BGatot Posted March 21, 2013 (edited)

I just tried to download a file from Skyrim Nexus, manually as usual (not using Mod Manager), and from the server options I chose the Dallas server, which seems to have unusually little activity compared to the other servers. But the file I was offered to download was some 'Nexus downloader.exe' and not the file I was trying to download. Needless to say, I cancelled. I tried again several times, and it's always the same, with different kinds of files too. I then tried other servers, and the file download proceeded as normal.

I wonder if the Dallas server was hijacked by some malicious entity, causing less aware Nexus users to download a potentially dangerous .exe program. Using Nexus' credentials, no less! Anyway, I just want to point that out to you, in case you were not aware.

Edited March 21, 2013 by BGatot
Aleanne Posted March 21, 2013

Same here. Dallas only has 1 user, others are fine. Smells fishy.
Werne Posted March 21, 2013

"I wonder if the Dallas server was hijacked by some malicious entity"

http://cdn.memegenerator.net/instances/400x/36443699.jpg

Sorry, couldn't resist the urge. :teehee:
cecil667 Posted March 21, 2013

Do not activate ANY strange executables. Scanned it first with AVG, seems clear but it's not. Basically what it does is cancel out everything you're doing and redirect you to some phony FBI page saying they've locked your computer and require 300 dollars to unlock it. As is obvious, don't give out ANY info or any money. Now the big thing is finding where the f*#@ this thing installed so I can rid myself of it >:( Can't log into my main account on the PC because every time I do, white phony FBI screen.
cecil667 Posted March 21, 2013

K, update: it's the MoneyPak virus guise (a type of trojan). If you used the phony executable, use a malware removal tool ASAP.
Werne Posted March 21, 2013

"Scanned it first with avg, seems clear but it's not."

ClamAV recognised it as a threat, moved it to quarantine immediately. :ermm:
Lanceor Posted March 21, 2013

I just tried the Dallas server and got the same 133 kb nexus_downloader.exe file. VirusTotal says that 3/45 virus scanners flag it as suspicious, but based on what cecil667 says, it's some kind of malware. Gonna report this right away.
cecil667 Posted March 21, 2013

For anyone having trouble with this thing, here's a tip that may work.

Click the start menu, and in the search type %appdata% to open up a hidden folder where the virus might be hiding.
Go to microsoft/windows/startmenu/programs/startup
Remove the Ctfmon ( .lnk if in DOS ), as that's what calls the virus up every time you log in.

Open the Windows start menu, type %userprofile% and go to Appdata/local/temp
remove Rool0_pk.exe
remove (random).mof file
remove v.class

Below is also a list of files that the virus disguises itself as:

%Program Files%\FBI Moneypak Virus
%Appdata%\skype.dat
%Appdata%\skype.ini
%AppData%\Protector-[rnd].exe
%AppData%\Inspector-[rnd].exe
%AppData%\vsdsrv32.exe
%AppData%\result.db
%AppData%\jork_0_typ_col.exe
%appdata%\[random].exe
%Windows%\system32\[random].exe
%Documents and Settings%\[userName]\Application Data\[random].exe
%Documents and Settings%\[userName]\Desktop\[random].lnk
%Documents and Settings%\All Users\Application Data\FBI Moneypak Virus
%CommonStartMenu%\Programs\FBI Moneypak Virus.lnk
%Temp%\0_0u_l.exe
%Temp%\[RANDOM].exe
%StartupFolder%\wpbt0.dll
%StartupFolder%\ctfmon.lnk
%StartupFolder%\ch810.exe
%UserProfile%\Desktop\FBI Moneypak Virus.lnk
WARNING.txt
V.class
cconf.txt.enc
tpl_0_c.exe
irb700.exe
dtresfflsceez.exe
tpl_0_c.exe
ch810.exe
0_0u_l.exe
[random].exe
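A read-only way to check the folders and file names from the post above, as an added example that is not part of the thread and not from any poster. It assumes a Windows Vista-or-later profile layout and PowerShell 4 or later (for Get-FileHash); the `$UserProfile` parameter is a hypothetical name introduced here.

```powershell
# Added example (not from the thread). Read-only: nothing is deleted or changed.
# $UserProfile is a hypothetical parameter so an administrator can point the
# check at a profile that can no longer be logged into.
param([string]$UserProfile = $env:USERPROFILE)

# Assumed Windows Vista-or-later profile layout
$appData = Join-Path $UserProfile 'AppData\Roaming'
$startup = Join-Path $appData 'Microsoft\Windows\Start Menu\Programs\Startup'
$temp    = Join-Path $UserProfile 'AppData\Local\Temp'

# Folder -> file names copied from the post. '*.mof' stands in for its
# "(random).mof" and '-*' for its "[rnd]".
$checks = @(
    @{ Dir = $startup; Names = 'ctfmon.lnk', 'wpbt0.dll', 'ch810.exe' }
    @{ Dir = $temp;    Names = 'Rool0_pk.exe', '*.mof', 'V.class', '0_0u_l.exe' }
    @{ Dir = $appData; Names = 'skype.dat', 'skype.ini', 'Protector-*.exe',
                               'Inspector-*.exe', 'vsdsrv32.exe', 'result.db',
                               'jork_0_typ_col.exe' }
)

$shell = New-Object -ComObject WScript.Shell   # reads shortcut targets

$hits = foreach ($check in $checks) {
    if (-not (Test-Path -LiteralPath $check.Dir)) { continue }
    foreach ($name in $check.Names) {
        # -Force includes hidden and system files
        Get-ChildItem -LiteralPath $check.Dir -Filter $name -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash   = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                $target = $null
                if ($_.Extension -eq '.lnk') {
                    # For a shortcut, the target is the program started at logon
                    $target = $shell.CreateShortcut($_.FullName).TargetPath
                }
                [pscustomobject]@{
                    Path     = $_.FullName
                    Size     = $_.Length
                    Modified = $_.LastWriteTime
                    SHA256   = $hash.Hash
                    Target   = $target
                }
            }
    }
}

# A name match is a lead to review, not proof of infection
if ($hits) { $hits | Format-List } else { 'None of the listed file names were found.' }
```

When run from a different administrator account, pass the affected profile's path with `-UserProfile`.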
Dark0ne Posted March 21, 2013

Definitely a hack job. We've fixed it up now and will look into how this happened and how to fix it. Sorry for the problems.
alphaV1za Posted March 21, 2013

I just got this as well. Like a moron I thought it might be legit as it appeared on different mod pages when trying to download manually. Installed it and it does indeed cause some strange crap. It disabled my Security Center service (wscsvc) and my AV did detect anything. Found a process called 666151101.exe running. After killing that process I was able to start my WSC. Found the 666151101.exe in my temp folder, deleted it and ran a full updated AV scan.

http://i48.tinypic.com/2928u4k.jpg