14 Replies. Latest reply: Jul 29, 2013 9:46 AM by Vinod R

    Odd Service MFE_RR

    keekem

      Hello

      I recently found this service mfe_rr.sys in my C:\DOCUMENT\owner\LOCAL\Temp folder. Is MFE_RR a McAfee service? If so why is it located there?

       

      Thank You

        • 1. Re: Odd Service MFE_RR
          Hayton

          I don't think this is a McAfee file, and its presence in that location is suspicious.

           

          Also, that filename crops up in a number of posts in other forums where users report they have a ZeroAccess rootkit infection. May be coincidence, but maybe not.

           

          Download and run these two McAfee programs and see what they report. Don't forget to read the 'How to Use' instructions, links to which are on these webpages.

           

          Rootkit Remover -

          http://www.mcafee.com/us/downloads/free-tools/rootkitremover.aspx

           

          Stinger -

          http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

          • 2. Re: Odd Service MFE_RR
            Hayton

            On the assumption that this is a sign of a malware infection I've moved the question to Security Awareness /  Malware Discussion / Home User Assistance.

            • 3. Re: Odd Service MFE_RR
              keekem

              Ran both tools earlier. Neither detected any issues. I'm at a loss. I am running XP Home SP3.

               

               

               

              Thank You

               

              Message was edited by: keekem on 7/18/13 8:43:05 PM CDT

               

              Message was edited by: keekem on 7/18/13 8:44:02 PM CDT
              • 4. Re: Odd Service MFE_RR
                Hayton

                I checked on XP and I don't have it. Still a suspicious file.

                 

                If you haven't deleted it yet, run GetSusp. If that program finds unknown files it sends them off for analysis.

                http://www.mcafee.com/us/downloads/free-tools/getsusp.aspx

                http://www.mcafee.com/us/downloads/free-tools/how-to-use-getsusp.aspx

                 

                In this situation I'd also run Malwarebytes Free to get a second opinion. Given that this is hiding in a strange location I'd opt for a full scan.

                • 5. Re: Odd Service MFE_RR
                  keekem

                  I ran GetSusp and MBAM. Several files in question in GetSusp but they checked out. However the mentioned service was not listed. Uploaded to McAfee. MBAM was clean.

                  A tad mind boggled.

                   

                  Is it proper to just delete it without knowing? Will that cause a more complicated issue?

                   

                  Thank You

                   

                  Message was edited by: keekem on 7/18/13 9:42:39 PM CDT

                   

                  Message was edited by: keekem on 7/18/13 9:46:45 PM CDT
                  • 6. Re: Odd Service MFE_RR
                    Peacekeeper

                    Upload the file to www.virustotal.com and see what they say.

                    • 7. Re: Odd Service MFE_RR
                      keekem

                      It turns out that MFE_RR is a service from McAfee Rootkit Remover. It installs to that location. What alarmed me was that in all searches this service was tied to user posts that were infected with the ZeroAccess trojan (mostly).

                      I am a tad surprised none of the McAfee folks chimed in on this.

                      The issue now is how to get rid of this service.

                       

                      Thank you

                       

                      Message was edited by: keekem on 7/20/13 10:44:23 AM CDT

                       

                      Message was edited by: keekem on 7/20/13 11:09:10 AM CDT
                      • 8. Re: Odd Service MFE_RR
                        Hayton

                        Well, if the .sys file is a leftover from Rootkit Remover that accounts for its presence in all those rootkit-removal threads.

                         

                        Once you've run Rootkit Remover the file (and any service associated with it) is probably not needed any more.

                         

                        Try deleting the file. If it's in use and you can't delete it, look for a running service associated with it and stop the service manually, then try again.

                         

                        If you still can't delete the file there is a utility from Malwarebytes called FileAssassin which is said to be effective (I can't vouch for it because I haven't used it yet).

                         

                        Edit :

                        keekem wrote:  I am a tad surprised none of the McAfee folks chimed in on this.

                         

                         

                        The McAfee people don't come down these mean streets very often. They prefer the rarified atmosphere of the Enterprise section - the starship zone to our near-space-shuttle park. That's how we can get away with sometimes being stroppy and insubordinate. Heaven forfend that the senior suits from McAfee or Intel should ever turn their attention to our little enclave.

                         

                        We can always get their attention if it's important though.

                         

                        Message was edited by: Hayton on 20/07/13 19:08:20 IST
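
Added example, not part of the original thread or any McAfee tooling: a PowerShell sketch of the check-then-remove sequence described in reply 8, which lists driver services loading from a Temp folder, shows who signed each file, and only then stops and deletes the one you name. The `-RemoveService` parameter is hypothetical, and the script assumes PowerShell 2.0 or later is installed and run as an administrator.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Lists kernel-driver services whose image file sits under a Temp directory,
# shows who signed each file, and removes one service only when asked to.
param([string]$RemoveService)   # hypothetical parameter, e.g. -RemoveService mfe_rr

$found = @(Get-WmiObject Win32_SystemDriver |
    Where-Object { $_.PathName -match '\\Temp\\' } |
    ForEach-Object {
        # PathName can carry the NT object prefix \??\ ; strip it
        $path   = $_.PathName -replace '^\\\?\?\\', ''
        $status = 'FileMissing'
        $signer = $null
        if (Test-Path -LiteralPath $path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        New-Object PSObject -Property @{
            Name      = $_.Name
            State     = $_.State
            Path      = $path
            SigStatus = $status
            Signer    = $signer
        }
    })

# Review this listing before removing anything: a vendor driver should show
# SigStatus 'Valid' and the vendor's name in Signer.
$found | Format-List Name, State, Path, SigStatus, Signer

if ($RemoveService) {
    $target = $found | Where-Object { $_.Name -eq $RemoveService }
    if (-not $target) { throw "No Temp-resident driver service named '$RemoveService'." }
    if ($target.SigStatus -ne 'Valid') {
        Write-Warning "Signature status is $($target.SigStatus); keep a copy of the file for analysis."
    }
    sc.exe stop   $target.Name    # unload the driver if it is running
    sc.exe delete $target.Name    # remove the service registration
    Remove-Item -LiteralPath $target.Path -ErrorAction Continue
}
```

Run it once with no arguments to see the listing; pass `-RemoveService` with the listed service name only after the signer matches the vendor you expect.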
                        • 9. Re: Odd Service MFE_RR
                          Peacekeeper

                          You tried clearing all temp folders with the Windows disk cleanup tool?
