17642 Views 10 Replies Latest reply: Mar 17, 2012 12:05 PM by Ex_Brit
DannyBoy_Chicago (Newcomer, 7 posts since May 24, 2007)
Mar 15, 2012 9:08 PM

Can anyone tell me what this file mfeavfk01.sys is?

I came across this only by chance as I ran Autoruns (Sysinternals Autoruns by Microsoft), and it says "file not found" and also has a registry entry related to it in the McAfee registry folder. I do not use cleaners or anything to do any cleaning of the registry, besides the McAfee cleaning tools, and even with those I uncheck the registry option for fear of not knowing whether it will delete anything it should not.

Googled all over and it shows as being a part of McAfee, but I checked here in the forums and found nothing regarding the file, although I have seen that the file mfeavfk.sys seems to be a legit file.

What is the file mfeavfk01.sys for, and is it a legit file?

I'm concerned that it is possibly a bad file, seeing that "01" after the name. Or was it part of the install or removal process, using the removal tool and re-installing after I had done a complete wipe of my computer months ago? I had to remove the McAfee Plus that came pre-installed (and was never used), as I put my McAfee Total Protection back by downloading it from my McAfee account online.

Virtual Tech runs and always stated good...

Thanks

  • Hayton (Volunteer Moderator, 4,590 posts since Sep 27, 2010)

    You know, I wondered if anyone else would ever find this discrepancy .... stand by for a very long answer.

    I noticed it some weeks ago in Autoruns and asked about it in one of the conference calls. They asked me to send in this (nonexistent) file so McAfee could analyse it ...

    After I raised the issue I was sent a text file with the title "McAfeeDellFix" with instructions on changing registry settings which was ostensibly meant to cure the problem but which doesn't actually mention mfeavfk01.sys at all .... so now I get mfeavfk02.sys as well as mfeavfk01. And mfefirek01.sys as a bonus.

    (Attached image: Autoruns drivers.JPG)

    These entries appear in Autoruns because there are registry entries for them: mfeavfk01 is to be found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfeavfk01\. The files themselves do not exist. Note the "AltServiceName" entry.

    (Attached image: Registry entries mfeavk01.JPG)

    Like you, I am suspicious about this entry and somewhat bothered that I still haven't received a proper explanation of why it appears in Autoruns. If you like I will add to this thread the message I originally posted in the Internal section (which no-one answered). This has a number of references to other AV products detecting the file as Suspicious (in some cases as a rootkit) and showing it as a Hidden Process.

    Possibly McAfee isn't cleaning up correctly after an update, because I came across this instructive paragraph in an old post (about mfehidk.sys) from the Business section:

    "The registry key listed is created by us, and notice the numeric appendage? mfehidk01.

    We create this key when that driver gets updated. It allows for another instance of the driver to exist in memory, while the older instance gets put into a pass-through mode. It's a clever way to update drivers without requiring a reboot."

    I like that explanation better than the alerts returned from GMER and AVG -

    ---- Services - GMER 1.0.15 ----
    Service (*** hidden *** ) [MANUAL] mfeavfk01 <-- ROOTKIT !!!

    and from TDSSKiller -

    14:54:26.0587 1856     Suspicious service (Hidden): mfeavfk01
    14:54:26.0618 1856     mfeavfk01 ( HiddenService.Multi.Generic ) - warning
    14:54:26.0618 1856     mfeavfk01 - detected HiddenService.Multi.Generic (1)

    Volunteer Moderator  Leeds, UK
    No PM's please
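The registry-only entry, the "AltServiceName" value and the "hidden service" alerts above can all be checked by hand. The following PowerShell script is an added example for this thread, not McAfee's tooling and not the logic of Autoruns, GMER or TDSSKiller: it walks the driver keys under HKLM\SYSTEM\CurrentControlSet\Services, resolves each ImagePath, tests whether the file is actually on disk (what Autoruns reports as "File not found"), reads the file's Authenticode status when it exists, surfaces any AltServiceName value, and flags keys that the Service Control Manager does not list. The SCM cross-check is a simplified stand-in for the scanners' hidden-service heuristic. It assumes an elevated PowerShell 5.1 or later session on Windows; the function name Resolve-DriverPath is this example's own.

```powershell
# Added example (not from the thread, not McAfee tooling): report driver
# service keys whose file is missing, which carry an AltServiceName value,
# or which the Service Control Manager does not enumerate.
# Assumes an elevated PowerShell 5.1+ session on Windows.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverPath {
    # Turn an ImagePath value into a file system path that Test-Path can check.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim().Trim('"')
    if ($p -like '\Device\*') { return $p }                  # object-manager name, not a file; left as-is
    $p = $p -replace '^\\\?\?\\', ''                          # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # kernel-style root
    if (-not [System.IO.Path]::IsPathRooted($p)) {            # "system32\drivers\x.sys" is relative to %SystemRoot%
        $p = Join-Path $env:SystemRoot $p
    }
    return [Environment]::ExpandEnvironmentVariables($p)
}

# Drivers as the SCM reports them, for the "hidden service" cross-check.
# Simplified stand-in for what GMER and TDSSKiller do, not their actual logic.
$scmDrivers = @{}
Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    $scmDrivers[$_.Name.ToLowerInvariant()] = $true
}

$report = foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
    $v = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    # Type 1 = kernel driver, 2 = file system driver; skip user-mode services.
    if ($null -eq $v -or $null -eq $v.Type -or ($v.Type -band 0x3) -eq 0) { continue }

    $path   = Resolve-DriverPath $v.ImagePath
    $exists = [bool]($path -and (Test-Path -LiteralPath $path -PathType Leaf))
    # Caveat: catalog-signed Windows drivers can report NotSigned on older PowerShell;
    # treat that as "verify against the catalog", not as a finding by itself.
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }

    [pscustomobject]@{
        Service        = $key.PSChildName
        ImagePath      = $v.ImagePath
        ResolvedPath   = $path
        FileExists     = $exists
        Signature      = $sig
        AltServiceName = $v.AltServiceName   # set on the mfeavfk01 key shown in the thread
        KnownToSCM     = $scmDrivers.ContainsKey($key.PSChildName.ToLowerInvariant())
    }
}

# Worth a second look: no file behind the key, a non-valid signature,
# an AltServiceName redirect, or a key the SCM does not enumerate.
$report |
    Where-Object { -not $_.FileExists -or $_.Signature -ne 'Valid' -or $_.AltServiceName -or -not $_.KnownToSCM } |
    Sort-Object Service |
    Format-Table Service, FileExists, Signature, AltServiceName, KnownToSCM, ImagePath -AutoSize
```

A key that shows FileExists = False together with an AltServiceName value is the shape described in this thread; a key that is also missing from the SCM's list is what the scanners quoted above call a hidden service. Neither condition on its own proves a rootkit, so the next step is the vendor's component inventory and a boot log rather than deleting the key.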
  • Hayton (Volunteer Moderator, 4,590 posts since Sep 27, 2010)

    I suspect that if the registry entries are removed the problem will just go away. Of course, McAfee Access Protection needs to be turned Off to enable that removal, and the registry would have to be backed up first, just in case. I might try it later.

    The problem is not, for me, one to worry about. But then I'm not seeing ROOTKIT!!!! alarms in any of my scans :-)


  • Hayton (Volunteer Moderator, 4,590 posts since Sep 27, 2010)

    I've put the question in for the call. Let's hope I get an answer. I've also asked about the registry entries, and I don't intend to touch the registry until after this has been discussed.

    Your question about an exploit: I don't think so. Any file that was created and put into the location pointed to by the registry entry would have to be a valid McAfee file. Just changing an entry in the registry would not be enough to include an unsigned driver file and, in any case, there is a repository of information which McAfee uses (in MVT and elsewhere) about which files and registry entries make up the McAfee application. Any file not included in that repository which someone tried to substitute for a genuine McAfee file would, I think, cause an error. In addition, McAfee Access Protection (see in the Security Center) prevents changes to or deletion or replacement of McAfee components.

    That's a bit tortuous, but in essence: no, I don't think an exploit of the kind you had in mind would work.

    Final thought: when I first came across this I went into msconfig and, in Boot.ini, selected the '/Bootlog' entry. I ended up with a text file named ntbtlog.txt which listed all the files being loaded, or not loaded.

    In several places were the two following entries:

    Did not load driver \SystemRoot\system32\drivers\mfeavfk.sys
    Loaded driver \Device\mfeavfk01.sys

    But there were also exactly the same number of occurrences of

    Loaded driver \SystemRoot\system32\drivers\mfeavfk.sys

    Enable boot logging and look at the output and you'll probably see the same.


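Counting those boot-log lines by hand gets tedious once the log spans several boots, so here is an added PowerShell example (this thread's own content stops at the quoted lines; the function name Get-BootLogSummary and the sample lines are this example's, modelled on the entries quoted above). It parses ntbtlog.txt, the file the /Bootlog switch writes under %SystemRoot%, tallies "Loaded driver" and "Did not load driver" per driver file name, and lists every path each name was loaded from, so the mfeavfk.sys / mfeavfk01.sys pairing stands out. Pass -Path to run it on a real log.

```powershell
# Added example (not from the thread): tally ntbtlog.txt "Loaded driver" /
# "Did not load driver" lines per driver file name and show the paths involved.
# Sample input below is constructed for the example, shaped like the thread's entries.

function Get-BootLogSummary {
    param(
        [string]$Path,       # a real %SystemRoot%\ntbtlog.txt
        [string[]]$Lines     # or lines supplied directly (used by the sample below)
    )
    if ($Path) { $Lines = Get-Content -LiteralPath $Path }

    $tally = @{}
    foreach ($line in $Lines) {
        # Lines look like: "Loaded driver \SystemRoot\system32\drivers\foo.sys"
        #               or "Did not load driver \SystemRoot\system32\drivers\foo.sys"
        if ($line -match '^(?<status>Loaded driver|Did not load driver)\s+(?<path>\S+)') {
            $path = $Matches.path
            $name = ($path -split '\\')[-1].ToLowerInvariant()
            if (-not $tally.ContainsKey($name)) {
                $tally[$name] = [ordered]@{ Driver = $name; Loaded = 0; NotLoaded = 0; Paths = @{} }
            }
            if ($Matches.status -eq 'Loaded driver') { $tally[$name].Loaded++ } else { $tally[$name].NotLoaded++ }
            $tally[$name].Paths[$path] = $true
        }
    }

    foreach ($e in $tally.Values) {
        [pscustomobject]@{
            Driver    = $e.Driver
            Loaded    = $e.Loaded
            NotLoaded = $e.NotLoaded
            Paths     = ($e.Paths.Keys | Sort-Object) -join '; '
        }
    }
}

# Constructed sample: two boots' worth of entries in the shape quoted in the thread.
$sample = @(
    'Loaded driver \SystemRoot\system32\drivers\mfehidk.sys',
    'Did not load driver \SystemRoot\system32\drivers\mfeavfk.sys',
    'Loaded driver \Device\mfeavfk01.sys',
    'Loaded driver \SystemRoot\system32\drivers\mfeavfk.sys',
    'Loaded driver \SystemRoot\system32\drivers\mfehidk.sys',
    'Did not load driver \SystemRoot\system32\drivers\mfeavfk.sys',
    'Loaded driver \Device\mfeavfk01.sys',
    'Loaded driver \SystemRoot\system32\drivers\mfeavfk.sys'
)

# Show drivers that ever failed to load, plus any "NN.sys" numbered variants.
Get-BootLogSummary -Lines $sample |
    Where-Object { $_.NotLoaded -gt 0 -or $_.Driver -match '\d\d\.sys$' } |
    Sort-Object Driver |
    Format-Table Driver, Loaded, NotLoaded, Paths -AutoSize
```

On the constructed sample this lists mfeavfk.sys with two loads and two "did not load" entries from the system32 path, and mfeavfk01.sys with two loads from a \Device\ path and none failed, which is the equal-count pattern described in the post above. Note that "\Device\..." is an object-manager name rather than a file system path, so a scanner that only checks for a file on disk will report it as missing.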
  • Ex_Brit (Volunteer Moderator, 59,543 posts since May 6, 2004)
    6. Mar 17, 2012 3:56 AM (in response to Hayton)

    Just a thought here directed to the original question.

    When you see a number, in this case '01', attached to a file name that already exists (without the number), all it means is that somehow remnants of a previous version were left behind and Windows, not allowing duplicate entries in certain directories, assigned it a number. Normally a warning should have appeared somewhere alerting you to that fact, but as with all things Windows, that doesn't always happen.

    In the case of the one above it can be deleted.

    https://community.mcafee.com/servlet/JiveServlet/downloadImage/2-143933-5189/78-49/Peter.gif
    Toronto • Canada
    Volunteer Moderator
    I can't help you privately - please post in the Forums
    Use Advanced Forum Search To Find Answers
    Beta Test McAfee Products For PC & MAC
    How To Fix File Associations in Windows
    XP & Office 2003 End-Of-Life - 08 April, 2014
    Anti-Spyware/Malware & Hijacker Tools
  • Hayton (Volunteer Moderator, 4,590 posts since Sep 27, 2010)
    7. Mar 17, 2012 11:15 AM (in response to Ex_Brit)

    I don't think it's Windows doing the filename assignation, but McAfee.

    "We create this key when that driver gets updated. It allows for another instance of the driver to exist in memory, while the older instance gets put into a pass-through mode. It's a clever way to update drivers without requiring a reboot."

    If this is correct it's a way of updating a driver and somehow substituting the ...01 version for the original version within the running McAfee program. The existing process isn't exactly killed off but goes into "pass-through" mode, which I would like explained. It seems to be relegated to the shadows and hidden, but is still running - hence the detection by AVG, GMER and TDSSKiller. Hidden Process which can't be killed off (Access Protection?) = Rootkit. That's my best guess anyway. At shutdown/reboot things should be tidied up (and I assume they are) but still we get these registry keys left behind pointing to non-existent files. That should be easy enough to fix in a later release.


  • Ex_Brit (Volunteer Moderator, 59,543 posts since May 6, 2004)
    8. Mar 17, 2012 11:39 AM (in response to Hayton)

    Strange. I haven't observed this in my installations at all.


  • Hayton (Volunteer Moderator, 4,590 posts since Sep 27, 2010)
    9. Mar 17, 2012 11:58 AM (in response to Ex_Brit)

    Have you looked in Autoruns or enabled the /Bootlog switch?

