Windows Vista Tips

instb32.exe - Malware?

 
 
Frank
Guest
Posts: n/a

 
      02-27-2008
Last night I did a Windows update to my Vista machine. This afternoon,
Threatfire, my malware behavior detection program, detected "suspicious"
activity. A program called INSTB32.SYS in C:\windows\temp\INSTB32.SYS was
trying to install itself as instb32.exe to the windows system file
C:\windows\System32\instb32.exe.

Is either INSTB.SYS or instb.exe a legitimate Windows file? Is this malware?
How come this was not detected with the install if it's legit? I have found
no answers to this so far. I have both files quarantined until I get an
answer.

Sincerely

Frank
 
PA Bear [MS MVP]
Guest
Posts: n/a

 
      02-28-2008
Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_R...:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/...moving_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

Frank wrote:
> Last night I did a Windows update to my Vista machine. This afternoon,
> Threatfire, my malware behavior detection program, detected "suspicious"
> activity. A program called INSTB32.SYS in C:\windows\temp\INSTB32.SYS was
> trying to install itself as instb32.exe to the windows system file
> C:\windows\System32\instb32.exe.
>
> Is either INSTB.SYS or instb.exe a legitimate Windows file? Is this
> malware?
> How come this was not detected with the install if it's legit? I have found
> no answers to this so far. I have both files quarantined until I get an
> answer.
>
> Sincerely
>
> Frank


 
MowGreen [MVP]
Guest
Posts: n/a

 
      02-28-2008
Did you check the Properties of the suspect file?
Right click both instb32.exe and instb32.sys then click the Version tab
to see if they are legit or not.
And/or have them scanned at:
http://virusscan.jotti.org/
or
http://www.virustotal.com/

Did you submit the suspect files to Threatfire for analysis?
Which 'windows update' was installed?
It would have to be an update to a driver since no security update that
came out on Patch Tuesday contained either of the files you've posted.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============



Frank wrote:

> Last night I did a Windows update to my Vista machine. This afternoon,
> Threatfire, my malware behavior detection program, detected "suspicious"
> activity. A program called INSTB32.SYS in C:\windows\temp\INSTB32.SYS was
> trying to install itself as instb32.exe to the windows system file
> C:\windows\System32\instb32.exe.
>
> Is either INSTB.SYS or instb.exe a legitimate Windows file? Is this malware?
> How come this was not detected with the install if it's legit? I have found
> no answers to this so far. I have both files quarantined until I get an
> answer.
>
> Sincerely
>
> Frank

 
Reply With Quote
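
The Version-tab check suggested in the reply above can also be scripted, together with a signature check and a hash for lookup. This is an added example, not part of any poster's message; it assumes PowerShell 4.0 or later (for Get-FileHash) and that the quarantined files have been restored to the paths named in the thread or copied to an analysis machine. The function name Get-SuspectFileReport is hypothetical.

```powershell
# Added example: collect the Version-tab fields, the Authenticode result and a
# SHA-256 hash for each suspect file. Get-SuspectFileReport is a hypothetical name.
function Get-SuspectFileReport {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    foreach ($p in $Path) {
        $present = Test-Path -LiteralPath $p -PathType Leaf
        $ver = $null; $sig = $null; $hash = $null
        if ($present) {
            $item = Get-Item -LiteralPath $p -Force
            $ver  = $item.VersionInfo                       # same data as the Version tab
            $sig  = Get-AuthenticodeSignature -FilePath $p  # signature status and signer
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }

        # A version resource that names a different file than the one on disk
        # (for example a .sys in Temp that says it is an .exe) deserves a closer look.
        $renamed = $present -and $ver.OriginalFilename -and
                   ($ver.OriginalFilename -ne $item.Name)

        # Emit the same properties for every path so missing files still show up.
        [pscustomobject]@{
            Path             = $p
            Present          = $present
            CompanyName      = $ver.CompanyName
            ProductName      = $ver.ProductName
            FileVersion      = $ver.FileVersion
            OriginalFilename = $ver.OriginalFilename
            NameMismatch     = [bool]$renamed
            SignatureStatus  = $sig.Status
            Signer           = $sig.SignerCertificate.Subject
            SHA256           = $hash
        }
    }
}

# The two paths quoted in the thread.
Get-SuspectFileReport -Path 'C:\Windows\Temp\INSTB32.SYS',
                            'C:\Windows\System32\instb32.exe' | Format-List
```

The SHA256 value can be searched on VirusTotal without uploading the file. An empty CompanyName or a signature status other than Valid is a reason to look further, not a verdict on its own.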
 
 
 