1 2 3 4 Previous Next 31 Replies Latest reply on Jun 27, 2015 12:23 PM by Peter M

    BSOD 000000F7 in mfehidk.sys

    lmarks

      I am using the att.net-distributed version of the McAfee suite. Recently I began having BSOD buffer overrun faults in mfehidk.sys. They occur whenever I access my internal or USB-attached CD/DVD drives (and probably other removable media like USB keys and USB-attached diskette drive, although I haven't tested them). They occur reliably, the instant I attempt to open a CD/DVD drive containing media, regardless of the media type. They occur in User or Administrator mode but not in Safe Mode. I uninstalled and reinstalled the entire McAfee suite but the problem continues.

       

      My version of mfehidk.sys is 15.1.0.674. File size is 576,048 bytes, dated June 20, 2014.

       

      I have literally dozens of minidumps and can send as many as you like.

       

      Please advise how to correct this situation.

        • 1. Re: BSOD 000000F7 in mfehidk.sys
          Peter M

          That usually means it's having problems interacting with some hardware/software on your system. 

          Best to contact Technical Support, it's free of charge by phone or online chat see link below.

          Toronto ▪ Canada
          Volunteer Moderator - Consumer Products
          I CAN'T HELP PRIVATELY - PLEASE POST IN THE FORUMS
          Use Advanced Search To Find Answers

          Consumer Technical Support (alter Country @ top right as needed)

          Consumer Customer Service (Accounts, Billing, Registration, etc.)
          Anti-Spyware/Malware/Hijacker Tools


          • 2. Re: BSOD 000000F7 in mfehidk.sys
            lmarks

            I wish I could report that your suggestion was helpful. I downloaded and installed the McAfee Virtual Technician. It installed updates (not including mfehidk.sys) and then reported that the system was clean. The crashes still occur.

             

            I searched the FAQs fruitlessly.

             

            Then, as you suggested, I started a chat session. The agent couldn't seem to read my messages and kept asking questions for which I had already provided answers. He didn't seem to know what a blue-screen crash was, or a minidump. He wanted to re-install McAfee, in spite of the fact that I had told him I had already uninstalled and re-installed it. He repeatedly declined to connect me to someone who could help and ultimately told me I would have to call a 900 number (per-minute charges) to get help with the problem.

             

            Here's the complete (awful) dialogue:

            GoToAssist (13:17:04):

            Thank you for contacting McAfee Consumer Support.  An agent will be with you shortly.

             

             

             

             

            Shahulhameed S (13:17:11):

            Thank you for contacting McAfee Technical support. This is Shahul. Please give me a moment while I review the description you have typed in.

             

             

            Customer (13:17:56):

            Hello. Getting blue-screen crashes from mfehidk.sys. Have uninstalled and reinstalled McAfee, and have run Virtual Technician.

            Customer (13:18:17):

            Have a few dozen minidumps.

             

             

            Shahulhameed S (13:18:46):

            To ensure that I understand, you are facing issue with installation of McAfee and also you get blue dumb error. Is that correct?

             

             

            Customer (13:19:07):

            No. I have no issues with installation. Please connect me to Level 2

             

             

            Shahulhameed S (13:20:07):

            I will do that for you. Before that let me check the records and also let me check with the resources.

            Shahulhameed S (13:20:19):

            I am unable to locate your account information with the e-mail address that you provided me. Have you used any alternate e-mail address to register your McAfee account?

             

             

            Customer (13:20:32):

            marks@bellsouth.net

            Customer (13:20:43):

            I am an AT&T customer.

            Customer (13:20:56):

            Please connect me to Level 2.

             

             

            Shahulhameed S (13:21:20):

            Thank you for the information, Please give me a moment let me check the records.

             

             

            Customer (13:21:31):

            Please connect me to Level 2.

             

             

            Shahulhameed S (13:23:51):

            It is important that I understand the exact nature of the issue. Could you please provide me a brief description of what you are experiencing?

