This post is just an FYI for anyone else that comes across this behavior and executable files that are named like they're malware. TLDR; they're not, and you should let it run so that the 1Password installer finished properly on reboot.
I just installed the latest version of 1Password for Windows (v126.96.36.1993) and SpyBot's TeaTimer told me that the following registry entry was attempted:
Category: System Startup global entry Change: Value added Entry: InnoSetupRegFile.0000000001 New Data: "C:\Windows\is-2KIFU.exe" /REG /REGSVRMODE
This immediately set off warning bells - what was this weirdly named exe and why was it trying to get itself to run at startup? Sounds like malware, doesn't it? Now the mitigating factor was that this warning popped up immediately after my install of 1Password completed, so I figured either it was legit or my download was infected. I wandered over to the
C:\Windows directory and found not only that
is-2KIFU.exe but also another one called
is-F4KHF.exe from Jun 30 2013. The .exe files had the 1Password icons, but looking at file Properties showed no identifying info (no Agilebits, no 1Password, etc.). I also scanned it using the Sysinternals tool sigcheck. It also came up empty.
So far, not great. Not horrible, but not great. Scanning them (with AVG) thankfully came up empty.
The sigh of relief came when I saw that those executables also have 2 sibling files: same prefix, but with the extensions .lst and .msg. The .lst file contained this:
; This file was created by the installer for: ; 1Password 188.8.131.523 ; Location: D:\Documents and Settings\user\My Documents\Downloads\1Password-184.108.40.2063.exe ; List of files to be registered on the next reboot. DO NOT EDIT! [s.]C:\WINDOWS\system32\ChilkatCrypt2.dll [s.]C:\WINDOWS\system32\ChilkatZip2.dll
Now I know what it's for, and I can click Allow in TeaTimer.
However, I'm disappointed in a few things:
The installed sticks files in C:\Windows for installation purposes and doesn't clean them up
The installer _doesn't tell you _that it needs to do this.
Those files aren't well-documented. At a minimum, they should note the publisher (AgileBits) and the date.