Avast WEBforum

Other => Viruses and worms => Topic started by: rhavener on December 27, 2012, 04:53:34 PM

Title: Pragma Rootkit
Post by: rhavener on December 27, 2012, 04:53:34 PM
Avast is detecting Pragma on a friend's PC running Vista Pro, running as a service. 
I have tried Delete and Quarantine & performed the reboot as prompted, but it is not removed. 

GMER still detects the presence of the rootkit. 

Rootkit Revealer shows the file to be in \Windows\System32\drivers as PRAGMAyrbesxmecq.sys.
However, I cannot kill the process.
When I boot with a Knoppix disk and mount the drive, that particular file does not show up in the \drivers folder.
I know it is hidden, but I don't seem to have a good way to get to it.

The Threat Detected message from Avast is:
SVC:PRAGMAyrbesxmecq > ???
Severity: High
Result: Error: Error 0xA0000101. (-1610612479)

I have thrown everything but the kitchen sink at it (MBAM, Super AntiSpyware, etc.), and cannot get rid of it.

Any thoughts?

Title: Re: Pragma Rootkit
Post by: true indian on December 27, 2012, 04:56:51 PM
Follow this guide: http://forum.avast.com/index.php?topic=53253.0

Attach all logs here.
Title: Re: Pragma Rootkit
Post by: rhavener on December 28, 2012, 02:03:37 AM
The first logs are attached to the beginning post.
MBAM came up empty.
Attached here are the remainder of the logs.
ASWMBR can see the service.
Title: Re: Pragma Rootkit
Post by: rhavener on January 02, 2013, 04:32:44 AM
Is anybody there?  I posted the logs in this thread last week & haven't heard any response.
Title: Re: Pragma Rootkit
Post by: Pondus on January 02, 2013, 06:26:53 AM
Sorry we missed your post.
Malware removers are now notified. It may take hours before one arrives, so be patient.
Title: Re: Pragma Rootkit
Post by: jeffce on January 02, 2013, 01:42:20 PM
Let me look this over. In the meantime, please do the following:

Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.

Title: Re: Pragma Rootkit
Post by: rhavener on January 04, 2013, 02:01:42 AM
Here is the ASWMbr log file.

Additional notes:
I attempted to run ComboFix as Administrator (have used it many times in the past when required).  However, it errored and told me that I must run it as Administrator.

Title: Re: Pragma Rootkit
Post by: jeffce on January 04, 2013, 02:28:26 AM
Hi,

Thanks for letting me know about ComboFix before. Let's give it another shot.

ComboFix

Download Combofix from the link below, and save it to your desktop. 
Link (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html)

--------------------------------------------------------------------

Right-click ComboFix.exe, select Run as Administrator, and follow the prompts.