Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: J J on November 10, 2006, 04:50:20 PM

Title: can't remove virus
Post by: J J on November 10, 2006, 04:50:20 PM
I scanned my computer and it found 6 malware, all with the same infection: infection = Win32-Pskill-E[Tool]

4 were found in C:\System Volume Information\_restore
1 was found in C:\WINDOWS\RESTORE.INS\C:\DEMCUST\TOOLS\WIN32\PSKILL.EXE
1 was found in C:\WINDOWS\system\RESTORE.INS\C:\DEMCUST\TOOLS\WIN32\PSKILL.EXE

My operating system is Windows XP Home Edition.

If I try to delete it, the following error occurs: Error occurred during file deleting. There are no more files.

If I try to move it to the chest, the following error occurs: Error occurred during moving file to chest. There are no more files.

If I try to repair it, the following error occurs: Error occurred during file repair.

What should I do? Any help will be much appreciated.
Title: Re: can't remove virus
Post by: DavidR on November 10, 2006, 04:56:19 PM
Firstly, what files and what locations?
What is your operating system?

Secondly the important piece here is [Tool], based on the location of the infected files can you say if you installed this [Tool] ?

Thirdly, deletion isn't really a good first option (you have none left), 'first do no harm' don't delete, send virus to the chest and investigate.

Some of these problems may occur because the file is in use.
Title: Re: can't remove virus
Post by: Rick F on November 10, 2006, 05:20:15 PM
'System Restore' area is protected from anyone or any software gaining access to files stored there.  You'll need to temporarily disable System Restore to get rid of those files... reboot... then create new "restore points".  Once you've done that, all files stored in the 'System Restore' area are deleted -- including any malware. See below:

About System Restore:
Windows uses System Restore to restore files on your computer in case they become damaged. System Restore is enabled by default. Windows Me keeps the restore information in the _RESTORE folder. Windows XP stores this information in the System volume information folder. These folders are updated when the computer restarts. If the computer is infected with a virus, the virus could be backed up in these folders.
 
Repairing System Restore:
By default, Windows prevents System Restore from being modified by outside programs. Because of this, any repair attempts made by an AV (Anti-Virus) product will fail. To work around this, you must disable System Restore, and restart the computer. This will purge the contents of the _RESTORE or System volume information folder. You must then run a full system scan.
Title: Re: can't remove virus
Post by: J J on November 10, 2006, 05:24:45 PM
Cheers for the info, but can you tell me how to disable System Restore?
Title: Re: can't remove virus
Post by: oldman on November 10, 2006, 06:42:34 PM
Windows help files, a search on this forum or

http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

will show you how.

HTH and GL
Title: Re: can't remove virus
Post by: DavidR on November 10, 2006, 06:46:55 PM
These may be something to do with your system (PC) manufacturer. PsKill.exe is a utility used to kill processes; this has often been used to remove/kill stubborn processes. Some anti-virus tool kits come with this tool to kill a process prior to deleting the file; that process's .exe file can't be removed whilst the process is running. So, as I have already said, you need to identify what placed/installed the [Tool].

I also think your path is incorrect: C:\WINDOWS\system\RESTORE.INS\C:\DEMCUST\TOOLS\WIN32\PSKILL.EXE.

I believe it should be C:\WINDOWS\system\RESTORE.INS\C:\OEMCUST\TOOLS\WIN32\PSKILL.EXE
There are lots of hits on a search relating to OEMCUST\TOOLS\WIN32\PSKILL.EXE, and they look like tools installed by the OEM (Original Equipment Manufacturer) system builder. Who made/built your system?

As it is also related to RESTORE.INS, this could be something to do with the ability to restore your system back to how it was when it was built, using a recovery partition image.
Title: Re: can't remove virus
Post by: J J on November 11, 2006, 12:35:34 PM
I don't know what placed/installed the tool. How can I check? By manufacturer I guess you mean the make of the P.C.: Packard Bell.
Title: Re: can't remove virus
Post by: DavidR on November 11, 2006, 01:59:11 PM
Yes, Packard Bell is the OEM and you are the CUST(omer) that the path may relate to, so it is possible that they have a means of restoring your system to its factory default, which may include the pskill.exe tool. The fact that you can't delete things in this area would seem to support that this is somehow protected.

I have no way of telling if this is correct; that is something that you would need to check in your Packard Bell documentation.

The other strange thing is the path, C:\WINDOWS\system\RESTORE.INS\C:\OEMCUST\TOOLS\WIN32\PSKILL.EXE. restore.ins is usually associated with a file name with a file type, and anything after that would indicate it is an archive file. So again I suspect this may be a restore installation file containing lots of other files/tools to help in this restoration of your system, but that is all it is, supposition, as I know nothing about Packard Bell systems.

How big is the c:\windows\system\restore.ins file?
If you right click on it and select Properties, does it give any useful information?
You may need to show hidden files and folders to be able to do this, as it is in a system folder.
Title: Re: can't remove virus
Post by: J J on November 11, 2006, 04:17:09 PM
I can't check the size or properties because I can't move it to the chest. Although here's some information that might help:
I do have a floppy disk which restores the computer in case of system failure, and I have used it once.
Title: Re: can't remove virus
Post by: DavidR on November 11, 2006, 04:41:23 PM
Quote
I can't check the size or properties because I can't move it to the chest.

You don't need to move it to the chest; using Windows Explorer, navigate to the c:\windows\system\restore.ins file.

Well that floppy isn't large enough to do anything other than initiate the process, there has to be something on your system, probably a hidden partition with other things possibly in the restore.ins file.
Title: Re: can't remove virus
Post by: J J on November 11, 2006, 09:48:02 PM
I did a search on restore files and it found two, and yes, they were both infected. The following shows the information:

Name      In folder             Size      Type
Restore   C:\WINDOWS            1,695KB   Internet communication settings
Restore   C:\WINDOWS\restore    1,695KB   Internet communication settings

Both were modified on 7/5/2006 at 21:11.
Title: Re: can't remove virus
Post by: DavidR on November 11, 2006, 11:23:45 PM
They are very big, so they could well be used to restore your system, but why the same restore.ins is in more than one location is weird. I think Windows is screwing up the file type naming; whilst .ins might well be Internet communication settings, I strongly doubt that is what these files are.

What happened to the one in c:\windows\system? You are showing c:\windows\restore; I assume this is a typo?

Did you right click on the file and select Properties?
This usually returns more information than what you have given, which can be obtained in Explorer. However, it could simply be that the creator of the restore.ins file may not have included any additional information.

Unfortunately none of this gets to your problem with a detection: is it to be ignored or acted on? Yes, there are ways to get past the protection and delete the file, but that could ruin your day if you ever needed it. Personally I don't think you have a problem; because of its location I doubt it was installed maliciously, but I can't say that with any degree of certainty.

I think you are going to have to consult your system documentation or contact the retailer.
Title: Re: can't remove virus
Post by: chameleon on November 12, 2006, 05:56:41 AM
I have had the same problem with "PSKILL.EXE"----

I was just about to make a new post on it but thought I would keep it in this thread.

This is the message I get:

---

C:\WINDOWS\RESTORE.INS\C:\OEMCUST\TOOLS\WIN32\PSKILL.EXE [L] Win32:Pskill-E [Tool] (0)
During the file delete, error occurred: There are no more files
C:\WINDOWS\system\RESTORE.INS\C:\OEMCUST\TOOLS\WIN32\PSKILL.EXE [L] Win32:Pskill-E [Tool] (0)
During the file delete, error occurred: There are no more files

---

And I have had this problem for quite a while (at least since August). (I had switched System Restore off, but when I turn it on again, same problem.)

I ran TrendMicro scan and am going to do another scan with Symantec, but no other scans pick it up.

Please let us know if you find a solution.

Thanks.

(And sorry that I could not be of help)
Title: Re: can't remove virus
Post by: essexboy on November 12, 2006, 01:14:42 PM
PSKILL.EXE is a tool that can be used for good or bad, so if it is part of your OEM restore sector or a known tool that you use, then it can safely be added to the ignore list.
Title: Re: can't remove virus
Post by: J J on November 12, 2006, 02:15:34 PM
I've decided to ignore this problem because it hasn't seemed to have affected the P.C.
But thanks to everyone for their input. If anyone does have a good way of dealing with it, please post it in. Again, thanks for the help.

Title: Re: can't remove virus
Post by: DavidR on November 12, 2006, 02:28:50 PM
See this http://forum.avast.com/index.php?topic=24846.msg203549#msg203549 about excluding the file from scanning otherwise when you do an on-demand scan it will be detected again, interrupting the scan and waiting for your input. So you don't want to ignore as avast won't allow you to ignore, take action and exclude it from scans.
Title: Re: can't remove virus
Post by: J J on November 15, 2006, 01:04:29 PM
I've excluded them and it seems to have worked, because I did a quick scan and it worked. Hopefully it will also work when doing the other scans.

Anyways thanks for all the help.
Title: Re: can't remove virus
Post by: DavidR on November 15, 2006, 01:35:38 PM
Provided you have also added the exclusions to the Program Settings, Exclusions list (this covers the on-demand scans), then it should.
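
Added example, not part of the original thread and not avast code: a small Python parser for scan-report lines in the shape quoted earlier in the thread. It separates the container file on disk (RESTORE.INS) from the flagged file inside it and sorts each hit into the three cases the replies discuss. The action labels, the sample System Restore line and all function names are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Two report lines quoted in the thread, plus one constructed System Restore
# hit (the restore-point folder and file name are invented for illustration).
SAMPLE = r"""
C:\WINDOWS\RESTORE.INS\C:\OEMCUST\TOOLS\WIN32\PSKILL.EXE [L] Win32:Pskill-E [Tool] (0)
C:\WINDOWS\system\RESTORE.INS\C:\OEMCUST\TOOLS\WIN32\PSKILL.EXE [L] Win32:Pskill-E [Tool] (0)
C:\System Volume Information\_restore{EXAMPLE}\RP1\A0000001.exe [L] Win32:Pskill-E [Tool] (0)
"""

# Path, a one-letter flag whose meaning the thread does not give, detection
# name, category tag, and a trailing number in parentheses.
LINE = re.compile(r"^(?P<path>.+?) \[\w\] (?P<name>\S+) \[(?P<cat>\w+)\] \(\d+\)$")
# A backslash followed by a second drive letter marks where the scanner
# switched from the container file on disk to a path inside it.
NESTED = re.compile(r"\\(?=[A-Za-z]:\\)")

class Finding(NamedTuple):
    container: Optional[str]   # file on disk that holds the member, if any
    target: str                # flagged file (inner path when in a container)
    detection: str
    category: str

def parse_line(line: str) -> Optional[Finding]:
    m = LINE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    split = NESTED.search(path)
    if split:
        return Finding(path[:split.start()], path[split.end():], m["name"], m["cat"])
    return Finding(None, path, m["name"], m["cat"])

def triage(f: Finding) -> str:
    if f.container:
        # Member of a container file: delete/move attempts failed in the thread.
        return "archive-member: identify who installed the container, then exclude or keep"
    if "\\system volume information\\" in f.target.lower():
        return "system-restore: disable System Restore, reboot, rescan"
    return "plain-file: move to the chest and investigate"

def report(text: str = SAMPLE):
    return [(f, triage(f)) for f in map(parse_line, text.splitlines()) if f]

if __name__ == "__main__":
    for finding, action in report():
        print(finding.container or "-", "|", finding.target, "|", action)
```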