
CCleaner - false detection or real?


coops1


This morning, my Malwarebytes (Windows 10, v3.2.2 Premium) reported that it quarantined Nyetya on a reboot this a.m.
I'd like to understand if this is likely a false positive or real.
 
The exe file it reports seems to be a program I installed a long time ago (which I purchased a license for; it is a utility for cleaning the registry etc. - CCleaner from Piriform):
 

C:\Program Files\CCleaner\CCleaner.exe

which makes sense, as that is where I installed it.
 
Notes:

I don't know the source or time of the 'infection'.

The detection was preceded by an apparent problem finding my user profile on login this a.m. from a Shutdown state when I left home. I started up the machine on the office network.

After another try, I was able to log in, but my desktop was missing.

I then followed some instructions (looked up on internet, amounting to copying my desktop folder somewhere) for recovering my desktop, based on the Windows error messages, and restarted the computer. Desktop was recovered (with icon locations reset) and login appeared normal.

However, Malwarebytes reported that it quarantined the "Nyetya" Trojan.

Looking at the details, I see the CCleaner.exe file is what was quarantined.

nyetnya_log.txt


Malwarebytes also found Nyetya 8 times on my computer this morning! I actually came here to inform Malwarebytes of this in case they didn't receive it directly from my computer. I'M SO GLAD I HAVE MALWAREBYTES PREMIUM!!!

I must have gotten it when I downloaded the latest version of CCleaner, v5.34.6207.

Do I need to delete my CCleaner? I have been having so much trouble with it for months, but haven't deleted it because, even waiting for 10 minutes at a time to clean my 'puter every time I leave the internet, I thought it necessary. It stopped running badly after downloading the new version, but now this scary stuff... Am I fooling myself? Should I simply delete CCleaner with this new trojan problem? If I didn't have Malwarebytes I'd have been in a world of hurt.

Bless YOU ALL!!

Edited by Bethyboo
Needed to add further info.

Shadowwar helped me resolve this. I was having issues also, but I was not rebooting the computer between uninstall and reinstall of CCleaner. I would uninstall CCleaner and then reinstall it, and MWB would detect Trojan.Nyetya every time. Once Shadowwar told me about this, I uninstalled CCleaner, rebooted the computer and reinstalled CCleaner, and I did not have any more problems at this time. CCleaner opened without issues.


Guess what? I downloaded CCleaner from Piriform's website using 'ftp' AND also have that 'Trojan.Floxif' on my system as detected by MBAM Premium. So I may quote in part from the blog so graciously provided by "shadowwar":

"Threat actors have managed to change the files that were being delivered by Avast servers hosting CCleaner updates. In case you are wondering why they were on those servers, Avast acquired Piriform, the original publishers of CCleaner, a few months ago.

The incident was discovered and reported by Talos. Piriform is aware of the situation and is acting to prevent further damage. They are also investigating how the files coming from their servers were modified before being released to the public."

To also inform all that it is not just the AVAST server: Piriform's server is also infected. I just downloaded a few days ago (September 08, 2017 to be more exact) and had just upgraded to the Pro (PD) version.


If I may add this comment: that is not very easy to clear off our systems. It has taken me several hours, even days, to finally rid my system of that "Trojan", working mostly 'off-line', not connected to the net.

After doing some extensive investigating, I have finally improved the operations of my system. I do not recommend anyone doing what I have learned to do to protect my system. Details are not shared unless specific questions are asked; in other words, those of you who ask the correct questions will know and understand what I have done.

Thank you for reading my messages


Excuse me, "Metallica", for misquoting the 'blog', giving credit to "shadowwar" instead of you, "Metallica". With so much happening and first time being infected after about 33 years, not bad for a dummy: self-taught, not any formal training, just the "School-Of-Hard-Knocks." Never graduate nor given any sort of label to hang on a wall, as you are always in school.


Bethyboo,

I am not an expert, yet have some experience in keeping my system clear for over 35 years. So I do not think that is too bad.

If MBAM Premium did quarantine your CCleaner.exe file from v5.33.6162, and you removed that version by using their cleaner software with reboots as required, then installing the latest version 5.34.6207 (for 64-bit O/S), then you should be safer. I cannot give information on 32-bit systems. Plus one last point for you: if you have the expertise to work within the Registry, look for this key without the quotes, " HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo " (that is why there are extra spaces between the quotes and the key). If you go to the 'blog' as shown by "Metallica" you will find that information there and some additional data.

If you are just a user and not familiar with this type of procedure, then you should consult with more informed people than myself; I am just self-taught and do things that are not recommended.

 

41 minutes ago, Bethyboo said:

Can anyone possibly answer my questions I posted, please?

Edited by NTxLS
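The post above describes the manual checks for a machine that had the affected CCleaner build: confirm which CCleaner.exe version is installed and look for the HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo key. The following PowerShell script is an added example for this thread, not code from any of the posters or from Piriform/Malwarebytes. It assumes the default install path quoted earlier in the thread (C:\Program Files\CCleaner\CCleaner.exe), an elevated PowerShell session, and that the 32-bit registry view on a 64-bit OS lives under WOW6432Node; the version 5.33.6162 it flags is the one the post names as quarantined, and the way the numeric VersionInfo fields are mapped onto that string is an assumption about how the build number is stored.

```powershell
# Added example (not from the thread): triage checks for the 2017 CCleaner incident.
# Assumptions: CCleaner at the default path quoted in the thread, elevated session,
# 32-bit registry view under WOW6432Node. Run as:  .\ccleaner-triage.ps1

$ExePath  = 'C:\Program Files\CCleaner\CCleaner.exe'
$Affected = [version]'5.33.6162'     # build the thread reports as quarantined
$AgomoKeys = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',             # 64-bit registry view
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'  # 32-bit view on a 64-bit OS (assumed location)
)

function Get-CCleanerVersion {
    param([string]$Path)
    # Assumption: the build number 6162 is stored in either the Build or the
    # Private field, so both layouts (5.33.6162.0 and 5.33.0.6162) are handled.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $build = if ($vi.FilePrivatePart -gt 0) { $vi.FilePrivatePart } else { $vi.FileBuildPart }
    return [version]("{0}.{1}.{2}" -f $vi.FileMajorPart, $vi.FileMinorPart, $build)
}

function Test-CCleanerInstall {
    param([string]$Path, [version]$AffectedVersion)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Present = $false; Version = $null; IsAffected = $false; Sha256 = $null; Signer = $null }
    }
    $ver = Get-CCleanerVersion -Path $Path
    # A valid Authenticode signature does NOT clear the file: the tampered 5.33
    # build was signed with Piriform's legitimate certificate, so the version and
    # hash are what matter here. Record the hash for comparison with the vendor's
    # published values (none are reproduced in this thread).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return [pscustomobject]@{
        Present    = $true
        Version    = $ver
        IsAffected = ($ver.Major -eq $AffectedVersion.Major -and
                      $ver.Minor -eq $AffectedVersion.Minor -and
                      $ver.Build -eq $AffectedVersion.Build)
        Sha256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
}

function Test-AgomoKey {
    param([string[]]$Keys)
    # Returns one row per candidate key: whether it exists and which value names it holds.
    foreach ($k in $Keys) {
        $exists = Test-Path -LiteralPath $k
        $names  = @()
        if ($exists) {
            $item  = Get-Item -LiteralPath $k
            $names = $item.GetValueNames()
        }
        [pscustomobject]@{ Key = $k; Exists = $exists; ValueNames = ($names -join ', ') }
    }
}

$install = Test-CCleanerInstall -Path $ExePath -AffectedVersion $Affected
$install | Format-List

if ($install.IsAffected) {
    Write-Warning "CCleaner $($install.Version) is the build reported in this thread; uninstall, reboot, then reinstall a newer build."
}

$keys = Test-AgomoKey -Keys $AgomoKeys
$keys | Format-Table -AutoSize

if ($keys | Where-Object Exists) {
    Write-Warning 'Piriform\Agomo key present; the trojanised build is known to create it, so treat the host as affected until it is cleaned.'
}
```

The script only reports; it deliberately does not delete the key or the file, so the findings can be captured before the reboot-uninstall-reinstall cycle that the earlier reply describes. A clean 5.34 install should show IsAffected = False and no Agomo key in either registry view.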

On 9/18/2017 at 9:59 AM, Metallica said:

Hi coops1,

That is not a false positive.

You can find more information here: 

https://blog.malwarebytes.com/security-world/2017/09/infected-ccleaner-downloads-from-official-servers/

 

Pieter Arntz,

If I may ask: what is required to access the 'blog' website, or is it just for viewing?
