lmacri

Hi Special: Thanks for the link to that update announcement. I haven't installed the v5.36 update yet but it sounds like the new Emergency Updater is included in both the Free and Professional versions of CCleaner. ----------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.4.0 * NS Premium v22.11.0.41 * MB Premium v3.2.2 * CCleaner Free 5.35.6210

The change log for CCleaner v5.36.6278 (released 24-Oct-2017) at http://www.piriform.com/ccleaner/version-history includes the following: I assume this Emergency Updater was added to allow Piriform to force an automatic product update if another critical security vulnerability is detected in CCleaner (e.g., similar to the Floxif trojan that was embedded in CCleaner v5.33.6162 as announced <here>). Before I update to v5.36, could someone please tell me if this Emergency Updater is now included in both the Free and Professional versions of CCleaner, and whether the CCupdate.exe will now be loaded into memory at boot-up even though I've disabled my setting to start CCleaner at boot-up and turned off both System Monitoring and Active Monitoring at Options | Monitoring? ----------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.4.0 * NS Premium v22.11.0.41 * MB Premium v3.2.2 * CCleaner Free 5.35.6210

Hi mrdimly: In my original 18-Sep-2017 post <here> I stated: Keep in mind that Piriform occasionally bundles low-risk PUPs (potentially unwanted programs) like browser toolbars in the Standard installers. Two installers downloaded from Piriform on different days might both be named ccsetup534.exe but have completely different sizes and SHA-256 hashes because only one of the installers has a bundled PUP, or because the installers are bundled with different PUPs on different days. As a general rule, these lower risk PUPs are sometimes detected by an anti-malware/anti-spyware scanner like Malwarebytes or SUPERAntiSpyware but are often ignored by antivirus programs like Norton, Kaspersky, etc. that are designed to scan for higher risk malware. I scanned the larger cc_setup534.exe installer from Piriform (note the "_" underline in the file name) with my Norton Security and Malwarebytes and no threats were detected, but when I searched for the SHA-256 hash (eb32922f1043ad5d956891b7e5aeae9f337be4baea12e3ce709acf6a5a37f8d1) of this installer on VirusTotal at https://www.virustotal.com/#/home/search the report at https://www.virustotal.com/#/file/eb32922f1043ad5d956891b7e5aeae9f337be4baea12e3ce709acf6a5a37f8d1/detection showed that the ESET-NOD32 scan engine flagged this installer as potentially unsafe for Win32/Bundled.Toolbar.Google.D. I didn't use that larger v5.34 installer but I'm guessing it was bundled with the Google Toolbar. When installing any software it's always a good practice to choose the advanced options in the installation wizard and make sure you decline the installation of any bundled PUPs, especially if you are using the free version of a manufacturer's software. I'm not certain if I follow what you did, but you might be confusing the self-extracting installer (e.g., ccsetup534.exe) with the actual 32-bit CCleaner.exe executable. If you go to http://www.piriform.com/ccleaner/builds: CCleaner Standard (ccsetup535.exe) is the "normal" installer that can be bundled with a low-risk PUP like a browser toolbar. CCleaner Portable (ccsetup535.zip) is technically not an installer. It's a zipped archive that can be downloaded to a USB thumb drive. Once the archive is unzipped the user has all the files necessary to run CCleaner from the USB drive (e.g., CCleaner.exe for 32-bit OS, CClearner64.exe for 64-bit) without having to install the program on the hard drive in C:\Program Files\CCleaner. See the support article How to Run CCleaner From a USB Drive. CCleaner Slim (ccsetup535_slim.exe) is the "clean" installer usually released a few days after the CCleaner Standard installer and is guaranteed not to include bundled PUPs. These self-extracting installers might all have different sizes and different SHA-256 hashes but all should contain the same the 32-bit CCleaner.exe executable (i.e., the same 7,506 KB size and SHA-256 hash) that launches the v5.35.6210 CCleaner program. ----------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free 5.35.6210

