From Total Malware Info
It is a trojan program that performs destructive actions on a user's computer. It is a Windows DLL (PE-DLL file). Its size is 9,728 bytes. It is written in C++.
The malicious DLL exports a function called "testall", which implements the functionality described below.
If the process "avp.exe" is found on the infected system, the trojan attempts to unload the following modules from the address space of this process:
kavbase.kdl
webav.kdl
vlns.kdl
mark.kdl
klavemu.kdl
kjim.kdl
The trojan then disables automatic start of the "avp" service by running the command:
sc config avp start= disabled
Then the process "avp.exe" is terminated by using the system utility "taskkill.exe":
taskkill.exe /f/t/im avp.exe
Next, the trojan searches for and terminates the following processes:
avp.exe safeboxTray.exe 360Safebox.exe 360tray.exe antiarp.exe ekrn.exe RsAgent.exe mfeann.exe egui.exe RavMon.exe RavMonD.exe RavTask.exe CCenter.exe RavStub.exe RsTray.exe ScanFrm.exe Rav.exe AgentSvr.exe CCenter.exe QQDoctor.exe McProxy.exe mcshield.exe rsnetsvr.exe naPrdMgr.exe MpfSrv.exe MPSVC.exe MPSVC1.exe KISSvc.exe KPfwSvc.exe kmailmon.exe KavStart.exe engineserver.exe KPFW32.exe KVSrvXP.exe ccSetMgr.exe ccEvtMgr.exe defwatch.exe rtvscan.exe ccapp.exe vptray.exe mcupdmgr.exe mfevtps.exe mcsysmon.exe mcmscsvc.exe mcnasvc.exe mcagent.exe vstskmgr.exe FrameworkService.exe mcshell.exe mcinsupd.exe bdagent.exe livesrv.exe vsserv.exe xcommsvr.exe ccSvcHst.exe SHSTAT.exe McTray.exe udaterui.exe KAVStart.exe Uplive.exe KWatch.exe QQDoctorRtp.exe DrUpdate.exe rfwsrv.exe RegGuide.exe MPSVC2.exe MPMon.exe LiveUpdate360.exe rssafety.exe KABackReport.exe KSWebShield.exe 360delays.exe qutmserv.exe kaccore.exe 360SoftMgrSvc.exe 360realpro.exe DSMain.exe 360sd.exe 360rp.exe ZhuDongFangYu.exe 360safe.exe
In case of finding the processes:
the trojan stops and deletes the services:
If the process "ekrn.exe" is found, the trojan will delete the service "ekrn" by using the following command:
cmd /c sc delete ekrn
If the process "avp.exe" is found, the trojan will run the commands:
cmd /c sc config avp start= disabled
taskkill.exe /im avp.exe /f
Thus, the trojan disables automatic start of the "avp" service and terminates the "avp.exe" process.
After this, the trojan terminates.
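The behaviour described above leaves a recognisable trail in process-creation logs: one parent issuing several "sc" and "taskkill" commands against security products. The following detection sketch is an added example, not part of the original description; it assumes records of (parent PID, command line), and the function names, sample events and threshold are constructed for illustration.

```python
import re
import shlex

# Subset of the security-product process names listed on the page (lower-cased).
AV_IMAGES = {"avp.exe", "ekrn.exe", "egui.exe", "mcshield.exe", "ccsvchst.exe", "360tray.exe"}
AV_SERVICES = {"avp", "ekrn"}  # services the page says are disabled or deleted

def classify(cmdline):
    """Return (action, target) if the command tampers with an AV product, else None."""
    try:
        argv = [a.strip('"').lower() for a in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes: treat as unparseable
        return None
    if len(argv) > 2 and argv[0] in ("cmd", "cmd.exe") and argv[1] == "/c":
        argv = argv[2:]  # unwrap "cmd /c ..." as used on the page
    if not argv:
        return None
    exe = re.sub(r"\.exe$", "", argv[0].rsplit("\\", 1)[-1])
    args = argv[1:]
    if exe == "sc" and len(args) >= 2 and args[1] in AV_SERVICES:
        if args[0] == "delete":
            return ("service_deleted", args[1])
        # the page shows "start= disabled"; also accept it without the space
        if args[0] == "config" and re.search(r"start=\s*disabled", " ".join(args[2:])):
            return ("service_disabled", args[1])
    if exe == "taskkill":
        # switches may be run together, e.g. "/f/t/im" as quoted on the page
        switches = {s for a in args if a.startswith("/") for s in re.findall(r"/([a-z]+)", a)}
        hits = [a for a in args if a in AV_IMAGES]
        if "im" in switches and hits:
            return ("process_killed", hits[0])
    return None

def scan(events, threshold=2):
    """Report parent PIDs that performed >= threshold distinct tampering actions."""
    by_parent = {}
    for parent_pid, cmdline in events:
        finding = classify(cmdline)
        if finding:
            by_parent.setdefault(parent_pid, set()).add(finding)
    return {pid: sorted(f) for pid, f in by_parent.items() if len(f) >= threshold}

# Constructed (parent PID, command line) records; PID 4120 issues the commands quoted on the page.
EVENTS = [
    (4120, "sc config avp start= disabled"), (4120, "taskkill.exe /f/t/im avp.exe"),
    (4120, "cmd /c sc delete ekrn"), (4120, "taskkill.exe /im avp.exe /f"),
    (880, "taskkill.exe /im notepad.exe /f"), (912, "sc query avp"),
]
if __name__ == "__main__":
    print(scan(EVENTS))
```

Grouping by parent keeps a single administrative "sc" or "taskkill" call from raising an alert while still catching the burst of tampering actions the page describes.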
If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:
1. Delete the original trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).
2. Perform a full system scan with an antivirus with updated databases.