Microsoft Security Intelligence
269 entries found. Displaying page 1 of 14.
Updated on Aug 15, 2012
Alert level: severe
Updated on May 12, 2014

Windows Defender detects and removes this threat.

See the Win32/Sirefef family description for more information.

Alert level: severe
Updated on May 13, 2014

Windows Defender detects and removes this threat.

See the Win32/Sirefef family description for more information.

Alert level: severe
Updated on Sep 20, 2015

Microsoft security software detects and removes this threat.

This family of malware uses stealth to hide its presence on your PC. Trojans in this family can do different things, including:

  • Downloading and running other files
  • Contacting remote hosts
  • Disabling security features

Members of the family can also change search results, which can generate money for the hackers who use Sirefef.

Variants of Win32/Sirefef might be installed by other malware, including variants of the Trojan:Win32/Necurs family.

Find out ways that malware can get on your PC.

Alert level: severe
Updated on Sep 02, 2013

Trojan:Win64/Sirefef.W is the 64-bit user-mode component of Win32/Sirefef - a multi-component family of malware that moderates your Internet experience by modifying search results, and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components or performing a payload.

Alert level: severe
Updated on Sep 02, 2013

Trojan:Win32/Sirefef.BE is a component of Win32/Sirefef - a multi-component family of malware that moderates your Internet experience by changing search results and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing a payload.

Alert level: severe
Updated on Sep 02, 2013

Trojan:Win64/Sirefef.AE is a component of Win64/Sirefef - a multi-component family of malware that uses stealth to hide its presence on your computer. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing the payload.

Note: This Sirefef variant has been observed using specific ports for its peer-to-peer communications. We strongly encourage you to block access to the following ports to limit Sirefef’s communication channels and prevent additional Sirefef components being downloaded:

  • 16464
  • 16465
  • 16470
  • 16471

You can read more about how to block access to a port in this article: http://support.microsoft.com/kb/813878

Alert level: severe
Updated on Sep 02, 2013

Trojan:Win64/Sirefef.AF is a component of Win64/Sirefef - a multi-component family of malware that uses stealth to hide its presence on your computer. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing the payload.

Note: This Sirefef variant has been observed using specific ports for its peer-to-peer communications. We strongly encourage you to block access to the following ports to limit Sirefef’s communication channels and prevent additional Sirefef components being downloaded:

  • 16464
  • 16465
  • 16470
  • 16471

You can read more about how to block access to a port in this article: http://support.microsoft.com/kb/813878

Alert level: severe
Updated on Sep 02, 2013

Trojan:WinNT/Sirefef.N is a component of Win32/Sirefef - a multi-component family of malware that moderates your Internet experience by changing search results and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing a payload.

Note: This Sirefef variant has been observed using specific ports for its peer-to-peer communications. We strongly encourage you to block access to the following ports to limit Sirefef’s communication channels and prevent additional Sirefef components being downloaded:

  • 16464
  • 16465
  • 16470
  • 16471

You can read more about how to block access to a port in this article: http://support.microsoft.com/kb/813878

Alert level: severe
Updated on Sep 02, 2013

Trojan:Win32/Sirefef.BC is a component of Win32/Sirefef - a multi-component family of malware that moderates your Internet experience by changing search results and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing a payload.

Note: This Sirefef variant has been observed using specific ports for its peer-to-peer communications. We strongly encourage you to block access to the following ports to limit Sirefef’s communication channels and prevent additional Sirefef components being downloaded:

  • 16464
  • 16465
  • 16470
  • 16471

You can read more about how to block access to a port in this article: http://support.microsoft.com/kb/813878

Alert level: severe
Updated on Sep 02, 2013

Trojan:Win64/Sirefef.AI is a component of Win64/Sirefef - a multi-component family of malware that uses stealth to hide its presence on your computer. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing the payload.

Note: This Sirefef variant has been observed using specific ports for its peer-to-peer communications. We strongly encourage you to block access to the following ports to limit Sirefef’s communication channels and prevent additional Sirefef components being downloaded:

  • 16464
  • 16465
  • 16470
  • 16471

You can read more about how to block access to a port in this article: http://support.microsoft.com/kb/813878

Alert level: severe
Updated on Sep 04, 2013

Trojan:Win64/Sirefef.AB is a component of the Sirefef multi-platform rootkit, related to Win32/Sirefef. Sirefef is a multi-component malware family that modifies search results when you search for something on the Internet and generates pay-per-click advertising revenue for its controllers. This particular component clicks on links supplied by a remote attacker to generate revenue.

Alert level: severe
Updated on Sep 04, 2013

Trojan:WinNT/Sirefef.J is a component of Win32/Sirefef - a multi-component family of malware that moderates your Internet experience by changing search results and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing a payload.

