Infected by CCleaner’s Malware? Here’s How to Remove It

Mercy Pilkington
Posted: December 23, 2018

If you’re one of the over 2 million users worldwide that has been infected by CCleaner, you need to remove it from your computer immediately.

CCleaner is a legitimate system cleanup software that fell victim to a massive rogue code insertion. Two spyware payloads were delivered to users after attackers hacked into the software developer’s network and put code in the program’s free version. This code could leak details of your programs to a third-party server in the United States.

Here’s what you need to do to safely remove the infected program from your Windows computer and truly keep your system clean.

Remove the Program

While the large-scale hack was certainly concerning, the good news is that only an old 32-bit version of the Windows program fell victim to the cybercrooks—and users had to run the program with admin rights for the payload to execute.

So if you’re using CCleaner on Mac or Android, you don’t need to take action. The specific version that was compromised is 5.3 and the free version doesn’t support automatic upgrades. Therefore, if you’re a premium user or running a more up-to-date version (such as 5.50) then you also have no cause for concern.

However, if you do have a non-upgraded free version of 5.3 on your Windows machine, here’s your first course of action:

For Windows 10 users:

  • Open the ‘Start’ menu
  • Click on ‘Settings’
  • Click ‘System’
  • Choose ‘Apps and Features’
  • Find ‘CCleaner’ in the list of programs
  • Click ‘Uninstall’ from the horizontal menu above the programs list

Scan the System

The first payload installed a piece of spyware called Floxif on users’ machines. This program builds a complete picture of the local network and the infected device itself. The malware gathers a complete list of running processes, MAC addresses of network interfaces, and installed software. The information could be used to target vulnerable systems for further attacks—such as those running outdated versions of programs containing known vulnerabilities.

A later payload introduced Trojan.Nyetya, which may attempt to maliciously modify the Windows Registry of the infected computer. It’s capable of sending the following to a cybercriminal’s server:

  • All user keystrokes
  • Saved browser passwords
  • Frequently and recently edited MS Word documents
  • Financial information

For that reason, although the default uninstall process should remove Floxif along with the infected version of CCleaner, infected systems are highly vulnerable to further attacks; users should install reliable antivirus software immediately.

Some titles with a strong track record of eliminating malware—even in previously infected systems—include:

Norton: Norton’s virus and malware detection rates are among the best on the market. Its award-winning scanning engine includes Proactive Exploit Protection (PEP) to catch zero-day attacks and its Emulator will analyze suspicious files in an isolated virtual environment.

Comodo: Comodo Antivirus Advanced is a powerful tool that conducts a deep check of the filesystem to catch viruses, malware, spyware, or adware that may be active. Its powerful keylogger detector makes it a particularly good choice if you may have been affected by the second payload.

Nano: NANO PRO has a powerful array of scanning options in its premium product and the company has a growing reputation as a leading provider of antivirus software. NANO PRO features highly customizable scanning options, and the initial definitions database included more than 700MB of definitions when we tested it.

Get Protected!

If you were unlucky enough to install CCleaner 5.3 on a 32-bit Windows PC, you may have been exposed to one of the worst malware hijackings in recent history.

While CCleaner is a legitimate cleanup tool, the two unauthorized payloads in the corrupted versions can damage your computer and set you up for future attacks. It’s important to remove the program immediately and install a comprehensive virus scanner to make sure any malicious software is safely eliminated.

About the Author

Mercy Pilkington
Mercy Pilkington

Mercy Pilkington has been a tech industry news writer for nearly ten years. She regularly covers topics such as software, cybercrime, and digital innovation.