Weird (possibly malicious?) Problems with Dallas server?

19 replies to this topic

#1
BGatot

    Faithful poster

  • Members
  • 2,238 posts

I just tried to download a file from Skyrim Nexus, manually as usual (not using Mod Manager), and from the server option I chose the Dallas server, which seemed to have unusually little activity compared to the other servers. But the file I was offered to download was some 'Nexus downloader.exe' and not the file I was trying to download. Needless to say I cancelled. I tried again several times, and it's always the same, with different kinds of files too. I then tried other servers, and the file download proceeded as normal. I wonder if the Dallas server was hijacked by some malicious entity, causing less aware Nexus users to download a potentially dangerous .exe program. Using Nexus' credentials, no less!

 

Anyway, just want to point that out to you, in case you were not aware.


Edited by BGatot, 21 March 2013 - 10:47 AM.


#2
Aleanne

    Regular

  • Members
  • 57 posts

Same here. Dallas only has 1 user, others are fine. Smells fishy.



#3
Werne

    Criminal Scum

  • Members
  • 1,958 posts

I wonder if the Dallas server was hijacked by some malicious entity


Sorry, couldn't resist the urge. :teehee:



#4
cecil667

    Enthusiast

  • Members
  • 147 posts

Do not activate ANY strange executables.

Scanned it first with AVG, seems clear but it's not. Basically what it does is cancel out everything you're doing and redirect you to some phony FBI page saying they've locked your computer and require 300 dollars to unlock it.

As is obvious, don't give out ANY info or any money.

Now the big thing is finding where the f*** this thing installed so I can rid myself of it >:(

Can't log into my main account on the PC because every time I do, white phony FBI screen.



#5
cecil667

    Enthusiast

  • Members
  • 147 posts

OK, update: it's the MoneyPak virus guise (a type of trojan).

If you used the phony executable, use a malware removal tool ASAP.



#6
Werne

    Criminal Scum

  • Members
  • 1,958 posts

Scanned it first with avg, seems clear but it's not.

ClamAV recognised it as a threat, moved it to quarantine immediately. :ermm:



#7
Lanceor

    Revelationsmith

  • Premium Member
  • 2,493 posts

I just tried the Dallas server and got the same 133 KB nexus_downloader.exe file. VirusTotal says that 3/45 virus scanners flag it as suspicious, but based on what cecil667 says, it's some kind of malware.

Gonna report this right away.

#8
cecil667

    Enthusiast

  • Members
  • 147 posts

For anyone having trouble with this thing, here's a tip that may work.

Click the Start menu, and in the search box type %appdata% to open up a hidden folder where the virus might be hiding.

Go to microsoft/windows/startmenu/programs/startup.

Remove the Ctfmon (.lnk if in DOS), as that's what calls the virus up every time you log in.

Open the Windows Start menu, type %userprofile% and go to Appdata/local/temp:

remove Rool0_pk.exe

remove (random).mof file

remove v.class

Below is also a list of files that the virus disguises itself as:

%Program Files%\FBI Moneypak Virus
%Appdata%\skype.dat
%Appdata%\skype.ini
%AppData%\Protector-[rnd].exe
%AppData%\Inspector-[rnd].exe
%AppData%\vsdsrv32.exe
%AppData%\result.db
%AppData%\jork_0_typ_col.exe
%appdata%\[random].exe
%Windows%\system32\[random].exe
%Documents and Settings%\[UserName]\Application Data\[random].exe
%Documents and Settings%\[UserName]\Desktop\[random].lnk
%Documents and Settings%\All Users\Application Data\FBI Moneypak Virus
%CommonStartMenu%\Programs\FBI Moneypak Virus.lnk
%Temp%\0_0u_l.exe
%Temp%\[RANDOM].exe
%StartupFolder%\wpbt0.dll
%StartupFolder%\ctfmon.lnk
%StartupFolder%\ch810.exe
%UserProfile%\Desktop\FBI Moneypak Virus.lnk
WARNING.txt
V.class
cconf.txt.enc
tpl_0_c.exe
irb700.exe
dtresfflsceez.exe
tpl_0_c.exe
ch810.exe
0_0u_l.exe
[random].exe



#9
Dark0ne

    Webmaster

  • Admin
  • 16,789 posts

Definitely a hack job. We've fixed it up now and will look in to how this happened and how to fix it. Sorry for the problems.



#10
alphaV1za

    Enthusiast

  • Members
  • 149 posts

I just got this as well.
Like a moron I thought it might be legit, as it appeared on different mod pages when trying to download manually.

Installed it and it does indeed cause some strange crap.

It disabled my Security Center service (wscsvc) and my AV didn't detect anything.
Found a process called 666151101.exe running.

After killing that process I was able to start my WSC.

Found the 666151101.exe in my temp folder,

deleted it and ran a full updated AV scan.

 


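Added example, not part of this thread and not anything shipped by Nexus: a read-only PowerShell triage script that walks the same places the posts above point at. It lists what is in the per-user and all-users Startup folders that cecil667 describes in #8 (resolving shortcut targets, since the infection is launched from a ctfmon .lnk there), looks in %TEMP% and %APPDATA% for the filenames from that post's list and for the 666151101.exe that alphaV1za found in #10, flags any running process whose image lives in those folders, checks whether the Security Center service (wscsvc) is stopped, and hashes whatever it finds so the hashes can be looked up on VirusTotal the way Lanceor did in #7. It only reports and never deletes. The `[random]` entries in the list cannot be matched by name, so it also reports any .exe, .mof, .class or .dll sitting in those folders. Assumed: PowerShell 5.1 or later, run from the affected account (elevated if you want the all-users Startup folder read reliably); the `$KnownNames` array is built from the thread's list, nothing more.

```powershell
# Added example (not from the thread): read-only triage of the locations named in posts #7, #8 and #10.
# Assumption: PowerShell 5.1+, run as the affected user. Reports only; deletes nothing.

# Filenames taken from the list in post #8 plus the two files named in #1/#7 and #10.
# The [random]/[rnd] entries cannot be matched by name and are covered by the extension check below.
$KnownNames = @(
    'ctfmon.lnk', 'wpbt0.dll', 'ch810.exe', 'Rool0_pk.exe', 'v.class',
    '0_0u_l.exe', 'tpl_0_c.exe', 'irb700.exe', 'dtresfflsceez.exe',
    'jork_0_typ_col.exe', 'vsdsrv32.exe', 'skype.dat', 'skype.ini', 'result.db',
    'cconf.txt.enc', 'WARNING.txt', '666151101.exe', 'nexus_downloader.exe'
)

$Findings = @()

# 1. Startup folders: every entry here runs at logon, so each one is worth a look.
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $StartupDirs) {
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $reason = 'present in a Startup folder'
        if ($KnownNames -contains $_.Name) { $reason = 'matches a filename listed in the thread' }
        # Resolve .lnk targets so a shortcut pointing into %TEMP% or %APPDATA% stands out.
        $target = ''
        if ($_.Extension -eq '.lnk') {
            $shell  = New-Object -ComObject WScript.Shell
            $target = $shell.CreateShortcut($_.FullName).TargetPath
        }
        $Findings += [pscustomobject]@{ Path = $_.FullName; Target = $target; Reason = $reason }
    }
}

# 2. Drop locations named in #8 and #10: executables and .mof/.class files here are unusual.
$DropDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)
foreach ($dir in $DropDirs) {
    Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($KnownNames -contains $_.Name) -or ($_.Extension -in '.exe', '.mof', '.class', '.dll') } |
        ForEach-Object {
            $reason = if ($KnownNames -contains $_.Name) { 'matches a filename listed in the thread' }
                      else { "unexpected $($_.Extension) file in $dir" }
            $Findings += [pscustomobject]@{ Path = $_.FullName; Target = ''; Reason = $reason }
        }
}

# 3. Running processes whose image lives in a temp/appdata directory (post #10 found 666151101.exe this way).
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
    if ($_.Path -like "$env:TEMP\*" -or $_.Path -like "$env:APPDATA\*" -or $_.Path -like "$env:LOCALAPPDATA\*") {
        $Findings += [pscustomobject]@{ Path = $_.Path; Target = "PID $($_.Id)"; Reason = 'process running from a temp/appdata directory' }
    }
}

# 4. Security Center service state (post #10 reports the infection disabled it).
$wsc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
if ($wsc -and $wsc.Status -ne 'Running') {
    $Findings += [pscustomobject]@{ Path = 'service:wscsvc'; Target = "$($wsc.StartType)"; Reason = "Security Center service is $($wsc.Status)" }
}

# 5. SHA-256 of each file found, for a VirusTotal lookup (post #7) or for sharing with responders.
foreach ($f in $Findings) {
    $hash = ''
    if (Test-Path -LiteralPath $f.Path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $f.Path -Algorithm SHA256).Hash
    }
    $f | Add-Member -NotePropertyName SHA256 -NotePropertyValue $hash
}

$Findings | Format-Table -AutoSize
```

Run it before touching anything, keep the output, and only then decide what to quarantine; a Startup shortcut whose target resolves into %TEMP% is the clearest sign that the logon hook cecil667 describes is present, and the hashes let you confirm a detection from a second scanner, which matters here because the thread shows AVG and VirusTotal disagreeing with ClamAV on the same sample.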



