We encourage all CCleaner users to download the latest version of CCleaner: here. We apologize and are taking extra measures to ensure this does not happen again.

For further information, please read the official announcements linked below.

Official Information

CCleaner v5.33 and CCleaner Cloud v1.07 Security FAQ

https://piriform.zendesk.com/hc/en-us/articles/115001699371

Piriform blog: Security Notification for CCleaner version 5.33.6162 (Monday, 18 September 2017)

Security Notification for a general audience.

http://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

Piriform blog: Security Notification with Technical Overview (Monday, 18 September 2017)

A similar announcement to the above, aimed at a technical audience and revealing technical details about the nature of compromise.

http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

Avast blog: Follow-Up Announcement by Avast CEO & CTO (Tuesday, 19 September 2017)

This blogpost confirms the timeline of events surrounding the detection, investigation and announcement of the compromise; what precautions we are advising customers to take and what information we are basing this on; and what precautions we are taking to ensure this does not happen again.

https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident

Avast blog: Investigation Progress Update #1 by Avast Threat Labs team (Thursday, 21 September 2017)

This blogpost reveals more information regarding the target of the attack and more technical details about how the compromise behaves.

https://blog.avast.com/progress-on-ccleaner-investigation

Avast blog: Investigation Progress Update #2 by Avast Threat Labs team (Thursday, 21 September 2017)

This second progress update explains why only part of the command & control server logs were recovered and provides yet deeper technical understanding of the way the malicious code was put together. It also shares some clues as to the identity of the perpetrators.

https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident

Avast blog: Investigation Progress Update #3 by Avast Threat Labs team (Monday, 25 September 2017)

This third progress confirms how many and which companies were specifically targeted by the attack and present a hypothesis on the origin of the perpetrator(s). The blogpost also contains a full list of IOCs (Indicators of Compromise - in this case a list of files whose existence show that a system has at one time been compromised by this attack).

https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident

Future announcements will be made on the Piriform and Avast blogs.

Piriform Software blog: https://www.piriform.com/news/blog

Avast Software blog: https://blog.avast.com/

Given that your now owned by a massive security company, Avast, are you going to release a tool that detects and removes the infection? That way any user of your software, can do a really quick check to see if you have accidentally infected them and get it removed.

Or if disinfection is not possible, then at least a tool to check if you are infected, so that way users can attempt to wind back to a previous state of Windows.

So the 64 bit version was not affected?

We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download.

So is updating to the new version enough to remove the problem, or do I need to do what people are suggesting and reinstall windows completely? it seems a bit over the top to reinstall windows, but I'll do it if necessary. thanks.

Oh good God, I had that version installed. Now I've got both Windows Defender and MalwareBytes scanning my system in full paranoid mode.

So is updating to the new version enough to remove the problem, or do I need to do what people are suggesting and reinstall windows completely? it seems a bit over the top to reinstall windows, but I'll do it if necessary. thanks.

Just get a better Antivirus and scan your PC/Laptop with Malwarebytes.

But this time most AVs should detect the issue

For more info read this link

Could you give some clarification on the installers and CPU architecture? Because a lot of sites including Piriform's, are mentioning that only the 32-bit version was affected. However, I also read a lot of reports about only one installer for both architectures being available. So wether you are on x86 or x64, the installer decides which package to install eventually. As a x64 user this kinda confuses me and now I'm not really sure if my system was infected or not.

Also it would be very decent if you could give some instructions to check if you were infected. For example, is the presence of mentioned registry keys a good indicator to check wether or not you were infected?

I learned of this attack more than an hour ago through an article a friend linked: https://www.forbes.com/sites/thomasbrewster/2017/09/18/ccleaner-cybersecurity-app-infected-with-backdoor/#1ef52507316a

Piriform: Can you please provide cryptographic hashes of the compromised installers and the infected CCleaner.exe binaries for versions of CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191 and list them on your security notification page (https://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users). Maybe MD5, SHA1, and SHA256.

Was it the installer or was it the executable that was affected?

How does this all tie in with a "spurious" version of Ccleaner being installed automatically on 15-Sep-17???

See this thread for more info:https://forum.piriform.com/index.php?showtopic=48859

How does this all tie in with a "spurious" version of Ccleaner being installed automatically on 15-Sep-17???

See this thread for more info:https://forum.piriform.com/index.php?showtopic=48859

We have a separate staff only discussion about it, and I gave a link very early this morning to your topic -- which instantly came to mind. If they obtain any information about that strange version you had that isn't in any change logs hopefully they'll post about it in here.

Hi all,

The only version affected is the 32-bit binary of CCleaner v5.33.6162. It was the application that was the issue, not the installer. If you’re using a 64-bit version of CCleaner, then you’re unaffected although we recommend updating to the latest version. There is also no effect to the Mac or Android versions.

