The CCleaner Virus: What It Is and How to Remove It

Hackers targeted your favorite utility tool

Illustration: the CCleaner virus destroying a laptop computer (Theresa Chiechi / Lifewire)

There you are, just trying to be proactive and use an effective tool to remove unwanted programs to organize your computer and keep it running smoothly. Even then, almost laughing at your diligence in keeping your system cleaned up, malware hackers found a backdoor to your computer by creating the CCleaner virus. Devious, yes. Fixable? Absolutely.

CCleaner is a utility tool used to clean out unwanted files and invalid Windows Registry entries from your computer. It works on both Windows PCs and Macs, so in theory any computer could have been affected, yet early reports indicated only 32-bit Windows computers were at risk from the virus. Macs were never officially confirmed as infected with this virus and, according to Avast, are still not known to be at risk.

What Is the CCleaner Virus?

To understand this virus, you first need to understand what CCleaner is: a utility program designed to remove unwanted files from a computer. While not specifically designed as a malware removal tool, as it scours your PC or Mac for files to remove it also sometimes ends up removing various types of malware. That makes it a very useful tool for millions of people.

While the cleaner itself is perfectly legitimate, hackers managed to insert malicious code into it in an attempt to steal data from users of the program. CCleaner confirms this occurred prior to the releases involved. When Avast Piriform, the parent company of CCleaner, learned of the malware on September 12, 2017, it immediately took steps to resolve the problem through an upgrade. However, that upgrade triggered a second-stage payload, which attacked 20 of the largest tech companies in the world, including Cisco (which found the second-stage payload), Microsoft, Google, Intel, and more.

The virus can still lurk in specific, older versions of CCleaner, so it's important to carefully check versions if you download it now. Versions released since September 16, 2017, appear to be virus-free and there have been no further accounts of this virus reappearing.

The malware consisted of two Trojans, Trojan.Floxif and Trojan.Nyetya, inserted into the free versions of CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. If you decide to install CCleaner, be certain you are downloading the most recent version available, or at least version 5.34 or higher. The clean version of CCleaner Cloud is 1.07.3214 or higher. CCleaner provides more information here.

While the origins of this act are murky, some indications are that a Chinese hacking group known as Axiom was involved. CCleaner worked with a legal variant of that group, which is why suspicions point to an inside job. Cisco Talos, a threat intelligence company, believes a hacker infiltrated Avast Piriform’s official build somewhere in the development process to plant malware designed to steal users’ data. Because of the secondary industrial espionage attack that was launched, some suspect the Chinese government is behind the attack but those accusations remain unproven.

How Does the CCleaner Virus Work?

The malware collected specific data, such as IP addresses, lists of installed software and running processes, and other information, and sent it to a third-party server located in the United States. It was also designed to download and execute other malware, but Avast, which discovered the virus, said that no evidence was ever found that this function was used.

Because the CCleaner binary that included the malicious program was signed using a digital certificate, most antivirus programs did not catch it. Many threat researchers believe that the target was never the individual user anyway; rather, the malware was designed to specifically go after information at a corporate level.

CCleaner boasted over 2 billion downloads in late 2016 and claimed it was adding users at a rate of 5 million/week. The sheer volume of computers that this virus potentially infected made it a massive threat to both individuals and corporations.

How Do I Know if I Have This Virus?

Unlucky CCleaner users were left with a new, unauthorized key in the Windows Registry. Infected machines showed an Agomo key under HKEY_LOCAL_MACHINE\SOFTWARE\Piriform in Registry Editor, holding two values named MUID and TCID. These two values were engineered to gather data from an infected machine and pass it back to the hacker's command and control center.

Registry Key showing Agomo files

How Did I Get This Virus?

If you downloaded CCleaner version 5.33.6162 or CCleaner Cloud version 1.07.3191, you were potentially infected.

How Do I Get Rid of the CCleaner Virus?

If you have the old CCleaner versions on your computer, you need to remove them immediately by upgrading to the most current version CCleaner has available. However, that will not remove the Agomo key from the Windows registry.

  1. To remove the Agomo key, you need to delete a registry key. Don't forget to upgrade your CCleaner version and back up your system first!

  2. After you remove the key, scan your computer for signs of malware.

  3. If none of those steps solves the problem, you can use System Restore to return your computer to an earlier point, before you picked up the CCleaner virus. Be sure to pick a time when you know you definitely didn't already have the virus on your computer. This step is not typically necessary with this particular malware, however.
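Putting the registry indicator from "How Do I Know if I Have This Virus?" and the removal steps above into one script, as an added example (not from the article and not Piriform/Avast code): it reports the installed CCleaner version, checks for the Agomo key under HKEY_LOCAL_MACHINE\SOFTWARE\Piriform, and with -Remove exports the key to a .reg backup before deleting it. The CCleaner.exe location and the backup file path are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or Piriform/Avast). Checks for the
# Agomo indicator and, with -Remove, backs up then deletes the key.
[CmdletBinding()]
param(
    [switch]$Remove,
    # Assumed backup location; adjust for your environment.
    [string]$BackupPath = "$env:TEMP\Piriform-Agomo-backup.reg"
)

$agomoKey = 'HKLM:\SOFTWARE\Piriform\Agomo'

# Report the installed CCleaner version (assumed default install path) so it
# can be compared against the compromised 5.33.6162 build named in the article.
$ccleanerExe = Join-Path $env:ProgramFiles 'CCleaner\CCleaner.exe'
if (Test-Path $ccleanerExe) {
    $ver = (Get-Item $ccleanerExe).VersionInfo.ProductVersion
    Write-Host "CCleaner installed: version $ver"
    if ($ver -like '5.33*') {
        Write-Warning 'Known compromised 5.33.x build; upgrade to 5.34 or later.'
    }
} else {
    Write-Host 'CCleaner.exe not found under Program Files.'
}

if (-not (Test-Path $agomoKey)) {
    Write-Host "No Agomo key at $agomoKey - indicator absent."
    return
}

# Key exists: show the MUID and TCID values the malware wrote.
$props = Get-ItemProperty -Path $agomoKey
Write-Warning "Agomo key present at $agomoKey"
foreach ($name in 'MUID', 'TCID') {
    if ($null -ne $props.$name) { Write-Host "  $name = $($props.$name)" }
}

if ($Remove) {
    # Export first so the deletion can be reverted if needed.
    & reg.exe export 'HKLM\SOFTWARE\Piriform\Agomo' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup export failed; key not removed.' }
    Write-Host "Key exported to $BackupPath"
    Remove-Item -Path $agomoKey -Recurse -Force
    Write-Host 'Agomo key removed. Now run a full antimalware scan.'
} else {
    Write-Host 'Re-run with -Remove to back up and delete the key.'
}
```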

How Can I Avoid Getting This Virus Again?

This malware was so sneaky, there's probably no way you could have avoided it. CCleaner is a reputable company with a reputable site and is recommended by hundreds of PC experts. Sometimes, malware just gets in.

However, there are key ways to lower your chances of contracting a virus or another type of threat. Plus, always keep your antivirus software and malware protection updated. Just like the CCleaner virus, new viruses are created regularly, so it's important to keep your PC's protection current on the latest virus and malware-based threats so it knows what to look for.