s1627.exe - Dangerous
s1627.exe
We suggest you remove c671.dll from your computer as soon as possible.
C671.dll is a Trojan/Backdoor component.
Kill the file c671.dll and remove c671.dll from Windows startup.
Malware dropper: s1627.exe
Removed: C:\WINDOWS\system32\c671.dll, C:\WINDOWS\Downlo~1\lhmau.dll, C:\WINDOWS\Downlo~1\dcjqjlqf.dll, C:\WINDOWS\system32\67751.exe
-------------------------------------------------------------------------------------
Classification:
Antivirus    Version        Last Update   Result
F-Secure     8.0.14470.0    2009.10.15    Trojan-Dropper.Win32.Agent.dgc
Kaspersky    7.0.0.125      2009.10.15    Trojan-Dropper.Win32.Agent.dgc
McAfee       5771           2009.10.14    Downloader.gen.a
Microsoft    1.5101         2009.10.15    TrojanDropper:Win32/Agent
NOD32        4510           2009.10.15    Win32/TrojanDropper.Agent.NHD
Symantec     1.4.4.12       2009.10.15    Adware.Rugo
Additional information
File size: 468480 bytes
MD5 : bb6e5ee4b0e429ae734d995026e01c20
SHA1 : f0c0dc9f7c282c697b7caff9df70e7d86483c522
-------------------------------------------------------------------------------------
Installation
When the program is executed, it creates the following registry subkeys and values:
----------------------------------
Keys deleted:0
----------------------------------
----------------------------------
Keys added:29
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\Programmable
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\TypeLib
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0\win32
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\FLAGS
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\HELPDIR
HKLM\SOFTWARE\Classes\IEHpr.Invoke
HKLM\SOFTWARE\Classes\IEHpr.Invoke\CLSID
HKLM\SOFTWARE\Classes\IEHpr.Invoke\CurVer
HKLM\SOFTWARE\Classes\IEHpr.Invoke.1
HKLM\SOFTWARE\Classes\IEHpr.Invoke.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ms_2fax
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Security
----------------------------------
Values deleted:0
----------------------------------
----------------------------------
Values added:39
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\VersionIndependentProgID\: "IEHpr.Invoke"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\TypeLib\: "{ABBF3E09-6453-43cc-BC46-879C5DC5CB07}"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\ProgID\: "IEHpr.Invoke.1"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32\: "C:\WINDOWS\system32\c671.dll"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\InprocServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}\: "Invoke Class"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib\: "{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{27FF85BC-FF68-40B9-BB0D-E92D065C0370}\: "IInvoke"
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\0\win32\: "C:\WINDOWS\system32\c671.dll"
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\HELPDIR\: "C:\WINDOWS\system32\"
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\FLAGS\: "0"
HKLM\SOFTWARE\Classes\TypeLib\{ABBF3E09-6453-43CC-BC46-879C5DC5CB07}\1.0\: "IEHpr 1.0 Type Library"
HKLM\SOFTWARE\Classes\IEHpr.Invoke\CurVer\: "IEHpr.Invoke.1"
HKLM\SOFTWARE\Classes\IEHpr.Invoke\CLSID\: "{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}"
HKLM\SOFTWARE\Classes\IEHpr.Invoke\: "Invoke Class"
HKLM\SOFTWARE\Classes\IEHpr.Invoke.1\CLSID\: "{5FB8C5D4-929F-4870-89E2-7E3EE26EE701}"
HKLM\SOFTWARE\Classes\IEHpr.Invoke.1\: "Invoke Class"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\lhmau: "rundll32 "C:\WINDOWS\Downlo~1\lhmau.dll",start"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\dcjqjlqf: "rundll32 "C:\WINDOWS\Downlo~1\dcjqjlqf.dll",Run"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\Service: "ms_2fax"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\0000\DeviceDesc: "ms_2fax"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MS_2FAX\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ms_2fax\EventMessageFile: "C:\WINDOWS\system32\67751.exe"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ms_2fax\TypesSupported: 0x00000007
