Rootkit reinfection?

Discussion in 'malware problems & news' started by listeruk, Nov 25, 2007.

Thread Status:
Not open for further replies.
  1. listeruk

    listeruk Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    5
    After stupidly opening an exe in an email, I got infected by Trojan.W32.Beagle, which disabled my AV (avast!), and prevented it being installed.

    I ran the AVG antirootkit and it found this

    I then used combofix to remove the malware, and it removed everything except -
    C:\WINDOWS\System32\Drivers\aghslwes.SYS

    After rebooting, I reinstalled avast! and ran a boot scan which it passed, however, eveytime i run AVG antirootkit, it comes up with an infected file like 'aghslwes.SYS' - and if I clean it and then reboot, there will be another file there with a different name.

    eg: C:\WINDOWS\System32\Drivers\ancmq6f7.SYS

    Does anyone know how to get rid of this?

    Thanks

    ps: I realise that a drive image would have solved all my problems, but I hadn't gotten round to it yet, and deleting the partition and formatting then reinstalling the OS (XP pro) and software would take days.
     
  2. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    576
    Maybe FileASSASSIN or Pocket Killbox can remove it. However, to be safe I suggest you consult an expert instead. Post a hijackthis log in one of the forums listed here.

    thanatos
     
  3. listeruk

    listeruk Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    5
    I see that posting unsolicited logs is expressly forbidden.

    I'll go elsewhere. thanks for replying though.
     
  4. controler

    controler Guest

  5. listeruk

    listeruk Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    5
    I'd already removed Beagle.

    Anyway, got it fixed in another forum, wasn't malware after all, lol!
     
  6. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    576
    Glad to here that everything is fine now :). So the file you were trying to remove was actually legitimate?

    thanatos
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.