Re: PYCTYSSKE service ??
- From: "Faisal [MSFT]" <faisalhussain@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 22 Oct 2007 11:11:01 +0400
Unknown services or binary images are always suspicious. It could be linked to a possible rootkit. No single tool can assure whether the box is rooted or not, or, if cleaned, that it is 100% clean.
As you mentioned the hash couldn't be verified, I would suggest:
1- disable the service.
2- ensure no services are linked to it or this one is not running as a dependency.
3- find the related binaries on the file system.
4- trace registries.
5- startup items.
6- you can do all this using a tool called Process Explorer from Microsoft (Sysinternals tool).
7- use Process Explorer in combination with Process Monitor to trace registries and the file system using Regmon and Filemon.
All the noise from these tools should give you enough information to start cleaning it.
However, even if you clean the malicious process out, there is no guarantee that the system is still not rooted.
To verify a rootkit, analyze your system in offline mode, i.e. booting from WinPE and doing a DIFF analysis.
HTH
"cachetray" <cachetray@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:88651696-24B5-4D16-92C8-981C4DC61EB0@xxxxxxxxxxxxxxxx
This service was running on Windows XP Professional. I was shocked when I
noticed it in the Computer Management mmc snap-in. The executable was found
in C:\Documents and Settings\LOCALS~\Temp. The application that I found was
Root Kit Revealer from Sysinternals renamed as PYCTYSSKE.exe. The CA
certificate showed that the object did not have a valid digital signature.
Valid from 4-4-06 to 10-4-07
! Key Usage Digital Signature non-Repudiation (c0)
! Basic Constraints Subject type =CA, PathLength.....
I use an account that belongs to the users group and very rarely log on as
Administrator. The application was installed on an account with Administrator
rights. I found a log file that it made in the Temp folder as well.
Google fails to query a result and I am without an explanation.
Any clue??
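The steps in the reply above (disable, check dependencies, locate the binary, trace the registry and startup items, inspect the live process) can be scripted for a first pass before reaching for Process Explorer. The script below is an added example, not code from the thread or from Sysinternals; it assumes Windows PowerShell 5.1 or later in an elevated console (so it will not run on the XP box in the thread as-is), and every value except the service name PYCTYSSKE is constructed. The report is read-only unless -Disable is passed.

```powershell
<#
  Triage script for an unknown Windows service (added example, not from the thread).
  Assumes Windows PowerShell 5.1+, an elevated console, and a service name passed in;
  the name 'PYCTYSSKE' is the thread's, every other value is constructed.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[\w.\-]+$')]   # keep the name safe for the WQL filter below
    [string]$ServiceName,
    [switch]$Disable                   # step 1 of the reply, applied only on request
)

# Service PathName may be quoted and carry arguments: "C:\dir\app.exe" -flag
function Get-ServiceImagePath {
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($PathName -match '^\s*(\S+\.exe)')  { return $Matches[1] }
    return $PathName.Trim()
}

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Warning "No service named '$ServiceName'"; return }

$exe = Get-ServiceImagePath $svc.PathName
$report = [ordered]@{
    Service     = $svc.Name
    DisplayName = $svc.DisplayName
    State       = $svc.State
    StartMode   = $svc.StartMode
    RunsAs      = $svc.StartName
    ImagePath   = $exe
    InTempDir   = [bool]($exe -match '\\Temp\\')   # the thread's binary lived in a Temp folder
}

# Step 3: the binary itself - does it exist, who signed it, what is its hash?
if (Test-Path -LiteralPath $exe) {
    $sig = Get-AuthenticodeSignature -FilePath $exe
    $report.Signature = $sig.Status            # Valid / NotSigned / HashMismatch / ...
    $report.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $report.SHA256    = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
} else {
    $report.Signature = 'FILE MISSING'
}

# Step 2: what depends on this service, and what does it depend on?
$s = Get-Service -Name $ServiceName
$report.DependentServices = @($s.DependentServices | ForEach-Object Name)
$report.DependsOn         = @($s.ServicesDependedOn | ForEach-Object Name)

# Step 4: the service's own registry key (what the SCM actually launches)
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (Test-Path $svcKey) {
    $reg = Get-ItemProperty -Path $svcKey
    $report.RegImagePath = $reg.ImagePath
    $report.RegStart     = $reg.Start          # 2=Automatic, 3=Manual, 4=Disabled
}

# Step 5: startup (Run) entries that reference the same executable name
$exeLeaf = Split-Path -Leaf $exe
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$report.StartupHits = @(
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like "*$exeLeaf*") {
                "$k\$($p.Name) = $($p.Value)"
            }
        }
    }
)

# Live process, if the service is running (what Process Explorer would show)
if ($svc.ProcessId -gt 0) {
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId=$($svc.ProcessId)"
    $report.ProcessId   = $svc.ProcessId
    $report.CommandLine = $proc.CommandLine
}

[pscustomobject]$report | Format-List

# Step 1, only when asked, and only after DependentServices above has been reviewed
if ($Disable) {
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $ServiceName -StartupType Disabled
    Write-Host "Service '$ServiceName' stopped and set to Disabled."
}
```

Run it as `.\Triage-Service.ps1 -ServiceName PYCTYSSKE` (file name constructed) and compare the signature status, hash and dependency list against what you expect; a NotSigned or HashMismatch status on a binary under a Temp folder is exactly the combination the original poster saw. Everything here is online analysis, so it has the limitation the reply points out: a kernel-mode rootkit can hide the service, the file and the registry key from these same APIs, which is why the offline WinPE diff is still the last word.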