CCleaner 5.33 carried malware inside - Has F-Secure some suggestions to fight against


Yesterday I read from IT news that , CCleaner v.5.33 has been carrying some malware.


I have trusted that cleaning program to be safe, and used it for years in all computers of my family. Naturally I had just upgraded CCleaner to all those laptops and workstations during a couple weeks when the infected CC-version was offered. Most of those machines are used in net payments and other bank operations needing proper safety.


My machines are running F-Secure SAFE, but it has not informed anything fromCCleaner?


No I upgraded CCleaner to v.5.34, which should be clean according to Piriform, and which should clean the bad code while upgrading. Howeve, When I ran Malwarebytes analysis, it discovered:




Which I could quarantine and delete with Malwarebytes.


Today Piriform vp informs in web that there is no reason to worry. But...


Has F-Secure any suggestions to fight against  this attack?



  • [Deleted User]
    [Deleted User] Posts: 0 Former F-Secure Employee

    Hi hakasa,


    Yes, we do detect the compromised files for the CCleaner. For more details, you can visit this threat description page.


    You can also check this statement from Piriform.

  • Ukko
    Ukko Posts: 3,634 Superuser



    From this situation -> I just found that Pirifiorm acquired by Avast.

    And if such situation did not happened -> probably it will be still unknown for me.

    But not clear based on official statements: does F-Secure only detect installer (!?) executable with payload... or certain 'result' under system too (if it possible to detect)? Thanks.

  • hakasa
    hakasa Posts: 2 New Member

    I wonder why F-Secure did not prevent me to download, install and run CCleaner 5.33 Setup executable? Nor informed me of also loaded malware, nor quarantined it?


    Especially, if F-Secure could detect it?

  • Ukko
    Ukko Posts: 3,634 Superuser

    @hakasa wrote:

    I wonder why F-Secure did not prevent me to download, install and run CCleaner 5.33 Setup executable? Nor informed me of also loaded malware, nor quarantined it?


    Especially, if F-Secure could detect it?



    Sorry for my reply. I'm also only F-Secure user (their Home Solutions) and CCleaner user (with some systems); So -> only as my own unofficial suggestions/feelings/feedback about your ask:



    --> Firstly, trouble not fully about 5.33 - but about certain build also (5.33.6162);

    While official article from Piriform with strange wording (?! when troublebuild start be available for downloading) -> maybe you hit certain good build (before/after);

    AND also claimed that only 32-bit installers (but I do not understand it.. such as -> I not sure if Piriform do provide certain installers as 32bit/64bit; and installed CCleaner under 64bit system with both of executables);


    --> Secondly, it was unknown for most of security software/companies about certain 'compromissed' installers. And when it start be known -> after some hours/days -> executables is detected;


    Not prevented to download -> because website/server/domain/URL for downloading -> is not rated as harmful/suspicious; And certain executable file was not known as 'trouble-file" (so -> launch/install - if it was ?! -> allowed);

    And then certain payload do suspicious... but probably not critical things (with common meanings - if we talk about 'valid' software); But this is based on articles (not sure - how it was indeed);


    I also not sure -> if Malwarebytes under your system detected "trojan.netya" about CCleaner (?!); Does it possible to re-check any Malwarebytes scan logs about destination/path or so (just as re-sure what file/items did trigger such detection);

    And if this is based on CCLeaner (and your system was one of 'systems' with installed compromissed CCleaner) --> indeed good to receive answer/explanation about potential abilities of F-Secure. Such as -> if there was such suspicious activities - why any of layers do not prompted something. Or even... this is not analysed properly (based on current public statistics -> count for detection about "Trojan.PRForm.A, Backdoor.Agent.ABXS" is quite large. And for backdoor-part more stable count);

    Possible to trigger Full Scan by F-Secure (as re-check that your system do not have any 'not active' files from this situation);



    // added at 25.09.2017:

    under piriform's community-forum published probably useful reply (with potential steps - where system can be with trouble and when maybe not):

This discussion has been closed.
Pricing & Product Info