At this time, we won’t be releasing a detection tool as the issue was in CCleaner itself, so uninstalling or updating the software removes the risk. You can download directly for free from here: www.piriform.com/ccleaner/download/standard

For those interested, the MD5 hash of the affected CCleaner.exe is: ef694b89ad7addb9a16bb6f26f1efaf7

Thanks - Tom

Hi, I have windows 10 64bit and use ccleaner 64bit. Today my antivirus Kaspersky 2017 and also Malwarebytes antimalware flagged the ccleaner 5.33 installer that I have in the document folder, is normal? and I ahve installed the 5.34 version the same day of release but today I do a verification of my 5.34 version of ccleaner with Kaspersky Application Advisor and I see the installer has Invalid Certificate but the application has valid certificate. Is correct?

I am not particularly knowledgeable on such situations.

I think those who have/may have installed the version identified have many questions. A few I can think of are:

1) Will updating to the latest software version remove the infected files? I assume it will as it were those particular files that were affected. However, what about the "2nd payload" mentioned in the blog post? Was this actually downloaded or just potentially could have been downloaded if set to do so? If it is downloaded somewhere, is it in a separate location as the files affected or in the same location and will it too be removed? Clarification on this would be good.

2) The blog post mentions it is the 32-bit version of Windows that is affected. From the above post I can see that it is the 32-bit version of the CCleaner software that is affected. I assume the 64-bit version isn't affected, however like the above post mentions, their ccsetup5.33 installer has been flagged (mine too). When I read one of the original articles I updated immediately as I had the affected version number in question, however I did not notice if I had the 64-bit or 32. It now says I have the 64-bit latest release. This may sound dumb, but I guess that the updater will not update to 64-bit from 32 and assume I had 64-bit before? If anyone could confirm that would be great.

3) Is there any information on what the 2nd payload did/was supposed to do? I guess what people really want to know is are all my passwords safe? Is my bank info safe? Do I need to change everything?

4) Is there anyway to tell if we were/are infected? Can we see if our PC's contacted this IP or downloaded anything from there? Will the latest updates to scanners detect anything? (See Q5)

5) I assume that all the security packages, malware scanners etc. are now aware of the situation and can scan for anything affected? I guess I should be checking their website for updates as well, but clarification on this would be good.

I realise some of these are probably dumb questions, but there maybe people out there who are in the same boat and would like information on this matter to sort the problem or alleviate their own fears.

Thanks

Today my antivirus Kaspersky 2017 and also Malwarebytes antimalware flagged the ccleaner 5.33 installer that I have in the document folder, is normal?

Yes, I also have that installer version saved and Malwarebytes is now showing it as infected with "nyetya".

(It didn't before so I guess MB have now blacklisted that installer, shows that they are on the ball).

Hello Piriform-Team,

i have Windows 10 64-bit installed. Furthermore i used the portable Version of CCleaner v5.33.6162. So in the original program folder there are both versions, 32 bit and 64 bit. I also worked with the 32-bit version as well, as i guess, no matter which of the both Exe-files i opened, CCleaner always switches to 64-bit mode.

In conclusion my question is: Am i affected by this issue with my 64-bit Windows 10, as i runned the 32-bit-Exe of CCleaner portable v5.33.6162?

Thanks,

Dennis2

@Tom Piriform: I get the fact that malware get's cleaned with an uninstall of CC but please confirm or deny that the presence of mentioned registry keys is a indicator to check wether or not you were infected?

Some of us want to know if we were infected!

When I installed the 64-bit v5.33.6162, the installer told me I had to reboot for the update. I found this extremely odd and questionable at the time since I've never been asked to reboot after a CCleaner update before...

I've updated to the latest version and can confirm that I have/had the 64-bit version, but what assurance do we have that this was solely impacting the 64-bit version?

The only version affected is the 32-bit binary of CCleaner v5.33.6162.

The problem is that on 64-bit systems the 32-bit binary is still part of the installation (there's a CCleaner.exe and a CCleaner64.exe). Here's my assumption so you can correct me if I'm wrong. When you launch CCleaner the CCleaner.exe (32-bit) file is the one that's initially started even on 64-bit systems which upon launch the CCleaner.exe (32-bit) binary detects that your system is a 64-bit OS, launches the CCleaner64.exe binary, and then the 32-bit version exits. So if my assumption is correct here it doesn't matter if the 32-bit binary was the only one that was infected, 64-bit OS or not... you're still going to become infected.

Heck, even the Scheduled Task that allows CCleaner to be auto-elevated without a UAC prompt is pointing to the CCleaner.exe (32-bit) binary.