
Floxif Virus Threat and Removal

4 replies to this topic

#1 Modem_operandi (Members, 16 posts)

Posted 26 September 2017 - 06:14 PM

Hi,
I installed CCleaner probably in early August, so my machine has been infected with the floxif virus for around two months without my knowledge. It's a 64-bit Toshiba Satellite laptop, but I cannot remember if I downloaded a 32- or 64-bit version of CCleaner.

I have experienced some strange activity, like unusually high disk consumption even when idle, and my latest attempt at installing Windows updates stalled for two days and would not complete. I have no idea if either of these is related to the virus or to other performance issues.

I normally run my computer in non-administrator status; however I do occasionally switch to administrator status when required to complete a task. I do not need to input a password to swap accounts, so I have to admit that I do not know if that makes my non-administrator account ineffective or not.

Since my Windows updates froze and would not complete, I had to swap to administrator status to terminate the process and start over. After terminating the update process, I restarted my laptop and re-initialized the Windows updates. After the security updates completed yesterday, Sept. 25, I received a notification and quarantine of the Floxif virus by Windows Defender (my only AV software currently running in real time). I then deleted the threat, and plan to uninstall my current copy of CCleaner and download a new one.

After the supposed automatic "removal" of Floxif by WD, I ran a Windows Defender quick scan, and was concerned that it "completed" after only two minutes rather than the usual 1.5 hours it has always taken. (Although I did have my 600+ browser tabs closed at the time, I don't think that's ever made a difference before.) I wondered whether remnants of the virus could be terminating the scan and spoofing its completion. I then ran a WD full scan (in custom mode), which took the usual time of over five hours, with nothing else open. Nothing more was detected.

Now I have three basic questions:

1.) I've read that the virus only affects 32-bit machines running from an administrator account. However, there's still some confusion online whether downloading the 32-bit version of CCleaner onto a 64-bit machine still posed a problem for those machines. And since I have swapped to administrator status probably more than once in the last two months, do those two factors mean that the virus could have executed on my machine, and that my files and sensitive information could have been compromised?

2.) Is it possible that my keystrokes could have been recorded for entered passwords, and that I now have to change passwords for every account I may have accessed in the last two months (many)?

3.) I plan to execute the manual removal steps published here on BC, but other manual removal processes published online are even more laborious, involving searching for and removing specific files, registry keys, and any associated unwanted programs, and even resetting all of my web browsers, which would delete all of my history, extensions, saved sessions, etc. (losing a lot of data). Is this all necessary even after WD supposedly removed the threat? (I.e., are there still remnants that need to be removed, fixed, and safeguarded, and will AdwCleaner detect the associated unwanted programs, or is there a known list of them?)

Steps 2 and 3 will require days of work and loss of information. I realize these hackers were targeting large tech companies and care little about my stuff; however I want to be sure my info, computer, and passwords are safe without going through days of possibly unnecessary eradication processes and concern. I have read that leaving any remnants on the machine can cause the virus to resurrect itself or continue to execute in part, and that the browsers have to be cleaned separately, as well as associated unwanted programs removed.

My stats:

64-bit Toshiba Satellite laptop.

Running Windows 8.1 that was upgraded poorly from Windows 8 at the store before my purchase. (There are still some remnants that in some cases make my machine think it is still Windows 8 in identifiers, but Windows 8.1 in others.)

AV software: Windows Defender


Sorry for the long post but I thought I should give as much detail as possible. Thanks very much for your advice!

Edited by Modem_operandi, 26 September 2017 - 07:18 PM.



#2 buddy215 (Moderator, 13,414 posts, West Tennessee)

Posted 27 September 2017 - 06:38 AM

Per the latest info....the malware DID NOT/COULD NOT execute on Windows 64-bit computers. Windows Defender simply quarantined the malware files bundled with CCleaner. No need to do more as far as that malware was concerned...it did not execute on your 64-bit Windows computer.

If you haven't used the programs below or haven't used them recently, it would be a good idea to use them to remove malware and adware that you may not be aware of from your computer. If you would like a review of what they found then post the scan logs.

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google. After install, open CCleaner and run it by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download


Malwarebytes - Clean Mode

  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run; the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

If you are unable to run a scan using MBAM:

Follow the instructions in the thread below. Make sure to download the MBAR linked in it. Let me know if you're not able to launch it and run a scan.
https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/


Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”
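A triage script written for this thread as an added example (it was not posted in the thread and is not Piriform's, Malwarebytes' or Microsoft's code): it reports whether the OS is 64-bit, reads the PE header of the installed CCleaner.exe to show whether that build is 32- or 64-bit, and lists Windows Defender's Floxif detection records so you can see what was actually quarantined and whether the action succeeded. The CCleaner install path and the presence of the Defender PowerShell module (Windows 8.1 and later) are assumptions.

```powershell
# Added example, not from the thread. Assumed install path; adjust if CCleaner lives elsewhere.
$CCleanerPath = 'C:\Program Files\CCleaner\CCleaner.exe'

# 1. OS architecture: the replies above say the payload did not run on 64-bit Windows.
"64-bit Windows        : $([Environment]::Is64BitOperatingSystem)"

# 2. Architecture of the installed CCleaner.exe, read from the PE header's Machine field
#    (e_lfanew at offset 0x3C points to the 'PE\0\0' signature; Machine follows it).
function Get-PeMachine {
    param([string]$Path)
    $bytes = [IO.File]::ReadAllBytes($Path)
    if ($bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { throw "Not a PE file (no MZ header): $Path" }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { throw "Bad PE signature: $Path" }
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014C  { 'x86 (32-bit)' }
        0x8664  { 'x64 (64-bit)' }
        default { 'unknown (0x{0:X4})' -f $machine }
    }
}

if (Test-Path $CCleanerPath) {
    $exe = Get-Item $CCleanerPath
    "CCleaner.exe version  : $($exe.VersionInfo.FileVersion)"
    "CCleaner.exe machine  : $(Get-PeMachine $exe.FullName)"
    # A valid Authenticode signature shows the file was not altered after signing; it does not
    # by itself prove the build is clean, so treat it as one data point, not a verdict.
    "Authenticode status   : $((Get-AuthenticodeSignature $exe.FullName).Status)"
} else {
    "CCleaner.exe not found at $CCleanerPath"
}

# 3. What Windows Defender detected and did: join the threat catalogue (names) with the
#    detection history (file paths, process, action result) and keep only Floxif entries.
$floxifIds = (Get-MpThreat | Where-Object ThreatName -like '*Floxif*').ThreatID
Get-MpThreatDetection |
    Where-Object { $_.ThreatID -in $floxifIds } |
    Select-Object InitialDetectionTime, ProcessName, Resources, ActionSuccess, CleaningActionID |
    Format-List
```

Run it from an elevated PowerShell prompt, since the Defender cmdlets and the Program Files path need administrator rights to read.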

#3 FrankJr1 (Members, 1 post)

Posted 28 September 2017 - 05:52 PM

Malwarebytes detected and quarantined Floxif on two of my 64-bit Windows 7 desktop computers. After reboot I was able to delete the malware on both machines. I can only hope Floxif was unable to execute, but it apparently was able to get installed....

BTW hello and best wishes to everyone!



#4 buddy215 (Moderator, 13,414 posts, West Tennessee)

Posted 28 September 2017 - 08:01 PM

FrankJr1...welcome to BC...

If you looked at MBAM's log you saw that the Floxif installer was in the CCleaner.exe. That is what was quarantined...and then you deleted it...so you may not be able to view that now. If you haven't done so...update CCleaner to the latest.



#5 Modem_operandi (Topic Starter, Members, 16 posts)

Posted 15 November 2017 - 05:15 PM

Hi again,
Thanks so much, buddy215, for your detailed reply to this back in September! I sincerely apologize for my delay in responding, but I had to address some urgent personal business and then was out of town for a while without Internet access. In the meantime I misplaced my username and password and just now recovered them. Sorry about that!

I did find out that I had downloaded the 64-bit version of CCleaner onto my 64-bit laptop as well as the fact that the reason I got the virus flag was due to the fact that the same installer was used for both the 32-bit and 64-bit version. I downloaded a new version of CCleaner and was so relieved to know that I was not infected by the virus. Your response was reassuring. Thanks again!
