Malware Wiki

KillAV.gcg



Trojan.Win32.KillAV.gcg, or KillAV.gcg, is the most common variant in the KillAV family. It terminates most known antivirus solutions, making it difficult to remove.

Payload

Download of External Content

First, the trojan attempts to download the following files from an external server.

kavbase.kdl
webav.kdl
vlns.kdl
mark.kdl
klavemu.kdl
kjim.kdl

Killing AVP service

The trojan then searches for the "avp" service. If the service is found, the trojan executes the following commands.

sc config avp start= disabled
cmd /c sc delete ekrn
taskkill.exe /im avp.exe /f

It will also kill the process completely with the following command.

taskkill.exe /f /t /im avp.exe

Killing Known Executables

The trojan then searches for the following executables and terminates them.

avp.exe
safeboxTray.exe
360Safebox.exe
360tray.exe
antiarp.exe
ekrn.exe
RsAgent.exe
mfeann.exe
egui.exe
RavMon.exe
RavMonD.exe
RavTask.exe
CCenter.exe
RavStub.exe
RsTray.exe
ScanFrm.exe
Rav.exe
AgentSvr.exe
CCenter.exe
QQDoctor.exe
McProxy.exe
mcshield.exe
rsnetsvr.exe
naPrdMgr.exe
MpfSrv.exe
MPSVC.exe
MPSVC1.exe
KISSvc.exe
KPfwSvc.exe
kmailmon.exe
KavStart.exe
engineserver.exe
KPFW32.exe
KVSrvXP.exe
ccSetMgr.exe
ccEvtMgr.exe
defwatch.exe
rtvscan.exe
ccapp.exe
vptray.exe
mcupdmgr.exe
mfevtps.exe
mcsysmon.exe
mcmscsvc.exe
mcnasvc.exe
mcagent.exe
vstskmgr.exe
FrameworkService.exe
mcshell.exe
mcinsupd.exe
bdagent.exe
livesrv.exe
vsserv.exe
xcommsvr.exe
ccSvcHst.exe
SHSTAT.exe
McTray.exe
udaterui.exe
KAVStart.exe
Uplive.exe
KWatch.exe
QQDoctorRtp.exe
DrUpdate.exe
rfwsrv.exe
RegGuide.exe
MPSVC2.exe
MPMon.exe
LiveUpdate360.exe
rssafety.exe
KABackReport.exe
KSWebShield.exe
360delays.exe
qutmserv.exe
kaccore.exe
360SoftMgrSvc.exe
360realpro.exe
DSMain.exe
360sd.exe
360rp.exe
ZhuDongFangYu.exe
360safe.exe

If 360rp.exe or ravmond.exe is detected

If either of these executables is detected, a sub-routine runs that terminates the following services:

360rp
rsravmon

If ekrn.exe is detected

If ekrn.exe is detected, the trojan runs the following command via the command prompt.

cmd /c sc delete ekrn
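Added example, not taken from this wiki page: a small Python detector that scans process-creation records for the sc and taskkill command shapes listed above and flags only those aimed at the AV services and processes this page names. The process and service name sets are a subset copied from the page; the "pid|image|commandline" record format (standing in for Sysmon or EDR process-creation telemetry) and the sample log lines are constructed.

```python
import re

# Process and service names taken from the page's kill list (subset).
AV_PROCESSES = {"avp.exe", "ekrn.exe", "egui.exe", "360tray.exe", "360sd.exe",
                "ravmond.exe", "mcshield.exe", "rtvscan.exe", "ccsvchst.exe"}
AV_SERVICES = {"avp", "ekrn", "360rp", "rsravmon"}

# The three command shapes the page describes.
SC_CONFIG = re.compile(r"\bsc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*disabled", re.I)
SC_DELETE = re.compile(r"\bsc(?:\.exe)?\s+delete\s+(\S+)", re.I)
TASKKILL = re.compile(r"\btaskkill(?:\.exe)?\b(.*)", re.I)

def classify(cmdline):
    """Return a finding tag for an AV-tampering command line, or None."""
    m = SC_CONFIG.search(cmdline)
    if m and m.group(1).lower() in AV_SERVICES:
        return "service_disabled:" + m.group(1).lower()
    m = SC_DELETE.search(cmdline)
    if m and m.group(1).lower() in AV_SERVICES:
        return "service_deleted:" + m.group(1).lower()
    m = TASKKILL.search(cmdline)
    if m:
        args = m.group(1)
        target = re.search(r"/im\s+(\S+)", args, re.I)
        forced = re.search(r"/f\b", args, re.I)   # /f = force, as on the page
        if target and forced and target.group(1).lower() in AV_PROCESSES:
            return "av_process_killed:" + target.group(1).lower()
    return None

def scan(records):
    """records: 'pid|image|commandline' strings (constructed format)."""
    findings = []
    for rec in records:
        pid, _image, cmdline = rec.split("|", 2)
        tag = classify(cmdline)
        if tag:
            findings.append((int(pid), tag))
    return findings

# Constructed sample: the page's commands plus two benign admin actions.
SAMPLE_LOG = [
    r"4012|C:\Windows\System32\sc.exe|sc config avp start= disabled",
    r"4013|C:\Windows\System32\cmd.exe|cmd /c sc delete ekrn",
    r"4014|C:\Windows\System32\taskkill.exe|taskkill.exe /im avp.exe /f",
    r"4015|C:\Windows\System32\taskkill.exe|taskkill.exe /f /t /im avp.exe",
    r"4016|C:\Windows\System32\taskkill.exe|taskkill.exe /im notepad.exe /f",
    r"4017|C:\Windows\System32\sc.exe|sc config Spooler start= disabled",
]
```

Running scan(SAMPLE_LOG) returns the four KillAV.gcg-style records and ignores the two ordinary admin commands, so the rule keys on the AV target rather than on sc or taskkill use alone.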
