What Is CCleaner Trojan.Floxif Malware and How to Remove It

What Is CCleaner Trojan.Floxif Malware and How to Remove It

This article aims to explain what Is the Trojan.Floxif infecton which is spread via CCleaner and how to remove Floxif malware from your computer.

A scandalous infection has been detected by malware researchers which infects computers directly via the CCleaner 5.33.6162 version of the program. The hackers managed to slither the Trojan.Floxif infection which drops a file on the computer and begins to perform a variety of malicious activities which are the last thing you want on your computer. Besides being a Keylogger, the Trojan may also steal your login details, financial information and even download and install other malware such as ransomware, for example, which locks your documents and holds them hostage for a ransom payoff.

If your computer has CCleaner installed on it, it is advisable to immediately remove it and read the following article to learn how to detect and remove the CCleaner Trojan.Floxif from your computer effectively.

Threat Summary

NameCCleaner Trojan.Floxif
TypeTrojan Horse
Short DescriptionInfects your computer via the CCLeaner installer and downloads it’s payload. Classic Trojan Horse behavior.
SymptomsNo symptoms since the threat is well-concealed via obfuscators and other software. Can be found only by having the “Agomo” sub-key in the Windows Registry Editor.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by CCleaner Trojan.Floxif

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss CCleaner Trojan.Floxif.

CCleaner Trojan.Floxif – How Did I Get Infected

The bad news is that if you have downloaded the affected versions of either CCleaner (5.33.6162) or CCleaner Cloud (1.07.3191) has already been infected by the threat. The infection is conducted via the Trojan.Floxif infector which has been slithered by the hackers directly into those versions.

According to researchers the strongest indicator of having this malware on the computer is that upon infection it creates a Windows Registry Sub-key going by the name of “Agomo”. It is located in the following registry sub-key:

→ HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo

If you have this registry key existing on your computer, you should assume that your computer has been compromised by the Trojan.Floxif infection.

Related:Backdoor in CCleaner Affects Millions, Reason Behind Hack Unknown

Trojan.Floxif – Activity Analysis

The Floxif Trojan is a malware that has several different versions. The activity of those versions, however is rather similar. When the Floxif trojan has been started, it immediately executes a script that drops a .dll file, named symsrv.dll. The file is about 67 kilobytes in size and has the following location:

→ C:\Program Files\Common Files\System\symsrv.dll

In order to execute the malicious file when Windows boots up, the virus may add the following registry entry in the “Windows” sub-key, located in HKEY_LOCAL_MACHINE’\SOFTWARE\Microsoft\Windows NT\CurrentVersion\:

→ “AppInit_DLLs” = “C:\­Program Files\­Common Files\­System\­symsrv.dll”
“LoadAppInit_DLLs” = 1

In addition to this, the Trojan.Floxif may also set the registry entries so that it remains hidden on your computer. To do this, it attacks the following Registry sub-keys:

→ HKEY_CURRENT_USER\¬Software\¬Microsoft\¬Windows\¬CurrentVersion\Explorer\¬Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\SuperHidden
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In those keys, entries are created with the following values in them:

→ “ShowSuperHidden” = 0
“NoDriveTypeAutoRun” = 145
“Type” = “radio”
“SFCDisable” = 4294967197

Another activity which is performed by this virus is that it connects with the following Windows application programming interfaces (APIs):

→ CredReadW (advapi32.dll)
CreateServiceA (advapi32.dll)
CreateServiceW (advapi32.dll)
OpenServiceA (advapi32.dll)
OpenServiceW (advapi32.dll)
WinVerifyTrust (WINTRUST.dll)
CreateFileW (kernel32.dll)
ExitProcess (kernel32.dll)
RegOpenKeyExA (kernel32.dll)
RegOpenKeyExW (kernel32.dll)
CreateProcessInternalW (kernel32.dll)
MessageBoxTimeoutW (user32.dll)
KiUserExceptionDispatcher (ntdll.dll)
WahReferenceContextByHandle (ws2help.dll)

But this is not where the infection process ends, the Trojan.Floxif malware also tries to delete system files from Windows itself:

→ %Program Files%\Common Files\System\symsrv.dll.dat
%Users%\Administrator\Local\Temp\…\*.tmp

The end goal of the Floxif malware is to steal information from your computer or install other malware on it. Besides collecting lists with programs installed on your PC, the network information from it and unique identifiers, the virus may also connect to a remote host and download malware. To store the stolen information, the Trojan.Floxif may create the following files:

→ %System Drive%\pagefile.pif
%System Drive%\autorun.inf
%Temp%\update.exe

Of those files, it executes the update.exe file automatically.

How to Detect and Remove Trojan.Floxif

In order to remove Trojan.Floxif malware from your computer, it is strongly recommended to follow the manual or automatic removal steps below. They are specifically designed to help you isolate and delete this virus.

Be advised that since the Trojan.Floxif threat creates multiple objects on your computer and assumes partial control of it, it may be difficult to remove manually. This is why, experts strongly advise detecting and removing it automatically by installing and scanning your computer with an advanced anti-malware software. This will also make sure the threat is permanently gone and your system is protected against any future infections, like the CCleaner Floxif malware.

Manually delete CCleaner Trojan.Floxif from your computer

Note! Substantial notification about the CCleaner Trojan.Floxif threat: Manual removal of CCleaner Trojan.Floxif requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove CCleaner Trojan.Floxif files and objects
2. Find malicious files created by CCleaner Trojan.Floxif on your PC

Automatically remove CCleaner Trojan.Floxif by downloading an advanced anti-malware program

1. Remove CCleaner Trojan.Floxif with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by CCleaner Trojan.Floxif in the future
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...