
PSKill on new computer

Discussion in 'Windows XP' started by miniB, 2004/05/01.

Thread Status:
Not open for further replies.
  1. 2004/05/01
    miniB

    miniB Inactive Thread Starter

    Joined:
    2003/03/21
    Messages:
    489
    Likes Received:
    0
    I would be grateful for advice on 'PSKill'. I was asked to help a friend who has just bought a computer with XP HE installed (I run XP also). She has McAfee Security Suite and when scanning the result shows 'unwanted program' PSKill but will not delete this. I found a few of the locations indicated this was in her System Restore points, which when cleaned was fine, but when another scan was complete it still had 2 entries for PSKill :confused: I ran Ad-aware and Spybot but neither finds this.

    I have searched with Google and discovered this is a process killer but can be used remotely (System Internal). As this is a new computer and she has not installed anything bar her printer/scanner, does anyone know how this is on her computer and is it safe to delete if I find the folder it resides in?

    According to McAfee results they cannot clean but advise delete or I can quarantine but I was totally unsure about this :eek:
     
  2. 2004/05/01
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    pskill

    miniB,

    I would follow the advice to delete the program. I would also make sure that a firewall is installed, such as the free zonealarm:
    http://grc.com/zonealarm.htm

    and tested by clicking "shields up" at:
    http://grc.com/
     
    Last edited: 2004/05/01


  4. 2004/05/01
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Post a HijackThis log so we can get a better look at it.

    The process probably needs to be killed then the run deleted.
     
  5. 2004/05/02
    miniB

    miniB Inactive Thread Starter

    Joined:
    2003/03/21
    Messages:
    489
    Likes Received:
    0
    Thank you for your replies and I would love to post a HijackThis log today but it was my friend's computer I was working with and unfortunately she lives a little from me so I will have to arrange a time to go back to her house.

    As she is new to computers I am not sure if I can instruct her to run this scan for me - I will try and see if she is confident to do this and e-mail the result to me as soon as possible.

    Sorry about this bit but I was so tired yesterday after working on her computer I didn't think of running HijackThis when I discovered this :eek:

    I will see if I can contact her today but if not I will try to arrange a time to call back and do this myself.
    Thanks again

    BTW I have subscribed to this thread but have not received the e-mail notification about the replies :confused: very nice new style on the board :)
     
    Last edited: 2004/05/02
  6. 2004/05/02
    miniB

    miniB Inactive Thread Starter

    Joined:
    2003/03/21
    Messages:
    489
    Likes Received:
    0
    She definitely has a firewall installed and I tested this at GRC for full stealth report but this was after I had made a few security changes in the OS services and disabled DCom in the registry - maybe the firewall was not totally stealth when she was first running the computer!
     
  7. 2004/05/02
    miniB

    miniB Inactive Thread Starter

    Joined:
    2003/03/21
    Messages:
    489
    Likes Received:
    0
    My friend has run HJT and this is the scan (note from the log she has installed to a temporary directory but I have advised her on running it from a permanent one on C before anything would be fixed)

    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
    C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Messenger\msmsgs.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\WINDOWS\slrundll.exe
    C:\Documents and Settings\FIONA M\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Internet
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE
    O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: BT Yahoo! Sidebar (HKLM)
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar (HKLM)
    O9 - Extra button: Privacy Bar (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://download.yahoo.com/dl/installs/bt/yregucfg.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\commonyinsthelper.dll
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DE1AB3AA-7910-4316-8872-6C016B3FF4BD}: NameServer = 213.1.119.98 213.1.119.97
     
  8. 2004/05/02
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Yep, it's also being run from inside a zipped file; that will work,
    but anything it fixes will be deleted when the zip is closed.
    Have them set their zip program up so it won't automatically open or unzip anything :)

    Where exactly is this unwanted program found, "PSKill"?

    I've briefly searched and saw a free tool w/same name from Sysinternals;
    have you come up with any info?

    This is odd; have them check the properties of it:
    C:\WINDOWS\slrundll.exe
    Possibly a Smart Link modem?

    I will look more later tonight; meanwhile I hope the others have some input.
     
  9. 2004/05/02
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    PSKill is a great tool for an admin and especially one who needs to work with remote systems. It allows you to stop a running process that otherwise is locked and can't be stopped. I've used it for years beginning with NT4.

    Available for download at www.sysinternals.com and written by a very smart and reputable software guy.

    However, if it is on a PC where the owner didn't download it then it's either a utility that some OEM ships with their systems to help with remote support or else it's a tool some bad guy has decided to use.

    If PSKill is running (you'll see it in services) then stop it and delete the pskill.exe file and you should be rid of all traces of the app.
     
    Newt,
    #8
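
The manual review carried out in the replies above (HijackThis running from an unzipped temp folder, the unexplained `C:\WINDOWS\slrundll.exe`, and the question of whether PsKill is present) can be expressed as a small triage script over a HijackThis log. This is an added example, not part of the original thread; the sample log is a constructed excerpt, and the allow-list and flagging rules are assumptions chosen for illustration.

```python
import ntpath
import re

# Constructed excerpt in the HijackThis layout shown in the thread (user name replaced).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\slrundll.exe
C:\Documents and Settings\USER\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\MCAGENT.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
WINDOWS_ROOT_OK = {"explorer.exe"}  # assumption: minimal allow-list for this example

def exe_path(cmd):  # reduce a Run value to its executable path (drop quotes, arguments)
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', cmd, re.I)
    return (m.group(1) or m.group(2)).strip() if m else cmd

def parse(log):
    """Return (running process paths, [(hive, value name, exe path)] for O4 lines)."""
    procs, runs, in_procs = [], [], False
    for line in map(str.strip, log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            procs.append(line)
        elif (m := O4_RE.match(line)):
            runs.append((m.group(1), m.group(2), exe_path(m.group(3))))
    return procs, runs

def review(procs, runs):
    """Heuristics only: return (path, reason) pairs that deserve a manual look."""
    findings = []
    for p in procs + [r[2] for r in runs]:
        folder, name = ntpath.split(p.lower())
        if "\\temp\\" in p.lower():
            findings.append((p, "runs from a temporary location"))
        if folder == r"c:\windows" and name not in WINDOWS_ROOT_OK:
            findings.append((p, "executable directly in the Windows folder"))
        if name == "pskill.exe":
            findings.append((p, "PsKill present: confirm who installed it"))
    return findings

if __name__ == "__main__":
    print(review(*parse(SAMPLE_LOG)))
```

A flagged path is a prompt to check the file's properties and origin, not a verdict; 8.3 short names such as `PROGRA~1` are compared as written because they cannot be expanded without the original disk.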
  10. 2004/05/03
    miniB

    miniB Inactive Thread Starter

    Joined:
    2003/03/21
    Messages:
    489
    Likes Received:
    0
    Thank you for your replies, I think we have managed to remove this now as my friend is a very new user of computers and would not even understand the way it works (a bit safer when this is not on her computer now). She was alarmed at the fact it was constantly showing in her scans with McAfee as unwanted. I will be checking her computer the next time I go to her house but to date everything is working without this being reported each time a scan is done. I am very unsure how she got it in the first place so feel happier it is not there in case it was used remotely by anyone!

    I think the slrundll may be part of the modem as I searched for this one with Google and it did seem to be something like this - she has a dial up internal modem but I wonder if this has anything to do with the fact that she ran the trial with AOL and has since changed to BT. I am not sure if this would be anything left from the way AOL dial??

    Thanks for the link in case she needs to re-install PSKill but as far as I know a newbie would be safer without this.

    I really appreciate all the help and advice on this matter even though it was not my own computer :)
     