Jump to content
CCleaner Community Forums
bazzaman

"Strange" version of CCleaner appeared on PCs without warning

Recommended Posts

I have 2 PCs (desktop and lappie), both running Win7 32 bit, with Chrome. Both had Ccleaner (free) installed (5.33.3162) and automatic checking for updates turned off.

 

Yesterday both machines suddenly and without any warning got updated to 5.33.3163. I quickly noticed this because my shortcuts to Ccleaner (on Quick Launch bar) lost their Ccleaner icons and stopped working.

 

Being concerned I uploaded the updated 5.33.3163 Ccleaner.exe to virustotal.com (no issues found).

 

I also checked the Ccleaner version history ( https://www.piriform.com/ccleaner/version-history ) - no mention of 5.33.3163.

 

I also happened to notice that Chrome had been updated around the same time. So this got me wondering whether Piriform have somehow got into cahoots with Google and Chrome is now installing (or at least updating) versions of Ccleaner without any warning or notification?

 

Intriguingly, the Chrome version updated to was 61.0.3163.91 - i.e. also including the digit sequence 3163

 

I got round it in the end by downloading 5.34.6207, disconnecting from Internet, restoring a system partition image, installing 5.34.6207 and then reconnecting to the Internet. But will Chrome (if it is the culprit) continue to update Ccleaner in future?

 

Can anyone shed more light please?

Share this post


Link to post
Share on other sites

Can you please include a link to the virus total result please.

 

Sorry, I didn't keep a link or the file hash and I no longer have the file on my system. Haveing looked on virustotal, there doesn't seem to be an ability to search by file name

 

Can I ask what you were hoping to get from seeing the results? As I said, no issues were found.

Share this post


Link to post
Share on other sites

I've been able to recreate the environment that gave rise to the unexpected 5.33.3163 version of Ccleaner and revisited virustotal. The hash is SHA-256 c48b9db429e5f0284481b4611bb5b69fb6d5f9ce0d23dcc4e4bf63d97b883fb2

 

In the recreated environment, Avast Emergency Update ran just at the point that 5.33.3163 got installed. This may or may not be relevant.

 

I also have the pertinent ccleaner.exe (securely encrypted to avoid any mishaps).

Share this post


Link to post
Share on other sites
...Being concerned I uploaded the updated 5.33.3163 Ccleaner.exe to virustotal.com (no issues found).

 

I also checked the Ccleaner version history ( https://www.piriform.com/ccleaner/version-history ) - no mention of 5.33.3163.

 

Hi bazzaman:

 

Avast posted a blog entry today titled Update to the CCleaner 5.33.6162 Security Incident about the Floxif trojan that was bundled in the v5.33.6162 32-bit ccleaner.exe executable, which includes the following:

 

 

"First, we made sure the currently shipping version (5.34) and previous versions didn’t contain the threat – they did not. Next, we released a fixed version 5.33.6163, identical to 5.33.6162 but with the backdoor removed, and pushed this version as a lightweight automatic update to CCleaner users where it was possible, further reducing the number of impacted customers. "

-----------

32-bit Vista Home Premium SP2 * Firefox ESR v52.3.0 * NS Premium v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free v5.34.6207

Share this post


Link to post
Share on other sites

Many thanks for the update.

 

A couple of pertinent points:

 

I have read through the Avast blog. It states "we released a fixed version 5.33.6163, identical to 5.33.6162 but with the backdoor removed, and pushed this version as a lightweight automatic update to CCleaner users where it was possible, further reducing the number of impacted customers. We notified the remaining users to upgrade to the latest version of the product as soon as possible (unfortunately, we weren’t able to update the free CCleaner users automatically as the free version doesn’t contain the auto-update functionality)."

 

I particularly draw your attention to the part I have highlighted in bold. I have the free version AND it was updated automatically to 5.33.3163. Inevitably such incorrect statements by Avast only give further cause for concern. I'm guessing that they should have stated something along the lines of:- unfortunately, we weren’t able to update the free CCleaner users automatically as the free version doesn’t contain the auto-update functionality with the exception that if such users were also Avast users, Avast pushed the 5.33.3613 out via the Avast Emergency Update functionality.

 

For my part, hopefully I was not exposed as I am assuming that the malicious code was only executable from Ccleaner.exe (not the installer that installed the Ccleaner.exe). As my firewall (Comodo) is setup to block Ccleaner.exe from having Internet access, even if the malicious code had run it would not have been able to reach the outside world (unless it managed to use the "offices" of some other service). Unfortunately, Comodo (like some other contemporary firewalls) uses Trusted Vendor lists and automatically allows Internet access to software from such vendors and so allows the installers access without even asking.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×