lhmau.dll - Dangerous

Manual removal instructions:

Antivirus Report of lhmau.dll:
lhmau.dll: Malware, Dangerous, High Risk
We suggest that you remove c671.dll from your computer as soon as possible.
c671.dll is a Trojan/Backdoor.
Kill the file c671.dll and remove c671.dll from Windows startup.

Malware dropper: s1627.exe
Removed: C:\WINDOWS\system32\c671.dll, C:\WINDOWS\Downlo~1\lhmau.dll, C:\WINDOWS\Downlo~1\dcjqjlqf.dll, C:\WINDOWS\system32\67751.exe
-------------------------------------------------------------------------------------
Classification:
Code:
Antivirus Version Last Update Result
F-Secure 8.0.14470.0 2009.10.15 Trojan-Dropper.Win32.Agent.dgc
Kaspersky 7.0.0.125 2009.10.15 Trojan-Dropper.Win32.Agent.dgc
McAfee 5771 2009.10.14 Downloader.gen.a
Microsoft 1.5101 2009.10.15 TrojanDropper:Win32/Agent
NOD32 4510 2009.10.15 Win32/TrojanDropper.Agent.NHD
Symantec 1.4.4.12 2009.10.15 Adware.Rugo

Additional information
File size: 468480 bytes
MD5: bb6e5ee4b0e429ae734d995026e01c20
SHA1: f0c0dc9f7c282c697b7caff9df70e7d86483c522
-------------------------------------------------------------------------------------
Installation
When the program is executed, it creates the following registry subkeys and values:

----------------------------------
Keys deleted: 0
----------------------------------

----------------------------------
Keys added: 29
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\Programmable
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\TypeLib
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0\win32
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\FLAGS
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\HELPDIR
HKLM\SOFTWARE\Classes\IEHpr.Invoke
HKLM\SOFTWARE\Classes\IEHpr.Invoke\CLSID
HKLM\SOFTWARE\Classes\IEHpr.Invoke\CurVer
HKLM\SOFTWARE\Classes\IEHpr.Invoke.1
HKLM\SOFTWARE\Classes\IEHpr.Invoke.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ms_2fax
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Security

----------------------------------
Values deleted: 0
----------------------------------

----------------------------------
Values added: 39
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\VersionIndependentProgID\: "IEHpr.Invoke"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\TypeLib\: "{ABBF3E09-6453-43cc-BC46-879C5DC5CB07}"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\ProgID\: "IEHpr.Invoke.1"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32\: "C:\WINDOWS\system32\c671.dll"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\: "Invoke Class"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib\: "{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\: "IInvoke"
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0\win32\: "C:\WINDOWS\system32\c671.dll"
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\HELPDIR\: "C:\WINDOWS\system32\"
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\FLAGS\: "0"
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\: "IEHpr 1.0 Type Library"
HKLM\SOFTWARE\Classes\IEHpr.Invoke\CurVer\: "IEHpr.Invoke.1"
HKLM\SOFTWARE\Classes\IEHpr.Invoke\CLSID\: "{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}"
HKLM\SOFTWARE\Classes\IEHpr.Invoke\: "Invoke Class"
HKLM\SOFTWARE\Classes\IEHpr.Invoke.1\CLSID\: "{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}"
HKLM\SOFTWARE\Classes\IEHpr.Invoke.1\: "Invoke Class"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\lhmau: "rundll32 "C:\WINDOWS\Downlo~1\lhmau.dll",start"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\dcjqjlqf: "rundll32 "C:\WINDOWS\Downlo~1\dcjqjlqf.dll",Run"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\Service: "ms_2fax"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\DeviceDesc: "ms_2fax"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ms_2fax\EventMessageFile: "C:\WINDOWS\system32\67751.exe"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ms_2fax\TypesSupported: 0x00000007
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Type: 0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\ImagePath: "C:\WINDOWS\system32\67751.exe"
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\DisplayName: "ms_2fax"
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Description: "Fax 2Client"

