McAfee Stinger installs McAfee Validation Trust Protection Service

Martin Brinkmann
May 11, 2015
Security
|
23

McAfee Stinger is a second-opinion scanner that you can run alongside your resident security solution to check the system for malicious programs.

The main purpose of the program is to detect and remove infections on computer systems running a supported version of Windows.

McAfee did add a real-time behavior component Raptor to the application in recent time to improve the program's capabilities.

Downloads for 32-bit and 64-bit versions of McAfee Stinger are provided on the official website but also on third-party sites.

One of those sites, Portable Apps, discovered recently that McAfee Stinger was installing a Windows service without informing the user about it when the program is run.

The site removed McAfee's tool as a consequence from its repository due to malware-like behavior stating that the service is "exceedingly difficult to remove" once installed since it lacks uninstallation options.

I ran McAfee Stinger after reading the news piece to find out more about that. True enough, the McAfee Validation Trust Protection Service was installed during first run of McAfee Stinger on a 64-bit version of Windows.

It appears though that you need to run the corresponding version of Mcafee Stinger. A test run of the 32-bit version of McAfee Stinger on a 64-bit machine did not seem to install the service.

mcafee validation service

Do the following to test if the validation service is installed on your system:

  1. Tap on the Windows-key, type services.msc and hit enter.
  2. Scroll down the list of Windows Services until the letter M.
  3. You should see McAfee Validation Trust Protection Service listed there if it is installed.
  4. If you don't see it there, it is not installed.

The purpose of the service is not clear and the description does not help either in shedding light on that (Provides validation trust protection services).

mcafee validation trust protection service

The service cannot be stopped and its status cannot be changed as it does not offer any means to do that (all actions are grayed out).

The path to the executable is listed as C:\Windows\system32\mfevtps.exe in the properties.

The service cannot be removed through normal which makes this even more troublesome for users who run the program on their system. If they remove the McAfee Stinger program, the service remains on the system and since it is set to autostart, it will start and run on every system start.

So how can you remove the service once it is installed?

You may be able to use System Restore for that. Note that a restore point is not created when you run McAfee Stinger. If a restore point was created earlier, you may use it to restore the an earlier snapshot to get rid of the service.

The best option that the Portable Apps crew found was to use McAfee's Removal Tool as it can be run on the system directly and will remove the McAfee Validation service along with other traces of McAfee software from the system.

This is obviously only an option if you don't have McAfee software installed that you rely on as it will get removed in the process.

removing mcafee

Please note that you need to restart the system after the removal process finishes to complete it. Once done, the service is no longer installed on the system.

Summary
McAfee Stinger installs McAfee Validation Trust Protection Service
Article Name
McAfee Stinger installs McAfee Validation Trust Protection Service
Description
If you ran McAfee's Stinger application recently on your system you may have inadvertently installed a new autostarting Windows service on your system.
Author
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Anonymous said on September 10, 2020 at 1:29 pm
    Reply

    W10 Pro and Stinger 64. After removing the service with McAfee’s Removal Tool I tried Stinger with the –ePO switch. So far that seems to do the trick to stop the mfevtp service to be installed:

  2. AJ North said on March 13, 2018 at 9:41 pm
    Reply

    As ustavio said on May 12, 2015 at 3:48 am, a convenient (and easily reversible) method to disable this service (and two other auto-starting entries that appear to be associated with McAfee Stinger, mfehidk and mferkdet) is to use Sysinternals’ AutoRuns – https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns (again, as previously stated, be very careful in using this very powerful utility; best practices would be to first create a Restore Point).

  3. Die McAfee said on August 19, 2016 at 3:54 pm
    Reply

    I always say: there’s absolutely no virus that harms more your system than a Anti-Virus. Period.

  4. Sam said on April 28, 2016 at 12:29 am
    Reply

    To delete the McAfee validation service, log in in safe mode, then delete the following:
    1. C:\WIndows\System32\mfevtps.exe. Also delete any prefetch files associated with this (search C:\ drive for all “mfevtps”
    2. In the registry, delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mfevtp, and all its subfolders (Security and Enum)
    3. In the registry, delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mfevtp, and all its subfolders.

