FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY
Close
Support services
Scanners
Dr.Web vxCube
Trial
VCI investigations
Virus library
Knowledge base

Technologies

Terminology

Training and education

Myths

News

Trojan.KillProc2.25016

Added to the Dr.Web virus database: 2025-07-02

Virus description added:

Technical Information

Malicious functions
Terminates or attempts to terminate
the following system processes:
  • %WINDIR%\explorer.exe
  • <SYSTEM32>\taskhost.exe
  • <SYSTEM32>\dwm.exe
the following user processes:
  • iexplore.exe
  • firefox.exe
Modifies file system
Creates the following files
  • %WINDIR%y1s2fctrp3
  • %CommonProgramFiles%\microsoft shared\jxaglwti lpcu5ai3 sgu4m7oc .mpg.exe
  • %ProgramFiles%\dvd maker\shared\w6csjja14n1 w6csjja14n1 nom72kl .avi.exe
  • %ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\wpjwijv wep6b08 mzwpstr8n [bangbus] .mpeg.exe
  • %ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\gzn4ud7e gay mnho9y54 7vepaqjm titts .mpg.exe
  • %ProgramFiles%\microsoft office\office14\groove\xml files\space templates\porn [milf] ash sweet .avi.exe
  • %ProgramFiles%\microsoft office\templates\eq7k2xcxt nude mnho9y54 epyxwn feet .zip.exe
  • %ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\black 8ok6yf bd1l5ir uncut sgoibhh (sonja,jenna).mpeg.exe
  • %ProgramFiles%\windows journal\templates\f07qtt 8ok6yf h93bklf sgu4m7oc sweet .avi.exe
  • %ProgramFiles%\windows sidebar\shared gadgets\wep6b08 ddqayq [bangbus] mg9fvb2xk9 .mpeg.exe
  • %ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\f07qtt lpcu5ai3 uncut legs 40+ .avi.exe
  • %ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\gay porn 7vepaqjm .mpeg.exe
  • %ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\wpjwijv mnho9y54 xxx uncut lzxyhb7k (g6u8n4r,36mho73).avi.exe
  • %CommonProgramFiles(x86)%\microsoft shared\mnho9y54 ihthd33 ol6p1tua .mpeg.exe
  • %ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\gzn4ud7e sperm xxx [milf] .rar.exe
  • %ProgramFiles(x86)%\windows sidebar\shared gadgets\asian h93bklf bd1l5ir epyxwn .rar.exe
  • %ALLUSERSPROFILE%\microsoft\rac\temp\xxx [milf] legs (rdl1tfkz,sonja).mpg.exe
  • %ALLUSERSPROFILE%\microsoft\search\data\temp\4h1e2a346 nom72kl nom72kl boots .zip.exe
  • %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\jxaglwti nude horse sgu4m7oc 50+ .avi.exe
  • %ALLUSERSPROFILE%\microsoft\windows\templates\black nom72kl tsomq34 vjq39c1gwy 8bgkvshe1 .mpg.exe
  • %ALLUSERSPROFILE%\templates\gzn4ud7e 8ok6yf w6csjja14n1 l9hwcs7vvnphd9 fishy (dxocjwba,haj1oyikd).avi.exe
  • %ALLUSERSPROFILE%\microsoft\rac\temp\mnho9y54 mnho9y54 [free] ash .avi.exe
  • %ALLUSERSPROFILE%\microsoft\search\data\temp\0287zh 7nd83wovj porn 7vepaqjm zn3tvn .rar.exe
  • %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\z9z7rwe mnho9y54 mzwpstr8n vjq39c1gwy titts lady (sonja).zip.exe
  • %ALLUSERSPROFILE%\microsoft\windows\templates\horse l9hwcs7vvnphd9 legs .zip.exe
  • %ALLUSERSPROFILE%\templates\jxaglwti h93bklf xxx uncut .zip.exe
  • C:\users\default\appdata\local\microsoft\windows\<INETFILES>\eq7k2xcxt nude apv53deiq9fw .zip.exe
  • C:\users\default\appdata\local\temp\wep6b08 nude 7vepaqjm hole (36mho73,c4w8hqa).avi.exe
  • C:\users\default\appdata\local\<INETFILES>\wep6b08 mnho9y54 hot (!) zn3tvn (g6u8n4r,y8oxsqa).mpg.exe
  • C:\users\default\appdata\roaming\microsoft\windows\templates\zc8giv9 nude xxx vjq39c1gwy 779mipj .mpg.exe
  • C:\users\default\templates\z9z7rwe mnho9y54 l9hwcs7vvnphd9 (2hbt8wr).mpeg.exe
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\sperm cum vjq39c1gwy glans gsva2xn (karin).zip.exe
  • %TEMP%\gay wep6b08 [free] lady .mpeg.exe
  • %LOCALAPPDATA%\<INETFILES>\asian ddqayq uncut hole ol6p1tua (2hbt8wr,rdl1tfkz).mpg.exe
  • %LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\beast horse ihthd33 ash nmibe2 .mpeg.exe
  • %LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\4h1e2a346 w6csjja14n1 ddqayq l9hwcs7vvnphd9 boots (2hbt8wr).zip.exe
  • %LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\tsomq34 beast [free] qq6w54yfhtqrbwcslg .rar.exe
  • %APPDATA%\microsoft\templates\gzn4ud7e beast tsomq34 [milf] ol6p1tua .avi.exe
  • %APPDATA%\microsoft\windows\templates\horse nom72kl nom72kl hole gsva2xn (sarah).zip.exe
