This threat is the 64-bit user-mode component of Win32/Sirefef, a multi-component family of malware that moderates your Internet experience by modifying search results and generating pay-per-click advertising revenue for its controllers. The family consists of multiple parts that perform different functions, such as downloading updates and additional components, hiding existing components, or carrying out a payload.
It is installed and executed by other variants of Win32/Sirefef and may have the file name "80000000.@".
It visits the website "googl.com" to check whether your computer can access the Internet, and uses a web-based location service ("promos.fling.com/geo/txt/city.php") to determine your computer's geographical location, specifically the name of the city.
Installs and executes arbitrary files
It may have additional trojan components that it installs on your computer. They may be installed as a service with the file name "adserxvice.exe", and may be detected as Trojan:Win32/Sirefef.P or Trojan:Win32/Sirefef.AA.
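The network and file-name indicators described above can be combined into a simple triage pass over endpoint and proxy telemetry. The following is an added example, not part of the original analysis; the event tuple format, machine names and sample paths are constructed assumptions, and only the host names, URL path and file names come from this description.

```python
import ntpath
from urllib.parse import urlsplit

# Indicators quoted in the description above.
CONNECTIVITY_HOST = "googl.com"
GEO_HOST, GEO_PATH = "promos.fling.com", "/geo/txt/city.php"
FILE_NAMES = {"80000000.@", "adserxvice.exe"}

def classify_url(url):
    """Match on the exact host (and path for the geo lookup), never on substrings."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host == GEO_HOST and parts.path.lower() == GEO_PATH:
        return "geo-lookup"
    if host == CONNECTIVITY_HOST:
        return "connectivity-check"
    return None

def classify_path(path):
    """Compare the base name of a Windows path case-insensitively."""
    name = ntpath.basename(path).lower()
    return name if name in FILE_NAMES else None

def triage(events):
    """events: iterable of (machine, kind, value) with kind 'url' or 'file'.
    Returns {machine: (confidence, sorted indicator tags)}."""
    hits = {}
    for machine, kind, value in events:
        tag = classify_url(value) if kind == "url" else classify_path(value)
        if tag:
            hits.setdefault(machine, set()).add(tag)
    # One indicator alone is weak; two or more on one machine corroborate each other.
    return {m: ("corroborated" if len(t) >= 2 else "single", sorted(t))
            for m, t in hits.items()}

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ("WS-01", "url", "http://googl.com/"),
    ("WS-01", "url", "promos.fling.com/geo/txt/city.php"),
    ("WS-01", "file", r"C:\constructed\dir\80000000.@"),
    ("WS-02", "url", "https://www.google.com/search?q=googl.com"),  # benign look-alike
    ("WS-03", "file", r"C:\constructed\Downloads\AdserXvice.exe"),
    ("WS-04", "url", "http://notgoogl.com/"),                      # different host
]

if __name__ == "__main__":
    for machine, (confidence, tags) in sorted(triage(SAMPLE_EVENTS).items()):
        print(machine, confidence, ", ".join(tags))
```

Exact host comparison keeps ordinary "google.com" traffic and unrelated hosts that merely contain the string out of the results.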
Analysis by Shali Hsieh
The following system changes may indicate the presence of this malware: