Solved: How to remove all traces of Kaspersky online scanner
Veryfrustratedus (thread starter), 19-Jan-2010, 12:09 PM, #1
A few weeks ago I started to get a rootkit warning from AVG scans. I've been through Malware Removal and they can't find anything.

The file(s) are C:\INSTB32.SYS and the same file in C:\Windows\Temp.
Removing them does not remove them, as they reappear on restart.

Since I can only find others with the same question as me online, and the answers they get are ambiguous, on the off chance I emailed Spybot S&D, even though it wasn't alerting to the program.
Spybot said:
"The file is not bad.
INST32.SYS and INST32B.SYS occur often after installation of Kaspersky 8
(initial or reinstallation of later variant) _and_ reinstallation of
Broadcom Bluetooth connectivity software linked to a Motorola phone.
Other people have reported the phenomenon involving Kaspersky. Thinkpad
computers also contain these files."

I don't have Broadcom Bluetooth and I've never had Bluetooth turned on.
This file is new to me in the last few weeks, and I am pretty sure I downloaded Kaspersky after I got it, but just on the off chance I want to remove Kaspersky completely to be sure.
I've removed ESET online scanner and all Bluetooth items.
EDIT
I am having troubles with logins on this site. Often I get logged in, and when I go to another page I'm no longer logged in. I haven't changed anything. Also, links on the front page of the forum don't work when I log in; I get sent to another page telling me I'm not logged in and asking me to log in again. I just went through 5 pages on this site, and when I came back to this post to edit I was logged out again.

I don't think it's harmless. The dearth of information online, the nature of what is there, and my having such difficulty finding an answer that satisfies indicate to me that this is something bad.

I want to remove the files from my machine permanently and prevent reinstallation.

Last edited by Veryfrustratedus; 19-Jan-2010 at 12:19 PM.
Phantom010 (Trusted Advisor), 19-Jan-2010, 12:17 PM, #2
Do you have LoJack for Laptops installed?

If you do, Lojack is calling home and checking to see if your laptop has been reported stolen.
Veryfrustratedus (thread starter), 19-Jan-2010, 12:35 PM, #3
Please read the EDIT above if you've missed it.
? I never installed it or turned it on. I understand Best (WORST) Buy installs something when they get them. HijackThis does show that Absolute Software Corp rpcnet.exe is on the machine. But as I said, I never turned it on.
I am the only owner, and it's only been in the hands of one tech prior to replacing the mobo myself, and then it just went to the Toshiba repair depot in Kentucky to have the password problem fixed.
The file started showing up in scans a week or two after I got it back on 12-31-09.

Your suggestion is indicating to me what I feared: somehow this machine has been hacked using an accepted "safe" program and is exporting information w/o my consent.
Phantom010 (Trusted Advisor), 19-Jan-2010, 12:37 PM, #4
Please click here to download and install version 2.0.2 of the HijackThis Installer.

Run it and select Do a system scan and save a logfile.

The log will be saved in Notepad. Copy and paste the log in your next post.

Do not fix anything


Run HijackThis again.

Click on Open The Misc Tools section.

Click on Open Uninstall Manager...

Click on Save list...

Save the text file to the desktop.

Copy and paste the log (from Notepad) in your next post.
Veryfrustratedus (thread starter), 19-Jan-2010, 12:43 PM, #5
Hello Phantom, thank you.
The O23 line about Absolute in a previous HijackThis scan is missing. My other post was "Possible Keylogger?" in the Malware Removal section.
Here is the requested scan. I will get to the next part right now.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:32 AM, on 1/19/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\AutoAns.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6438 bytes
Veryfrustratedus (thread starter), 19-Jan-2010, 12:47 PM, #6
Before I had the idea to post here this morning, I deleted ESET online scanner.
Next, the log from the Uninstall Manager:

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Adobe Shockwave Player 11.5
Apple Application Support
Apple Software Update
Atheros Driver Installation Program
AVG 9.0
Bejeweled 2 Deluxe
Blackhawk Striker 2
Blasterball 3
Bluetooth Stack for Windows by Toshiba
CD/DVD Drive Acoustic Silencer
Desktop Dialer
Diner Dash - Flo on the Go
DVD MovieFactory for TOSHIBA
FATE
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java(TM) SE Runtime Environment 6
Mah Jong Quest
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2000 SR-1 Professional
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.5.7)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
oggcodecs 0.71.0946
Penguins!
Picasa 2
Polar Bowler
Polar Golfer
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Game Console
TOSHIBA Hardware Setup
TOSHIBA Music
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
WinDVD for TOSHIBA
WinZip 14.0
Phantom010 (Trusted Advisor), 19-Jan-2010, 01:02 PM, #7
Really looks like you've managed to remove Absolute Software/LoJack without too much trouble. If you had indeed run the program, it would have been a different story...

The INSTB32.SYS prompt doesn't mean it really was reporting home. Kaspersky/AVG might have detected it in the program itself. The .SYS extension is related to a driver, possibly the one for LoJack.

Do you still get the security alert about INSTB32.SYS?
Veryfrustratedus (thread starter), 19-Jan-2010, 01:07 PM, #8
"C:\WINDOWS\TEMP\INSTB32.SYS";"Hidden driver"
"c:\INSTB32.SYS";"Hidden driver"
That's a copy-paste from the AVG scanner.
I haven't restarted since I removed ESET. AVG has been scanning on schedule for about an hour. I'll remove them again and see if they come back when the scan is done.
I'm still paranoid that no one seems to know what these things are with any specificity. Even Spybot gave multiple possibilities.

EDIT
I didn't try to remove Absolute Software Corp. It's gone on its own.
Phantom010 (Trusted Advisor), 19-Jan-2010, 01:11 PM, #9
I really do think they are from Absolute Software/LoJack. You did have the software on your computer. IMHO, the files are not malicious.

You could try Autoruns. There's a Drivers tab which will show you all drivers loading with Windows. You'll be able to disable or delete that driver if it shows.
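Enumerating the same load points that the Autoruns Drivers tab reads, as an added PowerShell example that is not part of this thread and not Autoruns' own code. It assumes an elevated PowerShell 3.0 or later; the file names it looks for are the ones quoted in the thread, and the drive-root and Temp locations are the ones the poster reported.

```powershell
# Added example (not from this thread). Lists kernel and file-system driver
# services from the registry, the same load points Autoruns' Drivers tab reads,
# and flags entries worth a closer look. Run from an elevated PowerShell 3.0+.
$servicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$suspectNames = @('INSTB32.SYS', 'INST32.SYS', 'INST32B.SYS')   # names quoted in the thread
$driversDir   = Join-Path $env:SystemRoot 'System32\drivers'

$drivers = Get-ChildItem $servicesKey | ForEach-Object {
    $svc = Get-ItemProperty -LiteralPath $_.PSPath
    # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER
    if (($svc.Type -ne 1 -and $svc.Type -ne 2) -or -not $svc.ImagePath) { return }

    # Driver ImagePath values come in several spellings: "\??\C:\x.sys",
    # "\SystemRoot\System32\drivers\x.sys" or plain "System32\drivers\x.sys".
    $path = $svc.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

    $exists = Test-Path -LiteralPath $path
    # Catalog-signed Microsoft drivers can report NotSigned on older builds; treat
    # the signature column as a prompt to look closer, not as a verdict.
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }

    New-Object PSObject -Property @{
        Service   = $_.PSChildName
        Start     = $svc.Start          # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        Path      = $path
        Signature = $sig
        Flag      = ($suspectNames -contains (Split-Path $path -Leaf)) -or
                    ($path -notlike "$driversDir\*") -or ($sig -ne 'Valid')
    }
}

# Drivers that load from outside the normal drivers directory, are unsigned or
# missing on disk, or match the names from the thread.
$drivers | Where-Object { $_.Flag } | Sort-Object Start |
    Format-Table Service, Start, Signature, Path -AutoSize

# The thread's copies sat at C:\ and %SystemRoot%\Temp with no service pointing
# at them, so also list .sys files (hidden ones included) in those two places.
Get-ChildItem -Path 'C:\', (Join-Path $env:SystemRoot 'Temp') -Filter *.sys -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime, Attributes
```

A file that keeps coming back after deletion usually has a live service entry or another autostart recreating it, so the first table is the place to look for what writes it; the second list only shows the copies on disk.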
Veryfrustratedus (thread starter), 19-Jan-2010, 01:21 PM, #10
Are the drivers I check in Autoruns permanently off, or do I have to shut them off on each startup?
Phantom010 (Trusted Advisor), 19-Jan-2010, 01:27 PM, #11
Quote (originally posted by Veryfrustratedus):
    Are the drivers I check in Autoruns permanently off, or do I have to shut them off on each startup?
If you uncheck a driver, it will be permanent until you decide to recheck it.
Veryfrustratedus (thread starter), 19-Jan-2010, 01:31 PM, #12
Thank you.

I'll leave this open for a bit until I know what happens with the removal.
Phantom010 (Trusted Advisor), 19-Jan-2010, 01:32 PM, #13
Can you see the driver in Autoruns?
Veryfrustratedus (thread starter), 19-Jan-2010, 02:11 PM, #14
Sorry, I've been away doing other stuff.
No, I didn't see them in there, but I shut off several programs labeled as remote access.
The scan is done. I'm going to remove the items and restart, and I'll come back later; I have more errands.

Thank you.
Veryfrustratedus (thread starter), 19-Jan-2010, 02:23 PM, #15
Restarted and surfed to a page or two, then ran the rootkit scanner.
It picked up the items almost immediately. I have to go do stuff; I'll check in later.
Thanks for the help.