What Is CCleaner Trojan.Floxif Malware and How to Remove It

What Is CCleaner Trojan.Floxif Malware and How to Remove It


with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by CCleaner Trojan.Floxif and other threats.
Threats such as CCleaner Trojan.Floxif may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

This article aims to explain what Is the Trojan.Floxif infecton which is spread via CCleaner and how to remove Floxif malware from your computer.

A scandalous infection has been detected by malware researchers which infects computers directly via the CCleaner 5.33.6162 version of the program. The hackers managed to slither the Trojan.Floxif infection which drops a file on the computer and begins to perform a variety of malicious activities which are the last thing you want on your computer. Besides being a Keylogger, the Trojan may also steal your login details, financial information and even download and install other malware such as ransomware, for example, which locks your documents and holds them hostage for a ransom payoff.

If your computer has CCleaner installed on it, it is advisable to immediately remove it and read the following article to learn how to detect and remove the CCleaner Trojan.Floxif from your computer effectively.

Threat Summary

NameCCleaner Trojan.Floxif
TypeTrojan Horse
Short DescriptionInfects your computer via the CCLeaner installer and downloads it’s payload. Classic Trojan Horse behavior.
SymptomsNo symptoms since the threat is well-concealed via obfuscators and other software. Can be found only by having the “Agomo” sub-key in the Windows Registry Editor.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by CCleaner Trojan.Floxif


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss CCleaner Trojan.Floxif.

CCleaner Trojan.Floxif – How Did I Get Infected

The bad news is that if you have downloaded the affected versions of either CCleaner (5.33.6162) or CCleaner Cloud (1.07.3191) has already been infected by the threat. The infection is conducted via the Trojan.Floxif infector which has been slithered by the hackers directly into those versions.

According to researchers the strongest indicator of having this malware on the computer is that upon infection it creates a Windows Registry Sub-key going by the name of “Agomo”. It is located in the following registry sub-key:


If you have this registry key existing on your computer, you should assume that your computer has been compromised by the Trojan.Floxif infection.

Related:Backdoor in CCleaner Affects Millions, Reason Behind Hack Unknown

Trojan.Floxif – Activity Analysis

The Floxif Trojan is a malware that has several different versions. The activity of those versions, however is rather similar. When the Floxif trojan has been started, it immediately executes a script that drops a .dll file, named symsrv.dll. The file is about 67 kilobytes in size and has the following location:

→ C:\Program Files\Common Files\System\symsrv.dll

In order to execute the malicious file when Windows boots up, the virus may add the following registry entry in the “Windows” sub-key, located in HKEY_LOCAL_MACHINE’\SOFTWARE\Microsoft\Windows NT\CurrentVersion\:

→ “AppInit_DLLs” = “C:\­Program Files\­Common Files\­System\­symsrv.dll”
“LoadAppInit_DLLs” = 1

In addition to this, the Trojan.Floxif may also set the registry entries so that it remains hidden on your computer. To do this, it attacks the following Registry sub-keys:

→ HKEY_CURRENT_USER\¬Software\¬Microsoft\¬Windows\¬CurrentVersion\Explorer\¬Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In those keys, entries are created with the following values in them:

→ “ShowSuperHidden” = 0
“NoDriveTypeAutoRun” = 145
“Type” = “radio”
“SFCDisable” = 4294967197

Another activity which is performed by this virus is that it connects with the following Windows application programming interfaces (APIs):

→ CredReadW (advapi32.dll)
CreateServiceA (advapi32.dll)
CreateServiceW (advapi32.dll)
OpenServiceA (advapi32.dll)
OpenServiceW (advapi32.dll)
WinVerifyTrust (WINTRUST.dll)
CreateFileW (kernel32.dll)
ExitProcess (kernel32.dll)
RegOpenKeyExA (kernel32.dll)
RegOpenKeyExW (kernel32.dll)
CreateProcessInternalW (kernel32.dll)
MessageBoxTimeoutW (user32.dll)
KiUserExceptionDispatcher (ntdll.dll)
WahReferenceContextByHandle (ws2help.dll)

But this is not where the infection process ends, the Trojan.Floxif malware also tries to delete system files from Windows itself:

→ %Program Files%\Common Files\System\symsrv.dll.dat

The end goal of the Floxif malware is to steal information from your computer or install other malware on it. Besides collecting lists with programs installed on your PC, the network information from it and unique identifiers, the virus may also connect to a remote host and download malware. To store the stolen information, the Trojan.Floxif may create the following files:

→ %System Drive%\pagefile.pif
%System Drive%\autorun.inf

Of those files, it executes the update.exe file automatically.

How to Detect and Remove Trojan.Floxif

In order to remove Trojan.Floxif malware from your computer, it is strongly recommended to follow the manual or automatic removal steps below. They are specifically designed to help you isolate and delete this virus.

Be advised that since the Trojan.Floxif threat creates multiple objects on your computer and assumes partial control of it, it may be difficult to remove manually. This is why, experts strongly advise detecting and removing it automatically by installing and scanning your computer with an advanced anti-malware software. This will also make sure the threat is permanently gone and your system is protected against any future infections, like the CCleaner Floxif malware.

Note! Your computer system may be affected by CCleaner Trojan.Floxif and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as CCleaner Trojan.Floxif.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove CCleaner Trojan.Floxif follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove CCleaner Trojan.Floxif files and objects
2. Find files created by CCleaner Trojan.Floxif on your PC

Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share