Community Help Hub

Former Member · ‎04-29-2017

Two files, nfapi.dll, and nfapinet.dll are triggering false positives and automatic deletion which is breaking my ethernet card drivers in Windows 10.

Unfortunately they don't meet the criteria for a submission, as in they are showing as JTI/Suspect!131076 and not "Artemis", nor do they have a 12 digit number. Therefore I cannot work out how to submit them to McAfee.

McAfee keeps deleting them, even though I have white listed them (File exemption), so it is basically ignoring my exemptions. This is not a tolerable situation.

Please advise.

Former Member · ‎05-01-2017

Hi Allan,

Thanks for replying back. These files are not the ones we classified as clean in the database, so until you are 100% it is clean, the best practice is to treat them as infected.

I did some googling around and found that there are some network drivers using these files which are dropped by a trojan to spy on your connection to the internet.

Next Steps

Go to VirusTotal - Free Online Virus, Malware and URL Scanner

Click Choose File and browse to the files

Note: To prevent detection from McAfee you may have to turn off the Real Time Scanning temporarily
Note: Make sure it is not the quarantined files you are submitting, as those are encrypted

Click Scan It

Depending if it has been submitted before you will get an option like View Analysis, View Last Analysis. Click one of those.

Copy the URL of that page and paste it in a reply.

Also submit the other file with the same steps.

I can use this info to give to our researchers as they will be able to cross reference the VT data hashes with what we may know about these binaries.

Additional Info

3rd Party Analysis

I see someone else posting these files as Trojan.Virut here, packaged with Spotfluxagent.

https://www.reasoncoresecurity.com/spotfluxagent.exe-319a64ff1a66d6856b43dad667a6bbfeec69a029.aspx

Microsoft Analysis

This is what MSFT says about this variant "

Win32/Virut creates a mutex named VT_3, which it uses to prevent multiple copies of itself from running on your PC. Win32/Virut disables Windows System File Protection (SFP) by injecting code into "WINLOGON.EXE". The injected code patches "sfc_os.dll" in memory, which in turn allows the virus to infect files protected by SFP.

Win32/Virut injects code into other processes and this code will infect files with extensions .EXE and .SCR accessed by those processes. "

McAfee Analysis

We have some info on it as well, but it could be a slightly different variant W32/Virut.n.gen | Virus Profile & Definition | McAfee Inc.

Let's start with the VirusTotal submission and take it from there.

Regards,

Doug Richards

Manager, Support Engineering

McAfee LLC.

View solution in original post

catdaddy · ‎04-29-2017

Refer to this discussion;

You may want to stick to 1 thread if you are referring to your other post.

Cliff
McAfee Volunteer

Former Member · ‎04-29-2017

This post was actually a request for advice on how to submit it to McAfee, as the files do not get flagged as Artemis, nor are they given a 12 digit number, both of which appear to be pre-requisites for a submission according to the page you link.

catdaddy · ‎04-29-2017

I gave Doug the name of those files in that thread. He is a Tier 3.0 Lead Engineer.

Cliff
McAfee Volunteer

catdaddy · ‎05-01-2017

Hopefully we will hear something back from Doug today. I wanted you to know I had not forgotten about your issue.

Cliff
McAfee Volunteer

catdaddy · ‎04-29-2017

Successfully moved from Artemis Discussion to Home User Assistance > Discussions

Cliff
McAfee Volunteer

Former Member · ‎05-01-2017

Hi Allan,

Thanks for replying back. These files are not the ones we classified as clean in the database, so until you are 100% it is clean, the best practice is to treat them as infected.

I did some googling around and found that there are some network drivers using these files which are dropped by a trojan to spy on your connection to the internet.

Next Steps

Go to VirusTotal - Free Online Virus, Malware and URL Scanner

Click Choose File and browse to the files

Note: To prevent detection from McAfee you may have to turn off the Real Time Scanning temporarily
Note: Make sure it is not the quarantined files you are submitting, as those are encrypted

Click Scan It

Depending if it has been submitted before you will get an option like View Analysis, View Last Analysis. Click one of those.

Copy the URL of that page and paste it in a reply.

Also submit the other file with the same steps.

I can use this info to give to our researchers as they will be able to cross reference the VT data hashes with what we may know about these binaries.

Additional Info

3rd Party Analysis

I see someone else posting these files as Trojan.Virut here, packaged with Spotfluxagent.

https://www.reasoncoresecurity.com/spotfluxagent.exe-319a64ff1a66d6856b43dad667a6bbfeec69a029.aspx

Microsoft Analysis

This is what MSFT says about this variant "

Win32/Virut creates a mutex named VT_3, which it uses to prevent multiple copies of itself from running on your PC. Win32/Virut disables Windows System File Protection (SFP) by injecting code into "WINLOGON.EXE". The injected code patches "sfc_os.dll" in memory, which in turn allows the virus to infect files protected by SFP.

Win32/Virut injects code into other processes and this code will infect files with extensions .EXE and .SCR accessed by those processes. "

McAfee Analysis

We have some info on it as well, but it could be a slightly different variant W32/Virut.n.gen | Virus Profile & Definition | McAfee Inc.

Let's start with the VirusTotal submission and take it from there.

Regards,

Doug Richards

Manager, Support Engineering

McAfee LLC.

View solution in original post

Former Member · ‎05-01-2017

As requested: The urls of the virustotal scans of the relevant files:

Antivirus scan for a035dde03f95ad199a74e141089ea94d24abb42f56a9cc14c86c76c6ce6932ec at2017-05-01 17:... nfapi.dll

Antivirus scan for 6fd9ab5cdd954c9cd857eebecc6e5c1f6c95e5837519680357344b6ee5dd4418 at2017-05-01 18:... nfapinet.dll

Many thanks for your attention.

Former Member · ‎05-01-2017

Wow it looks like you have an infection with nfapi.dll. That explains why when you restore the files it in a detection/quarantine loop. Where did you get those drivers from? Can you see if the card manufacturer has any other versions you could try? This is a common tactic where a malicious user swaps out a legit file in a package from a legit company to trick users into installing their malware. Proceed with caution as that malware has the ability to put anything it wants on your machine. Might want to check if there are any TCP/IP connections to unexplained hosts. (Open cmd.exe as Admin->type netstat -ano )

Regards,

Doug Richards

McAfee

Former Member · ‎05-02-2017

Thanks for your input, Doug. It is appreciated.

However the files came pre-installed on the laptop when it was new, still shrink wrap sealed in the box. The first time it deleted the nfapi.dll file, I downloaded the package afresh from the Asus drivers website. I suppose it is always possible that their website could be compromised.

I can't help but note, in that virustotal scan, there is some.. "contention", with a number of your competitors flagging the file as clean.

I guess the next best step for me to take, is to open a support case with Asus, who provide the files in the first place. Thank you for your assistance so far, and sorry for the late reply. I work nights and now that the Bank Holiday weekend in the UK is over, I'm back at work. I will update you when I get a reply from Asus.

False Positive: JTI/Suspect!131076

Re: False Positive: JTI/Suspect!131076

Re: False Positive: JTI/Suspect!131076

Re: False Positive: JTI/Suspect!131076

Re: False Positive: JTI/Suspect!131076

Re: False Positive: JTI/Suspect!131076

Re: False Positive: JTI/Suspect!131076

Re: False Positive: JTI/Suspect!131076

Re: False Positive: JTI/Suspect!131076

Re: False Positive: JTI/Suspect!131076

Re: False Positive: JTI/Suspect!131076

Community Help Hub

Join the Community