
Solved: How to remove all traces of Kaspersky online scanner

Discussion in 'General Security' started by Veryfrustratedus, Jan 19, 2010.

Thread Status:
Not open for further replies.
  1. Veryfrustratedus

    Veryfrustratedus Thread Starter

    Dec 6, 2009
    A few weeks ago I started to get a rootkit warning from AVG scans. I've been through Malware removal and they can't find anything.

    The file/s are C:\INSTB32.SYS and the same file in C:\Windows\Temp
    Removing them does not remove them as they reappear on restart.

    Since I can only find others with the same question as me online, and the answers they get are ambiguous, on the off chance I emailed Spybot S&D even though it wasn't alerting to the program.
    Spybot said:
    "The file is not bad.
    INST32.SYS and INST32B.SYS occur often after installation of Kaspersky 8
    (initial or reinstallation of later variant) _and_ reinstallation of
    Broadcom Bluetooth connectivity software linked to a Motorola phone.
    Other people have reported the phenomenon involving Kaspersky. Thinkpad
    computers also contain these files."

    I don't have Broadcom Bluetooth and I've never had Bluetooth turned on.
    This file is new to me in the last few weeks, and I am pretty sure I downloaded Kaspersky after I got it, but just on the off chance I want to remove Kaspersky completely to be sure.
    I've removed ESET online scanner and all Bluetooth items.
    I am having trouble with logins on this site. Often I get logged in and when I go to another page I'm no longer logged in. I haven't changed anything. Also, links on the front page of the forum don't work when I log in; I get sent to another page telling me I'm not logged in and asking me to log in again. I just went through 5 pages on this site and when I came back to this post to edit I was logged out again.

    I don't think it's harmless. The dearth of information online and the nature of what is there as well as my having such difficulty finding an answer that satisfies indicates to me this is something bad.

    I want to remove the files from my machine permanently and prevent reinstallation.
  2. Phantom010

    Phantom010 Trusted Advisor

    Mar 9, 2009
    Do you have LoJack for Laptops installed?

    If you do, LoJack is calling home and checking to see if your laptop has been reported stolen.
  3. Veryfrustratedus

    Veryfrustratedus Thread Starter

    Dec 6, 2009
    Please read the EDIT above if you've missed it.
    ? I never installed it or turned it on. I understand Best (WORST) Buy installs something when they get them. HijackThis does show that Absolute Software Corp rpcnet.exe is on the machine. But as I said, I never turned it on.
    I am the only owner and it's only been in the hands of one tech prior to replacing the mobo myself, and then it just went to the Toshiba repair depot in Kentucky to have the password problem fixed.
    The file started showing up in scans a week or two after I got it back on 12-31-09.

    Your suggestion is indicating to me what I feared: somehow this machine has been hacked using an accepted "safe" program and is exporting information w/o my consent.
  4. Phantom010

    Phantom010 Trusted Advisor

    Mar 9, 2009
    Please click here to download and install version 2.0.2 of the HijackThis Installer.

    Run it and select Do a system scan and save a logfile.

    The log will be saved in Notepad. Copy and paste the log in your next post.

    Do not fix anything.

    Run HijackThis again.

    Click on Open The Misc Tools section.

    Click on Open Uninstall Manager...

    Click on Save list...

    Save the text file to the desktop.

    Copy and paste the log (from Notepad) in your next post.
  5. Veryfrustratedus

    Veryfrustratedus Thread Starter

    Dec 6, 2009
    Hello Phantom, thank you.
    The O23 line about Absolute in a previous HijackThis scan is missing. My other post was "Possible Keylogger?" in the Malware Removal section.
    Here is the requested scan. I will get to the next part right now.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:40:32 AM, on 1/19/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18865)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ltmoh\ltmoh.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
    C:\Program Files\Toshiba\SmoothView\SmoothView.exe
    C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AVG\AVG9\avgui.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\AutoAns.exe
    C:\Program Files\Windows Mail\WinMail.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
    O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
    O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
    O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    End of file - 6438 bytes
  6. Veryfrustratedus

    Veryfrustratedus Thread Starter

    Dec 6, 2009
    Before I had the idea to post here this morning, I deleted ESET online scanner.
    Next, the log from the Uninstall Manager:

    Adobe AIR
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.2
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Software Update
    Atheros Driver Installation Program
    AVG 9.0
    Bejeweled 2 Deluxe
    Blackhawk Striker 2
    Blasterball 3
    Bluetooth Stack for Windows by Toshiba
    CD/DVD Drive Acoustic Silencer
    Desktop Dialer
    Diner Dash - Flo on the Go
    DVD MovieFactory for TOSHIBA
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Java(TM) SE Runtime Environment 6
    Mah Jong Quest
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office 2000 SR-1 Professional
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Mozilla Firefox (3.5.7)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    oggcodecs 0.71.0946
    Picasa 2
    Polar Bowler
    Polar Golfer
    Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
    Realtek High Definition Audio Driver
    Spybot - Search & Destroy
    Synaptics Pointing Device Driver
    Texas Instruments PCIxx21/x515/xx12 drivers.
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Disc Creator
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Game Console
    TOSHIBA Hardware Setup
    TOSHIBA Music
    Toshiba Registration
    TOSHIBA SD Memory Utilities
    TOSHIBA Software Modem
    TOSHIBA Software Upgrades
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    WinDVD for TOSHIBA
    WinZip 14.0
  7. Phantom010

    Phantom010 Trusted Advisor

    Mar 9, 2009
    Really looks like you've managed to remove Absolute Software/LoJack without too much trouble. If you had indeed run the program, it would have been a different story...

    The INSTB32.SYS prompt doesn't mean it really was reporting home. Kaspersky/AVG might have detected it in the program itself. The .SYS extension is related to a driver, possibly the one for LoJack.

    Do you still get the security alert about INSTB32.SYS?
  8. Veryfrustratedus

    Veryfrustratedus Thread Starter

    Dec 6, 2009
    "C:\WINDOWS\TEMP\INSTB32.SYS";"Hidden driver"
    "c:\INSTB32.SYS";"Hidden driver"
    That's a copy-paste from the AVG scanner.
    I haven't restarted since I removed ESET. AVG has been scanning on schedule for about an hour. I'll remove them again and see if they come back when the scan is done.
    I'm still paranoid that no one seems to know what these things are with any specificity. Even Spybot gave multiple possibilities.

    I didn't try to remove Absolute Software Corp. It's gone on its own.
  9. Phantom010

    Phantom010 Trusted Advisor

    Mar 9, 2009
    I really do think they are from Absolute Software/LoJack. You did have the software on your computer. IMHO, the files are not malicious.

    You could try Autoruns. There's a Drivers tab which will show you all drivers loading with Windows. You'll be able to disable or delete that driver if it shows.
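The Autoruns Drivers tab check suggested above, as an added PowerShell example (not something either poster wrote): it reads the same Services registry key Autoruns does, lists kernel drivers, and flags any whose binary lives in a drive root or a Temp folder, as C:\INSTB32.SYS and C:\Windows\Temp\INSTB32.SYS do in this thread, or whose file is missing or not validly signed. It assumes an elevated prompt on a modern Windows build; the function names are the example's own.

```powershell
# Added example, not from the thread: enumerate kernel and file-system drivers
# registered under the Services key (what Autoruns' Drivers tab reads) and flag
# any whose binary sits in a drive root or a Temp folder, as INSTB32.SYS does here,
# or whose file is missing or not validly signed. Run from an elevated prompt.

function Resolve-DriverPath {
    param([string]$ImagePath)
    # ImagePath comes in several shapes: "\??\C:\x.sys", "\SystemRoot\system32\drivers\x.sys",
    # "system32\drivers\x.sys" or a plain "C:\x.sys"; normalise them to a Win32 path.
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousDrivers {
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in $services) {
        $props = Get-ItemProperty -Path $svc.PSPath
        # Type 1 = kernel driver, 2 = file-system driver; skip user-mode services
        if (-not ($props.Type -eq 1 -or $props.Type -eq 2) -or -not $props.ImagePath) { continue }

        $path = Resolve-DriverPath $props.ImagePath
        $status = if (Test-Path -LiteralPath $path) {
            (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        } else { 'FileMissing' }

        # Drive-root or Temp locations are where this thread's driver keeps reappearing
        $oddLocation = ($path -match '(?i)^[A-Za-z]:\\[^\\]+\.sys$') -or ($path -match '(?i)\\temp\\')
        [pscustomobject]@{
            Service   = $svc.PSChildName
            Start     = $props.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath = $path
            Signature = $status
            Flagged   = $oddLocation -or ($status -ne 'Valid')
        }
    }
}

# Show only what merits a look. A driver a scanner labels "hidden" may have no Services
# key at all, so compare this list with Autoruns' Drivers tab or "driverquery /v".
Get-SuspiciousDrivers | Where-Object Flagged | Sort-Object Service | Format-Table -AutoSize
```

A legitimate vendor driver that is unsigned on an older system will also be flagged, so treat the list as a starting point for the Autoruns comparison, not a verdict.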
  10. Veryfrustratedus

    Veryfrustratedus Thread Starter

    Dec 6, 2009
    Are the drivers I uncheck in Autoruns permanently off, or do I have to shut them off on each startup?
  11. Phantom010

    Phantom010 Trusted Advisor

    Mar 9, 2009
    If you uncheck a driver, it will be permanent until you decide to recheck it.
  12. Veryfrustratedus

    Veryfrustratedus Thread Starter

    Dec 6, 2009
    Thank You

    I'll leave this open for a bit until I know what happens with the removal.
  13. Phantom010

    Phantom010 Trusted Advisor

    Mar 9, 2009
    Can you see the driver in Autoruns?
  14. Veryfrustratedus

    Veryfrustratedus Thread Starter

    Dec 6, 2009
    Sorry, I've been away doing other stuff.
    No, I didn't see them in there, but I shut off several programs labeled as remote access.
    The scan is done. I'm going to remove the items and restart, and I'll come back later; I have more errands.

    Thank You
  15. Veryfrustratedus

    Veryfrustratedus Thread Starter

    Dec 6, 2009
    Restarted and surfed to a page or two, then ran the rootkit scanner.
    It picked up the items almost immediately. I have to go do stuff; I'll check in later.
    Thanks for the help.

Short URL to this thread: https://techguy.org/895517