I am using Total Protection on a Windows XP SP3 computer, and the firewall rules are pretty strict. I am connected like this: ISP -> router -> a few computers (2 with Total Protection on default or even stricter settings). Yesterday the Firewall blocked something like 450 incoming connections and then, after some time, it finally crashed my PC with a blue screen. Before it crashed I found that I was cut off from the internet (the ping command sent back an error message), and my ipconfig /all returned strange readings: a Teredo tunnel (which I have never used before, and I never had that output from ipconfig before either). I had some apps running, but those apps are of the kind I trust personally, and I've been running them before without any problem. In fact the other computers protected by the same Total Protection also started to use Teredo for that session. Now I have no idea how Teredo Tunneling turned itself on (there were some online apps running in the background, but that never happened before with them, as I've been using them for ages and none of them used Teredo). After a short time I couldn't even launch the command line because it returned error 0xc0000142.
Another thing comes from Event Viewer; the source is mfehidk:
Process **\SVCHOST.EXE pid (1636) could not be successfully validated with the mfevtp service and would have been blocked from performing a privileged operation with a McAfee driver if enforcement was enabled.
Other logs around the one above are suspicious, from Service Control Manager:
The McAfee Validation Trust Protection Service service entered the stopped state.
After the restart everything went back to normal and I don't have that svchost with that PID running anymore.
I have attached the crash dump and event log, and both point to mfehidk. The event log should be read from 3/14/2013 6:05:43 AM.
Now, as McAfee has been working flawlessly on my computer for ages, I am wondering if it was a targeted attack, not only on my computer but also on the whole network. I can provide more details if requested.
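The check the poster is doing by eye, reading the event log from a given timestamp and looking for the mfehidk validation warning followed by the McAfee Validation Trust Protection Service stopping, can be scripted. The following is an added example and is not code from the thread or from McAfee: it runs over constructed sample lines that mirror the two messages quoted above (the tab-separated "date time, source, message" layout, the 6:05:50 timestamp and the Teredo interface line are assumptions for the example, not data from the attached logs) and reports each validation failure that is followed within a short window by the trust service stopping, which is the sequence you would expect if something were disabling the security software rather than the software simply crashing.

```python
"""Correlate McAfee self-protection events in an exported Event Viewer log.

Pattern searched for: an mfehidk warning that a process could not be validated
with the mfevtp service, followed within a window by Service Control Manager
reporting that the McAfee Validation Trust Protection Service stopped.
Added example; the sample export below is constructed, not the poster's log.
"""
import re
import sys
from datetime import datetime

# Constructed sample export: "date time<TAB>source<TAB>message" per line.
# Only the two message texts are from the thread; timestamps are assumed.
SAMPLE_LOG = """\
3/14/2013 6:05:43 AM\tmfehidk\tProcess **\\SVCHOST.EXE pid (1636) could not be successfully validated with the mfevtp service and would have been blocked from performing a privileged operation with a McAfee driver if enforcement was enabled.
3/14/2013 6:05:50 AM\tService Control Manager\tThe McAfee Validation Trust Protection Service service entered the stopped state.
3/14/2013 6:07:02 AM\tTcpip\tThe system detected that network adapter Teredo Tunneling Pseudo-Interface was connected to the network.
"""

VALIDATION_RE = re.compile(
    r"Process (?P<image>\S+) pid \((?P<pid>\d+)\) could not be successfully validated"
)
STOPPED_RE = re.compile(
    r"McAfee Validation Trust Protection Service service entered the stopped state"
)


def parse(text):
    """Parse tab-separated export lines into (timestamp, source, message), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, source, message = line.split("\t", 2)
        events.append((datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p"), source, message))
    events.sort(key=lambda e: e[0])
    return events


def find_tamper_sequences(events, window_seconds=300):
    """Return (pid, image, validation_time, stop_time) for every mfehidk validation
    failure that is followed by the trust service stopping within window_seconds."""
    hits = []
    for i, (t, source, msg) in enumerate(events):
        m = VALIDATION_RE.search(msg)
        if source != "mfehidk" or not m:
            continue
        for t2, source2, msg2 in events[i + 1:]:
            if (t2 - t).total_seconds() > window_seconds:
                break  # events are sorted, nothing later can be inside the window
            if source2 == "Service Control Manager" and STOPPED_RE.search(msg2):
                hits.append((int(m["pid"]), m["image"], t, t2))
                break
    return hits


if __name__ == "__main__":
    # Usage: python mfe_tamper.py [exported_log.txt]; without a file the sample runs.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for pid, image, t_fail, t_stop in find_tamper_sequences(parse(text)):
        gap = int((t_stop - t_fail).total_seconds())
        print(f"{t_fail}: {image} pid {pid} failed validation; trust service stopped {gap}s later")
```

The window keeps the two messages tied together: a validation warning that is not followed by the service stopping is just noise, while the pair within seconds is the thing to hand to support along with the crash dump. Exports from Event Viewer on XP are not tab-separated by default, so adjust `parse` to however you saved the log.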
Technical Support would be the best people to analyze those logs or hopefully a technician will look in here. They are linked under Useful Links at the top of the page, free by phone or online chat.
Teredo Tunneling according to Wikipedia: Teredo is a transition technology that gives full IPv6 connectivity for IPv6-capable hosts which are on the IPv4 Internet but which have no direct native connection to an IPv6 network.
You might want to give your ISP a call to see if they are experimenting with, or actually changing, their internet connectivity protocols.
Meanwhile run the Virtual Technician and see if it finds and fixes anything untoward: http://mvt.mcafee.com/
I found out that Teredo came with a uTorrent update. It seems that uTorrent somehow activated Teredo on my computer by itself. I consider it a security flaw and uninstalled uTorrent, and then disabled and uninstalled Teredo (with netsh) as well.
Anyway, after I queued some downloads with uTorrent and went AFK, those event ID messages started to pop up: first the unsuccessful validation and then the McAfee validation service stopping. All that happened while I was AFK; when I came back I had no internet, the firewall reported lots of incoming connections (many blocked), all those messages had shown up in the event log, I had no access to key Windows tools like ping or ipconfig, and a few minutes later I even lost access to cmd.exe with 0xc0000142. Then the blue screen crash. Really wondering if it was a successful attack.
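The poster says Teredo was disabled and uninstalled "with netsh" without giving the commands. The following is an added example, not the poster's own commands: it shows how to see whether the Teredo pseudo-interface is up and how to turn the Teredo client off on Windows XP SP3, where the IPv6 stack is an installable component and Teredo lives under `netsh interface ipv6`. The Vista-and-later syntax is noted in comments because it differs. Run it from an administrator account; the router suggestion at the end is a caveat rather than a netsh command.

```batch
@echo off
rem Added example: inspect and disable Teredo on Windows XP SP3 (netsh syntax for XP).

rem 1. Is a Teredo tunnel up right now? Same thing the poster spotted in ipconfig /all.
ipconfig /all | findstr /i "teredo"
netsh interface ipv6 show teredo

rem 2. Turn the Teredo client off and confirm the state changed.
netsh interface ipv6 set teredo disabled
netsh interface ipv6 show teredo

rem 3. XP only: remove the IPv6 stack altogether (the poster's "uninstalled"); reboot afterwards.
rem    netsh interface ipv6 uninstall

rem Vista and later moved the command under "interface teredo":
rem    netsh interface teredo show state
rem    netsh interface teredo set state disabled

rem Caveat: this only covers one host. The other machines on the LAN started using
rem Teredo in the same session, so either repeat this on each of them or block
rem outbound UDP port 3544 (the Teredo server port) at the router, which stops
rem any IPv6-capable application from bringing a tunnel up behind the firewall.
```

Teredo punches an IPv6 path through the NAT over UDP, so traffic arriving over it does not pass through the router's IPv4 port filtering; that is why the "IPv6 tunneling gives attackers a green light" warning quoted later in this thread applies here, and why disabling it at the router rather than per host is the more reliable fix.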
I have uTorrent (latest version) and had no similar problems, so I would suspect the source of your downloads as being a source of malware as well.
Boot to Safe Mode and try to initiate System Restore to before all this started.
Also take a look in that last link in my signature below and try running Stinger and perhaps Malwarebytes Free.
Re. Teredo (from an answer on stackoverflow.com)
Usually this is because of the automatic IPv6-in-IPv4 Teredo tunneling in Windows. It is not reliable for normal use, but as BitTorrent distributes the load across many connections anyway, some of those Teredo connections might actually work :-)
Windows systems only try to use Teredo when connecting explicitly to an IPv6 address when no other IPv6 access is available. Teredo won't be used when connecting to a hostname instead of an explicit address.
For a warning about the vulnerability of IPv6-over-IPv4 tunnelling see
“IPv6 tunneling gives attackers a green light to penetrate networks,” says Jeremy Duncan, senior director and IPv6 network architect for Salient Federal Systems.
Duncan is concerned about uTorrent, which is an IPv6-capable freeware client for the BitTorrent peer-to-peer protocol that's used to share large files such as music and movies. Duncan says uTorrent runs very well over Teredo, and that the BitTorrent community is discovering IPv6 as a way of avoiding network congestion controls that are used by ISPs to manage BitTorrent traffic on IPv4 networks.
Some forums will not help you if you have P2P software installed unless you remove or disable it. I fully agree with the risk assessment by the Malwarebytes Moderator below -
It is very likely that you have inadvertently downloaded malware which is disabling McAfee and interfering with your Internet connection. Try running the following -
1. A McAfee Full Scan, if McAfee is still working (download updates first if possible)
2. Malwarebytes - the free version. In the settings make sure that it's not skipping P2P checking.
3. Another antivirus program. The one I prefer is the Microsoft Safety Scanner, but others go for Eset or Kaspersky. This is to make sure that nothing has been missed by the main AV scan.
As I stated above, I have removed uTorrent and don't plan to reinstall it at all after what I've seen. I never thought that such a popular and well-known application could act in such a way by itself, as I totally blame it for what happened. Note that it's probably among the world's most downloaded internet applications. Also, I do assume that it wasn't malware but possibly some kind of unknown exploit, maybe even in uTorrent itself, that a possible hacker used to mess with my computer.
On things working: everything works fine now, without any problem, but that doesn't mean that I wasn't attacked. I will perform the necessary scanning, and if anything suspicious shows up, I'll post it here.
I did not launch the files that were being downloaded; the whole situation happened when those files were about 30% complete, so even if something was launched, it would have been done by uTorrent itself.
Also, I have finished full scans with McAfee, the MBAM trial and Microsoft Security Scanner; they didn't find anything suspicious, so I guess I'm good to go. I'd like to point out that any application launching Teredo by itself is, in my opinion, dangerous. I've read some websites with people talking about the problem and almost everyone considers it potentially dangerous: both Teredo activation without notice and Teredo itself.
Cheers, I think that I am done with this problem.
Message was edited by: septos6689 on 3/15/13 7:13:46 AM CDT
uTorrent is a weird one. I found it behaves far better with the ads turned off and you don't need the Plus version to do that.
Uninstall McAfee Security Scan Plus if that's what you meant by Security Scanner - it's not necessary with already installed antivirus.
MBAM trial is the Pro version. I would uninstall it. If you need the Free version simply don't accept the trial offer when reinstalling.
Anyway, glad you are OK now.