How to Terminate Floxif CCleaner Trojan (Malware/Trojan)

The cyber community was blown out of proportions when CCleaner, a widely used software tool that helps users remove unwanted files and applications on Windows, was exploited by hackers. There are around 2 billion users all over the globe who have downloaded this software. And now, with the insidious attack, those users are at risk.
On September 18, 2017, Piriform publicly revealed that its servers were hacked. CClenaer was modified by the hackers with a backdoor that has put millions of users at risk. The hackers used a two-stage back door which is capable of receiving and running code from the attackers’ command and control (C&C) server.

What is Floxif CCleaner Trojan?

Floxif is considered to be a very dangerous Trojan virus that was noticed spreading in a corrupted version of a popular PC optimization tool for Windows. This Trojan has infected over 2 million users. After its attack, it tracked several information about the affected PC and send it to its remote server.
The Floxif Trojan was installed in the main program’s executable file – CCleaner.exe. Thus, the malware was able to enter the system either by downloading the CCleaner version 5.33.6162 or CCleaner Cloud 1.07.3191 or by updating CCleaner to these aforementioned versions. The Trojan is only executed on a 32-bit Windows OS.
Malware experts identified several versions of the Floxif Trojan but most of them have the same behaviors. All of them steal a bunch of information such as the name of the infected computer, the list of installed programs and active processes, the MAC addresses of the first 3 network adapters and the computer’s unique ID.

How does Floxif Trojan execute its malicious attack?

As pointed out earlier, Floxif Trojan modified the original executable file of CCleaner and injected a malicious code into it. So when users download or update to this program version, they also install the Trojan. And when that happens, it quickly downloads a symsrv.dll file to the following directory:
C:\Program Files\Common Files\System\symsrv.dll
After that, it creates a sub-key in the Windows Registry on this path:
HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo
Aside from all the modifications, Floxif also makes other modifications in the registry to execute malicious tasks and hide in the background. It also tries to connect to various Windows APIs and delete important files.

How is this corrupted version of CCleaner distributed?

This modified and corrupted version of CCleaner is distributed and was made available since August 15, 2017 on the developers’ website (Piriform). With this kind of distribution, it isn’t a surprise that it has infected 2 million users. In fact, the latest research data reports showed that Floxif launched targeted attacks towards technology giants like Microsoft, Samsung, Sony and many others. It has managed to affect about 20 computers owned by these companies.

The steps provided below will help you terminate Floxif from your computer. Carefully follow each one of them for successful removal.
Step 1: Tap Ctrl + Shift + Esc keys to open Task Manager.
Step 2: Under Task Manager, look for CCleaner’s process and end it.

Step 3: Close the Task Manager and open Control Panel from your Start Menu or open it by tapping Win + R keys to open Run and then type in appwiz.cpl and tap Enter.

Step 4: After opening Control Panel, look for CCleaner under the list of programs and then uninstall it.

Step 5: Tap Win + E keys to open File Explorer. From there, navigate to the following locations and look for any suspicious files which Floxif may have created.

C:\Program Files\Common Files\System\symsrv.dll
C:\Program Files (x86)\CCleaner
%USERPROFILE%\Downloads
%USERPROFILE%\Desktop
%TEMP%

Step 6: Close the File Explorer. Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, unlike CCleaner, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 7: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.

Step 8: Navigate to the following paths:

HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing

Step 9: Delete the registry keys and sub-keys created by the Trojan.
Step 10: Close the Registry Editor and empty your Recycle Bin.
To make sure that nothing is left behind and that the Floxif is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:

Turn on your computer. If it’s already on, you have to reboot
After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.

To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
Windows will now load the Safe Mode with Networking.
Press and hold both R key and Windows key.

If done correctly, the Windows Run Box will show up.
Type in Apollolocker http://www.fixmypcfree.com/install/spyremoverpro

A single space must be in between Apollolocker and http. Click OK.

A dialog box will be displayed by Internet Apollolocker. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once download is done.