             

             

            Customer (13:25:55):

            Did you not receive my first message? Here is the problem again: Any time I access media in either my internal CD/DVD player or my USB-attached player, the system immediately blue-screen crashes, 000000F7 buffer overrun in mfehidk.sys. This is a piece of McAfee software. I have a couple of dozen mini-dumps which show this.

            Customer (13:26:22):

            Please connect me to Level 2.

             

             

            Shahulhameed S (13:27:03):

            Laurence, I cannot go head and directly transfer the chat to level 2 team. If i need to transfer i need to do minimum trouble shootings. Let me try from my end to reinstall Mcafee and check it. If still issue persists then i will esclate this case to level 2.

             

             

            Customer (13:27:32):

            I told you that I had already re-installed it successfully. Did you not read that?

            Customer (13:27:41):

            Please pay better attention.

             

             

            Shahulhameed S (13:28:49):

            I have read the information as per your request i cannot go head and transfer the chat to level 2. I am extremely sorry Laurence, I do not have the provisions to transfer the chat to level2.

             

             

            Customer (13:28:52):

            I have uninstalled it and reinstalled it and have also run the McAfee Virtual Technician.

            Customer (13:29:15):

            Please transfer me to another agent.

            Customer (13:29:39):

            How do I get to Level 2?

             

             

            Shahulhameed S (13:31:02):

            I am really sorry Laurence, i cannot transfer the chat . We do not have the provisions of transfering the chat. May i know have you tried running full scan on pc?

             

             

            Customer (13:31:11):

            Yes, several times.

            Customer (13:31:35):

            I also took the drive out, put it in an enclosure in another up-to-date PC and scanned it again there.

             

             

            Shahulhameed S (13:33:46):

            I kindly suggest you to contact McAfee virus removal team who can help you in this issue . The number is 1-900-772-4511.

             

             

            Customer (13:34:03):

            What? You want me to pay for this service?

            Customer (13:34:25):

            900 numbers are fee-for-service?

            • 3. Re: BSOD 000000F7 in mfehidk.sys
              Peter M

              Phone support would be best and give them the last support session ID and ask for immediate escalation.

              He must have assumed it was due to infection.

              • 4. Re: BSOD 000000F7 in mfehidk.sys
                Hayton

                Error code 0xF7 is a driver error, as per Microsoft :

                A driver overran a stack-based buffer (or local variable) in a way that would have overwritten the function's return address and jumped back to an arbitrary address when the function returned.

                 

                Explained here - Bug Check 0xF7: DRIVER_OVERRAN_STACK_BUFFER (Windows Debuggers)

                 

                Some suggestions for fixing it here -

                BSOD-- Stop 0xF7 - Microsoft Community  - from a Vista forum but should be applicable

                and here - 0xF7 BSOD in 3 minutes Solved - Windows 7 Help Forums

                 

                You need a stack dump analysis to be sure that the culprit is mfehidk.sys, and someone on the appropriate Microsoft forum might be able to help you with that.

                • 5. Re: BSOD 000000F7 in mfehidk.sys
                  lmarks

                  Errr, umm, Haydon, I wasn't born yesterday. I know what a 000000F7 fault is. Before I opened this thread I analyzed several minidumps that Windows captures when it blue-screens, and looked over a few dozen more. They all pointed to mfehidk.sys, all faulting at one or the other of two addresses.

                   

                  Would you like me to attach a minidump so you can re-check my work? A great tool, not mentioned most places is BlueScreenView which is free for consumer and commercial use. Not only does it list the call stack but it does the analysis for you and identifies exactly the failing module.

                   

                  I had actually looked at the both links you posted, prior to posting here.

