Crossforge Posted February 11, 2015

Ok, I've noticed over this last month and the end of January I've been getting a couple of Avast blocking alerts while surfing this site, again not downloading anything, just surfing the Skyrim mods section. It's only happened a couple of times so far, with today being the most recent. This was my last popup as of today.

Avast Web Shield has blocked a harmful webpage or file
Infection details
url: http:/54.148.194ibs;dpid=1775&dpuuid=so_CIOGIw8-qijPJ5diLnbSjw52q2j-d5I3pnzZO
Infection: url:Mal
Process C:\Programs (x86) Mozilla Firefox\firefox.exe

I suspect a malicious ad, which is apparently getting through my adblocker (and blocking this stuff is the only reason I use Adblocker to begin with). Though it could be a false alarm. So yeah, not sure what is up with that, hasn't happened on any other site that I've surfed so far. Anybody else had this happen?
bben46 Posted February 12, 2015

Anyone else seeing this?
matortheeternal Posted February 12, 2015

I use Avast and adblock when I browse the Nexus and I haven't seen this.
hansi666 Posted February 13, 2015

Microsoft Security Essentials caught an infection attempt for me today. According to the log in C:\ProgramData\Microsoft\Microsoft Antimalware\Support\MPLog-01232015-014301.log the infected files were the following:

C:\Program Files (x86)\PruoShOpPer\75wBm5NvWgdNKH.exe

    Begin Resource Scan
    Scan ID:{28313C69-C039-47FD-90BD-956296D77168}
    Scan Source:3
    Start Time:02-13-2015 16:42:36
    End Time:02-13-2015 16:42:36
    Explicit resource to scan
    Resource Schema:file
    Resource Path:C:\Program Files (x86)\PruoShOpPer\75wBm5NvWgdNKH.exe
    Result Count:1
    Threat Name:Adware:Win32/SaverExtension
    ID:207768
    Severity:4
    Number of Resources:1
    Resource Schema:file
    Resource Path:C:\Program Files (x86)\PruoShOpPer\75wBm5NvWgdNKH.exe
    Extended Info:24631888129908
    End Scan

C:\Program Files (x86)\Open Tweet Filter\Open Tweet Filter.exe

    Begin Resource Scan
    Scan ID:{F0958133-474D-4E3D-B926-D08A90A4246E}
    Scan Source:3
    Start Time:02-13-2015 16:42:49
    End Time:02-13-2015 16:42:49
    Explicit resource to scan
    Resource Schema:file
    Resource Path:C:\Program Files (x86)\Open Tweet Filter\Open Tweet Filter.exe
    Result Count:1
    Threat Name:Adware:Win32/SaverExtension
    ID:207768
    Severity:4
    Number of Resources:1
    Resource Schema:file
    Resource Path:C:\Program Files (x86)\Open Tweet Filter\Open Tweet Filter.exe
    Extended Info:24631888129908
    End Scan

C:\Program Files (x86)\deal4ome\TOhk2q0uNxPdfe.exe

    Begin Resource Scan
    Scan ID:{FFB31A5A-106D-45E0-8E55-097FA428A09B}
    Scan Source:3
    Start Time:02-13-2015 16:42:55
    End Time:02-13-2015 16:42:55
    Explicit resource to scan
    Resource Schema:file
    Resource Path:C:\Program Files (x86)\deal4ome\TOhk2q0uNxPdfe.exe
    Result Count:1
    Threat Name:Adware:Win32/SaverExtension
    ID:207768
    Severity:4
    Number of Resources:1
    Resource Schema:file
    Resource Path:C:\Program Files (x86)\deal4ome\TOhk2q0uNxPdfe.exe
    Extended Info:24631888129908
    End Scan

C:\Program Files (x86)\websavEra\websavEra.exe

    Begin Resource Scan
    Scan ID:{73F5E280-82B4-426B-AAD2-99AF9C8CD7A3}
    Scan Source:3
    Start Time:02-13-2015 16:42:58
    End Time:02-13-2015 16:42:58
    Explicit resource to scan
    Resource Schema:file
    Resource Path:C:\Program Files (x86)\websavEra\websavEra.exe
    Result Count:1
    Threat Name:Adware:Win32/SaverExtension
    ID:207768
    Severity:4
    Number of Resources:1
    Resource Schema:file
    Resource Path:C:\Program Files (x86)\websavEra\websavEra.exe
    Extended Info:24631888129908
    End Scan

C:\Program Files (x86)\Lesos2apoay\Lesos2apoay.exe

    Begin Resource Scan
    Scan ID:{10433719-8266-4ABF-9B16-75477521BC5D}
    Scan Source:3
    Start Time:02-13-2015 16:42:59
    End Time:02-13-2015 16:42:59
    Explicit resource to scan
    Resource Schema:file
    Resource Path:C:\Program Files (x86)\Lesos2apoay\Lesos2apoay.exe
    Result Count:1
    Threat Name:Adware:Win32/SaverExtension
    ID:207768
    Severity:4
    Number of Resources:1
    Resource Schema:file
    Resource Path:C:\Program Files (x86)\Lesos2apoay\Lesos2apoay.exe
    Extended Info:24631888129908
    End Scan

C:\Program Files (x86)\SaaverPro\SaaverPro.exe

    Begin Resource Scan
    Scan ID:{A97D401C-CE27-43BD-A36A-F15C1FC68CF6}
    Scan Source:3
    Start Time:02-13-2015 16:43:10
    End Time:02-13-2015 16:43:10
    Explicit resource to scan
    Resource Schema:file
    Resource Path:C:\Program Files (x86)\SaaverPro\SaaverPro.exe
    Result Count:1
    Threat Name:Adware:Win32/SaverExtension
    ID:207768
    Severity:4
    Number of Resources:1
    Resource Schema:file
    Resource Path:C:\Program Files (x86)\SaaverPro\SaaverPro.exe
    Extended Info:24631888129908
    End Scan

I might be wrong but my best guess is that they actually came from nexusmods.com since this is the only site I turned my adblocker off (I really DO want to support you guys!) and the files were caught while I was browsing here. After some scanning with a Linux live CD with 3 different virus scanners, some manual registry and msconfig cleaning I think I've got rid of all of them, but for the time being I'll turn ADB on again and hope my report helps. I guess I should just finally get myself a premium account and stop worrying about Adware. :wink:
matortheeternal Posted February 13, 2015

> I might be wrong but my best guess is that they actually came from nexusmods.com since this is the only site I turned my adblocker off (I really DO want to support you guys!) and the files were caught while I was browsing here.

That seems like a major assumption, to me. And, given the fact that the files were in C:\Program Files (x86) and not in some temporary internet files directory, what's suggested is not that files came from the internet, but that they are bloatware/malware in some kind of installation. Virus detection software doesn't always detect intrusions the moment they occur. It scans files continuously in the background, and that often means it will find things at random times unrelated to the moment of intrusion. A possible determining factor would be to check the file attributes of those folders/files to determine when they were created.
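The creation-time check suggested in the post above, as an added example that is not part of the original thread: it parses scan entries in the log layout quoted earlier and compares each flagged file's creation time (or its folder's, if the scanner already removed the file) with the detection time. The function names and the 10-minute window are hypothetical choices, and the log and file times are assumed to be in the same time zone.

```python
import ntpath
import os
import re
from datetime import datetime, timedelta

# Constructed sample: two entries in the layout of the log quoted in this
# thread, one field per line, reduced to the fields used here.
SAMPLE_LOG = r"""Begin Resource Scan
Start Time:02-13-2015 16:42:36
Resource Path:C:\Program Files (x86)\PruoShOpPer\75wBm5NvWgdNKH.exe
Threat Name:Adware:Win32/SaverExtension
End Scan
Begin Resource Scan
Start Time:02-13-2015 16:43:10
Resource Path:C:\Program Files (x86)\SaaverPro\SaaverPro.exe
Threat Name:Adware:Win32/SaverExtension
End Scan
"""
ENTRY = re.compile(r"Begin Resource Scan(.*?)End Scan", re.S)
FIELD = re.compile(r"^(Start Time|Resource Path|Threat Name):(.*)$", re.M)

def parse_detections(log_text):
    """One dict per 'Begin Resource Scan ... End Scan' block."""
    for block in ENTRY.findall(log_text):
        f = {k: v.strip() for k, v in FIELD.findall(block)}
        yield {"path": f["Resource Path"], "threat": f["Threat Name"],
               "detected": datetime.strptime(f["Start Time"], "%m-%d-%Y %H:%M:%S")}

def creation_time(path):
    """Creation time from disk; st_ctime means creation time on Windows only."""
    try:
        return datetime.fromtimestamp(os.stat(path).st_ctime)
    except OSError:
        return None  # file quarantined, deleted or unreadable

def classify(detected, created, window=timedelta(minutes=10)):
    """Assumes log times and file times share a time zone (not verified)."""
    if created is None:
        return "unknown"
    if created > detected:
        return "created-after-detection"  # clock skew or a re-created file
    return "created-at-detection" if detected - created <= window else "pre-existing"

def triage(log_text, ctime_fn=creation_time):
    """Fall back to the parent folder when the scanner already removed the file."""
    rows = []
    for d in parse_detections(log_text):
        created = ctime_fn(d["path"]) or ctime_fn(ntpath.dirname(d["path"]))
        rows.append((d["path"], d["threat"], classify(d["detected"], created)))
    return rows
```

A "pre-existing" verdict supports the bundled-installer explanation; "created-at-detection" means the file appeared during the browsing session and the download source deserves a closer look.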
JimboUK Posted February 14, 2015

> I might be wrong but my best guess is that they actually came from nexusmods.com since this is the only site I turned my adblocker off (I really DO want to support you guys!) and the files were caught while I was browsing here. After some scanning with a linux live CD with 3 different virus scanners, some manual registry and msconfig cleaning I think I've got rid of all of them, but for the time being I'll turn ADB on again and hope my report helps. I guess I should just finally get myself a premium account and stop worrying about Adware. :wink:

That stuff more than likely got installed when you installed something else, I doubt it came from here.
rblood01 Posted February 14, 2015

> Anyone else seeing this?

Not on Avast. I see something different and on ESET. This is only on one page so far and it is from Fallout NV:

http://www.nexusmods.com/newvegas/mods/35878/?tab=1&navtag=http%3A%2F%2Fwww.nexusmods.com%2Fnewvegas%2Fajax%2Fmoddescription%2F%3Fid%3D35878%26preview%3D&pUp=1

I sent in a message yesterday as I didn't see this thread here then, sorry. Every refresh of that page gets the message that the URL has been blocked. No other pages open and it stops as soon as that page has been closed. I have run my antivirus and then Malwarebytes as well and nothing is active in my system currently. I have supporter status so I don't need or use Adblock on Nexus. This happens even if I turn AdBlocker on. There ends up being about 6 to 10 or so messages of various .png that have been blocked. Hope that might help.
bben46 Posted February 14, 2015

Looking at the URL that is being blocked, it is not a Nexus URL. And is not even an advertising company URL. And it is for a png file which we don't support. My guess is you are being redirected. Looking at the actual URL, it looks like a legit site belonging to this site:

> YDesign Group is an online-led retailer offering the best in modern and contemporary lighting, furnishings, and decorative plumbing to design driven consumers and trade professionals.

And that site seems to be what is getting the virus warning. :psyduck:
DrakeTheDragon Posted February 14, 2015

It's the images embedded inside the description of that one mod. They're all displaying as big question marks in my Safari, and their URLs are exactly the PNGs reported above. It appears they're hosted on a seemingly untrustworthy website and some protective systems block them. I don't get any block warnings or anything, but the images still fail to display. It's also possible they simply don't exist at all to begin with and as such the image tags in this description themselves are bogus.
Crossforge Posted February 14, 2015 (edited)

Hmmm, now that you guys have mentioned it, it's possible the alerts piggybacked from a site hosting the pics for me too. I was looking for some elven armors for Sevenbase around the net and several used the Skyrim Sexy Vanilla armor for unp and sevenbase as a base requirement for their mods. And I think both alerts might have come from that page, here's the link to the mod page in question.

http://www.nexusmods.com/skyrim/mods/34160/?

Again, it doesn't happen every time I go to the page, so it could have been some random malicious code from the pic site in question. In addition Avast flagged Wrye Bash as suspected evo-gen, but I believe that's a false positive. What kind of ads are you guys using btw? I want to support the site, but I'm also worried about screwing up my computer, it's brand new.

Edited February 14, 2015 by Crossforge