McAfee Stinger installs McAfee Validation Trust Protection Service
McAfee Stinger is a second-opinion scanner that you can run alongside your resident security solution to check the system for malicious programs.
The main purpose of the program is to detect and remove infections on computer systems running a supported version of Windows.
McAfee recently added Raptor, a real-time behavior component, to the application to improve the program's capabilities.
Downloads for 32-bit and 64-bit versions of McAfee Stinger are provided on the official website but also on third-party sites.
One of those sites, Portable Apps, discovered recently that McAfee Stinger was installing a Windows service without informing the user about it when the program is run.
As a consequence, the site removed McAfee's tool from its repository due to malware-like behavior, stating that the service is "exceedingly difficult to remove" once installed since it lacks uninstallation options.
I ran McAfee Stinger after reading the news piece to find out more about that. True enough, the McAfee Validation Trust Protection Service was installed during first run of McAfee Stinger on a 64-bit version of Windows.
It appears though that you need to run the corresponding version of McAfee Stinger. A test run of the 32-bit version of McAfee Stinger on a 64-bit machine did not seem to install the service.
Do the following to test if the validation service is installed on your system:
- Tap on the Windows-key, type services.msc and hit enter.
- Scroll down the list of Windows Services until the letter M.
- You should see McAfee Validation Trust Protection Service listed there if it is installed.
- If you don't see it there, it is not installed.
The purpose of the service is not clear, and its description ("Provides validation trust protection services") does not shed any light on it either.
The service cannot be stopped and its status cannot be changed as it does not offer any means to do that (all actions are grayed out).
The path to the executable is listed as C:\Windows\system32\mfevtps.exe in the properties.
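The same check can be done from PowerShell. This is an added example, not part of the original article or McAfee's tooling: it reads the keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services for mfevtp and the two related entries readers name in the comments (mfehidk, mferkdet), then reports start type, image path and Authenticode signature status. It changes nothing on the system; the helper name Resolve-ImagePath is made up for this example.

```powershell
# Added example: read-only check, run from an elevated PowerShell prompt.
# Names are the ones given on this page: mfevtp, mfehidk, mferkdet.
$names      = 'mfevtp', 'mfehidk', 'mferkdet'
$root       = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Resolve-ImagePath([string]$Raw) {
    # ImagePath can be quoted, carry arguments, start with \??\ or \SystemRoot\,
    # or be relative to %SystemRoot% (common for drivers).
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = foreach ($name in $names) {
    $row = [ordered]@{ Name = $name; Installed = $false; StartType = $null
                       ImagePath = $null; FileOnDisk = $null; Signature = $null; Signer = $null }
    $svc = Get-ItemProperty -LiteralPath (Join-Path $root $name) -ErrorAction SilentlyContinue
    if ($svc) {
        $row.Installed = $true
        # Start: 2 means the entry launches automatically on every boot.
        $row.StartType = if ($null -ne $svc.Start) { $startTypes[[int]$svc.Start] }
        $row.ImagePath = Resolve-ImagePath $svc.ImagePath
        $row.FileOnDisk = [bool]($row.ImagePath -and (Test-Path -LiteralPath $row.ImagePath))
        if ($row.FileOnDisk) {
            # Authenticode status shows whether the binary is signed and by whom.
            $sig = Get-AuthenticodeSignature -FilePath $row.ImagePath
            $row.Signature = $sig.Status
            if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
        }
    }
    [pscustomobject]$row
}
$report | Format-List
```

Use 64-bit PowerShell on 64-bit Windows: a 32-bit process sees C:\Windows\system32 redirected to SysWOW64, so the file check could wrongly report the binary as missing.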
The service cannot be removed through normal means, which makes this even more troublesome for users who run the program on their system. If they remove the McAfee Stinger program, the service remains on the system, and since it is set to autostart, it will start and run on every system start.
So how can you remove the service once it is installed?
You may be able to use System Restore for that. Note that a restore point is not created when you run McAfee Stinger. If a restore point was created earlier, you may use it to restore an earlier snapshot to get rid of the service.
The best option that the Portable Apps crew found was to use McAfee's Removal Tool as it can be run on the system directly and will remove the McAfee Validation service along with other traces of McAfee software from the system.
This is obviously only an option if you don't have McAfee software installed that you rely on as it will get removed in the process.
Please note that you need to restart the system after the removal process finishes to complete it. Once done, the service is no longer installed on the system.
W10 Pro and Stinger 64. After removing the service with McAfee’s Removal Tool I tried Stinger with the –ePO switch. So far that seems to do the trick to stop the mfevtp service to be installed:
As ustavio said on May 12, 2015 at 3:48 am, a convenient (and easily reversible) method to disable this service (and two other auto-starting entries that appear to be associated with McAfee Stinger, mfehidk and mferkdet) is to use Sysinternals’ AutoRuns – https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns (again, as previously stated, be very careful in using this very powerful utility; best practices would be to first create a Restore Point).
I always say: there’s absolutely no virus that harms your system more than an Anti-Virus. Period.
To delete the McAfee validation service, log in in safe mode, then delete the following:
1. C:\Windows\System32\mfevtps.exe. Also delete any prefetch files associated with this (search C:\ drive for all “mfevtps”)
2. In the registry, delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mfevtp, and all its subfolders (Security and Enum)
3. In the registry, delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mfevtp, and all its subfolders.
This should do it. Reboot and verify that the service and process mfevtps.exe are gone.
You will need to do the same for mferkda.dll, mfehidk.sys, and mferkdet.sys.
I tried it first with the commands method (from the comments) but somehow the service was only set inactive.
Finally I tried it with the official Removal Tool mentioned in the above article. It worked, but for me one simple restart seemed to be not enough. After I sent my PC to Sleep Mode next time it didn’t want to wake up anymore and hung up in a fail-starts-loop instead. – Might be better to do a second real restart right after the first one. PC works again, McAfee service is removed :)
I just discovered this McAfee malware hanging around on my machine after running the Stinger “standalone” utility. These guys are really self-righteous scum, I will be recommending the removal of McAfee malware (preinstalled bloat and tag-along installer crap too) from every client I come across.
Here’s something I found in Windows XP folder the good old days don’t know if it’s going to work but I thought it might be useful.
Create or Delete A Service in Windows XP
Services are added from the Command Prompt. You need to know the actual service name as opposed to what Microsoft calls
the Display Name. For example, if you wanted to create or delete the Help and Support service, the name used at the Command
Prompt would be “helpsvc” rather than the Display Name of “Help and Support”. The actual service name can be obtained by
typing services.msc in Run on the Start Menu and then double clicking the Display Name of the service.
Once you know the name:
To Create A Service
* Start | Run and type cmd in the Open: line. Click OK.
* Type: sc create
* Reboot the system
To Delete A Service
* Start | Run and type cmd in the Open: line. Click OK.
* Type: sc delete
* Reboot the system
How does it look:
When I first ran my system in the recovery console mode it looked like the old DOS environment. There are a lot of commands,
which are pretty much the same like the old-DOS commands, so it was a pretty comfortable environment to me. The recovery
console gives you a command prompt in the %systemroot%, usually the C:\winnt. In the recovery console mode are the following
commands available:
Disable; to stop an indicated service
Enable; to start an indicated service
Diskpart; adds and deletes a disk partition
Fixboot; replaces a W2K boot sector in the system partition or indicated drive
Fixmbr; repairs the masterboot record
Listsvc; lists all the services and their state
Map; lists all the installed drives
Systemroot; sets the current directory as the systemroot
So the console recovery mode gives you good tools to recover a system which wouldn’t boot properly.
If you prefer to work in the registry rather than through the command prompt to delete services;
Click Start then Run and type regedit in the Open: line. Click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Scroll down the left pane, locate the service name, right click it and select Delete.
Reboot the system
What it is:
The MFEVTP [McAfee Validation Trust Protection Service] service uses Microsoft cryptographic APIs to validate McAfee processes are loading McAfee files, and to ensure nobody else is using them.
This is a new service, and as such continues to undergo tweaks as needed and warranted from customer-reported issues.
The Windows kernel allows for kernel-level drivers to do _anything_. If that driver is a root kit you are compromised, entirely. Whatever that root-kit is designed to do, it can do it.
We’ve taken measures to make it more difficult for a root-kit to accomplish certain tasks with our software installed.
It is not ordinarily stoppable because:
This service is protected due to its integral necessity for McAfee services to function, and to hinder attempts to bypass our protection mechanisms and other root-kit behaviors.
To disable the service run the Command Prompt as administrator and enter:
sc stop "mfevtp" + [Enter]
sc config "mfevtp" start= disabled + [Enter]
To delete run a Command prompt as admin and enter:
sc stop "mfevtp" + [Enter]
sc delete "mfevtp" + [Enter]
…. if McAfee can’t be trusted anymore, and Intel now owns McAfee — can Intel be trusted anymore ??
Windows 7 seemed to automatically add some new Intel software of questionable extent/value (e.g., Rapid Storage Technology).
If Intel necessarily installs a lot of its software/drivers on common Intel-based PC’s… and we can no longer quite trust Intel — seems like a problem for users (?)
As mentioned above by voor, it’s fairly easy to delete a service via the command prompt.
How-To-Geek has an article which walks you through the procedure, along with diagrams.
“How to Delete a Windows Service in Windows 7, Vista or XP”
http://www.howtogeek.com/howto/windows-vista/how-to-delete-a-windows-service-in-vista-or-xp/
Not sure if this works for Windows 8 or 10 – however I would imagine it would.
Unless the McAfee service has some type of hook to prevent this, you should be able to easily remove the service using this method – which is certainly preferable to downloading yet another program.
NOTE: – This method is also a great way to remove leftover or “orphaned” services which remain on your system long after you have uninstalled a program.
A product from an anti-virus/malware protection company that installs a service that could practically be called “malware” simply because it doesn’t inform the end user it’s been installed and is somewhat difficult for casual users to remove easily if they don’t even know it’s there in the first place?
Say it ain’t so… :D
That’s some damned nasty stuff, indeed, and here to think I used Stinger in years past and relied on it to some degrees to do exactly what it was designed to do and nothing more. My how times have changed, good grief.
You can probably stop the service in the Services control panel plug-in if you start services.msc from an administrator command prompt.
I haven’t tried it with this particular service (since it isn’t installed on my machine), but other services that have controls disabled when I start services.msc from the start menu normally can be controlled with no problem if I start services.msc from an Admin prompt.
I used and removed Stinger thinking that was that. I noticed, however, that start up and log on ran a wee bit slower than usual, which happens from time to time anyway for one reason or another. This seemed to be fairly consistent so I poked about with System Explorer and found the aforementioned culprit. This kind of nonsense annoys the snot out of me, especially if there is no way provided to uninstall it (other than tinkering with the registry).
I’m grateful for Autoruns. Once the entry is unchecked, it is disabled and is reflected as such in Services MSC, Easy fix (once one is aware it is there). It’s not uninstalled, but it is disabled. Computer is back to its old self and I have not detected it trying to re-install.
One has to be careful with Autoruns but it is easier to undo a goof than it is when flogging about in the Registry.
Wow, once a Piece Of S… always a Piece Of S….
John McAfee, long disassociated with the company, still regrets letting them keep using his name as their brand.
Or you can use “sc delete”: https://technet.microsoft.com/en-us/library/cc742045.aspx
You can remove any service by manually editing the registry.
You can also destroy your OS doing that.
Just use the McAfee Consumer Removal Tool.
I thought that McAfee was now “Intel Security” or something of that nature, since Intel bought them out?
Yeah.
“Intel Security Group, (previously McAfee, Inc.) /ˈmækəfiː/,[3] is an American global computer security software company headquartered in Santa Clara, California, and the world’s largest dedicated security technology company.[4]”
– English Wikipedia
Yes Intel bought McAfee but the brand is still there.
Pro-tip: don’t install anything by McAfee, ever. :-)
Exactly, 1+