Hi mrdimly: I can give you version numbers and release dates, but don't have "official" SHA-256 hashes for the older ccsetup53x.exe installers or the 32-bit ccleaner.exe executables so someone else would have to provide that information. As far as I know, the 32-bit ccleaner.exe v5.33.6162 executable was the only CCleaner executable infected with the Floxif backdoor trojan. v5.33.6162 (rel.15-Aug-2017, only version with backdoor trojan) v5.34.6207 (rel.12-Sep-2017, no trojan) v5.33.6163 (rel.15-Sep-2017, trojan removed, pushed to v5.33 Professional users via automatic update) v5.35.6210 (rel. 20-Sep-2017, no trojan, updated digital certificates) I've deleted all the older installers from my hard drive, but here are links to the VirusTotal.com reports for my current CCleaner Free v5.35.6210 files. SHA-256 hashes are listed at the top of each report. Note that these results are for the Standard installer, not the Portable or Slim installers available at http://www.piriform.com/ccleaner/builds. ccsetup535.exe installer downloaded from http://www.piriform.com/ccleaner/download (1/62 detection rate): https://www.virustotal.com/#/file/85d5309373cd1713eeb2416b4767c653e96a9e9cef3689dbb8f548cd23494319/detection 32-bit ccleaner.exe v5.35.6210 executable installed at C:\Program Files\CCleaner (0/64 detection rate): https://www.virustotal.com/#/file/478262a5d9d72bf339bd9b17261fea42dfdf0e36e4f233bbf7d6c6e9de0b0dc8/detection On the VirusTotal.com site, the Last Analysis date isn't critical because the SHA-256 hash is like a fingerprint (digital ID) for a file. If VirusTotal finds an exact match for the SHA-256 hash of the file you uploaded you can be confident that the analysis results are relevant. If you want to double-check and have VirusTotal.com run a new analysis then click button with the 3 dots in the top right corner of the results page and choose "Reanalyze" to resubmit the SHA-256 hash for an updated analysis with the latest available malware definitions for the ~ 60 antivirus scan engines. ----------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free 5.35.6210

From Martin Brinkmann's 21-Sep-2017 ghacks.net article CCleaner Malware Second Payload Discovered: Cisco's 20-Sep-2017 preliminary technical analysis about this second payload can be found at CCleaner Command and Control Causes Concern. Kudos to user ALF60 for posting <here> on the Norton Tech Outpost about Martin Brinkmann's article. EDIT: Additional information about this second payload was posted today on the HelpNetSecurity article Hackers behind CCleaner compromise were after Intel, Microsoft, Cisco. ----------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free 5.35.6210

...and further to this discussion about Phase 1 / Phase 2 of the attack, here is additional information about the data collected from infected 32-bit computers (e.g., MAC address, computer name, list of installed programs, etc.) according to the 19-Sep-2017 Security Now article CCleaner Infection Reveals Sophisticated Hack: ----------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free v5.34.6207

Hi Tom Piriform: Perhaps I misunderstood, but when I originally read that statement I assumed it meant that no additional malware (i.e., "a second-stage payload") had been uploaded from the rogue servers at IP address 216.126.x.x to infected 32-bit computers via an incoming connection. If that had happened I suspect my Norton Security antivirus would have been raising red flags as soon as these hackers tried to upload unknown / unsigned files onto my computer. I am more concerned about data collected from my own machine (e.g., MAC address, computer name, list of installed programs, etc.) by the code embedded in the compromised 32-bit ccleaner.exe executable that was sent back to the rogue servers via an outgoing connection, which is what this particular variant of the Floxif backdoor trojan was apparently designed to do. According to the timeline posted by bleepingcomputer's Catalin Cimpanu at Avast Clarifies Details Surrounding CCleaner Malware Incident (which is based on details provided by Avast) it was users of Morphisec's security product who first detected instances of malicious activity (i.e, that the malware was collecting device details and sending the data to a remote server) and notified Avast and Cisco. ----------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free v5.34.6207

Hi Tom Piriform: The Avast blog entry Update to the CCleaner 5.33.6162 Security Incident states: That same blog entry also states: Unfortunately it was a full month month before Avast and Piriform even discovered their v5.33 32-bit ccleaner.exe executable (released 15-Aug-2017) contained a Floxif backdoor trojan. Unless Avast has firm evidence that there was no information harvested from infected 32-bit computers in that one-month period that could be used for future hacking attempts the phrase "no known harm" doesn't give me much comfort. Is there any way I can determine if my computer ever made a connection to the rogue servers at IP address 216.126.x.x before the servers were taken down on 15-Sep-2017? As far as I can tell any executable like ccleaner.exe that is digitally signed by Piriform and whitelisted by Symantec will have full (unrestricted) access through my Norton Smart Firewall and those "safe" connections will not be logged in my firewall activity log. ----------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free v5.34.6207