    This should do it. Reboot and verify that the service and process mfevtps.exe are gone.

    1. Bob said on December 16, 2016 at 7:08 pm
      Reply

      You will need to do the same for mferkda.dll, mfehidk.sys, and mferkdet.sys.

  5. birmingham said on January 14, 2016 at 3:11 pm
    Reply

    I tried it first with the commands method (from the comments) but somehow the service was only set inactive.
    Finally I tried it with the official Removal Tool mentioned in the above article. It worked, but for me one simple restart seemed to be not enough. After I send my PC to Sleep Mode next time it didn’t want to wake up anymore and hung up in a fail-starts-loop instead. – Might be better to do a second real restart right after the first one. PC works again, McAfee service is removed :)

  6. Jacob Meyer said on August 13, 2015 at 5:24 am
    Reply

    I just discovered this McAfee malware hanging around on my machine after running the Stinger “standalone” utility. These guys are really self-righteous scum, I will be recommending the removal of McAfee malware (preinstalled bloat and tag-along installer crap too) from every client I come across.

  7. PhoneyVirus said on May 19, 2015 at 9:44 pm
    Reply

    Here’s something I found in Windows XP folder the good old days don’t know if its going to work but I though it might be useful.

    Create or Delete A Service in Windows XP

    Services are added from the Command Prompt. You need to know the actual service name as opposed to what Microsoft calls
    the Display Name. For example, if you wanted to create or delete the Help and Support service, the name used at the Command
    Prompt would be “helpsvc” rather than the Display Name of “Help and Support”. The actual service name can be obtained by
    typing services.msc in Run on the Start Menu and then double clicking the Display Name of the service.

    Once you know the name:

    To Create A Service

    * Start | Run and type cmd in the Open: line. Click OK.
    * Type: sc create
    * Reboot the system

    To Delete A Service

    * Start | Run and type cmd in the Open: line. Click OK.
    * Type: sc delete
    * Reboot the system

    How does it look:

    When I first ran my system in the recovery console mode it looked like the old DOS environment. There are a lot of commands,
    which are pretty much the same like the old-DOS commands, so it was a pretty comfortable environment to me. The recovery
    console gives a you command prompt in the %systemroot%, usually the C:\winnt. In the recovery console mode are the following
    commands available:

    Disable; to stop a indicated service
    Enable; to start a indicated service
    Diskpart; adds and deletes a disk partition
    Fixboot; replaces a W2K boot sector in the system partition or indicated drive
    Fixmbr; repairs the masterboot record
    Listsvc; lists all the service and there state
    Map; lists all the installed drives
    Systemroot; sets the current directory as the systemroot
    So the console recovery mode gives you good tools to recover a system which wouldn’t boot properly.

    If you prefer to work in the registry rather than through the command prompt to delete services;

    Click Start then Run and type regedit in the Open: line. Click OK.

    Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    Scroll down the left pane, locate the service name, right click it and select Delete.

    Reboot the system

  8. dostiers said on May 13, 2015 at 12:16 am
    Reply

    What it is:

    The MFEVTP [McAfee Validation Trust Protection Service] service uses Microsoft cryptographic APIs to validate McAfee processes are loading McAfee files, and to ensure nobody else is using them.

    This is a new service, and as such continues to undergo tweaks as needed and warranted from customer-reported issues.

    The Windows kernel allows for kernel-level drivers to do _anything_. If that driver is a root kit you are compromised, entirely. Whatever that root-kit is designed to do, it can do it.

    We’ve taken measures to make it more difficult for a root-kit to accomplish certain tasks with our software installed.

    It is not ordinarily stoppable because:

    This service is protected due to its integral necessity for McAfee services to function, and to hinder attempts to bypass our protection mechanisms and other root-kit behaviors.

    To disable the service run the Command Prompt as administrator and enter:
    sc stop “mfevtp” + [Enter]
    sc config “mfevtp” start= disabled + [Enter]

    To delete run a Command prompt as admin and enter:
    sc stop “mfevtp” + [Enter]
    sc delete “mfevtp” + [Enter]

  9. Ferrin said on May 12, 2015 at 4:44 pm
    Reply

    …. if McAfee can’t be trusted anymore, and Intel now owns McAfee — can Intel be trusted anymore ??

