sfwwin32.dll - Dangerous

Manual removal instructions:

Antivirus Report of sfwwin32.dll:
sfwwin32.dll: Malware
sfwwin32.dll: Dangerous
sfwwin32.dll: High Risk

We suggest you remove KCA.exe from your computer as soon as possible.
KCA.exe is a Trojan/Backdoor.
Kill the KCA.exe process and remove KCA.exe from Windows startup.

File: user.exe

Classification (antivirus results):

Antivirus    Version        Last Update   Result
Avast        4.8.1335.0     2009.08.10    Win32:Trojan-gen {Other}
AVG          8.5.0.406      2009.08.10    BackDoor.Generic_c.CKD
BitDefender  7.2            2009.08.11    Generic.IRC.Autorun.A2AD8C96
Comodo       1937           2009.08.11    Application.Win32.RiskWare.mIRC.~BAAA
DrWeb        5.0.0.12182    2009.08.11    IRC.Flood
F-Secure     8.0.14470.0    2009.08.10    Client-IRC.Win32.mIRC.603
Kaspersky    7.0.0.125      2009.08.10    not-a-virus:Client-IRC.Win32.mIRC.603
Microsoft    1.4903         2009.08.10    Backdoor:IRC/Cloner.gen
NOD32        4323           2009.08.10    probably a variant of Win32/IRCBot
Symantec     1.4.4.12       2009.08.10    Adware.2Search

Additional information:
File size: 773236 bytes
MD5: 8d7de0a84273c064ba2039419d48f836

Installation:
When the program is executed, it creates the following registry keys and values, files and folders:

----------------------------------
Keys added:26
----------------------------------
HKLM\SOFTWARE\Classes\.cha
HKLM\SOFTWARE\Classes\.chat
HKLM\SOFTWARE\Classes\ChatFile
HKLM\SOFTWARE\Classes\ChatFile\DefaultIcon
HKLM\SOFTWARE\Classes\ChatFile\Shell
HKLM\SOFTWARE\Classes\ChatFile\Shell\open
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\command
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
HKLM\SOFTWARE\Classes\irc
HKLM\SOFTWARE\Classes\irc\DefaultIcon
HKLM\SOFTWARE\Classes\irc\Shell
HKLM\SOFTWARE\Classes\irc\Shell\open
HKLM\SOFTWARE\Classes\irc\Shell\open\command
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
HKCU\Software\Microsoft\Microsoft Agent
HKCU\Software\mIRC
HKCU\Software\mIRC\DateUsed
HKCU\Software\mIRC\License
HKCU\Software\mIRC\UserName

----------------------------------
Values added:47
----------------------------------
HKLM\SOFTWARE\Classes\.cha\: "ChatFile"
HKLM\SOFTWARE\Classes\.chat\: "ChatFile"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\: "Connect"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\: "%1"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\: "ms32"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\: "%1"
HKLM\SOFTWARE\Classes\ChatFile\Shell\open\command\: ""c:\windows\system32\KCA.exe" -noconnect"
HKLM\SOFTWARE\Classes\ChatFile\DefaultIcon\: ""c:\windows\system32\KCA.exe""
HKLM\SOFTWARE\Classes\ChatFile\: "Chat File"
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\: "Connect"
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\: "%1"
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\: "ms32"
HKLM\SOFTWARE\Classes\irc\Shell\open\ddeexec\: "%1"
HKLM\SOFTWARE\Classes\irc\Shell\open\command\: ""c:\windows\system32\KCA.exe" -noconnect"
HKLM\SOFTWARE\Classes\irc\DefaultIcon\: ""c:\windows\system32\KCA.exe""
HKLM\SOFTWARE\Classes\irc\: "URL:IRC Protocol"
HKLM\SOFTWARE\Classes\irc\EditFlags: 02 00 00 00
HKLM\SOFTWARE\Classes\irc\URL Protocol: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinSmsFi: "KCA.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\DisplayName: "mIRC"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC\UninstallString: ""c:\windows\system32\KCA.exe" -uninstall"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\KCA.exe: "C:\WINDOWS\system32\KCA.exe:*:Enabled:mIRC"
HKCU\Software\Microsoft\CTF\MSUTB\ShowDeskBand: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\VoiceEnabled: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\UseVoiceTips: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\KeyHoldHotKey: 0x00000091
HKCU\Software\Microsoft\Microsoft Agent\UseBeepSRPrompt: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\SRTimerDelay: 0x000007D0
HKCU\Software\Microsoft\Microsoft Agent\SRModeID: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKCU\Software\Microsoft\Microsoft Agent\EnableSpeaking: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\UseBalloon: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\UseCharacterFont: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\UseSoundEffects: 0x00000001
HKCU\Software\Microsoft\Microsoft Agent\SpeakingSpeed: 0x00000005
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetX: 0x000F423F
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetY: 0x000F423F
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetWidth: 0x00000000
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetHeight: 0x00000000
HKCU\Software\Microsoft\Microsoft Agent\PropertySheetPage: 0x00000000
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowLeft: 0xFFFFFFFF
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowTop: 0xFFFFFFFF
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowWidth: 0x000000C8
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowHeight: 0x000000C8
HKCU\Software\Microsoft\Microsoft Agent\CommandsWindowLocationSet: 0x00000000
HKCU\Software\mIRC\UserName\: "Bilgisayar"
HKCU\Software\mIRC\License\: "8262-886841"
HKCU\Software\mIRC\DateUsed\: "1250005446"