Hi bazzaman: Avast posted a blog entry today titled Update to the CCleaner 5.33.6162 Security Incident about the Floxif trojan that was bundled in the v5.33.6162 32-bit ccleaner.exe executable, which includes the following: ----------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free v5.34.6207

I updated to CCleaner Free v5.34 on my 32-bit OS on 13-Sep-2017 and when I ran a Threat Scan yesterday with Malwarebytes Premium v3.2.2 (database v1.0.2835) my scan was clean. After reading rherber1's post I just repeated another Malwarebytes Threat Scan today (database v1.0.2843) and it finally detected the following stray registry entries left behind by the Floxif malware that was embedded in the 32-bit ccleaner.exe executable for v5.33: Registry Value: 2 Trojan.Floxif.Trace, HKLM\SOFTWARE\PIRIFORM\AGOMO|MUID, Quarantined, [8813], [436740],1.0.2843 Trojan.Floxif.Trace, HKLM\SOFTWARE\PIRIFORM\AGOMO|TCID, Quarantined, [8813], [436739],1.0.2843 Both Malwarebytes scan reports are attached. A - MB Threat Scan Agomo Not Detected 18 Sep 2017.txt B - MB Threat Scan Agomo Detected 19 Sep 2017.txt Here's my next question. The logs for my Norton Smart Firewall activity (Security | History | Show | Firewall Activities) only go back a few weeks so I'm not sure how I can determine if any connections were made to the rogue servers at IP address 216.126.x.x. Given the infected 32-bit ccleaner.exe executable for v5.33 was signed by Piriform with a valid digital certificate, whitelisted by Norton and then given full access through my firewall between 15-Aug-2017 and 13-Sep-2017, is there any way of determining if data from my computer was sent back to these rogue servers? _______________ ...and if anyone from Piriform is following this thread it might be helpful if you update the change log for CCleaner v5.34 at http://www.piriform.com/ccleaner/version-history. "Minor GUI improvements and bug fixes" doesn't really cut it for all the current 32-bit CCleaner Free v5.33 users who don't receive automatic updates and still haven't heard about this Floxif malware. ----------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free v5.34.6207

I believe I was one of the 32-bit CCleaner users infected by the Floxif malware that was bundled with the previous v5.33 installer but the new v5.34 installer does not appear to be removing all traces of this malware off my system. How do I ensure that sure that this malware has been completely removed, short of restoring my system to a state prior to 15-Aug-2017? _________________________________ Last week I posted in geekandglitter's thread Trojan.Rozena.Win32.59165 found by Zillya! about downloading two different installers for CCleaner Free v3.34 from the official Piriform site (cc_setup534.exe @ 9,954 KB versus the ccsetup534.exe @ 9,597 KB) but my post in that thread was deleted by one of the forum mods on 13-Sep-2017. I just read today's Piriform blog entry Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users as well as the bleepingcomputer article CCleaner Malware Incident - What You Need to Know and How to Remove about Piriform's infected 32-bit v5.33 installer. The bleepingcomputer article states that "The malware was embedded in the CCleaner executable itself. Updating CCleaner to v5.34 removes the old executable and the malware." I wiped CCleaner v5.34 (originally installed 13-Sep-207) off my system today with the Free Revo Uninstaller v2.0.3 (advanced mode) and reinstalled with a fresh copy of ccsetup534.exe downloaded from the Piriform site (http:// download.piriform.com/ccsetup534.exe @ 9,597 KB) but the Agomo registry entry at HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo still persists. Should I be deleting this Agomo registry entry manually, and what other registry entries and files might have been missed by the v5.34 installer? ----------- 32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free v5.34.6207

Just an update to let you know that the Download button for CCleaner Free at http://www.piriform.com/ccleaner/download is working correctly today and I was able to download the latest v5.15 installer (ccsetup515.exe) from that download page. The Download button now redirects me to http://www.piriform.com/ccleaner/download/standard. ------------ 32-bit Vista Home Premium SP2 * Firefox 44.0.2 * IE9 * NIS 2014 v. 21.7.0.11 * CCleaner Free 5.15.5513 HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

