Rootkit reinfection?

Discussion in 'malware problems & news' started by listeruk, Nov 25, 2007.

Thread Status:
Not open for further replies.
  1. listeruk

    listeruk Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    5
After stupidly opening an exe in an email, I got infected by Trojan.W32.Beagle, which disabled my AV (avast!) and prevented it from being installed.

    I ran the AVG antirootkit and it found this

    I then used combofix to remove the malware, and it removed everything except -
    C:\WINDOWS\System32\Drivers\aghslwes.SYS

After rebooting, I reinstalled avast! and ran a boot scan, which it passed. However, every time I run AVG antirootkit, it comes up with an infected file like 'aghslwes.SYS', and if I clean it and then reboot, there will be another file there with a different name.

    eg: C:\WINDOWS\System32\Drivers\ancmq6f7.SYS

    Does anyone know how to get rid of this?

    Thanks

    ps: I realise that a drive image would have solved all my problems, but I hadn't gotten round to it yet, and deleting the partition and formatting then reinstalling the OS (XP pro) and software would take days.
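An added example (the editor's, not code from the thread or from any of the tools named in it) of the check a practitioner would run on the symptom described above: list every .sys file under System32\Drivers with its Authenticode status and whether it is registered as a driver service, so an unfamiliar randomly named file such as aghslwes.SYS can be tied to a known service, or shown to be tied to none. It assumes PowerShell 2.0 or later with WMI available; the eight-character name pattern is a heuristic assumption of this example, not a published indicator.

```powershell
# Added example; not from the original thread or from AVG, avast! or ComboFix.
# Enumerates System32\Drivers, checks each file's Authenticode signature, and
# cross-references it with the Win32_SystemDriver table so that a randomly named
# driver can be matched to (or shown absent from) the registered driver services.
$driverDir = Join-Path $env:SystemRoot 'System32\Drivers'

# Registered kernel drivers, keyed by lower-cased file name.
# PathName may be "C:\...", "\??\C:\..." or "\SystemRoot\..."; Split-Path -Leaf handles all three.
$registered = @{}
foreach ($d in Get-WmiObject Win32_SystemDriver) {
    if ($d.PathName) {
        $leaf = (Split-Path -Leaf $d.PathName).ToLower()
        $registered[$leaf] = $d
    }
}

# Assumption: heuristic for autogenerated names like aghslwes.SYS / ancmq6f7.SYS
# (eight lower-case alphanumerics). Legitimate tools also generate such names.
$randomName = '^[a-z0-9]{8}\.sys$'

$report = Get-ChildItem -Path $driverDir -Filter '*.sys' | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $reg = $registered[$_.Name.ToLower()]
    New-Object PSObject -Property @{
        File          = $_.Name
        Modified      = $_.LastWriteTime
        Signature     = $sig.Status      # Valid / NotSigned / HashMismatch / UnknownError ...
        Signer        = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
        Service       = $(if ($reg) { $reg.Name } else { '' })
        State         = $(if ($reg) { $reg.State } else { '' })
        StartMode     = $(if ($reg) { $reg.StartMode } else { '' })
        RandomLooking = [bool]($_.Name -match $randomName)
    }
}

# Show only what needs a human decision: unsigned or tampered files, and random-looking names.
$report |
    Where-Object { $_.Signature -ne 'Valid' -or $_.RandomLooking } |
    Sort-Object Modified -Descending |
    Format-Table File, Modified, Signature, Signer, Service, State, StartMode, RandomLooking -AutoSize
```

Run it from an administrative shell and read the output with two caveats. First, in-box Microsoft drivers on XP and later are normally catalog-signed rather than embedded-signed, and Get-AuthenticodeSignature in older PowerShell versions does not consult catalog files, so "NotSigned" on its own is not evidence of anything; the useful signals are a recent modification time, a file with no registered service, or a registered service whose file name changes between reboots. Second, some security tools (anti-rootkit scanners among them) install their own randomly named drivers, so a hit on the name pattern alone is not a verdict; compare the file's timestamp with when each scanner was last run before deleting anything.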
     
  2. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Maybe FileASSASSIN or Pocket Killbox can remove it. However, to be safe I suggest you consult an expert instead. Post a hijackthis log in one of the forums listed here.

    thanatos
     
  3. listeruk

    listeruk Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    5
    I see that posting unsolicited logs is expressly forbidden.

    I'll go elsewhere. thanks for replying though.
     
  4. controler

    controler Guest

  5. listeruk

    listeruk Registered Member

    Joined:
    Apr 30, 2005
    Posts:
    5
    I'd already removed Beagle.

    Anyway, got it fixed in another forum, wasn't malware after all, lol!
     
  6. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
Glad to hear that everything is fine now :). So the file you were trying to remove was actually legitimate?

    thanatos
     