                   

                  The first link is mostly useless. Too much of "Send your stuff to us gurus" and not enough "Here are the tools you need to figure it out for yourself." And the particular problem with BSOD 000000F7 is that it's a buffer overrun. Something went wrong with software and it started writing beyond its allotted space. Buffer overruns can also occur by malware which use the technique to get privilege elevations.  They write malicious code into spaces where privileged code runs (anti-virus or Windows system code) and get it to execute with "root" privilege. The problem is that ignorant people always hear "buffer overrun" and assume it's malware. Sometimes it's not--it's just broken code.

                   

                  Regarding the second link, that user identified a USB-to-VGA adapter. I (probably) used similar techniques to identify the McAfee driver, mfehidk.sys. As best I can tell (and this is just an educated guess), this driver is activated when you install removable media (memory key, CD, DVD) and pops up the window asking if you want a scan, and also initiates scans files on the removable media if you open one. It's not a bad link, but doesn't give you all the details you need to do the analysis.

                  • 6. Re: BSOD 000000F7 in mfehidk.sys
                    lmarks

                    Thanks for the suggestion. I called in and got a somewhat more cooperative agent. As soon as he started checking my license eligibility, he found out I was an AT&T customer and said he could not help me--that I had to call a different number. I called that number and it was instantly answered by an agent stating "McAfee Priority Service." I explained all the steps I had taken, running scans, uninstalling/reinstalling, running the McAfee Virtual Technician, and the dump analysis, as well as putting the drive in a USB enclosure and scanning it on a clean, up-to-date PC.

                     

                    He instantly told me, without any hassle, that he would need to have a Level 2 technician call me and made an appointment for Wednesday morning. I'm pretty pleased with this response.

                    • 7. Re: BSOD 000000F7 in mfehidk.sys
                      Peter M

                      lmarks wrote:

                       

                      Thanks for the suggestion. I called in and got a somewhat more cooperative agent. As soon as he started checking my license eligibility, he found out I was an AT&T customer and said he could not help me--that I had to call a different number. I called that number and it was instantly answered by an agent stating "McAfee Priority Service." I explained all the steps I had taken, running scans, uninstalling/reinstalling, running the McAfee Virtual Technician, and the dump analysis, as well as putting the drive in a USB enclosure and scanning it on a clean, up-to-date PC.

                       

                      He instantly told me, without any hassle, that he would need to have a Level 2 technician call me and made an appointment for Wednesday morning. I'm pretty pleased with this response.

                      That does sound promising and I'm glad someone is working on it.

                      Good luck.

                      BTW it's Hayton not Haydon, but I'm sure he wont mind.

                      • 8. Re: BSOD 000000F7 in mfehidk.sys
                        lmarks

                        I wish I could say that this was a successful call and a good experience. It started out promising. The agent, Priyadarsan, seemed to be listening to and understanding all the troubleshooting I had done, and he didn't start out by asking me to re-boot five times, but it turned out that he had less understanding of the issue than I did, and was just being polite. He was sure that uninstalling and reinstalling the software would solve the problem in spite of my assurance that I had already done so. He once again installed the remote access software, then asked me to demonstrate the problem, a 0x000000F7 blue-screen crash when removable media was accessed. I reminded him that communications would be severed when the computer crashed. Three times I asked him "Are you sure?" He insisted, "No, no, I have to see the crash or I cannot help you." So I inserted a data DVD (no executables on it), and opened the drive in "My Computer." Then he asked (over the phone) why I had disconnected. I reminded him that I had told him the chat session would disconnect and read the contents of the blue screen, which seemed to baffle him. This confirmed my suspicion that things were not going to end well. I asked once again for an escalation to Level 3 or development and he declined. His next thought was to uninstall and reinstall the McAfee product. He somehow thought he could do it better than I did. Needless to say, 30 minutes later, and another blue screen

                         

                        At several times during this conversation, the agent needed to terminate the telephone conversation to "Consult His Resources." I'm not sure whether he was actually consulting someone with more knowledge, looking on these forums, or just taking a break while he left me twiddling my thumbs.