----------------------------------
Values modified: 2
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Sources: 'WSH WMIAdapter WmdmPmSN WinMgmt Winlogon Windows Product Activation Windows 3.1 Migration WebClient VSS vmtools VBRuntime Userinit Userenv Tlntsvr SysmonLog Starter SpoolerCtrs Software Restriction Policies Software Installation SecurityCenter SclgNtfy SceSrv SceCli safrslv SAFrdms RPC Remote Assistance PerfProc PerfOS PerfNet Perfmon Perflib PerfDisk Perfctrs Offline Files Oakley ntbackup MSSQLSERVER/MSDE MSSHA MsiInstaller MSDTC Client MSDTC mnmsrvc Microsoft H.323 Telephony Service Provider Microsoft (R) Visual C# 2005 Compiler LoadPerf HelpSvc Folder Redirection File Deployment EventSystem ESENT DrWatson Dot3Svc DiskQuota crypt32 COM+ COM Ci Chkdsk AutoEnrollment Autochk ASP.NET 2.0.50727.0 Application Management Application Hang Application Error .NET Runtime Optimization Service .NET Runtime 2.0 Error Reporting .NET Runtime Application'
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Sources: 'ms_2fax WSH WMIAdapter WmdmPmSN WinMgmt Winlogon Windows Product Activation Windows 3.1 Migration WebClient VSS vmtools VBRuntime Userinit Userenv Tlntsvr SysmonLog Starter SpoolerCtrs Software Restriction Policies Software Installation SecurityCenter SclgNtfy SceSrv SceCli safrslv SAFrdms RPC Remote Assistance PerfProc PerfOS PerfNet Perfmon Perflib PerfDisk Perfctrs Offline Files Oakley ntbackup MSSQLSERVER/MSDE MSSHA MsiInstaller MSDTC Client MSDTC mnmsrvc Microsoft H.323 Telephony Service Provider Microsoft (R) Visual C# 2005 Compiler LoadPerf HelpSvc Folder Redirection File Deployment EventSystem ESENT DrWatson Dot3Svc DiskQuota crypt32 COM+ COM Ci Chkdsk AutoEnrollment Autochk ASP.NET 2.0.50727.0 Application Management Application Hang Application Error .NET Runtime Optimization Service .NET Runtime 2.0 Error Reporting .NET Runtime Application'

----------------------------------
Files added: 12
----------------------------------
C:\WINDOWS\Downloaded Program Files\dcjqjlqf.dll
C:\WINDOWS\Downloaded Program Files\lhmau.dll
C:\WINDOWS\system32\-54-16133
C:\WINDOWS\system32\26e
C:\WINDOWS\system32\5c1.dll
C:\WINDOWS\system32\67751.exe
C:\WINDOWS\system32\c671.dll
C:\WINDOWS\-95-16133
C:\WINDOWS\3ead1.txt
C:\WINDOWS\73e1.exe
C:\WINDOWS\871.bmp
C:\WINDOWS\a1ff3d21

----------------------------------
Files [attributes?] modified: 0
----------------------------------

----------------------------------
Folders added: 4
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\h31m01p6
C:\Documents and Settings\Administrator\Local Settings\Temp\tw79ge
C:\Documents and Settings\All Users\Application Data\t
C:\Documents and Settings\All Users\Application Data\t\ad

----------------------------------
Folders deleted: 0
----------------------------------

----------------------------------
Total changes: 86
----------------------------------

-------------------------------------------------------------------------------------
Detected by UnHackMe:

Item Name: {5FB8C5D4-929F-4870-89E2-7E3EE26EE701}
Author:
Related File: C:\WINDOWS\system32\c671.dll
Type: Browser Helper Objects

Item Name: lhmau
Author: Microsoft Corporation
Related File: rundll32 "C:\WINDOWS\Downlo~1\lhmau.dll",start
Type: Explorer Run

Item Name: dcjqjlqf
Author: Microsoft Corporation
Related File: rundll32 "C:\WINDOWS\Downlo~1\dcjqjlqf.dll",Run
Type: Explorer Run

Item Name: ms_2fax
Author: Microsoft Corporation
Related File: C:\WINDOWS\system32\67751.exe
Type: Auto Services

Item Name: 67751.exe
Author:
Related File: C:\WINDOWS\SYSTEM32\67751.EXE
Type: Running Processes

Removal Results: Success
Number of reboots: 1
-------------------------------------------------------------------------------------

Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)


Remove lhmau.dll now!

lhmau.dll Dangerous Rating: 5 out of 5

Jeff's Story:

My PC had gotten a bad rootkit that my ISP's antivirus software (powered by McAfee) could not detect or fix.

I sought a solution on the Internet and discovered your product and tried out the trial of UnHackMe.

You quickly found the rootkit and SAVED my PC!

I haven't had any problems since, and I'm extremely grateful.