CCleaner 5.35.6210

[jalaffa]

CCleaner (Crap Cleaner) is a freeware system optimization, privacy and cleaning tool. It removes unused files from your system allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. Additionally it contains a fully featured registry cleaner. But the best part is that it's fast (normally taking less than a second to run) and contains NO Spyware or Adware!

Thanks to SalaR for the update.

Download

[Pete 12]

We wait for Master Knowledge , thumbs up for him...............

[angel]

Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

Dear CCleaner customers, users and supporters,

We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. A suspicious activity was identified on September 12^th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.

Technical description
An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.

The suspicious code was hidden in the application’s initialization code called CRT (Common Runtime) that is normally inserted during compilation by the compiler. This code modification was executed by the following function calls (functions marked by red represent the CRT modifications):

 

This modification performed the following actions before the main application’s code:

• It decrypted and unpacked hardcoded shellcode (10 kB large) - simple XOR-based cipher was used for this.
• The result (16 kB in size) was a DLL (dynamic link library) with a missing MZ header.
• This DLL was subsequently loaded and executed in an independent thread.
• Afterwards, a normal execution of CRT code and main CCleaner continued, resulting in the thread with payload running in the background.

Illustration of patched CRT code (see the added call to a payload-decryption routine in the modified version):

The code executed within that thread was heavily obfuscated to make its analysis harder (encrypted strings, indirect API calls, etc.). The suspicious code was performing the following actions:

• It stored certain information in the Windows registry key HKLM\SOFTWARE\Piriform\Agomo:
  • MUID: randomly generated number identifying a particular system. Possibly also to be used as communication encryption key.
  • TCID: timer value used for checking whether to perform certain actions (communication, etc.)
  • NID: IP address of secondary CnC server
• Besides that, it collected the following information about the local system:
  • Name of the computer
  • List of installed software, including Windows updates
  • List of running processes
  • MAC addresses of first three network adapters
  • Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
• All of the collected information was encrypted and encoded by base64 with a custom alphabet.
• The encoded information was subsequently submitted to an external IP address 216.126.x.x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via a HTTPS POST request. There was also a [fake] reference to “Host: speccy.piriform.com” in communication.
• The code then read a reply from the same IP address, providing it with the functionality to download a second stage payload from the aforementioned IP address. The second stage payload is received as a custom base64-encoded string, further encrypted by the same xor-based encryption algorithm as all the strings in the first stage code. We have not detected an execution of the second stage payload and believe that its activation is highly unlikely.
• In case the IP address becomes unreachable, a backup in the form of DGA (domain name generator) activates and is used to redirect communication to a different location. Fortunately, these generated domains are not under the control of the attacker and do not pose any risk.

At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing. We want to thank the Avast Threat Labs for their help and assistance with this analysis. 

Again, we would like to apologize for any inconvenience this incident could have caused to our clients; we are taking detailed steps internally so that this does not happen again, and to ensure your security while using any of our Piriform products. Users of our cloud version have received an automated update. For all other users, if you have not already done so, we encourage you to update your CCleaner software to version 5.35 or higher, the latest version is available for download here. 

Thank you,

 

 

[uffbros]

All you have to do is copy over the branding.dll and the CCleaner.dat files to the new version.

[Actarusse]

https://raw.githubusercontent.com/MoscaDotTo/Winapp2/master/Winapp2.ini

[CarterTaz]

• Changes in 5.35.6210:
• All builds signed with new Digital Signatures
• Digital Signatures? What does this really mean?
• CCleaner was hacked
• https://www.howtogeek.com/326742/ccleaner-was-hacked-what-you-need-to-know/

[Actarusse]

If that version is before version 5.33.6162, then you are not affected

If that version is 5.34 or later, your current version isn’t affected, but if you updated CCleaner in between August 15th and September 12th, and are on a 32-bit system, you may still have been affected.

