Comodo asked to allow or block INSTW32.exe, what the heck is it?

Does anyone know what this is? Google points out it might be a trojan dropper. It was trying to access my hard disk according to the firewall. If it is, does anyone know if the firewall would know where it is stored cuz I sure as heck don’t. I don’t want it though, that’s for sure.


Hey psych1610,

Have a look at

instw32.exe is part of a malware chain that utilises MSN, Limewire and others to propagate.

The above link contains good info on how to remove it. The best instructions are towards the bottom of the link.

Hope this helps (and kudos to CFP3 for catching it!)
Ewen :slight_smile:

I read it also runs from AIM and Myspace

Panic, Ricky, thanks both for your responses.

Panic, I’m following the instructions listed in the link you posted, which basically were just run ATF-Cleaner and then AVG Antispyware. So far, no gold. :frowning:

Ricky, are you suggesting that the process is somehow legit? I’m wondering if that’s not the case as my system is behaving perfectly and no one is telling me I’ve been spamming them with Instant Messages. It was just the firewall that alerted me to this and weekly scans with Nod32, Spybot, and Spyware Terminator have resulted in nothing. Oh the possibilities.

I’ll update this post sometime in the morning with the results from tonight’s scans, etc. Good night all.


Did you run it through or ?


Everywhere I looked that has any info on instw32.exe says that it is malware. Under listings for INST.EXE it shows as Trojan.W32.RealSearch. Probably a good idea to block it with Comodo. That file would show up in C:\WINDOWS\system32\instw32.exe. Possibly try Ad-Aware to search? Or even one or more of the online virus scanners.

Performed a bunch of scans last night, didn’t find anything. Will check in Win Systems 32 for something. I couldn’t submit it to Jotti or virus total because I have no idea where it’s hiding right now.

Will try Kaspersky scan or something tonight…

Dumb question, if I find it’s hiding out in System 32 can I just delete that file and the problem is solved?

I read somewhere yesterday it can be deleted, but I’d find it first and run it through Jotti and Virus Total.

If you had an alert you should find a log entry in Defense+ Log.
There you can read the full path to that file.

I assume that you have done a file search (dumb question), so try searching from a boot disk. If you can find it by searching from a boot disk but not using a regular search, it may have been stealthed by a rootkit. No boot disk with a search utility? You can try running Rootkit Revealer or System Virginity Verifier, or just do a scan with Sophos Anti-Rootkit (this will possibly be able to remove the rootkit also). offers a free online scan, and there are a bunch of others. Rootkits are hard to track down and they have a nasty tendency to repair themselves if only partially removed. If it appears that you have a rootkit and Sophos does not work (the hackers work fast and it takes time for the good guys to catch up) your only resort is the forums and . Of course, you might have to format your HD and boot sector and re-install…
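
The boot-disk comparison described in the post above, as an added example that is not part of the original thread: it diffs two recursive listings of the same folder, one taken on the running system and one taken from a boot disk. It assumes both listings were saved with `dir /s /b /a`; the function names and the sample listings are constructed for illustration.

```python
# Added example: cross-view diff of two directory listings.
# Function names and the sample listings are constructed for illustration.

def load_listing(text, root):
    """Parse `dir /s /b /a` output into a set of paths relative to root."""
    root = root.lower().rstrip("\\") + "\\"
    paths = set()
    for line in text.splitlines():
        # Windows paths are case-insensitive, so compare case-folded.
        path = line.strip().lower().replace("/", "\\")
        if path.startswith(root):
            paths.add(path[len(root):])
    return paths

def cross_view(live_text, live_root, offline_text, offline_root):
    """Compare the running system's view with the boot-disk view."""
    live = load_listing(live_text, live_root)
    offline = load_listing(offline_text, offline_root)
    return {
        # On disk but invisible to the running OS: possible rootkit hiding.
        "hidden_from_live": sorted(offline - live),
        # Seen only while running: usually created after the offline listing.
        "only_in_live": sorted(live - offline),
    }

# Constructed sample: the boot disk mounted the Windows volume as D:.
LIVE = r"""
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\drivers\etc\hosts
"""
OFFLINE = r"""
D:\WINDOWS\System32\kernel32.dll
D:\WINDOWS\System32\notepad.exe
D:\WINDOWS\System32\instw32.exe
D:\WINDOWS\System32\drivers\etc\hosts
"""

if __name__ == "__main__":
    result = cross_view(LIVE, r"C:\WINDOWS\system32", OFFLINE, r"D:\WINDOWS\system32")
    for name in result["hidden_from_live"]:
        print("present offline, missing from live view:", name)
```

Files created or deleted between the two listings also show up in the diff, so take the listings as close together as possible.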

I think I found it located in System 32 and just erased it. It seemed it was registered to a company called Absolute Software (a legit company). I deleted it for the heck of it just to be safe as the company seems to make security chips for laptops (like lo jack I guess). So far no ill effects. It didn’t show up in a regular search actually. Will use the references you suggested AnotherOne to see if there is anything left or maybe I didn’t get it to begin with. Would really hate to reformat :frowning:

I emailed my reseller for Nod32 as per a suggestion on Wilders forums.

We’ll see what happens.

Virus Scan reports ESafe as the file being suspicious, Jotti calls everything safe.

Now to await the response of my reseller.

Will keep you informed.