Win32:Sirefef-AO

Win32:Sirefef-AO [Rtk] is a Trojan component of Win32:Sirefef – a family of malware that controls an infected computer’s Internet activity by redirecting requested URLs to different ones. This family of Trojans consists of several components that carry out different tasks, such as downloading more malware, concealing the Trojan’s presence, and executing other payloads.

Damage Level: Medium

Systems Affected: Windows 9x/ME, Windows 2000, XP, Windows Vista, Windows 7

Characteristics
When executed, the Win32:Sirefef-AO rootkit drops several files into various folders on the hard drive. Specifically, the Trojan’s file is placed under the Windows system folder. It may also modify or add certain values in the Windows registry to perform the following tasks:

  • Load the Trojan every time Windows starts.
  • Hide its presence on the infected computer.
  • Disable antivirus programs from running.
  • Infect Windows processes with malicious code.

Once it is running, Win32:Sirefef-AO can take full control of your Internet activity. It can modify search results and point your browser to a different web address. Moreover, the Trojan may connect your PC to a remote computer to download and install more threats.

To hide itself among the system’s running processes, Win32:Sirefef-AO injects its code into legitimate Windows DLLs and processes. Thus, users as well as antivirus programs see only a legitimate process running.

Distribution
Since Win32:Sirefef-AO belongs to a multi-component family, other members of the family may have dropped this variant onto your computer. Users may also encounter the Trojan when visiting a malicious web site that hosts the malicious code.

Earlier versions of the Win32:Sirefef-AO [Rtk] rootkit first spread in Poland. Avast antivirus users first reported the infection around November 2011. Here is a screen capture of an early detection of this Trojan.

Avast Detection

How to Remove Win32:Sirefef-AO

TDSSKiller is a free anti-rootkit utility from Kaspersky that neutralizes complex malware which hides its processes, folders, files and registry entries.

1. Download TDSSKiller from this link. Save the file to your desktop.
2. Extract the contents with an archive utility.
3. Reboot the computer into Safe Mode to prevent Win32:Sirefef-AO from loading at start-up. You may want to print this procedure, as the computer must be restarted to complete the removal process.
- Restart the computer.
- Before Windows begins to load, press F8 on your keyboard.
- The Advanced Boot Options menu will appear. Select Safe Mode with Networking.
- Windows will now start in Safe Mode.

4. Locate and run the TDSSKiller.exe file.

5. Under Object to Scan, mark Services and drivers as well as Boot Sectors.
6. Click on Start Scan to begin scanning your system. This may take a while.
7. After the scan is finished, it will reboot the computer. That should complete the disinfection process.
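As an added example that is not part of the original guide, the following PowerShell triage script complements the TDSSKiller procedure: it reports whether the machine is currently in Safe Mode and lists the autorun registry entries (the persistence mechanism described under Characteristics) whose target binary is missing or lacks a valid Authenticode signature. It assumes Windows PowerShell 3.0 or later, run from an elevated prompt; it is read-only and changes nothing.

```powershell
# Added example, not from the original article. Read-only triage for the
# persistence behaviour described under Characteristics: report the boot mode
# and list autorun registry entries whose target binary is missing or lacks a
# valid Authenticode signature. Assumes Windows PowerShell 3.0+, run elevated.

# 'Normal boot', 'Fail-safe boot' or 'Fail-safe with network boot' (Safe Mode with Networking).
$bootMode = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
Write-Host "Boot mode: $bootMode"

# Registry locations commonly used to load a Trojan every time Windows starts.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-ImagePath([string]$command) {
    # Strip quotes and arguments, expand %SystemRoot% etc., resolve bare names via PATH.
    $expanded = [Environment]::ExpandEnvironmentVariables($command.Trim())
    $path = ($expanded -split '\s+')[0]
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { $path = $expanded.Substring(1, $end - 1) }
    }
    if ($path -and -not [IO.Path]::IsPathRooted($path)) {
        $cmd = Get-Command $path -ErrorAction SilentlyContinue
        if ($cmd) { $path = $cmd.Source }
    }
    return $path
}

foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # provider metadata, not registry values
        if ($key -like '*Winlogon' -and $p.Name -notin 'Shell', 'Userinit') { continue }
        if ($p.Value -isnot [string]) { continue }
        foreach ($entry in ($p.Value -split ',')) {        # Userinit may hold a comma list
            $path = Get-ImagePath $entry
            if (-not $path) { continue }
            if (-not (Test-Path -LiteralPath $path)) { $status = 'MISSING' }
            else { $status = (Get-AuthenticodeSignature -FilePath $path).Status }
            if ($status -eq 'Valid') { continue }         # only report what needs a look
            [pscustomobject]@{ Key = $key; Name = $p.Name; Target = $path; Status = $status }
        }
    }
}
```

An empty result means every autorun target exists and is validly signed; entries reported as MISSING or NotSigned are the ones worth comparing against the TDSSKiller scan log.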

Alternative Removal Method for Win32:Sirefef-AO

Option 1: Use Windows System Restore to return Windows to a previous state

If Win32:Sirefef-AO has entered the computer, there is a high chance that Windows files, registry entries and other essential components are also compromised. System Restore can reinstate clean system files by rolling the configuration back to an earlier date, replacing compromised files with clean versions. If you have a restore point saved from before Win32:Sirefef-AO infiltrated the PC, we highly encourage you to run this procedure if none of the above works. To proceed with Windows System Restore, click here to see the full procedure.