-
"\Device\mfeavfk01.sys" - clean or infected rootkit?
I installed a trial version of AVG antivirus on my sister's laptop and it flagged a warning on the item "\Device\mfeavfk01.sys" as a hidden driver rootkit. I wonder whether this might be a false positive, as it looks like a driver for McAfee. I googled but found nothing referring to it so far. I presume that it is clean but am in no way sure about it. Please help to identify this if anyone knows about it. Thank you.
-
*nix Technical Support
Are you using McAfee with AVG?
You're not supposed to run two anti-viruses at the same time... it leads to problems like this.
-
Administrator
mfeavfk01.sys does seem to belong to McAfee.
Try uploading the file to Virustotal.com and have it scanned with multiple antivirus engines.
And as Hellnoire said, it is a general rule not to install multiple antivirus products.
-
Moderator
Hi
The following driver is installed by McAfee:
c:\windows\system32\drivers\mferkdet.sys
As Raymond said, the driver flagged as hidden doesn't belong to McAfee.
If the path is like \Device\Harddisk0\, it is a Master Boot Record rootkit.
Please download MalwareBytes' AntiMalware free to your desktop, install and update it, then run a scan and post the log file (copy and paste), please.
Now download to C:\ the MBR rootkit detector (by Gmer):
http://www2.gmer.net/mbr/mbr.exe (if your antivirus gives you a warning, ignore it, since "mbr.exe" is clean)
Now press Win + R (Start > Run), type "C:\mbr.exe" (without brackets) and hit Enter.
If you get something like:
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
malicious code @ sector 0x132c0ab6 size 0x1ce !
copy of MBR has been found in sector 62 !
Your system is infected by a MBR rootkit
In that case, reboot in safe mode (hit F8), then press Win + R (Start > Run), type "C:\mbr.exe -f" (without brackets) and hit Enter.
Roger and out
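As an added example that is not part of the thread: a small Python triage helper that parses the two kinds of mbr.exe transcript quoted above (the infected one with "malicious code @ sector" lines and the clean "user & kernel MBR OK" one) and returns a verdict, so the cases can be told apart mechanically when logs are pasted into a ticket. The sample transcripts are constructed from the lines in this thread; the function name is my own.

```python
import re

# Constructed samples modelled on the two mbr.exe transcripts quoted in this thread.
INFECTED_SAMPLE = """\
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
malicious code @ sector 0x132c0ab6 size 0x1ce !
copy of MBR has been found in sector 62 !
"""

CLEAN_SAMPLE = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

MALICIOUS_RE = re.compile(r"malicious code @ sector (0x[0-9a-f]+) size (0x[0-9a-f]+)", re.I)
COPY_RE = re.compile(r"copy of MBR has been found in sector (\d+)", re.I)


def triage_mbr_log(text):
    """Summarise a GMER mbr.exe transcript (hypothetical helper, not part of GMER).

    verdict is 'infected', 'clean' or 'inconclusive'. A log is only called clean
    when both the user-mode and kernel-mode reads succeeded AND the tool printed
    its explicit OK line; a transcript that stops early (e.g. the tool could not
    read the MBR) stays inconclusive rather than being reported as clean.
    """
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    result = {"verdict": "inconclusive", "user_read": False, "kernel_read": False,
              "malicious_sector": None, "malicious_size": None, "mbr_copy_sector": None}
    for line in lines:
        if line.startswith("user: MBR read successfully"):
            result["user_read"] = True
        elif line.startswith("kernel: MBR read successfully"):
            result["kernel_read"] = True
        m = MALICIOUS_RE.search(line)
        if m:  # sector/size are printed in hex by the tool
            result["malicious_sector"] = int(m.group(1), 16)
            result["malicious_size"] = int(m.group(2), 16)
        m = COPY_RE.search(line)
        if m:  # the backed-up original MBR the rootkit keeps, printed in decimal
            result["mbr_copy_sector"] = int(m.group(1))
    if result["malicious_sector"] is not None or result["mbr_copy_sector"] is not None:
        result["verdict"] = "infected"
    elif result["user_read"] and result["kernel_read"] and any(
            l.startswith("user & kernel MBR OK") for l in lines):
        result["verdict"] = "clean"
    return result
```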
-
I couldn't find that file on that computer, even through Windows search. But I found a similar one named "mfeavfk.sys" in the system32/drivers folder. I uploaded that to VirusTotal. Below is the link for that result:
http://www.virustotal.com/analisis/aad56f7371984ccbd73d443c7874c5fcee320af5c4b9b118528f2704f359c2a5-1268549950
No virus found.
@leofelix: I am still waiting for Malwarebytes to finish its scanning.
This is the scan result from MBAM:
Malwarebytes' Anti-Malware 1.44
Database version: 3865
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
3/14/2010 3:44:51 PM
mbam-log-2010-03-14 (15-44-51).txt
Scan type: Full Scan (D:\|)
Objects scanned: 179330
Time elapsed: 7 minute(s), 0 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
The result from GMER:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
All scans look clean and safe.
-
Moderator

Originally Posted by
dredge
I couldn't find that file on that computer, even through Windows search. But I found a similar one named "mfeavfk.sys" in the system32/drivers folder. I uploaded that to VirusTotal. Below is the link for that result:
http://www.virustotal.com/analisis/aad56f7371984ccbd73d443c7874c5fcee320af5c4b9b118528f2704f359c2a5-1268549950
No virus found.
Hi dredge,
It is useless to upload a different (even if similar) file to VirusTotal.
The infected file is another one, and you cannot find it because it is hidden and flagged as a rootkit.

Originally Posted by
dredge
This is the scan result from MBAM:
Malwarebytes' Anti-Malware 1.44
Database version: 3865
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
3/14/2010 3:44:51 PM
mbam-log-2010-03-14 (15-44-51).txt
Scan type: Full Scan (D:\|)
All scans look clean and safe.
Well, would you please scan your C:\ drive now?
Thank you
-
Whiz Kid
When we're talking about AVG, it's probably a false positive. Anyway, did you check this file on VirusTotal? Because by its name and extension it looks like malware.
-
*nix Technical Support
I'm still thinking he's running two AVs at the same time... I'd like a response on that too.
-

Originally Posted by
leofelix
Hi dredge,
It is useless to upload a different (even if similar) file to VirusTotal.
The infected file is another one, and you cannot find it because it is hidden and flagged as a rootkit.
Well, would you please scan your C:\ drive now?
Thank you
But, leofelix, Windows was installed on the D drive. So, do I need to scan the C drive as well? Sorry, I forgot to mention that.
@hellnoire: maybe you are right. I am going to uninstall McAfee now to see what happens next.
-
*nix Technical Support

Originally Posted by
dredge
Maybe you are right. I am going to uninstall McAfee now to see what happens next.
Chances are good that once you do what the bolded text says, it will no longer have a problem.
Never run two antiviruses at once. I don't know how many times I've had to say that over the past few months, but I'm certainly getting sick of those who think they can and get away with no bugs. If you can, congrats, power to you. But for most users, you're going to run into a billion and one other bugs. So DON'T DO IT.