
CCleaner for Windows Hacked to Spread Malware, Update Now


CCleaner for Windows has been hacked to spread malware to users of the 32-bit version. Here’s what you need to know (and do).

CCleaner, the popular file clean-up and performance optimization utility for Windows, has been hacked to spread malware to users of the 32-bit version. The breach was discovered by security researchers at Cisco Talos Group. They found that the hackers were able to inject the malware into the app by accessing the download servers used by the antivirus provider Avast (the parent company that owns CCleaner). “For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” writes the Talos team.

The malware allowed an infected system to be remotely controlled and collected data from the computer. “The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA,” Piriform says in a statement issued on Monday.

The malware affects CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. According to Avast, about 2.27 million people ran the affected software. Luckily, the company is taking the necessary steps to correct the situation. In a blog post this morning, Piriform exec Paul Yung writes, “we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.”

Check Your Version of CCleaner

To determine the version of CCleaner you are currently running, simply launch the application and check the version number at the upper left of the app, next to the logo. The current non-compromised version at the time of this writing is 5.34.6207.


Make sure the version you’re running is 5.34.6207 or higher. 64-bit versions were not affected by this security breach.

If you haven’t run CCleaner in a while you will probably get a message, similar to the one shown below, that alerts you to an available update.

Note that the Android version was not affected. Only the 32-bit version for Windows was compromised. If you’re running the 64-bit version, you should be fine – but it wouldn’t hurt to check for an update.
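The version check above can also be scripted. The following PowerShell is an added example, not code from the article or the vendor: it reads the file version and PE architecture of the executable paths you pass in (no install paths are given on this page, so they are operator-supplied), compares them with the two builds the article names, and looks for the registry key a reader reports in the comments below.

```powershell
# Added example: local triage for the builds and registry key named on this page.
param(
    # Full path(s) to the installed CCleaner executable(s); supplied by the operator.
    [Parameter(Mandatory)][string[]]$Path
)

$affected = [version]'5.33.6162'   # compromised build named in the article
$fixed    = [version]'5.34.6207'   # first clean build named in the article

function Test-PeIs32Bit([string]$File) {
    # PE layout: offset 0x3C holds the position of the "PE\0\0" signature;
    # the 2-byte Machine field follows it. 0x014C = IMAGE_FILE_MACHINE_I386.
    $b  = [System.IO.File]::ReadAllBytes($File)
    $pe = [BitConverter]::ToInt32($b, 0x3C)
    return [BitConverter]::ToUInt16($b, $pe + 4) -eq 0x014C
}

$files = foreach ($file in $Path) {
    $vi = (Get-Item -LiteralPath $file).VersionInfo
    # Assumption: the build number shown in the app is the last non-zero field
    # of the file version (covers both 5.33.6162 and 5.33.0.6162 layouts).
    $build = if ($vi.FilePrivatePart) { $vi.FilePrivatePart } else { $vi.FileBuildPart }
    $ver   = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $build)
    $is32  = Test-PeIs32Bit $file

    $status = if ($ver -eq $affected -and $is32) {
        'AFFECTED: 32-bit 5.33.6162'
    } elseif ($ver -lt $fixed) {
        'Older than 5.34.6207: update'
    } else {
        'At or above 5.34.6207'
    }
    [pscustomobject]@{ File = $file; Version = $ver; Is32Bit = $is32; Status = $status }
}
$files | Format-Table -AutoSize

# Registry key reported in a reader comment on this page. The WOW6432Node path is
# the 32-bit registry view on 64-bit Windows (general Windows behaviour, not from the page).
$keys = 'HKLM:\SOFTWARE\Piriform\Agomo',
        'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'
$keys | ForEach-Object {
    [pscustomobject]@{ Key = $_; Present = (Test-Path -LiteralPath $_) }
} | Format-Table -AutoSize
```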


12 Comments


  1. Ziggy  

    Mind boggling! Of late I’ve been using Glary disk cleaner, so I hope all’s well there!

  2. I had an earlier version installed so no worries on my side. Wow… Nasty one. I’m just glad they went public and notified customers what happened.

    I’m still a fan of CCleaner and its other products. But, AVAST needs to take a look and get things cleaned up on its systems side of things.

    • Ron Lund  

      I just checked my 32-bit computer and I also had a pretty old version on it. Of course, I had the popup warning about updating and quickly did so. I hope I managed to escape any compromising of my stuff.

  3. Tony Armstrong  

    Is no-one concerned that an anti-virus provider has been hacked into? What about their other products?

  4. This actually contains a lesson. First, always check software for updates, even the stuff that “always auto-updates”. Second and even more important, try to have an anti-virus software module check each and every download. Third and actually critical and nearly no one does it, the checksum should always actually be checked if it’s available. IF YOU DOWNLOAD FROM SOFTONIC, FILEHIPPO, A ZIFF-DAVIS PUBLICATION (because of its downloader) and many others, you simply have to check each and every download, because many of their downloads are infected. Because of fear of being litigated against for calumny and libel I refuse to openly speculate. Filehippo last century was quite reliable. PC Mag (one of the ZD pubs) was entirely safe until the turn of the century. ALWAYS, ALWAYS, ALWAYS check your downloads. There are even online free sites where you can check them.

  5. Ginny  

    It appears I, too, have an earlier version so hope I’m okay. Goodness, why can’t these nasty people mind their own business and leave those people alone who ARE minding their own business. It’s irritating!

  6. venkat  

    My version is 5.34.6207 (64 bit). So I presume there is no problem in cleaning my files with CCleaner.

  7. Ziggy  

    Doing a little bit of research on this I found that it stored certain information in the Windows registry key HKLM\SOFTWARE\Piriform\Agomo

    If you have the Agomo listed, ouch!

    • Ron Lund  

      I’m doing a search right now in regedit to see if that key shows up. Fingers crossed.

  8. Ron Lund  

    Cool!!! Looks like I managed to escape any modifying of my windows registry from these hackers.

  9. Ziggy  

    It ain’t all clear sailing yet folks! Latest to hit the net is that there is a second stage installer associated with this malware. To think that it just infected the 32 bit version is not totally correct as it also has implications for the 64 bit version.

    Do some research on the following in relation to CCleaner and you will see what I mean:

    GeeSetup_x86.dll
    trojanized TSMSISrv.dll, associated with the 32 bit
    trojanized EFACli64.dll, associated with the 64 bit

    There are also some other registry keys that need to be checked to see whether one has been compromised or not. Again the research will show you which keys have been affected.
