c671.dll - Dangerous
c671.dll
Manual removal instructions:
Antivirus Report of c671.dll:
c671.dll
We suggest you to remove c671.dll from your computer as soon as possible.
C671.dll is Trojan/Backdoor.
Kill the file c671.dll and remove c671.dll from Windows startup.
Malware dropper: s1627.exe
Removed: C:\WINDOWS\system32\c671.dll, C:\WINDOWS\Downlo~1\lhmau.dll, C:\WINDOWS\Downlo~1\dcjqjlqf.dll, C:\WINDOWS\system32\67751.exe
-------------------------------------------------------------------------------------
Classification:
Code:
Antivirus Version Last Update Result
F-Secure 8.0.14470.0 2009.10.15 Trojan-Dropper.Win32.Agent.dgc
Kaspersky 7.0.0.125 2009.10.15 Trojan-Dropper.Win32.Agent.dgc
McAfee 5771 2009.10.14 Downloader.gen.a
Microsoft 1.5101 2009.10.15 TrojanDropper:Win32/Agent
NOD32 4510 2009.10.15 Win32/TrojanDropper.Agent.NHD
Symantec 1.4.4.12 2009.10.15 Adware.Rugo
Additional information
File size: 468480 bytes
MD5 : bb6e5ee4b0e429ae734d995026e01c20
SHA1 : f0c0dc9f7c282c697b7caff9df70e7d86483c522
-------------------------------------------------------------------------------------
Installation
When the program is executed, it creates the following registry subkeys and values:
----------------------------------
Keys deleted:0
----------------------------------
----------------------------------
Keys added:29
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\Programmable
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\TypeLib
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0\win32
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\FLAGS
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\HELPDIR
HKLM\SOFTWARE\Classes\IEHpr.Invoke
HKLM\SOFTWARE\Classes\IEHpr.Invoke\CLSID
HKLM\SOFTWARE\Classes\IEHpr.Invoke\CurVer
HKLM\SOFTWARE\Classes\IEHpr.Invoke.1
HKLM\SOFTWARE\Classes\IEHpr.Invoke.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ms_2fax
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Security
----------------------------------
Values deleted:0
----------------------------------
----------------------------------
Values added:39
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\VersionIndependentProgID\: "IEHpr.Invoke"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\TypeLib\: "{ABBF3E09-6453-43cc-BC46-879C5DC5CB07}"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\ProgID\: "IEHpr.Invoke.1"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32\: "C:\WINDOWS\system32\c671.dll"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\: "Invoke Class"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib\: "{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\: "IInvoke"
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0\win32\: "C:\WINDOWS\system32\c671.dll"
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\HELPDIR\: "C:\WINDOWS\system32\"
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\FLAGS\: "0"
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\: "IEHpr 1.0 Type Library"
HKLM\SOFTWARE\Classes\IEHpr.Invoke\CurVer\: "IEHpr.Invoke.1"
HKLM\SOFTWARE\Classes\IEHpr.Invoke\CLSID\: "{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}"
HKLM\SOFTWARE\Classes\IEHpr.Invoke\: "Invoke Class"
HKLM\SOFTWARE\Classes\IEHpr.Invoke.1\CLSID\: "{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}"
HKLM\SOFTWARE\Classes\IEHpr.Invoke.1\: "Invoke Class"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\lhmau: "rundll32 "C:\WINDOWS\Downlo~1\lhmau.dll",start"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\dcjqjlqf: "rundll32 "C:\WINDOWS\Downlo~1\dcjqjlqf.dll",Run"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\Service: "ms_2fax"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\DeviceDesc: "ms_2fax"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ms_2fax\EventMessageFile: "C:\WINDOWS\system32\67751.exe"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ms_2fax\TypesSupported: 0x00000007
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Type: 0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\ImagePath: "C:\WINDOWS\system32\67751.exe"
