?
Solved

Drcrypt GUID

Posted on 2010-01-11
4
Medium Priority
?
504 Views
Last Modified: 2013-12-06
Hi,

My GMER is detecting a GUID "DF6DA606-904D-4C18-823F-A4CFC3035E53" as root kit but I want to dcrypt it so as to undertsnad the behaviour of it, can some one help. Also there is a file by the name Ext.exe, using a SVCHOST port.... on my system, it kills the anti virus and it's services, no was to run a scan on this......
This is very urgent.
0
Comment
Question by:joshiap
  • 2
4 Comments
 
LVL 20

Accepted Solution

by:
Mal Osborne earned 750 total points
ID: 26290136
Regedit & search for part of the GUID string. Being a root kit, it probably has modified the operating system to prevent you from altering, or even seeing relevant files.  Best option would be to remove the HDD, then temporarily install it into another PC for scanning & analysis.
0
 
LVL 1

Author Comment

by:joshiap
ID: 26295184
Well am planning to analyse not remove it.
Some more  Infor I can gather :

File Name: Ext.exe
Details:
ext.exe" is identified as a threat in 87% cases.This  file "ext.exe" is known to be created under the following filenames:
 
%Profiles%\ext.exe
%ProgramFiles%\m.updat\updat.exe
%System%\svchost.exe:ext.exe
%Windir%\ext.exe
c:\recycler\susxup.exe
 
Background:
The file is mostly located at the below mentioned path in our environment, where-in %username%  is a variable referring to the file system directory containing user profile.
 C:\Documents and Settings\%username%\Application Data\Microsoft\Installer\ {DF6DA606-904D-4C18-823F-A4CFC3035E53}\ 
 
The GUID mentioned is the same in all the cases. This GUID is found to be associated with efax messenger 
 
 
Unable to submit the file sample on threat expert
The file is not accepted. Its format is not supported. 
 
 
When submitted the samples to the Sandbox, it failed with the following error message:
Error #1: The sample is no valid Win32 application.
 
 
 
http://www.pc1news.com/files/36351-ext-exe.html 
 
In the file properties:
Windows PIF Settings:
Custom MS-DOS initilazation files.
Autoexec file name
%SystemRoot%\SYSTEM32\AUTOEXEC.NT
Config Filename
%SystemRoot%\SYSTEM32\CONFIG.NT
 
File size 4.59 KB (4,710 bytes)
Size on disk : 8.00 KB (8,192 bytes)
 
Can some one asvide as to what this can be... ? And am not looking for directions but answers
0
 
LVL 2

Assisted Solution

by:ViR
ViR earned 750 total points
ID: 26340652
Download Process Explorer. http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
You can see all the files that ext.exe is using

Do a search for the GUID in registry to know where it is, how it is launched.. like run or Active Component, etc..
0
 
LVL 1

Author Closing Comment

by:joshiap
ID: 31675898
No comments
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Deploying a Microsoft Access application in a Citrix environment is not difficult but takes a few steps. However, Citrix system people are often of little help, as they typically know next to nothing about Access. The script provided here will take …
When you see single cell contains number and text, and you have to get any date out of it seems like cracking our heads.
Viewers will learn how to maximize accessibility options in an Excel workbook for users with accessibility issues.
The viewer will learn how to simulate a series of coin tosses with the rand() function and learn how to make these “tosses” depend on a predetermined probability. Flipping Coins in Excel: Enter =RAND() into cell A2: Recalculate the random variable…

616 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question