This article aims to explain what Is the Trojan.Floxif infecton which is spread via CCleaner and how to remove Floxif malware from your computer.
A scandalous infection has been detected by malware researchers which infects computers directly via the CCleaner 5.33.6162 version of the program. The hackers managed to slither the Trojan.Floxif infection which drops a file on the computer and begins to perform a variety of malicious activities which are the last thing you want on your computer. Besides being a Keylogger, the Trojan may also steal your login details, financial information and even download and install other malware such as ransomware, for example, which locks your documents and holds them hostage for a ransom payoff.
If your computer has CCleaner installed on it, it is advisable to immediately remove it and read the following article to learn how to detect and remove the CCleaner Trojan.Floxif from your computer effectively.
Threat Summary
| Name | CCleaner Trojan.Floxif |
| Type | Trojan Horse |
| Short Description | Infects your computer via the CCLeaner installer and downloads it’s payload. Classic Trojan Horse behavior. |
| Symptoms | No symptoms since the threat is well-concealed via obfuscators and other software. Can be found only by having the “Agomo” sub-key in the Windows Registry Editor. |
| Distribution Method | Spam Emails, Email Attachments, Executable files |
| Detection Tool | See If Your System Has Been Affected by malware Download Malware Removal Tool | User Experience | Join Our Forum to Discuss CCleaner Trojan.Floxif. |
CCleaner Trojan.Floxif – How Did I Get Infected
The bad news is that if you have downloaded the affected versions of either CCleaner (5.33.6162) or CCleaner Cloud (1.07.3191) has already been infected by the threat. The infection is conducted via the Trojan.Floxif infector which has been slithered by the hackers directly into those versions.
According to researchers the strongest indicator of having this malware on the computer is that upon infection it creates a Windows Registry Sub-key going by the name of “Agomo”. It is located in the following registry sub-key:
→ HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo
If you have this registry key existing on your computer, you should assume that your computer has been compromised by the Trojan.Floxif infection.
→ Related:Backdoor in CCleaner Affects Millions, Reason Behind Hack Unknown
Trojan.Floxif – Activity Analysis
The Floxif Trojan is a malware that has several different versions. The activity of those versions, however is rather similar. When the Floxif trojan has been started, it immediately executes a script that drops a .dll file, named symsrv.dll. The file is about 67 kilobytes in size and has the following location:
→ C:\Program Files\Common Files\System\symsrv.dll
In order to execute the malicious file when Windows boots up, the virus may add the following registry entry in the “Windows” sub-key, located in HKEY_LOCAL_MACHINE’\SOFTWARE\Microsoft\Windows NT\CurrentVersion\:
→ “AppInit_DLLs” = “C:\Program Files\Common Files\System\symsrv.dll”
“LoadAppInit_DLLs” = 1
In addition to this, the Trojan.Floxif may also set the registry entries so that it remains hidden on your computer. To do this, it attacks the following Registry sub-keys:
→ HKEY_CURRENT_USER\¬Software\¬Microsoft\¬Windows\¬CurrentVersion\Explorer\¬Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\SuperHidden
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
In those keys, entries are created with the following values in them:
→ “ShowSuperHidden” = 0
“NoDriveTypeAutoRun” = 145
“Type” = “radio”
“SFCDisable” = 4294967197
Another activity which is performed by this virus is that it connects with the following Windows application programming interfaces (APIs):
→ CredReadW (advapi32.dll)
CreateServiceA (advapi32.dll)
CreateServiceW (advapi32.dll)
OpenServiceA (advapi32.dll)
OpenServiceW (advapi32.dll)
WinVerifyTrust (WINTRUST.dll)
CreateFileW (kernel32.dll)
ExitProcess (kernel32.dll)
RegOpenKeyExA (kernel32.dll)
RegOpenKeyExW (kernel32.dll)
CreateProcessInternalW (kernel32.dll)
MessageBoxTimeoutW (user32.dll)
KiUserExceptionDispatcher (ntdll.dll)
WahReferenceContextByHandle (ws2help.dll)
But this is not where the infection process ends, the Trojan.Floxif malware also tries to delete system files from Windows itself:
→ %Program Files%\Common Files\System\symsrv.dll.dat
%Users%\Administrator\Local\Temp\…\*.tmp
The end goal of the Floxif malware is to steal information from your computer or install other malware on it. Besides collecting lists with programs installed on your PC, the network information from it and unique identifiers, the virus may also connect to a remote host and download malware. To store the stolen information, the Trojan.Floxif may create the following files:
→ %System Drive%\pagefile.pif
%System Drive%\autorun.inf
%Temp%\update.exe
Of those files, it executes the update.exe file automatically.
How to Detect and Remove Trojan.Floxif
In order to remove Trojan.Floxif malware from your computer, it is strongly recommended to follow the manual or automatic removal steps below. They are specifically designed to help you isolate and delete this virus.
Be advised that since the Trojan.Floxif threat creates multiple objects on your computer and assumes partial control of it, it may be difficult to remove manually. This is why, experts strongly advise detecting and removing it automatically by installing and scanning your computer with an advanced anti-malware software. This will also make sure the threat is permanently gone and your system is protected against any future infections, like the CCleaner Floxif malware.
Ventsislav Krastev
Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, helping victims with the latest malware infections plus testing and reviewing software and the newest tech developments. Having graduated Marketing as well, Ventsislav also has passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecrurity industry and is a strong believer in the education of every user towards online safety and security.
