This post was actually a request for advice on how to submit it to McAfee, as the files do not get flagged as Artemis, nor are they given a 12 digit number, both of which appear to be pre-requisites for a submission according to the page you link.
I gave Doug the name of those files in that thread. He is a Tier 3.0 Lead Engineer.
Hopefully we will hear something back from Doug today. I wanted you to know I had not forgotten about your issue.
Thanks for replying back. These files are not the ones we classified as clean in the database, so until you are 100% sure it is clean, the best practice is to treat them as infected.
I did some googling around and found that there are some network drivers using these files which are dropped by a trojan to spy on your connection to the internet.
Click Choose File and browse to the files
- Note: To prevent detection from McAfee you may have to turn off the Real Time Scanning temporarily
- Note: Make sure it is not the quarantined files you are submitting, as those are encrypted
Click Scan It
Depending on whether it has been submitted before, you will get an option like View Analysis or View Last Analysis. Click one of those.
Copy the URL of that page and paste it in a reply.
Also submit the other file with the same steps.
I can use this info to give to our researchers as they will be able to cross reference the VT data hashes with what we may know about these binaries.
3rd Party Analysis
I see someone else posting these files as Trojan.Virut here, packaged with Spotfluxagent.
This is what MSFT says about this variant:
"Win32/Virut creates a mutex named VT_3, which it uses to prevent multiple copies of itself from running on your PC. Win32/Virut disables Windows System File Protection (SFP) by injecting code into "WINLOGON.EXE". The injected code patches "sfc_os.dll" in memory, which in turn allows the virus to infect files protected by SFP.
Win32/Virut injects code into other processes and this code will infect files with extensions .EXE and .SCR accessed by those processes."
We have some info on it as well, but it could be a slightly different variant: W32/Virut.n.gen | Virus Profile & Definition | McAfee Inc.
Let's start with the VirusTotal submission and take it from there.
Manager, Support Engineering
As requested, the URLs of the VirusTotal scans of the relevant files:
Many thanks for your attention.
Wow, it looks like you have an infection with nfapi.dll. That explains why, when you restore the files, it ends up in a detection/quarantine loop. Where did you get those drivers from? Can you see if the card manufacturer has any other versions you could try? This is a common tactic where a malicious user swaps out a legit file in a package from a legit company to trick users into installing their malware. Proceed with caution as that malware has the ability to put anything it wants on your machine. Might want to check if there are any TCP/IP connections to unexplained hosts. (Open cmd.exe as Admin -> type `netstat -ano`)
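The `netstat -ano` check suggested above, as an added triage example that is not part of this thread: it parses a constructed sample of `netstat -ano` output and lists established TCP connections whose remote address is outside the RFC 1918, loopback and link-local ranges, together with the owning PID, so the process (and any DLL it loaded) can be looked up in Task Manager or Process Explorer. The sample rows and addresses are constructed, not taken from the poster's machine.

```python
import ipaddress

# Constructed sample of `netstat -ano` output (not from the thread).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.20:49712     192.168.1.1:443        ESTABLISHED     4120
  TCP    192.168.1.20:49801     203.0.113.57:8080      ESTABLISHED     3344
  TCP    192.168.1.20:49855     198.51.100.9:443       TIME_WAIT       0
  TCP    [::1]:49900            [::1]:49901            ESTABLISHED     5012
  UDP    0.0.0.0:5353           *:*                                    1208
"""

# Ranges treated as "explained" local traffic; anything else is worth a look.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # IPv4 loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 equivalents
)]


def split_host_port(addr):
    """Split '198.51.100.9:443' or '[::1]:49900' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def external_established(netstat_text):
    """Return (remote_ip, remote_port, pid) for ESTABLISHED TCP rows
    whose foreign address is not in LOCAL_NETS."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # TCP rows have exactly 5 columns; UDP rows lack State, headers differ.
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _proto, _local, remote, state, pid = parts
        if state != "ESTABLISHED":
            continue
        host, port = split_host_port(remote)
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # '*' or a hostname; netstat -n should not produce these
        if not is_local(ip):
            findings.append((str(ip), int(port), int(pid)))
    return findings
```

Each PID returned can then be matched to its image and loaded modules to see whether the flagged driver package is involved.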
Thanks for your input, Doug. It is appreciated.
However the files came pre-installed on the laptop when it was new, still shrink wrap sealed in the box. The first time it deleted the nfapi.dll file, I downloaded the package afresh from the Asus drivers website. I suppose it is always possible that their website could be compromised.
I can't help but note that, in that VirusTotal scan, there is some... "contention", with a number of your competitors flagging the file as clean.
I guess the next best step for me to take, is to open a support case with Asus, who provide the files in the first place. Thank you for your assistance so far, and sorry for the late reply. I work nights and now that the Bank Holiday weekend in the UK is over, I'm back at work. I will update you when I get a reply from Asus.