
CCleaner for Windows Hacked to Spread Malware, Update Now

CCleaner for Windows has been hacked to spread malware to users of the 32-bit version. Here’s what you need to know (and do).

CCleaner, the popular file clean-up and performance optimization utility for Windows, has been hacked to spread malware to users of the 32-bit version. The breach was discovered by security researchers at Cisco Talos Group. They found that the hackers could inject the malware into the app by accessing the download servers used by the antivirus provider Avast (the parent company that owns CCleaner). “For some time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” writes the Talos team.

The malware allowed an infected system to be remotely controlled, and it collected data from the computer. “The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA,” Piriform says in a statement issued on Monday.

The malware affects CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. According to Avast, about 2.27 million people ran the affected software. Luckily, the company is taking the necessary steps to correct the situation. In a blog post this morning, Piriform exec Paul Yung writes, “we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.”

Check Your Version of CCleaner

To determine the version of CCleaner you are currently running, launch the application and check the version number in the upper-left corner of the app, next to the logo. The current non-compromised version at the time of this writing is 5.34.6207.


Make sure the version you’re running is 5.34.6207 or higher. 64-bit versions were not affected by this security breach.

If you haven’t run CCleaner in a while, you will probably get a message similar to the one shown below that alerts you to an available update.

Note that the Android version was not affected. Only the 32-bit version for Windows was compromised. If you’re running the 64-bit version, you should be fine – but it wouldn’t hurt to check for an update.
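The same check can be scripted. The PowerShell below is an added example (not from Piriform, Avast or the original article): it reads the version resource and the PE header of a CCleaner executable to see whether it is a 32-bit 5.33.6162 build, and looks for the `HKLM\SOFTWARE\Piriform\Agomo` registry key that a commenter below reports, in both the 32-bit and 64-bit registry views. The `-Path` value is supplied by you, and the way 5.33.6162 maps onto the file's four-part version resource is an assumption.

```powershell
# Added example: triage one copy of CCleaner.exe against the details in this article.
param([Parameter(Mandatory)] [string] $Path)   # path to the executable, supplied by you

function Get-PeBitness([string] $File) {
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature; the Machine field follows it.
    $fs = [System.IO.File]::OpenRead($File)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        $fs.Position = 0x3C
        $fs.Position = $br.ReadInt32() + 4
        switch ($br.ReadUInt16()) {
            0x014c  { '32-bit' }   # IMAGE_FILE_MACHINE_I386
            0x8664  { '64-bit' }   # IMAGE_FILE_MACHINE_AMD64
            default { 'unknown' }
        }
    } finally { $fs.Dispose() }
}

function Test-AgomoKey {
    # A 32-bit program on 64-bit Windows sees a redirected HKLM\SOFTWARE, so check both views.
    foreach ($view in 'Registry32', 'Registry64') {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
        try {
            $key = $base.OpenSubKey('SOFTWARE\Piriform\Agomo')
            if ($key) { $key.Dispose(); return $true }
        } finally { $base.Dispose() }
    }
    return $false
}

$full    = (Resolve-Path -LiteralPath $Path).ProviderPath
$vi      = (Get-Item -LiteralPath $full).VersionInfo
$bitness = Get-PeBitness $full
# Assumption: 6162 sits in either the third or the fourth field of the version resource.
$is533   = $vi.FileMajorPart -eq 5 -and $vi.FileMinorPart -eq 33 -and
           (6162 -in @($vi.FileBuildPart, $vi.FilePrivatePart))
$atLeast534 = $vi.FileMajorPart -gt 5 -or
              ($vi.FileMajorPart -eq 5 -and $vi.FileMinorPart -ge 34)

[pscustomobject]@{
    Path              = $full
    FileVersion       = $vi.FileVersion
    Bitness           = $bitness
    AffectedBuild     = $is533 -and $bitness -eq '32-bit'   # 32-bit 5.33.6162
    Version534OrLater = $atLeast534
    AgomoKeyPresent   = Test-AgomoKey                       # key reported in the comments
}
```

Save it under any name (for example the hypothetical `Check-CCleaner.ps1`) and run it once per CCleaner executable in the install folder, since each file has its own bitness.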

14 Comments


  1. Ziggy

    September 18, 2017 at 10:48 pm

    Mind boggling! Of late I’ve been using Glary disk cleaner, so I hope all’s well there!

  2. Steve Krause

    September 19, 2017 at 7:51 am

    I had an earlier version installed so no worries on my side. Wow… Nasty one. I’m just glad they went public and notified customers what happened.

    I’m still a fan of CCleaner and its other products. But, AVAST needs to take a look and get things cleaned up on its systems side of things.

    • Ron Lund

      September 20, 2017 at 1:20 pm

      I just checked my 32-bit computer and I also had a pretty old version on it. Of course, I had the popup warning about updating and quickly did so. I hope I managed to escape any compromising of my stuff.

  3. Tony Armstrong

    September 19, 2017 at 7:59 am

    Is no-one concerned that an anti-virus provider has been hacked into? What about their other products?

    • Bipolar_Bear

      December 10, 2022 at 6:21 pm

      Frightening stuff you are correct!!

  4. Glenn Charles

    September 19, 2017 at 3:44 pm

    This actually contains a lesson. First, always check software for updates, even the stuff that “always auto-updates”. Second and even more important, try to have an anti-virus software module check each and every download. Third and actually critical and nearly no one does it, the checksum should always actually be checked if it’s available. IF YOU DOWNLOAD FROM SOFTONIC, FILEHIPPO, A ZIFF-DAVIS PUBLICATION (because of its downloader) and many others, you simply have to check each and every download, because many of their downloads are infected. Because of fear of being litigated against for calumny and libel I refuse to openly speculate. Filehippo last century was quite reliable. PC Mag (one of the ZD pubs) was entirely safe until the turn of the century. ALWAYS, ALWAYS, ALWAYS check your downloads. There are even online free sites where you can check them.

  5. Ginny

    September 19, 2017 at 5:05 pm

    It appears I, too, have an earlier version so hope I’m okay. Goodness, why can’t these nasty people mind their own business and leave those people alone who ARE minding their own business. It’s irritating!

  6. venkat

    September 19, 2017 at 10:53 pm

    My version is 5.34.6207 (64-bit). So I presume there is no problem in cleaning my files with CCleaner.

  7. Ziggy

    September 19, 2017 at 11:50 pm

    Doing a little bit of research on this I found that it stored certain information in the Windows registry key HKLM\SOFTWARE\Piriform\Agomo

    If you have the Agomo listed, ouch!

    • Ron Lund

      September 20, 2017 at 1:24 pm

      I’m doing a search right now in regedit to see if that key shows up. Fingers crossed.

  8. Ron Lund

    September 20, 2017 at 1:27 pm

    Cool!!! Looks like I managed to escape any modifying of my windows registry from these hackers.

  9. Ziggy

    September 22, 2017 at 7:12 am

    It ain’t all clear sailing yet folks! Latest to hit the net is that there is a second stage installer associated with this malware. To think that it just infected the 32 bit version is not totally correct as it also has implications for the 64 bit version.

    Do some research on the following in relation to CCleaner and you will see what I mean:

    GeeSetup_x86.dll
    trojanized TSMSISrv.dll, associated with the 32 bit
    trojanized EFACli64.dll, associated with the 64 bit

    There are also some other registry keys that need to be checked to see whether one has been compromised or not. Again the research will show you which keys have been affected.

  10. Susan

    December 4, 2021 at 4:49 pm

    Soo…why is the version on my Android phone suddenly asking for full access to my folders and won’t run otherwise? It didn’t do that before. Should I uninstall and reinstall?

    • Mark

      October 28, 2023 at 3:02 pm

      Remove the junk, and never use it again. Won’t people learn?!
