Elusive trojan

I had the following nasty incident last night:

After getting a bizarre message indicating that my firewall’s driver was tampered with, which crashed my Win98 PC, I rebooted and ran Adaware. As the latter was running, avast flashed a warning that a virus was found. The info given in the popup window was as follows:

File name: C:\WINDOWS\TEMP\AAWTMP\C1824652\324041\PSKILL.EXE

Malware name: Win32:Pskill-E [Tool]

Malware type: Other potentially dangerous program

VPS version: 0638-1, 09/22/2006

Opting to put the virus in the chest (and later to delete the virus) produced the message

Cannot process “C:\WINDOWS\TEMP.…\PSKILL.EXE” file

Thus I was left with no other option but to click “No action.” At the same time, attempting to run a boot time scan proved impossible as the respective option was greyed out in the relevant avast window. Is this something that the virus caused or is the boot time scan option unavailable for Win98?

Meanwhile, attempting to navigate to the purported location of the infected file got me only as far as C:\WINDOWS\TEMP\AAWTMP since the AAWTMP folder looks empty despite the fact that under Folder Options > View the “Show All Files” option is ticked.

Googling for PSKILL.EXE produced a lot of entries referring to a tool by Sysinternals whose executable is also named “PSKILL.EXE” and a single entry from McAfee recognizing my problem as a trojan (interestingly coded as ‘Egghead’) but offering no removal tool except for paying customers. Further googling unearthed an offer by auditmypc.com to right out all wrongs automatically, which proved to be a real dud. By then it was time to go to bed and entrust matters to the combined hands of this forum first thing in the morning, which I am just doing.

Any leads?

not on 98

I would suggest running a thorough scan, an online scan, and using something like A squared. A search of the forum will give you the link.

We know you have win 98 and adaware, anything else?

Which provider detected the trojan? I only ask because I had a similar message from the mail scanner when it apparently stopped an infected e-mail; the only course of action I had was “no action”. So I was thinking, IF you are always connected, the web shield may have picked something up and stopped it from downloading?? Only a thought.

http://www.sysinternals.com/Utilities/PsKill.html See this from Sysinternals in reference to their file pskill; it is benign if you got it from them.

The operative word is [Tool], and it can be used for good or evil; avast doesn’t know which. Now, if you installed the tool, no problem; some other programs have it for a legitimate purpose. I don’t know if adaware might use it to kill a process in order to deal with a malware infection.

Please use the forum search function; pskill [tool] has been discussed very recently. As you can see, there can be many reasons for having pskill.exe: http://forum.avast.com/index.php?topic=23676.0

Pskill, as far as I’m aware, is a standalone executable and isn’t installed as such, so deletion of the file should resolve the problem. However, that would no longer be available for whatever purpose it was intended.

The location, c:\windows\temp\ could well be where adaware does its work and once complete deletes the files so the unpacked and executed pskill.exe no longer exists in that location.