CCleaner unknowingly distributed malware to Windows PCs for one month

It has been revealed that CCleaner, a popular application for file clean-up and performance optimization, suffered a "security incident" last month, which resulted in malware being unknowingly distributed for four weeks.

Piriform, the program's developer, announced today in a blog post that the 32-bit versions of CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191 distributed malicious software between August 15 and September 12. After being notified of the issue by Cisco Talos, the firm prevented any further downloads of these versions, while pushing out an automatic update to affected users.

Users who downloaded these versions of CCleaner unknowingly installed the malicious software alongside it, which was slipped into the installer and distributed through official servers. The malware sent various encrypted information from affected PCs to the attackers, including PC names, installed and running software, Windows updates and the MAC addresses of network adapters.

The malicious code also allowed affected PCs to be remotely controlled, with the capability to download and install additional binaries. However, it has been noted that execution of this second stage is yet to be seen, meaning no additional software should have been installed on devices.

Piriform, the company behind CCleaner, was acquired by Avast earlier this year – a security giant with products spanning security, privacy, and performance-enhancing applications. With 2 billion users and 5 million weekly installs for CCleaner alone, today's news potentially affects millions of users. While it's currently unknown how this incident occurred, Piriform has noted that it is investigating the origin of the attack and taking action to prevent future incidents. In the meantime, the company recommends that potentially affected users update to the latest version of the program as soon as possible.

Matt Brown

Matt Brown is Windows Central's Senior Games Editor, Xbox & PC, at Future. Following over seven years of professional consumer technology and gaming coverage, he’s focused on the world of Microsoft's gaming efforts. You can follow him on Twitter @mattjbrown.

