Posted by Faisal [MSFT] on October 23, 2007, 8:17 am
I do agree, reinstall is the choice to be 100% sure.
> As you said, "However even if you clean the malicious process out, there
> is no guarantee that the system is still not rooted." I have used Process
> Explorer many times in the past; it's a great tool to expose malware.
> Although I did analyze the system after disabling the service, I could
> not determine that the system was 100% clean. I'm a firm believer in
> reinstalling to be 100% sure.
> Thanks for your help
>
>
> "Faisal [MSFT]" wrote:
>
>> Unknown services or binary images are always suspicious. It could be
>> linked to a possible rootkit. No single tool can assure you whether the
>> box is rooted or not, or, if cleaned, whether it is 100% clean.
>>
>> As you mentioned the hash couldn't be verified, I would suggest:
>>
>> 1- Disable the service.
>> 2- Ensure no services are linked to it, or that this one is not running
>> as a dependency.
>> 3- Find the related binaries on the file system.
>> 4- Trace the registry entries.
>> 5- Check the startup items.
>> 6- You can do all this using a tool called Process Explorer from
>> Microsoft (Sysinternals tool).
>> 7- Use Process Explorer in combination with Process Monitor to trace
>> the registry and file system using Regmon and Filemon.
>>
>> All the noise from these tools should give you enough information to
>> start cleaning it.
>>
>> However, even if you clean the malicious process out, there is no
>> guarantee that the system is still not rooted.
>>
>> To verify a rootkit, analyze your system in offline mode, i.e. booting
>> from WinPE and doing DIFF analysis.
>>
>> HTH
>>
>>
>>
>> > This service was running on Windows XP Professional. I was shocked
>> > when I noticed it in the Computer Management MMC snap-in. The
>> > executable was found in C:\Documents and Settings\LOCALS~\Temp.. The
>> > application that I found was RootkitRevealer from Sysinternals renamed
>> > as PYCTYSSKE.exe. The CA certificate showed that the object did not
>> > have a valid digital signature.
>> > Valid from 4-4-06 to 10-4-07
>> > ! Key Usage: Digital Signature, Non-Repudiation (c0)
>> > ! Basic Constraints: Subject Type=CA, PathLength.....
>> > I use an account that belongs to the Users group and very rarely log
>> > on as Administrator. The application was installed on an account with
>> > Administrator rights. I found a log file that it made in the Temp
>> > folder as well.
>> > Google fails to return a result and I am without an explanation.
>> > Any clue??
>> >
>>
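As an added example (not code from the thread, from Faisal or from Microsoft), here is a PowerShell script that does the live triage the reply lists (locate each service's image, check its Authenticode signature, note whether it lives under Temp or a user profile, and list what depends on it before you disable it) and then the offline DIFF analysis the reply ends with. The cmdlets are standard; the offline mount letter D:\, the baseline file name and the Temp/profile path patterns are assumptions for illustration, and PowerShell 5.1 or later run as Administrator is assumed.

```powershell
# Added example, not from the thread. Assumes PowerShell 5.1+, run as Administrator.
# The mount letter D:\, baseline.xml and the path patterns below are placeholders.

function Resolve-ServiceBinary {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted, may be unquoted with spaces, and may
    # carry arguments (e.g. svchost.exe -k netsvcs). Return just the image path.
    if (-not $PathName) { return '' }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $PathName -split '\s+'
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $candidate = $tokens[0..$i] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]   # nothing on disk matched; report the first token
}

function Get-ServiceTriage {
    # Steps 1-5 of the reply, done for every service: image path, signature,
    # location, and dependents (so disabling it does not break something else).
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $bin     = Resolve-ServiceBinary -PathName $svc.PathName
        $reasons = @()
        $signer  = $null
        # Assumed patterns: service images normally do not live in these trees.
        if ($bin -match '\\Temp\\|\\Documents and Settings\\|\\Users\\') {
            $reasons += 'image under Temp or a user profile'
        }
        if ($bin -and (Test-Path -LiteralPath $bin -PathType Leaf)) {
            $sig = Get-AuthenticodeSignature -FilePath $bin
            if ($sig.Status -eq 'Valid') {
                $signer = $sig.SignerCertificate.Subject
            } else {
                $reasons += "signature status $($sig.Status)"
            }
        } else {
            $reasons += 'image not found on disk'
        }
        $sc = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name       = $svc.Name
            State      = $svc.State
            StartMode  = $svc.StartMode
            RunsAs     = $svc.StartName
            Binary     = $bin
            Signer     = $signer
            Dependents = if ($sc) { ($sc.DependentServices | ForEach-Object Name) -join ',' } else { '' }
            Reasons    = $reasons -join '; '
        }
    }
}

function Get-FileManifest {
    param([Parameter(Mandatory)][string]$Root)
    # SHA-256 of every file under $Root, keyed by path relative to $Root so a
    # manifest taken from C:\WINDOWS and one from an offline D:\WINDOWS line up.
    $root = $Root.TrimEnd('\')
    $manifest = @{}
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($hash) { $manifest[$_.FullName.Substring($root.Length)] = $hash.Hash }
        }
    return $manifest
}

function Compare-FileManifest {
    param([Parameter(Mandatory)][hashtable]$Baseline,
          [Parameter(Mandatory)][hashtable]$Suspect)
    # The DIFF analysis step: report what appeared, changed or vanished.
    foreach ($k in $Suspect.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added'; Path = $k }
        } elseif ($Baseline[$k] -ne $Suspect[$k]) {
            [pscustomobject]@{ Change = 'Modified'; Path = $k }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Suspect.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Removed'; Path = $k }
        }
    }
}

# Live triage on the possibly rooted box; treat the output as a lead, not proof.
Get-ServiceTriage | Where-Object Reasons | Format-Table Name, State, Binary, Reasons -AutoSize

# Offline diff: take the baseline from a clean build of the same image (or the
# same box before the incident), then boot WinPE with the suspect disk at D:\.
# Get-FileManifest -Root 'C:\WINDOWS' | Export-Clixml baseline.xml      # on the clean box
# $suspect = Get-FileManifest -Root 'D:\WINDOWS'                        # from WinPE
# Compare-FileManifest -Baseline (Import-Clixml baseline.xml) -Suspect $suspect |
#     Where-Object Path -match '\.(exe|dll|sys)$' | Sort-Object Change, Path
```

Two caveats follow from the thread itself. The live part (Win32_Service, Get-Service, Get-AuthenticodeSignature) runs on the suspect machine, so a kernel-mode rootkit can hide the service or the file from those calls; that is why the manifest of the suspect disk is taken from WinPE, where the infected kernel is not running. And a signature status of Valid only says the file matches what the signer signed, not that the signer is trustworthy, while a clean diff is only as good as the baseline it is compared against, which is the same reasoning that leads the thread to recommend a reinstall.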