Ivoo #1 Posted September 18, 2017 (edited)

I have been using CCleaner for a long time without any problems, but today I had a surprise that scared me: Malwarebytes detected (Trojan.Nyetya). Any ideas what the reason is?
miekiemoes #2 Posted September 18, 2017

Hi,

This is no False Positive. It seems your version was compromised/infected. Please see here for more info:

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
https://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users
Ivoo #3 Posted September 18, 2017

Time to reinstall my Windows... I can say that IF my files were stolen, my work will now be hard, but it seems it is OK. I read and understand that my MAC address is stolen; time to buy a new wifi card adapter.
miekiemoes #4 Posted September 18, 2017

No need to buy a new wifi adapter - you can still "change/spoof" your MAC address if you want (and if it makes you feel better):

http://www.makeuseof.com/tag/change-mac-address-windows/

But I wouldn't worry too much here though - MAC addresses can only be "seen" by computers in YOUR local network, they don't broadcast outside your LAN.
Tooslow #5 Posted September 18, 2017

I've just found the same thing. Malwarebytes says that it has removed the infection, I have updated CCleaner as advised in the link, so it's gone? No need to re-install / restore Windows (I hope)?
miekiemoes #6 Posted September 18, 2017

Yes, you should be OK after having Malwarebytes remove what it has found or updating to the latest version of CCleaner (as that also overwrites the file, in case it wasn't removed previously). No need to reinstall Windows.
Tooslow #7 Posted September 18, 2017

Phew! Thanks. That has saved me a lot of work.
need4spd #8 Posted September 18, 2017 (edited)

Yes, I had the same issue, thank you for being on top of this. Glad we do not have to reinstall anything, thanks Malwarebytes for taking care of things. My scan only found the install file on my computer, I had already updated to CCleaner 5.34 last week so the rest of it must have been overwritten. I guess from now on, I will delete the old install files.
blackpencilredpencil #9 Posted September 18, 2017 (edited)

I also had the same issue as OP. However, I am quite curious as to why I got the positive result from Malwarebytes at all. I didn't have any old install files on my computer. And furthermore, I am running a 64-bit system, and therefore also a 64-bit version of CCleaner. I thought only the 32-bit version was affected by this? Please correct me if I'm wrong.

Edit: After a bit of research I found that CCleaner does indeed install both versions on your system, but only makes a shortcut to the version that suits your system. If so, are 64-bit users safe if no registry keys are present for the 32-bit version?

Also, sorry for my English. Not a native speaker.
miekiemoes #10 Posted September 18, 2017 (edited)

10 minutes ago, blackpencilredpencil said:

> I also had the same issue as OP. However, I am quite curious as to why I got the positive result from Malwarebytes at all. I didn't have any old install files on my computer. And furthermore, I am running a 64-bit system, and therefore also a 64-bit version of CCleaner. I thought only the 32 bit-version was affected by this? Please correct me if I'm wrong.
>
> Edit: After a bit of research I found that CCleaner does indeed install both versions on your system, but only makes a shortcut to the version that suits your system. If so, are 64-bit users safe if no registry keys are present for the 32-bit version?
>
> Also, sorry for my English. Not a native speaker.

The installer has both 32 and 64 bits - so I'm sure in your case, the setup file was detected. It must have been this file then:

https://www.virustotal.com/en/file/1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff/analysis/ - ccsetup533.exe

"If so, are 64-bit users safe if no registry keys are present for the 32-bit version?"

Basically yes, but always good to update anyway.
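
Added example, not part of any post in this thread and not Malwarebytes or Piriform code: a Python check for the situation posts #8 to #13 describe, listing leftover `.exe` files, reporting whether each is a 32-bit or 64-bit PE, and comparing its SHA-256 with the hash in the VirusTotal link from post #10. The scanned folders and all function names are assumptions; a match identifies only that exact file, and a non-match says nothing about other builds.

```python
import hashlib
import struct
from pathlib import Path

# SHA-256 from the VirusTotal link in post #10 (given there as ccsetup533.exe).
KNOWN_BAD_SHA256 = {"1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff"}
PE_MACHINE = {0x014C: "32-bit (x86)", 0x8664: "64-bit (x64)"}

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def pe_bitness(path):
    """Return the architecture named in the PE header, or None if not a PE file."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return None
        (pe_offset,) = struct.unpack_from("<I", head, 0x3C)  # e_lfanew
        f.seek(pe_offset)
        sig = f.read(6)  # "PE\0\0" followed by the 2-byte Machine field
    if len(sig) < 6 or sig[:4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", sig, 4)
    return PE_MACHINE.get(machine, f"other (0x{machine:04x})")

def scan(roots, known_bad=KNOWN_BAD_SHA256):
    """Return (path, architecture, sha256, is_known_bad) for every .exe under roots."""
    findings = []
    for root in roots:
        for path in Path(root).rglob("*"):
            if not path.is_file() or path.suffix.lower() != ".exe":
                continue
            try:
                digest, arch = sha256_of(path), pe_bitness(path)
            except OSError:
                continue  # locked or unreadable file: skip it
            findings.append((str(path), arch, digest, digest in known_bad))
    return findings

if __name__ == "__main__":
    # Folder choices are assumptions; add wherever installers get saved.
    roots = [Path.home() / "Downloads", Path(r"C:\Program Files\CCleaner")]
    for path, arch, digest, bad in scan([r for r in roots if r.exists()]):
        print(("MATCH " if bad else "ok    ") + f"{arch}  {digest}  {path}")
```
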
Cake #11 Posted September 18, 2017 (edited)

Yes, this is not a false positive. But it's scary to know that the malware could survive quite some time before getting detected.
blackpencilredpencil #12 Posted September 18, 2017 (edited)

9 minutes ago, miekiemoes said:

> The installer has both 32 and 64 bits - so I'm sure in your case, the setup file was detected. It must have been this file then: https://www.virustotal.com/en/file/1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff/analysis/ - ccsetup533.exe

Yeah, it might be, but that seems strange since I rarely save any executables on my computer.

What happened was the following: I right-clicked on my recycle bin icon on my desktop and selected the "run CCleaner" option. I got a prompt saying something like "couldn't find the program". At the exact same moment I received a popup from Malwarebytes informing me that the file was infected.

I just had a look in my quarantine, and it's pointing toward ccleaner.exe under: C:\Program Files\CCleaner\ccleaner.exe

Is there some chance that the 64-bit version of the program has also been infected? Or is this simply a precaution taken to make sure that people upgrade to the newest version?

TL;DR: Should I nuke my system and reinstall everything?
arleetel #13 Posted September 18, 2017 (edited)

I have the same detection today, but that file has been on the computer since 15.08.2017; a Malwarebytes scan yesterday did "not" detect it.

By the way, it's just this file:

Trojan.Nyetya, C:\USERS\PUBLIC\DOWNLOADS\CCSETUP533.EXE, No Action By User, [8818], [436221],1.0.2833
Trojan.Nyetya, C:\DOCUMENTS AND SETTINGS\PUBLIC\DOWNLOADS\CCSETUP533.EXE, No Action By User, [8818], [436221],1.0.2833

since that version was already replaced by the new one, 5.34.6207, and the old version removed.

What worries me is that it was not detected before, the cleaner being used every single day!!!

I suppose deleting those files will be OK.
Cake #14 Posted September 18, 2017

1 minute ago, arleetel said:

> Have the same detection, today, but that file is on the computer since 15.08.2017, a malwarebytes scan yesterday did "not" detect it. By the way it's just this file :
>
> Trojan.Nyetya, C:\USERS\PUBLIC\DOWNLOADS\CCSETUP533.EXE, No Action By User, [8818], [436221],1.0.2833
> Trojan.Nyetya, C:\DOCUMENTS AND SETTINGS\PUBLIC\DOWNLOADS\CCSETUP533.EXE, No Action By User, [8818], [436221],1.0.2833
>
> since that version was already replaced by the new one 5.34.6207, the old version removed. What worries me is that it was not detected before, the cleaner being used every single day !!! I suppose deleting those files will be OK.

On my system, it survived Malwarebytes Premium, Emsisoft Premium and Bitdefender 2018 Internet Security... This Ninja-Malware survived everything!
biomembrain #15 Posted September 18, 2017

I may have to reinstall Windows. The name closely resembles the name of known ransomware like Petya. It seems way too suspicious.
arleetel #16 Posted September 18, 2017 (edited)

Yes, it does resemble Petya, but I hope quarantine and removing will be enough. How are we sure now that the system is clean?

BTW, Adw cleaner did not detect this, and neither did Kaspersky!
miekiemoes #17 Posted September 18, 2017

No need to panic - having Malwarebytes delete it and/or updating to the latest version of CCleaner takes care of all this and your system will be clean.

This is in no way related to Petya though.
miekiemoes #18 Posted September 18, 2017

We have just released a blog post as well regarding this:

https://blog.malwarebytes.com/security-world/2017/09/infected-ccleaner-downloads-from-official-servers/

I'm going to close this thread now, so for any questions regarding this - feel free to comment in the blog post.

Thanks!!!