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\DisplayName: "ms_2fax"
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Description: "Fax 2Client"
----------------------------------
Values modified:2
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Sources: 'WSH WMIAdapter WmdmPmSN WinMgmt Winlogon Windows Product Activation Windows 3.1 Migration WebClient VSS vmtools VBRuntime Userinit Userenv Tlntsvr SysmonLog Starter SpoolerCtrs Software Restriction Policies Software Installation SecurityCenter SclgNtfy SceSrv SceCli safrslv SAFrdms RPC Remote Assistance PerfProc PerfOS PerfNet Perfmon Perflib PerfDisk Perfctrs Offline Files Oakley ntbackup MSSQLSERVER/MSDE MSSHA MsiInstaller MSDTC Client MSDTC mnmsrvc Microsoft H.323 Telephony Service Provider Microsoft (R) Visual C# 2005 Compiler LoadPerf HelpSvc Folder Redirection File Deployment EventSystem ESENT DrWatson Dot3Svc DiskQuota crypt32 COM+ COM Ci Chkdsk AutoEnrollment Autochk ASP.NET 2.0.50727.0 Application Management Application Hang Application Error .NET Runtime Optimization Service .NET Runtime 2.0 Error Reporting .NET Runtime Application'
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Sources: 'ms_2fax WSH WMIAdapter WmdmPmSN WinMgmt Winlogon Windows Product Activation Windows 3.1 Migration WebClient VSS vmtools VBRuntime Userinit Userenv Tlntsvr SysmonLog Starter SpoolerCtrs Software Restriction Policies Software Installation SecurityCenter SclgNtfy SceSrv SceCli safrslv SAFrdms RPC Remote Assistance PerfProc PerfOS PerfNet Perfmon Perflib PerfDisk Perfctrs Offline Files Oakley ntbackup MSSQLSERVER/MSDE MSSHA MsiInstaller MSDTC Client MSDTC mnmsrvc Microsoft H.323 Telephony Service Provider Microsoft (R) Visual C# 2005 Compiler LoadPerf HelpSvc Folder Redirection File Deployment EventSystem ESENT DrWatson Dot3Svc DiskQuota crypt32 COM+ COM Ci Chkdsk AutoEnrollment Autochk ASP.NET 2.0.50727.0 Application Management Application Hang Application Error .NET Runtime Optimization Service .NET Runtime 2.0 Error Reporting .NET Runtime Application'
----------------------------------
Files added:12
----------------------------------
C:\WINDOWS\Downloaded Program Files\dcjqjlqf.dll
C:\WINDOWS\Downloaded Program Files\lhmau.dll
C:\WINDOWS\system32\-54-16133
C:\WINDOWS\system32\26e
C:\WINDOWS\system32\5c1.dll
C:\WINDOWS\system32\67751.exe
C:\WINDOWS\system32\c671.dll
C:\WINDOWS\-95-16133
C:\WINDOWS\3ead1.txt
C:\WINDOWS\73e1.exe
C:\WINDOWS\871.bmp
C:\WINDOWS\a1ff3d21
----------------------------------
Files [attributes?] modified:0
----------------------------------
----------------------------------
Folders added:4
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\h31m01p6
C:\Documents and Settings\Administrator\Local Settings\Temp\tw79ge
C:\Documents and Settings\All Users\Application Data\t
C:\Documents and Settings\All Users\Application Data\t\ad
----------------------------------
Folders deleted:0
----------------------------------
----------------------------------
Total changes:86
----------------------------------
-------------------------------------------------------------------------------------
Detected by UnHackMe:
Item Name: {5FB8C5D4-929F-4870-89E2-7E3EE26EE701}
Author:
Related File: C:\WINDOWS\system32\c671.dll
Type: Browser Helper Objects
Item Name: lhmau
Author: Microsoft Corporation
Related File: rundll32 "C:\WINDOWS\Downlo~1\lhmau.dll",start
Type: Explorer Run
Item Name: dcjqjlqf
Author: Microsoft Corporation
Related File: rundll32 "C:\WINDOWS\Downlo~1\dcjqjlqf.dll",Run
Type: Explorer Run
Item Name: ms_2fax
Author: Microsoft Corporation
Related File: C:\WINDOWS\system32\67751.exe
Type: Auto Services
Item Name: 67751.exe
Author:
Related File: C:\WINDOWS\SYSTEM32\67751.EXE
Type: Running Processes
Removal Results: Success
Number of reboot: 1
-------------------------------------------------------------------------------------
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
c671.dll | Malware |
c671.dll | Dangerous |
c671.dll | High Risk |
C671.dll is Trojan/Backdoor.
