Floxif Removal Guide

Threat Level:
9/10
Rate this Article:
Comments (0)
Article Views: 51
Category: Trojans

Floxif is a malicious application that was distributed using corrupted CCleaner (5.33.6162) and CCleaner Cloud (1.07.3191) versions. CCleaner is a legitimate and very popular PC cleaning tool, but cybercriminals managed to infiltrate its development and inject a backdoor into it, thus forcing it to install Floxif. If you have the free version CCleaner, then it is likely that you have Floxif on it as well. While this Trojan is non-functional now, you should delete it regardless because there is no telling what it might do if left unchecked. This article is dedicated to the safe removal of this malware, but if you want to find out more about it, then read this whole article.

It has been revealed that this malicious application was distributed by corrupted CCleaner versions for nearly a month and the cybercriminals managed to infect more than 2 million computers. The group of cybercriminals that perpetrated this cyber attack on Piriform’s (the company that developed CCleaner) servers call themselves Axiom and this group is, allegedly, based in China.

According to Piriform, CCleaner was compromised by Axiom during the development phase of the free CCleaner (5.33.6162) and CCleaner Cloud (1.07.3191) versions for 32-bit versions of Windows. The backdoor that was put into this PC cleaner was discovered by two third-party cyber security around the same time. If you install a corrupted version of CCleaner, Floxif will also be dripped and executed. It runs a script that drops a .dll file named symsrv.dll. The file size is 67 KB, and it is placed in C:\Program Files\Common Files\System\symsrv.dll.

It has been revealed that Floxif was configured to collect and send technical information about users’ computers which included installed software, computer names, running processes, MAC addresses, and computer IDs. This Trojan stores the collected information in %System Drive%\pagefile.pif, %System Drive%\autorun.inf, and %Temp%\update.exe files. Lso it was set to execute the update.exe file automatically. Furthermore, will delete files in %Program Files%\Common Files\System\symsrv.dll.dat and %Users%\Administrator\Local\Temp\…\*.tmp.

Axiom hacked Piriform’s servers in Mid-August of 2017 and the corrupted CCleaner versions were distributed until Mid-September that same year. The Trojan ran in the background silently and sent collected information to Axiom’s servers. It has been revealed that the Trojan connected to 216.126.225.148 IP address. It has since been revealed that the Trojan attack was meant to compromise the systems of well-known international companies such as Google, Epson, MSI, Oracle, Cisco and many others.

We have found that this Trojan drops a sub-key in Windows Registry under the name “Agomo” at HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo. To execute the malware on system startup, this Trojan can add a registry entry in the Windows Registry located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\. The sub-keys added include AppInit_DLLs with value data C:\Program Files\¬Common Files\System\-symsrv.dll and LoadAppInit_DLLs with value data 1. Furthermore, Floxif may also configure registry keys to remain hidden on your computer. To achieve that It was set to create registry entries that include the following:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advance
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\SuperHidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

These registry keys contain ShowSuperHidden = 0, NoDriveTypeAutoRun = 145. Type = radio, and SFCDisable = 4294967197 value data entries respectively. The analysis has also revealed that this Trojan was set to connect with the following Windows application programming interfaces (APIs):

  • CredReadW (advapi32.dll)
  • CreateServiceA (advapi32.dll)
  • CreateServiceW (advapi32.dll)
  • OpenServiceA (advapi32.dll)
  • OpenServiceW (advapi32.dll)
  • WinVerifyTrust (WINTRUST.dll)
  • CreateFileW (kernel32.dll)
  • ExitProcess (kernel32.dll)
  • RegOpenKeyExA (kernel32.dll)
  • RegOpenKeyExW (kernel32.dll)
  • CreateProcessInternalW (kernel32.dll)
  • MessageBoxTimeoutW (user32.dll)
  • KiUserExceptionDispatcher (ntdll.dll)
  • WahReferenceContextByHandle (ws2help.dll)

To summarize, Floxif is a dangerous Trojan that was distributed through corrupted free CCleaner versions. It was meant to collect technical information about you but, luckily, this Trojan was unable to do any harm. While is it now dead, you should remove it if you have it your PC. We recommend using SpyHunter’s free scanner to detect this Trojan, and then go to the location of its malicious files and delete them manually.

Removal Instructions

  1. Go to http://www.411-spyware.com/download-sph
  2. Download SpyHunter-Installer.exe and install it.
  3. Launch it and select Scan Computer Now!
  4. Then, hold down Windows+E keys.
  5. Enter the file path of the malicious files in the File Explorer’s address box and press Enter.
  6. Right-click the malicious files and click Delete.
  7. Empty the Recycle Bin.
Download Remover for Floxif *
*SpyHunter scanner, published on this site, is intended to be used only as a detection tool. To use the removal functionality, you will need to purchase the full version of SpyHunter.

Comments are closed.