PYCTYSSKE service ??

[cachetray]

This service was running on Windows XP Professional. I was shocked when I
noticed it in the Computer Management mmc snap-in. The executable was found
in C:\Documents and Settings\LOCALS~\Temp.. The application that I found was
Root Kit Revealer from Sysinternals renamed as PYCTYSSKE.exe. The CA
certificate showed that the object did not have a valid digital signature.
Valid from 4-4-06 to 10-4-07
! Key Usage Digital Signature non-Repudiation (c0)
! Basic Constraints Subject type =CA, PathLength.....
I use an account that belongs to the users group and very rarely log on as
Administrator. The application was installed on an account with Administrator
rights. I found a log file that it made in the Temp folder as well.
Google fails to query a result and I am without an explanation.
Any clue??

 

[Faisal [MSFT]]

unknown services or binary images are always suspicious. It could be a
linked to possible rootkit. No single tool can assure that if the box is
rooted or not or if cleaned , so is it 100% clean.

As you mentioned the hash couldnt be verified then I would suggest :

1- disable the service.
2- ensure no serivces are linked to it or this one is not running as
dependency.
3- find the related bineries on file system
4- trace registries
5- startup items
6- you can do all this using a tool called process explorer from Microsoft
(sysinternal tool).
7- use process explorer in combination with Process monitor to trace
registires and file system using regmon and filemon.

All the nosie from these tools should give you enough information to start
cleaning it.

However even if you clean the malacious process out, there isno guarantee
that system is stillnot rooted .

Too verify RootKit , analyzer your system in offline mode i.e booting from
WinPE and doing DIFF analysis.

HTH





"cachetray" <cachetray@discussions.microsoft.com> wrote in message
news:88651696-24B5-4D16-92C8-981C4DC61EB0@microsoft.com...
> This service was running on Windows XP Professional. I was shocked when I
> noticed it in the Computer Management mmc snap-in. The executable was
> found
> in C:\Documents and Settings\LOCALS~\Temp.. The application that I found
> was
> Root Kit Revealer from Sysinternals renamed as PYCTYSSKE.exe. The CA
> certificate showed that the object did not have a valid digital signature.
> Valid from 4-4-06 to 10-4-07
> ! Key Usage Digital Signature non-Repudiation (c0)
> ! Basic Constraints Subject type =CA, PathLength.....
> I use an account that belongs to the users group and very rarely log on as
> Administrator. The application was installed on an account with
> Administrator
> rights. I found a log file that it made in the Temp folder as well.
> Google fails to query a result and I am without an explanation.
> Any clue??
>

 

[Brian Komar]

I guess the biug quesiton is whether you installed the application at some
point.
The certificate used to sign the application has expired, and did not appear
to use a timestamp.
What happens if you set the date/time of your computer back to a date
between 4-4-06 anmd 10-4-07?
Brian

"cachetray" <cachetray@discussions.microsoft.com> wrote in message
news:88651696-24B5-4D16-92C8-981C4DC61EB0@microsoft.com...
> This service was running on Windows XP Professional. I was shocked when I
> noticed it in the Computer Management mmc snap-in. The executable was
> found
> in C:\Documents and Settings\LOCALS~\Temp.. The application that I found
> was
> Root Kit Revealer from Sysinternals renamed as PYCTYSSKE.exe. The CA
> certificate showed that the object did not have a valid digital signature.
> Valid from 4-4-06 to 10-4-07
> ! Key Usage Digital Signature non-Repudiation (c0)
> ! Basic Constraints Subject type =CA, PathLength.....
> I use an account that belongs to the users group and very rarely log on as
> Administrator. The application was installed on an account with
> Administrator
> rights. I found a log file that it made in the Temp folder as well.
> Google fails to query a result and I am without an explanation.
> Any clue??
>

 

[cachetray]

As you said "However even if you clean the malacious process out, there isno
guarantee that system is stillnot rooted ." I have used Process explorer many
times in the past, its a great tool to expose malware. Although I did analyze
the system after disabling the service, I could not determine that the system
was 100% clean. Im a firm believer in reinstalling to be 100% sure.
Thanks for your Help


"Faisal [MSFT]" wrote:

