Avast is detecting Pragma on a friend’s PC running Vista Pro, running as a service.
I have tried Delete and Quarantine & performed the reboot as prompted, but it is not removed.
GMER still detects the presence of the rootkit.
Rootkit Revealer shows the file to be in \Windows\System32\drivers as PRAGMAyrbesxmecq.sys.
However, I cannot kill the process.
When I boot with a Knoppix disk and mount the drive, that particular file does not show up in the \drivers folder.
I know it is hidden, but I don’t seem to have a good way to get to it.
The Threat Detected message from Avast is:
SVC:PRAGMAyrbesxmecq > ???
Severity: High
Result: Error: Error 0xA0000101. (-1610612479)
I have thrown everything but the kitchen sink at it (MBAM, Super AntiSpyware, etc.), and cannot get rid of it.
[*]Double click the aswMBR icon to run it.
[*]Click the Scan button to start scan.
[*]If you are asked to update the Avast Virus database please allow it to do so.
[*]When it finishes, press the save log button, save the logfile to your desktop and attach its contents in your next reply.
Additional notes:
I attempted to run ComboFix as Administrator (have used it many times in the past when required). However, it errored and told me that I must run it as Administrator.
Thanks for letting me know about ComboFix before…let’s give it another shot.
ComboFix
Download Combofix from the link below, and save it to your desktop. Link
Note: It is important that it is saved directly to your desktop
If you get a message saying “Illegal operation attempted on a registry key that has been marked for deletion”, please restart your computer.
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt for further review.