Click on screenshot to zoom
Danger level 7
Type: Trojans
Common infection symptoms:
  • Can't be uninstalled via Control Panel
  • Installs itself without permissions
  • Connects to the internet without permission
  • Normal system programs crash immediatelly
  • System crashes
  • Slow Computer


You are unlikely to realize when Saefko slithers in and when it performs highly intrusive and malicious actions. Unfortunately, stealthiness is the strength of this infection, and some victims discover it only when they randomly decide to scan their systems or when they implement security software to guard them. How did you learn about this dangerous Trojan? Regardless of your answer, you need to make sure that you remove Saefko as quickly as you can because every second that this threat exists, your virtual security becomes weaker and weaker. While we are sure that you will be able to delete the infection using the tips and instructions provided in this report, we cannot know what will happen next. That depends on what kinds of actions the attackers were able to perform before successful detection, and that is impossible to know for sure. The first thing you should do is change all passwords because there is a good chance that this malware could have stolen them all.

According to malware experts, Saefko is most likely to be distributed using phishing emails. Imagine that you receive a new message. You open it, and it looks completely legitimate. Maybe it looks out-of-place or strange, but it might be convincing enough. The message instructs you to click a link or open an attached file. This sounds pretty harmless, right? Well, that is enough to drop malware onto your system, and if it is not protected, the execution is initiated without any warning. If Saefko is able to hide itself, it can do all kinds of things for a long long time. Our research team classifies it as a RAT, which stands for “remote access tool,” and that means that the infection can be controlled remotely via an exposed security backdoor. The attackers behind the infection can do whatever they want, and that is why this malware is completely unpredictable. To add insult to the injury, it appears that this RAT is sold online, which means that anyone can purchase and use it, and that makes it even more unpredictable. It is impossible to say how many different parties could be exploiting this malware for their benefit.

When Saefko is executed, it waits for commands from a remote server, and, depending on these commands, it can start doing intrusive things. For example, the infection could start capturing screenshots and recording keystrokes to steal login credentials and other sensitive data. It also could hijack the webcam and the microphone to spy on you. The attackers could also use Saefko to drop and execute malicious files, which could belong to new infections. The RAT is supposed to provide cybercriminals with administrative control, and so they could easily terminate and run processes, execute and delete files, mess with the Windows Registry, and do other terrible things. The Trojan could also gather data using your web browser, and it could check what sites you visit. It is likely to specifically check when the victim visits Facebook, Instagram, YouTube, Gmail, online banking, and payment websites, as well as crypto-currency related websites. Most likely, this is done so that the infection could be more efficient in recording login information that, later on, could help cybercriminals hijack accounts.

If Saefko slithers into a personal computer, it can cause great damage, but if it attacks companies and governments, unthinkable amounts of private and sensitive data could be leaked. This could lead to major data breaches, national security issues, and production problems. In any case, this Trojan is truly intrusive, and deleting it is crucial. Hopefully, you can delete Saefko using the guide below, but we advise employing anti-malware software because you do not know what other kinds of malware could have invaded your system or could have been downloaded by the Trojan itself. Also, you clearly need reliable protection. After you remove the Trojan, you also need to check your removable drives. If they were connected to the computer while the Trojan was active, they could have been infected too. Needless to say, if you do not clean your removable drives, the malicious threat could spread further, and we are sure that you do not want to be blamed for that.

Saefko Removal

  1. Launch Windows Explorer by tapping keys Win and E at the same time.
  2. Enter %APPDATA% into the field at the top.
  3. Delete all suspicious files and folders that belong to the RAT (be careful not to delete normal files).
  4. Enter %LOCALAPPDATA% into the field at the top and then repeat step 3.
  5. Launch Run by tapping keys Win and R at the same time and then enter regedit into the box.
  6. In Registry Editor, move to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.
  7. If you can identify Trojan-related values, immediately Delete them.
  8. Move to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ and then repeat step 7.
  9. Empty Recycle Bin and then connect to your removable drives.
  10. Delete files named sas.exe, usbspread.vbs, and usbstart.exe.
  11. Finally, perform a full Window system scan using a legitimate and trusted malware scanner.
  12. If leftovers are found, delete them as quickly as possible.
Download Spyware Removal Tool to Remove* Saefko
  • Quick & tested solution for Saefko removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.