"\Device\mfeavfk01.sys" - clean or infected rootkit?

Discussion in 'Security and Viruses' started by dredge, Mar 14, 2010.

  1. dredge, Active Member
    I installed a trial version of AVG antivirus on my sister's laptop and it flagged a warning on the item "\Device\mfeavfk01.sys" as a hidden driver rootkit. I wonder whether this might be a false positive, as it looks like a driver for McAfee. I googled but found nothing referring to it so far. I presume that it is clean but am in no way sure about it. Please help to identify this if anyone knows about it. Thank you.
  3. hellnoire, *nix Technical Support
    Are you using McAfee with AVG?

    You're not supposed to run two anti-viruses at the same time... it leads to problems like this.
  4. Raymond, Administrator, Staff Member
    mfeavfk01.sys does seem like it belongs to McAfee.
    Try uploading the file to Virustotal.com and have it scanned with multiple antivirus engines.
    And like Hellnoire said, it is a general rule not to install multiple antivirus products.
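    The two checks a practitioner would run before trusting or deleting a driver like this are (a) is the file on disk Authenticode-signed, and by whom, and (b) what is its SHA-256, since that is the hash VirusTotal keys its reports by, so the exact file has to be hashed rather than a lookalike. The PowerShell below is an added example written for this thread; it is not code from the thread or from AVG, McAfee or GMER. Its assumptions: an elevated PowerShell 4.0 or later session (Get-FileHash), the "mfe" name prefix used to pick out McAfee-style driver services, and the report layout. One caveat it cannot remove: a name under \Device\ is a device object created by a driver, not a file path (which is why a file search for it finds nothing), and a driver that is genuinely hidden by a rootkit can also be missing from the service list this script enumerates. Agreement between this list and what an anti-rootkit scanner sees is the actual signal.

```powershell
# Added example, not from the thread: list kernel driver services whose name
# starts with a prefix, resolve each to its file on disk, check the Authenticode
# signature and compute the SHA-256 that VirusTotal indexes by.
# Assumptions: elevated PowerShell 4.0+; the 'mfe' prefix and the output shape
# are this example's choices, not anything AVG or McAfee documents.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes back in several forms, e.g.
    #   \SystemRoot\system32\DRIVERS\x.sys
    #   system32\drivers\x.sys
    #   \??\C:\Windows\system32\drivers\x.sys
    #   C:\Windows\system32\drivers\x.sys
    if ([string]::IsNullOrEmpty($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverReport {
    param([string]$NamePrefix = 'mfe')
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like "$NamePrefix*" } |
        ForEach-Object {
            $file   = Resolve-DriverPath $_.PathName
            $onDisk = [bool]($file -and (Test-Path -LiteralPath $file))
            $status = 'n/a'; $signer = 'n/a'; $sha256 = $null
            if ($onDisk) {
                # Status is Valid, NotSigned, HashMismatch, NotTrusted, ...
                $sig    = Get-AuthenticodeSignature -LiteralPath $file
                $status = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                # VirusTotal report URLs carry the 64-hex-digit SHA-256 of the file.
                $sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $file).Hash
            }
            [pscustomobject]@{
                Driver    = $_.Name
                State     = $_.State        # Running / Stopped
                StartMode = $_.StartMode
                File      = $file
                OnDisk    = $onDisk
                SigStatus = $status
                Signer    = $signer
                SHA256    = $sha256
            }
        }
}

# A driver that is Running but not OnDisk, or OnDisk with SigStatus other than
# Valid, is the one to hash and submit; a Valid signature with a McAfee subject
# is strong evidence of a false positive.
Get-DriverReport -NamePrefix 'mfe' | Format-List
```

    Run it once on the affected machine and once on a known-good machine with the same McAfee version; a driver service that appears only in the anti-rootkit scanner's view, or a file whose signature status is anything other than Valid, is what deserves the VirusTotal upload.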
  5. leofelix, Distinguished Member
    Hi
    The following driver is installed by McAfee

    c:\windows\system32\drivers\mferkdet.sys

    As Raymond said, the driver flagged as hidden doesn't belong to McAfee

    If the path is like \Device\Harddisk0\, it is a Master Boot Record rootkit

    Please download MalwareBytes' AntiMalware free to your desktop, install and update it, then run a scan and post the log file (copy and paste), please.


    Now download to C:\

    MBR rootkit detector (by Gmer)

    http://www2.gmer.net/mbr/mbr.exe (if your antivirus gives you a warning, ignore it since "mbr.exe" is clean)

    now Win + R (Start)>Run type "C:\mbr.exe" (without brackets) hit Enter.

    If you get something like:

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    malicious code @ sector 0x132c0ab6 size 0x1ce !
    copy of MBR has been found in sector 62 !


    Your system is infected by a MBR rootkit

    If so, reboot in safe mode (hit F8), then: Win + R (Start)>Run type "C:\mbr.exe -f" (without brackets) hit Enter.
    Last edited: Mar 14, 2010
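    The mbr.exe procedure above is read by eye, which is fine for one laptop but not for a fleet. The PowerShell below is an added example, not part of the post or of GMER's tool: it runs the detector (or takes saved output), recognises the two result shapes quoted in this thread, pulls the sector and size fields out of the infected-case line, and refuses to call a system "Clean" when the tool never got as far as reading the MBR from both user and kernel mode. Assumptions: mbr.exe sits at C:\mbr.exe as the post instructs, the session is elevated, and the line formats are exactly those shown above; any other output lands in "Unknown" rather than being guessed at.

```powershell
# Added example, not from the thread: turn mbr.exe's console output into a
# verdict object so the check can be scripted and compared across machines.
# Assumptions: C:\mbr.exe as in the post; the recognised line formats are the
# two outcomes quoted in this thread (infected and "user & kernel MBR OK").

function Get-MbrVerdict {
    param([string[]]$Lines)
    $verdict = [pscustomobject]@{
        DeviceOpened  = $false
        UserMbrRead   = $false
        KernelMbrRead = $false
        Result        = 'Unknown'   # Clean | Infected | Unknown
        MaliciousAt   = $null       # sector holding the malicious code
        MaliciousSize = $null       # its size in bytes
        MbrCopySector = $null       # where the original MBR was stashed
    }
    foreach ($line in $Lines) {
        # switch -Regex evaluates every case and fills $Matches on a hit.
        switch -Regex ($line) {
            '^device: opened successfully'   { $verdict.DeviceOpened  = $true }
            '^user: MBR read successfully'   { $verdict.UserMbrRead   = $true }
            '^kernel: MBR read successfully' { $verdict.KernelMbrRead = $true }
            '^user & kernel MBR OK'          { $verdict.Result = 'Clean' }
            'malicious code @ sector (0x[0-9a-f]+) size (0x[0-9a-f]+)' {
                $verdict.Result        = 'Infected'
                $verdict.MaliciousAt   = [Convert]::ToInt64($Matches[1], 16)
                $verdict.MaliciousSize = [Convert]::ToInt64($Matches[2], 16)
            }
            'copy of MBR has been found in sector (\d+)' {
                $verdict.MbrCopySector = [int]$Matches[1]
            }
        }
    }
    # If either MBR read failed, the comparison never happened: not "Clean".
    if (-not ($verdict.UserMbrRead -and $verdict.KernelMbrRead)) {
        $verdict.Result = 'Unknown'
    }
    return $verdict
}

# Prefer a live run of the detector; fall back to a constructed sample
# (the infected case quoted earlier in this thread) so the parser can be tried
# on a machine without mbr.exe.
$output = if (Test-Path -LiteralPath 'C:\mbr.exe') {
    & 'C:\mbr.exe' 2>&1 | ForEach-Object { "$_" }
} else {
    @('device: opened successfully',
      'user: MBR read successfully',
      'kernel: MBR read successfully',
      'malicious code @ sector 0x132c0ab6 size 0x1ce !',
      'copy of MBR has been found in sector 62 !')
}
Get-MbrVerdict -Lines $output
```

    On the clean output dredge posted later in this thread the function returns Result = Clean with all three read flags set; on the constructed infected sample it returns Result = Infected, MaliciousAt = 321653430 (0x132c0ab6), MaliciousSize = 462 (0x1ce) and MbrCopySector = 62. The "Unknown" path matters: a tool that fails to open the device produces neither line, and treating that silence as clean is how MBR infections get signed off.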
  6. dredge, Active Member
    I couldn't find that file on that computer, even through Windows search. But I found a similar one named "mfeavfk.sys" in the system32\drivers folder. I uploaded that to VirusTotal. Below is the link to the result:
    http://www.virustotal.com/analisis/aad56f7371984ccbd73d443c7874c5fcee320af5c4b9b118528f2704f359c2a5-1268549950
    No virus found.
    @leofelix: I am still waiting for Malwarebytes to finish its scan.

    This is the scan result from MBAM:
    Malwarebytes' Anti-Malware 1.44
    Database version: 3865
    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    3/14/2010 3:44:51 PM
    mbam-log-2010-03-14 (15-44-51).txt

    Scan type: Full Scan (D:\|)
    Objects scanned: 179330
    Time elapsed: 7 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    The result from GMER:
    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK

    All scans look clean and safe.
    Last edited: Mar 14, 2010
  7. leofelix, Distinguished Member

    Hi dredge,
    it is useless to upload a different (even if similar) file to VirusTotal.
    The infected file is a different one, and you cannot find it because it is hidden and flagged as a rootkit


    Well, would you please scan your C:\ drive now?

    Thank you
  8. Alboguy, Experienced Member
    When we're talking about AVG, it's probably a false positive. Anyway, did you check this file on VirusTotal? Because by its name and extension it looks like malware.
  9. hellnoire, *nix Technical Support
    I'm still thinking he's running two AVs at the same time... I'd like a response on that too.
  10. dredge, Active Member
    But, leofelix, Windows was installed on the D drive. So, do I need to scan the C drive as well? Sorry, I forgot to mention that.

    @hellnoire: maybe you are right. I am going to uninstall McAfee now to see what happens next.
  11. hellnoire, *nix Technical Support
    Chances are good that once you do what the bolded text says, it will no longer have a problem.

    Never run two antiviruses at once. I don't know how many times I've had to say that over the past few months, but I'm certainly getting sick of those who think they can and get away with no bugs. If you can, congrats, power to you. But for most users, you're going to run into a billion and one other bugs. So DON'T DO IT.