[snf]

Portable CCleaner Professional 5.35.6210 Plus 32-64 bit Multilingual Online Or Technician or Business By PortableAppZ

[Pete 12]

Using 64-bits OS is muuuch safer , not only for the CCleaner.......................!!  

[CarterTaz]

Yea Actarusse, I feel that everything is OK for me, but I do think that it is shitty of piriform to keep it hushed up, and I guess that my real point was the cover-up, and was pointing out that this update is to address possible future hacks.

[Actarusse]

[Alv37]

CCleaner Keygen - CORE

Site: https://yadi.sk
Sharecode^[?]: /d/KCqC0e-03Kwd3D

[uffbros]

Anyone notice you can't get the portable from companys website? When you try the download page goes right back to the main web site page..no download. It has done this to me many times over a year. Every time there is an update it does this. I even tried various browsers.

[SalaR]

CCleaner 5.35.6210 Technician Edition Multilanguage Portable By fcportables | 5 MB

Spoiler

Site: https://www.upload.ee
Sharecode^[?]: /files/7477576/CCleaner_Technician_5.35.6210_Poetable.7z.html

 

[xanax]

15 minutes ago, uffbros said:

Anyone notice you can't get the portable from companys website? When you try the download page goes right back to the main web site page..no download. It has done this to me many times over a year. Every time there is an update it does this. I even tried various browsers.

 

 

 

and missing 5.35 x64 business msi installer

and forget to sign 5.35 x86 business msi installer with sha256

 

 

and they still offer bundle version with CCleaner v5.33 on servers 

http://download.piriform.com/pro/CCleanerBundle-0817-Setup.exe

 

[Iznogoud]

I don't know for you, but I am waiting some time before update to this build. For any case.

[Kalju]

19 minutes ago, stajke said:

I don't know for you, but I am waiting some time before update to this build. For any case.

So good recommendation, maybe should also give up?  For any case.  

[Gamkutopolowk]

CCleaner hijacked by hackers to open a backdoor for remote code execution

[knowledge-Spammer]

Site: https://www.upload.ee
Sharecode^[?]: /files/7478052/c.rar.html

 

[SPECTRUM]

9 minutes ago, Gamkutopolowk said:

CCleaner hijacked by hackers to open a backdoor for remote code execution

 

was, but only in 5.33.6162 and 32 bit.

[vissha]

CCleaner Professional 5.35.6210 - Multilingual Online Portable- @jooseng:

Site: https://www.upload.ee

Sharecode^[?]: /files/6675592/CCleaner_Portable_xxx_pro-be-te_32-64-bit_Multilingual_Online.exe.html

Site: https://www.mirrorcreator.com

Sharecode^[?]: /files/MCPNBZZK/CCleaner_Portable_xxx_pro-be-te_32-64-bit_Multilingual_Online.exe_links

[TheEmpathicEar]

1 hour ago, knowledge said:

Site: https://www.upload.ee
Sharecode^[?]: /files/7478052/c.rar.html

 

Is this your portable(s)? [I'm looking for "Tech Edition" portable]

[BALTAGY]

CCleaner Professional v5.35.6210 Portable Made With Turbo Studio

 

32Bit (Size: 6.59 MB)

Site: http://www.mirrorcreator.com
Sharecode^[?]: /files/CQBJAXXZ/CCleaner_Professional_v5.35.6210_32Bit.zip_links

 

64Bit (Size: 7.12 MB)

Site: http://www.mirrorcreator.com
Sharecode^[?]: /files/RM57QJ1E/CCleaner_Professional_v5.35.6210_64Bit.zip_links

[angel]

CCleaner™ 5.35.6210 Pro/Tech/Buss/ Retail + CCEnhancer 4.4.2.1 Multilingual

Site: https://www.upload.ee
Sharecode^[?]: /files/7477404/CC535Ret.zip.html

 

[VIKTOR PAVEL]

funny is security breach just few time after sold to security company!