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Type: 0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\ImagePath: "C:\WINDOWS\system32\67751.exe"
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\DisplayName: "ms_2fax"
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\ms_2fax\Description: "Fax 2Client"
----------------------------------
Values modified:2
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Sources: 'WSH WMIAdapter WmdmPmSN WinMgmt Winlogon Windows Product Activation Windows 3.1 Migration WebClient VSS vmtools VBRuntime Userinit Userenv Tlntsvr SysmonLog Starter SpoolerCtrs Software Restriction Policies Software Installation SecurityCenter SclgNtfy SceSrv SceCli safrslv SAFrdms RPC Remote Assistance PerfProc PerfOS PerfNet Perfmon Perflib PerfDisk Perfctrs Offline Files Oakley ntbackup MSSQLSERVER/MSDE MSSHA MsiInstaller MSDTC Client MSDTC mnmsrvc Microsoft H.323 Telephony Service Provider Microsoft (R) Visual C# 2005 Compiler LoadPerf HelpSvc Folder Redirection File Deployment EventSystem ESENT DrWatson Dot3Svc DiskQuota crypt32 COM+ COM Ci Chkdsk AutoEnrollment Autochk ASP.NET 2.0.50727.0 Application Management Application Hang Application Error .NET Runtime Optimization Service .NET Runtime 2.0 Error Reporting .NET Runtime Application'
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Sources: 'ms_2fax WSH WMIAdapter WmdmPmSN WinMgmt Winlogon Windows Product Activation Windows 3.1 Migration WebClient VSS vmtools VBRuntime Userinit Userenv Tlntsvr SysmonLog Starter SpoolerCtrs Software Restriction Policies Software Installation SecurityCenter SclgNtfy SceSrv SceCli safrslv SAFrdms RPC Remote Assistance PerfProc PerfOS PerfNet Perfmon Perflib PerfDisk Perfctrs Offline Files Oakley ntbackup MSSQLSERVER/MSDE MSSHA MsiInstaller MSDTC Client MSDTC mnmsrvc Microsoft H.323 Telephony Service Provider Microsoft (R) Visual C# 2005 Compiler LoadPerf HelpSvc Folder Redirection File Deployment EventSystem ESENT DrWatson Dot3Svc DiskQuota crypt32 COM+ COM Ci Chkdsk AutoEnrollment Autochk ASP.NET 2.0.50727.0 Application Management Application Hang Application Error .NET Runtime Optimization Service .NET Runtime 2.0 Error Reporting .NET Runtime Application'
----------------------------------
Files added:12
----------------------------------
C:\WINDOWS\Downloaded Program Files\dcjqjlqf.dll
C:\WINDOWS\Downloaded Program Files\lhmau.dll
C:\WINDOWS\system32\-54-16133
C:\WINDOWS\system32\26e
C:\WINDOWS\system32\5c1.dll
C:\WINDOWS\system32\67751.exe
C:\WINDOWS\system32\c671.dll
C:\WINDOWS\-95-16133
C:\WINDOWS\3ead1.txt
C:\WINDOWS\73e1.exe
C:\WINDOWS\871.bmp
C:\WINDOWS\a1ff3d21
----------------------------------
Files [attributes?] modified:0
----------------------------------
----------------------------------
Folders added:4
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\h31m01p6
C:\Documents and Settings\Administrator\Local Settings\Temp\tw79ge
C:\Documents and Settings\All Users\Application Data\t
C:\Documents and Settings\All Users\Application Data\t\ad
----------------------------------
Folders deleted:0
----------------------------------
----------------------------------
Total changes:86
----------------------------------
-------------------------------------------------------------------------------------
Detected by UnHackMe:
Item Name: {5FB8C5D4-929F-4870-89E2-7E3EE26EE701}
Author:
Related File: C:\WINDOWS\system32\c671.dll
Type: Browser Helper Objects
Item Name: lhmau
Author: Microsoft Corporation
Related File: rundll32 "C:\WINDOWS\Downlo~1\lhmau.dll",start
Type: Explorer Run
Item Name: dcjqjlqf
Author: Microsoft Corporation
Related File: rundll32 "C:\WINDOWS\Downlo~1\dcjqjlqf.dll",Run
Type: Explorer Run
Item Name: ms_2fax
Author: Microsoft Corporation
Related File: C:\WINDOWS\system32\67751.exe
Type: Auto Services
Item Name: 67751.exe
Author:
Related File: C:\WINDOWS\SYSTEM32\67751.EXE
Type: Running Processes
Removal Results: Success
Number of reboots: 1
-------------------------------------------------------------------------------------
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com
Removal: s1627.exe is removed by RegRun.
Constantly updated. Last update: November 16 2009