# Solved: How to remove all traces of Kaspersky online scanner



## Veryfrustratedus (Dec 6, 2009)

A few weeks ago I started to get a rootkit warning from AVG scans. I've been through Malware removal and they can't find anything.

The file/s are C:\INSTB32.SYS and the same file in C:\Windows\Temp
Removing them does not remove them as they reappear on restart.

Since I can only find others with the same question as me online, and the answers they get are ambiguous, on the off chance I emailed Spybot S&D even though it wasn't alerting to the program.
Spybot said:
"The file is not bad.
INST32.SYS and INST32B.SYS occur often after installation of Kaspersky 8 
(initial or reinstallation of later variant) _and_ reinstallation of 
Broadcom Bluetooth connectivity software linked to a Motorola phone. 
Other people have reported the phenomenon involving Kaspersky. Thinkpad 
computers also contain these files."

I don't have Broadcom Bluetooth and I've never had Bluetooth turned on.
This file is new to me the last few weeks and I am pretty sure I downloaded Kaspersky after I got it but just on the off chance I want to remove Kaspersky completely to be sure.
I've removed ESET online scanner, and all bluetooth items. 
EDIT
I am having troubles with logins on this site. Often I get logged in and when I go to another page I'm no longer logged in? I haven't changed anything. Also links on the front page of the forum don't work when I log in, I get sent to another page telling me I'm not logged in and asking me to login again. I just went through 5 pages on this site and when I came back to this post to edit I was logged out again.

I don't think it's harmless. The dearth of information online and the nature of what is there as well as my having such difficulty finding an answer that satisfies indicates to me this is something bad.

I want to remove the files from my machine permanently and prevent reinstallation.


----------



## Phantom010 (Mar 9, 2009)

Do you have *LoJack* for Laptops installed?

If you do, Lojack is calling home and checking to see if your laptop has been reported stolen.


----------



## Veryfrustratedus (Dec 6, 2009)

Please read the EDIT above if you've missed it 
? I never installed it or turned it on. I understand Best (WORST) Buy installs something when they get them. HijackThis does show that Absolute Software Corp rpcnet.exe is on the machine. But as I said I never turned it on.
I am the only owner and it's only been in the hands of one tech prior to replacing the mobo myself and then it just went to Toshiba repair depot in Kentucky to have the password problem fixed.
The file started showing up in scans a week or two after I got it back on 12-31-09.

Your suggestion is indicating to me what I feared somehow this machine has been hacked using an accepted "safe" program and is exporting information w/o my consent.


----------



## Phantom010 (Mar 9, 2009)

Please click *here* to download and install *version 2.0.2* of the *HijackThis Installer.*
Run it and select *Do a system scan and save a logfile*.

The log will be saved in Notepad. Copy and paste the log in your next post.

*Do not fix anything*
Run HijackThis again.

Click on *Open The Misc Tools section*.

Click on *Open Uninstall Manager...*

Click on *Save list...*

Save the text file to the desktop.

Copy and paste the log (from Notepad) in your next post.


----------



## Veryfrustratedus (Dec 6, 2009)

Hello Phantom, thank you.
The line O23 about Absolute in a previous HijackThis scan is missing. My other post was "Possible Keylogger?" in the Malware removal section.
Here is the requested scan I will get to the next part right now.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:32 AM, on 1/19/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\AutoAns.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6438 bytes

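The HijackThis log above is read by responders mostly for its O23 (services), O4 (run keys) and O20 (AppInit_DLLs) lines. The Python script below is an added example, not part of this thread and not HijackThis code: it parses those three line formats and attaches review flags to entries worth a second look (a service with no vendor string, such as the "Swupdtmr - Unknown owner" line, an image that lives outside the usual program directories, or an AppInit_DLLs entry, which loads into every process). The sample lines are copied from the log posted above; the directory prefix list and the flag rules are my own assumptions for illustration, not rules HijackThis itself applies, and a flag means "verify the vendor and file", not "malicious".

```python
import re
from dataclasses import dataclass, field

# Constructed sample: six lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
"""


@dataclass
class Entry:
    section: str                      # "O4", "O20", "O23", ...
    name: str                         # run-key value name, service display name, or section label
    owner: str                        # vendor string for O23 services, "" otherwise
    path: str                         # command line or image path exactly as HijackThis printed it
    flags: list[str] = field(default_factory=list)


# O23 - Service: <display> (<short>) - <vendor> - <image path>   (the "(short)" part is optional)
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
# O4 - <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<path>.+)$")
# Any other "Onn - label: value" line is kept generically so nothing is silently dropped.
GENERIC_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<rest>.*)$")

# Assumed list of locations where vendor software normally lives (hypothetical, tune per environment).
EXPECTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows",
                     "%programfiles%", "%systemroot%")


def parse_hjt(text: str) -> list[Entry]:
    """Turn HijackThis log text into Entry objects, in log order."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SERVICE_RE.match(line):
            entries.append(Entry("O23", m["name"], m["owner"], m["path"]))
        elif m := RUN_RE.match(line):
            entries.append(Entry("O4", m["name"], "", m["path"]))
        elif m := GENERIC_RE.match(line):
            label, _, value = m["rest"].partition(": ")
            entries.append(Entry(m["section"], label, "", value))
    return entries


def review(entries: list[Entry]) -> list[Entry]:
    """Attach review flags in place and return only the entries that received one."""
    for e in entries:
        if e.section == "O23" and e.owner.lower() == "unknown owner":
            e.flags.append("service has no vendor string")
        if e.section == "O20":
            e.flags.append("AppInit_DLLs loads into every process; confirm the DLL's vendor")
        if e.section in ("O4", "O20", "O23"):
            # Drop surrounding quotes and compare case-insensitively; Windows paths are not case-sensitive.
            image = e.path.strip().strip('"').lower()
            if not image.startswith(EXPECTED_PREFIXES):
                e.flags.append("image outside the usual program directories")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in review(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section} {e.name!r}: {'; '.join(e.flags)}")
```

Run over the sample, it flags the O20 AppInit_DLLs line and the "Swupdtmr" service (no vendor, image under c:\TOSHIBA\IVP), while the AVG and Toshiba Bluetooth services pass; feeding it a full saved log instead of the sample gives the same short list a responder would otherwise pick out by eye.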

----------



## Veryfrustratedus (Dec 6, 2009)

Before I had the idea to post here this morning, I deleted ESET online scanner.
Next log for uninstall manager 

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Adobe Shockwave Player 11.5
Apple Application Support
Apple Software Update
Atheros Driver Installation Program
AVG 9.0
Bejeweled 2 Deluxe
Blackhawk Striker 2
Blasterball 3
Bluetooth Stack for Windows by Toshiba
CD/DVD Drive Acoustic Silencer
Desktop Dialer
Diner Dash - Flo on the Go
DVD MovieFactory for TOSHIBA
FATE
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java(TM) SE Runtime Environment 6
Mah Jong Quest
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2000 SR-1 Professional
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.5.7)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
oggcodecs 0.71.0946
Penguins!
Picasa 2
Polar Bowler
Polar Golfer
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Game Console
TOSHIBA Hardware Setup
TOSHIBA Music
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
WinDVD for TOSHIBA
WinZip 14.0


----------



## Phantom010 (Mar 9, 2009)

Really looks like you've managed to remove Absolute Software/LoJack without too much trouble. If you had indeed run the program, it would have been a different story...

The INSTB32.SYS prompt doesn't mean it really was reporting home. Kaspersky/AVG might have detected it in the program itself. The .SYS extension is related to a driver, possibly the one for LoJack.

Do you still get the security alert about INSTB32.SYS?


----------



## Veryfrustratedus (Dec 6, 2009)

"C:\WINDOWS\TEMP\INSTB32.SYS";"Hidden driver"
"c:\INSTB32.SYS";"Hidden driver"
That's a copy/paste from the AVG scanner.
I haven't restarted since I removed ESET. AVG has been scanning on schedule for about an hour. I'll remove them again and see if they come back when the scan is done.
I'm still paranoid that no one seems to know what these things are with any specificity. Even Spybot gave multiple possibilities.

EDIT
I didn't try to remove Absolute Software Corp. It's gone on its own.


----------



## Phantom010 (Mar 9, 2009)

I really do think they are from Absolute Software/LoJack. You did have the software on your computer. IMHO, the files are not malicious.

You could try *Autoruns*. There's a Drivers tab which will show you all drivers loading with Windows. You'll be able to disable or delete that driver if it shows.


----------



## Veryfrustratedus (Dec 6, 2009)

Are the drivers I check in Autoruns permanently off, or do I have to shut them off on each startup?


----------



## Phantom010 (Mar 9, 2009)

Veryfrustratedus said:


> are the drivers I check in autoruns permanently off or do I have to shut them off on each startup


If you uncheck a driver, it will be permanent until you decide to recheck it.


----------



## Veryfrustratedus (Dec 6, 2009)

Thank You

I'll leave this open for a bit until I know what happens with the removal.


----------



## Phantom010 (Mar 9, 2009)

Can you see the driver in Autoruns?


----------



## Veryfrustratedus (Dec 6, 2009)

Sorry been away doing other stuff.
No, I didn't see them in there, but I shut off several remote access labeled programs.
The scan is done. I'm going to remove the items and restart, and I'll come back later; I have more errands.

Thank You


----------



## Veryfrustratedus (Dec 6, 2009)

Restarted and surfed to a page or two then ran rootkit scanner.
It picked up the items almost immediately. I have to go do stuff; I'll check in later.
Thanks for the help.


----------



## Phantom010 (Mar 9, 2009)

> The specific laptop you have has our Computrace agent in the BIOS which means, once you have successfully installed Lojack on that machine, the agent in the BIOS gets activated. Once the agent has been activated, in the event you or the thief decides to reformat, replace your hard drive or even perform an OS reinstallation, the Computrace agent in the BIOS will automatically reinstall LoJack back into the OS.





> It embeds itself in the BIOS. Formatting or replacing the HD won't remove the protection. I think the Lojack website sometimes doesn't immediately update the call-in verification. Give it a little more time. This from Lojack:
> 
> Once the BIOS agent is active, you will not need to reinstall LoJack for Laptops even if you do a system restore, hard drive format or a hard drive replacement. *The only way to disable this feature would be to replace the entire Motherboard or remove LoJack for Laptops via our website by performing a Remove or Transfer. This will remove LoJack for Laptops and send a signal to turn off the BIOS agent on the computer which it was installed on.*


http://forum.notebookreview.com/showthread.php?t=221567


----------



## Veryfrustratedus (Dec 6, 2009)

Hi again, I just noticed that when I set items in the options in FF they don't remain permanent. When I open a new window and look at options they are all back to what they were.
Clear recent history is greyed out.
I think this is all related to this hidden driver.
I think I forgot to mention that the first time AVG alerted was after I had been watching Futurama at watchxonlineDOTcom. It has been there since.
I went back to that site today and now it hijacks my FF browser and reroutes it, and when I go back it reroutes it again. I'm pretty sure this is malware. It just doesn't make sense that something legit is so hard to find on the machine or to find anything about it.
I


----------



## Phantom010 (Mar 9, 2009)

If you really think your computer is infected, please click on the *Report* button and kindly ask to be moved to the *Malware Removal & HijackThis Logs* forum. From there, be patient. You should get an answer within the next 48 hours. These guys are really busy!


----------



## Veryfrustratedus (Dec 6, 2009)

I think I mentioned that I had already been to that forum and dvk01 didn't find anything. "Possible Keylogger?" is the thread.
I just discovered that my Flash Player settings manager isn't staying as I set it either. I've also started getting a lot of popups after I increased the level in IE, which should have eliminated all of them. I've given up on FF until I figure out what's up. I did change the settings on a lot of ActiveX to ask or don't allow; I thought I was increasing security but apparently something is letting them through.
I do think this may be meant to be a lojack, or at least look like one, but I believe it is being used to gain illegitimate access to my computer to make it a bot or to use "excess" processor speed for a gamer.

I just want you to know I appreciate all the effort and time you've put into this. I think I also mentioned that Toshiba is going to have someone contact me about this. 

Thank You


----------



## Phantom010 (Mar 9, 2009)

Since LoJack has been initially installed by Toshiba, I think they're best suited to address your concerns.


----------



## Veryfrustratedus (Dec 6, 2009)

Hi again,
OK, Toshiba denies loading anything and sidesteps my question about whether it was installed at manufacture by offering to have me send it back to them. It is out of warranty. $Ca-ching$ I suspect they activated it when they reset my BIOS password. Deciding whether or not intentionally is up to one's temperament and experience.
Anyway, as a test I completely erased the hard drive and reinstalled back to factory spec. An AVG scan turned up the same bugs, indicating to me that it is in the BIOS. I am also having the same CPU problem; it is running at 90-100% all the time, slowing everything down. My updates are having a heck of a time installing. To check what's what I tried diagnose and repair the connection and it stopped the CPU running at 100% for a few moments, then it was right back up. Which says to me something online is connecting to my machine.

So I'm frustrated and stuck I don't know how to identify, find, or stop this problem. All scans and malware help has indicated no problems. 
Could it be the mobo I got from ebay and installed? It gave me no trouble until I sent it to Toshiba for the recall password repair.

I'm hoping that updates is for some reason using the CPU so extensively even though I've not seen it do this before. At least now it's at 29 of 55.


----------



## Phantom010 (Mar 9, 2009)

> It embeds itself in the BIOS. Formatting or replacing the HD won't remove the protection. I think the Lojack website sometimes doesn't immediately update the call-in verification. Give it a little more time. This from Lojack:
> 
> Once the BIOS agent is active, you will not need to reinstall LoJack for Laptops even if you do a system restore, hard drive format or a hard drive replacement. *The only way to disable this feature would be to replace the entire Motherboard or remove LoJack for Laptops via our website by performing a Remove or Transfer. This will remove LoJack for Laptops and send a signal to turn off the BIOS agent on the computer which it was installed on.*


----------



## Veryfrustratedus (Dec 6, 2009)

Thx, 
I spoke to them by phone and was treated like a criminal. I didn't appreciate that. I may try again. Apparently I have to find three year old proof of purchase and mail it in before they will give me anything useful.

I knew that if it were a LoJack it would still be there after a wipe and install, but since I couldn't find any information that satisfied I figured it would be a good test to see if it were a virus. I guess now I know it's LoJack. That's more than I had.


----------



## Phantom010 (Mar 9, 2009)

They're not taking any chances in case you would be a computer thief trying to get information on how to remove the device...


----------



## Veryfrustratedus (Dec 6, 2009)

It feels like extortion. Even the Toshiba link to OEM installed products kicked back as invalid; I had to send an email to general info. The only thing that was consistent about their site was the constant selling of the product that is ruining my computer.
Hmmm, extortion sounds more and more like the tactic to me rather than security. I can't be the only one to have this problem; there should be info on how to handle it easily available. There are methods to help me w/o compromising anyone.


----------



## Veryfrustratedus (Dec 6, 2009)

I'm looking at Resource Monitor and I don't know what's normal. I have about a million instances of avgcrsvx.exe running; is that normal? My CPU is still running close to and at 100% all the time.


----------



## Veryfrustratedus (Dec 6, 2009)

I've gone back to my thread in Malware removal thank you for the help. I'll let you know what happens.

very frustrated user


----------



## Veryfrustratedus (Dec 6, 2009)

vinaya, thank you. That wasn't my issue. I was removing Kaspersky as part of the process of elimination to narrow down the source of my problem.
Very Frustrated User


----------

