We always want our operating systems to be clean and junk free. There are many freeware apps that do the cleaning, and we are happy to use them on our systems. After the recent malware attacks, we have to be really careful when installing these freeware apps, especially the ones that are available for download everywhere. Some of these apps' functions include cleaning the registry, temp files, browser cache etc. You may be surprised to know that malware was detected in a CCleaner software update. The name of this malware is Floxif.
What does the Floxif malware do? This malware first infects the system and then collects information about it. The information includes the list of installed software, the name of the system, MAC address, IP address and network interfaces. Avast believes that the malicious code could also connect to remote servers to download and execute other malware. More info about this malware is revealed here. The malware starts by checking the privileges assigned to the user it is running as. If the current user is not an administrator of the machine, the malware terminates its execution. This is understandable, because with fewer privileges the malware can't gain much access to the system. It seems to have been coded to work with users who are members of the local administrators group. However, if the user ran this code with admin privileges, one should probably check the registry.
CCleaner is software that performs maintenance on your system. This tool is quite popular and I myself have used it several times. It has been downloaded over 2 billion times worldwide. Just imagine the impact of malware sent as an update via this software. The complete information about this malware and its functions is documented here.
Malware detected in CCleaner software update
In recent testing carried out by Cisco Talos, an executable was identified that was triggering the advanced malware protection systems. This executable was the 32-bit CCleaner installer, version 5.33. CCleaner Cloud version 1.07.3191 was also found to be infected with this malware. In addition, this installer was distributed (between August 15 and September 12, 2017) to many users worldwide with a valid certificate issued to Piriform by Symantec.
How do I know if my system is infected?
Now that you know about this malware, the next question is “Is my PC safe?” The infected version of CCleaner creates a new registry key called “Agomo” located at HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\. If you find two values named MUID and TCID under this Agomo key, then your system is surely infected with this malware. So now that you know about it, go ahead and check it on your machine.
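The registry check described above can be scripted. The following PowerShell is an added example, not part of the original article or any vendor tool; the key path and value names come from the text, while checking both the 64-bit and 32-bit registry views is an assumption made because the infected installer was 32-bit.

```powershell
# Added example, not from the original article.
# Key path and value names (Agomo, MUID, TCID) are taken from the text above.
# Assumption: both registry views are checked, because a 32-bit installer on
# 64-bit Windows has its HKLM\SOFTWARE writes redirected to WOW6432Node.
$SubKey  = 'SOFTWARE\Piriform\Agomo'
$Markers = 'MUID', 'TCID'
$Views   = [Microsoft.Win32.RegistryView]::Registry64,
           [Microsoft.Win32.RegistryView]::Registry32

function Get-FloxifMarker {
    foreach ($view in $Views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $key   = $base.OpenSubKey($SubKey)   # read-only; $null when absent
            $found = @()
            if ($null -ne $key) {
                $names = $key.GetValueNames()
                $found = @($Markers | Where-Object { $names -contains $_ })
                $key.Dispose()
            }
            [pscustomobject]@{
                View        = $view
                KeyPresent  = ($null -ne $key)
                ValuesFound = $found -join ','
                Infected    = ($found.Count -eq $Markers.Count)
            }
        }
        finally { $base.Dispose() }
    }
}

$report = @(Get-FloxifMarker)
$report | Format-Table -AutoSize

if ($report | Where-Object Infected) {
    Write-Warning 'Agomo key with MUID and TCID found: treat this machine as infected.'
    exit 1
}
elseif ($report | Where-Object KeyPresent) {
    Write-Warning 'Agomo key exists without both values: investigate further.'
    exit 2
}
Write-Output 'No Agomo key found in either registry view.'
```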
How do I remove Floxif malware?
As per Avast, updating the CCleaner app to version 5.34 removes this malware. The infected version has been removed from download sites to prevent further downloads. Furthermore, uninstall the CCleaner app version 5.3, then download 5.4 and install it. If you are using the cloud version, install CCleaner Cloud version 1.07.3214 to get rid of this malware.