
Enterprise Console found pskill.exe

The Enterprise Console found pskill on a client computer in the folder shown below.  I cannot find any information about what the tempThinClients folder may be.  This is an HP desktop PC.  Several users share this same PC, but only one user has this folder.  A virus scan does not return anything.  Would anyone have an idea what this is and how to get rid of it?

 

File "C:\Users\"username"\AppData\Roaming\tempThinClients\pskill.exe" belongs to adware or PUA 'PsKill' (of type Hacking tool).



  • I'm not so sure about the path, but PsKill is a Microsoft tool; part of the PsTools collection of command line tools - technet.microsoft.com/.../pstools.aspx. It is specifically for killing processes from the command line.

    Clearly it's not malicious in itself, but sometimes this kind of tool can be bundled with malware to perform a task. In the case of the recent ransomware campaign, that was using another tool from the PsTools collection called PsExec.

    If it was found on a developer/super user's computer then I would be less worried. If I found it on, say, my mother-in-law's computer it's more likely to raise a few eyebrows, as I can't imagine her downloading such a tool, so did it come with some malware?

    Legitimate software cannot distribute such a tool legally, so it would have to come with something a little unsavoury.

    You can authorise the tool to be used if you're happy for the user to run it.  I guess the bigger question here is how did it get there and what was the intent.  I would probably ask the user if they recall downloading it, why they might need it, etc.  Can you find a reference in any web proxy logs, and do they have a user-agent string to possibly prove it came down individually through a browser?  Do any other files have a similar timestamp based on the first detection time by Sophos?  You should be able to see the detection in the Application Event log also.

    Regards,

    Jak
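As an added triage example (not part of the thread, and not a Sophos script), the checks Jak lists can be run from PowerShell on the affected PC: confirm the file carries Microsoft's Authenticode signature as a genuine Sysinternals binary would, see which user profiles hold the folder, list other files created around the same time, and pull matching Application event log entries. The file path, the one-hour window and the message-text match are assumptions.

```powershell
# Added triage example; paths, window and match pattern are assumptions.
$Detected = 'C:\Users\username\AppData\Roaming\tempThinClients\pskill.exe'  # placeholder path

# 1. Is it the genuine Sysinternals binary? The real PsKill is Authenticode-signed by Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $Detected
[pscustomobject]@{
    Path   = $Detected
    Status = $sig.Status                      # 'Valid' for an intact signed file
    Signer = $sig.SignerCertificate.Subject   # expect a Microsoft Corporation subject
    SHA256 = (Get-FileHash -Path $Detected -Algorithm SHA256).Hash
} | Format-List

# 2. Which user profiles carry the folder? The poster saw it under only one user.
Get-ChildItem 'C:\Users' -Directory |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\tempThinClients' } |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Get-ChildItem $_ -Force | Select-Object FullName, CreationTime, LastWriteTime }

# 3. Other files created within an hour either side of pskill.exe landing on disk;
#    anything dropped alongside it shows up here. The window size is an assumption.
$created = (Get-Item $Detected).CreationTime
$window  = New-TimeSpan -Hours 1
Get-ChildItem 'C:\Users' -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { [math]::Abs(($_.CreationTime - $created).TotalSeconds) -le $window.TotalSeconds } |
    Select-Object FullName, CreationTime |
    Sort-Object CreationTime

# 4. Detection entries in the Application log from just before that time onward.
#    No provider filter is used because the provider name varies by product version;
#    matching on message text instead is an assumption.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $created.AddHours(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'pskill|tempThinClients' } |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-List
```

Run it from an elevated prompt so other users' profiles and the full Application log are readable.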
