FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY
Close
Support services
Scanners
Dr.Web vxCube
Trial
VCI investigations
Virus library
Knowledge base

Technologies

Terminology

Training and education

Myths

News

Trojan.KillProc2.24987

Added to the Dr.Web virus database: 2025-07-02

Virus description added:

Technical Information

Malicious functions
Terminates or attempts to terminate
the following system processes:
  • %WINDIR%\explorer.exe
  • <SYSTEM32>\taskhost.exe
  • <SYSTEM32>\dwm.exe
the following user processes:
  • iexplore.exe
  • firefox.exe
Modifies file system
Creates the following files
  • %WINDIR%y1s2fctrp3
  • %CommonProgramFiles%\microsoft shared\upfgetx bd1l5ir mzwpstr8n girls hairy .mpeg.exe
  • %ProgramFiles%\dvd maker\shared\8r3baiec cum mzwpstr8n hot (!) titts .zip.exe
  • %ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\mzwpstr8n l9hwcs7vvnphd9 .mpg.exe
  • %ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\yzw1afy apv53deiq9fw glans young .zip.exe
  • %ProgramFiles%\microsoft office\office14\groove\xml files\space templates\eq7k2xcxt porn nom72kl uncut 6tl9zg0uqa .mpg.exe
  • %ProgramFiles%\microsoft office\templates\f1i7cm nude lpcu5ai3 sgu4m7oc zmc8ujp .zip.exe
  • %ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\tsomq34 hot (!) .zip.exe
  • %ProgramFiles%\windows sidebar\shared gadgets\4h1e2a346 mzwpstr8n l9hwcs7vvnphd9 glans 8pfmdyy (liz).mpg.exe
  • %ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\beast ihthd33 (c4w8hqa).mpg.exe
  • %ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\gzn4ud7e 8ok6yf gay nom72kl nmibe2 .avi.exe
  • %ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\eq7k2xcxt horse [milf] hotel (jenna,dxocjwba).mpg.exe
  • %CommonProgramFiles(x86)%\microsoft shared\horse sgu4m7oc 8pfmdyy (hyo87il,jade).mpg.exe
  • %ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\gay sgu4m7oc feet (gina,karin).rar.exe
  • %ProgramFiles(x86)%\windows sidebar\shared gadgets\s2fkave horse gay [bangbus] feet ash (karin).avi.exe
  • %ALLUSERSPROFILE%\microsoft\rac\temp\yzw1afy uncut .rar.exe
  • %ALLUSERSPROFILE%\microsoft\search\data\temp\f1i7cm nude yzw1afy apv53deiq9fw js80j73 .mpg.exe
  • %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\black w6csjja14n1 tsomq34 bq4kno cock .mpeg.exe
  • %ALLUSERSPROFILE%\microsoft\windows\templates\f1i7cm 7nd83wovj tsomq34 uncut b37oavmx289 .mpeg.exe
  • %ALLUSERSPROFILE%\templates\8r3baiec wep6b08 horse [bangbus] cock .mpg.exe
  • %ALLUSERSPROFILE%\microsoft\rac\temp\s2fkave porn beast [milf] 8bgkvshe1 .zip.exe
  • %ALLUSERSPROFILE%\microsoft\search\data\temp\f07qtt horse lpcu5ai3 [milf] latex .zip.exe
  • %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\s2fkave cum mnho9y54 7vepaqjm feet (rdl1tfkz,g6u8n4r).rar.exe
  • %ALLUSERSPROFILE%\templates\porn l9hwcs7vvnphd9 cock zmc8ujp (2hbt8wr).zip.exe
  • C:\users\default\appdata\local\microsoft\windows\<INETFILES>\ girls girly (dehod0,y8oxsqa).avi.exe
  • C:\users\default\appdata\local\temp\beast [bangbus] titts rv0y8n .mpeg.exe
  • C:\users\default\appdata\local\<INETFILES>\f1i7cm ddqayq tsomq34 nom72kl titts wifey .rar.exe
  • C:\users\default\appdata\roaming\microsoft\windows\templates\eq7k2xcxt ddqayq tsomq34 girls cock gh5b6gd7wrv (karin).avi.exe
  • C:\users\default\templates\xxx [bangbus] balls .zip.exe
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\s2fkave 8ok6yf yzw1afy apv53deiq9fw balls (hyo87il,sarah).avi.exe
  • %TEMP%\ uncut hole .mpeg.exe
  • %LOCALAPPDATA%\<INETFILES>\xxx sgu4m7oc (cy4xpd).mpg.exe
  • %LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\8r3baiec h93bklf horse sgu4m7oc 779mipj .rar.exe
  • %LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\yzw1afy nom72kl titts (dehod0,2hbt8wr).rar.exe
  • %LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\black 8ok6yf epyxwn js80j73 .avi.exe
  • %APPDATA%\microsoft\templates\eq7k2xcxt bd1l5ir mnho9y54 apv53deiq9fw (2hbt8wr).avi.exe
  • %APPDATA%\microsoft\windows\templates\upfgetx wep6b08 gay girls young (haj1oyikd,g6u8n4r).mpg.exe
  • %APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\eq7k2xcxt wep6b08 l9hwcs7vvnphd9 .rar.exe
  • %HOMEPATH%\templates\8ok6yf lpcu5ai3 l9hwcs7vvnphd9 balls .avi.exe
  • %WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\eq7k2xcxt w6csjja14n1 mnho9y54 bq4kno feet qx2j1b5 (y8oxsqa).zip.exe
  • %WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\eq7k2xcxt h93bklf nom72kl hot (!) wifey (hyo87il,g6u8n4r).avi.exe
  • %WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\gay big (2hbt8wr).avi.exe
  • %WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\gzn4ud7e w6csjja14n1 xxx 7vepaqjm glans sgoibhh .zip.exe
  • %WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\sperm uncut feet .mpeg.exe
  • %WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\mnho9y54 nom72kl ash .zip.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\mzwpstr8n big hole .rar.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\f07qtt wep6b08 xxx l9hwcs7vvnphd9 qx2j1b5 (36mho73,g6u8n4r).mpg.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\upfgetx bd1l5ir sperm hot (!) titts .rar.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\horse [milf] (y8oxsqa).mpg.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\gay [milf] gsva2xn .avi.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\fac71w2 ddqayq tsomq34 sgu4m7oc cock .mpg.exe
  • %WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\gay [bangbus] glans .zip.exe
  • %WINDIR%\assembly\temp\mzwpstr8n epyxwn sweet .rar.exe
  • %WINDIR%\assembly\tmp\upfgetx horse tsomq34 big glans .mpg.exe
  • %WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\upfgetx wep6b08 sgu4m7oc glans girly .mpeg.exe
  • %WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\gzn4ud7e porn mnho9y54 [bangbus] (c4w8hqa).avi.exe
  • %WINDIR%\pla\templates\horse hot (!) balls .avi.exe
Miscellaneous
Searches for the following windows
  • ClassName: 'Progman' WindowName: ''
  • ClassName: 'Proxy Desktop' WindowName: ''
Restarts the analyzed sample
Executes the following
  • '%WINDIR%\explorer.exe'

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

 

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

 

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

 

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play