Author Topic: Pragma Rootkit  (Read 3704 times)


rhavener

Pragma Rootkit
« on: December 27, 2012, 04:53:34 PM »
Avast is detecting Pragma on a friend's PC running Vista Pro, running as a service. 
I have tried Delete and Quarantine & performed the reboot as prompted, but it is not removed. 

GMER still detects the presence of the rootkit. 

Rootkit Revealer shows the file to be in \Windows\System32\drivers as PRAGMAyrbesxmecq.sys.
However, I cannot kill the process.
When I boot with a Knoppix disk and mount the drive, that particular file does not show up in the \drivers folder.
I know it is hidden, but I don't seem to have a good way to get to it.

The Threat Detected message from Avast is:
SVC:PRAGMAyrbesxmecq > ???
Severity: High
Result: Error: Error 0xA0000101. (-1610612479)

I have thrown everything but the kitchen sink at it (MBAM, Super AntiSpyware, etc.), and cannot get rid of it.

Any thoughts?

« Last Edit: December 28, 2012, 01:59:07 AM by rhavener »
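The comparison rhavener did by hand above (a driver service visible on the running system versus a file listing taken from the Knoppix mount) can be scripted. The following is an added example, not code from the thread or from Avast, GMER, RootkitRevealer or any other tool named in it. The ImagePath values, the offline listing and the Windows directory (C:\Windows) are constructed sample data; the service name and file name PRAGMAyrbesxmecq come from the post, but the registry value shown for it is an assumption.

```python
"""Cross-check driver services (as seen from the live registry) against a
directory listing taken offline from a live-CD mount.

Added example; all sample data below is constructed, not taken from a real
machine. Assumed Windows directory: C:\\Windows.
"""
import ntpath


def normalize_image_path(image_path, system_root=r"C:\Windows"):
    """Return a lower-cased full DOS path for a kernel-driver ImagePath value.

    The Services key accepts several spellings for the same file; the
    common ones are handled here:
      \\SystemRoot\\System32\\drivers\\x.sys      NT object-manager form
      %SystemRoot%\\System32\\drivers\\x.sys     environment-variable form
      System32\\drivers\\x.sys                   relative to the Windows dir
      \\??\\C:\\Windows\\System32\\drivers\\x.sys  Win32 device-namespace prefix
      C:\\Windows\\System32\\drivers\\x.sys       plain DOS path
    Kernel drivers take no command-line arguments, so only surrounding
    quotes are stripped.
    """
    p = image_path.strip().strip('"')
    lower = p.lower()
    if lower.startswith("\\systemroot\\"):
        p = system_root + p[len("\\systemroot"):]
    elif lower.startswith("%systemroot%\\"):
        p = system_root + p[len("%systemroot%"):]
    elif lower.startswith("\\??\\"):
        p = p[len("\\??\\"):]
    elif len(p) > 1 and p[1] == ":":
        pass  # already a DOS path
    else:
        p = ntpath.join(system_root, p)  # relative to the Windows directory
    return ntpath.normpath(p).lower()


def windows_paths_from_mount(listing, mount_point, drive="C:"):
    """Translate lines from a live-CD listing such as
    `find /mnt/sda1/Windows -iname '*.sys'` into lower-cased DOS paths so
    they compare with normalize_image_path()."""
    mount_point = mount_point.rstrip("/")
    out = set()
    for line in listing:
        line = line.strip()
        if not line.startswith(mount_point + "/"):
            continue  # skip anything not under the mounted Windows volume
        rel = line[len(mount_point) + 1:]
        out.add((drive + "\\" + rel.replace("/", "\\")).lower())
    return out


def drivers_missing_offline(services, offline_files, system_root=r"C:\Windows"):
    """Return [(service_name, expected_path)] for every service whose driver
    file is not present in the offline listing."""
    missing = []
    for name, image_path in sorted(services.items()):
        expected = normalize_image_path(image_path, system_root)
        if expected not in offline_files:
            missing.append((name, expected))
    return missing


def listing_discrepancies(live_files, offline_files):
    """Files that appear in only one of the two views (the RootkitRevealer
    idea: live API view versus raw/offline view). Returns (only_live, only_offline)."""
    live = {f.lower() for f in live_files}
    off = {f.lower() for f in offline_files}
    return sorted(live - off), sorted(off - live)


# Constructed sample: three service ImagePath values as they might be read
# from HKLM\SYSTEM\...\Services\<name>\ImagePath on the running system.
SERVICES = {
    "afd": r"\SystemRoot\system32\drivers\afd.sys",
    "Tcpip": r"System32\DRIVERS\tcpip.sys",
    "PRAGMAyrbesxmecq": r"\SystemRoot\System32\drivers\PRAGMAyrbesxmecq.sys",  # assumed value
}

# Constructed sample: what `find /mnt/sda1/Windows/System32/drivers -iname '*.sys'`
# might print from the Knoppix side. The PRAGMA file is deliberately absent.
OFFLINE_LISTING = [
    "/mnt/sda1/Windows/System32/drivers/afd.sys",
    "/mnt/sda1/Windows/System32/drivers/tcpip.sys",
]

if __name__ == "__main__":
    offline = windows_paths_from_mount(OFFLINE_LISTING, "/mnt/sda1")
    for name, path in drivers_missing_offline(SERVICES, offline):
        print("service %s points at %s, which is not in the offline listing" % (name, path))
```

On the live-CD side the service list can be read from the offline SYSTEM hive with a hive reader such as hivexsh; note that an offline hive has no CurrentControlSet link, so look under the ControlSet00N that the Select key's Current value names. The script only reports where the two views disagree; a disagreement is what makes an entry worth chasing, it does not by itself prove the entry is malicious.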

true indian

Re: Pragma Rootkit
« Reply #1 on: December 27, 2012, 04:56:51 PM »
Follow this guide: http://forum.avast.com/index.php?topic=53253.0

Attach all logs here.

rhavener

Re: Pragma Rootkit
« Reply #2 on: December 28, 2012, 02:03:37 AM »
The first logs are attached to the beginning post.
MBAM came up empty.
Attached here are the remainder of the logs.
ASWMBR can see the service.

rhavener

Re: Pragma Rootkit
« Reply #3 on: January 02, 2013, 04:32:44 AM »
Is anybody there?  I posted the logs in this thread last week & haven't heard any response.

Pondus
Re: Pragma Rootkit
« Reply #4 on: January 02, 2013, 06:26:53 AM »
Sorry we missed your post.
Malware removers are now notified. It may take hours before one arrives, so be patient.

jeffce

Re: Pragma Rootkit
« Reply #5 on: January 02, 2013, 01:42:20 PM »
Let me look this over. In the meantime, please do the following:

Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and attach its contents in your next reply.


rhavener

Re: Pragma Rootkit
« Reply #6 on: January 04, 2013, 02:01:42 AM »
Here is the ASWMbr log file.

Additional notes:
I attempted to run ComboFix as Administrator (have used it many times in the past when required).  However, it errored and told me that I must run it as Administrator.


jeffce

Re: Pragma Rootkit
« Reply #7 on: January 04, 2013, 02:28:26 AM »
Hi,

Thanks for letting me know about ComboFix before. Let's give it another shot.

ComboFix

Download Combofix from the link below, and save it to your desktop. 
Link

**Note: It is important that it is saved directly to your desktop.**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

  • Right-click ComboFix.exe, choose Run as Administrator, and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.