Weird (possibly malicious?) Problems with Dallas server?


BGatot

I just tried to download a file from Skyrim Nexus, manually as usual (not using Mod Manager), and from the server options I chose the Dallas server, which seems to have unusually little activity compared to the other servers. But the file I was offered to download was some 'Nexus downloader.exe' and not the file I was trying to download. Needless to say, I cancelled. I tried again several times, and it's always the same, with different kinds of files too. I then tried other servers, and the file download proceeded as normal. I wonder if the Dallas server was hijacked by some malicious entity, causing less aware Nexus users to download a potentially dangerous .exe program. Using Nexus' credentials, no less!

 

Anyway, just want to point that out to you, in case you were not aware.


I wonder if the Dallas server was hijacked by some malicious entity

http://cdn.memegenerator.net/instances/400x/36443699.jpg

 

Sorry, couldn't resist the urge. :teehee:


Do not activate ANY strange executables.

Scanned it first with AVG; it seems clear but it's not. Basically, what it does is cancel out everything you're doing and redirect you to some phony FBI page saying they've locked your computer and require 300 dollars to unlock it.

 

As is obvious, don't give out ANY info or any money.

 

Now the big thing is finding where the f*#@ this thing installed so I can rid myself of it >:(

Can't log into my main account on the PC because every time I do, white phony FBI screen.


I just tried the Dallas server and got the same 133 kb nexus_downloader.exe file. VirusTotal says that 3/45 virus scanners flag it as suspicious, but based on what cecil667 says, it's some kind of malware.

 

Gonna report this right away.


For anyone having trouble with this thing, here's a tip that may work.

 

Click the Start menu and, in the search box, type %appdata% to open up a hidden folder where the virus might be hiding.

Go to Microsoft/Windows/Start Menu/Programs/Startup

Remove the Ctfmon (.lnk if in DOS), as that's what calls the virus up every time you log in.

Open the Windows Start menu, type %userprofile% and go to AppData/Local/Temp

Remove Rool0_pk.exe

Remove the (random).mof file

Remove v.class

 

 

Below is also a list of files that the virus disguises itself as


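Added example (not part of any post in this thread): a read-only PowerShell listing of the two places the post above says to check, the Startup folder and the profile's Temp folder, resolving each shortcut to the file it actually launches. It assumes the Vista-or-later profile layout used in that post; `$ProfilePath` is a hypothetical parameter so the script can be pointed at the affected profile from a second account.

```powershell
# Added example, read-only: shows what runs from the Startup folders and what sits in Temp.
# Assumptions: Vista-or-later profile layout; $ProfilePath is a hypothetical parameter that
# lets you inspect the affected profile while logged in to a different account.
param([string]$ProfilePath = $env:USERPROFILE)

$startupDirs = @(
    (Join-Path $ProfilePath 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$tempDir = Join-Path $ProfilePath 'AppData\Local\Temp'
$shell   = New-Object -ComObject WScript.Shell
$exeLike = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs'
$tempExt = '.exe', '.mof', '.class'   # the file types the post says to look for in Temp

$startup = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $target = $_.FullName
        $reason = @()
        if ($_.Extension -eq '.lnk') {
            # The shortcut's name (ctfmon.lnk, for instance) says nothing about what it launches.
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            if ($target -match '\\(AppData|Application Data|Temp)\\') { $reason += 'target is in a data/temp folder' }
        } elseif ($exeLike -contains $_.Extension.ToLower()) {
            $reason += 'executable placed directly in Startup'
        }
        if ($target -and -not (Test-Path -LiteralPath $target)) { $reason += 'target missing' }
        New-Object PSObject -Property @{
            Entry = $_.FullName; Target = $target; Modified = $_.LastWriteTime
            Review = ($reason -join '; ')
        }
    }
}

# Top-level Temp files of the types named in the post, newest first.
$temp = Get-ChildItem -LiteralPath $tempDir -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ($tempExt -contains $_.Extension.ToLower()) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Length, CreationTime, LastWriteTime

'--- Startup entries (non-empty Review = look closer) ---'
$startup | Format-List Entry, Target, Modified, Review
'--- .exe / .mof / .class files in Temp, newest first ---'
$temp | Format-Table -AutoSize
```

The script only lists; it deletes nothing, so the entries it flags still have to be reviewed and removed by hand.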

I just got this as well.
Like a moron I thought it might be legit as it appeared on different mod pages when trying to download manually.

 

Installed it and it does indeed cause some strange crap.

It disabled my Security Center service (wscsvc) and my AV did detect anything.
Found a process called 666151101.exe running.

 

After killing that process I was able to start my WSC.

Found the 666151101.exe in my temp folder

Deleted it and ran a full updated AV scan.

 

http://i48.tinypic.com/2928u4k.jpg
