Hello! Lately Avast! 5 has been telling me that there is a suspicious rootkit in my System32/Drivers folder. It’s called “mrpii.sys” and I cannot delete it, it says “Cannot read from source file or disk” and even Avast can’t do anything about it. I’ve tried everything, including a boot scan!
When I click “Show hidden devices” in Device Manager, I see this file under “Non plug and play drivers”. I tried uninstalling it from there, where it removed itself from the list, but the file still exists. I’ve even tried booting up in safe mode and deleting it.
Maybe it’s a mistake that Avast has made? And I have also searched this file on google, and there is NOTHING on this file!
This guy here had a VERY SIMILAR problem, the only difference being the file name and possibly his solution.
I am also using Windows 7, if that helps! (btw could this be a problem with my ATI Radeon 5770 drivers?)
Can you use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans? If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
Deletion isn’t really a good first option (you have none left): ‘first do no harm’. Don’t delete; send the virus to the chest and investigate.
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
I take it that this is on the anti-rootkit scan, 8 minutes after boot?
If so you only have two options if I remember correctly, Ignore and Delete. Given my warning about deletion, great care should be taken, especially with drivers, not to delete until you are sure.
Edit: Follow up on having made some searches:
Having said that, a google search for this doesn’t return any good hits, ones that give detailed information about this file; they all seem to point to “Manufacturing Resource Planning (MRPII) sys-” and that really isn’t talking about this file. When I search for the file “mrpii.sys” I get only 5 hits, and one is this topic.
For me that is also suspicious as for a system driver file I would expect many more hits to tell me just what this .sys file does.
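Before deciding between Ignore and Delete on an unknown driver like this, a defender would first collect the basic facts about it (is it registered as a driver service, is the file readable, what is its hash, is it signed). The script below is an added example, not from this thread or from Avast; it assumes an elevated Windows PowerShell 4 or later prompt and takes the driver name from the post (without the .sys extension).

```powershell
# Added triage example: gather facts about a suspicious kernel driver before
# quarantining it. Run from an elevated PowerShell prompt.
param([string]$DriverName = 'mrpii')   # file name from the thread, no .sys

$path = Join-Path $env:SystemRoot "System32\Drivers\$DriverName.sys"

# 1. Is it registered as a driver service, is it running, and how does it start?
#    Non-PnP drivers appear here with StartMode Boot, System or Auto.
$svc = Get-CimInstance Win32_SystemDriver -Filter "Name='$DriverName'"
if ($svc) {
    "Service: {0}  State={1}  StartMode={2}  Path={3}" -f `
        $svc.Name, $svc.State, $svc.StartMode, $svc.PathName
} else {
    "No Win32_SystemDriver entry named $DriverName"
}

# 2. Is the file visible to the OS, and can it actually be read?
#    A cloaked or locked file usually errors out here; that is a signal in itself.
if (Test-Path -LiteralPath $path) {
    $item = Get-Item -LiteralPath $path -Force
    "File: {0}  Size={1}  Created={2}  Modified={3}" -f `
        $item.FullName, $item.Length, $item.CreationTime, $item.LastWriteTime
    try {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        "SHA256: $hash   (check this against a reputation service before deciding)"
    } catch {
        "Could not read/hash file: $($_.Exception.Message)"
    }

    # 3. Signature status. Legitimate vendor drivers are normally signed;
    #    NotSigned or HashMismatch on a kernel driver is a strong reason to quarantine.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    "Signature: {0}  Signer={1}" -f $sig.Status, $sig.SignerCertificate.Subject
} else {
    "File not visible at $path (hidden by a filter driver, or already removed)"
}
```

If step 2 fails with an access error while step 1 shows the driver running, the file is being hidden or locked by something loaded in the kernel, which is the situation where an offline rescue disc scan is the safer next step.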
Tech posted ideas you may want to try to remove stubborn files that cloak themselves and hide from the OS when it is in use (like rootkits).
If you go to one of the links he posted, directions for the use of a rescue disk would be available, along with an .iso file to download, and burn a CD from. (Use a clean computer for this.)
Then you’d boot your own computer from the disk, and follow the directions.
I don’t think it’s a matter of “so nobody can help me”, although it might be, more a matter of big time differences, and perhaps those best qualified for malware removal aren’t here, right now.
I’d suggest that if you are going to use serials or cracks to get programs to run, the best AV in the world will not help you. It will happen again.
The hijackthis log I think is telling me everything is fine. But I uploaded it anyway…
I scanned with various tools and most of them didn’t find anything. I think I am the ONLY person in the world getting this mrpii.sys file. I scanned with Avast! again and for the file it said:
A device attached to the system is not functioning (31)
And my Avast! File Shield said:
12/08/2010 4:08:33 PM C:\Windows\System32\Drivers\mrpii.sys [L] Win32:Rootkit-gen [Rtk] (0)
While moving file to chest, error occurred: A device attached to the system is not functioning
During the file delete, error occurred: A device attached to the system is not functioning
I also had 3 BSoD’s today. 1 before start up and 2 at start up. They all had different codes…
HJT is useless for this, as many malware items are able to evade it and rootkits aren’t even on the HJT analysis radar. Unfortunately HJT hasn’t kept up with developments since it was bought out by Trend Micro.
Try a forum search for this file name (mrpii.sys) as I’m sure that it has cropped up before.