52 Comments
  • ALSO you should perform quick scan...
  • No wonder I received internal software update couple days ago...
  • Would this have been caught if distributed via Windows Store?
  • Microsoft does not screen the apps that are offered in the Store. I did buy 2 apps in the Store. Both didn't work and of course MS is not responsible. So it is quite evident that the Windows Store does not give any added value at all, and that malware would have been distributed also through the Store. 
  • You couldn't be more wrong. Developers are able to make apps function however they like, and if you bought 2 apps and couldn't recognize they were bad (Ever try looking at the reviews?) that is on you. The reason this was a problem was that CCleaner was being distributed with installations of Avast! Antivirus, probably being bundled by default but optionally declinable. Apps in the Windows Store are NEVER bundled. And even if they had malware in them, modern Universal Windows Apps in the store are Isolated from the rest of the system into its own container. There is no way for malicious code to be executed from inside a real, native UWP  
  • Also, the first step after any app is submitted is that it is subjected to virus and malware scans and rejected if anything is found.
  • Microsoft was right to not recommend ccleaner . 
  • The only reason they didn't recommend it was because you can use it to remove the bloatware and Microsoft apps instead of spending a crap-ton of money for Windows 10 Enterprise. That is THE only reason.
  • Yeah as per this article the ONLY reason. And now you've lost ALL credibility
  • 1- You should know that you can't buy Windows 10 Enterprise by yourself.
    2- Ccleaner doesn't remove any "bloatware" as you call them, nor Microsoft app, any easier than the good old Program and Features or App & Features.
    3- The main reason is that it is mostly irrelevant to use a "registry cleaner" software, as it doesn't speed up the OS. And if such a tool has actually successfully repaired any weird error, then you are only hiding the issue at hand, which is that some software wreaked havoc on your system and it should be reinstalled anyway, if optimal performances are what you are after.
  • That's a disappointment..
  • The software itself is malware
  • Really? How so?
  • Not so much malware as stumbleware. Stumble with it and you break Windows. Historically, the software is behind a lot of problems users end up dealing with by reinstalling Windows. It's deceitful, in the sense that it gives you a lot of power, but no way of fully understanding what the impact will be. So while there are certainly useful things that it could do in expert hands that are faster than cmd/powershell, it exposes the OS in ways that are really bad for people that don't know what they are doing. Which is most. Use it if you know what you're doing with it, not if you just think you know what you're doing with it.
  • In my experience, those users will always find a way to break things... Be it software like this, downloading actual malware, messing about with the command line or messing with the registry. It isn't really fair to blame the tool for people not using it properly... If someone goes blind because they're using a welding torch without a mask, tragic as it is, you can't blame the torch.
  • That's not quite a fair comparison. If CCleaner does a registry scan and finds 1,000 items that they feel can be "cleaned", are you going to take the time to go through each one line by line and verify that it's safe to delete? No, nobody in their right mind would. But the tool still presents the info, and sometimes just following its recommendations can result in fatal errors to your OS.
  • I thought the same. It seems maliciously useless.
  • And I just installed the 64Bit version like a month ago..... smh
  • Wait, I thought it was Kaspersky that was Malware. Also, I've used the 64-bit version forever so I'm not affected by this one.
  • One of my co-workers sent me a link to the Piriform announcement this morning. One of the things mentioned that the suspicious code was doing was collecting "additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc." Why would it check whether it is a 64-bit system if only the 32-bit version of software was affected? CCleaner automatically installs the version that matches the OS. I did a malware scan on a 64-bit machine with 64-bit CCleaner. It found a trojan in the CCleaner program files folder for version 5.33.
  • poit57, which program found the trojan and has it been removed successfully?
  • Tehp, it was found by the free MalwareBytes. The infected file was quarantined and told me that I needed to reboot to finish removing the threat (or however they phrase it). I also installed the updated version of CCleaner (5.34). There were no other threats found after doing so.
  • I see. I have installed 5.34 before I heard about this and since searched with the free MB as well with no findings either. Hopefully that was the extent of it
  • LOL as I read this, a ccleaner alert just popped up on my machine as I have it installed....
  • Malware distributed in software owned by Avast, that's awkward. Happy to say I've never used this software
  • There isn't a computer technician worth their salt that uses this sort of crap to begin with.
  • What's the concern about CCLEANER? I use it but don't let it do certain things. When you have a machine that has been littered with issues, and unkept temp files, I have found it helpful. I've never encountered an issue after using it.
  • I never need these typpa enhancements tbh.
    I have Adobe, Microsoft products, 3dsMax, VisualStudio, Unreal, Havok lib, etc on my PC. Most of my applications are from major big names. I don't DL anything weird from the internet. I don't keep installing / uninstalling applications, so, there's no much rubbish on my PC.
    Year of 2017, if there's a win10 Store alternative, I'll get it from the store cause they are sandboxed, they don't mess with my registry.
