, which is true. The path for a certain file changes depending on the system it's on, but also the program that needs it. This happens often with files that have generic names such as setup.exe or uninstall.msi. I can guarantee you that you have tons of these two files on your system. Does it mean that they are malware? Not really. There's no "unique name" rule for files and folders, which means that Company A could have some of their files named the same as Company B for their own software. If you ever have a doubt about a file, you can always upload it to an online file analysis website, such as VirusTotal.com, to see if the file is legitimate or not (and even there you have to be careful about false positives).
>
> Also, the example you just gave is a bit tricky. Program Files (x86) is the folder for 32-bit based programs under Windows 64-bit. However, under Windows 32-bit, that folder is named Program Files. On the other hand, Program Files under Windows 64-bit is the folder for 64-bit programs.
>
> Windows 32-bit:
> Program Files -> 32-bit programs
>
> Windows 64-bit:
> Program Files (x86) -> 32-bit programs
> Program Files -> 64-bit programs
>
> I know, it can be quite confusing. Back to your example, the recommended safe location is in Program Files, yet you found the file in Program Files (x86), which means that the program is most likely 32-bit based. What if the person that gave the recommended path is working under Windows 32-bit? Program Files would be his folder for 32-bit programs. Are you still with me? :P I know it's hard to understand but if you don't, I can try to write it again in a more clear, detailed way for you.

> I have ISUSPM.exe on my machine, it is rubbish but harmless rubbish. I just disabled it from automatically starting using CCleaner and haven't worried since. The file is part of something called flexnet which is a harmless, but useless thing preinstalled on some machines. It manages updates for installed programs, but the programs generally do this themselves anyway. If you suspect your file might be something nastier trying to use the same name, you could always try uploading it to virustotal and seeing if any of the antiviruses find a detection in it.
>
> There are some legitimate circumstances for a program to run from a temp folder, when a user updates VLC media player it will save an installer for the latest version somewhere in there and run it to update the user to the latest version of VLC.

So if an installer is in the Temp folder I could actually delete it? Wouldn't a new version or update that is being requested just download that installer or update file again? So glad to hear there is a place that I can upload the program to rather than downloading a program to my computer. I installed Malwarebytes a while ago and must have somehow gotten it from a 3rd party site. It completely destroyed me. I guess that may be why my original Malwarebytes program disappeared. Someone wanted to download their own "version".





