joshiap asked:

Decrypt GUID

Hi,

My GMER is detecting a GUID "DF6DA606-904D-4C18-823F-A4CFC3035E53" as a rootkit, but I want to decrypt it so as to understand its behaviour. Can someone help? Also, there is a file by the name Ext.exe, using a SVCHOST port, on my system. It kills the antivirus and its services, and there is no way to run a scan on this.
This is very urgent.
ASKER CERTIFIED SOLUTION
Mal Osborne

This solution is only available to members.

joshiap (ASKER)

Well, I am planning to analyse it, not remove it.
Some more info I can gather:

File Name: Ext.exe
Details:
"ext.exe" is identified as a threat in 87% of cases. This file "ext.exe" is known to be created under the following filenames:
 
%Profiles%\ext.exe
%ProgramFiles%\m.updat\updat.exe
%System%\svchost.exe:ext.exe
%Windir%\ext.exe
c:\recycler\susxup.exe
 
Background:
The file is mostly located at the path mentioned below in our environment, wherein %username% is a variable referring to the file system directory containing the user profile.
 C:\Documents and Settings\%username%\Application Data\Microsoft\Installer\ {DF6DA606-904D-4C18-823F-A4CFC3035E53}\ 
 
The GUID mentioned is the same in all the cases. This GUID is found to be associated with eFax Messenger.
 
 
Unable to submit the file sample on ThreatExpert:
The file is not accepted. Its format is not supported. 
 
 
When I submitted the samples to the Sandbox, it failed with the following error message:
Error #1: The sample is no valid Win32 application.
 
 
 
http://www.pc1news.com/files/36351-ext-exe.html 
 
In the file properties:
Windows PIF Settings:
Custom MS-DOS initialization files.
Autoexec file name
%SystemRoot%\SYSTEM32\AUTOEXEC.NT
Config Filename
%SystemRoot%\SYSTEM32\CONFIG.NT
 
File size 4.59 KB (4,710 bytes)
Size on disk : 8.00 KB (8,192 bytes)
 
Can someone advise as to what this can be? And I am not looking for directions but answers.
SOLUTION
This solution is only available to members.

joshiap (ASKER)

No comments