I'm having a similar problem downloading the CCleaner Free v5.15.5513 installer from your Download page with my 32-bit Vista machine. The download of the standard installer ccsetup515.exe from the Builds page at http://www.piriform.com/ccleaner/builds is successful. However, if I click the Download button at http://www.piriform.com/ccleaner/download, I get the following error in my default Firefox v44.0.2 browser when I'm redirected to http://download.piriform.com/ccsetup_515.exe . This XML file does not appear to have any style information associated with it. The document tree is shown below. <Error> <Code>NoSuchKey</Code> <Message>The specified key does not exist.</Message> <Key>ccsetup_515.exe</Key> <RequestId>A27872501A041977</RequestId> <HostId>bz9ugPUyoIrsfTumukeC/2sEftGl273vppXfCf6dDKf95pfXWnObBaGf9wBYFVw0Rsw3jNNADsU=</HostId> </Error> I also tried downloading from http://www.piriform.com/ccleaner/download with my IE9 browser, and when I'm redirected to http://download.piriform.com/ccsetup_515.exe I see the error HTTP 404 Not Found: The webpage cannot be found. Could the underscore in the name of the executable (i.e., ccsetup_515.exe) be the issue? Or perhaps a HTTP vs. HTTPS issue? ------------ 32-bit Vista Home Premium SP2 * Firefox 44.0.2 * IE9 * NIS 2014 v. 21.7.0.11 * CCleaner Free 5.14.5493 HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Here's an update on my progress with Piriform Support. Just FYI, enabling the "Stop VSS when defragmenting NTFS volume" option was also Piriform's first suggestion, so Willy2 was on the right rack even though I haven't found a solution yet. A. Vista Shadow Copies Running "vssadmin list shadowstorage" from an elevated command prompt shows that Vista has allocated a max. 30 GB for restore points on my 220 GB C:\ drive (see http://bertk.mvps.org/html/diskspacev.html for an explanation of how disk space is allocated by Vista). Each of my restore points occupies about 1.5 GB, and once I accrue around 20 restore points and max out my allocated space Vista will automatically delete the oldest restore point before it creates a new one. Here's a screenshot of my current disk allocation (6 restore points, 10 GB of 30 GB used): B. Full Disk Defrag with Defraggler - Volsnap Error 36 and All Restore Points Deleted (07-Mar-2015) When I run a full disk defrag with Defraggler with the Advanced option "Stop VSS when defragmenting NTFS volume" enabled (or disabled) I see a large drop in used disk space at the end of the defrag. At the same time a Volsnap error is logged in the Event Viewer under Windows Logs | System (Event ID 36 - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit). Here are screenshots for a Defraggler Defrag on 07-Mar-2014 showing 3 restore points before the defrag (4 GB of 30 GB used) and 0 restore points after the defrag. C. Full Disk Defrag with Windows Disk Defragmenter - No Volsnap Error, No Restore Points Deleted (11-Mar-2015) When I run a full disk defrag with Windows Disk Defragmenter (WDD) I typically see no change or a small increase in used disk space at the end of the defrag. There are no Volsnap errors logged in the Event Viewer and no restore points are deleted. Here are screenshots of a WDD defrag on 11-Mar-2014 showing 6 restore points before and after the defrag (7 GB of 30 GB used). Piriform Support have also been running test defrags with Vista. Their results show Used Shadow Copy disk space increasing over the course of a Defraggler full disk defrag even when VSS is disabled, and that the number of restore points deleted at the end of the defrag depends in part on the max. space allocated for restore points (which can be adjusted with a command similar to "vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=40GB"). Test results have been passed on to the developers and Piriform Support's last e-mail stated that "hopefully we will be able to have this fixed in a future version". In the mean time, I have serious concerns that Defraggler is wiping ALL restore points, including my latest restore point that might be needed if I had to do an emergency recovery, so I have decided to uninstall Defraggler from my Vista system and use Windows Disk Defragmenter for my disk defrags for now. ------------- MS Windows 32-bit Vista Home Premium SP2 * Firefox 36.0.1 * IE 9.0 * NIS 2014 v. 21.6.0.32 * Defraggler v. 2.18.945 HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Was an updated installer recently released for Speccy v. 1.28.709? The FileHippo App Manager notified me that an update was released for Speccy on 11-Mar-2015 even though I've had v. 1.28.709 installed on my system since since January 2015. There appears to be a small difference in the size of the two spsetup128.exe installers as well as different MD5 hashes: 23-Jan-2015: F5042B046AE92B0B0F978E65BC3CE62B (5,015 KB) 11-Mar-2015: 678AB0E8665345E72D11149A36F965BE (5,008 KB) There is nothing in the Speccy version history to indicate that the installer was modified so I assume it's a minor modification, but it's caused some confusion on the FileHippo site since the version numbers of both installers are identical. ------------- MS Windows 32-bit Vista Home Premium SP2 * Firefox 36.0.1 * IE 9.0 * NIS 2014 v. 21.6.0.32 * Speccy 1.28.709 HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Hi MrK: Thanks for your response, Just to clarify, all my restore points are only wiped by a full Defrag by Defraggler. This does not happen with a full defrag with my native Vista Windows Disk Defragmenter. If I monitor my Defraggler full Defrags, I can see the Status of the defrag slowly increasing from 0% to approx. 70% over a period of around 5 hours. Once the Status reaches approx. 70%, it rapidly jumps to 100% and I can see the blocks of disk space occupied by my restore points wiped and changed to free disk space. The Status then changes to Calculating Disk Performance and the Defrag finishes. If I then check with CCleaner (Tools | System Restore) I can confirm that all restore points, including the latest restore point that is normally greyed out and prevented from being deleted, have been wiped. I should also note that I've noticed a second bug on my system that occurs each time I update Defraggler. Specifically, Defraggler incorrectly reports that my disk is approx. 30% fragmented and all my restore points appear in the fragmented files list, despite the fact that the option to Exclude restore point files (Settings | Options | Advanced | Use custom fragmentation settings | Define) is enabled. Other users have reported this bug - see my posts in switch's thread System Volume Information "Exclude" Problem. I discovered a workaround for this problem that I must perform after every Defragger update - enable the option to Replace Windows Disk Defragmenter, close Defraggler, and disable the option again - and Defraggler will once again correctly report that I'm back to 1% fragmentation. I wouldn't be surprised if the two issues are somehow related, although the problem with restore points being wiped is new to v. 2.18.945. The KB299904 you referenced mentions circumstances where System Restore can be suspended even if the user has sufficient disk space but I've never heard of any instance where all restore points (especially the latest restore point) were deleted when more than 50% of the hard drive was free space. ------------- MS Windows 32-bit Vista Home Premium SP2 * Firefox 36.0.1 * IE 9.0 * NIS 2014 v. 21.6.0.32 * Defraggler v. 2.18.945 HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Hi Willy2: Firefox was closed when I ran the defrag. Idletime background tasks for my Norton AV were disabled. As noted in my original post, I have a 220 GB HD and approx. 130 GB is currently free so lack of free disk space should not be an issue. I used CCleaner to clean up my hard drive and deleted all but my last four restore points prior to the defrag. EDIT: I've submitted a request to Piriform Support, although I'm not sure if they will provide support for the free version of Defraggler. I'll report back if they have any suggestions. ------------- MS Windows 32-bit Vista Home Premium SP2 * Firefox 36.0 * IE 9.0 * NIS 2014 v. 21.6.0.32 * Defraggler v. 2.18.945 HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

