AVG Trojan Generic9.AVLZ

[tpolcha]

AVG identifies a threat Generic9.AVLZ that I cannot remove. 
Its path says C:\Program Files\Kaspersky Lab\ Kaspersky Internet Security 6.0\avp.exe

History: 2 years ago I tried a trial Kaspersky A/V offer.  I couldn't delete it on my own.  I solicited Kaspersky and they issued me an uninstall tool.  Kaspersky was always still in the background; how I know it is, avp.exe always showed up in the 'Task Manager'.  That being said, since then there has not been a problem, I also didn't know I should worry about it.

AVG now acknowledges the Trojan Generic9.AVLZ, I cannot remove it.  Threatfire once acknowledged it also.

Step 3 SAV conducted and no log to report.

Step 4 Dr Cureit conducted and no log to report.

Step 5 Eset Nod32 conducted and the same, no log to report.

Step 6 Java needs complied with.

Step 7.  HJT log.  Entry item 4 & 23   

I've tried using Window's Explorer to remove all Kaspersky files.  avp.exe doesn't show up in the task manager anymore but all the Kas files I find in Windows Explorer Kaspersky folders still refuse to be deleted. 
     
I hope that was clear and not confusing.  Thanks, Tom

[file cleanup - saving space - attachment deleted by admin]

[Broni]

Disable TeaTimer, as it'll interfere with the cleaning process:
Right click Spybot's TeaTimer System Tray Icon.
Click Exit Spybot-S&D Resident.
TeaTimer closes.


Open HJT. Checkmark following items:
- O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
- O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe (file missing)
Click "Fix checked".
Close HJT.

Restart in Safe Mode.
Open Windows Explorer, and delete Kaspersky Lab folder from C:\Program Files

Restart in Normal Mode.
Post new HJT log

P. S. If the above didn't work, we'll use some other means to remove Kaspersky's leftovers.

[tpolcha]

Attempted suggested repairs with some problems:

I successfully exited Spybot S&D Resident.

I ran a new HiJack This scan... Entry 4 was already missing.  I didn't have to remove it.

Entry #23 would not remove (FIX) and remained there.

Restarted in safe mode, used Window's Explorer and successfully deleted the files in the Kaspersky 6.0 Lab folder.  Restarted PC.

Ran a new HiJack This scan and save log.  Entry 23 remains present.

Looks like I need some more help.  Thanks, Tom

 


[file cleanup - saving space - attachment deleted by admin]

[Broni]

That's fine...

Go Start>Run, type in:
services.msc
Click OK.
Services window will open.
Find:
Kaspersky Internet Security service.
If it's listed as Running, right click on it, click Stop
Right click again, click Properties, and under Startup type select Disable from drop-down menu.
Close window.

Go Start>Run, type in:
sc delete AVP (<---- watch for "spaces")
Click OK.

Restart computer.
Post new HJT log.

[tpolcha]

Sorry, it was still unsuccessful.

I found the Kaspersky entry in services.msc  It is listed as 'automatic'. 

In properties, startup type; the choices are automatic, manual and disable.  I immedialty get a dialogue box that informs me '!access is denied'.  Thats all.  Closed services.msc

I continued with next instruction anyway.

Restarted PC and attached new HJT log.

[file cleanup - saving space - attachment deleted by admin]

[Broni]

I immedialty get a dialogue box that informs me '!access is denied'.

Did you right click, and click Stop, first?
Without it, you can't change Startup type.

[tpolcha]

Yes I rt clicked the entry, I don't get the option or chioce to 'stop'.  I guess because it is not listed as running or it is deeply protected by something.

It is listed as 'automatic'.  I went into properties to try and disable it and that's when I'm being told I can't, that "access is denied".  It won't allow me to apply any changes and I have to cancel myself out of properties.

[Broni]

What is its status, listed in Status column?

[tpolcha]

It is a blank entry under the 'status' column.

It is not reporting a status.

[Broni]

OK, then...

Click Start>Run and type in:
regedit
Click OK.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Scroll down the left pane, locate AVP service, right click it and select Delete.
Reboot the system.

Post new HJT log.

[tpolcha]

Unsuccessful.

I followed the path, rt clicked AVP and selected delete.

Dialogue box states: "Can't delete AVP: Error while deleting key".

[Broni]

Try Safe Mode

[Broni]

Oh, disable TeaTimer!

[patio]

You could also DLoad install and run Stinger and AVG Anti-Spyware as well...

[tpolcha]

You did it Broni. 

Incidently, from the beginning when you first mentioned I should exit from Spybot resident, I was ensuring that from all instructions.

In safe mode, I was able to delete AVP from the registry, see HJT log. 

Again thanks.  What was it?  Is Generic9 an actual malicious infection?

Would AVG been able to take care of it the first time it recognized it if Tea Timer was never there?  As soon as AVG originally picked it up so did Tea Timer and of course my first reaction was to not allow a registry change attempt. 

I know one of you folks made a comment somewhere to their disatisfaction with Tea Timer before.  Your advice please.

And once again thank you.  As soon as I am re-employed, I owe you guy's--no bull I'll do it.



[file cleanup - saving space - attachment deleted by admin]