So I was looking at another infected laptop *sigh*...
This one was redirecting web traffic to all sorts of places and stopping processes such as RootkitRevealer and Process Explorer dead in their tracks. Since I couldn't see anything obvious in services, the Run key or Task Manager, I suspected a driver-based rootkit... and I was right :)
I looked in system32\drivers and noticed a file called vbma92a1.sys that was dated a few days ago, so I renamed it to .old, and it recreated itself on the next reboot. Aha!
I then booted into an offline environment, deleted it, and created a dummy vbma92a1.sys file in its place, denying everyone and everything access to it.
Upon rebooting, all of my tools worked again :)
Just gotta give it a quick scan with something other than what is installed, and it should be good to go ;)
Hope this helps!
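The same triage and placeholder trick scripted out, as an added example that is not from the original post. It assumes an elevated PowerShell session on the cleaned machine (or a WinPE session with the infected volume mounted, in which case adjust `$Drivers`); the driver name comes from the post, while the 7-day window and the output columns are my choices.

```powershell
# Added example, not the post's own commands. Assumes an elevated PowerShell
# session; $Drivers points at the live system's driver folder by default.
$Drivers = Join-Path $env:SystemRoot 'System32\drivers'
$Suspect = Join-Path $Drivers 'vbma92a1.sys'   # name taken from the post

# 1. Triage: .sys files written in the last 7 days, with Authenticode status,
#    newest first. A fresh, unsigned or badly signed driver that no recent
#    install explains is what the post found by eyeballing the folder.
Get-ChildItem -Path $Drivers -Filter *.sys -File |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name      = $_.Name
            Written   = $_.LastWriteTime
            Size      = $_.Length
            SigStatus = $sig.Status                 # Valid / NotSigned / HashMismatch ...
            Signer    = $sig.SignerCertificate.Subject
        }
    } | Sort-Object Written -Descending | Format-Table -AutoSize

# 2. Is a driver by that name still registered/loaded? (driverquery is built in.)
driverquery /v | Select-String -SimpleMatch 'vbma92a1'

# 3. Once the real file has been deleted offline, plant an empty placeholder and
#    deny everyone all access to it, so the dropper cannot write it back on reboot.
if (-not (Test-Path $Suspect)) {
    New-Item -Path $Suspect -ItemType File | Out-Null
}
icacls $Suspect /inheritance:r          # drop inherited ACEs first
icacls $Suspect /deny '*S-1-1-0:(F)'    # explicit deny for Everyone (well-known SID)
icacls $Suspect                          # print the resulting ACL for the record
```

The deny ACE also locks out SYSTEM and administrators, which is the intent here; remove the placeholder with `icacls $Suspect /remove:d *S-1-1-0` (after taking ownership if needed) if a legitimate driver of that name ever has to be installed.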