I'm sorry, but after reading previous replies in this thread I'm still not clear if a full defrag by Defraggler v. 2.18.945 deliberately wipes every single restore point, including the user's latest (most recent) restore point when Settings | Options | Advanced | Stop VSS when defragmenting NTFS volume is disabled, as Willy2 has suggested. I tried another full defrag today with v. 2.18.945 and lost every single restore point again. This still sounds like a serious bug to me. ------------- MS Windows 32-bit Vista Home Premium SP2 * Firefox 36.0 * IE 9.0 * NIS 2014 v. 21.6.0.32 * Defraggler v. 2.18.945 HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Hi Willy2: Thank you for your feedback. Sorry, but I'm not sure where the setting is for "Wipe Free Space". If I highlight my C: drive after running the disk analysis to build my file list and then choose Action | Advanced from the main menu, I can see options for choosing "Defrag Freespace" or "Defrag Freespace (allow fragmentation)", but as far as I know Defraggler does not defrag my free disk space if I perform a standard full disk defrag. Over 50% of my C: drive is currrently free space. I could understand the logic of wiping my older restore points and leaving just my latest restore if I were short on drive space, but I've never heard of a defrag wiping every single restore point off a system. That sounds like an incredibly dangerous thing to do. The online Piriform documentation for the Advanced options tab states that the Stop VSS when defragmenting NTFS volume option "disables Volume Shadow Copy Service and Volume Snapshot Service whilst defragmentation is running. After defragmentation is complete, VSS is restarted." If leaving this option disabled deliberately wipes every single restore point off a system then users should be warned about this. I also have the free edition of CCleaner on my system and if I want to clean up my old restore points at Tools | System Restore, the latest restore point is always disabled for system safety so that I can't accidentally delete it. ------------- MS Windows 32-bit Vista Home Premium SP2 * Firefox 33.0 * IE 9.0 * NIS 2013 v. 20.5.0.28 * Defraggler v. 2.18.945 HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

