Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191

@kpcannon if it does not work

go to piriform.com/ccleaner/builds

download the portable version

Copy ccleaner.exe and ccleaner64.exe from the zip to c:\Program Files\ccleaner (or wherever your ccleaner is if you customized the install path), overwriting the .33 files with .34.

Just searched for the hash and it comes up in searches, in particular:

* https://www.virustotal.com/en/file/36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9/analysis/

That is identified as ccleaner.exe, too. Why are there two bad ccleaner.exe's with different hashes and only one bad installer?

Just searched for the hash and it comes up in searches, in particular:

* https://www.virustotal.com/en/file/36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9/analysis/

That is identified as ccleaner.exe, too. Why are there two bad ccleaner.exe's with different hashes and only one bad installer?

Not sure I understand the last part of what you said. What "bad installer"? What are the two bad ccleaner.exe? Only 5.33 was affected.

Hello all!

My Avira antivirus today reported finding TR/RedCap.zioqa in ccleaner.exe and moved it to quarantine. I'm running the 64-bit version of CCleaner, installed it this September. I did a Malwarebytes scan after this, and it found no malware. I didn't use CCleaner for the past few days, so today, after receiving the notification about the trojan, I opened it and it notified me about the update, so I applied it. I also read the Avast blog about the security issue. I see that some people posted about having differently named malware in their systems. Is the TR/RedCap.zioqa just a different name for the same thing? Does that also mean that CCleaner is now OK and I don't need to do anything else?

Not sure I understand the last part of what you said. What "bad installer"? What are the two bad ccleaner.exe? Only 5.33 was affected.

There appear to be two files, identifiable by their hashes as compromised, the 5.33 version of ccleaner.exe and the installer ccsetup533.exe. But there are three hashes given, with two different values for ccleaner.exe.

I see that some people posted about having differently named malware in their systems. Is the TR/RedCap.zioqa just a different name for the same thing? Does that also mean that CCleaner is now ok and I don't need to do anything else?

Different anti-virus/anti-malware vendors will give the same infection a different name for the detection, so it's not universally named between different vendors.

OK, thanks!

Hi all,

The only version affected is the 32-bit binary of CCleaner v5.33.6162. It was the application that was the issue, not the installer. If you’re using a 64-bit version of CCleaner, then you’re unaffected although we recommend updating to the latest version. There is also no effect to the Mac or Android versions.

At this time, we won’t be releasing a detection tool as the issue was in CCleaner itself, so uninstalling or updating the software removes the risk. You can download directly for free from here: www.piriform.com/ccleaner/download/standard

For those interested, the MD5 hash of the affected CCleaner.exe is: ef694b89ad7addb9a16bb6f26f1efaf7

Thanks - Tom

I have a file called ccsetup533.exe which was downloaded on 08 Sep 17 with these hashes as computed by NirSoft's HashMyFiles.

md5: 75735db7291a19329190757437bdb847

sha256:1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff

Avast alarms on this file and also on the slim version and the portable version downloaded the same date.

Just an FYI.

Avast (owner of Piriform's CCleaner) published this timeline of events...

https://www.bleepingcomputer.com/news/security/avast-clarifies-details-surrounding-ccleaner-malware-incident/

July 3 - Evidence suggests hackers breached Piriform's IT systems.

July 18 - Avast decides to buy Piriform, the company behind CCleaner.

August 15 - Piriform, now part of Avast, releases CCleaner 5.33. The 32-bit version (CCleaner 5.33.6162) included the Floxif trojan.

August 20 and 21 - Morphisec’s security product detects first instances of malicious activity (malware was collecting device details and sending the data to a remote server), but Morphisec does not notify Avast.

August 24 - Piriform releases CCleaner Cloud v1.07.3191 that also includes the Floxif trojan.

September 11 - Morphisec customers share detection logs detailing CCleaner-related malicious activity with the company’s engineers.

September 12 - Morphisec notifies Avast and Cisco of the suspicious CCleaner activity. Avast starts its own investigation and also notifies US law enforcement. Cisco also starts its own investigation.

September 14 - Cisco notifies Avast of its own findings.

September ?? - Cisco had registered, in the meantime, all the domains that the malware would have used in the future to determine and calculate the C&C server IP address.

September 15 - Following a collaboration between Avast and law enforcement, the malware’s C&C server was taken down.

September 15 - Avast releases CCleaner 5.34 and CCleaner Cloud 1.07.3214 that remove the Floxif malware.

September 18 - CCleaner incident becomes public following Cisco, Morphisec, and Avast/Piriform reports.

Good morning all. Apologies for the lack of communication. I hope that you can understand that it's been an incredibly busy time for our Customer Support team and given how quickly we identified the issue and made the announcement, we didn't have time to arrange extra support.

I'm going to attempt to answer a couple of the main questions that you all have. I would like to ask that if you have more questions, please read our blog post before asking as this may enable you to find the answer first :) You can find this here: http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

In addition to this, I'm not able to provide any more information than what is in any of the Piriform/Avast public statements although I can clarify the points to help with confusion.

The main question that people are asking seems to be "Am I affected if I'm using the 64-bit, what happens because the 32-bit is installed? What happens if I ran the 32-bit version?"

The answer to this is that no matter which .exe you run, if 64-bit can be run on your machine, it will be the one that runs. Opening the 32-bit will just launch the 64-bit version so you really shouldn't worry.

"Is the Pro or slim affected"

Any version with the number 5.33.6162 is affected. This includes Free, Slim, Portable, Pro, Business and Technician Edition.

You're also asking "Am I still infected?"

Well, the problem was in the CCleaner.exe. This means that if you've removed this version then you're no longer at risk. In addition, as stated previously, the remote server has been shut down, which means that even if the infected application is trying to communicate, it can't. That being said, we're still encouraging everyone to update to the latest version. You can download this here: www.piriform.com/ccleaner/download/standard

I hope this clears things up a little.

Thanks - Tom

Edit to add: Please note that it is only CCleaner and CCleaner Cloud that were affected by this. Speccy, Defraggler, Recuva, CCleaner Network and CCleaner Android are unaffected.

edit: When I open the program it clearly shows "(64-bit)" after the version. So I am indeed running the 64-bit version yet I was infected. You need to immediately retract your statement that only 32-bit systems were infected.

If this trojan was only included in the 32-bit download of 5.33 someone please explain why ALL of my 64-bit systems were infected? My 64-bit systems are monitored and cleaned regularly. Yesterday, every one of them showed the Floxif trojan.

I think someone needs to reevaluate what information is being put out as you are falsely implying people were not compromised when they clearly were.

edit: I see posts saying that even if the 32-bit version is downloaded, it should run 64-bit when executed and therefore there would not have been an infection. As I stated all of my systems are 64-bit yet I was infected. I download my CCleaner direct from Piriform. Am I not getting the correct version for my systems? I don’t see multiple versions.

The main question that people are asking seems to be "Am I affected if I'm using the 64-bit, what happens because the 32-bit is installed? What happens if I ran the 32-bit version?"

The answer to this is that no matter which .exe you run, if 64-bit can be run on your machine, it will be the one that runs. Opening the 32-bit will just launch the 64-bit version so you really shouldn't worry.

Like I said, all my systems are 64-bit and ALL were infected. So clearly there is something not right with either your program or your thinking the 64-bit version was safe.

This is where I download the program. I see no 32 or 64-bit options.

https://www.piriform.com/ccleaner/download or https://www.piriform.com/ccleaner

Bru20,

Your antivirus found the Trojan, which is ccleaner5.33.exe. Even if you have 64-bit, in the program folder there is ccleaner5.33.exe and 5.3364.exe. Do you have the registry key Agomo? If there is, you are really infected. Do you have the installer? The antivirus can mark this as a compromised object.

Hi again,

Your anti-virus will flag this regardless of whether you're running the 32-bit or 64-bit version, as it is the entire version that has been blacklisted. There are no options when you download; CCleaner runs the correct version for your PC.

Tom

Bru20,

Your antivirus found the Trojan, which is ccleaner5.33.exe. Even if you have 64-bit, in the program folder there is ccleaner5.33.exe and 5.3364.exe. Do you have the registry key Agomo? If there is, you are really infected. Do you have the installer? The antivirus can mark this as a compromised object.

I cleaned the Trojan. When I check the Registry I see no "Agomo".

Hi again,

Your anti-virus will flag this regardless of whether you're running the 32-bit or 64-bit version, as it is the entire version that has been blacklisted. There are no options when you download; CCleaner runs the correct version for your PC.

Tom

If I am understanding correct you are saying my AV flagged this trojan because the entire version was blacklisted. Yet because I am running the 64-bit my system was not infected. So you are telling me to ignore my AV and be assured I am not infected. Sorry, but that's a big leap of faith you are asking me to take.

Hi,

I've suggested already to everyone that you download the latest version which we know to be clean and not use version 5.33, even if it is 64-bit. You can download the latest CCleaner here: www.piriform.com/ccleaner/download/standard

Thanks.

I've run full scans with everything I can think to scan with on my system (ClamWin, Panda, Malwarebytes, Zemana AntiMalware, anti-rootkit, etc.) and nothing was found -- even though I had previously used that infected 5.33 version up until 5.34 was released, which I started using on the same day it was released, 12 September 2017.

So the burning question I have is if that registry key HKLM\SOFTWARE\Piriform\Agomo doesn't exist on my system and no infections were found (since some malware likes to download and install other malware) should my system be deemed clean?
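A triage script for the checks discussed in this thread (the 5.33 version string, the MD5/SHA256 values quoted in earlier posts, and the HKLM\SOFTWARE\Piriform\Agomo key). It is an added example, not Piriform or Avast code; the install paths and the use of the major/minor fields of the file version are assumptions.

```powershell
# Added example (not Piriform/Avast code): triage a Windows host for the CCleaner 5.33
# indicators quoted in this thread. Install paths below are assumptions.
$AffectedMajor = 5; $AffectedMinor = 33          # v5.33.6162 is the affected build
$RegKey = 'HKLM:\SOFTWARE\Piriform\Agomo'        # key the thread uses as the "it ran" sign

# Hashes quoted in the thread: ccleaner.exe 5.33 (MD5/SHA256) and ccsetup533.exe
$BadMd5 = @('ef694b89ad7addb9a16bb6f26f1efaf7', '75735db7291a19329190757437bdb847')
$BadSha256 = @(
    '36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9',
    '1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff'
)

function Test-CCleanerIndicators {
    param([string[]]$Paths = @(
        "$env:ProgramFiles\CCleaner\CCleaner.exe",
        "$env:ProgramFiles\CCleaner\CCleaner64.exe",
        "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"))
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $vi  = (Get-Item -LiteralPath $p).VersionInfo
        $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash.ToLower()
        $sha = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            Path            = $p
            FileVersion     = $vi.FileVersion
            # coarse major.minor check (assumed layout); the hash match is the precise one
            AffectedVersion = ($vi.FileMajorPart -eq $AffectedMajor -and
                               $vi.FileMinorPart -eq $AffectedMinor)
            KnownBadHash    = ($BadMd5 -contains $md5) -or ($BadSha256 -contains $sha)
        }
    }
}

$results = @(Test-CCleanerIndicators)
$results | Format-Table Path, FileVersion, AffectedVersion, KnownBadHash -AutoSize

if ($results | Where-Object { $_.AffectedVersion -or $_.KnownBadHash }) {
    Write-Warning "CCleaner 5.33 binary or known-bad hash present: update to the latest version."
}
if (Test-Path -LiteralPath $RegKey) {
    Write-Warning "$RegKey exists: the thread treats this as a sign the backdoor ran on this host."
} else {
    Write-Output "No $RegKey key found."
}
```

Run it from an elevated PowerShell so the HKLM key and Program Files paths are readable; a clean result here matches the "update and move on" guidance Avast gives later in the thread, not a full forensic verdict.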

Hi Andavari,

Have you read this: https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident ?

In that blogpost there is a quote from the CTO of Avast that says:

Some media reports suggest that the affected systems needed to be restored to a pre-August 15th state or reinstalled/rebuilt. We do not believe this is necessary. About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary. Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary. By similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer.
Customers are advised to update to the latest version of CCleaner, which will remove the backdoor code from their systems. As of now, CCleaner 5.33 users are receiving a notification advising them to perform the update.

Further to this, and touching on some of the requests in this thread, a new version (5.35.6210) has been released on the Piriform website signed with new certificates:

http://www.piriform.com/news/release-announcements/2017/9/20/ccleaner-v535

Lastly, I'd like to apologise for the communication thus far. Things have been moving very quickly and our focus has been on getting out security updates. We'll endeavour to make the information we have more visible. In the meantime, I'd encourage everyone to keep an eye on the CCleaner and Avast blogs:

CCleaner blog: https://www.piriform.com/news/blog

Avast blog: https://blog.avast.com/

I am currently more angry with my antivirus software than Piriform, who were the victim after all.
ESET, Kaspersky, Avira, Malwarebytes and others were not able to detect the unusual behavior of the program, so why are they supposed to exist?
If Piriform had not made it public, the big "security" companies would not know.

Just did. Based upon that information, and all the full system scanning I've done my system is clean.

I am currently more angry with my antivirus software than Piriform, who were the victim after all.
ESET, Kaspersky, Avira, Malwarebytes and others were not able to detect the unusual behavior of the program, so why are they supposed to exist?
If Piriform had not made it public, the big "security" companies would not know.

The problem with most antivirus and anti-malware software is, if they do not know about it, then how can they protect you?

ESET detected the issue link