Jump to content
Ivoo

ccleaner (Trojan.Nyetya)

By Ivoo, in File Detections

Recommended Posts

Ivoo   

Ivoo
Posted (edited)

I have been using ccleaner for a long time without any problems ,, but today i have surprise that scare me ,,Malwarebytes detect ( Trojan.Nyetya ) ,,, any ideas  what is the reason ? 

 

Capture.JPG

Edited by Ivoo
missing letter(a)

Share this post

Link to post
Share on other sites

Ivoo   

Ivoo
Posted

time to reinstall my windows :D ... i can say that IF my files was stolen now my work will be hard but it  seems is ok ,i read and   understand that my MAC address is stolen  ,time to buy new wifi card adapter  :D 

Share this post

Link to post
Share on other sites

Tooslow   

Tooslow
Posted

I've just found the same thing. Malwarebytes says that it has removed the infection, I have updated CCleaner as advised in the link, so it's gone? No need to re-install / restore Windows (I hope)?

 

 

Share this post

Link to post
Share on other sites

miekiemoes   

miekiemoes
Posted

Yes, you should be OK after having malwarebytes remove what it has found or updating to the latest version of Ccleaner (as that also overwrites the file, in case it wasn't removed previously). No need to reinstall Windows :)

Share this post

Link to post
Share on other sites

need4spd   

need4spd
Posted (edited)

Yes, I had the same issue thank you for being on top of this.  Glad we do not have to reinstall anything, thanks malwarebytes for taking care of things.

My scan only found the install file on my computer, I had already updated to ccleaner 5.34 last week so the rest of it must have been overwritten.

I guess from now on, I will delete the old install files.

Edited by need4spd

Share this post

Link to post
Share on other sites

blackpencilredpencil   

blackpencilredpencil
Posted (edited)

I also had the same issue as OP. However, I am quite curious as to why I got the positive result from Malwarebytes at all. I didn't have any old install files on my computer. And furthermore, I am running a 64-bit system, and therefore also a 64-bit version of CCleaner. I thought only the 32 bit-version was affected by this? Please correct me if I'm wrong. 

Edit: After a bit of research I found that CCleaner does indeed install both versions on your system, but only makes a shortcut to the version that suits your system. If so, are 64-bit users safe if no registry keys are present for the 32-bit version? 

Also, sorry for my English. Not a native speaker. 

Edited by blackpencilredpencil

Share this post

Link to post
Share on other sites

miekiemoes   

miekiemoes
Posted (edited)
10 minutes ago, blackpencilredpencil said:

I also had the same issue as OP. However, I am quite curious as to why I got the positive result from Malwarebytes at all. I didn't have any old install files on my computer. And furthermore, I am running a 64-bit system, and therefore also a 64-bit version of CCleaner. I thought only the 32 bit-version was affected by this? Please correct me if I'm wrong. 

Edit: After a bit of research I found that CCleaner does indeed install both versions on your system, but only makes a shortcut to the version that suits your system. If so, are 64-bit users safe if no registry keys are present for the 32-bit version? 

Also, sorry for my English. Not a native speaker. 

The installer has both 32 and 64 bits - so I'm sure in your case, the setup file was detected.

It must have been this file then: https://www.virustotal.com/en/file/1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff/analysis/ - ccsetup533.exe

"If so, are 64-bit users safe if no registry keys are present for the 32-bit version?" Basically yes, but always good to update anyway :)

Edited by miekiemoes

Share this post

Link to post
Share on other sites

Cake   

Cake
Posted (edited)

Yes this is not a false positive.

 

But it's scary to know, that the malware could survive quite some time before getting detected :(

Edited by Cake

Share this post

Link to post
Share on other sites

blackpencilredpencil   

blackpencilredpencil
Posted (edited)
9 minutes ago, miekiemoes said:

The installer has both 32 and 64 bits - so I'm sure in your case, the setup file was detected.

It must have been this file then: https://www.virustotal.com/en/file/1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff/analysis/ - ccsetup533.exe

Yeah it might be, but that seems strange since I rarely save any executables on my computer. What happened was the following: 

I right clicked on my recycle bin icon on my desktop and selected the "run CCleaner" option. I got a prompt saying something like "couldn't find the program". At the exact same moment I received a popup from Malwarebytes informing me that the file was infected. I just had a look in my quarantine, and it's pointing toward ccleaner.exe under: 

C:\Program Files\CCleaner\ccleaner.exe

Is there some chance that also the 64-bit version of the program has been infected? Or is this simply a precaution taken to make sure that people upgrade to the newest version? 

TL:DR: Should I nuke my system and reinstall everything? 

 

Edited by blackpencilredpencil

Share this post

Link to post
Share on other sites

arleetel   

arleetel
Posted (edited)

Have the same detection, today, but that file is on the computer since 15.08.2017, a malwarebytes scan yesterday did "not" detect it.

By the way it's just this file : Trojan.Nyetya, C:\USERS\PUBLIC\DOWNLOADS\CCSETUP533.EXE, No Action By User, [8818], [436221],1.0.2833
Trojan.Nyetya, C:\DOCUMENTS AND SETTINGS\PUBLIC\DOWNLOADS\CCSETUP533.EXE, No Action By User, [8818], [436221],1.0.2833

since that version was already replaced by the new one 5.34.6207, the old version removed.

What worries me is that it was not detected before, the cleaner being used every single day !!!

I suppose deleting those files will be OK.

Edited by arleetel

Share this post

Link to post
Share on other sites

Cake   

Cake
Posted
1 minute ago, arleetel said:

Have the same detection, today, but that file is on the computer since 15.08.2017, a malwarebytes scan yesterday did "not" detect it.

By the way it's just this file : Trojan.Nyetya, C:\USERS\PUBLIC\DOWNLOADS\CCSETUP533.EXE, No Action By User, [8818], [436221],1.0.2833
Trojan.Nyetya, C:\DOCUMENTS AND SETTINGS\PUBLIC\DOWNLOADS\CCSETUP533.EXE, No Action By User, [8818], [436221],1.0.2833

since that version was already replaced by the new one 5.34.6207, the old version removed.

What worries me is that it was not detected before, the cleaner being used every single day !!!

I suppose deleting those files will be OK.

On my system, it survived Malwarebytes Premium, Emsisoft Premium and Bitdefender 2018 Internet Security..... :ph34r:

This Ninja-Malware survived everything!

Share this post

Link to post
Share on other sites

arleetel   

arleetel
Posted (edited)

Yes it does resemble Petya but I hope quanrantine and removing will be enough.

How are we sure now that the system is clean ?  BTW Adw cleaner did not detect this neither Kaspersky !

 

Edited by arleetel

Share this post

Link to post
Share on other sites

miekiemoes   

miekiemoes
Posted

No need to Panic - Having Malwarebytes delete it and/or updating to the latest version of Ccleaner takes care of this all and your system will be clean. :)

This is in no way related with Petya though :)

Share this post

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Go To Topic Listing

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept