Pragma Rootkit

Avast is detecting Pragma on a friend’s PC running Vista Pro, running as a service.
I have tried Delete and Quarantine & performed the reboot as prompted, but it is not removed.

GMER still detects the presence of the rootkit.

Rootkit Revealer shows the file to be in \Windows\System32\drivers as PRAGMAyrbesxmecq.sys.
However, I cannot kill the process.
When I boot with a Knoppix disk and mount the drive, that particular file does not show up in the \drivers folder.
I know it is hidden, but I don’t seem to have a good way to get to it.

The Threat Detected message from Avast is:
SVC:PRAGMAyrbesxmecq > ???
Severity: High
Result: Error: Error 0xA0000101. (-1610612479)

I have thrown everything but the kitchen sink at it (MBAM, Super AntiSpyware, etc.), and cannot get rid of it.

Any thoughts?

Follow this guide: http://forum.avast.com/index.php?topic=53253.0

Attach all logs here.

The first logs are attached to the beginning post.
MBAM came up empty.
Attached here are the remainder of the logs.
aswMBR can see the service.

Is anybody there? I posted the logs in this thread last week & haven’t heard any response.

Sorry we missed your post.
Malware removers are now notified. It may take hours before one arrives, so be patient.

Let me look this over. In the meantime, please do the following:

http://i1224.photobucket.com/albums/ee380/jeffce74/aswmbr.jpg
Please download aswMBR to your desktop.

- Double-click the aswMBR icon to run it.
- Click the Scan button to start the scan.
- If you are asked to update the Avast virus database, please allow it to do so.
- When it finishes, press the Save log button, save the logfile to your desktop, and attach its contents in your next reply.


http://i1224.photobucket.com/albums/ee380/jeffce74/aswmbrscan.jpg

Here is the aswMBR log file.

Additional notes:
I attempted to run ComboFix as Administrator (have used it many times in the past when required). However, it errored and told me that I must run it as Administrator.

Hi,

Thanks for letting me know about ComboFix. Let's give it another shot.

ComboFix

Download Combofix from the link below, and save it to your desktop.
Link

Note: It is important that it is saved directly to your desktop.
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.


Right-click ComboFix.exe, choose Run as Administrator, and follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.