Microsoft Security Intelligence
Published Jun 21, 2012 | Updated Sep 15, 2017

Trojan:Win32/Sirefef.AL

Detected by Microsoft Defender Antivirus

Aliases: Rootkit.ZeroAccess.Gen.4 (VirusBuster), Trojan.Sirefef.FZ (BitDefender), Trojan.Win32.Sirefef (Ikarus), Trojan.Win32.Zapchast.acao (Kaspersky), ZeroAccess.eh (McAfee), Troj/Sirefef-AZ (Sophos), TROJ_SIREFEF.EM (Trend Micro)

Summary

Microsoft security software detects and removes this threat.

This family of malware uses stealth to hide its presence on your PC. Trojans in this family can do different things, including:

  • Downloading and running other files
  • Contacting remote hosts
  • Disabling security features

Members of the family can also change search results, which can generate money for the attackers who use Sirefef.

Variants of Win32/Sirefef may be installed by other malware, including variants of the Trojan:Win32/Necurs family.

For more information, please see the Win32/Sirefef family description.

Win32/Sirefef is a dangerous threat that uses advanced stealth techniques to hinder its detection and removal. If you are infected with Sirefef, we recommend you take the following steps to remove it.

Download and run the Microsoft Safety Scanner

Before you begin you will need:

  • A PC that is not infected and is connected to the Internet. You will use this PC to download a copy of the Microsoft Safety Scanner
  • A blank CD, DVD or USB drive. You will use this CD, DVD or USB drive to run the Scanner on your infected PC

  1. Download a copy of the Microsoft Safety Scanner from a clean, uninfected PC
  2. Save a copy of the Scanner on a blank CD, DVD, or USB drive
  3. Restart the infected PC
  4. Insert the CD, DVD, or USB drive into your infected PC and run the Scanner
  5. Let the Scanner clean your PC and remove any infections it finds

After running the Scanner, make sure your antivirus software is up to date. You can update Microsoft security software by downloading the latest definitions.

The following Microsoft products detect and remove this threat:

Note that as part of the cleaning, our software might change some Windows services back to their default settings. If you had previously changed these settings, you might need to change them again.

The services that are reset include:

  • BFE – Base Filtering Engine
  • Iphlpsvc – IP Helper service
  • MSMpSvc – Microsoft Antimalware service – MSE/FEP/SCEP
  • Sharedaccess – Internet Connection Sharing
  • WinDefend – Microsoft Antimalware service
  • Wscsvc – Windows Security Center
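
To see which of the services listed above were reset, record their start modes before cleaning and compare them afterwards. The PowerShell script below is an added example, not Microsoft's tooling; the script file name and the snapshot path are assumptions.

```powershell
# Added example: snapshot and compare the start mode of the services listed above.
# Usage (Compare-ServiceStartMode.ps1 is a hypothetical file name):
#   .\Compare-ServiceStartMode.ps1 -Mode Snapshot   # before cleaning
#   .\Compare-ServiceStartMode.ps1 -Mode Compare    # after cleaning
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Snapshot', 'Compare')]
    [string]$Mode,
    # Snapshot location is an assumption; point it at removable media if preferred.
    [string]$Path = "$env:USERPROFILE\service-startmode-snapshot.json"
)

# Short names of the services in the list above, as Windows registers them.
$names = 'BFE', 'iphlpsvc', 'MsMpSvc', 'SharedAccess', 'WinDefend', 'wscsvc'

function Get-StartModeTable {
    $table = @{}
    foreach ($n in $names) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'"
        # Not every service exists on every Windows version or product mix.
        $table[$n] = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
    }
    return $table
}

$current = Get-StartModeTable

if ($Mode -eq 'Snapshot') {
    $current | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
    Write-Output "Saved start modes for $($names.Count) services to $Path"
    return
}

if (-not (Test-Path -Path $Path)) {
    throw "No snapshot found at $Path. Run with -Mode Snapshot first."
}
$before = Get-Content -Path $Path -Raw | ConvertFrom-Json

# Report only the services whose start mode differs from the snapshot.
foreach ($n in $names) {
    $old = $before.$n
    $new = $current[$n]
    if ($old -ne $new) {
        Write-Output ("{0}: was {1}, now {2}" -f $n, $old, $new)
    }
}
```

Because this family disables security features, a snapshot taken on an infected PC may itself contain settings changed by the malware. Treat the comparison as a list of differences to review, not as values to restore automatically.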