FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY ID
Close
Support services
Scanners
Dr.Web vxCube
Trial
Virus library
Knowledge base

Technologies

Terminology

Training and education

Myths

News

Trojan.KillProc2.29886

Added to the Dr.Web virus database: 2025-07-17

Virus description added:

Technical Information

Malicious functions
Terminates or attempts to terminate
the following system processes:
  • %WINDIR%\explorer.exe
  • <SYSTEM32>\taskhost.exe
  • <SYSTEM32>\dwm.exe
the following user processes:
  • iexplore.exe
  • firefox.exe
Modifies file system
Creates the following files
  • %WINDIR%y1s2fctrp3
  • %CommonProgramFiles%\microsoft shared\ nom72kl boots .rar.exe
  • %ProgramFiles%\dvd maker\shared\mnho9y54 vjq39c1gwy .zip.exe
  • %ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\yzw1afy girls b37oavmx289 .rar.exe
  • %ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\f07qtt ddqayq mzwpstr8n uncut ejn547rbxhd1 .mpeg.exe
  • %ProgramFiles%\microsoft office\office14\groove\xml files\space templates\black horse mzwpstr8n uncut qq6w54yfhtqrbwcslg .mpg.exe
  • %ProgramFiles%\microsoft office\templates\f07qtt nude mzwpstr8n apv53deiq9fw cock latex (karin).rar.exe
  • %ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\z9z7rwe nude beast 7vepaqjm 779mipj (sandy,karin).mpeg.exe
  • %ProgramFiles%\windows journal\templates\eq7k2xcxt wep6b08 beast [milf] titts lady .rar.exe
  • %ProgramFiles%\windows sidebar\shared gadgets\s2fkave h93bklf gay uncut .mpg.exe
  • %ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\8r3baiec wep6b08 tsomq34 uncut lzxyhb7k .avi.exe
  • %ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\tsomq34 apv53deiq9fw .rar.exe
  • %ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\ sgu4m7oc hotel .mpg.exe
  • %CommonProgramFiles(x86)%\microsoft shared\f07qtt cum horse nom72kl cock 50+ (2hbt8wr).avi.exe
  • %ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\fac71w2 porn horse sgu4m7oc cock ae2sd7u4xh .rar.exe
  • %ProgramFiles(x86)%\windows sidebar\shared gadgets\black w6csjja14n1 lpcu5ai3 big titts 8bgkvshe1 .rar.exe
  • %ALLUSERSPROFILE%\microsoft\rac\temp\f1i7cm horse sperm apv53deiq9fw titts .avi.exe
  • %ALLUSERSPROFILE%\microsoft\search\data\temp\beast girls hole (haj1oyikd,2hbt8wr).avi.exe
  • %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\s2fkave w6csjja14n1 mnho9y54 ihthd33 hole (hyo87il,g6u8n4r).mpeg.exe
  • %ALLUSERSPROFILE%\microsoft\windows\templates\ uncut .mpeg.exe
  • %ALLUSERSPROFILE%\templates\f1i7cm 8ok6yf uncut glans 50+ .mpg.exe
  • %ALLUSERSPROFILE%\microsoft\rac\temp\eq7k2xcxt porn hot (!) (g6u8n4r).zip.exe
  • %ALLUSERSPROFILE%\microsoft\search\data\temp\black wep6b08 mzwpstr8n ihthd33 gsva2xn .avi.exe
  • %ALLUSERSPROFILE%\microsoft\windows\templates\w6csjja14n1 yzw1afy 7vepaqjm sgoibhh (sandy,jade).mpg.exe
  • %ALLUSERSPROFILE%\templates\yzw1afy vjq39c1gwy (liz).mpeg.exe
  • C:\users\default\appdata\local\microsoft\windows\<INETFILES>\lpcu5ai3 big .zip.exe
  • C:\users\default\appdata\local\temp\ sgu4m7oc titts latex (sarah).rar.exe
  • C:\users\default\appdata\local\<INETFILES>\eq7k2xcxt nude horse nom72kl cock (rdl1tfkz,liz).mpeg.exe
  • C:\users\default\appdata\roaming\microsoft\windows\templates\s2fkave cum horse hot (!) cock .mpg.exe
  • C:\users\default\templates\black w6csjja14n1 nom72kl uncut (g6u8n4r).rar.exe
  • %LOCALAPPDATA%\microsoft\windows\<INETFILES>\f1i7cm porn l9hwcs7vvnphd9 young .avi.exe
  • %TEMP%\horse [bangbus] glans .zip.exe
  • %LOCALAPPDATA%\<INETFILES>\mnho9y54 nom72kl (sarah).mpeg.exe
  • %LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\eq7k2xcxt cum mnho9y54 big (2hbt8wr).zip.exe
  • %LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\tsomq34 [milf] titts (sonja,cy4xpd).mpg.exe
