Flox.if virus registry entry AppInit_DLLs loaders cores.dll symsrv.dll
Please read
If there is a dedicated Flox remover please tell me. As of now there is no ultimate solution because the primary starting loader will point to your perfectly working files. Only files you could reinstall after doing a good wipe might work out.
Reinstalling Windows will not help at all.
Updating Windows will not help at all. The goal is to not have to make so many installs.
System Restore might help you only if the system restore includes programs and apps, which means a very big restore file.
Using your Windows Disk/usb or online to replace files will not help.
In fact all the above might make things worse ( not including System Restore ).
..................................
Please help me find a way to prevent my startup apps/programs from being affected. While you can nail it in safe-mode, something starts up in regular mode and boom you have another virus problem, a ticking time bomb on your hands.
This virus acts like a human common cold virus.
So this is my report I am writing for this problem I had and how I solved it. I made a thread before and got no response.
When I saw the same thing happen in my fresh install I said #$!@#$!#$ it. I decided to finally take matters into my own
hands. I am still having a problem, as I am finding various applications ( ones I used the most ) triggering this virus.
Basically let's say you clean the virus away. You have nothing. You go about your business and use a program. Boom,
the virus starts all over again, the same exact loop. Lucky if you have Malwarebytes that is somewhat recent ( at least
2019 ) that knows what the virus is and what you are looking for, but guess what? Even if you clean it the virus still has
command over your program. You click your clean program and boom, a whole load of garbage loads up. Repeat, rinse,
etc.
NOTE: Be advised that Malwarebytes will give you false warnings, mostly if you use alternative programs and edits and alterations of the system. So you need to read what is what and filter out things you know are not Floxif. Everything else is okay,
just Floxif is the main bad virus. All the other viruses/settings/etc are benign and okay to keep around. Just make sure you read and if you're not sure then pass it up. However Malwarebytes will catch the virus attempting to start the same chain again,
it will block the virus ( via real-time mode via Premium ) and any new items will be related to the Flox.if virus.
This is a virus called Floxif ( Floxif.A ) usually loaded by conres.dll. Conres.dll is what will be loaded first, especially when you trigger the virus by running the affected program. This program may or may not be a fake or real, and usually the virus wrote ( injected ) a piece of code somewhere into the program to make the call. This call could be a number of things but it will always result in Conres.dll being created, a ( insert name of next target ).tmp in which the virus may or may not swap places with the executable.
It targets your startup programs. Anything in your startup folder or startup list. This means
any security programs ( like Adobe IPCbroker ), to anything you use non-stop like Vmware-tray.
Even Winstep ( which is all you need to replace your explorer ), in fact, if the virus corruption ( mentioned above ) has done its swap-a-roo, wrote ( injected ) code in your primary startup apps. Furthermore it will use uncorrupted programs and when you try to delete a related file, will make you think the program is a virus, making you delete important startup programs.
Basically "it" comes in from 2019. It came with "ccleaner 5.33.6162 and ccleaner 1.07.3191" which was very popular and is still being used today. This literally makes it impossible to use older versions of ccleaner ( unless you have no reports ). That being said you would need to run any download of this through VirusTotal.
Windows Defender will mark everything and anything with little choice other than deleting these items. Truth be told I believed it was the programs but in reality these programs ( any startup, anything you use often, anything you use at all ) are clean and at some point you will delete them out of frustration. It is like blocking peers back when P2P was a thing. It just keeps popping up with another executable and my dumb r-tarded self just deleted the file thinking I deleted the virus. It is like fighting Sephiroth clones in Final Fantasy VII, but in reality you're killing innocent people who are being used as human shields by Sephiroth and ultimately Jenova. So Windows Defender will not do.
Again if not mentioned, even if you clean out the virus via Malwarebytes ( which will help save your programs and point you to the right Registry Keys ).
..................
How I got the Virus
I probably infected myself when I ran it on my Windows 7 machine, or it was present on my Windows 7 machine from something else ( because it is always on and I use it for web browsing ). The infection spread when I moved files from it to my Windows 10 machine ( which the virus was made for ).
or
I ran a version of ccleaner that distributed the virus.
.....................
Just to repeat
conres.dll is the primary loader and was only detected when I used Malwarebytes and had it running
in the background, and was on active patrol. Meaning you have to set Malwarebytes to run in the
background and/or at startup. When you start your computer Malwarebytes will catch conres.dll.
Otherwise if Malwarebytes is not running in the background it will miss it. You can not catch
conres.dll in action because it only loads one time and then.
The virus will find a random program, usually something that is in your startup list. Then rename
itself to that program/instance and delete the original. This is why I had all of these C++ runtime
errors I mentioned before. Because Floxif / conres.dll was actually those instances.
...................
These programs could only be killed with Process Hacker/Task Manager replacement. After that you need to
delete these affected programs ASAP. This means I had to replace
AdobeIPCbroker
vmware
Sheepshaver
!!!Anything else that runs at start up!!!!,
Lucky for me I have multiple backups of these programs and I have the original installation files.
This is why vmware would not work when I reinstalled the program. Because it would work fine until
I shut down, because I killed every single instance of Floxif / conres. This is why Vmware worked.
Because what was giving me the error was the Floxif / conres pretending to be Vmware.
Flox was giving me errors like 0x00000??? ( etc ) because these programs were "sharing bits" with Flox
and the various commands given.
...........
No matter what you must kill any instance of conres.
!!! The virus will even remain active if it is in the recycling bin. !!!
So you should wipe the drive afterwards ( just not with CCleaner sadly ), or use a drive eraser tool. If you use ccleaner you should get the later edition of the program, and not the variant I mentioned.
!!! If the virus has infected items in your USB drive, it could spread via anybody using those items where it will start the whole
"injection" ( like HIV and AIDS brought to you by a scientist, green back monkeys being isolated in shipment, and religious nutjobbery idea of a joke to target homosexuals when people were plunging needles with blood ).
Symsrv.dll is the birth child of this virus and any item that has the instruction set. You will see ten, if not twenty different programs, all at once making this item over and over and over again. Which I assume is a loader, or even calling the internet
back to momma base. Furthermore you might have to manually delete the regedit entries and manually delete the symsrv.dll
file.
Only by finding the location of symsrv.dll and deleting it manually alongside Process Hacker will
you pinpoint which programs have been affected and must be terminated/murdered/killed/annihilated.
It feels like killing my friends I had for years. But no worries I have backups before this virus hit
my system.
Again if you have "resource-hacker" which is free to download and you do not want to delete an affected program,
maybe you could use it to browse the affected files and remove the set of instructions. Because the program is not damaged,
it just has extra instructions which it should not have. Pinpointing which files.
.................
Remember even if you use Malwarebytes you must manually delete these files I mentioned.
You also should try using Malwarebytes sometime in safe mode. To get to safe mode you need the
run -> msconfig
go to the boot section and click the safe-start/mode option and then close.
restart into safe mode
This will not stop the virus but makes it easier for you to remove the various copies or even browse
the registry for the entries ( at your own risk ).
......................
When you're in safe mode you're able to get rid of anything that is going to load or will load,
giving you fewer entries to go through when you're in regular mode.
Then go back to regular mode by running Msconfig and unclick the safe mode/boot option to boot
into regular mode.
....................................
Once back in regular mode get ready to do some virus stomping. The locations are usually
Start up Process Hacker ( you will need this over Task Manager ).
Run Malwarebytes and have it do a scan, then make sure that anything ( like Process Hacker ) is
allowed. As Malwarebytes will give false warnings.
"C:\Program Files\Common Files\System" for the "symsrv.dll" ( get your trigger/delete finger ready ).
Go back into Malwarebytes and run the program. Do not restart, just delete all the Floxif it finds.
All of these Floxif all boot into the same location and do the same thing: find a startup program,
delete it, write an entry into the Registry, and repeat.
Go back to your trigger finger and delete the symsrv.dll, it will give you a warning. Whatever
program it is connected to...THAT IS A FAKE or HAS EXTRA INSTRUCTIONS. Delete the fake,
and it will do the same thing over and over. Until you're able to delete the symsrv.dll once and for all.
Most if not all your
A. startup items
B. Anything you use a number of times ( I assume a list ) a day or a lot
C. If it gets super bad, even system files will be affected at some point.
Using Process Hacker, do a quick search via the mini search box for part of the name. If nothing
else is coming up then that is the fake/program you must stop and delete. Go to the location,
and stop/kill the program in Process Hacker. Delete the program ( there is no way to save it because
it is a fake, or maybe it can be saved, but because it is a startup item it will start up again in the short future and
give you the same problem over and over and over again ).
Try to delete the symsrv.dll. It will point to another program. Delete that one too. Keep deleting
until you're able to delete symsrv.dll.
...............................................
Run Malwarebytes again just to make sure that nothing is alive in your Recycling Bin ( that is right,
you might delete something but in reality it is still active and getting ready to do the same thing ).
Afterwards you should be at a 100% rating ( if you filtered out all the hacks/edits/viruses you want to
keep ).
..........................
Malwarebytes or even Windows Defender ( which I recommend to keep off and not use at all ) will not
stop this at all. Windows Defender will delete/quarantine just about anything to everything. Including
things that have nothing to do with the problem. The only thing you could and should do is eliminate the programs
that are unable to function correctly and reinstall from a backup.
Again you need to have something just like Malwarebytes but
!!!! It will NOT stop the primary process ( head vampire ) !!!!
So while I was deleting important server/activation programs I need ( unless I want to reinstall all over
again ) I took note of every location. So now I could go back to another earlier backup of this and recover
all those files I deleted. Like ( whatever program ) rather than reinstalling. If you're able to get a backup of this program running,
it will work without flaw, but if the program is under a command, it will start trouble again, but at this point you should have
malware antivirus running.
However programs like vmware which got hit hard I have to reinstall from scratch.
.
.
.
.
.
.
.
END OF LINE
Moral of the story.... Use Malwarebytes, and I should have just brought the hard drive to back up to,
and make sure when you make a system restore it includes installed applications, and do not use
CCleaner anymore ( at least the versions I mentioned ).
I have been dealing with this problem without knowing what it was. Many people online have reported
the same problem and all the Youtube videos never show a solution at all. The Flox.if just keeps on replicating
by
1. Writing extra info to perfectly fine programs.
2. Writing extra Registry information ( which may or may not act as pointers and timers )
3. Replacing selected programs.
..............................................................................................
Here is where "it hurts": this virus will continue to replicate into other drives and any other programs ( installation files ) it feels it could replicate into, and possibly will. So you have to scan very delicately and make sure you only delete what references the virus itself.
!!! At this point you will have an anti-virus program, Malwarebytes, in Premium mode. If I had a free anti-virus that worked in "real-time mode" and stopped the cores.dll and anything else I would tell you to use it. Do not recommend anything else unless you know it will stop Flox.if in its tracks and quarantine and ask me what to do. I can not have any virus busting tool that second-guesses what I am doing.
....................................
E:\Users\Users Account Name\AppData\Local\Temp
NOTE: This virus literally
A. Disguises itself as a file, deletes the original file and waits for you to activate it via clicking it.
or / and
B. Writes code via the registry, so when you click on any program, that program click will talk to
the virus ( executable, dll, etc ) and it will create itself as "Cores.dll" and write new instructions to the
Registry so it could replicate itself with the A or B method.
The virus could be doing this now without me knowing. I could be playing a game and under a timer, it
would replicate ( Inject ) itself via a command/method used to add code to any executable file.
You will only notice this problem when you start to see your startup files fail. As it replaces the
startup file ( or any file that is run most often ).
...............................................
Right now FileSearchEX for example is clean but there is code attached to the executable. So when I run
it, it will start the whole process all over again. I tried reinstalling it. Nope. I have to literally delete and
wipe the drive, and then reinstall and hope ( whatever instance is doing this nonsense is not doing it
anymore ).
Maybe I unblocked the primary instance ??? IDK ???? Point being is that FileSearchEX on my other machine is working
fine and not causing the same problem at all.
....................................................................................................
I have to stress
Malwarebytes could scan and find various affected files.......but
Only with Premium ( real-time scan mode ) am I able to actually catch Cores.dll in the process of starting the entire
process once I load into Windows.
I had all of these things installed for the longest time. It was because the virus was probably on my Windows 7 PC and
did not activate until I recovered it from the drive I accidentally over-wrote. All of this is my fault for bringing this horror show
from the past to light.
......................................................
The key things to look for are
"C:\Users\USERNAME\AppData\Local\Temp" for the "conres.dll"
The main loader
"C:\Program Files\Common Files\System" for the "symsrv.dll"
The secondary loader
"Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows"
"AppInit_DLLs"
AppInit_DLLs is actually a legal method of injecting information into DLL, EXE, and other file types. This is the
main method being used. Remove this entry from the above location.
The below are other entries related to the virus itself.
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS "AppInit_DLLs"
C:\PROGRA~1\COMMON~1\System\symsrv.dll
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS NT\CURRENTVERSION\WINDOWS "AppInit_DLLs"
C:\PROGRA~1\COMMON~1\System\msrv.dll
C:\Program Files\Common Files\system "ffff.dll" ( I have not seen this instance but it is listed belonging to the same group )
............................................................
Malwarebytes is the only one you need. I just need it for Flox.if.
You need to have Premium Mode in order to catch any loading of the
cores.dll -> symsrv.dll
Premium Mode will enable real-time protection. Even so you will need to manually remove the files, and run a disk wiping.
..................................................
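Added defender-side check, not the original poster's code: a read-only PowerShell script that inspects the AppInit_DLLs values under both registry keys listed in the post and reports Authenticode status and SHA-256 for the dropped-file locations named above, so the hash can be checked on VirusTotal before anything is deleted. It assumes a standard C: drive layout; the "Program Files (x86)" Common Files path is an assumption, not one the post lists.

```powershell
# Added example (not the original poster's code): read-only triage of the
# AppInit_DLLs persistence and the dropped files named in the post.
# Assumes a standard C: layout; the (x86) path is an assumption.
# It reports and hashes only; it deletes nothing.

$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $appInitKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    "$key"
    "  LoadAppInit_DLLs = $($props.LoadAppInit_DLLs)"
    if ([string]::IsNullOrWhiteSpace($props.AppInit_DLLs)) {
        "  AppInit_DLLs is empty (the normal state on a clean machine)"
    } else {
        "  AppInit_DLLs = '$($props.AppInit_DLLs)'   <-- non-empty: review every entry"
        # The value is a space- or comma-separated list of DLL paths.
        foreach ($entry in ($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
            $path = [Environment]::ExpandEnvironmentVariables($entry)
            "    entry $entry  exists=$(Test-Path -LiteralPath $path)"
        }
    }
}

# Dropped-file locations from the post, plus every user's Temp for conres.dll.
$suspects = @(
    'C:\Program Files\Common Files\System\symsrv.dll',
    'C:\Program Files (x86)\Common Files\System\symsrv.dll'   # assumption
)
$suspects += @(Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp\conres.dll' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName })

foreach ($file in $suspects) {
    if (-not (Test-Path -LiteralPath $file)) { continue }
    # symsrv.dll is also the name of a legitimate Microsoft debugging DLL, so judge
    # by location, signature and hash (the post suggests VirusTotal), not by name alone.
    $sig  = Get-AuthenticodeSignature -FilePath $file
    $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
    "FOUND $file"
    "  signature: $($sig.Status)  signer: $($sig.SignerCertificate.Subject)"
    "  sha256:    $hash"
}
```

Run it from an elevated PowerShell prompt; a signed, hash-verified symsrv.dll in a debugging-tools folder is expected, one under Common Files\System with an empty signer is the case the post describes.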