    Windows 7 seemed to automatically add some new Intel software of questionable extent/value (e.g., Rapid Storage Technology).

    If Intel necessarily installs a lot of its software/drivers on common Intel-based PC’s… and we can no longer quite trust Intel — seems like a problem for users (?)

  10. Straspey said on May 12, 2015 at 1:09 pm
    Reply

    As mentioned above by voor, it’s fairly easy to delete a service via the command prompt.

    How-To-Geek has an article which walks you through the procedure, along with diagrams.

    “How to Delete a Windows Service in Windows 7, Vista or XP”

    http://www.howtogeek.com/howto/windows-vista/how-to-delete-a-windows-service-in-vista-or-xp/

    Not sure if this works for Windows 8 or 10 – however I would imagine it would.

    Unless the McAfee service has some type of hook to prevent this, you should be able to easily remove the service using this method – which is certainly preferable to downloading yet another program.

    NOTE: – This method is also a great way to remove leftover or “orphaned” services which remain on your system long after you have uninstalled a program.

  11. br0adband said on May 12, 2015 at 7:27 am
    Reply

    A product from an anti-virus/malware protection company that installs a service that could practically be called “malware” simply because it doesn’t inform the end user it’s been installed and is somewhat difficult for casual users to remove easily if they don’t even know it’s there in the first place?

    Say it ain’t so… :D

    That’s some damned nasty stuff, indeed, and here to think I used Stinger in years past and relied on it to some degrees to do exactly what it was designed to do and nothing more. My how times have changed, good grief.

  12. mikeb said on May 12, 2015 at 7:04 am
    Reply

    You can probably stop the service in the Services control panel plug-in if you start services.msc from an administrator command prompt.

    I haven’t tried it with this particular service (since it isn’t installed on my machine), but other services that have controls disabled when I start services.msc from the start menu normally can be controlled with no problem if I start services.msc from an Admin prompt.

  13. ustavio said on May 12, 2015 at 3:48 am
    Reply

    I used and removed Stinger thinking that was that. I noticed, however, that start up and log on ran a wee bit slower than usual, which happens from time to time anyway for one reason or another. This seemed to be fairly consistent so I poked about with System Explorer and found the aforementioned culprit. This kind of nonsense annoys the snot out of me, especially if there is no way provided to uninstall it (other than tinkering with the registry).

    I’m grateful for Autoruns. Once the entry is unchecked, it is disabled and is reflected as such in Services MSC, Easy fix (once one is aware it is there). It’s not uninstalled, but it is disabled. Computer is back to its old self and I have not detected it trying to re-install.

    One has to be careful with Autoruns but it is easier to undo a goof than it is when flogging about in the Registry

  14. mikef90000 said on May 12, 2015 at 2:21 am
    Reply

    Wow, once a Piece Of S… always a Piece Of S….
    John McAfee, long disassociated with the company, still regrets letting them keep using his name as their brand.

  15. voor said on May 12, 2015 at 12:22 am
    Reply
  16. Nebulus said on May 11, 2015 at 11:08 pm
    Reply

    You can remove any service by manually editing the registry.

    1. Will T said on February 18, 2020 at 3:08 am
      Reply

      You can also destroy your OS doing that.
      Just use the McAfee Consumer Removal Tool.

  17. Doc said on May 11, 2015 at 10:11 pm
    Reply

    I thought that McAfee was now “Intel Security” or something of that nature, since Intel bought them out?

    1. Luis Anton Imperial said on May 12, 2015 at 12:26 pm
      Reply

      Yeah.
      “Intel Security Group, (previously McAfee, Inc.) /ˈmækÉ™fiː/,[3] is an American global computer security software company headquartered in Santa Clara, California, and the world’s largest dedicated security technology company.[4]”
      – English Wikipedia

    2. Martin Brinkmann said on May 11, 2015 at 10:17 pm
      Reply

      Yes Intel bought McAfee but the brand is still there.

  18. Jeff said on May 11, 2015 at 10:04 pm
    Reply

    Pro-tip: don’t install anything by McAfee, ever. :-)

    1. smaragdus said on May 12, 2015 at 6:06 am
      Reply

      Exactly, 1+

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.