System Restore (PSKILL-E)

Hi everyone,

avast! found the Pskill-E that another user mentioned.

I moved it to the Chest, turned off System Restore to remove all restore points (as the scan said the virus was in System Restore).

I still have system restore turned off–but latest scans still detect PSKILL-E, but when I move it to the Chest I receive an Error message that states No More Files.

?? Any ideas how I can totally remove this PSKILL problem?

What was the infected file name, and where was it found, for example (C:\windows\system32\infected-file-name.xxx)?

If it was still in the System Volume Information folder, did you reboot after disabling System Restore?

Hi.

I did not reboot immediately after disabling System Restore, but I have since then.

The infected file was in two locations, according to the Virus Chest:

C:\System Volume Information\_restore
C:\PMAIL\OEMCUST\TOOLS\WIN32

Well, the first should now be gone after disabling System Restore and rebooting. Since you didn’t give the infected file name (?) that I asked for, I can’t do a detailed search, so results are very sketchy.

I assume you have no program installed relating to that path C:\PMAIL\OEMCUST\TOOLS?
It is a very strange location to install programs, and a Google search for that path returns no hits; it is only when you search for c:\pmail that you start to get hits. Some relate to Pegasus Mail (I assume that you don’t have this), others to malware like trojan downloaders.

Since avast is able to detect this and, I presume, deal with it, there has to be another element restoring this malware. If you have ewido, then I suggest you do a scan from safe mode to try and find any other elements.

Ah! I do indeed have Pegasus Mail installed, though I never use it. I installed it some years ago and did not really like it.

The infected file names are: PSKILL.EXE and A0109512.EXE

The latter relates to the System Restore folder.

I will download and try the ewido tool now. Thank you. :)

Do a search for pskill.exe and there are a huge number of hits, some for a tool, PsKill.exe (Process Kill), from Sysinternals. If this is one and the same, I can’t see why it is in the Pegasus Mail folders.

A Google search for pskill remove also returns many hits; many of these relate to using pskill.exe as a tool to kill off a process that otherwise won’t shut down.

Let’s see what ewido turns up.