Note: This Sirefef variant has been observed using specific ports for its peer-to-peer communications. We strongly encourage you to block access to the following ports to limit Sirefef’s communication channels and prevent additional Sirefef components being downloaded:

  • 16464
  • 16465
  • 16470
  • 16471

You can read more about how to block access to a port in this article: http://support.microsoft.com/kb/813878

Alert level: severe
Updated on Apr 03, 2014

Virus:Win32/Sirefef.gen!B is a component of Win32/Sirefef - a multi-component family of malware that moderates your Internet experience by changing search results and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing a payload.

Alert level: severe
Updated on Sep 04, 2013

Virus:Win32/Sirefef.F is a component of Win32/Sirefef - a multi-component family of malware that moderates your Internet experience by changing search results and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing a payload.

Alert level: severe
Updated on Sep 04, 2013

TrojanDropper:Win32/Sirefef.A!dll is a component of Win32/Sirefef - a multi-component family of malware that moderates your Internet experience by changing search results and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing a payload.

Caution: Win32/Sirefef is a dangerous threat that uses advanced stealth techniques in order to hinder its detection and removal. If you are infected with Sirefef, we recommend you take the following steps to remove this threat from your computer:

Before you begin you will need:

- A computer that is not infected and is connected to the Internet. You will use this computer to download a copy of the Microsoft Safety Scanner.
- A blank CD, DVD or USB drive. You will use this CD, DVD or USB drive to run the Scanner on your infected computer.

  1. Download a copy of the Microsoft Safety Scanner from a clean, uninfected computer
  2. Save a copy of the Scanner on a blank CD, DVD, or USB drive
  3. Restart the infected computer
  4. Insert the CD, DVD, or USB drive into your infected computer and run the Scanner
  5. Let the Scanner clean your computer and remove any infections it finds

After running the Scanner, ensure that your antivirus product is up-to-date. You can update Microsoft security products by downloading the latest definitions at this link: Get the latest definitions.

As a consequence of being infected with this threat, you may need to repair and reconfigure some Windows security features. Please see Additional remediation steps in this entry for more information.

Alert level: severe
Updated on Sep 04, 2013

Virus:Win64/Sirefef.A is a component of the Sirefef malware family. Sirefef modifies search results and generates pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or performing the main payload.

Virus:Win64/Sirefef.A launches an additional Sirefef component and is itself created by another Sirefef component, Trojan:Win32/Sirefef.P.

Caution: Win32/Sirefef is a dangerous threat that uses advanced stealth techniques in order to hinder its detection and removal. If you are infected with Sirefef, we recommend you take the following steps to remove this threat from your computer:

Before you begin you will need:

- A computer that is not infected and is connected to the Internet. You will use this computer to download a copy of the Microsoft Safety Scanner.
- A blank CD, DVD or USB drive. You will use this CD, DVD or USB drive to run the Scanner on your infected computer.

  1. Download a copy of the Microsoft Safety Scanner from a clean, uninfected computer
  2. Save a copy of the Scanner on a blank CD, DVD, or USB drive
  3. Restart the infected computer
  4. Insert the CD, DVD, or USB drive into your infected computer and run the Scanner
  5. Let the Scanner clean your computer and remove any infections it finds

After running the Scanner, ensure that your antivirus product is up-to-date. You can update Microsoft security products by downloading the latest definitions at this link: Get the latest definitions.

As a consequence of being infected with this threat, you may need to repair and reconfigure some Windows security features. Please see Additional remediation steps in this entry for more information.

Alert level: severe
Updated on Sep 02, 2013

Windows Defender detects and removes this threat.

This trojan is a 64-bit component of Win32/Sirefef - a family of malware that uses stealth to hide its presence on your computer. Trojans in this family can do different things, including:

  • Downloading and running other files
  • Contacting remote hosts
  • Disabling security features

Members of the family can also change search results, which can generate money for the attackers who use Sirefef.

Alert level: severe
Updated on Sep 04, 2013

Trojan:Win32/Sirefef.O is a trojan component of the Win32/Sirefef family, and is installed by variants of TrojanDropper:Win32/Sirefef. The trojan provides functionality for other installed Win32/Sirefef rootkit components.

Alert level: severe
Updated on Nov 18, 2013

Microsoft security software detects and removes this threat.

This family of malware uses stealth to hide itself. Trojans in this family can do different things, including:

  • Downloading and running other files
  • Contacting remote hosts
  • Disabling security features

Members of the family can also change search results, which can generate money for the attackers who use Sirefef.

Variants of Win32/Sirefef may be installed by other malware, including variants of the Trojan:Win32/Necurs family.

See the Win32/Sirefef family description for more information.

Alert level: severe