  • %APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\mnho9y54 7nd83wovj nom72kl boobs shoes .mpg.exe
  • %APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\7b6fhxi mzwpstr8n ihthd33 fishy .mpg.exe
  • %HOMEPATH%\templates\f1i7cm cum uncut .mpeg.exe
  • %WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\ ihthd33 legs (c4w8hqa).mpg.exe
  • %WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\f07qtt 8ok6yf girls (jenna).mpeg.exe
  • %WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\gzn4ud7e gay l9hwcs7vvnphd9 .rar.exe
  • %WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\z9z7rwe xakmpl epyxwn 6tl9zg0uqa .rar.exe
  • %WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\7nd83wovj [milf] ejn547rbxhd1 .mpg.exe
  • %WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\wpjwijv bd1l5ir xakmpl hot (!) (haj1oyikd,jenna).rar.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\0287zh cum vjq39c1gwy .rar.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\f1i7cm mzwpstr8n vjq39c1gwy ae2sd7u4xh (jade,cy4xpd).rar.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\s2fkave xxx xakmpl epyxwn b37oavmx289 (hyo87il,c4w8hqa).mpeg.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\s2fkave horse apv53deiq9fw .avi.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\8ok6yf [free] latex .avi.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\fac71w2 beast 7vepaqjm girly .zip.exe
  • %WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\wpjwijv horse big (2hbt8wr).mpg.exe
  • %WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\s2fkave yzw1afy nom72kl .mpg.exe
  • %WINDIR%\assembly\temp\mnho9y54 [milf] gsva2xn .zip.exe
  • %WINDIR%\assembly\tmp\z1qxwcd h93bklf 7nd83wovj uncut .rar.exe
  • %WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\mnho9y54 l9hwcs7vvnphd9 glans .zip.exe
  • %WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\4h1e2a346 yzw1afy bq4kno jxqgtp girly (sonja,dxocjwba).mpg.exe
  • %WINDIR%\pla\templates\gay apv53deiq9fw mg9fvb2xk9 (rdl1tfkz).mpeg.exe
  • %WINDIR%\security\templates\black tsomq34 h93bklf epyxwn .rar.exe
  • %WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\ddqayq nude nom72kl boobs .rar.exe
  • %WINDIR%\serviceprofiles\localservice\appdata\local\temp\8ok6yf mzwpstr8n hot (!) kfp2yqq .zip.exe
  • %WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\ [bangbus] .avi.exe
  • %WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\xakmpl sgu4m7oc .rar.exe
  • %WINDIR%\serviceprofiles\networkservice\appdata\local\temp\ddqayq sgu4m7oc titts (liz,sarah).mpeg.exe
  • %WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\ikdyfwhy w6csjja14n1 big glans .avi.exe
  • %WINDIR%\syswow64\config\systemprofile\4h1e2a346 nude horse [bangbus] zmc8ujp .zip.exe
  • %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\eq7k2xcxt xxx ihthd33 hole .mpg.exe
  • %WINDIR%\syswow64\fxstmp\4h1e2a346 xxx epyxwn zn3tvn .mpeg.exe
  • %WINDIR%\syswow64\ime\shared\gzn4ud7e sperm ihthd33 qq6w54yfhtqrbwcslg (36mho73,liz).rar.exe
  • %WINDIR%\syswow64\config\systemprofile\ sgu4m7oc .mpg.exe
  • %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\beast w6csjja14n1 epyxwn (karin).mpeg.exe
  • %WINDIR%\syswow64\fxstmp\f1i7cm yzw1afy girls .rar.exe
  • %WINDIR%\syswow64\ime\shared\upfgetx nude l9hwcs7vvnphd9 boots .mpeg.exe
  • %WINDIR%\temp\zc8giv9 xxx xxx nom72kl .mpeg.exe
  • %WINDIR%\winsxs\installtemp\tsomq34 girls zn3tvn .rar.exe
  • <Current directory>\sqjaed7r1vnw
  • %CommonProgramFiles%\microsoft shared\fac71w2 xakmpl uncut hotel .avi.exe
  • %ProgramFiles%\dvd maker\shared\ikdyfwhy tsomq34 vjq39c1gwy .mpg.exe
  • %ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\upfgetx horse hot (!) (hyo87il,rdl1tfkz).avi.exe
  • %ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\0287zh sperm vjq39c1gwy (rdl1tfkz,g6u8n4r).mpeg.exe
Miscellaneous
Searches for the following windows
  • ClassName: 'Progman' WindowName: ''
  • ClassName: 'Proxy Desktop' WindowName: ''
Restarts the analyzed sample
Executes the following
  • '%WINDIR%\explorer.exe'

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

 

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

 

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

 

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play