Kill the file c671.dll and remove c671.dll from Windows startup.
Malware dropper: s1627.exe
Removed: C:\WINDOWS\system32\c671.dll, C:\WINDOWS\Downlo~1\lhmau.dll, C:\WINDOWS\Downlo~1\dcjqjlqf.dll, C:\WINDOWS\system32\67751.exe
-------------------------------------------------------------------------------------
Classification:
Code:
Antivirus Version Last Update Result
F-Secure 8.0.14470.0 2009.10.15 Trojan-Dropper.Win32.Agent.dgc
Kaspersky 7.0.0.125 2009.10.15 Trojan-Dropper.Win32.Agent.dgc
McAfee 5771 2009.10.14 Downloader.gen.a
Microsoft 1.5101 2009.10.15 TrojanDropper:Win32/Agent
NOD32 4510 2009.10.15 Win32/TrojanDropper.Agent.NHD
Symantec 1.4.4.12 2009.10.15 Adware.Rugo
Additional information
File size: 468480 bytes
MD5 : bb6e5ee4b0e429ae734d995026e01c20
SHA1 : f0c0dc9f7c282c697b7caff9df70e7d86483c522
-------------------------------------------------------------------------------------
Installation
When the program is executed, it creates the following registry subkeys and values:
----------------------------------
Keys deleted:0
----------------------------------
----------------------------------
Keys added:29
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\Programmable
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\TypeLib
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0\win32
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\FLAGS
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\HELPDIR
HKLM\SOFTWARE\Classes\IEHpr.Invoke
HKLM\SOFTWARE\Classes\IEHpr.Invoke\CLSID
HKLM\SOFTWARE\Classes\IEHpr.Invoke\CurVer
HKLM\SOFTWARE\Classes\IEHpr.Invoke.1
HKLM\SOFTWARE\Classes\IEHpr.Invoke.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ms_2fax
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Security
----------------------------------
Values deleted:0
----------------------------------
----------------------------------
Values added:39
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\VersionIndependentProgID\: "IEHpr.Invoke"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\TypeLib\: "{ABBF3E09-6453-43cc-BC46-879C5DC5CB07}"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\ProgID\: "IEHpr.Invoke.1"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32\: "C:\WINDOWS\system32\c671.dll"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\: "Invoke Class"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib\: "{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\: "IInvoke"
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0\win32\: "C:\WINDOWS\system32\c671.dll"
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\HELPDIR\: "C:\WINDOWS\system32\"
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\FLAGS\: "0"
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\: "IEHpr 1.0 Type Library"
HKLM\SOFTWARE\Classes\IEHpr.Invoke\CurVer\: "IEHpr.Invoke.1"
HKLM\SOFTWARE\Classes\IEHpr.Invoke\CLSID\: "{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}"
HKLM\SOFTWARE\Classes\IEHpr.Invoke\: "Invoke Class"
HKLM\SOFTWARE\Classes\IEHpr.Invoke.1\CLSID\: "{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}"
HKLM\SOFTWARE\Classes\IEHpr.Invoke.1\: "Invoke Class"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\lhmau: "rundll32 "C:\WINDOWS\Downlo~1\lhmau.dll",start"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\dcjqjlqf: "rundll32 "C:\WINDOWS\Downlo~1\dcjqjlqf.dll",Run"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\Service: "ms_2fax"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\DeviceDesc: "ms_2fax"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ms_2fax\EventMessageFile: "C:\WINDOWS\system32\67751.exe"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ms_2fax\TypesSupported: 0x00000007
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Type: 0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\ImagePath: "C:\WINDOWS\system32\67751.exe"
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\DisplayName: "ms_2fax"