> unknown services or binary images are always suspicious. It could be a
> linked to possible rootkit. No single tool can assure that if the box is
> rooted or not or if cleaned , so is it 100% clean.
>
> As you mentioned the hash couldnt be verified then I would suggest :
>
> 1- disable the service.
> 2- ensure no serivces are linked to it or this one is not running as
> dependency.
> 3- find the related bineries on file system
> 4- trace registries
> 5- startup items
> 6- you can do all this using a tool called process explorer from Microsoft
> (sysinternal tool).
> 7- use process explorer in combination with Process monitor to trace
> registires and file system using regmon and filemon.
>
> All the nosie from these tools should give you enough information to start
> cleaning it.
>
> However even if you clean the malacious process out, there isno guarantee
> that system is stillnot rooted .
>
> Too verify RootKit , analyzer your system in offline mode i.e booting from
> WinPE and doing DIFF analysis.
>
> HTH
>
>
>
>
>
> "cachetray" <cachetray@discussions.microsoft.com> wrote in message
> news:88651696-24B5-4D16-92C8-981C4DC61EB0@microsoft.com...
> > This service was running on Windows XP Professional. I was shocked when I
> > noticed it in the Computer Management mmc snap-in. The executable was
> > found
> > in C:\Documents and Settings\LOCALS~\Temp.. The application that I found
> > was
> > Root Kit Revealer from Sysinternals renamed as PYCTYSSKE.exe. The CA
> > certificate showed that the object did not have a valid digital signature.
> > Valid from 4-4-06 to 10-4-07
> > ! Key Usage Digital Signature non-Repudiation (c0)
> > ! Basic Constraints Subject type =CA, PathLength.....
> > I use an account that belongs to the users group and very rarely log on as
> > Administrator. The application was installed on an account with
> > Administrator
> > rights. I found a log file that it made in the Temp folder as well.
> > Google fails to query a result and I am without an explanation.
> > Any clue??
> >
>

 

[Faisal [MSFT]]

I do agree , reinstall is the choice to be 100%.


"cachetray" <cachetray@discussions.microsoft.com> wrote in message
news:1E80239A-F9B8-4B12-95E7-089108804D53@microsoft.com...
> As you said "However even if you clean the malacious process out, there
> isno
> guarantee that system is stillnot rooted ." I have used Process explorer
> many
> times in the past, its a great tool to expose malware. Although I did
> analyze
> the system after disabling the service, I could not determine that the
> system
> was 100% clean. Im a firm believer in reinstalling to be 100% sure.
> Thanks for your Help
>
>
> "Faisal [MSFT]" wrote:
>
>> unknown services or binary images are always suspicious. It could be a
>> linked to possible rootkit. No single tool can assure that if the box is
>> rooted or not or if cleaned , so is it 100% clean.
>>
>> As you mentioned the hash couldnt be verified then I would suggest :
>>
>> 1- disable the service.
>> 2- ensure no serivces are linked to it or this one is not running as
>> dependency.
>> 3- find the related bineries on file system
>> 4- trace registries
>> 5- startup items
>> 6- you can do all this using a tool called process explorer from
>> Microsoft
>> (sysinternal tool).
>> 7- use process explorer in combination with Process monitor to trace
>> registires and file system using regmon and filemon.
>>
>> All the nosie from these tools should give you enough information to
>> start
>> cleaning it.
>>
>> However even if you clean the malacious process out, there isno guarantee
>> that system is stillnot rooted .
>>
>> Too verify RootKit , analyzer your system in offline mode i.e booting
>> from
>> WinPE and doing DIFF analysis.
>>
>> HTH
>>
>>
>>
>>
>>
>> "cachetray" <cachetray@discussions.microsoft.com> wrote in message
>> news:88651696-24B5-4D16-92C8-981C4DC61EB0@microsoft.com...
>> > This service was running on Windows XP Professional. I was shocked when
>> > I
>> > noticed it in the Computer Management mmc snap-in. The executable was
>> > found
>> > in C:\Documents and Settings\LOCALS~\Temp.. The application that I
>> > found
>> > was
>> > Root Kit Revealer from Sysinternals renamed as PYCTYSSKE.exe. The CA
>> > certificate showed that the object did not have a valid digital
>> > signature.
>> > Valid from 4-4-06 to 10-4-07
>> > ! Key Usage Digital Signature non-Repudiation (c0)
>> > ! Basic Constraints Subject type =CA, PathLength.....
>> > I use an account that belongs to the users group and very rarely log on
>> > as
>> > Administrator. The application was installed on an account with
>> > Administrator
>> > rights. I found a log file that it made in the Temp folder as well.
>> > Google fails to query a result and I am without an explanation.
>> > Any clue??
>> >
>>

 

[MowGreen [MVP]]

There is no need to wipe and reinstall as this is expected behavior when
one runs RootKit Revealer:
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

> We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of
> itself that runs as a Windows service.