  • %LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\f1i7cm 8ok6yf sperm girls hole boots (jade).rar.exe
  • %APPDATA%\microsoft\templates\f1i7cm xakmpl xxx uncut zn3tvn .mpg.exe
  • %APPDATA%\microsoft\windows\templates\sperm 7vepaqjm cock boots (y8oxsqa).rar.exe
  • %APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\black xakmpl nom72kl 7vepaqjm glans lzxyhb7k .mpeg.exe
  • %APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\8r3baiec horse nom72kl vjq39c1gwy lzxyhb7k .mpeg.exe
  • %HOMEPATH%\templates\nom72kl apv53deiq9fw glans .avi.exe
  • %WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\8r3baiec porn nom72kl bq4kno glans ejn547rbxhd1 .rar.exe
  • %WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\nom72kl uncut glans .zip.exe
  • %WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\tsomq34 big titts .avi.exe
  • %WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\upfgetx 8ok6yf lpcu5ai3 nom72kl titts zn3tvn .rar.exe
  • %WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\upfgetx w6csjja14n1 horse ihthd33 glans boots .mpg.exe
  • %WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\sperm 7vepaqjm hole 6tl9zg0uqa .rar.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\eq7k2xcxt 8ok6yf lpcu5ai3 big .avi.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\mzwpstr8n l9hwcs7vvnphd9 ol6p1tua .avi.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\sperm girls feet young (liz).mpeg.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\s2fkave porn ihthd33 titts 50+ .mpg.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\black 7nd83wovj horse uncut boots (dehod0,2hbt8wr).avi.exe
  • %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\eq7k2xcxt xakmpl gay apv53deiq9fw feet girly .mpeg.exe
  • %WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\black bd1l5ir mzwpstr8n uncut qx2j1b5 (sandy,jade).zip.exe
  • %WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\yzw1afy girls feet hotel .rar.exe
  • %WINDIR%\assembly\temp\8r3baiec 8ok6yf xxx apv53deiq9fw .avi.exe
  • %WINDIR%\assembly\tmp\f07qtt w6csjja14n1 tsomq34 sgu4m7oc shoes .zip.exe
  • %WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\eq7k2xcxt h93bklf apv53deiq9fw glans js80j73 .mpeg.exe
  • %WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\ hot (!) 50+ (rdl1tfkz,y8oxsqa).avi.exe
  • %WINDIR%\pla\templates\ [free] zmc8ujp .avi.exe
  • %WINDIR%\security\templates\tsomq34 ihthd33 glans (haj1oyikd,jade).mpg.exe
  • %WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\gzn4ud7e nude gay apv53deiq9fw wifey .zip.exe
  • %WINDIR%\serviceprofiles\localservice\appdata\local\temp\f07qtt 8ok6yf mzwpstr8n [free] sm .avi.exe
  • %WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\sperm l9hwcs7vvnphd9 feet 779mipj (cy4xpd).mpg.exe
  • %WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\z9z7rwe ddqayq gay big cock .avi.exe
  • %WINDIR%\serviceprofiles\networkservice\appdata\local\temp\mzwpstr8n hot (!) glans (rdl1tfkz,dxocjwba).rar.exe
  • %WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\eq7k2xcxt horse sperm sgu4m7oc (liz).avi.exe
  • %WINDIR%\syswow64\config\systemprofile\mzwpstr8n nom72kl hole b37oavmx289 (jade).avi.exe
  • %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\beast hot (!) b37oavmx289 .mpg.exe
Miscellaneous
Searches for the following windows
  • ClassName: 'Progman' WindowName: ''
  • ClassName: 'Proxy Desktop' WindowName: ''
Restarts the analyzed sample
Executes the following
  • '%WINDIR%\explorer.exe'

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

 

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

 

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

 

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play