What Is CCleaner Trojan.Floxif Malware and How to Remove It

What Is CCleaner Trojan.Floxif Malware and How to Remove It

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article aims to explain what Is the Trojan.Floxif infecton which is spread via CCleaner and how to remove Floxif malware from your computer.

A scandalous infection has been detected by malware researchers which infects computers directly via the CCleaner 5.33.6162 version of the program. The hackers managed to slither the Trojan.Floxif infection which drops a file on the computer and begins to perform a variety of malicious activities which are the last thing you want on your computer. Besides being a Keylogger, the Trojan may also steal your login details, financial information and even download and install other malware such as ransomware, for example, which locks your documents and holds them hostage for a ransom payoff.

If your computer has CCleaner installed on it, it is advisable to immediately remove it and read the following article to learn how to detect and remove the CCleaner Trojan.Floxif from your computer effectively.

Threat Summary

NameCCleaner Trojan.Floxif
TypeTrojan Horse
Short DescriptionInfects your computer via the CCLeaner installer and downloads it’s payload. Classic Trojan Horse behavior.
SymptomsNo symptoms since the threat is well-concealed via obfuscators and other software. Can be found only by having the “Agomo” sub-key in the Windows Registry Editor.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by CCleaner Trojan.Floxif


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss CCleaner Trojan.Floxif.

CCleaner Trojan.Floxif – How Did I Get Infected

The bad news is that if you have downloaded the affected versions of either CCleaner (5.33.6162) or CCleaner Cloud (1.07.3191) has already been infected by the threat. The infection is conducted via the Trojan.Floxif infector which has been slithered by the hackers directly into those versions.

According to researchers the strongest indicator of having this malware on the computer is that upon infection it creates a Windows Registry Sub-key going by the name of “Agomo”. It is located in the following registry sub-key:


If you have this registry key existing on your computer, you should assume that your computer has been compromised by the Trojan.Floxif infection.

Related:Backdoor in CCleaner Affects Millions, Reason Behind Hack Unknown

Trojan.Floxif – Activity Analysis

The Floxif Trojan is a malware that has several different versions. The activity of those versions, however is rather similar. When the Floxif trojan has been started, it immediately executes a script that drops a .dll file, named symsrv.dll. The file is about 67 kilobytes in size and has the following location:

→ C:\Program Files\Common Files\System\symsrv.dll

In order to execute the malicious file when Windows boots up, the virus may add the following registry entry in the “Windows” sub-key, located in HKEY_LOCAL_MACHINE’\SOFTWARE\Microsoft\Windows NT\CurrentVersion\:

→ “AppInit_DLLs” = “C:\­Program Files\­Common Files\­System\­symsrv.dll”
“LoadAppInit_DLLs” = 1

In addition to this, the Trojan.Floxif may also set the registry entries so that it remains hidden on your computer. To do this, it attacks the following Registry sub-keys:

→ HKEY_CURRENT_USER\¬Software\¬Microsoft\¬Windows\¬CurrentVersion\Explorer\¬Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In those keys, entries are created with the following values in them:

→ “ShowSuperHidden” = 0
“NoDriveTypeAutoRun” = 145
“Type” = “radio”
“SFCDisable” = 4294967197

Another activity which is performed by this virus is that it connects with the following Windows application programming interfaces (APIs):

→ CredReadW (advapi32.dll)
CreateServiceA (advapi32.dll)
CreateServiceW (advapi32.dll)
OpenServiceA (advapi32.dll)
OpenServiceW (advapi32.dll)
WinVerifyTrust (WINTRUST.dll)
CreateFileW (kernel32.dll)
ExitProcess (kernel32.dll)
RegOpenKeyExA (kernel32.dll)
RegOpenKeyExW (kernel32.dll)
CreateProcessInternalW (kernel32.dll)
MessageBoxTimeoutW (user32.dll)
KiUserExceptionDispatcher (ntdll.dll)
WahReferenceContextByHandle (ws2help.dll)

But this is not where the infection process ends, the Trojan.Floxif malware also tries to delete system files from Windows itself:

→ %Program Files%\Common Files\System\symsrv.dll.dat

The end goal of the Floxif malware is to steal information from your computer or install other malware on it. Besides collecting lists with programs installed on your PC, the network information from it and unique identifiers, the virus may also connect to a remote host and download malware. To store the stolen information, the Trojan.Floxif may create the following files:

→ %System Drive%\pagefile.pif
%System Drive%\autorun.inf

Of those files, it executes the update.exe file automatically.

How to Detect and Remove Trojan.Floxif

In order to remove Trojan.Floxif malware from your computer, it is strongly recommended to follow the manual or automatic removal steps below. They are specifically designed to help you isolate and delete this virus.

Be advised that since the Trojan.Floxif threat creates multiple objects on your computer and assumes partial control of it, it may be difficult to remove manually. This is why, experts strongly advise detecting and removing it automatically by installing and scanning your computer with an advanced anti-malware software. This will also make sure the threat is permanently gone and your system is protected against any future infections, like the CCleaner Floxif malware.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share