Nergal

Moderators
  • Posts

    10,575

Everything posted by Nergal

  1. You have the installer for the malicious ccleaner. Look at your image closer and notice the captured file is from the downloads folder.
  2. Sounds like you are not infected (based on the information we have on the infection thus far)
  3. Do you mean yes resolved "it's the same now"
  4. So, wait is this resolved? It looks like someone in admin fixed a copy paste error (just a guess not inside knowledge)
  5. That page gives ccleaner64.exe. This matches the result the member above stated. Are you saying you have a ccleaner 64.exe with a different sha256?
  6. Nope I meant a post I made here as opposed to the staff thread on the subject.
  7. As this can only be answered by admins I will flag this issue for their answer.
  8. I'm unaware of there being a ccleaner for iPad ever being released by piriform. Are you seeing it in the app store?
  9. Since you're a paid user, don't forget you can get priority support from the developers. That said, many people have had this difficulty lately. Are you saying that with ccleaner uninstalled you are still getting the cannot overwrite error? If you navigate to c:\program Files\ccleaner (or where your ccleaner is if you customized the install path) and confirm there are no files in there.
  10. As trim and community winapp2 are not officially supported, we ask that you ask this question in the dedicated winapp2 thread https://forum.piriform.com/index.php?showtopic=32310
  11. That I am unsure of, the video shows the second ccleaner process popping up after the 10 minutes..but with monitor running (as it is in the video) it could possibly run from there (note I don't know that to be true but roughly guessed by the evidence that you have as well)
  12. I think they're expecting the monitor window to run all ccleaner's routines when it just cleans the browser (chrome in this case)
  13. @robertcarroll6, @pearshaped please take some time to read the posts and watch the video that @hazelnut posted https://forum.piriform.com/index.php?showtopic=48869&page=10&&do=findComment&comment=286894
  14. Any launch of ccleaner.exe (32bit) on a 64bit machine automatically hands off the process to ccleaner64.exe
  15. I'm so sure I understand the question. What do you mean with notification on chrome?
  16. Just so you know, moderators are speaking with Admins (Piriform employees) on this topic. In your browser can you provide us with the exact steps you followed to see each separate certificate? I know that's a weird ask but it's what was asked of us.
  17. I agree that looks too aggressive.
  18. Atomic weapons are not fire just kidding, but yeah nuking a pc is one way to do it. Thanks for making the rest of us feel much less OCD
  19. @nocluez there are not components thus far discovered that would survive all the steps you took. That said that's a bit overkill based on all the research that has been done (to the time of this post).
  20. 1. the "if you're 64bit" the you was directed at the previous poster. Everyone should update to 5.35. 2. no, just meant to look for and remove the files and registry suggested in the article. 3. I may have been unclear. Certain researchers have discovered that the first payload did not begin until ccleaner.exe (32bit) had been open for roughly 10 minutes. I have seen this timing in action but am waiting on another piriform moderator to speak with me before posting it (s/he lives in the UK so I think it's still late there). But, my misspeak was to use normal when no evidence points to any non-normal situation. I hope this cleared up those 3 questions.
  21. If you have 64 bit Windows, make sure you update your ccleaner to the latest version (5.35 at the time of this post). If you are very worried you can follow the steps in https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/ However the malware normally does not have the time to activate between the time ccleaner.exe (32bit) hands off to ccleaner64.exe.