The location of the executable and the log is correct, too. To remove
the Service you will have to edit the registry. PYCTYSSKE will be
located here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Delete it's subfolder under Services and reboot the system.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============



cachetray wrote:

> This service was running on Windows XP Professional. I was shocked when I
> noticed it in the Computer Management mmc snap-in. The executable was found
> in C:\Documents and Settings\LOCALS~\Temp.. The application that I found was
> Root Kit Revealer from Sysinternals renamed as PYCTYSSKE.exe. The CA
> certificate showed that the object did not have a valid digital signature.
> Valid from 4-4-06 to 10-4-07
> ! Key Usage Digital Signature non-Repudiation (c0)
> ! Basic Constraints Subject type =CA, PathLength.....
> I use an account that belongs to the users group and very rarely log on as
> Administrator. The application was installed on an account with Administrator
> rights. I found a log file that it made in the Temp folder as well.
> Google fails to query a result and I am without an explanation.
> Any clue??
>

 

[cachetray]

This advice is nonsense. Most of what you explained below is not
true.Approximately ten minutes ago I downloaded, and extracted Root Kit
Revealer to see if I was wasting my time when I reinstalled. I do not see
anything out of the ordinary, no suspicious service, nothing to delete in the
registry, and also if I run cmd as a privileged user, C:\Windows\Documents
and Settings\Locals~ is empty. I am using an account that belongs to the
users and network configuration group and everything I extracted is under

C:\Windows\Documents and
Settings\LocalSettings\TheAccountThatBelongsToTheUsersGroup.
Why should I believe what you are trying to tell me?
You stated "> We've therefore updated RootkitRevealer to execute its scan
from a randomly named copy of
> itself that runs as a Windows service. "
A windows service is not a suspicious service.
The only reason I have ever had to dig through and edit the registry to
delete a key or string value is because of malware, or a Trojan virus.
Thanks but no thanks.
"MowGreen [MVP]" wrote:

> There is no need to wipe and reinstall as this is expected behavior when
> one runs RootKit Revealer:
> http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx
>
> > We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of
> > itself that runs as a Windows service.
>
> The location of the executable and the log is correct, too. To remove
> the Service you will have to edit the registry. PYCTYSSKE will be
> located here:
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
>
> Delete it's subfolder under Services and reboot the system.
>
> MowGreen [MVP 2003-2008]
> ===============
> *-343-* FDNY
> Never Forgotten
> ===============
>
>
>
> cachetray wrote:
>
> > This service was running on Windows XP Professional. I was shocked when I
> > noticed it in the Computer Management mmc snap-in. The executable was found
> > in C:\Documents and Settings\LOCALS~\Temp.. The application that I found was
> > Root Kit Revealer from Sysinternals renamed as PYCTYSSKE.exe. The CA
> > certificate showed that the object did not have a valid digital signature.
> > Valid from 4-4-06 to 10-4-07
> > ! Key Usage Digital Signature non-Repudiation (c0)
> > ! Basic Constraints Subject type =CA, PathLength.....
> > I use an account that belongs to the users group and very rarely log on as
> > Administrator. The application was installed on an account with Administrator
> > rights. I found a log file that it made in the Temp folder as well.
> > Google fails to query a result and I am without an explanation.
> > Any clue??
> >
>

 

[MowGreen [MVP]]

I stated NOTHING, it was copied and pasted from the RootKit Revealer
page found here:
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx

All that was related was from running a previous copy of RKR. If the
present Version of it behaves differently, then I'm unaware of such
behavior.
If you think that what I posted is nonsense, then read this thread from
the RootKit Revealer forum:

Removing junk in services list
http://forum.sysinternals.com/forum_posts.asp?TID=1650

You're welcome, but not welcome.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============



cachetray wrote:

> This advice is nonsense. Most of what you explained below is not
> true.Approximately ten minutes ago I downloaded, and extracted Root Kit
> Revealer to see if I was wasting my time when I reinstalled. I do not see
> anything out of the ordinary, no suspicious service, nothing to delete in the
> registry, and also if I run cmd as a privileged user, C:\Windows\Documents
> and Settings\Locals~ is empty. I am using an account that belongs to the
> users and network configuration group and everything I extracted is under
>
> C:\Windows\Documents and
> Settings\LocalSettings\TheAccountThatBelongsToTheUsersGroup.
> Why should I believe what you are trying to tell me?
> You stated "> We've therefore updated RootkitRevealer to execute its scan
> from a randomly named copy of
>
>>itself that runs as a Windows service. "
>
> A windows service is not a suspicious service.
> The only reason I have ever had to dig through and edit the registry to
> delete a key or string value is because of malware, or a Trojan virus.
> Thanks but no thanks.
> "MowGreen [MVP]" wrote:
>
>
>>There is no need to wipe and reinstall as this is expected behavior when
>>one runs RootKit Revealer:
>>http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx
>>
>>
>>>We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of
>>>itself that runs as a Windows service.
>>
>>The location of the executable and the log is correct, too. To remove
>>the Service you will have to edit the registry. PYCTYSSKE will be
>>located here:
>>
>>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
>>
>>Delete it's subfolder under Services and reboot the system.
>>
>>MowGreen [MVP 2003-2008]
>>===============
>> *-343-* FDNY
>>Never Forgotten
>>===============
>>
>>
>>
>>cachetray wrote:
>>
>>
>>>This service was running on Windows XP Professional. I was shocked when I
>>>noticed it in the Computer Management mmc snap-in. The executable was found
>>>in C:\Documents and Settings\LOCALS~\Temp.. The application that I found was
>>>Root Kit Revealer from Sysinternals renamed as PYCTYSSKE.exe. The CA
>>>certificate showed that the object did not have a valid digital signature.
>>>Valid from 4-4-06 to 10-4-07
>>>! Key Usage Digital Signature non-Repudiation (c0)
>>>! Basic Constraints Subject type =CA, PathLength.....
>>>I use an account that belongs to the users group and very rarely log on as
>>>Administrator. The application was installed on an account with Administrator
>>>rights. I found a log file that it made in the Temp folder as well.
>>>Google fails to query a result and I am without an explanation.
>>>Any clue??
>>>
>>

