Blue Screen - "mfeaack.sys" - Strange McAfee Behavior

rickia
New Helpee

Posts: 5

Blue Screen - "mfeaack.sys" - Strange McAfee Behavior Jul 28, 2015 18:02:53 GMT -8

Quote

Post by rickia on Jul 28, 2015 18:02:53 GMT -8

Recently, I've started getting a blue screen error shortly after startup that states that there are issues with "mfeaack.sys" and forces the computer to reboot. Then there seems to be a string of boot device errors... that, when I am able to finally get back to an operable Windows session, displays an issue with McAfee shutting down its primary scanning function and repeatedly turns off scanning when turned back on.

I have followed the posted instructions and run FRST64.exe as administrator. Here are the requested files:

FRST.txt

Addition.txt

-Rick

Last Edit: Jul 28, 2015 20:45:30 GMT -8 by rickia

dbrisen
Malware Removalists

Posts: 3,688

Blue Screen - "mfeaack.sys" - Strange McAfee Behavior Jul 28, 2015 21:31:47 GMT -8

Quote

Post by dbrisen on Jul 28, 2015 21:31:47 GMT -8

Download the latest version of TDSSKiller from here and save it to your Desktop.

[/b] to run the application, then click on Change parameters.

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
[/ul]

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

rickia New Helpee Posts: 5	Blue Screen - "mfeaack.sys" - Strange McAfee Behavior Jul 31, 2015 0:29:33 GMT -8 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by rickia on Jul 31, 2015 0:29:33 GMT -8 Interesting. No threats found. TDSSKiller.3.1.0.5_31.07.2015_01.25.22_log.txt

dbrisen
Malware Removalists

Posts: 3,688

Blue Screen - "mfeaack.sys" - Strange McAfee Behavior Aug 1, 2015 21:39:40 GMT -8

Quote

Post by dbrisen on Aug 1, 2015 21:39:40 GMT -8

Yes it is; FRST found a fourth partition that TDSSKiller does not but this could be from your industrial programming / testing tools. (I did that myself some years ago.)

Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt

Start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-2384455974-1483467534-2981087686-1000\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Users\Rickia\AppData\Local\Temp\sswtqot\scrbeoc\wow64.dll ATTENTION! ====> ZeroAccess?
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll No File
C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Rickia\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-16]
C:\Users\Rickia\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
CHR Extension: (Skype Click to Call) - C:\Users\Rickia\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2014-02-20]
C:\Users\Rickia\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
CHR Extension: (SeaApp) - C:\Users\Rickia\AppData\Local\Google\Chrome\User Data\Default\Extensions\eogikidelleflpkolmiiaeibjbaepila [2014-01-27]
C:\Users\Rickia\AppData\Local\Google\Chrome\User Data\Default\Extensions\eogikidelleflpkolmiiaeibjbaepila
CHR HKU\S-1-5-21-2384455974-1483467534-2981087686-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eogikidelleflpkolmiiaeibjbaepila] - C:\Users\Rickia\AppData\Local\chrome_6486.crx [2014-01-27]
C:\Users\Rickia\AppData\Local\chrome_6486.crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2015-05-01]
C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx
S3 cpuz134; \??\C:\Users\Rickia\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
C:\Users\Rickia\AppData\Local\Temp\cpuz134\cpuz134_x64.sys
C:\Users\Rickia\mbam-setup-1.62.0.1300.exe
C:\Users\Rickia\PCTools_Safe_Install.exe
C:\Users\Rickia\unhide.exe
C:\Users\Rickia\AppData\Local\Temp\avguidx.dll
C:\Users\Rickia\AppData\Local\Temp\CommonInstaller.exe
C:\Users\Rickia\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Rickia\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Rickia\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Rickia\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\Rickia\AppData\Local\Temp\oi_{32DEECE1-844D-47C8-8B88-0206167ECC97}.exe
C:\Users\Rickia\AppData\Local\Temp\oi_{586269B9-ADE9-44EA-BD67-E08952D5DC7C}.exe
C:\Users\Rickia\AppData\Local\Temp\ReimagePackage.exe
C:\Users\Rickia\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Rickia\AppData\Local\Temp\sonarinst.exe
C:\Users\Rickia\AppData\Local\Temp\tmpline.exe
C:\Users\Rickia\AppData\Local\Temp\ToolbarInstaller.exe
C:\Users\Rickia\AppData\Local\Temp\UNINSTALL.exe
C:\Users\Rickia\AppData\Local\Temp\_is26F1.exe
CustomCLSID: HKU\S-1-5-21-2384455974-1483467534-2981087686-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 -> C:\Users\Rickia\AppData\Local\Temp\sswtqot\scrbeoc\wow64.dll No File
C:\Users\Rickia\AppData\Local\Temp\sswtqot\scrbeoc\wow64.dll
Task: {6065A11C-A7B7-4F1B-98D3-2DB6B0911E61} - System32\Tasks\{B9ECA049-375F-4E1F-A9B3-3A37E636838C} => pcalua.exe -a "C:\Users\Rickia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G0JWA3SH\WBSP_IE_Setup.exe" -d C:\Users\Rickia\Desktop
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\Windows\TEMP\{3E1D2B5E-EBC2-413F-936B-A7495613E7C5}.exe <==== ATTENTION
C:\Windows\TEMP\{3E1D2B5E-EBC2-413F-936B-A7495613E7C5}.exe
AlternateDataStreams: C:\ProgramData\Temp:DFC5A2B2
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Start FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..." and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

rickia
New Helpee

Posts: 5

Blue Screen - "mfeaack.sys" - Strange McAfee Behavior Aug 2, 2015 4:42:11 GMT -8

Quote

Post by rickia on Aug 2, 2015 4:42:11 GMT -8

When I tried to run FRST, it said my system was incompatible and to run FRST64 instead. So I did that, and it placed the old FRST and FRST64 in a new folder. I then ran FRST64 as administrator and hit 'Fix.' Then I let the computer restart and boot up normally. After some time, I got the same mfeeack.sys blue screen, and I am now back in Safe Mode with Networking.