----------------------------------
Values modified:24
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}: FC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1C 87 81 4A 06 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ED 8D 81 4A C0 A8 AE 01 0F 00 00 00 00 00 00 00 0B 00 00 00 00 00 00 00 ED 8D 81 4A 6C 6F 63 61 6C 64 6F 6D 61 69 6E 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ED 8D 81 4A FF FF FF 00 33 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ED 8D 81 4A 00 00 07 08 36 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ED 8D 81 4A C0 A8 AE FE 35 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ED 8D 81 4A 05 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}: 06 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 CC 98 81 4A C0 A8 AE 01 0F 00 00 00 00 00 00 00 0B 00 00 00 00 00 00 00 CC 98 81 4A 6C 6F 63 61 6C 64 6F 6D 61 69 6E 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 CC 98 81 4A FF FF FF 00 33 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 CC 98 81 4A 00 00 07 08 36 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 CC 98 81 4A C0 A8 AE FE 35 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 CC 98 81 4A 05 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\LeaseObtainedTime: 0x4A8186E5
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\LeaseObtainedTime: 0x4A8191C4
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\T1: 0x4A818A69
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\T1: 0x4A819548
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\T2: 0x4A818D0C
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\T2: 0x4A8197EB
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\LeaseTerminatesTime: 0x4A818DED
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\LeaseTerminatesTime: 0x4A8198CC
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\LeaseObtainedTime: 0x4A8186E5
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\LeaseObtainedTime: 0x4A8191C4
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\T1: 0x4A818A69
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\T1: 0x4A819548
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\T2: 0x4A818D0C
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\T2: 0x4A8197EB
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\LeaseTerminatesTime: 0x4A818DED
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\LeaseTerminatesTime: 0x4A8198CC
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\GeneralFlags: 0x00000004
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\GeneralFlags: 0x00000005
HKCU\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinStartTime: E2 9A 62 AB 93 1A CA 01
HKCU\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinStartTime: D0 47 9F 95 9A 1A CA 01
HKCU\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinFinishTime: E2 9A 62 AB 93 1A CA 01
HKCU\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinFinishTime: 2A AA A1 95 9A 1A CA 01

