Author Topic: [solved]C:swsetup\HP_ISM\ISMSetup.exe.....is it a virus?  (Read 10932 times)

dinodawg

  • Guest
[solved]C:swsetup\HP_ISM\ISMSetup.exe.....is it a virus?
« on: January 02, 2012, 07:11:24 AM »
Hi, I have been using avast! free edition ever since I got my computer. However, while running a scan today, it gave me a reading saying that the file C:swsetup\HP_ISM\ISMSetup.exe is malware. I have scanned my computer numerous times and this has never shown up as being a virus. Additionally, it says the file was last modified in March, which was about when this computer was made (I got it in July), so I am beginning to think that it is a false positive. I have since moved it to the virus chest.

If this helps, my computer is an HP Probook 4530s. This is what avast! is telling me about this file: File name: ISMSetup.exe
Win32:malware gen
ID:1

I am running OEM Windows 7 64bit. I have no virus symptoms.
« Last Edit: January 04, 2012, 10:58:53 PM by dinodawg »

true indian

  • Guest
Re: C:swsetup\HP_ISM\ISMSetup.exe.....is it a virus?
« Reply #1 on: January 02, 2012, 07:14:38 AM »
Upload the file here:

www.virustotal.com

Post the link to the results here...

dinodawg

  • Guest
Re: C:swsetup\HP_ISM\ISMSetup.exe.....is it a virus?
« Reply #2 on: January 02, 2012, 07:22:26 AM »
So....the one in question is in a .cab file that is over 20mb, so I cannot send the file. However, the item in question is in the swsetup folder, so it is a driver. I do not believe that drivers can be infected though. And because it says HP in the name, I am believing that it is an HP driver that was incorrectly marked as malware. Am I correct?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: C:swsetup\HP_ISM\ISMSetup.exe.....is it a virus?
« Reply #3 on: January 02, 2012, 01:55:02 PM »
The win32:malware-gen is a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.

Given its location, an HP folder, and that it has been on the system for some time, it is most likely an FP.

What scan were you doing?
The reason I ask is I believe this may be a file that is within an archive file, as 20MB would be big for a single file and archives generally aren't scanned by default.

So can you give us the full path in the alert, go back to the scan computer, scan logs and open the log for your scan?

If this file is in an archive file, it could be extracted from the archive and uploaded to VT for scanning. When we know one way or another I can show you how to safely extract it from the archive and upload it for scanning.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Chilidawg

  • Guest
Re: C:swsetup\HP_ISM\ISMSetup.exe.....is it a virus?
« Reply #4 on: January 02, 2012, 04:37:19 PM »
Folks,  I'll be following this thread as I have exactly the same machine as Dinodawg and Avast found the same thing on mine.  I suspect that I didn't do a thorough job of removing the bloatware on mine.

dinodawg

  • Guest
Re: C:swsetup\HP_ISM\ISMSetup.exe.....is it a virus?
« Reply #5 on: January 02, 2012, 08:12:50 PM »
Hi David,

I was running a full-system scan (I always use the full-system scan) when it detected it yesterday. The full path is C:swsetup\HP_ISM\ISM_Setup.exe

Now the ISM_Setup.exe is contained inside the archive, which I am somewhat scared of opening. It is a .cab file archive as well, so I am unable to open it with WinRAR. However, HP_ISM seems to be an internet-connectivity related driver. But all the files in the HP_ISM folder were modified before 3/11/2011, and I bought the computer in July.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37531
  • Not a avast user
Re: C:swsetup\HP_ISM\ISMSetup.exe.....is it a virus?
« Reply #6 on: January 02, 2012, 08:59:07 PM »
Quote
So....the one in question is in a .cab file that is over 20mb, so I cannot send the file.
how big.... www.jotti.org can scan 25mb and www.metascan-online.com can scan 40mb

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: C:swsetup\HP_ISM\ISMSetup.exe.....is it a virus?
« Reply #7 on: January 02, 2012, 09:47:19 PM »
That's the thing: from your original and further information, I see no archive file mentioned in the path before the final file ismsetup.exe. Whilst an exe setup file in its own right could be a self-extracting archive, what it doesn't go on to do is show what the subsequent file is, e.g. ismsetup.exe|>suspect_file.exe, etc. (the |> part showing that what comes after is within the last file).

In the path you have given, the HP_ISM is a folder.

So given you have said it is within a .cab file, that doesn't show in the information, e.g. C:swsetup\HP_ISM\whatever.cab|>ISM_Setup.exe and it is this .cab file name and where it is in this detection path.

I use 7zip and that can open an archive in safety, and extract the ISM_Setup.exe, but I really want to know what we are getting into first as we would have to create some sort of exclusion so avast doesn't alert when you extract it.

dinodawg

  • Guest
Re: C:swsetup\HP_ISM\ISMSetup.exe.....is it a virus?
« Reply #8 on: January 02, 2012, 11:02:03 PM »
Okay, so I used metascan.com and now avast! is saying that the file tests negative. But instead, it says Symantec is saying that it is a "malformed container violation." Can drivers be infected with malware? Because then this means that there is something wrong at the HP factory.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: C:swsetup\HP_ISM\ISMSetup.exe.....is it a virus?
« Reply #9 on: January 02, 2012, 11:34:44 PM »
The "malformed container violation." notice could mean nothing more than it is unable to pack the archive, can happen if there are multiple levels of archives involved. It can't unpack it to properly scan it.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37531
  • Not a avast user
Re: C:swsetup\HP_ISM\ISMSetup.exe.....is it a virus?
« Reply #10 on: January 02, 2012, 11:36:59 PM »
upload from chest to avast lab   ;)

dinodawg

  • Guest
Re: C:swsetup\HP_ISM\ISMSetup.exe.....is it a virus?
« Reply #11 on: January 02, 2012, 11:47:05 PM »
I have already sent it to the avast! labs and I am waiting to hear from them. Most likely it seems to be a false-positive. Better than not detecting it I guess.

Well, thanks Indian Guy, David, and Pondus for your help. I will post the results when I hear back from avast.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37531
  • Not a avast user
Re: C:swsetup\HP_ISM\ISMSetup.exe.....is it a virus?
« Reply #12 on: January 02, 2012, 11:49:23 PM »
Quote
I have already sent it to the avast! labs and I am awaiting to hear from them.
Well, don't, as they usually don't reply..... but then again you may be lucky   ;)

dinodawg

  • Guest
Re: C:swsetup\HP_ISM\ISMSetup.exe.....is it a virus?
« Reply #13 on: January 04, 2012, 02:56:33 AM »
Seems to have been fixed with the latest virus definition database. No longer showing up as a virus.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37531
  • Not a avast user
Re: C:swsetup\HP_ISM\ISMSetup.exe.....is it a virus?
« Reply #14 on: January 04, 2012, 06:22:11 AM »
Then you can edit your first post and add SOLVED to topic title