Flox.if virus registry entry AppInit_DLLs loaders cores.dll symsrv.dll


  1. Posts : 296
    Windows 10
       #1

    Flox.if virus registry entry AppInit_DLLs loaders cores.dll symsrv.dll


    Please read


    If there is a dedicated Flox remover, please tell me. As of now there is no ultimate solution, because the primary starting loader will point to your perfectly working files. Only files you could reinstall after doing a good wipe might work out.

    Reinstalling Windows will not help at all.
    Updating Windows will not help at all. The goal is to not have to make so many installs.
    System Restore might help you only if the system restore includes programs and apps, which means a very big restore file.
    Using your Windows disk/USB or online to replace files will not help.

    In fact all the above might make things worse ( not including System Restore ).


    ..................................


    Please help me find a way to prevent my startup apps/programs from being affected. While you can nail it in safe mode, something starts up in regular mode and boom, you have another virus problem, a ticking time bomb on your hands.
    This virus acts like a human common cold virus.

    So this is my report I am writing for this problem I had and how I solved it. I made a thread before and got no response.
    When I saw the same thing happen in my fresh install I said #$!@#$!#$ it. I decided to finally take matters into my own
    hands. I am still having a problem, as I am finding various applications ( the ones I used the most ) triggering this virus.

    Basically, let's say you clean the virus away. You have nothing. You go about your business and use a program. Boom,
    the virus starts all over again, the same exact loop. Lucky if you have a Malwarebytes that is somewhat recent ( at least
    2019 ) that knows what the virus is and what you are looking for, but guess what? Even if you clean it, the virus still has
    command over your program. You click your clean program and boom, a whole load of garbage loads up. Repeat, rinse,
    etc.

    NOTE: Be advised that Malwarebytes will give you false warnings, mostly if you use alternative programs and edits and alterations of the system. So you need to read what is what and filter out things you know are not Floxif. Everything else is okay,
    just Floxif is the main bad virus. All the other viruses/settings/etc are benign and okay to keep around. Just make sure you read, and if you're not sure then pass it up. However Malwarebytes will catch the virus attempting to start the same chain again;
    it will block the virus ( via real-time mode via Premium ) and any new items will be related to the Flox.if virus.

    This is a virus called Floxif ( Floxif.A ), usually loaded by conres.dll. Conres.dll is what will be loaded first, especially when you trigger the virus by running the affected program. This program may or may not be fake or real, and usually the virus wrote ( injected ) a piece of code somewhere into the program to make the call. This call could be a number of things, but it will always result in conres.dll being created, and a ( insert name of next target ).tmp with which the virus may or may not swap places with the executable.

    It targets your startup programs. Anything in your startup folder or startup list. This means
    any security programs ( like Adobe IPCbroker ), to anything you use non-stop like vmware-tray.
    Even Winstep ( which is all you need to replace your explorer ), in fact if the virus corruption ( mentioned above ) has done its swap-a-roo, wrote ( injected ) code in your primary startup apps. Furthermore it will use uncorrupted programs, and when you try to delete a related file, it will make you think the program is a virus, making you delete important startup programs.

    Basically "it" comes in from 2019. It came with "ccleaner 5.33.6162 and ccleaner 1.07.3191", which was very popular and is still being used today. This literally makes it impossible to use older versions of CCleaner ( unless you have no reports ). That being said, you would need to run any download of this through VirusTotal.

    Windows Defender will mark everything and anything, with little choice other than deleting these items. Truth be told, I believed it was the programs, but in reality these programs ( any startup, anything you use often, anything you use at all ) are clean, and at some point you will delete them out of frustration. It is like blocking peers back when P2P was a thing. It just keeps popping up with another executable, and my dumb self just deleted the file thinking I deleted the virus. It is like fighting Sephiroth clones in Final Fantasy VII, but in reality you're killing innocent people who are being used as human shields by Sephiroth and ultimately Jenova. So Windows Defender will not do.

    Again, if not mentioned, even if you clean out the virus via Malwarebytes ( which will help save your programs and point you to the right Registry keys ).
    ..................

    How I got the Virus


    I probably infected myself when I ran it on my Windows 7 machine, or it was present on my Windows 7 machine from something else ( because it is always on and I use it for web browsing ). The infection spread when I moved files from it to my Windows 10 machine ( which the virus was made for ).

    or

    I ran a version of CCleaner that distributed the virus.

    .....................

    Just to repeat

    conres.dll is the primary loader and was only detected when I used Malwarebytes and had it running
    in the background, on active patrol. Meaning you have to set Malwarebytes to run in the
    background and/or at startup. When you start your computer Malwarebytes will catch conres.dll.
    Otherwise, if Malwarebytes is not running in the background, it will miss it. You cannot catch
    conres.dll in action because it only loads one time and then.

    The virus will find a random program, usually something that is in your startup list. Then it renames
    itself to that program/instance and deletes the original. This is why I had all of those C++ runtime
    errors I mentioned before: because Floxif / conres.dll was actually those instances.

    ...................

    These programs could only be killed with Process Hacker ( a Task Manager replacement ). After that you need to
    delete these affected programs ASAP. This means I have to replace

    AdobeIPCbroker
    vmware
    Sheepshaver

    !!!Anything else that runs at start up!!!!,

    Lucky for me I have multiple backups of these programs and I have the original installation files.

    This is why vmware would not work when I reinstalled the program: it would work fine until
    I shut down, because I had killed every single instance of Floxif / conres. This is why vmware worked.
    Because what was giving me the error was the Floxif / conres pretending to be vmware.

    Flox was giving me errors like 0x00000??? ( etc ) because these programs were "sharing bits" with Flox
    and the various commands given.

    ...........

    No matter what you must kill any instance of conres.

    !!!The virus will even remain active if it is in the Recycle Bin.!!!

    So you should wipe the drive afterwards ( just not with CCleaner, sadly ), or use a drive eraser tool. If you use CCleaner you should get a later edition of the program, and not the variant I mentioned.

    !!! If the virus has infected items on your USB drive, it could spread via anybody using those items, where it will start the whole
    "injection" ( like HIV and AIDS, brought to you by a scientist, green back monkeys being isolated in shipment, and the religious nutjobbery idea of a joke to target homosexuals when people were plunging needles with blood ).

    Symsrv.dll is the birth child of this virus and any item that has the instruction set. You will see ten, if not twenty, different programs all at once making this item over and over and over again, which I assume is a loader, or even calling the internet
    back to momma base. Furthermore, you might have to manually delete the regedit entries and manually delete the symsrv.dll
    file.

    Only by finding the location of symsrv.dll and deleting it manually alongside Process Hacker will
    you pinpoint which programs have been affected and must be terminated/murdered/killed/annihilated.
    It feels like killing my friends I had for years. But no worries, I have backups from before this virus hit
    my system.

    Again, if you have "Resource Hacker", which is free to download, and you do not want to delete an affected program,
    maybe you could use it to browse the affected files and remove the set of instructions. Because the program is not damaged,
    it just has extra instructions which it should not have. Pinpointing which files.
    .................

    Remember, even if you use Malwarebytes you must manually delete these files I mentioned.

    You should also try using Malwarebytes sometime in safe mode. To get to safe mode you need the

    run -> msconfig

    go to the boot section and click the safe-start/mode option and then close.

    restart into safe mode

    This will not stop the virus but makes it easier for you to remove the various copies or even browse
    the registry for the entries ( at your own risk ).

    ......................

    When you're in safe mode you're able to get rid of anything that is going to load or will load,
    giving you fewer entries to go through when you're in regular mode.

    Then go back to regular mode by running msconfig and unticking the safe mode/boot option to boot
    into regular mode.

    ....................................

    Once back in regular mode, get ready to do some virus stomping. The locations are usually
    Start up Process Hacker ( you will need this over Task Manager ).
    Run Malwarebytes and have it do a scan, then make sure that anything ( like Process Hacker ) is
    allowed, as Malwarebytes will give false warnings.

    "C:\Program Files\Common Files\System" for the "symsrv.dll" ( get your trigger/delete finger ready ).

    Go back into Malwarebytes and run the program. Do not restart, just delete all the Floxif it finds.
    All of these Floxif boot into the same location and do the same thing: find a startup program,
    delete it, write an entry into the Registry, and repeat.


    Go back to your trigger finger and delete the symsrv.dll; it will give you a warning. Whatever
    program it is connected to...THAT IS A FAKE or HAS EXTRA INSTRUCTIONS. Delete the fake,
    and it will do the same thing over and over, until you're able to delete the symsrv.dll once and for all.
    Most if not all your

    A. startup items
    B. Anything you use a number of times ( I assume a list ) a day or a lot
    C. If it gets super bad, even system files will be affected at some point.

    Using Process Hacker, do a quick search via the mini search box for part of the name. If nothing
    else is coming up then that is the fake/program you must stop and delete. Go to the location,
    and stop/kill the program in Process Hacker. Delete the program ( there is no way to save it because
    it is a fake, or maybe it can be saved, but because it is a startup item it will start up again in the short future and
    give you the same problem over and over and over again ).

    Try to delete the symsrv.dll. It will point to another program. Delete that one too. Keep deleting
    until you're able to delete symsrv.dll.

    ...............................................

    Run Malwarebytes again just to make sure that nothing is alive in your Recycle Bin ( that is right,
    you might delete something but in reality it is still active and getting ready to do the same thing ).

    Afterwards you should be at a 100% rating ( if you filtered out all the hacks/edits/viruses you want to
    keep ).

    ..........................

    Malwarebytes or even Windows Defender ( which I recommend to keep off and not use at all ) will not
    stop this at all. Windows Defender will delete/quarantine just about anything and everything, including
    things that have nothing to do with the problem. The only thing you could and should do is eliminate the programs
    that are unable to function correctly and reinstall from a backup.

    Again, you need to have something just like Malwarebytes, but

    !!!! It will NOT stop the primary process ( head vampire ) !!!!

    So while I was deleting important server/activation programs I need ( unless I want to reinstall all over
    again ), I took note of every location. So now I could go back to another earlier backup of this and recover
    all those files I deleted, like ( whatever program ), rather than reinstalling. If you're able to get a backup of this program running,
    it will work without flaw, but if the program is under a command, it will start trouble again, but at this point you should have
    malware antivirus running.

    However, programs like vmware which got hit hard I have to reinstall from scratch.
    .
    .
    .
    .
    .
    .
    .
    END OF LINE

    Moral of the story.... Use Malwarebytes, and I should have just bought the hard drive to back up to,
    and make sure when you make a system restore this includes installed applications, and do not use
    CCleaner anymore ( at least the versions I mentioned ).

    I have been dealing with this problem without knowing what it was. Many people online have reported
    the same problem and all the YouTube videos never show a solution at all. The Flox.if just keeps on replicating
    by

    1. Writing extra info to perfectly fine programs.
    2. Writing extra Registry information ( which may or may not act as pointers and timers )
    3. Replacing selected programs.
    ..............................................................................................
    Here is where "it hurts": this virus will continue to replicate into other drives and any other programs ( installation files ) it feels it could replicate into, and possibly will. So you have to scan very delicately and make sure you only delete what refers to the virus itself.

    !!! At this point you will have an anti-virus program, Malwarebytes Antivirus in Premium mode. If I had a free anti-virus that works in "real-time mode" and stops the cores.dll and anything else, I would tell you to use it. Do not recommend anything else unless you know it will stop Flox.if in its tracks and quarantine and ask me what to do. I cannot have any virus busting tool that second-guesses what I am doing.

    ....................................

    E:\Users\Users Account Name\AppData\Local\Temp

    NOTE: This virus literally

    A. Disguises itself as a file, deletes the original file and waits for you to activate it by clicking it.

    or / and

    B. Writes code via the registry, so when you click on any program, that program click will talk to
    the virus ( executable, dll, etc ) and it will create itself as "cores.dll" and write new instructions to the
    Registry so it can replicate itself with method A or B.

    The virus could be doing this now without me knowing. I could be playing a game and, under a timer, it
    would replicate ( inject ) itself via a command/method used to add code to any executable file.

    You will only notice this problem when you start to see your startup files fail, as it replaces the
    startup file ( or any file that is run most often ).

    ...............................................

    Right now FileSearchEX, for example, is clean but there is code attached to the executable. So when I run
    it, it will start the whole process all over again. I tried reinstalling it. Nope. I have to literally delete and
    wipe the drive, and then reinstall and hope ( whatever instance is doing this nonsense is not doing it
    anymore ).

    Maybe I unblocked the primary instance ??? IDK ???? Point being, FileSearchEX on my other machine is working
    fine and not causing the same problem at all.

    ......................................................................................................

    I have to stress

    Malwarebytes could scan and find various affected files.......but

    Only with Premium ( real-time scan mode ) am I able to actually catch cores.dll in the process of starting the entire
    process once I load into Windows.


    I had all of these things installed for the longest time; it was because the virus was probably on my Windows 7 PC and
    did not activate until I recovered it from the drive I accidentally overwrote. All of this is my fault for bringing this horror show
    from the past to light.

    ......................................................

    The key things to look for are

    "C:\Users\USERNAME\AppData\Local\Temp" for the "conres.dll"
    The main loader

    "C:\Program Files\Common Files\System" for the "symsrv.dll"
    The secondary loader


    "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows"

    "AppInit_DLLs"

    AppInit_DLLs is actually a legal method of injecting information into DLL, EXE, and other file types. This is the
    main method being used. Remove this entry from the above location.

    The below are other relations to the Virus itself.

    HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS "AppInit_DLLs"

    C:\PROGRA~1\COMMON~1\System\symsrv.dll

    HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS NT\CURRENTVERSION\WINDOWS "AppInit_DLLs"

    C:\PROGRA~1\COMMON~1\System\msrv.dll


    C:\Program Files\Common Files\system "ffff.dll" ( I have not seen this instance but it is listed belonging to the same group )

    ............................................................

    Malwarebytes is the only one you need. I just need it for Flox.if.

    You need to have Premium Mode in order to catch any loading of the

    cores.dll -> symsrv.dll

    Premium Mode will enable real-time protection. Even so, you will need to manually remove the files, and run a disk wipe.

    ..................................................
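Added example, not from this thread or from any vendor: a read-only PowerShell audit of the two things the post above keeps coming back to, the AppInit_DLLs values in both registry views and the loader paths (conres.dll in Temp, symsrv.dll / msrv.dll / ffff.dll under Common Files\System, and renamed .tmp executables). Registry keys and file names are the ones quoted in the post; the function names and the optional remediation function are my own, and the script assumes an elevated PowerShell on the machine under review.

```powershell
# Added example (not from the thread): defender-side audit of the AppInit_DLLs
# injection points and loader paths named in the post above.
# Assumptions: elevated PowerShell on the machine under review; file names and
# registry keys are the ones quoted in the post; function names are mine.
# The audit functions only report; the one remediation function asks first.

$ErrorActionPreference = 'SilentlyContinue'

# Both registry views in which Windows honours AppInit_DLLs (64-bit and WOW6432Node).
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

# Loader locations named in the post. Both Program Files roots are checked on 64-bit.
$SuspectFiles = @(
    (Join-Path $env:LOCALAPPDATA 'Temp\conres.dll')
    (Join-Path $env:ProgramFiles 'Common Files\System\symsrv.dll')
    (Join-Path $env:ProgramFiles 'Common Files\System\msrv.dll')
    (Join-Path $env:ProgramFiles 'Common Files\System\ffff.dll')
    (Join-Path ${env:ProgramFiles(x86)} 'Common Files\System\symsrv.dll')
)

function Get-AppInitStatus {
    # LoadAppInit_DLLs = 1 means every listed DLL is loaded into each process that
    # loads user32.dll. A non-empty AppInit_DLLs on a home PC is a red flag.
    # (Windows 8 and later ignore the value entirely when Secure Boot is on.)
    foreach ($key in $AppInitKeys) {
        $p = Get-ItemProperty -Path $key
        if ($null -eq $p) { continue }
        [pscustomobject]@{
            Key                       = $key
            AppInit_DLLs              = [string]$p.AppInit_DLLs
            LoadAppInit_DLLs          = $p.LoadAppInit_DLLs
            RequireSignedAppInit_DLLs = $p.RequireSignedAppInit_DLLs
        }
    }
}

function Get-SuspectFileReport {
    # For each loader path that exists: size, timestamps, SHA-256 (for a VirusTotal
    # lookup, as the post suggests), Authenticode status, and which running
    # processes currently have the DLL mapped (what Process Hacker would show).
    foreach ($path in $SuspectFiles) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item  = Get-Item -LiteralPath $path
        $sig   = Get-AuthenticodeSignature -FilePath $path
        $hosts = Get-Process | Where-Object {
            $_.Modules | Where-Object { $_.FileName -eq $path }
        } | Select-Object -ExpandProperty Name -Unique
        [pscustomobject]@{
            Path      = $path
            SizeBytes = $item.Length
            Created   = $item.CreationTime
            LastWrite = $item.LastWriteTime
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            SigStatus = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            LoadedBy  = ($hosts -join ', ')
        }
    }
}

function Get-ExecutableTmpFiles {
    # The post describes "<name>.tmp" files that are really executables swapped in
    # for a program. Flag .tmp files in Temp whose first two bytes are the PE "MZ" stamp.
    Get-ChildItem -LiteralPath (Join-Path $env:LOCALAPPDATA 'Temp') -Filter '*.tmp' -File |
        ForEach-Object {
            $fs = [System.IO.File]::OpenRead($_.FullName)
            try     { $buf = New-Object byte[] 2; $n = $fs.Read($buf, 0, 2) }
            finally { $fs.Dispose() }
            if ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A) {
                [pscustomobject]@{ Path = $_.FullName; SizeBytes = $_.Length; LastWrite = $_.LastWriteTime }
            }
        }
}

function Disable-AppInitInjection {
    # The mitigation post #8 applies by hand: empty the DLL list and set
    # LoadAppInit_DLLs to 0 in both views. Run with -WhatIf first to preview.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($key in $AppInitKeys) {
        if ($PSCmdlet.ShouldProcess($key, 'Clear AppInit_DLLs and set LoadAppInit_DLLs = 0')) {
            Set-ItemProperty -Path $key -Name 'AppInit_DLLs'     -Value ''
            Set-ItemProperty -Path $key -Name 'LoadAppInit_DLLs' -Value 0 -Type DWord
        }
    }
}

'== AppInit_DLLs injection points =='
Get-AppInitStatus | Format-List
'== Loader files named in the post =='
Get-SuspectFileReport | Format-List
'== .tmp files in Temp that carry a PE header =='
Get-ExecutableTmpFiles | Format-Table -AutoSize
# To apply the registry mitigation: Disable-AppInitInjection -WhatIf, then again without -WhatIf.
```

Running the audit before and after a Malwarebytes pass gives you a record of which processes had symsrv.dll mapped, so the programs the post calls "fakes" can be checked by hash and signature instead of deleted on sight.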


  2. Posts : 1,157
    Windows 10
       #2

    Malwarebytes won't give you false positives on a squeaky clean computer. When that computer actually has malware on it, then I would heed what it is telling you and remove those threats. Nothing is a false positive in this scenario.

    The rest sounds like a whole lot of "might as well reinstall Windows" at that point. This Trojan infects dll and exe files; it means that you will never escape it, and you are talking about deleting core Windows executables and containers.

    Yeah, good luck with that.


  3. Posts : 296
    Windows 10
    Thread Starter
       #3

    1. Malwarebytes does give you false positives. In fact I ran two versions of the same program, and both reported different things.
    The one that is helping with this problem is good enough for me. If you actually read up on false positives, you would understand this means anything from changes you made to the OS yourself, to even inactive viruses, or items it has on its list. This is one reason why I avoid anti-virus programs. In fact the only reason why this one is doing anything for me is the "real-time protection", which actually cancels out any action of an affected program.


    2. Right now the information you're giving me is childish. I need evidence, proof. I am not the kid using Bob from Windows 95 at Christmas.

    3. Floxif is removable. If not, read what I wrote.

    A. First comes something: you click a program
    B. cores.dll = the actual virus
    C. symsrv.dll = the next loader
    D. AppInit_DLLs = injector = Registry edit. If you actually read the keys you will see it is on a timer, and has pointers.
    E. ????.tmp = the replacement, which is created to mimic the program,
    1. The program is now replaced with Floxif
    2. The program points to Floxif.
    1. or 2. = A -> B -> C -> D -> repeats over and over
    F. Then it becomes a problem when too many files are pointing to Floxif or have been replaced ( remember I said OR because many of the affected programs are working correctly ).

    In my case Floxif is pointing to the startup folder. In fact I deleted some odd-looking items from the folder as well. Anything in the startup folder will run when Windows is started. Safe mode prevents this from occurring, but in regular mode it is unstoppable.

    Once Malwarebytes isolates and allows you to delete what you deem wrong, you have to go to those directories and keep them
    open, and wipe the spaces as well.

    Floxif comes in variant flavors. I am also not experiencing the ffff.dll at all.

    Right now I do a scan and Malwarebytes is not detecting any Floxif or its loaders. Again there are various things I need to keep running, but I am able to reinstall



    yeah good luck with that.


  4. Posts : 1,157
    Windows 10
       #4

    A squeaky clean computer won't have any detection at all. "False positive" is subjective, but when you have a malware infection then you are not writing it off to false detection; at that point you would be unwise to think as such.

    Not childish at all; you decided to take sound advice as a personal attack.

    "Good luck with that" means exactly that: deleting Windows core exe, containers and FS sounds like a whole lot of "good luck with that" to me.


  5. Posts : 2,123
    Windows 11 Pro (latest update ... forever anal)
       #5

    @OP .... Are you just telling us something, or are you asking for a solution to a problem??

    A little bit more succinctness might elucidate a few more responses.


  6. Posts : 1,157
    Windows 10
       #6

    I sound cynical, but this is another thread where the approach is pretty unhinged. It's an amalgamation of a rant with several solutions and also several questions; the content is all over the place. On one hand it sounds like a rant, but you are trying to offer advice and then ask questions at the same time?

    I am not trying to sound abrasive, but it is true: what do you expect from us? As the other person just mentioned.


  7. Posts : 1,157
    Windows 10
       #7

    I think there is too much padding overall, which makes the context hard to define. What you are really wanting is to define a clear and concise remediation approach.

    What I gathered here is

    - You want to work out what is causing startup applications to trigger the snowball effect


    It's more deep-seated than this; it will be core services that run at logon, probably several entry points defined through the logon sequence, and then admin level access, so kernel access. This is also a phone-home type of malware which is sending payloads back to the target.

    Startup apps are further down the list, and overall for malware that infects the filesystem on this level the resulting outcome is always the same, and that is reinstalling Windows.

    There is no real way around it unless you really know what you are doing. Someone with a good grasp on pen testing and computer science could tackle these sorts of infections, but preemptively; before that it's a cat and mouse game.


  8. Posts : 296
    Windows 10
    Thread Starter
       #8

    If it is a core service I need to know what core service it is.
    So far, using the method I have described, I have been able to prevent any loading of any virus activity at all.
    However, what I am seeing is that when I use specific programs, the same trigger will start.

    After running Malwarebytes, and having it on in Real-Time Mode:

    cores.dll -> symsrv.dll -> ( whatever ).tmp

    All of the above have been found by Malwarebytes.... The problem is not safe mode, it is in regular mode.

    After the findings in Malwarebytes, in the registry, eliminating AppInit_DLLs and changing these from 1 to 0
    ( why? because these entries look odd enough as it is, being pointed to ).

    ....................................................


    Further to the above, the programs ( as of now ) are okay; I probably never had to delete any of them.
    There is no video that explains this at all. They only explain the part about deleting
    affected programs ( which is only a small part ). However, even so, these programs are not the cause and have no infection at all.
    They are triggering ( setting off, like a clock ).

    ....................................................

    This is where I am with this problem

    I have deleted programs with installations that were found to have the "floxif infector".
    I have uninstalled those programs, including ones I know are not infected.
    I am going to look for the startup folder in Windows 10 to see if anything is triggering this problem.


    I just need to find the source infector file, delete/replace it, and remove any entries in regedit if any.
    I have done this in the past before, where a virus would attempt to load from a reg entry
    but I removed the physical files, and for a long time it gave me some stupid error until I removed
    the entries from the registry. Just as that, it must be the key to all of this.

    The programs are not infected. The virus just uses these programs to start itself up in place.

    ....................

    AdobeIPCbroker ( the security program for earlier CC programs ) just needs to be replaced;
    vmware ( anything related to vmware ) needs to be reinstalled.

    Let's say I did this right now. Two things could happen:

    A. I run the program related to it, and it works fine. No error. I restart and no error.
    or
    B. I run the program related to it, and it works fine. No error. I restart and an error occurs. Malwarebytes catches cores.dll,
    and prompts me to delete the affected files.

    ......................

    This is a hypothesis for B scenario...

    A. If the program is at fault, then it should be deleted.
    or
    B. If the program is being used to run Floxif from a different location, then it should not be deleted.

    .............................

    The whole point is to eliminate Floxif from running via the AppInit_DLLs injector. Floxif could stay on my computer just as long
    as it does not hijack another program or use a .temp to replace the program.

    ..............................................................................................................

    My computer is not so bad that it is unable to function, or do my business on it. It is just that Floxif is triggering specific startup
    applications. I could run Malwarebytes right now and find 0 problems right now.

    .............................................

    But if I leave it alone it will become a problem overtime.


  9. Posts : 1,157
    Windows 10
       #9

    Well, because it infects dll and exe, then you won't know without being strong in this area of debugging the computer.

    svchost.exe is one good example; if it gets that far then you are screwed.
    That container is about linking many things together; it's common for infections that are infecting the file system to utilize these exes.
    At a glance, without counting, I have over 20 svchost.exe running atm.

    I mean, you already know it's compounding; you do one step to take two back.

    I think logically that says one thing.

    My computer is not so bad that it is unable to function, or do my business on it. It is just that Floxif is triggering specific startup
    applications. I could run Malwarebytes right now and find 0 problems right now.

    .............................................

    But if I leave it alone it will become a problem overtime.
    Well, I am not advanced in pen testing; I only know the basics, like preemptive measures and some more basic tactical resolutions. Actual in-depth analysis is beyond me, but I know that Flox is a Trojan backdoor; this means it sets you up for more infections. The other symptoms you describe sound like a rootkit, which will mean you probably are not going to recover if the AV solution is not nuking it.

    - AV is detecting some of the time and removing threats
    - Not detecting other times and then the problems reoccur.

    Those two signs usually mean rootkit. They are hard to narrow down because that is how they work: you think you got rid of it, for it to come right back after time.

    Trojan and rootkit usually means that there is a remote hierarchy in play, so you are being sent more payload over time.

    If you also look on the Malwarebytes forum for Flox, when those threads don't time out to inactivity, one of the common consensus answers is to reinstall, from one of the admins. You can try to tackle it, but most of those threads will end with "reinstall Windows".

    These things are also time critical, so if you do all the right things within the window of first detection then you may recover, but if this is something that you have been tackling for more than a day and the problems keep coming back, then I would assume that it's not going to resolve. The more you do, the more it embeds itself.
    Last edited by Malneb; 20 Feb 2024 at 11:57.


  10. Posts : 1,157
    Windows 10
       #10

    To note: anytime you run something on a malware PC there is cause to compound, so running an installer or uninstaller is potentially compounding. You are potentially running payload, or a file that has been infected with payload.

    Anything that is an exe should not be run if not needed, and overall you want to minimize running or moving or copying anything. The same goes for shell commands, so deleting a file can cause stuff to happen. Even just previewing a file can cause stuff to happen, like metadata type vulnerabilities for example.

    Once these things are attacking or spoofing processes then it's over.

    Because you have been yooha-ing around the computer, I think it's a dead end.


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.