CCleaner: what it is and how to remove it

Who I am
Pau Monfort

Here you are, trying to be proactive by using a well-known tool to remove unwanted programs and keep your computer organized and running smoothly. Then, almost mocking your diligence in keeping your system clean, attackers turn that very tool into a backdoor into your computer: the CCleaner virus. Sneaky, yes. Can it be eliminated? Absolutely.

CCleaner is a utility used to clean unwanted files and invalid Windows registry entries from your computer. It runs on both Windows PCs and Macs, so in theory any computer could be affected, but early reports indicated that only 32-bit Windows computers were at risk.

Macs have never been officially confirmed as infected with this virus, and according to Avast, they are not yet known to be at risk.

What is the CCleaner virus?

To understand this virus, you must first understand what CCleaner is: a utility program designed to remove unwanted files from a computer. Although it is not marketed as a malware removal tool, while scouring a PC or Mac for files to delete it has at times also removed several types of malware.

This makes it a very useful tool for millions of people.

While the cleaner itself is perfectly legitimate, hackers managed to inject malicious code into it in an attempt to steal data from the program's users. CCleaner has confirmed that the injection happened before the affected versions were released.

When Avast Piriform, CCleaner's parent company, learned of the malware on September 12, 2017, it immediately took action to fix the problem through an update. However, that update triggered a second-tier payload, which attacked 20 of the largest tech companies in the world, including Cisco (which found the second-tier payload), Microsoft, Google, Intel, and more.

The virus can still hide in specific previous versions of CCleaner, so it's important to check the version carefully if you download it now. Versions released since September 16, 2017 appear to be virus-free.

The malware consisted of two Trojans, Trojan.Floxif and Trojan.Nyetya, included in the free versions of CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. If you decide to install CCleaner, be sure to download the latest version available, or at least version 5.34 or later. The clean version of CCleaner Cloud is 1.07.3214 or later. CCleaner provides more information here.

While the origins of this attack are unclear, some indications suggest that a Chinese hacking group known as Axiom was involved.

Cisco Talos, a threat intelligence company, believes an attacker compromised the official build of Avast Piriform somewhere in the development process to implant malware designed to steal user data. Because of the secondary industrial-espionage attack that followed, some suspect a nation state is behind the attack, but these allegations remain unproven.

How does the CCleaner Virus work?

The malware collected specific data, such as IP addresses, lists of installed software and running processes, and other information, and sent it to a third-party server located in the United States. It was also designed to download and run other malware, but Avast, which discovered the virus, said that no evidence was ever found that this feature had been used.

Since the CCleaner binary that included the malicious program was signed using a digital certificate, most antivirus programs did not detect it. Many threat researchers believe that the target was never the individual user; rather, the malware was specifically designed to search for information at an enterprise level.

CCleaner boasted over 2 billion downloads at the end of 2016 and said it was adding users at a rate of 5 million per week. The huge number of computers this virus has potentially infected has made it a great threat to both individuals and businesses.

How do I know if I have this virus?

User computers with CCleaner installed were left with a new, unauthorized Windows registry key. Infected machines showed a key named Agomo in Registry Editor under HKEY_LOCAL_MACHINE\SOFTWARE\Piriform, with two data values named MUID and TCID. These two values were used to collect data from an infected machine and pass it to the attacker's command-and-control server.

How did I get this virus?

If you downloaded CCleaner version 5.33.6162 or CCleaner Cloud version 1.07.3191, you have potentially been infected.

How to get rid of the CCleaner virus?

If you have an old version of CCleaner on your computer, remove it immediately by updating to the latest version CCleaner has available. However, this will not remove the Agomo key from the Windows registry.

  1. To remove the Agomo key, the registry key itself must be deleted. Don't forget to update your CCleaner version and back up your system first!

  2. After removing the key, scan your computer for signs of malware.

  3. If none of these steps solve the problem, you can use System Restore to return your computer to a restore point from before the CCleaner virus was detected. Make sure you choose a point in time when you know you definitely did not yet have the virus on your computer.
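One way to check a Windows host for the Agomo indicator described above and to carry out the key removal from the steps just listed, as an added example that is not code from the article or from Piriform/Avast: the WOW6432Node path, the default install location and the function names are assumptions.

```powershell
# Added example, not code from the article or from Piriform/Avast: check a Windows host for
# the Agomo indicator described above and, with -Remove, delete it after exporting a backup.
# Run from an elevated PowerShell session after updating CCleaner and creating a restore point.
param([switch]$Remove)

# The article names HKLM\SOFTWARE\Piriform; the WOW6432Node path is an added assumption
# for a 32-bit CCleaner installed on a 64-bit Windows host.
$AgomoPaths = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'
)

function Test-AgomoKey {
    foreach ($path in $AgomoPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        # MUID and TCID are the two values the article associates with the key.
        $props = (Get-ItemProperty -Path $path).PSObject.Properties.Name
        $ids   = @('MUID', 'TCID') | Where-Object { $props -contains $_ }
        Write-Warning "Indicator found: $path (values present: $($ids -join ', '))"
        if ($Remove) {
            # Keep a copy of the key for incident response before deleting it.
            $backup = Join-Path $env:TEMP 'Agomo-backup.reg'
            reg.exe export ($path -replace '^HKLM:', 'HKLM') $backup /y | Out-Null
            Remove-Item -Path $path -Recurse -Force
            Write-Host "Key exported to $backup and removed."
        }
        return $true
    }
    Write-Host 'No Agomo key found under HKLM\SOFTWARE\Piriform.'
    return $false
}

function Test-CCleanerVersion {
    # Default install path is an assumption; adjust if CCleaner lives elsewhere.
    $exe = Join-Path $env:ProgramFiles 'CCleaner\CCleaner.exe'
    if (-not (Test-Path -Path $exe)) { Write-Host 'CCleaner.exe not found.'; return }
    $vi = (Get-Item -Path $exe).VersionInfo
    $v  = New-Object -TypeName Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    # 5.34 is the first clean release the article names; anything older should be updated.
    if ($v -lt [version]'5.34') {
        Write-Warning "Installed CCleaner $v predates 5.34; update to the current release."
    } else {
        Write-Host "Installed CCleaner $v is at or above 5.34."
    }
}

$null = Test-AgomoKey
Test-CCleanerVersion
```

Run it once without -Remove to record what is present, then again with -Remove only after the backup and the CCleaner update from step 1 are done.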

How can I avoid getting this virus again?

This malware was so sneaky that there was probably no way to avoid it. CCleaner is a reputable company with a reputable site and is recommended by hundreds of PC experts.

However, there are ways to reduce the chances of getting a virus or other type of threat. Always keep your antivirus and anti-malware protection up to date. Just like the CCleaner virus, new viruses are created regularly, so it's important to keep your PC informed of what to look for with the latest virus- and malware-based threats.
