# Have I been hacked?



## Bjayefferson (Jun 21, 2012)

I've noticed a warning in my event viewer that worries me. It lists the source as mfehidk. This looks like a name followed by idk to me. My brother's name is Mike & our last name starts out Feh, but he died 2 years ago so I know it's not him. Could be totally coincidental but still weird, right? Anyways, how do I fix this & prevent it from being allowed to make changes to my virus protector? Or is it OK & normal & I shouldn't worry?

General;
Process **\mcshield.exe pid (4760) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.

Details;
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="mfehidk" />
    <EventID Qualifiers="33024">516</EventID>
    <Level>3</Level>
    <Task>256</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-06-21T09:06:07.099284400Z" />
    <EventRecordID>6963</EventRecordID>
    <Channel>System</Channel>
    <Computer>myfknpcman-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>\Device\mfehidk</Data>
    <Data>**\mcshield.exe</Data>
    <Data>4760</Data>
    <Binary>00000000030030000001000004020081000000000000000000000000000000000000000000000000</Binary>
  </EventData>
</Event>
```


Just found another one... Its source is listed as Wininit. Is this OK and safe? If not, how do I stop these things?

General;
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.

Details;
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206F6DEA-D3C5-4D10-BC72-989F03C8B84B}" />
    <EventID>11</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2012-06-21T08:55:17.831641500Z" />
    <EventRecordID>6890</EventRecordID>
    <Correlation />
    <Execution ProcessID="832" ThreadID="864" />
    <Channel>System</Channel>
    <Computer>plbbbbbbbbb-PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="StringCount">1</Data>
    <Data Name="String">C:\Windows\system32\nvinitx.dll</Data>
  </EventData>
</Event>
```


----------



## koala (Mar 27, 2005)

mfehidk.sys is a system file used by your McAfee antivirus. It should be located in Windows\System32\Drivers. Hang on for a reply from one of our security experts who will give more details.


----------



## SkyStormKuja (Apr 6, 2012)

It isn't a hacker, so the system file name resemblance is coincidence.
Link to someone who had a similar problem:
https://community.mcafee.com/message/149162


----------



## epshatto (Dec 23, 2010)

Seconded, you've not been hacked.

What's happening here is there is some application which is executing from an address space occupied by a McAfee process.

Some viruses will perform this behavior as a way of hiding from AV. As a result you get the error message.

However, it most frequently happens when a third party software item does the same thing. It frequently seems to occur after a Windows/Office update. There's a KB article about it here:

https://kc.mcafee.com/corporate/index?page=content&id=KB71083

If you want to know what's doing that you'll need to use Process Explorer to see what .dll file is being loaded, to start with.
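
The second event in the question (Wininit, Event ID 11) asks an administrator to review the listed libraries. As an added example that is not part of the original thread, the PowerShell below collects every DLL path those events name and reports each file's Authenticode status, signer and SHA-256, so the file can be checked against the vendor it claims to come from. The output property names (`Path`, `Exists`, `Status`, `Signer`, `SHA256`) are chosen here for illustration.

```powershell
# Added example: review the DLLs reported by Wininit Event ID 11.
# Run from a 64-bit, elevated PowerShell prompt on the affected machine
# (a 32-bit prompt would be redirected away from the real system32 folder).

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 11
}

# Collect every distinct DLL path named in <Data Name="String"> elements.
$paths = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $xml.Event.EventData.Data |
            Where-Object { $_.Name -eq 'String' } |
            ForEach-Object { $_.'#text' }
    } |
    Sort-Object -Unique

# For each path, record whether the file exists, who signed it and its hash.
$report = foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        # The event named a file that is no longer on disk.
        [pscustomobject]@{
            Path = $path; Exists = $false
            Status = $null; Signer = $null; SHA256 = $null
        }
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Path   = $path
        Exists = $true
        Status = $sig.Status                      # e.g. Valid, NotSigned, HashMismatch
        Signer = $sig.SignerCertificate.Subject   # empty when the file is unsigned
        SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

# A status other than Valid, or a signer that does not match the expected
# vendor, is a reason to look closer, not a verdict on its own.
$report | Format-List
```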


----------



## Bjayefferson (Jun 21, 2012)

Thank you!


----------