    Well... I guess I just don't really trust these enhancements. (Who knows maybe they are the cause of the troubles. You know, they can then swoop in and save the day? And if you accidentally clean the wrong stuff... it just generates more trouble. Exception might catch it so application won't crash but it's making your machine run slower and slower) Just keep your PC as simple / as clean as possible and you will be fine.
    Use cloud services, don't keep things in the client. You never know when your PC will break.
  • A lot of people get adventuress with it. It ends up being a reason why a technician is called, although usually users just end up reinstalling Windows and not touching those parts. Any software that lets a user stumble into having to reinstall Windows is not a piece of kit any expert worth their salt is going to recommend to end users. That doesn't mean it's not useful, just that it's dangerous in its own right.
  • A lot of people become women who like adventure?
  • *sigh* a dream of what could have been...
  • "Any software that lets a user stumble into having to reinstall Windows..." - so pretty much, anything that prompts for Administrative access, like Regedit, Admin Command Prompt, etc? Pretty much, if a user has admin rights, they can blow up their machine.  It doesn't matter what software is used to do it.
  • Why not use the Windows Disk cleanup tool. I have used CCleaner in the past, it works, although I have used it and it broke things as well. Really all I use are Windows Disk Cleaner and Defrag built in.
  • Ouch. In the real world, a company that lets this happen would lose all credibility and be forced to call it quits.
  • I'm confident we've yet to see all of the complete fallout Avast will take on from this event.  The night is still young. ;/
  • *cough* Equifax *cough* How quickly people forget...
  • I never need these typpa enhancements tbh. I have Adobe, Microsoft products, 3dsMax, VisualStudio, Unreal, Havok lib, etc installed on my PCs. Most of my applications are from major big names, if they are not trustworthy, who are? Most of'em have huge user base too. (and people strike when things goes wrong, we know where they are.) I don't DL anything weird from the internet. I don't keep installing / uninstalling applications. I don't think there's much rubbish on my PC that needs "clean up" to "speed up". Year of 2017, if there's a win10 Store alternative, I'll get it from the store cause they are sandboxed, they don't mess with my registry. Well... I guess I just don't really trust these enhancements.
    (Who knows maybe they are the cause of the troubles. You know, they can then swoop in and save the day? And if you accidentally clean the wrong stuff... it just generates more trouble. Exception might catch it so application won't crash but it's making your machine slower and slower. Can 1 dev, know how every other application inside out, write an algorithm, safely clean up other people's mess? I doubt...)
    * I'm nobody, but I work in a major game dev as a main programmer. I also happened to be a very lazy programmer, so, I like to hack things. I hack websites, applications, work tools, to inject my own code to do my automation. Except graphical applications such as Adobe, eventually I can operate Windows and its applications (Chrome, Edge, Windows, Visual Studio, etc) without a pointing device. Keyboard only and it's faster and more efficient this way.
    Just keep your PC as simple / as clean as possible and you will be fine.
    Use cloud services, don't keep things in the client. You never know when your PC will break.
  • I agree with a lot of what you said, although I'm still wary of Cloud Services, especially for file backup.  The idea that "storing your content on someone else's computer" isn't any more secure than having your own decent backup system. I'd love to know how you navigate browsers with a keyboard.  When I reinstalled Windows and tried to get around an OEM website using TAB to navigate, I got so frustrated at the site layout and how it was virtually impossible to find the trackpad drivers.
  • I never liked CCleaner after XP days. But after so long, when my work PC was not performing well recently, in one of the rarest incidents, I ran CCleaner on my PC and I did it in the said time frame. What luck 😑😑
  • And this is one of the reasons Windows 10 S exists and why programs need to come to the store. One of the most popular softwares infected PCs across the globe with malware and that could be avoided if the app was on the store.
  • Indeed. However, the same people who'll down vote the idea will be just as quick to blame Microsoft. Application containerization mitigates these problems and I'm sure it wouldn't have made it through the store.
  • Bah, I had already uninstalled the program for other reasons several days ago and now I can't check whether it was the 32-bit or the 64-bit. Is there any way to tell from the install executable? I'd hate to have to install this to a sacrificial machine just to check.
  • If you right click on the executable > Properties > Details and look for 5.33.6162 or for CCleaner Cloud 1.07.3191
  • So how do we remove whatever malware that was installed to our computers?
  • If you're not using Defender for your AV, I'd update Defender, run an Offline scan, then full scan with MalwareBytes Pro trial.
  • What a nightmare considering the install base. For a long time it was a handy tool. I find it odd (but not at all surprised) it wasn't detected by their own security group @ Avast. Their free AV was decent option for a while once AVG started going South but the last year or two, we had to recommend people remove it because it wasn't detecting all viruses.
  • CCleaner, Defender, Malware Bytes is all I use. This combo has worked great for me.  What else would you suggest? 
  • Temp File Cleaner by Oldtimer is genuine temp cleaner. AdwCleaner is another nice one just to make sure you did not pick up something along the way. Panda USB Vaccine to be safe when plugging in those thumb drives of memory cards. Another one that is getting popular but I did not try it is RansomFree by Cybereason.
  • That was close. I use the portable version and haven't updated it since April.
  • LOL suckers. Use Windows free Defender.
  • Another reason not to use aftermarket junk.