I apologize, I forgot to mention that I ran Malwarebytes before I ran into this forum. I cannot recall what it found and removed. =\ Perhaps that is why TDSSKiller didn't find anything?

Here is the fixlog: Fixlog.txt

Last Edit: Aug 2, 2015 7:01:23 GMT -8 by rickia

dbrisen
Malware Removalists

Posts: 3,688

Blue Screen - "mfeaack.sys" - Strange McAfee Behavior Aug 2, 2015 20:43:39 GMT -8

Quote

Post by dbrisen on Aug 2, 2015 20:43:39 GMT -8

Let em see what this finds and fixes:

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

[/b][/font] Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
You will see the following console:

Click the Scan button and wait for the scan to finish.

After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.

Click the Clean button.

Everything checked will be deleted.

When the program has finished cleaning a report appears.

Once done it will ask to reboot, allow this

On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt
[/ul]

Optional:
NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

rickia
New Helpee

Posts: 5

Blue Screen - "mfeaack.sys" - Strange McAfee Behavior Aug 2, 2015 22:04:35 GMT -8

Quote

Post by rickia on Aug 2, 2015 22:04:35 GMT -8

Here it is! Looks like it took care of some stuff... AdwCleanerS0.txt (4.16 KB)

(For some reason the wikisend URL wouldn't paste properly... so I attached the .txt file instead...)

Still seem to be getting the blue screen, however... =\

Last Edit: Aug 2, 2015 23:24:29 GMT -8 by rickia

dbrisen Malware Removalists Posts: 3,688	Blue Screen - "mfeaack.sys" - Strange McAfee Behavior Aug 4, 2015 20:14:51 GMT -8 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by dbrisen on Aug 4, 2015 20:14:51 GMT -8 Please see if the following McAfee Support Bulletin helps: service.mcafee.com/FAQDocument.aspx?id=TS100903
	I will not provide malware removal by PM; please post in your thread on the Malware Removal board. My help is always free but if you would like to help encourage me or show your thanks -----> *DONATE*

rickia
New Helpee

Posts: 5

Blue Screen - "mfeaack.sys" - Strange McAfee Behavior Aug 6, 2015 6:08:06 GMT -8

Quote

Post by rickia on Aug 6, 2015 6:08:06 GMT -8

Ran an update in Safe Mode (only way it wouldn't crash), and that seemed to do the trick, oddly enough. Also ran a Full Scan, since I wonder if kicking off the scan was previously initiating the issue. That seemed to run fine...

Have had the computer on for awhile now... and it hasn't gone blue screen...

I think it's fixed!!

Thank you SO much for your help. Will make a donation for your time. Thank you!

dbrisen
Malware Removalists

Posts: 3,688

Blue Screen - "mfeaack.sys" - Strange McAfee Behavior Aug 6, 2015 22:32:36 GMT -8

Quote

Post by dbrisen on Aug 6, 2015 22:32:36 GMT -8

Thank you for the update. I will have to remember that (about the Updating of McAfee in Safe Mode). Sometimes Safe Mode allows processes to 'unstick' themselves so good find.

We need to remove the tools we've used during the cleaning of your machine.

[/a]
Ensure the following is ticked:
Activate UAC
Remove disinfection tools
Create registry backup
Purge system restore
Reset system settings
[/ul]

Then click Run. The program will run for a few moments and then notepad will open with a log.

Please paste the log in your next reply. Once you have the log file saved, please reboot your system to complete the clean up process.

Your system looks clean and your logs are fine. Unless you want something else done, you are done and free to go.

Final word from me: Surf safely, and watch when installing or letting anything add itself to your system. Remember, the best security is not on your system but in the chair in front of it. Take care and thanks for sticking with us. I will leave this open for a few days in case you need to come back (after the Delfix log is posted, that is).

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

Blue Screen - "mfeaack.sys" - Strange McAfee Behavior

Post by rickia on Jul 28, 2015 18:02:53 GMT -8

Post by dbrisen on Jul 28, 2015 21:31:47 GMT -8

Post by rickia on Jul 31, 2015 0:29:33 GMT -8

Post by dbrisen on Aug 1, 2015 21:39:40 GMT -8

Post by rickia on Aug 2, 2015 4:42:11 GMT -8

Post by dbrisen on Aug 2, 2015 20:43:39 GMT -8

Post by rickia on Aug 2, 2015 22:04:35 GMT -8

Post by dbrisen on Aug 4, 2015 20:14:51 GMT -8

Post by rickia on Aug 6, 2015 6:08:06 GMT -8

Post by dbrisen on Aug 6, 2015 22:32:36 GMT -8