Floxif Removal Guide

Do you know what Floxif is?

Floxif is the name of the Trojan that was distributed via Cyber Villains Corrupted Ccleaner 5.33 Version that was released on August 15, 2017. Cybersecurity experts have concluded that this Trojan was injected into CCleaner.exe and infected computers when installing CCleaner (5.33.6162) or CCleaner Cloud (1.07.3191) versions. Floxif can perform malicious actions on your PC, so you have to remove it as soon as possible. To find out more about this program, we invite you to read this whole description which contains in-depth technical information on this Trojan.

It has been revealed that installing CCleaner (5.33.6162) or CCleaner Cloud (1.07.3191) versions have been compromised during their development as cybercriminals injected them with Floxif. Only the free versions of CCleaner were corrupted, and this Trojan was set to infect a PC when CCleaner was downloaded from its developers’ website and installed. The corrupted version managed to stay under the radar for several weeks before cybersecurity specialists uncovered its malicious payload. Luckily, the secondary payload which is Floxif was never activated, so this Trojan was unable to execute especially since CCleaner’s creators blocked the Trojan from the server side of CCleaner. While this PC cleaner has been since updated, the free CCleaner (5.33.6162) and CCleaner Cloud (1.07.3191) versions do not get automatic updates, so you better update it as soon as you can.

Now let us go into the details about Floxif. It has been revealed that this Trojan should have been used for information collection purposes and spying. Research has shown that it can obtain information such as the name of your PC, list of installed software, list of active processes, MAC address, unique computer’s ID, and so on. Furthermore, it might obtain personal information such as login credentials, and credit card data, among other things. This Trojan stores the collected and stolen information in %System Drive%\pagefile.pif, %System Drive%\autorun.inf, and %Temp%\update.exe files. Note that it executes the update.exe file automatically. Also, it will delete files in %Program Files%\Common Files\System\symsrv.dll.dat and %Users%\Administrator\Local\Temp\…\*.tmp. Therefore, this Trojan is a serious threat to your computer’s security and your privacy.

This Trojan can be found only by having the “Agomo” sub-key at HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo in the Windows Registry Editor. Floxif has several different versions, but they are very similar. Once Floxif is executed, it immediately runs a script that drops a .dll file named symsrv.dll. The file size is 67 KB, and it is dropped in C:\Program Files\Common Files\System\symsrv.dll. In order to execute the malicious file on system startup, this Trojan may add the following registry entry in the Windows sub-key, located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\. The sub-keys added include AppInit_DLLs with value data C:\Program Files\­Common Files\System\­symsrv.dll and LoadAppInit_DLLs with value data of 1.

In addition, Floxif may also set registry entries to remain hidden on your PC. In order to achieve that It was set to create registry entries that include the following:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advance
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\SuperHidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

These registry contain the “ShowSuperHidden” = 0, “NoDriveTypeAutoRun” = 145. “Type” = “radio”, and “SFCDisable” = 4294967197 value data respectively. Furthermore, This Trojan was set to connect with the following Windows application programming interfaces (APIs):

  • CredReadW (advapi32.dll)
  • CreateServiceA (advapi32.dll)
  • CreateServiceW (advapi32.dll)
  • OpenServiceA (advapi32.dll)
  • OpenServiceW (advapi32.dll)
  • WinVerifyTrust (WINTRUST.dll)
  • CreateFileW (kernel32.dll)
  • ExitProcess (kernel32.dll)
  • RegOpenKeyExA (kernel32.dll)
  • RegOpenKeyExW (kernel32.dll)
  • CreateProcessInternalW (kernel32.dll)
  • MessageBoxTimeoutW (user32.dll)
  • KiUserExceptionDispatcher (ntdll.dll)
  • WahReferenceContextByHandle (ws2help.dll)

In closing, Floxif is one malicious application that you should locate and remove immediately if you had CCleaner (5.33.6162) or CCleaner Cloud (1.07.3191) installed on your PC as they are used to carry this Trojan onto your PC. You should also update your free version of CCleaner or CCleaner Cloud because they do not have automatic updates. To remove this Trojan, use SpyHunter’s free scanner to find all of the malicious files and then delete them manually using our guide.

Manual Removal Guide

  1. Go to http://www.spyware-techie.com/download-sph
  2. Download SpyHunter-Installer.exe.
  3. Install the program and run it.
  4. Click Scan Computer Now!
  5. Copy the file path of the malware from the scan results.
  6. Press Windows+E keys.
  7. Enter the file path of the malware in File Explorer’s address box.
  8. Press Enter.
  9. Locate, right-click the malicious files and click Delete.
  10. Empty the Recycle Bin.

In non-techie terms:

Floxif is a Trojan-type computer infection that was distributed with Cyber Villains Corrupted Ccleaner 5.33 Version. The corrupted version has been fixed, but if you have a free version of CCleaner, then you have to update it manually to remove the malware remnants. Also, you should delete Floxif because it can be used to steal information from your computer, but it should be ineffective by now. Follow the instructions above to get rid of it.