IMPORTANT: If You're A CCleaner User You Need To Read This.


CCleanerIf you use the free CCleaner tool from Piriform, which removes junk from your PC and registry, then you need to upgrade your software as soon as possible.

It's been reported that the installer file for CCleaner had been compromised back in August, by person or persons unknown. It had been altered to send details of the user's computer to a server in the USA. Piriform kept quiet about the discovery until police in the US had located and shut down that server. Now that they have done so, Piriform have released a new version of CCleaner and are urging everyone to upgrade.

If you use CCleaner or CCleaner cloud, you need to download and install the latest version. If you're not already a user of the software, and you want to try it, then you should also ensure that you download the very latest release.

You'll find the latest free version of CCleaner at and it's a 10 MB file. Web of Trust rates the site as reputable, and VirusTotal merely notes that it includes the Google Toolbar as an optional extra. So the file is safe to download and use. Meanwhile, if you already have CCleaner installed, you should either update or remove it. In theory, the compromised version won't do any damage now that the US server has been shut down, but it's best to stay on the safe side.

Please rate this article: 

Your rating: None
Average: 4.6 (50 votes)


I found out about the Ccleaner infection in this article: A few minutes ago, I posted the following comment to that article: "I just got an alert that Ccleaner has a newer version than the one mentioned in this article. It is version 5.35.6210. I'm wondering if I should wait to download it? I've used Ccleaner for years, and I will continue to. I trust Piriform, but they are obviously not infallible. As for Avast... if they were who was distributing the malware version, how could they not detect it? They are an anti-virus software company! This is very disturbing, because I use the Avast AV on my computer." Then I came to this site, to make sure you guys were informed, and of course you were! Now I feel silly for wondering about that. Thanks Rob!

Seems like a second payload has been discovered for the malware, according to this Ghacks article:

This is really bad. Seems like system restore won't be enough, and reinstall of Windows, or restoring from a previous backup image is required.

Thanks for the ghacks advice is to check whether the artifacts of the intrusion are anywhere on your hard drive or in your Windows registry, then delete them. Here's another recent article with some information about the targets for the 2nd payload:

Seems to have been geared toward the manufacturing, design and communications giants -- industrial espionage at the least, and perhaps more of an effort to establish the potential for a widespread trojan backdoor control capability.

Further to my long post: forgot (slaps head) to say that if you do have the key at Piriform in the Registry saying MUID or Agomo MUID, then of course you should delete it.
By the way it now seems that another AV site, actually discovered this trojan and told Piriform / Avast about it:

This post alarms many unnecessarily and fails to tell all, as others above have noted - a disappointment against your usual standard. This is what I wrote for my people:
Someone introduced malware into a Ccleaner update package, effective between 15August and 13 September. This did not do any immediate harm, but the data it sent out (and possibly stored on your machine) could be used for a later attack. If you have a 64-bit machine you are safe. If you use a 32-bit machine, read on.

The version concerned was Ccleaner 5.33.6162, and the cloud equivalent from that time. If you have used either of these, you need to check the Registry editor.-

- in the Search / Run box (I think it's called "Ask me anything" in W10), type: regedit

- select the top result: regedit Run command, or in W7, regedit.exe

- click the + sign beside HKEY LOCAL MACHINE

- click the + sign beside SOFTWARE

- scroll down to Piriform

- There should be just one key in there for Piriform (ignore the subsection for Ccleaner): a little red logo saying ab followed by (default), labelled REG_SZ (Value not set)

--- If there is anything else there, you may have a problem, particularly:if it says: Agomo MUID, or just MUID.

- in that case you should

a) delete your present version of Ccleaner (no need to use Revo, as Ccleaner is very good at clearing itself out)

b) restore your system to a time before August 15 (or whenever you downloaded the update), or better re-install Windows. - ask me if necessary.

c) download a new version of Ccleaner - it should be safe from now on.

Talios at:
Piriform blog at:

It is notable that the Piriform announcement is somewhat mealy-mouthed about the whole thing, does not mention Talios who suppressed some of the remote domains, and does not say what to do if you have been infected.

On my PC, Malwarebytes Antimalware quarantined the malware and it was identified as Trojan.Floxif:
More info can be found here:
It appears that only 32-bit computers were vulnerable, and only through version 5.33 of CCleaner.
If you use a standard account (not admin account) you would not be affected.

Hitman Pro found a trojan in CCleaner when I scanned my computer recently, I hadn't known anything about the situation you are reporting here and was skeptical that it was false positive. I removed CCleaner anyway by using Hitman Pro and it said it removed the threat. I guess I was right to remove it in spite of my doubts.

There is a lot more detail at this link . It's heavy reading, but the bottom line is that (a) it was the 32-bit 5.33 version of CCleaner that was infected, which was distributed in August and part of September, (b) uninstalling or updating CCleaner doesn't remove the infection from your PC, however (c) it appears that the worst effects of the malware have been neutralized even if you do have the infection. If you feel comfortable poking around in your registry, you can see if your PC was affected.

There is no mention of this issue in the Release Notes for the latest update available (5.34.6207). Are we sure that this version corrects the problem?