Apparent virus in version 2.32.1165

Sorry to make a virus report as my first post, but that is what I believe has happened.

Every time I run CCleaner version 2.32.1165, my antivirus software catches "trojan-relayer-jolleee". This is a very repeatable observation. Every time I run CCleaner, my antivirus software pops up with the Trojan in quarantine.

Trojan-Relayer-Jolleee is ranked as a high-risk virus. My antivirus software offers the following description: "Trojan-Relayer-Jolleee is a remore access Trojan that may allow a hacker to gain unrestriced access to your computer when you are online".

I believe I downloaded my version of CCleaner from File Hippo, though I am not certain.

Can anyone verify similar experience? Is Piriform aware of the issue, and is a clean copy of CCleaner available?



I uninstalled CCleaner, and downloaded directly from Piriform. This version appears to be free of the above mentioned Trojan.

That is strange.

What Antivirus are you using?

I understand panic when an A.V. reports a virus.

I do NOT understand why a virus reappears after it has been quarantined.

Did you let it out of quarantine yourself to see what it would do ?

Is your A.V. spectacularly useless at keeping the quarantine doors locked ?


and of course (so long as you did download it from File Hippo) please report the false postive to the Company that makers your antivirus (of which you've yet to reply with the Name)

I am using Webroot antivirus with spy sweeper.

And no.... I did not let the virus out after it went into quarantine. :rolleyes: I destroyed it every time it was captured.

I'll say up front that I do not know for certain what was happening. However, I have some good ideas.

What I do know is that the virus appeared consistently every time CCleaner was run.

I also know that after uninstalling CCleaner, and then reinstalling from the Piriform web site, the problem went away.

My supposition is that the version available on File Hippo was compromised. The compromised CCleaner tried to install the virus every time it was run, which is why Webroot flagged it even though it was previously destroyed.

Perhaps I should let the good folks over at File Hippo know? Or maybe the people from Piriform would carry more authority?

Interesting. It was repeatably demonstrated that the virus appeared whenever CCleaner was run, and the problem went away when CCleaner was reinstalled from an alternative source.

And yet you think this was a false positive on the part of the antivirus program? Your confidence in File Hippo appears unshakable.

It's probably because the download also included the toolbar, whereas on the site you can get a slim or portable build without the toolbar. is however an official download site for the software, along with

I also am getting the same result and am using "webroot AntiVirus" program. If you go to their website at

there is a full report on this issue.

In the ccleaner setting< i am using 'secure delete with 3 passes.' I wonder if this has anything to do with this issue.


It's a vanishingly small probability that this problem is caused by software settings in CCleaner.

Your (and my) Webroot AntiViris software recognized a serious threat. This is not some software incompatibility, nor is it something the users have done wrong.

It's a malicious piece of software someone deliberately installed into the CCleaner download from File Hippo. While I am not a hacker myself, I understand it's not terribly difficult to hack a web site. It's in the news often enough. I would guess someone hacked File Hippo and replaced the legitimate version of CCleaner with the hacked version.

Either that, or someone on the inside did it. Disgruntled worker, etc.

Do the Piriform people read this forum? As far as I know the compromised version remains available on File Hippo. This is a serious situation.

Do you believe in Webroot more than in 41 other AVs ? I don't. ;)

Exactly. It's just another false positive detection that any antivirus is capable of, and it isn't the first time and not the last by far.

Webroot just needs to update their signature files to remove the false positive, although I understand the concern of the op not wanting to use something the antivirus states is infected - which is why there's VirusTotal, Jotti's Malware Scan, and to verify if it's a false positive or not.

How then do you explain that the problem went away after I uninstalled the software, then reinstalled from a different source?

I did not make any changes to what I do or do not want installed.

You really think the signatures can be that easily confused? I'm surprised, but then I'm far from an expert on the subject.

Actually, here's a question: When you check the antivirus libraries of these different programs, is that particular virus listed?

There's a lot of them out there, and tests have shown a lot of divergence in antivirus software coverage.

Most likely you also got updated virus definitions from your AV provider at the same time, with the false positive removed.

As far as I know the compromised version remains available on File Hippo. This is a serious situation.

A compromised version is NOT available on filehippo.

I have unshakeable faith in FileHippo - but have just tested for your benefit.

I have downloaded CCleaner version 2.32.1165, both from Filehippo and from Piriform.

Both downloads had identical sizes of 3,387,040 bytes,

BUT FAR MORE CONVINCING a binary comparison tool found a perfect match in the contents, byte for byte.

The only potential compromise I have ignored is that of an Alternate Data Stream.

I know such things can exist, but have neither tools nor experience to detect any such infection.

Hopefully someone with more knowledge than I can comment on this.

I believe an A.D.S. infection at Filehippo is most unlikely.

It is far more probable that they had an infection when you downloaded, and they cured it by the time I downloaded.

It is far far far more likely that, as suggested by pwillener,

your A.V. gave a false positive which was fixed with a signature update between use of Filehippo and use of identical Piriform.

It would be nice if a hash checksum was quoted for every binary file - even MD5 is better than nowt ! !


Get rid of a crappy AV for s start.

Get rid of a crappy AV for s start.

Now now ident, I'm sure you can be a bit more diplomatic than that, in fact I expect you to be :)

I uninstalled ccleaner version 2.32.1165 using revo uninstaller, then installed a new downloaded version from Piniform and still had the same problem. Would anybody know if it's just Webroot that is finding this virus?


Read my post - I gave a VirusTotal link. ;)

I am having the same problem. About 3 months ago, CCleaner was setting off a false positive (in Webroot Internet Security) as it cleaning the cache files of Firefox. It was resolved after about 2 updates in CCleaner and Webroot. I use Malwarebytes' Anti-Malware for the double check. It showed no infection then and no infection for this latest false positive. I'll start a ticket at webroot site.