I ran a full defrag with the latest free Defraggler v. 2.18.945 on my 32-bit Vista system yesterday and just as the defrag reached completion I noticed the used space on my 220 GB hard drive suddenly dropped from 110 GB to 82 GB. I checked my system restore points in CCleaner (Tools | System Restore) and discovered that every single restore point had been wiped, including my latest (most recent) restore point. I had checked my restore points before starting the full defrag and had cleaned out all but the last 5 restore points dating back to 29-Sep-2014. Approx 50% of my hard drive (110 GB) was free space prior to starting the full defrag so lack free space should not have been an issue. The Analyze Drive also reported that I had approx 3% fragmentation (excluding restore points) prior to the defrag. Please note that I use the default settings for defragging on the Options | Defrag and Options | Quick Defrag tabs. The following settings at Options | Advanced | Use custom fragmentation settings | Define are also enabled by default: Exclude restore point (enabled) Exclude hibernation file (enabled) I found a similar bug reported in Pat-2's thread Restore Points from 2010 regarding Defraggler v. 2.00.230 where several users reported loosing every single restore point after running a full defrag. I normally run Quick Defrags with Defraggler and have never had restore points wiped during a Quick Defrag. ------------- MS Windows 32-bit Vista Home Premium SP2 * Firefox 33.0 * IE 9.0 * NIS 2013 v. 20.5.0.28 * Defraggler v. 2.18.945 HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Hi rodot: Welcome to the Piriform forum. I still don't have a definite answer as to whether Windows Disk Defragmenter (dfrgntfs.exe on my 32-Vista OS) and Piriform's Defraggler (defraggler.exe) both use the exact same file placement algorithm. There is a Piriform support article here titled Why Defraggler is Safe to Use stating that Defraggler uses Window's internal API (Application Programming Interface), but I'm not certain if that means that operations for defragging and file placement like those described here in the Windows Dev Centre are coded identically in Defraggler. I still have the scheduler for automatic Windows Disk Defragmenter (WDD) defrags disabled on my system, and I still see WDD's dfrgntfs.exe running for 10 - 30 min during the occasional system idle, which I assume is the Windows background WDD optimization of system boot files I described in post # 5 that can only be disabled with a registry edit. I use Defraggler for disk fragmentation analysis and Quick Defrags, but I have the Defraggler setting at Options | Advanced | Windows Integration | Replace Windows Disk Defragmenter disabled so that I can run a full disk defrag with WDD a few times a year to ensure my Windows system files have their optimum disk placement for faster boot-ups. I don't know if that's necessary, but until I get a definitive answer from Piriform about how their file placement algorithm works I'll keep using WDD for my full disk defrags. ------------- Windows Vista Home Premium 32-bit SP2 * NIS v. 20.4.0.40 * CCleaner 4.08.4428 * Defraggler 2.16.809 HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400 GS

