Sirefef (aka Trojan.Dropper.Sirefef) is a malicious multicomponent trojan family, which modifies search results, generated pay-per-click traffic for cybercriminals. This family consists of different components, which performs different tasks like downloading updates and additional malware, then hiding it from the system and running payloads. This classifies it as Dropper Trojan. Sirefef variants may display pop up advertisements that interrupt the user of computer. Additionally some of them may even destroy data. Other variants gather personal information about finances, usernames and passwords. It also may open remote access connection to the infected computer. Quite typically, it causes redirects during search and blocking legitimate security-related websites.
Typically, one receives Sirefef rogues from various exploit kits, like Blackhole one. These kits identify browser version and displays suitable exploit to infect your PC. The infection fails if your system does not have known vulnerabilities, though lots of PCs get infected daily. In some cases one does not even see the infection taking places, as the malicious script is run from small iframe. In some cases the install is disguised as Adobe Flash update, Windows Media player update or other software. In some cases you will not see what is installed. Additionally, Sirefef and other trojans were distributed as fake updates for Flash and other software through paid advertisements.
There are several symptoms, which shows that you’re infected with Sirefef. Here is a list of them:
1. If your Google or Yahoo searches gets redirected, or desktop background image and browser homepage gets changed, you might be having Sirefef on your PC.
2. if your computer is working slower than it should or even it seems that it is stuck. That includes also the speed of opening programs, shutting down your computer and slow internet.
3. A lot of unwanted pop ups. Trojan Sirefef modifies the registry to pop up advertisements out of nowhere.
Note, That Sirefef might rename or replace system files. The files renamed and replaced might vary, thus it is is advisable to use anti-rootkit programs like TDSS Killer or spyhunter to detect malicious files and processes. So even if it is tough, it is very important to remove Sirefef parasites from ones PC.
A presence of files logevent.dll (a copy of replaced system DLL) and win32k.sys (malicious file) might mean your system is infected with malware from Sirefef family, though you should always use software to confirm.
Sirefef like other similar parasites can be prevented by strong antivirus or anti-malware application. Like other similar parasites, It is easier prevented than cured.
How to get rid of Sirefef and related infections
Sirefef is tough to remove. Some versions of parasite will block antivirus sites and prevent execution of antivirus software. Also, not all antivirus versions are capable to remove rootkits. This is especially true for on 64 bit Windows. Following options exist:
- Removing Sirefef with regular anti-malware programs. On 32 versions of windows Hitman Pro works quite ok. Spyhunter works on both 32 and 64 bit versions. As with all rootkits, results might vary – these parasites change quite often.
- Using anti-rootkit programs. TDSS Killer is one of the most popular anti-rootkit program today, and that is for a good reason. If it does not work, try GMER Or Webroot anti-rootkit program.
- Using Alternate OS Scanner. These programs launch from bootable CD and thus run with rootkit disabled already. The results depend on freshness of Antivirus DB. Using Alternate OS scanners is the most time consuming option. More information about Alternate OS Scanners available here : https://www.2-viruses.com/alternate-os-scanners-introduction
Here a video guide on using Spyhunter against rootkit infections like Sirefef:
Automatic Malware removal tools
4 responses to “Sirefef”
Thanks. This helped me understand what was going on in my system, and now im trying to get rid of it. I can’t the process “random” though. Is there any other processes i need to find? I really need help…
Mathew: Sirefef names processes randomly depending on its versions. Scan with TDSS Killer.
Tried downloading Spyhunter but the virus blocks it. This happens even in safe mode. What do I do?! 🙁
Download Hitman Pro on other PC (http://www.2-viruses.com/reviews/hitman-pro )
Then create Kickstarter USB disk and boot infected machine from it. Scan.