Re: PYCTYSSKE service ??
- From: "Faisal [MSFT]" <faisalhussain@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 23 Oct 2007 16:17:17 +0400
I do agree, reinstall is the choice to be 100%.
"cachetray" <cachetray@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:1E80239A-F9B8-4B12-95E7-089108804D53@xxxxxxxxxxxxxxxx
As you said "However even if you clean the malicious process out, there is no
guarantee that the system is still not rooted." I have used Process Explorer many
times in the past; it's a great tool to expose malware. Although I did analyze
the system after disabling the service, I could not determine that the system
was 100% clean. I'm a firm believer in reinstalling to be 100% sure.
Thanks for your help
"Faisal [MSFT]" wrote:
Unknown services or binary images are always suspicious. It could be
linked to a possible rootkit. No single tool can assure whether the box is
rooted or not, or, if it has been cleaned, whether it is 100% clean.
As you mentioned the hash couldn't be verified, I would suggest:
1- disable the service.
2- ensure no services are linked to it and that it is not running as a
dependency.
3- find the related binaries on the file system.
4- trace registry entries.
5- startup items.
6- you can do all this using a tool called Process Explorer from Microsoft
(Sysinternals tool).
7- use Process Explorer in combination with Process Monitor to trace
registry and file system activity using Regmon and Filemon.
All the noise from these tools should give you enough information to start
cleaning it.
However even if you clean the malicious process out, there is no guarantee
that the system is still not rooted.
To verify a rootkit, analyze your system in offline mode, i.e. booting from
WinPE and doing a DIFF analysis.
HTH
"cachetray" <cachetray@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:88651696-24B5-4D16-92C8-981C4DC61EB0@xxxxxxxxxxxxxxxx
> This service was running on Windows XP Professional. I was shocked when I
> noticed it in the Computer Management mmc snap-in. The executable was found
> in C:\Documents and Settings\LOCALS~\Temp.. The application that I found
> was Root Kit Revealer from Sysinternals renamed as PYCTYSSKE.exe. The CA
> certificate showed that the object did not have a valid digital signature.
> Valid from 4-4-06 to 10-4-07
> ! Key Usage Digital Signature non-Repudiation (c0)
> ! Basic Constraints Subject type =CA, PathLength.....
> I use an account that belongs to the users group and very rarely log on as
> Administrator. The application was installed on an account with Administrator
> rights. I found a log file that it made in the Temp folder as well.
> Google fails to query a result and I am without an explanation.
> Any clue??
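The triage steps in the reply above (disable the service, check its dependencies, locate the binary, inspect its registry key and startup entries, then confirm from an offline boot with a DIFF of the file system) can be scripted. The block below is an added example written for this page; it is not code from the thread, from Microsoft or from Sysinternals. It assumes Windows PowerShell 5.1 or later on the host being examined (the XP box in the thread would need the equivalent sc.exe / reg.exe / Sysinternals checks instead); the service name 'PYCTYSSKE' is the one the thread names, and the CSV paths are placeholders. The signer-certificate check looks for the Basic Constraints CA=TRUE condition the original post describes, since a code-signing signature made with a CA certificate rather than an end-entity certificate is itself a warning sign.

```powershell
# Added example, not code from the thread or from Microsoft/Sysinternals.
# Assumes Windows PowerShell 5.1+; service name and CSV paths are placeholders.

function Get-ServiceTriage {
    # Steps 1-5 from the reply: state, dependencies, binary on disk, signature,
    # registry key and any Run/RunOnce entry that references the same binary.
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction Stop
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"

    # ImagePath may be quoted and may carry arguments; isolate the executable.
    $exe = if ($cim.PathName -match '^"([^"]+)"') { $Matches[1] }
           else { ($cim.PathName -split ' ')[0] }

    $hash = $null; $sig = $null; $signerIsCA = $null
    if (Test-Path -LiteralPath $exe) {
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $exe
        if ($sig.SignerCertificate) {
            # Basic Constraints CA=TRUE on the signer: not an end-entity cert.
            $bc = $sig.SignerCertificate.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
            $signerIsCA = [bool]($bc | ForEach-Object CertificateAuthority)
        }
    }

    $exeName = [IO.Path]::GetFileName($exe)
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $startup = foreach ($k in $runKeys) {
        if (Test-Path $k) {
            (Get-ItemProperty -Path $k).PSObject.Properties |
                Where-Object { $_.Value -is [string] -and $_.Value -like "*$exeName*" } |
                ForEach-Object { "$k\$($_.Name) = $($_.Value)" }
        }
    }

    [pscustomobject]@{
        Name              = $svc.Name
        Status            = $svc.Status
        StartMode         = $cim.StartMode
        RunsAs            = $cim.StartName
        Executable        = $exe
        InTempOrProfile   = [bool]($exe -match '\\Temp\\|\\Documents and Settings\\|\\Users\\')
        SHA256            = $hash
        SignatureStatus   = if ($sig) { $sig.Status } else { 'binary not on disk' }
        Signer            = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SignerIsCA        = $signerIsCA
        DependentServices = ($svc.DependentServices | ForEach-Object Name) -join ','
        RequiredServices  = ($svc.ServicesDependedOn | ForEach-Object Name) -join ','
        RegistryKey       = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
        StartupReferences = ($startup -join '; ')
    }
}

function Disable-SuspectService {
    # Step 1, but only after step 2: refuse if other services depend on it.
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($svc.DependentServices.Count -gt 0) {
        throw "Services depend on ${Name}: $($svc.DependentServices.Name -join ', ')"
    }
    Set-Service -Name $Name -StartupType Disabled
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
}

function Get-VolumeBaseline {
    # Hash every file under $Root, keyed by path relative to $Root, so a listing
    # from the live OS (C:\) and one from WinPE (same volume, usually another
    # drive letter) can be compared line for line.
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$OutFile)
    $prefix = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $prefix -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path   = $_.FullName.Substring($prefix.Length).TrimStart('\')
                SHA256 = if ($h) { $h.Hash } else { 'UNREADABLE' }
            }
        } | Export-Csv -LiteralPath $OutFile -NoTypeInformation
}

function Compare-VolumeBaseline {
    # Offline DIFF. A file the WinPE boot sees but the running OS did not is the
    # classic sign of a rootkit hiding it; 'live only' is usually pagefile/log
    # noise; 'hash differs' is a file changed between the two listings.
    param([Parameter(Mandatory)][string]$LiveCsv, [Parameter(Mandatory)][string]$OfflineCsv)
    $live = @{}; foreach ($r in (Import-Csv -LiteralPath $LiveCsv))    { $live[$r.Path] = $r.SHA256 }
    $off  = @{}; foreach ($r in (Import-Csv -LiteralPath $OfflineCsv)) { $off[$r.Path]  = $r.SHA256 }
    foreach ($p in (@($live.Keys) + @($off.Keys) | Sort-Object -Unique)) {
        $finding = $null
        if (-not $live.ContainsKey($p))     { $finding = 'hidden from live OS' }
        elseif (-not $off.ContainsKey($p))  { $finding = 'live only' }
        elseif ($live[$p] -ne $off[$p])     { $finding = 'hash differs' }
        if ($finding) {
            [pscustomobject]@{ Path = $p; Live = $live[$p]; Offline = $off[$p]; Finding = $finding }
        }
    }
}

# Usage on the live system:
#   Get-ServiceTriage -Name 'PYCTYSSKE' | Format-List
#   Disable-SuspectService -Name 'PYCTYSSKE'
#   Get-VolumeBaseline -Root 'C:\' -OutFile 'E:\live.csv'
# Then boot WinPE, where the system volume shows up as, say, D:\:
#   Get-VolumeBaseline -Root 'D:\' -OutFile 'E:\offline.csv'
#   Compare-VolumeBaseline -LiveCsv 'E:\live.csv' -OfflineCsv 'E:\offline.csv'
```

The live listing is taken from inside the possibly-rooted OS on purpose: a kernel rootkit filters what that OS returns, and the offline listing from WinPE is the reference it cannot filter, so the 'hidden from live OS' rows are the ones to read first. As both posters conclude, a clean DIFF still does not prove the box is clean; it only tells you what the running system was not showing you.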