I updated to Defraggler v. 2.15.742 today (clean install) and had the same problem I described in post #18 of this thread. I disabled (unchecked) the option to Replace Windows Disk Defragmenter in the installation wizard, and Defraggler incorrectly displayed all my system restore points and reported that my disk was 33% fragmented. The same workaround - enabling the option to Replace Windows Disk Defragmenter, closing Defraggler, and disabling the option again - fixed the problem and I'm back to 1% fragmentation. ------------ MS Windows Vista Home Premium 32-bit SP2 * Firefox 23.0.1 * IE 9.0 * NIS 2013 v. 20.4.0.40 * Defraggler 2.15.742 HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Just posting an update to let everyone know that I had the same problem when I upgraded to Defraggler v. 2.15.741. I performed a clean install and disabled (unchecked) the option to Replace Windows Disk Defragmenter during the installation process. Multiple disk analyses with Defraggler incorrectly reported that my disk was 33% fragmented and all my system restore points appeared in the fragmented files list (see .jpg), despite the fact that the option to Exclude restore point files (Settings | Options | Advanced | Use custom fragmentation settings | Define) was enabled. Same fix as with v. 2.14.706 - I enabled the Replace Windows Disk Defragmenter option (Settings | Options | Advanced) and the next disk analysis correctly showed 1% disk fragmentation and the system restore points had disappeared from the fragmented file list. I then restarted Defraggler and disabled the Replace Windows Disk Defragmenter option (again) and everything works correctly - I'm back to 1% disk fragmentation with Replace Windows Disk Defragmenter disabled. I still don't know if this fix would work for anyone else, but at least it's consistent on my system. ------------ MS Windows Vista Home Premium 32-bit SP2 * Firefox 22.0 * IE 9.0 * NIS 2013 v. 20.4.0.40 * Defraggler 2.15.741 HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400 GS

DennisD / Alan_B: Thanks for your excellent advice and support. It would be great if switchs or other users having a similar problem excluding system restore points from their Defraggler drive analysis could post some feedback. I'm curious if anyone else with this problem is using a Vista OS or found that disabling/enabling the advanced Replace Windows Disk Defragmenter option fixed the problem. I'd be happy to post a summary of this thread in the Defraggler Bug Reporting subforum if anyone thinks this is a legitimate software bug. ------------ MS Windows Vista Home Premium 32-bit SP2 * Firefox 20.0.1 * IE 9.0 * NIS 2013 v. 20.3.1.22 * Defraggler 2.14.706 HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400 GS

Hi Alan_B: I think you might have isolated the problem. When I install Defraggler I always disable the following three options in the installation wizard: a) Add Defraggler menus to Windows Explorer, Replace Windows Disk Defragmenter c) Automatically check for updates to Defraggler I normally disable the Replace Windows Disk Defragmenter option since I usually do my full defrags with the built-in Windows Disk Defragmenter (WDD) (which I believe is dfrgntfs.exe on my 32-bit Vista OS) and only use Defraggler for quick defrags and defrags of individual files. So I ran two more tests with the standard "normal" Defraggler v. 2.14.706 installed on my hard drive. Trial 4: Standard Build Run with Replace Windows Disk Defragmenter Enabled (Checked) Success. I enabled the advanced option to Replace Windows Disk Defragmenter and the standard installation finally worked correctly (C: drive 1% fragmented, no restore points in the list of fragmented files). Trial 5: Standard Build Run with Replace Windows Disk Defragmenter Disabled (Unhecked) Success (unexpected). I then disabled the advanced option to Replace Windows Disk Defragmenter, expecting that % fragmentation would jump back up to 31%. Instead - the standard version continued to correctly report that my C: drive was 1% fragmented. I re-booted my system and the standard build of Defraggler is consistently reporting that C: drive is 1% fragmented, regardless of whether the Replace Windows Disk Defragmenter is disabled or enabled (which seems odd, but I'm not complaining). I'm going to permanently re-enable the Replace Windows Disk Defragmenter option and use Defraggler as my only defragger and hope that the problem doesn't re-appear. I should apologize for using the misleading phase "with default settings" in post # 10 when I was testing the portable build. In that post, I intended "default settings" to mean that "Exclude restore point file" was enabled under my advanced settings and that I had not manually added C:\System Volume Information\ folder to my list of excluded folders. ------------ MS Windows Vista Home Premium 32-bit SP2 * Firefox 20.0.1 * IE 9.0 * NIS 2013 v. 20.3.1.22 * Defraggler 2.14.706 HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400 GS