dpinstx86.exe

Driver Package Installer (DPInst)

SMSC

While the file properties state that the file was developed by 'Microsoft Corporation', this is not the case; it is designed just to look like a legitimate Microsoft system file. The executable dpinstx86.exe, “Driver Package Installer”, has been detected as malware by 30 anti-virus scanners. The file is most likely infected with the Neshta virus, a Russian virus that gathers system information and sends it to a remote command and control server.
Publisher:
Microsoft Corporation  (signed by SMSC)

Product:
Driver Package Installer (DPInst)

Description:
Driver Package Installer

Version:
2.1

MD5:
ef3854d65bd344121d8763a88e0f51a8

SHA-1:
7b965fb242ec5225922b413af8dfbd08258d6a20

SHA-256:
32d18f75fadf652843e3a7e27d73e2aad35ef3b588f4aece7735f192eb1b6e17

Scanner detections:
30 / 68

Status:
Malware

Explanation:
Infected with the direct-infection Neshta file infector virus.

Analysis date:
4/23/2024 10:21:18 AM UTC

Scan engine | Detection | Engine version
AhnLab V3 Security | Win32/Neshta | 2012.04.05
Avira AntiVirus | W32/Neshta.a | 7.11.27.24
avast! | Win32:Neshta | 2014.9-141125
AVG | Worm/Delf | 2015.0.3280
Bitdefender | Win32.Neshta.A | 1.0.20.1645
Clam AntiVirus | W32.Neshuta.A | 0.98/18155
Comodo Security | Win32.Neshta.A | 12000
Dr.Web | Win32.HLLP.Neshta | 9.0.1.0329
Emsisoft Anti-Malware | Virus.Win32.Neshta!IK | 8.14.11.25.09
ESET NOD32 | Win32/Neshta | 8.7031
Fortinet FortiGate | W32/Neshta.A | 11/25/2014
F-Prot | W32/HLLP.41472 | v6.4.6.5.141
F-Secure | Win32.Neshta.A | 11.2014-25-11_3
G Data | Win32.Neshta | 14.11.22
IKARUS anti.virus | Virus.Win32.Neshta | t3scan.1.1.118.0
K7 AntiVirus | Virus | 13.136.6595
Kaspersky | Virus.Win32.Neshta | 14.0.0.2893
McAfee | W32/HLLP.41472.e | 5600.6936
Microsoft Security Essentials |  | 1.163.1557.0
Norman | W32/Neshta.C | 11.20141125
nProtect | Virus/W32.Neshta | 12.04.05.01
Panda Antivirus | W32/Neshta.A | 14.11.25.09
Quick Heal | W32.Neshta.A | 11.14.12.00
Rising Antivirus | Win32.Netsha.a | 23.00.65.141123
Sophos | W32/Bloat-A | 4.73 TP
Trend Micro House Call | PE_NESHTA.A | 7.2.329
Trend Micro | PE_NESHTA.A | 10.465.25
Vba32 AntiVirus | Virus.Win32.Neshta.a | 3.12.16.4
VIPRE Antivirus | Virus.Win32.Neshta.a | 11755
ViRobot | Win32.Neshta.B | 2012.4.5.5025

File size:
774.7 KB (793,328 bytes)

Product version:
2.1

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
DPInst.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\x86\dpinstx86.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
10/22/2006 8:00:00 PM

Valid to:
11/1/2009 6:59:59 PM

Subject:
CN=SMSC, OU=SSG, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=SMSC, L=Hauppauge, S=NY, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
11A8E6364AA1F8858BFE04F4B11FB6E1

File PE Metadata
Compilation timestamp:
10/16/2006 7:47:22 PM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:f2BG1lkWPemh/CsOs5Un05pJg6fjlhFbLdG3sBtbIPjVXH+u8s5NwOPL66:uc19PtCsOsCn01g6L9aPM26OPV

Entry address:
0x213B9

Entry point:
E8, 2D, 3B, 00, 00, E9, 1A, FE, FF, FF, CC, CC, CC, CC, CC, 8B, FF, 55, 8B, EC, 5D, E9, F6, 01, 00, 00, CC, CC, CC, CC, CC, 8B, FF, 55, 8B, EC, 5D, E9, E5, FF, FF, FF, CC, CC, CC, CC, CC, 6A, 14, 68, C0, BB, 05, 01, E8, E8, 1B, 00, 00, 83, 65, FC, 00, FF, 4D, 10, 78, 3A, 8B, 4D, 08, 2B, 4D, 0C, 89, 4D, 08, FF, 55, 14, EB, ED, 8B, 45, EC, 89, 45, E4, 8B, 45, E4, 8B, 00, 89, 45, E0, 8B, 45, E0, 81, 38, 63, 73, 6D, E0, 74, 0B, C7, 45, DC, 00, 00, 00, 00, 8B, 45, DC, C3, E8, 41, 3B, 00, 00, 8B, 65, E8, C7, 45...
Entropy:
5.8697

Code size:
391 KB (400,384 bytes)
