Locked Possible infected upload

DJNeonNight · Mar 18, 2022

Hello, first of all, sorry if this isn't the correct medium of contact for this, so, I had my PC infected the last few days, after trying as much as even updating my motherboard because I thought I was having problems with either Windows or my hardware, I realized it was just a simple virus, I'm always careful when trying software of untrusted sites and use sandboxes as much as I can, but I was careless somewhere this time, anyways, I was doing a full scan of my system when I found the same virus (almost sure) Win32.Floxif.A in a .rar file I downloaded from this forum, I thought it might have got infected but it turns out it was the original download, so I wanted to contact someone from the staff so someone with more experience than me can investigate and maybe stop future infections for other people, the file I mentioned was downloaded from here https://teamos-hkrg.com/threads/scrollnavigator-v5-14-0-teamos.170624/

It's not the only file infected, perhaps, I found the same virus in the Medicines of https://teamos-hkrg.com/threads/vovsoft-text-edit-plus-v10-0-teamos.171000/
But I'm not so sure about this one, I decided to share just in case, hope I was of help and let me know if more details are required.

Yash Dedhia · Mar 18, 2022

@DJNeonNight Regarding

You must be registered for see links

i did check virus total report i donot see anything unsual its false positive i am quiet sure about it.. for the

You must be registered for see links

there are 18 people downloaded it & none mentioned anything wrong..
@DJNeonNight Read this please

You must be registered for see links

Redlin3 · Mar 18, 2022

What kind of virus did you get and log of the virus scan? What behavior did it have on your computer?

Mr. Spacely · Mar 18, 2022

Yash Dedhia said:
@DJNeonNight Regarding
You must be registered for see links
i did check virus total report i donot see anything unsual its false positive i am quiet sure about it.. for the
You must be registered for see links
there are 18 people downloaded it & none mentioned anything wrong..
@DJNeonNight Read this please
You must be registered for see links

@DJNeonNight, @Yash Dedhia This is nonsense. @DJNeonNight You got infected from something else. Downloaded 164 and 138 times respectively. No complaints except you. Thanks for the warning, but you need to look deeper into your issue I think. Good luck.

juanamm · Mar 18, 2022

I had already read another complaint from a single user in another thread from the same colleague.
In that case I decided to take the risk and try it on my PC and it did not infect me at all.

As I saw that the complaint was repeated, I started looking for information about the floxif malware in San Google.
I found a lot of information from last year and several years before and a single thread on reddit from this year.

In summary, in previous years the following was said:

Floxif is a type of generic detection used by different antivirus and antimalware programs, such as Malwarebytes, which indicates that we are infected with a virus with Trojan characteristics, classified as potentially malicious.

Something similar to the acronym PUA (“Potentially Unwanted Application”), that is, potentially undesirable applications. These are computer programs that exhibit a series of behaviors that are probably unwanted by the user."

And in the reddit thread someone said:

Floxif hooks up in the Wiindows API into System32 and Regedit , you need to know the hidden locations to stop it no one found yet, whatever you'll do it keeps coming back.

As we have always advised here, if you see something that you are not convinced or you do not like in a result of the VirusTotal report, try first in a VM or directly DO NOT install it that you do not trust.
Those of us who upload content here are NOT here to infect anyone, but something can get out of hand at some point.
All downloads and installations are under the strict responsibility and risk of the person who performs them.
It is my humble contribution to this discussion.

DJNeonNight · Mar 18, 2022

Alrighty, I am no expert so I wanted to ask more experienced people about it, I did my own research too and thought maybe the uploader got infected by mistake and uploaded the program without knowing, I might have got infected by something else, it's a shame because I haven't had a problem in 10+ years and searching for possible causes it only lead me to that program, because I always use a VM first and that one was one of the few I opened in the last days before I started having problems.

About the behavior and how I realized I got infected was basically random programs starting to fail and giving errors (Discord for example gave me a ~~0x0000005c~~ error, edit: my bad, it it should be 0xc000000e3, not like it matters much right now), Sublime Text and Unified Remote were also affected so I had no idea what was going on, I never had to deal with a virus in my own pc before but it should have been pretty obvious I'll admit.

All the affected programs had a .exe and then a .exe.dat file (this one was the original), the fix was as easy as deleting the .exe file and replacing it with the .exe.dat as silly as it sounds, and this is also true with the first post I linked. I respect the uploaders and don't want to bash anyone, we're all humans and make mistakes after all, I just wanted to share my findings is all.

VT report for SNSetup.exe >

You must be registered for see links

VT report for SNSetup.exe.dat >

You must be registered for see links

VT report for fff.desksoft.exe >

You must be registered for see links

VT report for fff.desksoft.exe.dat >

You must be registered for see links

Sure, the .dat file also has a lot of positives, but there's no Floxif to be seen, this was the reason I decided to ask the staff if there was something wrong with it, as I found it weird to have a .exe.dat file in both the installer and Medicines, if there is something I don't understand then I apologize, it just is something I never encountered before.
I have to also add that it took some days for me to notice something wrong after I opened the program outside my VM so it might not be as obvious, again I apologize if this all a waste of time, I just wanted to make sure no one else gets infected, I don't mind to offend anyone with this.

juanamm · Mar 18, 2022

I understand your point @DJNeonNight and I don't think any uploader has been offended by your comments.
We simply wanted to explain to you how we detect false positives (without being specialists in computer security) we can make some mistake, we are also human like you.
I think this thread has served its purpose and should be closed.

Yash Dedhia · Mar 19, 2022

Thankyou everyone for helping.. Thread locked & completed

Locked Possible infected upload

DJNeonNight

Yash Dedhia

Redlin3

Mr. Spacely

juanamm

Uploader

DJNeonNight

juanamm

Uploader

Yash Dedhia