                         

                        After a reboot and reconnection of the chat session and phone call, the agent asked me how I knew that the cause of the problem was McAfee AV. I explained to him how Windows stores a "minidump" with every bluescreen crash and showed him on the shared screen how to view it with a "Blue Screen Viewer." We looked at dumps of te two crashes he had requested that morning. Both pointed to McAfee driver mfehidk.sys, as I had mentioned to him two hours previous. He seemed to understand this, but he might have been doing the telephonic equivalent of politely nodding.

                         

                        Then he decided to bring in the big guns. He uninstalled the AV again and then said he had to remove the "traces." I thought "Traces? McAfee has a trace buffer? Let's look in it and see what's causing the problem instead of simply deleting it." But it turned out that all he was doing was to open Regedit and delete registry keys relating to McAfee. Not just the important keys that invoked drivers--just everything, willy-nilly. Apparently someone had told him to "Remove every trace of McAfee AV from the system" and he thought that registry keys were called "traces."

                         

                        It was at about that point that I realized that the McAfee uninstaller was not doing a complete job. It had not removed its registry keys, nor had it deleted many of the files. McAfee AV scattershoots its files everywhere: in \Program Files\McAfee, in \Program Files\McAfee.com, in \Documents and Settings\%USER%\Application Data\McAfee, and in \Windows\System32\drivers. I noticed that the drivers in the latter folder were not removed by the uninstall. Based on the behavior of the uninstall--the green progress bar slowly crept up to about 50%, then suddenly went away--I concluded that it may have failed to run to completion.

                         

                        Then the agent downloaded and ran a McAfee "Preinstaller" which was supposed to clean things up further or check or something and the reinstalled the AV. Once again he asked me to insert a DVD and open the drive--and once again it blue-screened. Again he went away to "Consult His Resources". By then he had wasted four hours of my time, getting no further than I had already gotten. I told him I was unsatisfied with the progress and wanted the problem escalated. He declined to do that. I observed that the entire series of chat sessions and calls were recorded and I hoped they were reviewed. Once again he went to consult resources. When he came back, he said that I needed to install a newer version of the operating system. I pointed out that McAfee AV supports the version I am currently using. He declined to give any further help and I expect he closed the problem (which should have remained open). I asked whether he was going to remove all the extra software he had installed on my computer and he insisted that there was none. Anything left would go away on restart. This was an outright lie and, for me, the straw that broke the camel's back. No more McAfee on this computer.

                         

                        I had to find and delete the McAfee Pre-Install program. I think I deleted all the Citrix chat stuff. I had to uninstall the McAfee Virtual Technician (MVT) which is an absolute nightmare because the lazy programmers provided no Uninstall at all, neither in Control Panel nor as a standalone program. I had to delete about two dozen registry keys and find all the files. And then I had to delete all the residuals the AV left behind. The only thing that removed cleanly was McAfee Site Advisor.

                         

                        I imagine that over time updates add new files and registry keys as modules are created to deal with new malware types or to add additional function. I also imagine that no one ever thinks to go back and update/replace the uninstall scripts to remove these additional keys and modules. I would even venture to guess that in testing no one ever takes a perfectly clean new system, images the drive, then installs and removes McAfee, and then compares the two drive images. I bet there would be a lot of surprises.

                         

                        The bottom line is that everything works fine once McAfee was completely removed. I wasted over eight hours yesterday, between unqualified tech support and my own cleanup. McAfee is gone and will remain gone. I've installed a competitor product and I'm not looking back.

                        • 9. Re: BSOD 000000F7 in mfehidk.sys
                          Peter M

                          Strange about the Virtual Technician, it should have been listed as it's own programme in Control Panel.  Sorry you had to go through that rigmarole.

                          Not sure what else to suggest, I will email my contact at support and ask them to read this thread and maybe offer suggestions.

                          1 2 3 4 Previous Next