Piriform Community Forums
Tom Piriform

Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191


Well see that's why it's important to clarify that. CCleaner.exe is infected and CCleaner64.exe is not.

Why does the 64-bit version even install CCleaner.exe if it is not used at all on 64-bit systems, which use CCleaner64.exe instead? If CCleaner.exe is never launched, then there is no infection. But why is CCleaner.exe even there on 64-bit systems, what is its purpose, if it's never launched by the desktop shortcut, which clearly points to CCleaner64.exe?

I have Windows 7 64-bit and yesterday when running CCleaner my antivirus, ESET Smart Security, notified me of this threat:

Time: 9/18/2017 1:32:40 p.m.
Scan module: Memory scan
Type of object: archive
Object: Operating memory = CCleaner.exe (1124)
Threat: a variant of Win32/CCleaner.B Trojan
Action: disinfected - contained infected files
User:
Information:
Hash: 38365DFEDF883AB2CF0F21434686BF58B8FAE5F6
First seen here

That's how I found out about the problem.


So you guys talked about the manual execution of the 32-bit file and how unlikely this is. As stated in a former post, I probably opened CCleaner.exe instead of CCleaner64.exe as I used the portable version of 5.33.6162 on my 64-bit Windows 10. I did not take notice of it, because no matter what, CCleaner always ran in 64-bit mode on my system.

The question now is, am I affected by this issue as I opened CCleaner.exe manually on my 64-bit system? Could Piriform clarify? What do others think?

Dennis2


I doubt CCleaner64.exe was not infected, indirectly or otherwise. I have suffered two separate credit card fraud attacks during the period version 5.33 was active. No such problem for years previously in any of my online banking transactions. Possibly a coincidence, but I don't think that's likely.


This is what my Symantec Cloud reported this morning.

Filename: ccsetup533.exe
Threat name: Trojan.Sibakdi
Full Path: c:\users\rong\downloads\ccsetup533.exe

On computers as of: 8/23/2017 at 8:52:17 AM
Last Used: 9/19/2017 at 9:25:41 AM
Startup Item: No
Launched: No

Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.

Many Users: Hundreds of thousands of users in the Symantec Community have used this file.
Mature: This file was released 1 month ago.
High: This file risk is high.

Downloaded File from filehippo.com
Source: External Media

File Actions
File: c:\users\rong\downloads\ccsetup533.exe Removed

File Thumbprint - SHA:
1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
File Thumbprint - MD5:
75735db7291a19329190757437bdb847


> The question now is, am I affected by this issue as I opened CCleaner.exe manually on my 64-bit system? Could Piriform clarify? What do others think?

According to this article on BleepingComputer there will be a registry entry left behind if you were actually infected.

https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/

I have checked my 64-bit Windows 10 and even though I do have the compromised installer (I've still got it saved) and did install 5.33, I do not have that registry entry.

So the answer seems to be to check for this registry entry.

If you do not have this registry entry then you were not infected.


My wife's PC was hit with a similar problem this morning when she started it up. ZoneAlarm caught it and treated it. Problem is that it is a Windows 7 Home SP1 64-bit machine running CCleaner Pro 64-bit (and, yes, now that it hit me a few minutes ago, I went back to her PC and it was running 6162, which I have now upgraded). However, my similar machine got hit some 4 hours later. ZoneAlarm caught it and I was able to catch some info before I had to reboot after ZA treated something called "Backdoor.Win32.Infecleaner.a". When you reboot, before complete startup, I got prompted to let Piriform start up the CCleaner monitor (never asked before). I said "NO" and am now running normally without the CCleaner monitor running. My PC is Windows 8 64-bit OS. Starting CCleaner from the desktop reveals it is: 6162 bit version. I have attached 2 printscreens... hope they come through to you. Am going to update CCleaner.

[Two screenshots were attached to this post.]


@kpcannon if it does not work:

go to piriform.com/ccleaner/builds

download the portable version

Copy ccleaner.exe and ccleaner64.exe from the zip to c:\Program Files\ccleaner (or wherever your CCleaner is if you customized the install path), overwriting the .33 files with .34.


 

> Just searched for the hash and it comes up in searches, in particular:
>
> * https://www.virustotal.com/en/file/36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9/analysis/
>
> That is identified as ccleaner.exe, too. Why are there two bad ccleaner.exe's with different hashes and only one bad installer?

Not sure I understand the last part of what you said. What "bad installer"? What are the two bad ccleaner.exe? Only 5.33 was affected.


Hello all!

My Avira antivirus today reported finding TR/RedCap.zioqa in ccleaner.exe and moved it to quarantine. I'm running the 64-bit version of CCleaner, installed it this September. I did a Malwarebytes scan after this, and it found no malware. I didn't use CCleaner for the past few days, so today, after receiving the notification about the trojan, I opened it and it notified me about the update, so I applied it. I also read the Avast blog about the security issue. I see that some people posted about having differently named malware in their systems. Is the TR/RedCap.zioqa just a different name for the same thing? Does that also mean that CCleaner is now OK and I don't need to do anything else?


> Not sure I understand the last part of what you said. What "bad installer"? What are the two bad ccleaner.exe? Only 5.33 was affected.

There appear to be two files, identifiable by their hashes as compromised, the 5.33 version of ccleaner.exe and the installer ccsetup533.exe. But there are three hashes given, with two different values for ccleaner.exe.


> I see that some people posted about having differently named malware in their systems. Is the TR/RedCap.zioqa just a different name for the same thing? Does that also mean that CCleaner is now OK and I don't need to do anything else?

Different anti-virus/anti-malware vendors will give the same infection a different name for the detection, so it's not universally named between different vendors.


> Hi all,
>
> The only version affected is the 32-bit binary of CCleaner v5.33.6162. It was the application that was the issue, not the installer. If you're using a 64-bit version of CCleaner, then you're unaffected although we recommend updating to the latest version. There is also no effect to the Mac or Android versions.
>
> At this time, we won't be releasing a detection tool as the issue was in CCleaner itself, so uninstalling or updating the software removes the risk. You can download directly for free from here: www.piriform.com/ccleaner/download/standard
>
> For those interested, the MD5 hash of the affected CCleaner.exe is: ef694b89ad7addb9a16bb6f26f1efaf7
>
> Thanks - Tom

I have a file called ccsetup533.exe which was downloaded on 08 Sep 17 with these hashes as computed by NirSoft's HashMyFiles.

md5: 75735db7291a19329190757437bdb847

sha256: 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff

Avast alarms on this file and also on the slim version and the portable version downloaded the same date.

Just an FYI.


Avast (owner of Piriform's CCleaner) published this timeline of events...

https://www.bleepingcomputer.com/news/security/avast-clarifies-details-surrounding-ccleaner-malware-incident/


July 3 - Evidence suggests hackers breached Piriform's IT systems.
July 18 - Avast decides to buy Piriform, the company behind CCleaner.
August 15 - Piriform, now part of Avast, releases CCleaner 5.33. The 32-bit version (CCleaner 5.33.6162) included the Floxif trojan.
August 20 and 21 - Morphisec's security product detects first instances of malicious activity (malware was collecting device details and sending the data to a remote server), but Morphisec does not notify Avast.
August 24 - Piriform releases CCleaner Cloud v1.07.3191 that also includes the Floxif trojan.
September 11 - Morphisec customers share detection logs detailing CCleaner-related malicious activity with the company's engineers.
September 12 - Morphisec notifies Avast and Cisco of the suspicious CCleaner activity. Avast starts its own investigation and also notifies US law enforcement. Cisco also starts its own investigation.
September 14 - Cisco notifies Avast of its own findings.
September ?? - Cisco had registered, in the meantime, all the domains that the malware would have used in the future to determine and calculate the C&C server IP address.
September 15 - Following a collaboration between Avast and law enforcement, the malware's C&C server was taken down.
September 15 - Avast releases CCleaner 5.34 and CCleaner Cloud 1.07.3214 that remove the Floxif malware.
September 18 - CCleaner incident becomes public following Cisco, Morphisec, and Avast/Piriform reports.


Good morning all. Apologies for the lack of communication. I hope that you can understand that it's been an incredibly busy time for our Customer Support team and given how quickly we identified the issue and made the announcement, we didn't have time to arrange extra support.

 

I'm going to attempt to answer a couple of the main questions that you all have. I would like to ask that if you have more questions, please read our blog post before asking as this may enable you to find the answer first :) You can find this here: http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

 

In addition to this, I'm not able to provide any more information than what is in any of the Piriform/Avast public statements although I can clarify the points to help with confusion.

 

 

 

The main question that people are asking seems to be "Am I affected if I'm using the 64-bit, what happens because the 32-bit is installed? What happens if I ran the 32-bit version?"

 

The answer to this is that no matter which .exe you run, if 64-bit can be run on your machine, it will be the one that runs. Opening the 32-bit will just launch the 64-bit version so you really shouldn't worry.

 

 

"Is the Pro or slim affected"

Any version with the number 5.33.6162 is affected. This includes Free, Slim, Portable, Pro, Business and Technician Edition.

 

 

You're also asking "Am I still infected?"

Well, the problem was in the CCleaner.exe. This means that if you've removed this version then you're no longer at risk. In addition, as stated previously, the remote server has been shut down, which means that even if the infected application tries to communicate, it can't. That being said, we're still encouraging everyone to update to the latest version. You can download this here: www.piriform.com/ccleaner/download/standard

 

 

 

I hope this clears things up a little.

 

Thanks - Tom

 

 

Edit to add: Please note that it is only CCleaner and CCleaner Cloud that were affected by this. Speccy, Defraggler, Recuva, CCleaner Network and CCleaner Android are unaffected.


edit:  When I open the program it clearly shows "(64-bit)" after the version.  So I am indeed running the 64-bit version yet I was infected.  You need to immediately retract your statement that only 32-bit systems were infected.

If this trojan was only included in the 32-bit download of 5.33 someone please explain why ALL of my 64-bit systems were infected?  My 64-bit systems are monitored and cleaned regularly.  Yesterday, every one of them showed the Floxif trojan.

I think someone needs to reevaluate what information is being put out as you are falsely implying people were not compromised when they clearly were.

edit: I see posts saying that even if the 32-bit version is downloaded, it should run 64-bit when executed and therefore there would not have been an infection.  As I stated all of my systems are 64-bit yet I was infected.  I download my CCleaner direct from Piriform. Am I not getting the correct version for my systems?  I don't see multiple versions.
 

> The main question that people are asking seems to be "Am I affected if I'm using the 64-bit, what happens because the 32-bit is installed? What happens if I ran the 32-bit version?"
>
> The answer to this is that no matter which .exe you run, if 64-bit can be run on your machine, it will be the one that runs. Opening the 32-bit will just launch the 64-bit version so you really shouldn't worry.


Like I said, all my systems are 64-bit and ALL were infected.  So clearly there is something not right with either your program or your thinking the 64-bit version was safe.

This is where I download the program.  I see no 32 or 64-bit options.

https://www.piriform.com/ccleaner/download   or   https://www.piriform.com/ccleaner


Bru20,

Your antivirus found the Trojan, which is ccleaner5.33.exe. Even if you have 64-bit, in the program folder there is ccleaner5.33.exe and 5.3364.exe. Do you have the registry key Agomo? If it is there, you are really infected. Do you have the installer? The antivirus can flag this as a compromised object.

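The two checks users are doing by hand in this thread, looking for the "Agomo" registry key and comparing file hashes against the values posted, can be scripted. The following is an added example, not Piriform's code and not posted by anyone in the thread. It assumes the key lives at HKLM\SOFTWARE\Piriform\Agomo (the thread only names it "Agomo"; that full path is the one given in the public Cisco Talos and Avast write-ups of the incident), that the version resource of an affected binary reads as 5.33.6162 or 5, 33, 0, 6162, and that copies are in the usual Program Files and Downloads locations; adjust the folder list for portable copies. The hash table holds only the hashes quoted in this thread, so it is not a complete list; the version check is what covers the Slim, Portable, Pro, Business and Technician builds Tom says are all affected.

```powershell
# Added example, not Piriform's code. Run from an elevated PowerShell prompt on the
# Windows machine you want to check.

# Assumption: full path of the key the thread calls "Agomo" (from the public write-ups).
$AgomoKey = 'HKLM:\SOFTWARE\Piriform\Agomo'

# Hashes quoted in this thread, lower-cased to compare against Get-FileHash output.
# NOT a complete list: every edition of 5.33.6162 is a different binary.
$KnownBadHashes = @{
    'ef694b89ad7addb9a16bb6f26f1efaf7' = 'MD5 of the 32-bit CCleaner.exe 5.33.6162, posted by Piriform'
    '75735db7291a19329190757437bdb847' = 'MD5 of ccsetup533.exe, posted by a user'
    '1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff' = 'SHA256 of ccsetup533.exe, posted by a user'
    '38365dfedf883ab2cf0f21434686bf58b8fae5f6' = 'SHA1 of CCleaner.exe from the ESET log posted above'
}

# Assumption: version resource formatted as "5.33.6162" or "5, 33, 0, 6162" or similar.
$AffectedVersionPattern = '\b5[.,]\s*33[.,]\s*(?:0[.,]\s*)?6162\b'

function Test-AgomoKey {
    # $true if the key exists. Its values are printed so they can be recorded before
    # the key is deleted during cleanup.
    if (Test-Path -Path $AgomoKey) {
        Write-Warning "Registry key present: $AgomoKey (the trojan's payload ran on this host)"
        Get-ItemProperty -Path $AgomoKey | Format-List | Out-String | Write-Host
        return $true
    }
    Write-Host "Registry key not present: $AgomoKey"
    return $false
}

function Get-CCleanerCandidates {
    # Installed copies under both Program Files trees plus installers in Downloads.
    # Add further paths (USB sticks, portable folders) to cover other copies.
    $dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path -Path $_ -ChildPath 'CCleaner' }
    $dirs += Join-Path -Path $env:USERPROFILE -ChildPath 'Downloads'
    $dirs = @($dirs | Where-Object { Test-Path -Path $_ })
    if ($dirs.Count -eq 0) { return @() }
    Get-ChildItem -Path $dirs -Include 'CCleaner*.exe', 'ccsetup*.exe' -Recurse -File -ErrorAction SilentlyContinue
}

function Test-CCleanerFile {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    $findings = @()

    # Version check: catches any edition of the affected build, hash-listed or not.
    $versions = @($File.VersionInfo.FileVersion, $File.VersionInfo.ProductVersion) | Where-Object { $_ }
    if ($versions -match $AffectedVersionPattern) {
        $findings += "version resource matches affected build 5.33.6162 ($($versions -join ' / '))"
    }

    # Hash check against the values posted in the thread (MD5, SHA1 and SHA256 were all given).
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $hash = (Get-FileHash -Path $File.FullName -Algorithm $alg).Hash.ToLowerInvariant()
        if ($KnownBadHashes.ContainsKey($hash)) {
            $findings += "$alg $hash matches: $($KnownBadHashes[$hash])"
        }
    }

    [pscustomobject]@{
        Path     = $File.FullName
        Findings = $findings
    }
}

$keyPresent = Test-AgomoKey
$hits = 0
foreach ($file in Get-CCleanerCandidates) {
    $result = Test-CCleanerFile -File $file
    if ($result.Findings.Count -gt 0) {
        $hits++
        Write-Warning "$($result.Path):`n  $($result.Findings -join "`n  ")"
    } else {
        Write-Host "No match: $($result.Path)"
    }
}

if (-not $keyPresent -and $hits -eq 0) {
    Write-Host 'No Agomo key and no matching CCleaner file found in the scanned locations.'
}
```

The two checks answer different questions, which is the source of the confusion in this thread. A hash or version match says the compromised build is present on disk, which is what the anti-virus alerts people are quoting react to; the Agomo key says the trojan's code actually executed on that host and wrote its identifiers. A file match with no key is consistent with Tom's explanation that the 64-bit binary runs instead, but the script does not scan anywhere it is not pointed at, and a missing hash match is not a clean bill of health since only the hashes posted here are listed, so updating to a clean build as recommended remains the actual fix.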

Hi again,

 

Your anti-virus will flag this regardless of whether you're running the 32-bit or 64-bit version as it is the entire version that has been blacklisted. There are no options when you download; CCleaner runs the correct version for your PC.

 

Tom


> Bru20,
>
> Your antivirus found the Trojan, which is ccleaner5.33.exe. Even if you have 64-bit, in the program folder there is ccleaner5.33.exe and 5.3364.exe. Do you have the registry key Agomo? If it is there, you are really infected. Do you have the installer? The antivirus can flag this as a compromised object.

I cleaned the Trojan. When I check the Registry I see no "Agomo".

> Hi again,
>
> Your anti-virus will flag this regardless of whether you're running the 32-bit or 64-bit version as it is the entire version that has been blacklisted. There are no options when you download; CCleaner runs the correct version for your PC.
>
> Tom

If I am understanding correctly, you are saying my AV flagged this trojan because the entire version was blacklisted. Yet because I am running the 64-bit my system was not infected. So you are telling me to ignore my AV and be assured I am not infected. Sorry, but that's a big leap of faith you are asking me to take.


Hi,

 

I've suggested already to everyone that you download the latest version which we know to be clean and not use version 5.33, even if it is 64-bit. You can download the latest CCleaner here: www.piriform.com/ccleaner/download/standard

 

Thanks.
