Popular Windows program ccleaner compromised with malware

Posted by ewv 6 years, 9 months ago to Technology

The widely used Piriform Windows security/optimizer utility ccleaner, used to clean out extraneous files and registry entries, has been hacked, infecting over 2 million users.

The hack affected the 32-bit installer download for version 5.33 on Piriform's own servers for about a month before it was discovered by researchers at Cisco Talos. All anti-virus programs missed it because it was implanted under the company's own security signature. Piriform was purchased by the security company AVAST a few months ago.

The malware is described as a trojan set to send information back to servers controlled or used by the hackers.

Piriform says that the servers were discovered from addresses embedded in the malware and were disabled before being activated. Piriform says the malware was not publicly announced until it got control of the hackers' server, so as to not tip them off. It does not say why it believes there had been no isolated activations.

The newest monthly update of ccleaner, version 5.34 Sept. 12, 2017, fixes the problem by replacing the compromised files, which can be identified by their sha256 hash values:

ccleaner.exe v5.33

ccleaner.exe v5.33


The program file ccleaner.exe is put in C:\Program Files\Piriform\ unless you install it somewhere else.

The malware also installs a new registry key that the new version 5.34 installer does not remove, but which is said to be dormant without the malware running: HKLM\SOFTWARE\Piriform\Agomo\

Technical details are described at


SOURCE URL: https://forum.piriform.com/index.php?showtopic=48869
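
One way to run the two checks the post describes (the file hash and the leftover registry key), as an added PowerShell example that is not from the post or from Piriform. The hash list is a placeholder to be filled in from the vendor's published values; the version-number check and the WOW6432Node registry view (where 32-bit processes are redirected on 64-bit Windows) are additions made here.

```powershell
# Added example: read-only triage for the compromised ccleaner 5.33 build.
param(
    # Install folder as given in the post; change it if you installed elsewhere.
    [string]$InstallDir = 'C:\Program Files\Piriform',
    # Placeholder: supply the SHA-256 value(s) published for the bad 5.33 files.
    [string[]]$BadSha256 = @('<SHA256-OF-COMPROMISED-CCLEANER-5.33>')
)

# Key named in the post, plus the redirected view used by 32-bit processes
# on 64-bit Windows (an addition, not from the post).
$RegKeys = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'
)

$findings = @()

if (Test-Path -LiteralPath $InstallDir) {
    Get-ChildItem -LiteralPath $InstallDir -Filter 'ccleaner*.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $ver  = $_.VersionInfo
            # Flag on a hash match, or on version 5.33 when no hash list is supplied yet.
            $is533 = ($ver.FileMajorPart -eq 5 -and $ver.FileMinorPart -eq 33)
            $findings += [pscustomobject]@{
                Check   = 'File'
                Item    = $_.FullName
                Detail  = "version $($ver.FileVersion), sha256 $hash"
                Flagged = ($BadSha256 -contains $hash) -or $is533
            }
        }
}

foreach ($key in $RegKeys) {
    if (Test-Path -LiteralPath $key) {
        # The post says the 5.34 installer leaves this key behind; list value names only.
        $names = (Get-Item -LiteralPath $key).GetValueNames() -join ', '
        $findings += [pscustomobject]@{
            Check = 'Registry'; Item = $key; Detail = "values: $names"; Flagged = $true
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
if ($findings.Flagged -contains $true) { exit 1 } else { 'No indicators from the post found.' }
```

A flagged registry key on a machine already updated to 5.34 is the leftover the post mentions, not proof that the trojan is still running.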
