Drcrypt GUID

Posted on 2010-01-11
Medium Priority
Last Modified: 2013-12-06

My GMER is detecting a GUID "DF6DA606-904D-4C18-823F-A4CFC3035E53" as a root kit but I want to decrypt it so as to understand the behaviour of it, can someone help. Also there is a file by the name Ext.exe, using a SVCHOST port... on my system, it kills the anti virus and its services, no way to run a scan on this...
This is very urgent.
Question by: joshiap

Accepted Solution

Mal Osborne earned 750 total points
ID: 26290136
Regedit & search for part of the GUID string. Being a root kit, it probably has modified the operating system to prevent you from altering, or even seeing relevant files.  Best option would be to remove the HDD, then temporarily install it into another PC for scanning & analysis.

Author Comment

ID: 26295184
Well, I am planning to analyse it, not remove it.
Some more info I can gather:

File Name: Ext.exe
"ext.exe" is identified as a threat in 87% of cases. This file "ext.exe" is known to be created under the following filenames:
The file is mostly located at the below mentioned path in our environment, where %username% is a variable referring to the file system directory containing the user profile.
C:\Documents and Settings\%username%\Application Data\Microsoft\Installer\{DF6DA606-904D-4C18-823F-A4CFC3035E53}\
The GUID mentioned is the same in all the cases. This GUID is found to be associated with eFax Messenger.
Unable to submit the file sample on ThreatExpert:
The file is not accepted. Its format is not supported.
When I submitted the samples to the Sandbox, it failed with the following error message:
Error #1: The sample is no valid Win32 application.
In the file properties:
Windows PIF Settings:
Custom MS-DOS initialization files.
Autoexec file name
Config Filename
File size 4.59 KB (4,710 bytes)
Size on disk: 8.00 KB (8,192 bytes)
Can someone advise as to what this can be...? And I am not looking for directions but answers.

Assisted Solution

ViR earned 750 total points
ID: 26340652
Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
You can see all the files that ext.exe is using.

Do a search for the GUID in the registry to know where it is and how it is launched, e.g. Run or Active Setup components, etc.
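One way to carry out the registry and file-system search both answers suggest, as an added example (not code from the thread or from either responder): a read-only PowerShell triage script that looks for the GUID from the question in common autostart keys and in the per-user Installer folder, and lists any running process whose image sits under that folder. The list of keys in $AutoStartKeys and the folder in $InstallerDir are my choices, and the script assumes Windows PowerShell is available on the affected machine; as the accepted answer notes, a rootkit may hide entries from the live system, so an empty result does not clear the box.

```powershell
# Added triage example (not from the thread). Read-only: it changes nothing.
# Run from an elevated prompt on the suspect machine.
$Guid = 'DF6DA606-904D-4C18-823F-A4CFC3035E53'   # value quoted in the question

# Autostart locations to inspect (my selection; Services and Active Setup
# keep their entries one subkey deep, so immediate children are checked too).
$AutoStartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Active Setup\Installed Components',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\System\CurrentControlSet\Services'
)

foreach ($key in $AutoStartKeys) {
    if (-not (Test-Path $key)) { continue }
    $items = @(Get-Item $key) + @(Get-ChildItem $key -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        # A subkey named after the GUID itself is a hit (typical for Active Setup).
        if ($item.PSChildName -match $Guid) {
            "Key name matches GUID: $($item.Name)"
        }
        # Any value pointing at the GUID folder or at ext.exe is a hit.
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            if ($value -match $Guid -or $value -match 'ext\.exe') {
                "Autostart hit: $($item.Name) -> $name = $value"
            }
        }
    }
}

# The folder from the question: %APPDATA% resolves to
# C:\Documents and Settings\%username%\Application Data on XP.
$InstallerDir = Join-Path $env:APPDATA "Microsoft\Installer\{$Guid}"
if (Test-Path $InstallerDir) {
    "Installer folder present: $InstallerDir"
    Get-ChildItem $InstallerDir -Force | ForEach-Object {
        "  $($_.Name)  $($_.Length) bytes  modified $($_.LastWriteTime)"
    }
}

# Running processes whose image path lies inside the GUID folder (WMI works
# on the PowerShell versions shipped for XP-era systems).
Get-WmiObject Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -like "*$Guid*" } |
    ForEach-Object { "Running from GUID folder: PID $($_.ProcessId) $($_.ExecutablePath)" }
```

Pair the output with Process Explorer's handle view for any PID it reports, and repeat the search from a clean boot medium or a second PC before trusting a negative result.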

Author Closing Comment

ID: 31675898
No comments
