Sirefef corrupted sound drivers - help please?
4 replies to this topic

#1 SHOTGUN CHUCK
Posted 08 February 2015 - 07:21 PM

(This is happening on Windows XP SP3)

Last weekend, I attempted to download the DOS-based fighting game M.U.G.E.N., on the assumption (hoping I'm not making a derp here) that it was free to download. The site wasn't an official MUGEN site, but I didn't bat an eye because the game is small and not well known - perhaps they didn't want to pay for hosting?

Big mistake.

It turned out to be one of those skeezy download sites that only looks legit, and their version of the game came with a free expansion pack for practicing hand-to-hand combat against malicious code. The offenders seem to be Sirefef (or, as it should be called, the "ninja vampire cockroach" virus, because that's how hard this stupid thing is to find and kill) and a generic detection for Java exploits/malware.

The first thing I noticed was the sound acting goony, only playing for certain things and only some of the time. When I tried to fix it, I found that any scanners were prevented from running by "software restriction policies", but a cursory look in both gpedit and secpol reveals that no such policies exist, and any attempts to skirt them by renaming things are blocked because this thing flips every folder on the computer to read-only, allowing you to fix them only to make them read-only again right away.

Over the past several days this computer has been subjected to so many virus scans I've lost count, from nearly as many products. Most have found and fixed threats, but still the problems persist. It's been run through TDSSKiller and ComboFix. The camouflaged registry stuff (masquerading as Google updaters) has been manually deleted. Avast (but not MBAM) has been snuck through the stupid restriction thing and now returns a clean bill of health. And yet still, the sound and folders are screwed up!

Now my mother wants the sound back, pronto, and I'm not going to feel completely safe until the folders and MBAM are fixed as well. To top it all off, I got burned by another sketchy download site while attempting to acquire TDSSKiller, and not only did I get a bunch of adware, I didn't even get TDSSKiller! WebZoom might even still be here, being a very stubborn program that simply refuses to uninstall.

I know from reading around that some older variants of Sirefef like to disguise themselves as normal .sys files, one of which is a sound driver. That would be why the sound dropped out on me. With this infection, though, the folder in which it stores a clean copy of the original was never found, and an attempt to reinstall the sound drivers did absolutely nothing (which has been known to happen with Sirefef, apparently). Where could this thing still be hiding? What do I do now?


Edited by SHOTGUN CHUCK, 08 February 2015 - 07:23 PM.
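The three symptoms in the post above (a "software restriction policies" block that gpedit/secpol do not show, folders being forced back to read-only, and a .sys driver possibly replaced by the malware) can each be checked from the registry and file system rather than through the GUI. The script below is an added triage example, not something posted in the thread or recommended by BleepingComputer staff; it assumes Windows XP SP3 with PowerShell 2.0 installed and an Administrator prompt, and the `C:\Program Files` path is just a constructed starting point.

```powershell
# Added example (not from the thread): triage checks for the symptoms
# described above, on Windows XP SP3 with PowerShell 2.0 installed.
# Assumes it is run from an elevated (Administrator) PowerShell prompt.

# 1. Software Restriction Policies live under this key even when gpedit/secpol
#    show nothing: malware can write the registry values directly, and the
#    GUI only reflects what Group Policy itself put there.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (Test-Path $srp) {
    Write-Output "SRP key present:"
    Get-ItemProperty -Path $srp | Format-List DefaultLevel, TransparentEnabled, PolicyScope
    # Each numbered subkey (0 = Disallowed, 262144 = Unrestricted, ...) is a
    # security level; its Paths subkey holds the path rules that block programs.
    Get-ChildItem -Path $srp -Recurse |
        Where-Object { $_.PSChildName -eq 'Paths' } |
        ForEach-Object { Get-ChildItem -Path $_.PSPath } |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath | Select-Object ItemData, SaferFlags, LastModified }
} else {
    Write-Output "No SRP key in the registry."
}

# 2. Folders that something keeps flipping to read-only (constructed root path;
#    widen it to the whole drive once the first pass looks sane).
$root = 'C:\Program Files'
Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::ReadOnly) } |
    Select-Object FullName, LastWriteTime

# 3. Kernel drivers without an embedded Authenticode signature: a trojanised
#    sound driver (the Sirefef behaviour mentioned above) shows up in this list.
$drivers = Join-Path $env:SystemRoot 'system32\drivers'
Get-ChildItem -Path $drivers -Filter *.sys |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Path, Status
```

On XP most Microsoft drivers are catalog-signed rather than embedded-signed, so step 3 lists them as NotSigned too; treat that list as candidates and confirm with the built-in sigverif.exe, which does check catalog signatures.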

#2 SHOTGUN CHUCK
Posted 09 February 2015 - 03:32 PM

Should I just repost this in the logs section?

(Running the super tools was not my idea - well, TDSSKiller sort of was, but I got the instructions from elsewhere - and I'm pretty sure the logs are still around.)

[screenshot: zq6eZP.png]

This is what happens when I attempt to open MBAM. My mother managed somehow to reinstall Avast and skirt it past this, but the same could not be said of MBAM.

[screenshot: 2vgpph.png]

What the event viewer has to say about it.

[screenshot: jvBRHS.png]

What it used to say about Avast.

[screenshot: eVx4Uo.png]

There is no way this folder should be set to read-only, and attempting to turn off that attribute only results in it being set back to read-only.

[screenshot: FYMpjL.png]

Meanwhile, WebZoom is still there, and refuses to respond to the "change/remove" button.

Lastly, does anyone know how to upload media to my BC account? All I have at Imageshack is a trial account, which means my images are probably going to disappear in just over a month. It used to be free.

EDIT: I set Avast to scan much deeper than usual (including a rootkit scan) and while no residual Sirefef infection showed up (and it still refuses to recognize WebZoom as malware), it did return a couple of threats:

[screenshot: BX54HE.png]

According to a web search, that "Agent-DSR" thing is quite a venerable trojan, around since late '06, and it allows a hacker to remote-control your computer. Glad I got rid of it, but the virus chest already contains a couple of generic dropper detections that it apparently found during auto-scans, one from the WebZoom folder in Application Data and one from the System Restore area. Somewhat scarily, both appeared at the same time, and the WZ folder one was "last changed" the day before I got WZ from that bad download! Where is all this stuff coming from?

Edited by SHOTGUN CHUCK, 09 February 2015 - 07:45 PM.


#3 boopme

Posted 12 February 2015 - 02:24 PM

Sorry for the delay, but this will require a deeper look.

Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#4 SHOTGUN CHUCK

Posted 22 February 2015 - 04:13 AM

Equally sorry for the delay, but it seems the problem was solved at some point after my last post. I decided to test the sound shortly before running FRST (this was a while ago) and it worked!

I still ran FRST and can post a logs topic if you'd like. I myself do not know what finally got rid of this stupid thing.

#5 boopme

Posted 23 February 2015 - 12:52 PM

Up to you ... we'll look at it, if you want to be sure it's clean.