ccleaner (Trojan.Nyetya)


Ivoo


  • Staff

No need to buy a new wifi adapter - you can still "change/spoof" your MAC address if you want (and makes you feel better) :)

http://www.makeuseof.com/tag/change-mac-address-windows/

But I wouldn't worry too much here though - MAC addresses can only be "seen" by computers in YOUR local network, they don't broadcast outside your LAN.


Yes, I had the same issue. Thank you for being on top of this. Glad we do not have to reinstall anything, thanks Malwarebytes for taking care of things.

My scan only found the install file on my computer. I had already updated to CCleaner 5.34 last week, so the rest of it must have been overwritten.

I guess from now on, I will delete the old install files.

Edited by need4spd

I also had the same issue as OP. However, I am quite curious as to why I got the positive result from Malwarebytes at all. I didn't have any old install files on my computer. And furthermore, I am running a 64-bit system, and therefore also a 64-bit version of CCleaner. I thought only the 32-bit version was affected by this? Please correct me if I'm wrong.

Edit: After a bit of research I found that CCleaner does indeed install both versions on your system, but only makes a shortcut to the version that suits your system. If so, are 64-bit users safe if no registry keys are present for the 32-bit version? 

Also, sorry for my English. Not a native speaker. 

Edited by blackpencilredpencil

  • Staff
10 minutes ago, blackpencilredpencil said:

I also had the same issue as OP. However, I am quite curious as to why I got the positive result from Malwarebytes at all. I didn't have any old install files on my computer. And furthermore, I am running a 64-bit system, and therefore also a 64-bit version of CCleaner. I thought only the 32-bit version was affected by this? Please correct me if I'm wrong.

Edit: After a bit of research I found that CCleaner does indeed install both versions on your system, but only makes a shortcut to the version that suits your system. If so, are 64-bit users safe if no registry keys are present for the 32-bit version? 

Also, sorry for my English. Not a native speaker. 

The installer has both 32 and 64 bits - so I'm sure in your case, the setup file was detected.

It must have been this file then: https://www.virustotal.com/en/file/1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff/analysis/ - ccsetup533.exe

"If so, are 64-bit users safe if no registry keys are present for the 32-bit version?" Basically yes, but always good to update anyway :)

Edited by miekiemoes
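
One way to check the 32-bit/64-bit question raised in this thread for a given file, added here as an example and not part of any poster's message: it reads the Machine field of the PE header and compares the file's SHA-256 with the hash in the VirusTotal link above. The function names and sample bytes are constructed for illustration; a hash mismatch only means the file is not that exact installer.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

# SHA-256 taken from the VirusTotal link quoted in the thread (ccsetup533.exe).
FLAGGED_SHA256 = "1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff"

# COFF "Machine" values defined by the PE format.
MACHINES = {0x014C: "32-bit (x86)", 0x8664: "64-bit (x64)"}


def pe_bitness(data: bytes) -> str:
    """Return the target architecture recorded in a PE file's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not a PE file"
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_offset + 6 > len(data) or data[pe_offset:pe_offset + 4] != b"PE\0\0":
        return "not a PE file"
    (machine,) = struct.unpack_from("<H", data, pe_offset + 4)
    return MACHINES.get(machine, f"other (0x{machine:04x})")


def triage(path: Path) -> dict:
    """Hash one file; report its bitness and whether it is the flagged installer."""
    data = path.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    return {
        "path": str(path),
        "bitness": pe_bitness(data),
        "sha256": digest,
        "matches_flagged_installer": digest == FLAGGED_SHA256,
    }


def fake_pe(machine: int) -> bytes:
    """Constructed sample: minimal DOS header, PE signature and Machine field."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


if __name__ == "__main__":
    # Constructed stand-ins; point triage() at a real path to check a file.
    with tempfile.TemporaryDirectory() as tmp:
        for name, machine in (("sample_x86.exe", 0x014C), ("sample_x64.exe", 0x8664)):
            sample = Path(tmp) / name
            sample.write_bytes(fake_pe(machine))
            print(triage(sample))
```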

9 minutes ago, miekiemoes said:

The installer has both 32 and 64 bits - so I'm sure in your case, the setup file was detected.

It must have been this file then: https://www.virustotal.com/en/file/1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff/analysis/ - ccsetup533.exe

Yeah it might be, but that seems strange since I rarely save any executables on my computer. What happened was the following: 

I right clicked on my recycle bin icon on my desktop and selected the "run CCleaner" option. I got a prompt saying something like "couldn't find the program". At the exact same moment I received a popup from Malwarebytes informing me that the file was infected. I just had a look in my quarantine, and it's pointing toward ccleaner.exe under: 

C:\Program Files\CCleaner\ccleaner.exe

Is there some chance that also the 64-bit version of the program has been infected? Or is this simply a precaution taken to make sure that people upgrade to the newest version? 

TL;DR: Should I nuke my system and reinstall everything?

Edited by blackpencilredpencil

Have the same detection today, but that file has been on the computer since 15.08.2017; a Malwarebytes scan yesterday did "not" detect it.

By the way it's just this file : Trojan.Nyetya, C:\USERS\PUBLIC\DOWNLOADS\CCSETUP533.EXE, No Action By User, [8818], [436221],1.0.2833
Trojan.Nyetya, C:\DOCUMENTS AND SETTINGS\PUBLIC\DOWNLOADS\CCSETUP533.EXE, No Action By User, [8818], [436221],1.0.2833

since that version was already replaced by the new one 5.34.6207, the old version removed.

What worries me is that it was not detected before, the cleaner being used every single day !!!

I suppose deleting those files will be OK.

Edited by arleetel

1 minute ago, arleetel said:

Have the same detection today, but that file has been on the computer since 15.08.2017; a Malwarebytes scan yesterday did "not" detect it.

By the way it's just this file : Trojan.Nyetya, C:\USERS\PUBLIC\DOWNLOADS\CCSETUP533.EXE, No Action By User, [8818], [436221],1.0.2833
Trojan.Nyetya, C:\DOCUMENTS AND SETTINGS\PUBLIC\DOWNLOADS\CCSETUP533.EXE, No Action By User, [8818], [436221],1.0.2833

since that version was already replaced by the new one 5.34.6207, the old version removed.

What worries me is that it was not detected before, the cleaner being used every single day !!!

I suppose deleting those files will be OK.

On my system, it survived Malwarebytes Premium, Emsisoft Premium and Bitdefender 2018 Internet Security..... :ph34r:

This Ninja-Malware survived everything!

This topic is now closed to further replies.