Old 11-13-2008, 10:00 PM   #1 (permalink)
Registered User
 
Join Date: May 2008
Posts: 12
OS: xp,sp2 pro


INSTB32.SYS Possible F/P?

Operating System: Windows Vista Home Premium. AVG version 8.0.199. Virus db version 270.9.3/1786. No other antivirus software installed. Protection Software: Windows Defender and Spybot Search and Destroy.


Hello TSF, I have a problem. It started on Wednesday and when I checked to see what my AVG was scanning, AVG detected 2 rootkits both named INSTB32.SYS. I researched the file online and found out that it was associated with my computer application named "Lojack for Laptops". I could not delete nor submit the file to virustotal.com or virusscan.jotti.org because they were both called "Hidden driver" and the result was "Object is hidden" and I do not have Administrator rights because my parents will not allow me because they also use the laptop. I can also show the picture of it if it was allowed. It is not doing any harm I suppose but I have not used the product but it seems legit. I also asked AVG support and they did not find me a solution but just gave me links about a different false positive. Help please.
Darkblade97 is offline  

Old 11-13-2008, 10:26 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home


Re: INSTB32.SYS Possible F/P?

Hello -

Seems the best course of action would be to bring it to your parents' attention, since it should require administrator privileges to handle no matter if it's a false positive or not.

If this machine has Lojack For Laptops installed, there should be Absolute Software properties on the file.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 11-13-2008, 10:36 PM   #3 (permalink)
Registered User
 
Join Date: May 2008
Posts: 12
OS: xp,sp2 pro


Re: INSTB32.SYS Possible F/P?

Should I consider removing Lojack For Laptops because it came with my Toshiba Laptop and I have never even used it or better yet never touched it till I got this notice?
Darkblade97 is offline  
Old 11-13-2008, 10:42 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home


Re: INSTB32.SYS Possible F/P?

Nope.

It's one of those applications you never use until you need it.

Again, I'd bring it to the computer administrator's (your parents) attention. It's their decision. If they wanted you to make such decisions, I'd think you'd be in the Administrators group.

If it's an FP, you want to tell AVG to ignore it, and place it in a safe zone so it won't detect it. If it's not an FP, then you'll need someone with administrator privileges to possibly run malware removal scans. But you need to determine whether or not it is a legit file, first.

Could be a recent update to AVG's definitions has caught a file which was always there...could be a new file...
tetonbob is offline  
Old 11-13-2008, 10:49 PM   #5 (permalink)
Registered User
 
Join Date: May 2008
Posts: 12
OS: xp,sp2 pro


Re: INSTB32.SYS Possible F/P?

Thank you for the information. I have a problem though how do I put it in the safe zone when it is in a hidden driver in which I can't find? I am not really sure about if it is a legit file or not because I read in a Kaspersky Forum it was safe but there have been other links saying it might be malware and I do not think it is and I would always need my parents to let me use their Admin. account just to try to remove it. Can I ask you tom. because I need to go now?
Darkblade97 is offline  
Old 11-13-2008, 10:57 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home


Re: INSTB32.SYS Possible F/P?

Please read what I've written.

Do not decide that just because AVG has identified it as a threat it needs to be removed. I'm not saying it isn't a threat, but you're telling me the machine has the software installed that this file can be associated with.

Protection software is not infallible. The file needs to be examined before a decision is made.

Quote:
a hidden driver in which I can't find
This can only be done with the proper permissions. From an admin account you should be able to find it via a search.

This topic will remain open for quite a while. Bring their attention to it, do not act without due consideration.
tetonbob is offline  
Old 11-13-2008, 11:11 PM   #7 (permalink)
Registered User
 
Join Date: May 2008
Posts: 12
OS: xp,sp2 pro


Re: INSTB32.SYS Possible F/P?

Ok I will examine the hidden driver tomorrow and post here with any luck if I have found something. I will come back here tomorrow and see if I can find anything. Thanks again and good night tetonbob.
Darkblade97 is offline  
Old 11-16-2008, 10:26 PM   #8 (permalink)
Registered User
 
Join Date: May 2008
Posts: 12
OS: xp,sp2 pro


Re: INSTB32.SYS Possible F/P?

Hey tetonbob, I have a question: how do I find the hidden driver? When I typed the location where AVG found it, it would always show an error in trying to find it. Do you know any software that can help? I also found out something weird though. Whenever AVG scans at around 5:30 pm, it would show zero results except a lot of cookies. Then when I scan my computer at around 8:30 to check, it would pop up in my results.
Darkblade97 is offline  
Old 11-17-2008, 09:34 PM   #9 (permalink)
Registered User
 
Join Date: May 2008
Posts: 12
OS: xp,sp2 pro


Re: INSTB32.SYS Possible F/P?

Please reply back.
Darkblade97 is offline  
Old 11-17-2008, 09:36 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,208
OS: 2000 Pro; XP Pro; XP Home


Re: INSTB32.SYS Possible F/P?

Hi -

Apparently you're not understanding me...

There is not much you as a Limited User can do about this, and the file does not seem to be one that needs to have you so concerned.

This can only be addressed by the machine's administrator.
tetonbob is offline  
Old 11-17-2008, 10:13 PM   #11 (permalink)
Registered User
 
Join Date: May 2008
Posts: 12
OS: xp,sp2 pro


Re: INSTB32.SYS Possible F/P?

I did use the Administrator account and where AVG located it is in C:\Windows\Temp\INSTB32.SYS in which I tried to find it manually and it would say it cannot find the file you were looking for? Also Lojack for Laptops was never installed in my system. It was in my Desktop ever since and I have no interest in paying for it whatsoever. It was just there because it was bundled in my Toshiba laptop.
Darkblade97 is offline  
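
As an added example (not part of the original thread), the file examination the replies call for can be scripted from an elevated PowerShell prompt: it checks whether the file AVG reported is present, reads its version-info company name, and verifies its Authenticode signature before any decision to exclude or remove it. The helper name `Get-DriverTriage` and the verdict wording are assumptions made for illustration; the path and vendor name are the ones quoted in the thread.

```powershell
# Added example, not from the thread. Run from an elevated (administrator) prompt.
# Get-DriverTriage is a hypothetical helper name; the verdict strings are illustrative.
function Get-DriverTriage {
    param(
        [string]$Path = 'C:\Windows\Temp\INSTB32.SYS',   # location AVG reported in the thread
        [string]$ExpectedVendor = 'Absolute Software'     # vendor named in the replies
    )
    $r = [ordered]@{
        Path = $Path; Exists = $false; Company = $null
        SignatureStatus = $null; Signer = $null; SHA256 = $null; Verdict = $null
    }
    # A detection in a Temp folder may refer to a file that exists only briefly,
    # so a missing file is reported as a finding rather than treated as an error.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $r.Verdict = 'Not present on disk now; note the scan time and re-check after the next detection'
        return [pscustomobject]$r
    }
    $r.Exists  = $true
    # -Force lets Get-Item return files carrying the Hidden or System attribute.
    $r.Company = (Get-Item -LiteralPath $Path -Force).VersionInfo.CompanyName
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $r.SignatureStatus = [string]$sig.Status
    if ($sig.SignerCertificate) { $r.Signer = $sig.SignerCertificate.Subject }
    # The hash can be looked up on a multi-engine scanner without uploading the file.
    $r.SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $vendorInProps  = $r.Company -like "*$ExpectedVendor*"
    $vendorInSigner = $r.Signer  -like "*$ExpectedVendor*"
    # Version-info properties are plain text anyone can set; only a valid
    # signature from the vendor's certificate is strong evidence.
    if ($sig.Status -eq 'Valid' -and $vendorInSigner) {
        $r.Verdict = 'Validly signed by the expected vendor: consistent with a false positive'
    } elseif ($vendorInProps) {
        $r.Verdict = 'Vendor name appears in properties only: unverified claim, examine further'
    } else {
        $r.Verdict = 'No link to the expected vendor: treat as suspicious until examined'
    }
    [pscustomobject]$r
}

Get-DriverTriage | Format-List
```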