Follow Me:
- Guide 1: How to Remove CCleaner Trojan.Floxif from Windows.
- Guide 2: Get rid of CCleaner Trojan.Floxif from Mac OS X.
- Guide 3: Remove CCleaner Trojan.Floxif from Google Chrome.
- Guide 4: Erase CCleaner Trojan.Floxif from Mozilla Firefox.
- Guide 5: Uninstall CCleaner Trojan.Floxif from Microsoft Edge.
- Guide 6: Remove CCleaner Trojan.Floxif from Safari.
- Guide 7: Eliminate CCleaner Trojan.Floxif from Internet Explorer.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer
How to Remove CCleaner Trojan.Floxif from Windows.
Step 1: Boot Your PC In Safe Mode to isolate and remove CCleaner Trojan.Floxif
Step 2: Uninstall CCleaner Trojan.Floxif and related software from Windows
Here is a method in few easy steps that should be able to uninstall most programs. No matter if you are using Windows 10, 8, 7, Vista or XP, those steps will get the job done. Dragging the program or its folder to the recycle bin can be a very bad decision. If you do that, bits and pieces of the program are left behind, and that can lead to unstable work of your PC, errors with the file type associations and other unpleasant activities. The proper way to get a program off your computer is to Uninstall it. To do that:
Follow the instructions above and you will successfully uninstall most programs.Step 3: Clean any registries, created by CCleaner Trojan.Floxif on your computer.
The usually targeted registries of Windows machines are the following:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
You can access them by opening the Windows registry editor and deleting any values, created by CCleaner Trojan.Floxif there. This can happen by following the steps underneath:
Tip: To find a virus-created value, you can right-click on it and click "Modify" to see which file it is set to run. If this is the virus file location, remove the value.Before starting "Step 4", please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer
Get rid of CCleaner Trojan.Floxif from Mac OS X.
Step 1: Uninstall CCleaner Trojan.Floxif and remove related files and objects
1. Hit the ⇧+⌘+U keys to open Utilities. Another way is to click on “Go” and then click “Utilities”, like the image below shows:
- Go to Finder.
- In the search bar type the name of the app that you want to remove.
- Above the search bar change the two drop down menus to “System Files” and “Are Included” so that you can see all of the files associated with the application you want to remove. Bear in mind that some of the files may not be related to the app so be very careful which files you delete.
- If all of the files are related, hold the ⌘+A buttons to select them and then drive them to “Trash”.
In case you cannot remove CCleaner Trojan.Floxif via Step 1 above:
In case you cannot find the virus files and objects in your Applications or other places we have shown above, you can manually look for them in the Libraries of your Mac. But before doing this, please read the disclaimer below:
You can repeat the same procedure with the following other Library directories:
→ ~/Library/LaunchAgents
/Library/LaunchDaemons
Tip: ~ is there on purpose, because it leads to more LaunchAgents.
Step 2: Scan for and remove malware from your Mac
When you are facing problems on your Mac as a result of unwanted scripts, programs and malware, the recommended way of eliminating the threat is by using an anti-malware program. Combo Cleaner offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer
Remove CCleaner Trojan.Floxif from Google Chrome.
Step 1: Start Google Chrome and open the drop menu
Step 2: Move the cursor over "Tools" and then from the extended menu choose "Extensions"
Step 3: From the opened "Extensions" menu locate the unwanted extension and click on its "Remove" button.
Step 4: After the extension is removed, restart Google Chrome by closing it from the red "X" button at the top right corner and start it again.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer
Erase CCleaner Trojan.Floxif from Mozilla Firefox.
Step 1: Start Mozilla Firefox. Open the menu window
Step 2: Select the "Add-ons" icon from the menu.
Step 3: Select the unwanted extension and click "Remove"
Step 4: After the extension is removed, restart Mozilla Firefox by closing it from the red "X" button at the top right corner and start it again.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer
Uninstall CCleaner Trojan.Floxif from Microsoft Edge.
Step 1: Start Edge browser.
Step 2: Open the drop menu by clicking on the icon at the top right corner.
Step 3: From the drop menu select "Extensions".
Step 4: Choose the suspected malicious extension you want to remove and then click on the gear icon.
Step 5: Remove the malicious extension by scrolling down and then clicking on Uninstall.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer
Remove CCleaner Trojan.Floxif from Safari.
Step 1: Start the Safari app.
Step 2: After hovering your mouse cursor to the top of the screen, click on the Safari text to open its drop down menu.
Step 3: From the menu, click on "Preferences".
Step 4: After that, select the 'Extensions' Tab.
Step 5: Click once on the extension you want to remove.
Step 6: Click 'Uninstall'.
A pop-up window will appear asking for confirmation to uninstall the extension. Select 'Uninstall' again, and the CCleaner Trojan.Floxif will be removed.
Windows Mac OS X Google Chrome Mozilla Firefox Microsoft Edge Safari Internet Explorer
Eliminate CCleaner Trojan.Floxif from Internet Explorer.
Step 1: Start Internet Explorer.
Step 2: Click on the gear icon labeled 'Tools' to open the drop menu and select 'Manage Add-ons'
Step 3: In the 'Manage Add-ons' window.
Step 4: Select the extension you want to remove and then click 'Disable'. A pop-up window will appear to inform you that you are about to disable the selected extension, and some more add-ons might be disabled as well. Leave all the boxes checked, and click 'Disable'.
Step 5: After the unwanted extension has been removed, restart Internet Explorer by closing it from the red 'X' button located at the top right corner and start it again.
