(This is happening on Windows XP SP3)
Last weekend, I attempted to download the DOS-based fighting game M.U.G.E.N., on the assumption (hoping I'm not making a derp here) that it was free to download. The site wasn't an official MUGEN site, but I didn't bat an eye because the game is small and not well known - perhaps they didn't want to pay for hosting?
It turned out to be one of those skeezy download sites that only looks legit, and their version of the game came with a free expansion pack for practicing hand-to-hand combat against malicious code. The offenders seem to be Sirefef (or, as it should be called, the "ninja vampire cockroach" virus, because that's how hard this stupid thing is to find and kill) and a generic detection for Java exploits/malware.
The first thing I noticed was the sound acting goony, only playing for certain things and only some of the time. When I tried to fix it, I found that any scanners were prevented from running by "software restriction policies", but a cursory look in both gpedit and secpol revealed that no such policies exist, and any attempts to skirt them by renaming things are blocked because this thing flips every folder on the computer to read-only, letting you fix them only for it to make them read-only again right away.
Over the past several days this computer has been subjected to so many virus scans I've lost count, from nearly as many products. Most have found and fixed threats, but still the problems persist. It's been run through TDSSKiller and ComboFix. The camouflaged registry stuff (masquerading as Google updaters) has been manually deleted. Avast (but not MBAM) has been snuck through the stupid restriction thing and now returns a clean bill of health. And yet still, the sound and folders are screwed up!
Now my mother wants the sound back, pronto, and I'm not going to feel completely safe until the folders and MBAM are fixed as well. To top it all off, I got burned by another sketchy download site while attempting to acquire TDSSKiller, and not only did I get a bunch of adware, I didn't even get TDSSKiller! WebZoom might even still be here, being a very stubborn program that simply refuses to uninstall.
I know from reading around that some older variants of Sirefef like to disguise themselves as normal .sys files, one of which is a sound driver. That would be why the sound dropped out on me. With this infection, though, the folder in which it stores a clean copy of the original was never found, and an attempt to reinstall the sound drivers did absolutely nothing (which has been known to happen with Sirefef, apparently). Where could this thing still be hiding? What do I do now?
Edited by SHOTGUN CHUCK, 08 February 2015 - 07:23 PM.