Malware Wiki

KillAV.ks

Trojan.Win32.KillAV.ks, or KillAV.ks, is a batch-file trojan that disables security software: it terminates the processes of common antivirus and firewall products and deletes the registry entries those products use to start, then reboots the machine so they stay down.

Payload

Once run, it looks for the following antivirus processes by image name and terminates any that are running:

nod32kui.exe
nod32krn.exe
avpcc.exe
avpm.exe
DRWEB32.EXE
nmain.exe
bdmcon.exe
bdnagent.exe
bdoesrv.exe
bdss.exe
DrWebScd.exe
mcagent.exe
mcshell.exe
mcvsshld.exe
mcuimgr.exe
mcupdui.exe

It also deletes the following values from [HKLM\Software\Microsoft\Windows\CurrentVersion\Run], so the corresponding products no longer start with Windows:

KAVPersonal50
kav
McLogLch_exe
nod32kui
DrWebScheduler
SpIDerMail
SpIDerNT
ccApp
osCheck
Outpost Firewall
OutpostFeedBack
Zone Labs Client
SmcService
BDMCon
BDOESRV
BDNewsAgent
avast!
APVXDWIN
AVG7_CC
AVGCtrl

It also deletes the following service and shell-extension registry keys. The list covers products from Kaspersky, McAfee, ESET (NOD32), Dr.Web, Symantec, Agnitum Outpost, Zone Labs, Sygate, BitDefender, avast!, Panda, AVG and Avira; with a service key gone, the service cannot be started at the next boot:

[HKLM\System\CurrentControlSet\Services\kavsvc]
[HKLM\System\CurrentControlSet\Services\AVP]
[HKLM\System\CurrentControlSet\Services\McLogManagerService]
[HKLM\System\CurrentControlSet\Services\mcmispupdmgr]
[HKLM\System\CurrentControlSet\Services\McNASvc]
[HKLM\System\CurrentControlSet\Services\McODS]
[HKLM\System\CurrentControlSet\Services\mcpromgr]
[HKLM\System\CurrentControlSet\Services\McRedirector]
[HKLM\System\CurrentControlSet\Services\McShield]
[HKLM\System\CurrentControlSet\Services\McSysmon]
[HKLM\System\CurrentControlSet\Services\mctskshd.exe]
[HKLM\System\CurrentControlSet\Services\mcusrmgr]
[HKLM\System\CurrentControlSet\Services\MpfService]
[HKLM\System\CurrentControlSet\Services\mfeavfk]
[HKLM\System\CurrentControlSet\Services\mfebopk]
[HKLM\System\CurrentControlSet\Services\mfesmfk]
[HKLM\System\CurrentControlSet\Services\MPFP]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\NOD32 Context Menu Shell Extension]
[HKLM\System\CurrentControlSet\Services\NOD32krn]
[HKLM\System\CurrentControlSet\Services\spidernt]
[HKLM\System\CurrentControlSet\Services\ccEvtMgr]
[HKLM\System\CurrentControlSet\Services\ccSetMgr]
[HKLM\System\CurrentControlSet\Services\navapsvc]
[HKLM\System\CurrentControlSet\Services\CLTNetCnService]
[HKLM\System\CurrentControlSet\Services\SymAppCore]
[HKLM\System\CurrentControlSet\Services\NPFMntor]
[HKLM\System\CurrentControlSet\Services\SNDSrvc]
[HKLM\System\CurrentControlSet\Services\SPBBCSvc]
[HKLM\System\CurrentControlSet\Services\OutpostFirewall]
[HKLM\System\CurrentControlSet\Services\vsmon]
[HKLM\System\CurrentControlSet\Services\SmcService]
[HKLM\System\CurrentControlSet\Services\bdss]
[HKLM\System\CurrentControlSet\Services\VSSERV]
[HKLM\System\CurrentControlSet\Services\XCOMM]
[HKLM\System\CurrentControlSet\Services\aswUpdSv]
[HKLM\System\CurrentControlSet\Services\avast! Antivirus]
[HKLM\System\CurrentControlSet\Services\PAVFIRES]
[HKLM\System\CurrentControlSet\Services\PAVFNSVR]
[HKLM\System\CurrentControlSet\Services\PavProt]
[HKLM\System\CurrentControlSet\Services\PavPrSrv]
[HKLM\System\CurrentControlSet\Services\PAVSRV]
[HKLM\System\CurrentControlSet\Services\PREVSRV]
[HKLM\System\CurrentControlSet\Services\PSIMSVC]
[HKLM\System\CurrentControlSet\Services\cpoint]
[HKLM\System\CurrentControlSet\Services\netflt]
[HKLM\System\CurrentControlSet\Services\PavProc]
[HKLM\System\CurrentControlSet\Services\Avg7Alrt]
[HKLM\System\CurrentControlSet\Services\Avg7UpdSvc]
[HKLM\SYSTEM\CurrentControlSet\Services\AntiVirService]
[HKLM\SYSTEM\CurrentControlSet\Services\avgntdw]

It then forces a restart. Because the autostart values and service keys are gone, none of the killed products comes back after the reboot, leaving the system without antivirus or firewall protection.
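As an added example (not the trojan's own code and not taken from the SecureList write-up), the following Python script statically triages a batch file for exactly this behaviour: it tokenizes each cmd.exe line, pulls out taskkill/tskill image names, reg delete targets under the Run key and the Services key, sc delete calls and a forced shutdown -r, then scores them against the indicator lists above. The embedded SAMPLE_BAT is a constructed mock-up written for this example; it is not the real KillAV.ks source, and SERVICE_NAMES is only a subset of the page's service list.

```python
# Added example (not the KillAV.ks sample itself): a static triage script that
# scans a Windows batch file for the behaviour the page describes. Indicator
# lists come from the page; SAMPLE_BAT is a constructed mock-up for testing.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Process images the trojan terminates (page list, lower-cased for matching).
KILLED_PROCESSES: Set[str] = {p.lower() for p in (
    "nod32kui.exe", "nod32krn.exe", "avpcc.exe", "avpm.exe", "DRWEB32.EXE", "nmain.exe",
    "bdmcon.exe", "bdnagent.exe", "bdoesrv.exe", "bdss.exe", "DrWebScd.exe", "mcagent.exe",
    "mcshell.exe", "mcvsshld.exe", "mcuimgr.exe", "mcupdui.exe")}
# Autostart values it removes from HKLM\...\CurrentVersion\Run (page list).
RUN_VALUES: Set[str] = {v.lower() for v in (
    "KAVPersonal50", "kav", "McLogLch_exe", "nod32kui", "DrWebScheduler", "SpIDerMail",
    "SpIDerNT", "ccApp", "osCheck", "Outpost Firewall", "OutpostFeedBack", "Zone Labs Client",
    "SmcService", "BDMCon", "BDOESRV", "BDNewsAgent", "avast!", "APVXDWIN", "AVG7_CC", "AVGCtrl")}
# Service keys it deletes (a subset of the page list; extend as needed).
SERVICE_NAMES: Set[str] = {s.lower() for s in (
    "kavsvc", "AVP", "McShield", "NOD32krn", "spidernt", "ccEvtMgr", "navapsvc", "OutpostFirewall",
    "vsmon", "SmcService", "bdss", "VSSERV", "aswUpdSv", "avast! Antivirus", "PAVSRV", "Avg7Alrt",
    "AntiVirService")}

RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
SERVICES_PREFIX = "hklm\\system\\currentcontrolset\\services\\"

# Constructed sample with KillAV-style behaviour; NOT the real trojan's source.
SAMPLE_BAT = r"""@echo off
rem constructed mock-up for the triage example
taskkill /f /im nod32krn.exe
taskkill /f /im avpm.exe
tskill mcagent
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v KAVPersonal50 /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Zone Labs Client" /f
reg delete "HKLM\System\CurrentControlSet\Services\McShield" /f
reg delete "HKLM\System\CurrentControlSet\Services\avast! Antivirus" /f
sc delete vsmon
shutdown -r -f -t 0
"""

_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line: str) -> List[str]:
    """Split one cmd.exe line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(line)]


def normalize_key(key: str) -> str:
    """Lower-case a registry path and fold the long hive name to HKLM."""
    k = key.strip().strip("\\").lower()
    return "hklm" + k[len("hkey_local_machine"):] if k.startswith("hkey_local_machine") else k


@dataclass
class Findings:
    killed_processes: Set[str] = field(default_factory=set)
    deleted_run_values: Set[str] = field(default_factory=set)
    deleted_services: Set[str] = field(default_factory=set)
    forced_reboot: bool = False


def analyze_batch(script: str) -> Findings:
    """Extract process kills, Run-value and service-key deletions, and forced reboots."""
    f = Findings()
    for raw in script.splitlines():
        toks = tokenize(raw.strip().lstrip("@"))
        if not toks:
            continue
        cmd, lower = toks[0].lower(), [t.lower() for t in toks]
        if cmd in ("rem", "echo") or cmd.startswith("::"):
            continue                                    # comments and echo lines
        if cmd == "taskkill":
            for i, t in enumerate(lower[:-1]):          # every "/im <image>" pair
                if t == "/im":
                    f.killed_processes.add(lower[i + 1])
        elif cmd == "tskill" and len(toks) > 1:
            f.killed_processes.add(lower[1] + ".exe")   # tskill takes the name without .exe
        elif cmd == "reg" and len(toks) > 2 and lower[1] == "delete":
            key = normalize_key(toks[2])
            value = lower[lower.index("/v") + 1] if "/v" in lower[:-1] else None
            if key == RUN_KEY and value is not None:
                f.deleted_run_values.add(value)
            elif key.startswith(SERVICES_PREFIX) and value is None:
                f.deleted_services.add(key[len(SERVICES_PREFIX):])
        elif cmd == "sc" and len(toks) > 2 and lower[1] in ("delete", "stop"):
            f.deleted_services.add(lower[2])
        elif cmd == "shutdown" and any(t in ("-r", "/r") for t in lower[1:]):
            f.forced_reboot = True
    return f


def classify(f: Findings) -> Dict[str, object]:
    """Score the findings against the page's indicators and return a verdict."""
    matched = {
        "processes": sorted(f.killed_processes & KILLED_PROCESSES),
        "run_values": sorted(f.deleted_run_values & RUN_VALUES),
        "services": sorted(f.deleted_services & SERVICE_NAMES),
    }
    hits = sum(len(v) for v in matched.values())
    verdict = "av-killer" if hits >= 3 else "suspicious" if hits else "clean"
    return {"verdict": verdict, "indicator_hits": hits, "forced_reboot": f.forced_reboot, **matched}


if __name__ == "__main__":
    print(classify(analyze_batch(SAMPLE_BAT)))
```

Run it as-is to classify the mock-up, or pass the contents of a suspect .bat to analyze_batch to triage a real file. The matcher is deliberately broader than the page's lists: any deletion of a Services subkey and any shutdown -r are recorded even when the name is not in the indicator sets, since the lists only show what this one variant touched.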

Sources

SecureList
