Pskill Sophos


Vannessa Rataj

Aug 4, 2024, 6:58:26 PM8/4/24
to camofetre
The Enterprise Console found pskill on a client computer in the folder shown below. I cannot find any information about what the tempThinClients folder may be. This is an HP desktop PC. Several users share this same PC, but only one user has this folder. A virus scan does not return anything. Would anyone have an idea what this is and how to get rid of it?

I'm not so sure about the path, but PsKill is a Microsoft tool; it is part of the PsTools collection of command-line tools (technet.microsoft.com/.../pstools.aspx). It is specifically for killing processes from the command line.


Clearly it's not malicious in itself, but sometimes this kind of tool can be bundled with malware to perform a task. In the case of the recent ransomware campaign, that was using another tool from the PsTools collection called PsExec.


If it was found on a developer's or super user's computer, then I would be less worried. If I found it on, say, my mother-in-law's computer, it's more likely to raise a few eyebrows, as I can't imagine her downloading such a tool, so did it come with some malware?


You can authorise the tool to be used if you're happy for the user to run it. I guess the bigger question here is how it got there and what the intent was. I would probably ask the user if they recall downloading it, why they might need it, etc. Can you find a reference in any web proxy logs, and do they have a user-agent string to possibly prove it came down individually through a browser? Do any other files have a similar timestamp, based on the first detection time by Sophos? You should be able to see the detection in the Application event log also.
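The triage steps suggested in the reply above (is it the real Sysinternals binary, did it come down through a browser, what else was written at the same time, and what does the Application event log say) can be run on the affected host from one PowerShell script. The following is an added example and is not part of the original thread; the file path and detection time are placeholders to be replaced with the values from the console, and the script does not assume a particular Sophos event provider name, so it filters the Application log by keyword as well as by provider.

```powershell
# Added example: triage a PsKill/PsTools detection on a Windows host.
# $Path and $DetectedAt are hypothetical placeholders; take the real values
# from the console detection record.
param(
    [string]$Path = 'C:\Users\someuser\tempThinClients\pskill.exe',  # hypothetical path
    [datetime]$DetectedAt = (Get-Date),                                # hypothetical time
    [int]$WindowMinutes = 30
)

# 1. Is it really the Sysinternals binary? Sysinternals tools are
#    Authenticode-signed by Microsoft; an unsigned or differently signed
#    pskill.exe is a bigger concern than the tool itself.
$sig = Get-AuthenticodeSignature -FilePath $Path
[pscustomobject]@{
    Path   = $Path
    Status = $sig.Status
    Signer = $sig.SignerCertificate.Subject
    SHA256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
} | Format-List

# 2. Did it come down through a browser? Browser downloads carry a
#    Zone.Identifier alternate data stream (mark of the web), which on recent
#    Windows versions often includes the source URL.
try {
    Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
} catch {
    'No Zone.Identifier stream: the file is not tagged as an Internet download.'
}

# 3. What else was written around the same time? Look one level above the
#    folder (here the user profile) for files created or modified within the
#    window around the detection time.
$from = $DetectedAt.AddMinutes(-$WindowMinutes)
$to   = $DetectedAt.AddMinutes($WindowMinutes)
$root = Split-Path -Path (Split-Path -Path $Path -Parent) -Parent
Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.CreationTime  -ge $from -and $_.CreationTime  -le $to) -or
        ($_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to)
    } |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Sort-Object CreationTime |
    Format-Table -AutoSize

# 4. Confirm the detection in the Application event log for the same window.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $from; EndTime = $to } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Sophos' -or $_.Message -match 'pskill' } |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-List
```

Run it as an administrator so that other users' profile folders are readable; the file-timestamp sweep is the part that usually answers "did it come with something else", since a dropper that unpacked PsTools alongside its own payload leaves several files with near-identical creation times.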




These viruses do not exist in other virus databases except BitDefender's. Therefore, these supposed viruses are really not viruses. These files do not pose a threat, as I have used them, and ZoneAlarm Internet Security Suite says they're clean. Please do not create your own virus definitions because you're trying to censor the type of files we have on our computers. In order to improve your antivirus, I would remove these false virus "trojans". Otherwise, users like myself become very annoyed and will not want to use your security products.




BitDefender's security suite has potential, since it uses less than 10MB of background memory most of the time. This is the smallest I've seen any security suite run. However, the antivirus needs to have the fake virus definitions removed.




I will tell you, however, that one of those files allows you to view your Windows XP product key. If other antivirus programs see no harm in those files, then they are not infected. Thus, those 3 signatures should be removed, as no other antivirus program sees them as a threat.


No, the user can't remove those signatures manually. The only thing you could do is exclude the folder(s) where these files are located from scanning until the people from BD remove the detection, if they are really FPs.




2) This would not be the first time an AV detects some files as infected when in fact they are clean. This doesn't mean that the signatures are "fake". Those signatures do not apply to only 2 files. They apply to all files that contain that signature, and those files might really be infected.




Why won't you upload the files? You asked that the detection should be removed. That will not happen without the files being checked by the BD Virus Analysts. So, if you don't want to help BD become better, your only option is to exclude those files from the scan (like vladx said).




I moved your topic to "Malware discussion" because here only VR can access attached files. On the rest of the forums, everybody can access them, making it possible to infect other computers. Every time you want to attach a possibly infected file, please attach it in "Malware talk".




I understand that it is a suggestion topic, but we can't allow users to download possibly infected files from the forum. They can blame us for infecting their computer (from their ignorance). That's why I moved your topic here. These files could actually be real trojans, and they could actually cause harm. Virus Researchers will take a look.




Sometimes BitDefender or any other antivirus detects some files even if they are legit. To give an example, pskill is installed on some PCs. It can also be used by a hacker to make your computer count down and afterwards shut itself down.




If something were wrong with the definition file, then all the tools I downloaded would have to be detected. The problem is that I can't download the file, because only virus researchers can download files here, to protect people who accidentally download a virus. If you want to be really sure, you can upload the files to these websites:




Did you install a Windows Vista 30-day activation crack? Because that is also the information that Sophos offers: So you don't have a point. It's exactly the same trojan. Also, the rest of your infections are detected by other vendors too: -software.com/threa...threatid=130083




This is just a coincidence that BD detects those files as malware, BUT take into consideration that they could indeed be malware. BD doesn't detect cracks, keygens etc. BD detects viruses, worms, trojans, spyware etc., and there aren't any definitions for keygens and cracks.




I had bad experiences with their firewall: installation issues where my PC rebooted itself again and again. I can't argue about the security suite. But I read a review in PC Magazine where they say that in that particular test ZoneAlarm was only capable of detecting 34% of zoo files. That was with version 6.0.




BitDefender detects them because cracks and other software to bypass registration or protection have a high chance of being infected. That's why BitDefender detects them. Other vendors also mark cracks as viruses or as riskware. Cracks, keygens, etc. are all illegal.




You are wrong in saying that. Kaspersky sometimes doesn't have definitions for some malware. This was the case for a new MSN virus where the files were undetected. I can give you a link to a security site; the only thing is, it's in Dutch: If you first take a look at when they uploaded it for checking, Kaspersky didn't find anything at first. Scroll down and you will find an answer where someone from Kaspersky Lab says they are going to add a detection file.


Well Eric, just because an AV doesn't detect a file as being infected, this doesn't mean it's not. You have to be careful, because even the best AVs make mistakes sometimes... even BD does sometimes.




What bluesprite said is right. Every antivirus sometimes misses a virus, mostly when it is a new variant. I uploaded the infected files so Softwin can add them to their signatures. I was referring to the example of that MSN virus.




Ok then... Let's put it this way. If both Kaspersky and AntiVir (www.free-av.com - best free virus scanner from the Germans) do not see it as a virus, it's not a virus. In all of my cases BitDefender thinks I have a virus in those files. That's wrong, though, because I've run the Windows Product Key Viewer thousands of times. You have even reassured me that there is no virus in that file.


We're not trying to tell you that, and we aren't trying to tell you that other AVs are bad. What we're trying to say is that just because some AV didn't detect a program as malware, this doesn't mean it isn't malware. Every time a new virus/worm/trojan appears, no AV can detect it until a definition is added. Let's suppose that the BD guys were faster and added the definition for that malware faster than Kaspersky, Avira etc. What does that mean? That BD detects a FP (False Positive) just because some other AVs don't detect it as well?




DO NOT EXIST. Only one other website that has a security product that I have never heard of also has these virus definitions. Obviously, they are flawed, as we saw that my files are not infected. Therefore, I recommend the removal of these definitions, as they only apply to XP key viewers and XP anything that is not stock.




You don't seem to be willing to understand that a file CAN contain a virus even if the "God-chosen" Kaspersky and AntiVir say it's clean. That's what we need to clear up first. Take a look at some tests and you'll see that Kaspersky isn't always the top-performing product, and neither is AntiVir. You're going as far as saying that the tests in which they scored less than 100% are actually incorrect, and the missed samples weren't actually viruses.




On the subject with your particular files, I'm sure they're not infected, and that they're false positives. Kaspersky detects some cracks or keygens as viruses as well, if you use the extensive database, which includes "potentially unwanted programs". It even detected mIRC once, which is not even illegal. So it's really unnecessary to make such a big deal because BD detected your cracks. Exclude the folder where you keep them from scanning and voila. I would imagine that software developers pay antivirus vendors to include cracks for their products in the virus definitions database, and I can't blame them. If you're going to use their software for free, at least bear with their efforts to protect themselves.




Ad-Aware also detects it, for the same reason. It detects it as hacktool.keyfinder. Again, BitDefender is not the only one who detects it, because it can be used without any notice. Also, sometimes they (other virus vendors) didn't detect it because nobody gave them the files to check. Sophos is also a good antivirus that also detects the Windows Vista crack. So the files that BitDefender finds are also marked as infections by other security vendors. I've posted the links to prove it.




Niels, I agree that the key finder could pose a risk because someone else could see your key, but can it be done remotely? Does the file start a server? What about the other files mentioned? I don't think so; they never try to access the Internet. So the risk of someone using the tool to steal your CD key is close to none if he would have to start it manually on your computer. It's easier to steal it from the hologram sticker on the PC case. Yet the files are labeled as "Trojan", which is misleading. They should be labeled as hack tools or cracks, which they are.
