Microsoft security software detects and removes this threat.

It is a user-mode component of Win32/Sirefef - a multi-component family of malware that meddles with your Internet experience by changing search results and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that do different functions, like downloading updates and additional components, hiding existing components, or doing a payload.

What to do now

The following free Microsoft software detects and removes this threat:

Run the Microsoft Safety Scanner

If you're having trouble cleaning Win32/Sirefef, the Microsoft Safety Scanner may help you remove it:

After you've used the Microsoft Safety Scanner, you should make sure your security software is up to date and run a full scan:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Note that as part of the cleaning, our software might change some Windows services back to their default settings. If you had previously changed these settings, you might need to change them again.

The services that are reset include:

  • BFE – Base Filtering Engine
  • Iphlsvc – IP helper Service
  • MSMpSvc – Microsoft Antimalware service – MSE/FEP/SCEP
  • Sharedaccess – Internet Connection Sharing
  • WinDefend – Microsoft Antimalware service
  • Wscsvc - Windows Security Center

You can also visit the Microsoft virus and malware community for more help.

Threat behavior


Sirefef.P is installed and run by other variants of Sirefef. It might have any of these file names:

  • n
  • desktop.ini
Note that the file desktop.ini is the name of a legitimate Windows system file. This component of Sirefefprovides selected function calls for other components to establish network connections.

Sirefef.P runs another component of Sirefef, usually named one of the following:


Intercepts Windows system calls

Sirefef.P replaces the following system APIs with its own malicious instructions so that calls made to the original API will run the malicious code instead:

  • AcceptEx
  • GetAcceptExSockaddrs
  • Getnetbyname
  • Inet_network
  • NSPStartup
  • TransmitFile

Sirefef.P hooks the API WSPStartup to enable it to run.

Additional information

Refer to our Win32/Sirefef encyclopedia description for more information about this family.

Analysis by Shali Hsieh


The following could indicate that you have this threat on your PC:


Alert level: Severe
First detected by definition: 1.121.566.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Feb 28, 2012
This entry was first published on: Jun 19, 2012
This entry was updated on: Feb 03, 2014

This threat is also detected as:
  • Trojan.Sirefef.FS (BitDefender)
  • Win64/Sirefef.W (ESET)
  • HEUR:Backdoor.Win64.Generic (Kaspersky)
  • ZeroAccess (McAfee)
  • Troj/Sirefef-AP (Sophos)
  • TROJ_SIREFEF.RB (Trend Micro)