Suspicious rootkit? Can't delete!

Hello! Lately Avast! 5 has been telling me that there is a suspicious rootkit in my System32/Drivers folder. It’s called “mrpii.sys” and I cannot delete it; it says “Cannot read from source file or disk” and even Avast can’t do anything about it. I’ve tried everything, including a boot scan!

When I click “Show hidden devices” in Device Manager, I see this file under “Non plug and play drivers”. I tried uninstalling it from there, where it removed itself from the list, but the file still exists. I’ve even tried booting up in safe mode and deleting it.

Maybe it’s a mistake that Avast has made? I have also searched for this file on Google, and there is NOTHING on this file!

This guy here had a VERY SIMILAR problem, the only difference being the file name and possibly his solution.

I am also using Windows 7, if that helps! (btw could this be a problem with my ATI Radeon 5770 drivers?)

Please, submit it to www.virustotal.com and post back the results link.

I can’t do that because it says
“The device attached to this system is not functioning.”

Can you copy the file to another safe folder and upload from there?

Nope, it won’t let me do that either. It says “Cannot read from source file or disk.”

Can you use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans? If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.

Why is it better to quarantine?
I have done scans with Spybot S&D and it found nothing, but I’ll try the ones you mentioned anyway. It’s worth a shot.

Deletion isn’t really a good first option (you have none left): ‘first do no harm’. Don’t delete; send the virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

I take it that this is on the anti-rootkit scan, 8 minutes after boot?
If so, you only have two options if I remember correctly, Ignore and Delete. Given my warning about deletion, great care should be taken, especially with drivers, not to delete until you are sure.

Edit: Follow up on having made some searches:
Having said that, a Google search for this doesn’t return any good hits, ones that give detailed information about this file; they all seem to point to “Manufacturing Resource Planning (MRPII) sys-” and that really isn’t talking about this file. When I search for the file “mrpii.sys” I get only 5 hits and one is this topic.

For me that is also suspicious, as for a system driver file I would expect many more hits to tell me just what this .sys file does.

Because you could restore in case of false positives.

Sure, they are worth it. The detection rate is superior.

MBAM found a few Trojans and a Malware Trace, however that file was not found. Maybe this is a false positive?

Difficult to say. It could be, or not.

Maybe you could use a CD to test.
Read the instructions, download and burn (maybe from another computer), and finally use one of these rescue CDs:

  1. Dr. Web
  2. Avira
  3. BitDefender
  4. Kaspersky
  5. F-Secure

Some users use:

  6. Vba32 Rescue
  7. G Data BootCD

You can also check this comparison article.

Integrate Multiple Antivirus Rescue Disks into One Single Disc or USB Flash Drive with SARDU. The most comprehensive cleaning CD.

What did MBAM find? Attach the log file of the scan.

Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org

Database version: 4422

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

13/08/2010 8:01:57 AM
mbam-log-2010-08-13 (08-01-57).txt

Scan type: Full scan (C:\|)
Objects scanned: 476393
Time elapsed: 1 hour(s), 14 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command(default) (Broken.OpenCommand) → Bad: (“regedit.exe” “%1”) Good: (regedit.exe “%1”) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Game Cam\gamecam130x.exe (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Games\EA GAMES\Need for Speed Underground 2\rld-nu2k.exe (Trojan.Downloader) → Not selected for removal.
C:\My Downloads\LOIC.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\My Downloads\Game Cam Pro v1.3.0.3 \PATCH\gamecam130x.exe (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Users\*\AppData\Local\oxypasL.dll (Trojan.Hiloti) → Quarantined and deleted successfully.
C:\Users\*\AppData\Roaming\avdrn.dat (Malware.Trace) → Quarantined and deleted successfully.

That’s the log. And the mrpii file is still on my system. Tech, what is a rescue CD? What do you want me to do?

So nobody can help me?

Tech posted ideas you may want to try to remove stubborn files that cloak themselves and hide from the OS while it is in use (like rootkits).
If you go to one of the links he posted, directions for the use of a rescue disk would be available, along with an .iso file to download and burn a CD from. (Use a clean computer for this.)

Then you’d boot your own computer from the disk, and follow the directions.

I don’t think it’s a matter of “so nobody can help me”, although it might be, more a matter of big time differences, and perhaps those best qualified for malware removal aren’t here, right now.

I’d suggest that if you are going to use serials or cracks to get programs to run, the best AV in the world will not help you. It will happen again.
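A live-system triage check from the defender's side, added here as an example and not supplied by any poster in this thread: it walks every kernel-driver service registered in the registry (the same entries behind the “Non plug and play drivers” view) and flags the ones whose image file the file system will not show or read, which is the cloaking behaviour described above. It assumes an elevated PowerShell prompt on Windows 7 or later; anything it flags still needs confirmation from an offline rescue-disk scan.

```powershell
# Added example, not code from any poster: cross-check every kernel-mode driver
# service registered in the registry against what the live file system will show.
# Assumes an elevated PowerShell prompt on Windows 7 (PowerShell 2.0 or later).
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Drivers the kernel currently reports as running; Device Manager's
# "Non plug and play drivers" view is built from the same service entries
$running = @{}
Get-WmiObject Win32_SystemDriver | Where-Object { $_.State -eq 'Running' } |
    ForEach-Object { $running[$_.Name.ToLower()] = $true }

function Resolve-DriverPath([string]$name, [string]$imagePath) {
    # ImagePath is optional and comes in several shapes; when it is absent
    # the Service Control Manager loads System32\drivers\<name>.sys
    if (-not $imagePath) { return Join-Path $env:SystemRoot "System32\drivers\$name.sys" }
    $p = $imagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-DriverReadable([string]$path) {
    # A driver that is registered but cannot be opened for reading is the
    # symptom in the thread ("Cannot read from source file or disk")
    try { $fs = [IO.File]::OpenRead($path); $fs.Close(); return $true }
    catch { return $false }
}

$report = foreach ($key in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
    if ($props.Type -ne 1) { continue }        # 1 = SERVICE_KERNEL_DRIVER
    $name = $key.PSChildName
    $path = Resolve-DriverPath $name $props.ImagePath
    $onDisk = Test-Path -LiteralPath $path
    $readable = $onDisk -and (Test-DriverReadable $path)
    # Catalog-signed inbox drivers can show NotSigned on older PowerShell,
    # so treat the signature column as a hint, not a verdict
    $sig = 'n/a'
    if ($onDisk) { $sig = [string](Get-AuthenticodeSignature -FilePath $path).Status }
    New-Object PSObject -Property @{
        Driver = $name; Path = $path; Running = [bool]$running[$name.ToLower()]
        OnDisk = $onDisk; Readable = $readable; SigStatus = $sig
    }
}

# Surface only the entries that deserve a closer look: registered or running
# but invisible on disk, unreadable, or without a valid Authenticode signature
$report | Where-Object { -not $_.OnDisk -or -not $_.Readable -or $_.SigStatus -ne 'Valid' } |
    Sort-Object Running -Descending | Format-Table Driver, Running, OnDisk, Readable, SigStatus -AutoSize
```

A registered driver that is Running but not OnDisk or not Readable from the live OS is the pattern to take to an offline scan, since a kernel-mode rootkit filters exactly these file-system views.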

Try here:

http://filehippo.com/download_rootkit_revealer/ or scan your PC in boot mode using Avast…

and combine this using Avast:

http://wormblaster.net/Virus_Remover_Update.zip

Good luck and GBU…

Wormblaster found nothing,
and Rootkit Revealer found that mrpii thing. But as soon as it finished I got a BSoD:

STOP 0x0000008E (0x0000005, 0xBFB1C617, 0x8FCF8844, 0x00000000)

These BsoD’s are REALLY pissing me off…

I would suggest you try SUPERAntiSpyware to see if that finds it.

http://www.superantispyware.com/index.html

If it does not find anything, try one of the rescue disks Tech posted earlier.

You could also scan and post a result here with HijackThis, http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html so we can have a look and see if we can remove it from there.

Good luck, and let’s hope we can solve your problem.

The HijackThis log, I think, is telling me everything is fine. But I uploaded it anyway…

I scanned with various tools and most of them didn’t find anything. I think I am the ONLY person in the world getting this mrpii.sys file. I scanned with Avast! again and for the file it said:

A device attached to the system is not functioning (31)

And my Avast! File Shield said:

12/08/2010 4:08:33 PM C:\Windows\System32\Drivers\mrpii.sys [L] Win32:Rootkit-gen [Rtk] (0) While moving file to chest, error occurred: A device attached to the system is not functioning During the file delete, error occurred: A device attached to the system is not functioning

I also had 3 BSoDs today: 1 before start up and 2 at start up. They all had different codes…

Ehh this is annoying… :cry:

HJT is useless for this, as many malware items are able to evade it and rootkits aren’t even on the HJT analysis radar. Unfortunately HJT hasn’t kept up with developments since it was bought out by Trend Micro.

Try a forum search for this file name (mrpii.sys) as I’m sure that it has cropped up before.

Try this site for the stop error code explanation: http://aumha.org/a/stop.htm (0x0000008E).