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Description: "Fax 2Client"
----------------------------------
Values modified:2
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Sources: 'WSH WMIAdapter WmdmPmSN WinMgmt Winlogon Windows Product Activation Windows 3.1 Migration WebClient VSS vmtools VBRuntime Userinit Userenv Tlntsvr SysmonLog Starter SpoolerCtrs Software Restriction Policies Software Installation SecurityCenter SclgNtfy SceSrv SceCli safrslv SAFrdms RPC Remote Assistance PerfProc PerfOS PerfNet Perfmon Perflib PerfDisk Perfctrs Offline Files Oakley ntbackup MSSQLSERVER/MSDE MSSHA MsiInstaller MSDTC Client MSDTC mnmsrvc Microsoft H.323 Telephony Service Provider Microsoft (R) Visual C# 2005 Compiler LoadPerf HelpSvc Folder Redirection File Deployment EventSystem ESENT DrWatson Dot3Svc DiskQuota crypt32 COM+ COM Ci Chkdsk AutoEnrollment Autochk ASP.NET 2.0.50727.0 Application Management Application Hang Application Error .NET Runtime Optimization Service .NET Runtime 2.0 Error Reporting .NET Runtime Application'
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Sources: 'ms_2fax WSH WMIAdapter WmdmPmSN WinMgmt Winlogon Windows Product Activation Windows 3.1 Migration WebClient VSS vmtools VBRuntime Userinit Userenv Tlntsvr SysmonLog Starter SpoolerCtrs Software Restriction Policies Software Installation SecurityCenter SclgNtfy SceSrv SceCli safrslv SAFrdms RPC Remote Assistance PerfProc PerfOS PerfNet Perfmon Perflib PerfDisk Perfctrs Offline Files Oakley ntbackup MSSQLSERVER/MSDE MSSHA MsiInstaller MSDTC Client MSDTC mnmsrvc Microsoft H.323 Telephony Service Provider Microsoft (R) Visual C# 2005 Compiler LoadPerf HelpSvc Folder Redirection File Deployment EventSystem ESENT DrWatson Dot3Svc DiskQuota crypt32 COM+ COM Ci Chkdsk AutoEnrollment Autochk ASP.NET 2.0.50727.0 Application Management Application Hang Application Error .NET Runtime Optimization Service .NET Runtime 2.0 Error Reporting .NET Runtime Application'
----------------------------------
Files added:12
----------------------------------
C:\WINDOWS\Downloaded Program Files\dcjqjlqf.dll
C:\WINDOWS\Downloaded Program Files\lhmau.dll
C:\WINDOWS\system32\-54-16133
C:\WINDOWS\system32\26e
C:\WINDOWS\system32\5c1.dll
C:\WINDOWS\system32\67751.exe
C:\WINDOWS\system32\c671.dll
C:\WINDOWS\-95-16133
C:\WINDOWS\3ead1.txt
C:\WINDOWS\73e1.exe
C:\WINDOWS\871.bmp
C:\WINDOWS\a1ff3d21
----------------------------------
Files [attributes?] modified:0
----------------------------------
----------------------------------
Folders added:4
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\h31m01p6
C:\Documents and Settings\Administrator\Local Settings\Temp\tw79ge
C:\Documents and Settings\All Users\Application Data\t
C:\Documents and Settings\All Users\Application Data\t\ad
----------------------------------
Folders deleted:0
----------------------------------
----------------------------------
Total changes:86
----------------------------------
-------------------------------------------------------------------------------------
Detected by UnHackMe:
Item Name: {5FB8C5D4-929F-4870-89E2-7E3EE26EE701}
Author:
Related File: C:\WINDOWS\system32\c671.dll
Type: Browser Helper Objects
Item Name: lhmau
Author: Microsoft Corporation
Related File: rundll32 "C:\WINDOWS\Downlo~1\lhmau.dll",start
Type: Explorer Run
Item Name: dcjqjlqf
Author: Microsoft Corporation
Related File: rundll32 "C:\WINDOWS\Downlo~1\dcjqjlqf.dll",Run
Type: Explorer Run
Item Name: ms_2fax
Author: Microsoft Corporation
Related File: C:\WINDOWS\system32\67751.exe
Type: Auto Services
Item Name: 67751.exe
Author:
Related File: C:\WINDOWS\SYSTEM32\67751.EXE
Type: Running Processes
Removal Results: Success
Number of reboot: 1
-------------------------------------------------------------------------------------
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.
Since that time I work every day to fix the issues that antiviruses cannot.
If your antivirus have not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.