Also known as: Trojan.Floxif, Win32/Floxif, Trojan.Floxif.AppFIsh
Variants: Win32/Floxif.H virus, Win32.Floxif.A, Win32.Floxif.B, Win32.Floxif.C, Virus.Win32.FLOXIF.D, Win32/Floxif.E, Win32/Floxif.E!bit, Win32/Floxif.gen!A, Win32/Floxif!rfn, Win32/Floxif!MTB, Win32/Floxif!MSR, Win32/Floxif.AV!MTB, Floxif.AW!MTB, Win32/Floxif.psyA!MTB, Win32/Floxif.RPX!MTB, Win32/Floxif.RDA!MTB
Damage potential: Stolen credentials, keylogging, device takeover, stolen crypto wallet funds, camera hijacking, data theft, opening backdoors for other malware (like ransomware), disabling antivirus and firewall software, showing fraudulent ads
Floxif is a family of file-infecting trojans that modify Windows executable and DLL files. Once the Floxif infection takes root, the infected files can spy on the device and serve as a backdoor for other malware. Floxif was famously distributed with legitimate versions of the CCleaner utility in 2017, when attackers injected the malware into CCleaner’s build environment.
While Floxif itself does not generate system warnings or overtly interfere with user activity, the malware it delivers may reveal a Floxif infection. In addition, as part of its payload, Floxif may create files such as “symsrv.dll” and “ffff.dll” in the “C:\Program Files\Common Files\system” folder. According to Microsoft, the trojan may also add the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo” to your registry.
Other possible indicators of a Floxif infection include:
- Your device frequently freezes or stutters.
- Other malware appears on your device without a known cause.
- Your device’s fan seems to be constantly on, even when the device is idle.
- Your device periodically sends data to unknown remote servers (Floxif is uploading device information to its handlers).
- Your antivirus protection or Windows Firewall has been disabled without your knowledge.
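As an added example (not code from the page or from any vendor), the following Python triage helper checks a host snapshot for the indicators described above: the dropped files in the Common Files\system folder, the Agomo registry key, and the compromised CCleaner build numbers that this page names. HostSnapshot, triage and collect_snapshot are names chosen here; the live collector is hypothetical and only works on Windows, while the snapshot can also be built by hand from a forensic image.

```python
import ntpath
import sys
from dataclasses import dataclass, field

# Indicators named in the description above: dropped files and their folder,
# the registry key, and the CCleaner builds that shipped with Floxif.
FLOXIF_DROP_DIR = r"C:\Program Files\Common Files\system"
FLOXIF_FILES = ("symsrv.dll", "ffff.dll")
FLOXIF_REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo"
COMPROMISED_BUILDS = {"CCleaner": "5.33", "CCleaner Cloud": "1.07.3191"}

@dataclass
class HostSnapshot:
    """Host state the triage needs: built by collect_snapshot() on a live Windows
    host or by hand from a forensic image; paths are compared lower-cased."""
    existing_files: set                      # absolute paths present on disk
    registry_keys: set                       # registry key paths present
    installed_versions: dict = field(default_factory=dict)  # product -> version

def triage(snapshot):
    """Return the indicators found on the host; an empty list means none matched."""
    findings = []
    for name in FLOXIF_FILES:
        path = ntpath.join(FLOXIF_DROP_DIR, name)  # ntpath: Windows separators on any OS
        if path.lower() in snapshot.existing_files:
            findings.append(f"dropped file present: {path}")
    if FLOXIF_REG_KEY.lower() in snapshot.registry_keys:
        findings.append(f"registry key present: {FLOXIF_REG_KEY}")
    for product, bad in COMPROMISED_BUILDS.items():
        if snapshot.installed_versions.get(product) == bad:
            findings.append(f"compromised build installed: {product} {bad}")
    return findings

def collect_snapshot():
    """Hypothetical live collector: checks the drop folder and the registry key
    on Windows. Installed versions are not collected; pass them in by hand."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs a Windows host")
    import os
    import winreg
    paths = [ntpath.join(FLOXIF_DROP_DIR, n) for n in FLOXIF_FILES]
    files = {p.lower() for p in paths if os.path.exists(p)}
    keys = set()
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Piriform\Agomo"):
            keys.add(FLOXIF_REG_KEY.lower())
    except OSError:  # key absent
        pass
    return HostSnapshot(files, keys)
```

A hit on any finding is a reason to hand the host to a full antivirus scan rather than to clean it by hand, for the persistence reason given at the end of this page.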
Sources of the infection
For a time, Floxif was distributed with version 5.33 of the CCleaner tool and version 1.07.3191 of CCleaner Cloud; installing these versions may still infect your device. Today, Floxif is mostly spread through infected software on untrustworthy download sites or through infected email attachments (such as fake invoices or receipts).
Your device may also get infected with Floxif from:
- Infected files shared through messaging platforms.
- Infected files downloaded from cloud storage or online repositories.
- Other viruses that drop Floxif as part of their operations.
- Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
- Peer-to-peer (P2P) sharing of infected files.
- Infected external devices, such as hard drives or USB sticks.
Do not install version 5.33 of the CCleaner tool or version 1.07.3191 of CCleaner Cloud, as they are known to be compromised by Floxif. Beyond that, protection against Floxif comes down to good cybersecurity habits: learn to recognize phishing attempts, avoid opening suspicious attachments, and do not download freeware from suspicious websites.
Other protective measures include:
- Use email scanning tools to identify and automatically block messages with suspicious attachments.
- Use reliable antivirus software to detect, quarantine, and eliminate a Floxif infection.
- Use multi-factor authentication to protect your accounts in the event that someone steals your password using Floxif.
- Avoid potentially dangerous websites, like dark web pages or torrent repositories. In certain situations, these websites may attempt to download malware (including Floxif) to your device by exploiting vulnerabilities.
- Use NordVPN’s Threat Protection to scan programs and files for malware while they’re being downloaded. Threat Protection will also alert you if you’re about to enter a known infected website to prevent drive-by download attacks.
Most reputable antivirus solutions can help you detect and remove a Floxif infection from your device. You should not try to remove Floxif manually because it deploys persistence mechanisms to reinstall itself after you reboot your device.