Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191

There is a fundamental issue here that has not been addressed. The hacked version was signed with the Piriform private key, was it not? If so, the hackers had access to that private key. Either this was an inside job, or Piriform was compromised to the extent that the hackers got access to the private key. Either is catastrophic.

A more plausible scenario: this wasn't a hack at all, but instead an intentional move on Avast's part to collect configuration data.

All bad! Won't be using it anymore... uninstalled.

The problem is that on 64-bit systems the 32-bit binary is still part of the installation (there's a CCleaner.exe and a CCleaner64.exe). Here's my assumption so you can correct me if I'm wrong. When you launch CCleaner, the CCleaner.exe (32-bit) file is the one that's initially started, even on 64-bit systems. Upon launch, the CCleaner.exe (32-bit) binary detects that your system is a 64-bit OS, launches the CCleaner64.exe binary, and then the 32-bit version exits. So if my assumption is correct, it doesn't matter that the 32-bit binary was the only one infected; 64-bit OS or not, you're still going to become infected.

Heck, even the Scheduled Task that allows CCleaner to be auto-elevated without a UAC prompt is pointing to the CCleaner.exe (32-bit) binary.

I'm still not comfortable with their claim that 64-bit systems are uncompromised. The fact that the installer has this Trojan lurking around doesn't make me feel any better. MWB result attached.


If you guys feel like you are at risk on 64-bit versions, then you can go ahead and download the 5.34 version too. That version is also for 64-bit, not just for 32-bit.

If you guys feel like you are at risk, then you should scan with an anti-virus. Try Avast, Malwarebytes, and AdwCleaner and see if anything comes out.

Lastly, why would Avast try to trash one of their own products, then make a post about it? If they were really going to go to those lengths, I am sure they would have done it far more stealthily.

We have a separate staff only discussion about it, and I gave a link very early this morning to your topic -- which instantly came to mind. If they obtain any information about that strange version you had that isn't in any change logs hopefully they'll post about it in here.

I have added a bit more information to my thread at: https://forum.piriform.com/index.php?showtopic=48859

Here's my assumption so you can correct me if I'm wrong.

That's easy enough to test,

Go to the CCleaner folder and delete CCleaner.exe, just leaving CCleaner64.exe.

Then launch CCleaner from the desktop or taskbar.

It still runs even without the 32-bit exe being there at all.

So I would say the assumption is wrong.

You do know that Cisco (talosintelligence.com) is spreading lies and misinformation about this, right? (In the comments, specifically Craig Williams.) Craig Williams at the blog http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html is telling people the only way to recover from this is a complete format, and of course to download their software afterwards. When I tried to post how easy this was to fix he would not approve my posts, and when I took it to Twitter he blocked me without reply. You want a suspect with know-how and motive, but who would not cause lots of damage, so that if they got caught it wouldn't send anyone to jail? Hmmmmmmm... and right after you're bought by Avast...

Seriously though, barring that insane? thought, they really are spreading lies and hysteria about this.

Craig Williams, September 18, 2017 at 9:50 AM

Uninstalling the tool will not remove the malware. To remove the malware you should restore from a previous backup that is known to be clean or try a virus removal tool.

Is CCleaner Pro (32 bit) also affected?

That's easy enough to test,

Go to the CCleaner folder and delete CCleaner.exe, just leaving CCleaner64.exe.

Then launch CCleaner from the desktop or taskbar.

It still runs even without the 32-bit exe being there at all.

So I would say the assumption is wrong.

Doing that does break the auto-elevation process though.
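Checking which binary an elevated scheduled task actually launches, as an added example (this is not Piriform's code and not code from anyone in this thread): the script parses Task Scheduler XML in the form printed by `schtasks /Query /TN "<task name>" /XML` and reports every `Exec` action whose command is the 32-bit CCleaner.exe rather than CCleaner64.exe, together with whether the task runs at the HighestAvailable run level (the setting behind the no-UAC-prompt launch). The embedded XML is a constructed sample; the install path, user SID, argument placeholder and the task name passed on the command line are assumptions.

```python
"""Report scheduled tasks that launch the 32-bit CCleaner.exe with elevation.

Added example (not Piriform's code). Input is Task Scheduler XML as produced by
`schtasks /Query /TN "<task name>" /XML`; the sample below is constructed.
"""
import ntpath
import re
import subprocess
import sys
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample shaped like a CCleaner auto-elevation task. The install
# path, SID and argument placeholder are assumptions for illustration.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-21-1111-2222-3333-1001</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\CCleaner\\CCleaner.exe</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def parse_task(xml_text):
    """Return the task's run level and its (command, arguments) Exec actions."""
    # schtasks emits an encoding="UTF-16" declaration; ElementTree refuses it
    # when fed a str, so drop the declaration before parsing.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel",
                              default="LeastPrivilege", namespaces=NS)
    actions = [(ex.findtext("t:Command", default="", namespaces=NS),
                ex.findtext("t:Arguments", default="", namespaces=NS))
               for ex in root.findall("t:Actions/t:Exec", NS)]
    return {"run_level": run_level, "actions": actions}


def launched_binary(command):
    """Basename of the executable an action runs, quotes stripped, lowercased.

    ntpath is used so Windows separators are handled even when exported XML is
    analysed on another OS.
    """
    return ntpath.basename(command.strip().strip('"')).lower()


def flag_ccleaner_task(task):
    """List (command, elevated) for actions that run the 32-bit CCleaner.exe."""
    elevated = task["run_level"] == "HighestAvailable"
    return [(cmd, elevated) for cmd, _args in task["actions"]
            if launched_binary(cmd) == "ccleaner.exe"]


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.platform == "win32":
        # Export the task named by the operator and analyse it.
        xml_text = subprocess.run(["schtasks", "/Query", "/TN", sys.argv[1], "/XML"],
                                  capture_output=True, text=True, check=True).stdout
    else:
        xml_text = SAMPLE_TASK_XML
    for cmd, elevated in flag_ccleaner_task(parse_task(xml_text)):
        print(f"32-bit CCleaner.exe launched by task: {cmd} (elevated={elevated})")
```

Run with no arguments to see the constructed sample flagged; on Windows, pass the task name to analyse the real task. Deleting CCleaner.exe, as described above, would leave such a task pointing at a missing file, which matches the observation that the shortcut still works but auto-elevation breaks.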

I am not particularly knowledgeable on such situations.

I think those who have/may have installed the version identified have many questions. A few I can think of are:

1) Will updating to the latest software version remove the infected files? I assume it will, as it was those particular files that were affected. However, what about the "2nd payload" mentioned in the blog post? Was this actually downloaded, or just potentially could have been downloaded if set to do so? If it is downloaded somewhere, is it in a separate location from the files affected or in the same location, and will it too be removed? Clarification on this would be good.

2) The blog post mentions it is the 32-bit version of Windows that is affected. From the above post I can see that it is the 32-bit version of the CCleaner software that is affected. I assume the 64-bit version isn't affected, however like the above post mentions, their ccsetup5.33 installer has been flagged (mine too). When I read one of the original articles I updated immediately as I had the affected version number in question, however I did not notice if I had the 64-bit or 32. It now says I have the 64-bit latest release. This may sound dumb, but I guess that the updater will not update to 64-bit from 32 and assume I had 64-bit before? If anyone could confirm that would be great.

3) Is there any information on what the 2nd payload did/was supposed to do? I guess what people really want to know is are all my passwords safe? Is my bank info safe? Do I need to change everything?

4) Is there any way to tell if we were/are infected? Can we see if our PCs contacted this IP or downloaded anything from there? Will the latest updates to scanners detect anything? (See Q5)

5) I assume that all the security packages, malware scanners etc. are now aware of the situation and can scan for anything affected? I guess I should be checking their website for updates as well, but clarification on this would be good.

I realise some of these are probably dumb questions, but there may be people out there who are in the same boat and would like information on this matter to sort the problem or alleviate their own fears.

Thanks

All pertinent questions that I think many users would like to see answered.

What happens to the malware when I uninstall CCleaner? I uninstalled CCleaner a week ago because of how rarely I used the program. I don't have a restore point from a week ago to check what version of CCleaner I was using.

Is there any way to check if I was affected by the malware? Will Malwarebytes detect the malware when CCleaner was uninstalled?

Update: I realized I had CCleaner64.exe(64bit).

Malwarebytes is calling it Trojan.Floxif.

Malwarebytes does not show I was infected, just that the file CCleaner 5.33 was or is.

Your ad states "trusted by millions"; I say not anymore!

Also, clean up your act: your Google+ page is advertising 5.33.

Thanks piriform.

Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 9/19/17
Scan Time: 9:00 AM
Log File:
Administrator: Yes
-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2837
License: Premium
-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: System
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 264945
Threats Detected: 2
Threats Quarantined: 2
Time Elapsed: 3 min, 53 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\PIRIFORM\AGOMO, Quarantined, [8823], [436394],1.0.2837
Registry Value: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\PIRIFORM\AGOMO|TCID, Quarantined, [8823], [436394],1.0.2837
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 0
(No malicious items detected)
Physical Sector: 0
(No malicious items detected)
(end)

32-bit; updated CCleaner one week ago to the hacked version. Currently running the new updated version, but I'm concerned now that, after running the hacked version several times last week, my info is leaked. I do not believe that reinstalling an older version from prior to Aug 15 will accomplish a satisfactory outcome if current details have already been compromised. Correct me if I'm wrong, but previous scanning with Malwarebytes and Kaspersky programs would not have picked up this threat until they were advised of this threat?

Advice on where to go from here would be much appreciated, Piriform.

Following is a report from scan today on a 64 bit windows 7 desktop. Is this the bugger in question? (see last few lines)
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 9/18/17
Scan Time: 3:45 PM
Log File: 01d0e806-9cc3-11e7-b5b0-00ff5b689eef.json
Administrator: Yes
-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.188
Update Package Version: 1.0.2836
License: Trial
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: MININT-LHEJISC\Office
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 319242
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 4 min, 36 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 1
Trojan.Floxif, C:\USERS\OFFICE\DOWNLOADS\CCLEANER_V5.33.6162.EXE, Quarantined, [8820], [436382],1.0.2836
Physical Sector: 0
(No malicious items detected)
(end)
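The two Malwarebytes logs in this thread show two different situations: the first (32-bit Windows 7) has a registry trace under HKLM\SOFTWARE\PIRIFORM\AGOMO, the second (64-bit Windows 7) only a hit on the downloaded installer in Downloads. Per the Talos write-up linked earlier, the Agomo key and its TCID value are created by the implanted code when the trojanised CCleaner.exe runs, so a registry trace means the binary executed on that host, whereas a file-only hit means the infected installer or binary was on disk. The script below, added here as an example and not code from Piriform, Malwarebytes or anyone in this thread, parses the log layout posted above and applies exactly that distinction. The embedded logs are trimmed copies of the two posted above (header lines dropped, the -Scan Details- records kept verbatim); the file-name heuristic in describe_file is an assumption.

```python
"""Triage Malwarebytes 3.x text logs for CCleaner 5.33 / Trojan.Floxif indicators.

Added example; not code from Piriform, Malwarebytes or this thread. It parses
the log layout posted in the thread and separates a registry trace (the
implant ran) from a file-only hit (an infected installer or binary on disk).
"""
import ntpath
import re
import sys

# Created by the implanted code at runtime (per the Talos write-up); a hit here
# means the trojanised CCleaner.exe actually executed on the host.
AGOMO_KEY = r"HKLM\SOFTWARE\PIRIFORM\AGOMO"
CATEGORY_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")   # e.g. "Registry Key: 1"

# Constructed samples: trimmed from the two logs posted in the thread.
LOG_32BIT_WIN7 = r"""-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
-Scan Details-
Process: 0
(No malicious items detected)
Registry Key: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\PIRIFORM\AGOMO, Quarantined, [8823], [436394],1.0.2837
Registry Value: 1
Trojan.Floxif.Trace, HKLM\SOFTWARE\PIRIFORM\AGOMO|TCID, Quarantined, [8823], [436394],1.0.2837
File: 0
(No malicious items detected)
(end)
"""

LOG_64BIT_WIN7 = r"""-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
-Scan Details-
Registry Key: 0
(No malicious items detected)
File: 1
Trojan.Floxif, C:\USERS\OFFICE\DOWNLOADS\CCLEANER_V5.33.6162.EXE, Quarantined, [8820], [436382],1.0.2836
(end)
"""


def parse_detections(log_text):
    """Return (category, name, location, action) tuples from -Scan Details-."""
    detections, category, in_details = [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "-Scan Details-":
            in_details = True
            continue
        if not in_details or not line or line.startswith("("):
            continue                      # headers, blanks, "(No malicious ...)", "(end)"
        m = CATEGORY_RE.match(line)
        if m:
            category = m.group(1)
            continue
        parts = line.split(", ")          # name, location, action, [id], [id],version
        if len(parts) < 5:
            continue                      # not a detection record
        detections.append((category, parts[0], ", ".join(parts[1:-3]), parts[-3]))
    return detections


def triage(log_text):
    """Classify one log as 'executed', 'on-disk' or 'clean', with its evidence."""
    evidence = [d for d in parse_detections(log_text)
                if d[1].lower().startswith("trojan.floxif")]
    ran = [d for d in evidence
           if d[0] in ("Registry Key", "Registry Value")
           and d[2].upper().startswith(AGOMO_KEY)]
    files = [d for d in evidence if d[0] == "File"]
    if ran:
        return "executed", evidence
    if files:
        return "on-disk", evidence
    return "clean", evidence


def describe_file(location):
    """Installed binary vs. a downloaded installer, judged from the file name (assumption)."""
    name = ntpath.basename(location).lower()
    if name in ("ccleaner.exe", "ccleaner64.exe"):
        return "installed binary"
    return "installer/download"


if __name__ == "__main__":
    logs = {"32-bit sample": LOG_32BIT_WIN7, "64-bit sample": LOG_64BIT_WIN7}
    for path in sys.argv[1:]:             # real logs exported from Malwarebytes
        with open(path, encoding="utf-8", errors="replace") as fh:
            logs[path] = fh.read()
    for label, text in logs.items():
        verdict, evidence = triage(text)
        print(f"{label}: {verdict}")
        for category, name, location, action in evidence:
            extra = f" ({describe_file(location)})" if category == "File" else ""
            print(f"  {category}: {name} at {location} [{action}]{extra}")
```

Run with no arguments to triage the two embedded samples, or pass paths to exported Malwarebytes text logs. An "on-disk" verdict from a scan taken after CCleaner was already updated or uninstalled says nothing about whether the old binary was run earlier; the registry trace is the evidence to look for in that case.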
One of my many PCs (an old 32-bit Windows 10 tablet) was infected.
I was able to use Malwarebytes to remove the infection, and all other scans with RKill, JRT, AdwCleaner, and Defender are all showing up as clean (run multiple times after resets etc.). I have also uninstalled CCleaner on this tablet.

Now my question is: what should I do next?

The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA

Based on the information above:

  • Should I be concerned that any logins and passwords for websites or apps (for example Microsoft account login, Steam, Origin, Netflix, Skype, etc.) may be compromised due to this infection?
  • Was it only the infected PC's local network card MAC address that was leaked, or did it also grab the MAC addresses of all the PCs connected on my network?
  • What is the probability of other PCs on my network (which did not have the affected CCleaner) having been compromised just because they are on my network with this one infected tablet?
  • Should I manually change all the MAC addresses on all my network-attached devices because of this?
  • Finally, what can a malicious entity do with the type of information collected due to this infection?
Thanks for any help you guys can share on this issue.
Really sucks that I have to deal with this problem now, all because of one stupid old 32-bit Windows 10 tablet.

Some news I'd not yet seen in this thread. The server which was receiving the stolen data is now down. Source: http://time.com/4946576/ccleaner-malware-hack

Edit: it was buried in the first post just didn't catch it I guess.

Is it me, or am I totally wrong in my approach? CCleaner has been one of several programs used in my arsenal for the sole purpose of attaining and/or achieving as much privacy and security as reasonably possible.

CCleaner usage assists in both cleaning and deleting web history and remnants of computer usage, and now further too, being recently acquired by Avast, who positions itself as an IT security provider.

Very ironic that now, of all times, we find that CCleaner has been hacked with a trojan. How incredible is that? But wait, it's only purported to be approx. 3% of the millions of users who have trusted CCleaner and Piriform.

I purposely chose to continue with Win 7 until its final death due to its stability and the failing issues with upgrades 8, 8.1, 10 from Microsoft; the same was said for CCleaner, until now.

Performance gives credibility and integrity to suppliers, not waiting 5 days or more to notify users via a back door, not to mention the fact that millions of worldwide computer users are NOT all totally knowledgeable of the IT world.

At this point I would welcome a clear and definite answer (have my details been leaked?) and what procedures I should further take now, other than a full scan for malware.

Would you please post if the Slim version was affected?

Would you please post if the Slim version was affected?
It sounds like it would be, as well as the portable; the malware was in the ccleaner.exe itself, and that file is the same in all three builds.

Thank you. And now the most important clarification question: even though both CCleaner64.exe and CCleaner.exe are installed on 64-bit systems, if only the CCleaner desktop shortcut was used, which always points to CCleaner64.exe, then that would mean that CCleaner.exe was never run; therefore really the only systems affected are 32-bit-only systems, since it's highly unlikely that someone would go out of their way and actually manually run CCleaner.exe instead of CCleaner64.exe on a 64-bit system. Is that correct?

Because then most of us on 64-bit systems have nothing to worry about, even if we installed the infected version, since the non-64-bit exe was never run. It was installed, but never run, unless we manually went into the folder to run it. And who would do that on a 64-bit system? Almost no one. Correct?

Usually the desktop shortcut points to ccleaner.exe, which hands it off to ccleaner64. While we've not been informed whether the hand-off happens before or after the malware loads, the staff (volunteer moderators) are speaking with Admins (Piriform employees like Tom (OP)) in a separate place