----------------------------------
Files added:58
----------------------------------
C:\WINDOWS\system32\bot\alo.txt
C:\WINDOWS\system32\bot\aman koyem.txt
C:\WINDOWS\system32\bot\Amc?k.txt
C:\WINDOWS\system32\bot\asl.txt
C:\WINDOWS\system32\bot\ask?m.txt
C:\WINDOWS\system32\bot\bilmem.txt
C:\WINDOWS\system32\bot\bot.txt
C:\WINDOWS\system32\bot\bye.txt
C:\WINDOWS\system32\bot\cevap.txt
C:\WINDOWS\system32\bot\eee.txt
C:\WINDOWS\system32\bot\evlenelim.txt
C:\WINDOWS\system32\bot\geldim.txt
C:\WINDOWS\system32\bot\gelemem.txt
C:\WINDOWS\system32\bot\gelim.txt
C:\WINDOWS\system32\bot\gelmem.txt
C:\WINDOWS\system32\bot\gidicem.txt
C:\WINDOWS\system32\bot\hay?r.txt
C:\WINDOWS\system32\bot\hosgeldin.txt
C:\WINDOWS\system32\bot\iyi.txt
C:\WINDOWS\system32\bot\kanal.sys
C:\WINDOWS\system32\bot\komik.txt
C:\WINDOWS\system32\bot\kufur.txt
C:\WINDOWS\system32\bot\mail.ini
C:\WINDOWS\system32\bot\merhaba.txt
C:\WINDOWS\system32\bot\nas?ls?n.txt
C:\WINDOWS\system32\bot\nas?ls?n?z.txt
C:\WINDOWS\system32\bot\nbr.txt
C:\WINDOWS\system32\bot\nerden.txt
C:\WINDOWS\system32\bot\off.txt
C:\WINDOWS\system32\bot\okey.txt
C:\WINDOWS\system32\bot\olabilir.txt
C:\WINDOWS\system32\bot\olmaz.txt
C:\WINDOWS\system32\bot\ordam?s?n.txt
C:\WINDOWS\system32\bot\oyun.sys
C:\WINDOWS\system32\bot\ozel.sys
C:\WINDOWS\system32\bot\peki.txt
C:\WINDOWS\system32\bot\salak.txt
C:\WINDOWS\system32\bot\selam.txt
C:\WINDOWS\system32\bot\s?k?ld?m.txt
C:\WINDOWS\system32\bot\tamam.txt
C:\WINDOWS\system32\bot\telefon.txt
C:\WINDOWS\system32\bot\tsk.txt
C:\WINDOWS\system32\bot\yas.txt
C:\WINDOWS\system32\bot\yas1.txt
C:\WINDOWS\system32\bot\yas2.txt
C:\WINDOWS\system32\bot\yas3.txt
C:\WINDOWS\system32\fucker
C:\WINDOWS\system32\KCA.exe
C:\WINDOWS\system32\KCA2.exe
C:\WINDOWS\system32\KCA3.exe
C:\WINDOWS\system32\KCA4.exe
C:\WINDOWS\system32\KCA5.exe
C:\WINDOWS\system32\KCA6.exe
C:\WINDOWS\system32\mIRC.ini
C:\WINDOWS\system32\Sfwwin32.dll
C:\WINDOWS\system32\sysingB32.dll
C:\WINDOWS\system32\win.ini
C:\WINDOWS\system32\WinSong.dll

----------------------------------
Files [attributes?] modified:6
----------------------------------
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP

----------------------------------
Folders added:3
----------------------------------
C:\WINDOWS\system32\bot
C:\WINDOWS\system32\logs
C:\WINDOWS\system32\sounds

----------------------------------
Folders deleted:0
----------------------------------

----------------------------------
Total changes:164
----------------------------------

-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:

Item Name: WinSmsFi
Author: mIRC Co. Ltd.
Related File: KCA.exe
Type: Registry Run

Removal Results: Success
Number of reboot: 1
-------------------------------------------------------------------------------------
File: KCA.exe

Classification (antivirus results):

Antivirus    Version        Last Update   Result
Avast        4.8.1335.0     2009.07.30    Win32:Trojan-gen {Other}
AVG          8.5.0.406      2009.07.31    BackDoor.Generic_c.CKD
BitDefender  7.2            2009.07.31    Trojan.Generic.1967263
Comodo       1825           2009.07.31    Application.Win32.RiskWare.mIRC.~BAAA
DrWeb        5.0.0.12182    2009.07.31    -
F-Secure     8.0.14470.0    2009.07.31    Client-IRC.Win32.mIRC.603
Kaspersky    7.0.0.125      2009.07.31    not-a-virus:Client-IRC.Win32.mIRC.603
Microsoft    1.4903         2009.07.31    BrowserModifier:Win32/IGetNet
NOD32        4294           2009.07.31    probably a variant of Win32/IRCBot
Symantec     1.4.4.12       2009.07.31    IRC.Backdoor.Trojan

Additional information:
File size: 1771008 bytes
MD5: 8ec1dc41329c12c454595fbfd39f88c2
SHA1: 81aaa39802905c8b3ee132c978ddb3cc3f3db1b5
-------------------------------------------------------------------------------------

Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)

Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.

Since then I have worked every day to fix the issues that antiviruses cannot.

If your antivirus has not helped you solve the problem, you should try UnHackMe.

We are a small company and you can ask me directly if you have any questions.