 

[cachetray]

Excuse the misunderstanding.
The reason why I questioned was because I did not download Root Kit Revealer
from sysinternals in the first place.

Somehow it was placed in a temp folder belonging to a privileged user with a
very suspicious name running a very suspicious service without my knowledge.

I have a good understanding of how Windows XP can
become a target for

certian vulnerabilities on a network, which is why I can not find a reason
to believe that this was normal.

Thank you for your time and concern.

I have resolved this issue and I am moving on..


"MowGreen [MVP]" wrote:

> I stated NOTHING, it was copied and pasted from the RootKit Revealer
> page found here:
> http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx
>
> All that was related was from running a previous copy of RKR. If the
> present Version of it behaves differently, then I'm unaware of such
> behavior.
> If you think that what I posted is nonsense, then read this thread from
> the RootKit Revealer forum:
>
> Removing junk in services list
> http://forum.sysinternals.com/forum_posts.asp?TID=1650
>
> You're welcome, but not welcome.
>
> MowGreen [MVP 2003-2008]
> ===============
> *-343-* FDNY
> Never Forgotten
> ===============
>
>
>
> cachetray wrote:
>
> > This advice is nonsense. Most of what you explained below is not
> > true.Approximately ten minutes ago I downloaded, and extracted Root Kit
> > Revealer to see if I was wasting my time when I reinstalled. I do not see
> > anything out of the ordinary, no suspicious service, nothing to delete in the
> > registry, and also if I run cmd as a privileged user, C:\Windows\Documents
> > and Settings\Locals~ is empty. I am using an account that belongs to the
> > users and network configuration group and everything I extracted is under
> >
> > C:\Windows\Documents and
> > Settings\LocalSettings\TheAccountThatBelongsToTheUsersGroup.
> > Why should I believe what you are trying to tell me?
> > You stated "> We've therefore updated RootkitRevealer to execute its scan
> > from a randomly named copy of
> >
> >>itself that runs as a Windows service. "
> >
> > A windows service is not a suspicious service.
> > The only reason I have ever had to dig through and edit the registry to
> > delete a key or string value is because of malware, or a Trojan virus.
> > Thanks but no thanks.
> > "MowGreen [MVP]" wrote:
> >
> >
> >>There is no need to wipe and reinstall as this is expected behavior when
> >>one runs RootKit Revealer:
> >>http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx
> >>
> >>
> >>>We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of
> >>>itself that runs as a Windows service.
> >>
> >>The location of the executable and the log is correct, too. To remove
> >>the Service you will have to edit the registry. PYCTYSSKE will be
> >>located here:
> >>
> >>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
> >>
> >>Delete it's subfolder under Services and reboot the system.
> >>
> >>MowGreen [MVP 2003-2008]
> >>===============
> >> *-343-* FDNY
> >>Never Forgotten
> >>===============
> >>
> >>
> >>
> >>cachetray wrote:
> >>
> >>
> >>>This service was running on Windows XP Professional. I was shocked when I
> >>>noticed it in the Computer Management mmc snap-in. The executable was found
> >>>in C:\Documents and Settings\LOCALS~\Temp.. The application that I found was
> >>>Root Kit Revealer from Sysinternals renamed as PYCTYSSKE.exe. The CA
> >>>certificate showed that the object did not have a valid digital signature.
> >>>Valid from 4-4-06 to 10-4-07
> >>>! Key Usage Digital Signature non-Repudiation (c0)
> >>>! Basic Constraints Subject type =CA, PathLength.....
> >>>I use an account that belongs to the users group and very rarely log on as
> >>>Administrator. The application was installed on an account with Administrator
> >>>rights. I found a log file that it made in the Temp folder as well.
> >>>Google fails to query a result and I am without an explanation.
> >>>Any clue??
> >>>
> >>
>