Remove Sirefef (Virus Removal Guide) - updated Dec 2019
Sirefef – prolific malware that seeks to open a backdoor on the host machine
Sirefef, or otherwise known as ZeroAccess or max++, is a malware-dropper that is known for its ability to hide itself on the infected computer. Numerous versions of the threat have been released over the years, although its main function is to gather relevant information about the machine and then use it as a tool to insert additional malware payloads. Rootkit.sirefef.spy distribution methods can vary, although it is usually proliferated with the help of other malware, such as Necurs Trojan.
Sirefef virus is a multi-functional malware, meaning that it employs several modules that perform different tasks on the system. For example, one component is set to open a backdoor, another one – block the firewall and security software, the next one can be used for downloading malicious files and updates from the internet, and so on. Besides, Rootkit.sirefef.spy trojan can also intercept and redirect HTTP traffic[1] to pre-determined sites, consequently generating ad revenue for the attackers.
| Name | Sirefef |
| Type | Trojan, rootkit, backdoor |
| Also known as | Rootkit.sirefef.spy, ZeroAccess, Zero Access, max++, Win32/Sirefef, Patched.B.Gen |
| Operating system | All versions of Windows (64 and 32-bit) |
| Distribution | Security researchers noticed various versions of Sirefef being distributed via software cracks/keygens, exploits or by exploiting software vulnerabilities |
| Functionality |
The malware is multi-functional, and can be set to perform a variety of different tasks, including, but not limited to:
|
| Symptoms | The only infection indicator is the warnings from security software (if not disabled). In some rare cases, victims might notice increased amount of ads, high CPU/memory usage, crashing programs, etc. |
| Removal | Use most up-to-date security software and perform a full system scan in Safe Mode with Networking |
| Recovery | To restore Windows registry and recover from system crashes post-infection, use Reimage Reimage Cleaner Intego |
Because Rootkit.sirefef.spy is a Trojan and its functionality mainly consists of background activities, it can remain on the system undetected for days or even months. However, because some variants of the virus are known to redirect traffic to unknown domains, aggressive ads and redirects on Google Chrome, Mozilla Firefox, Internet Explorer or another browser can serve as a good sign of system compromise.
However, be aware that the Sirefef rootkit is not the only threat that can cause browser redirects, as it is also a functionality of adware, as well as browser hijackers, which are both much lesser threats than Rootkit.sirefef.spy Trojan. The best way to check for malicious activity is to scan the computer with anti-malware software, such as SpyHunter 5Combo Cleaner, Malwarebytes, or another reputable security program.
Other symptoms that might be related to Rootkit.sirefef.spy infection includes (although users will rarely experience anything at all, making the detection and Sirefef removal a much more complicated task):
- High CPU or memory usage
- Crashing applications or Windows
- Overall slow computer operation
It is important to note that Sirefef Trojan can disable some security applications post-infection, which only increases its prevalence n the infected device. Due to this, as well as the low occurrence of signs of the infection, users might not be aware that they are infected for weeks or even months. This is why regular computer scans with anti-malware are so important. As evident, if you have an anti-malware installed and it is not performing pre-determined scans, there is a good chance that malware like Rootkit.sirefef.spy has disabled it.
To remove Sirefef rootkit and to prevent from stopping the anti-virus, experts[2] advise accessing Safe Mode with Networking and performing a full system scan with anti-malware software. The Safe Mode launches with only necessary drivers and system components, disabling malware' functions.
However, be aware that rootkits and other malicious software might permanently damage system components on Windows. To repair that damage done by viruses, we suggest employing a PC repair tool Reimage Reimage Cleaner Intego.
Infection routine
As previously mentioned, there have been multiple Sirefef variants released over the years, and each possesses some differences from another version, and distribution, prevalence, and obfuscation techniques may vary.
Some of the variants were noticed to come as an executable GoogleUpdate.exe – it is very common for malicious actors to disguise the primary executable under legitimate names to prevent users from being suspicious. The executable is placed into a newly created folder inside the %ProgramFiles% and %APPDATA% directories, begging the infection routine.
Rootkit.sirefef.spy also initiates changes inside Windows registry,[3] modifying the following keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Classes\clsid\{5839fca9-774d-42a1-acda-d6a79037f57f}\InprocServer32
Sirefef also creates a separate folder here multiple files are dropped, and the malicious code inside is used to communicate with other infected devices as well as attackers' servers via peer-to-peer. This ensures that hackers can enable new functions or update malware when desired remotely.
Rootkit.sirefef.spy tampers with system drivers by replacing legitimate ones with malicious ones. These drivers might be picked up by AV vendors as Virus:Win32/Sirefef or TrojanDropper:Win32/Sirefef.B. Additionally, the malware turns off various system components that are vital to secure OS, including Windows Firewall, Windows Update, RemoteAccess, etc.
Pirated software installers and software vulnerabilities are the most common attack vectors
Most of the users will come close to malicious attacks when using Windows computers, but whether they infect them with malware depends on multiple factors, and the most important one is awareness. As evident, acting responsibly online and secure the OS with powerful anti-malware software will bring the best results.
First thing's first: do not download pirated software, as well as keygens/cracks that can enable full version of the program that is otherwise not free. Torrent and similar P2P networks are known to be insecure as not much effort are put into protecting users on those sites. In fact, some website owners allow malicious actors to insert JavaScript-based ads that would download and install malware automatically (by exploiting software vulnerabilities).[4]
To avoid the latter, you need to ensure that all your browsers and the operating system are running the latest versions. For that, you should never delay the updates and rather enable the auto-update feature.
Access Safe Mode to remove Sirefef virus
Trojans are very malicious cyber threats, so it is important to remove Sirefef from your computer because it may not only use it and your Internet resources for illegal purposes, it can also try to delete your valuable files, steal your sensitive information and so on. Additionally, it may open a remote control connection to your PC and let additional threats inside your computer.
When trying to perform Sirefef removal on your system, it may kill your anti-spyware and its processes. The easiest way to bypass this functionality is by entering Safe Mode with Networking, as explained in the instructions below. Once inside, you should employ the most up-to-date anti-malware tool and run a full system scan.
To remove Sirefef, follow these steps:
Remove Sirefef using Safe Mode with Networking
Rootkit.sirefef.spy can disable various anti-malware tools, along with other security components, in order to prevent its removal. Access Safe Mode with Networking and perform a full system scan:
-
Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
-
Select Safe Mode with Networking from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
-
Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
-
Step 2: Remove Sirefef
Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Sirefef removal.
If your ransomware is blocking Safe Mode with Networking, try further method.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Sirefef and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes
Access your website securely from any location
When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.
The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login.
VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.
Recover files after data-affecting malware attacks
While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.
Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection.
If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.
- ^ Elie Bursztein. Understanding the prevalence of web traffic interception. Elie. Security blog.
- ^ Bedynet. Bedynet. Security advice from Russia.
- ^ Tim Fisher. What Is the Windows Registry?. Lifewire. Tech Untangled.
- ^ Vulnerability (computing). Wikipedia. The free encyclopedia.
July 31st, 2012 at 3:02 pm
i cant access the internet, probably because of the virus. Can i download spyhunter in safe mode
August 30th, 2012 at 7:15 am
Malwarebytes didnt even detect it. We have Forefront and it gets detected, but after removal it just comes right back in only a couple of minutes.
March 1st, 2013 at 8:40 pm
malwarebytes did not find it at all..it found trojans and some other thingy…i went to http://www.freeavg.com and downloaded thier free one and it found sirefef and got rid of it in no time.