If your computer has not been protected with anti-virus software and has been infected with this malware, take the following actions to remove it:
- Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
- Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases.
The malicious library exports the "testall" function, which carries out the following actions.
If the "avp.exe" process is running on the system, the trojan tries to unload the following modules from the address space of this process:
kavbase.kdl webav.kdl vlns.kdl mark.kdl klavemu.kdl kjim.kdl
The trojan then disables automatic startup of the "avp" service by running the command:
sc config avp start= disabled
Then, using the "taskkill.exe" utility, it terminates the "avp.exe" process:
taskkill.exe /f /t /im avp.exe
The trojan then searches the system for the following processes:
avp.exe safeboxTray.exe 360Safebox.exe 360tray.exe antiarp.exe ekrn.exe RsAgent.exe mfeann.exe egui.exe RavMon.exe RavMonD.exe RavTask.exe CCenter.exe RavStub.exe RsTray.exe ScanFrm.exe Rav.exe AgentSvr.exe CCenter.exe QQDoctor.exe McProxy.exe mcshield.exe rsnetsvr.exe naPrdMgr.exe MpfSrv.exe MPSVC.exe MPSVC1.exe KISSvc.exe KPfwSvc.exe kmailmon.exe KavStart.exe engineserver.exe KPFW32.exe KVSrvXP.exe ccSetMgr.exe ccEvtMgr.exe defwatch.exe rtvscan.exe ccapp.exe vptray.exe mcupdmgr.exe mfevtps.exe mcsysmon.exe mcmscsvc.exe mcnasvc.exe mcagent.exe vstskmgr.exe FrameworkService.exe mcshell.exe mcinsupd.exe bdagent.exe livesrv.exe vsserv.exe xcommsvr.exe ccSvcHst.exe SHSTAT.exe McTray.exe udaterui.exe KAVStart.exe Uplive.exe KWatch.exe QQDoctorRtp.exe DrUpdate.exe rfwsrv.exe RegGuide.exe MPSVC2.exe MPMon.exe LiveUpdate360.exe rssafety.exe KABackReport.exe KSWebShield.exe 360delays.exe qutmserv.exe kaccore.exe 360SoftMgrSvc.exe 360realpro.exe DSMain.exe 360sd.exe 360rp.exe ZhuDongFangYu.exe 360safe.exe
If it finds the following processes:
the trojan stops and deletes the service:
If it finds the process "ekrn.exe", it deletes the "ekrn" service by running the command:
cmd /c sc delete ekrn
If it finds the "avp.exe" process, it runs the command:
cmd /c sc config avp start= disabled taskkill.exe /im avp.exe /f
It thereby disables automatic startup of the "avp" service and terminates the "avp.exe" process. The trojan then shuts down.
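The commands quoted above leave a recognisable trace in process-creation logs. The following detection sketch is an added example, not part of the original description; the event format, the parent image name and the finding labels are assumptions made for illustration.

```python
import re

# Service and image names come from the commands quoted in the description.
PROTECTED_SERVICES = {"avp", "ekrn"}
PROTECTED_IMAGES = {"avp.exe", "ekrn.exe"}

SC_RE = re.compile(r"\bsc(?:\.exe)?\s+(config|delete)\s+(\S+)(.*)", re.I)
DISABLED_RE = re.compile(r"\bstart=\s*disabled\b", re.I)
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b(.*)", re.I)
IM_RE = re.compile(r"/im\s+(\S+)", re.I)
FORCE_RE = re.compile(r"(?<!\S)/f\b", re.I)  # forced kill; does not match /fi


def classify(cmdline):
    """Return the set of tampering findings for one process command line."""
    findings = set()
    sc = SC_RE.search(cmdline)
    if sc and sc.group(2).strip('"').lower() in PROTECTED_SERVICES:
        service = sc.group(2).strip('"').lower()
        if sc.group(1).lower() == "delete":
            findings.add("service_deleted:" + service)
        elif DISABLED_RE.search(sc.group(3)):
            findings.add("service_disabled:" + service)
    kill = TASKKILL_RE.search(cmdline)
    if kill and FORCE_RE.search(kill.group(1)):
        for image in IM_RE.findall(kill.group(1)):
            image = image.strip('"').lower()
            if image in PROTECTED_IMAGES:
                findings.add("process_killed:" + image)
    return findings


def scan(events):
    """Map (parent_image, cmdline) events to (index, parent, finding) alerts."""
    return [(i, parent, f) for i, (parent, cmd) in enumerate(events)
            for f in sorted(classify(cmd))]


# Constructed process-creation events; the parent image name is hypothetical.
SAMPLE_EVENTS = [
    ("rundll32.exe", "sc config avp start= disabled"),
    ("rundll32.exe", "taskkill.exe /f /t /im avp.exe"),
    ("rundll32.exe", "cmd /c sc delete ekrn"),
    ("rundll32.exe", "cmd /c sc config avp start= disabled taskkill.exe /im avp.exe /f"),
    ("services.exe", "sc query avp"),
    ("explorer.exe", "taskkill /im notepad.exe /f"),
]

if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
```

Extend the two name sets with the security products deployed in your environment, and treat any alert whose parent is not the product's own updater or management agent as worth triage.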
A trojan program that carries out destructive actions on the user's computer. It is a Windows dynamic-link library (PE-DLL file). The file is 9728 bytes in size. It is written in C++.