Getting Avast Alerts while surfing nexus


Crossforge

Ok I've noticed over this last month and the end of January I've been getting a couple of Avast blocking Alerts while surfing this site, again not downloading anything just surfing the skyrim mods section. It's only happened a couple of times so far with today being the most recent.

 

This was my last popup as of today.

 

 


Avast Web Shield has blocked a harmful webpage or file

 

Infection details

 

url: http:/54.148.194ibs;dpid=1775&dpuuid=so_CIOGIw8-qijPJ5diLnbSjw52q2j-d5I3pnzZO

Infection: url:Mal

Process C:\Programs (x86) Mozilla Firefox\firefox.exe

 

I suspect a malicious ad, which is apparently getting through my adblocker (and blocking this stuff is the only reason I use Adblocker to begin with). Though it could be a false alarm. So yeah, not sure what is up with that, hasn't happened on any other site that I've surfed so far. Anybody else had this happen?

 

 

Link to comment
Share on other sites

Microsoft Security Essentials caught an infection attempt for me today. According to the log in C:\ProgramData\Microsoft\Microsoft Antimalware\Support\MPLog-01232015-014301.log the infected files were the following:

 

C:\Program Files (x86)\PruoShOpPer\75wBm5NvWgdNKH.exe

 

Begin Resource Scan
Scan ID:{28313C69-C039-47FD-90BD-956296D77168}
Scan Source:3
Start Time:02-13-2015 16:42:36
End Time:02-13-2015 16:42:36
Explicit resource to scan
Resource Schema:file
Resource Path:C:\Program Files (x86)\PruoShOpPer\75wBm5NvWgdNKH.exe
Result Count:1
Threat Name:Adware:Win32/SaverExtension
ID:207768
Severity:4
Number of Resources:1
Resource Schema:file
Resource Path:C:\Program Files (x86)\PruoShOpPer\75wBm5NvWgdNKH.exe
Extended Info:24631888129908
End Scan

 

C:\Program Files (x86)\Open Tweet Filter\Open Tweet Filter.exe

 

Begin Resource Scan
Scan ID:{F0958133-474D-4E3D-B926-D08A90A4246E}
Scan Source:3
Start Time:02-13-2015 16:42:49
End Time:02-13-2015 16:42:49
Explicit resource to scan
Resource Schema:file
Resource Path:C:\Program Files (x86)\Open Tweet Filter\Open Tweet Filter.exe
Result Count:1
Threat Name:Adware:Win32/SaverExtension
ID:207768
Severity:4
Number of Resources:1
Resource Schema:file
Resource Path:C:\Program Files (x86)\Open Tweet Filter\Open Tweet Filter.exe
Extended Info:24631888129908
End Scan

 

C:\Program Files (x86)\deal4ome\TOhk2q0uNxPdfe.exe

 

Begin Resource Scan
Scan ID:{FFB31A5A-106D-45E0-8E55-097FA428A09B}
Scan Source:3
Start Time:02-13-2015 16:42:55
End Time:02-13-2015 16:42:55
Explicit resource to scan
Resource Schema:file
Resource Path:C:\Program Files (x86)\deal4ome\TOhk2q0uNxPdfe.exe
Result Count:1
Threat Name:Adware:Win32/SaverExtension
ID:207768
Severity:4
Number of Resources:1
Resource Schema:file
Resource Path:C:\Program Files (x86)\deal4ome\TOhk2q0uNxPdfe.exe
Extended Info:24631888129908
End Scan

 

C:\Program Files (x86)\websavEra\websavEra.exe

 

Begin Resource Scan
Scan ID:{73F5E280-82B4-426B-AAD2-99AF9C8CD7A3}
Scan Source:3
Start Time:02-13-2015 16:42:58
End Time:02-13-2015 16:42:58
Explicit resource to scan
Resource Schema:file
Resource Path:C:\Program Files (x86)\websavEra\websavEra.exe
Result Count:1
Threat Name:Adware:Win32/SaverExtension
ID:207768
Severity:4
Number of Resources:1
Resource Schema:file
Resource Path:C:\Program Files (x86)\websavEra\websavEra.exe
Extended Info:24631888129908
End Scan

 

C:\Program Files (x86)\Lesos2apoay\Lesos2apoay.exe

 

Begin Resource Scan
Scan ID:{10433719-8266-4ABF-9B16-75477521BC5D}
Scan Source:3
Start Time:02-13-2015 16:42:59
End Time:02-13-2015 16:42:59
Explicit resource to scan
Resource Schema:file
Resource Path:C:\Program Files (x86)\Lesos2apoay\Lesos2apoay.exe
Result Count:1
Threat Name:Adware:Win32/SaverExtension
ID:207768
Severity:4
Number of Resources:1
Resource Schema:file
Resource Path:C:\Program Files (x86)\Lesos2apoay\Lesos2apoay.exe
Extended Info:24631888129908
End Scan

 

C:\Program Files (x86)\SaaverPro\SaaverPro.exe

 

Begin Resource Scan
Scan ID:{A97D401C-CE27-43BD-A36A-F15C1FC68CF6}
Scan Source:3
Start Time:02-13-2015 16:43:10
End Time:02-13-2015 16:43:10
Explicit resource to scan
Resource Schema:file
Resource Path:C:\Program Files (x86)\SaaverPro\SaaverPro.exe
Result Count:1
Threat Name:Adware:Win32/SaverExtension
ID:207768
Severity:4
Number of Resources:1
Resource Schema:file
Resource Path:C:\Program Files (x86)\SaaverPro\SaaverPro.exe
Extended Info:24631888129908
End Scan

 

 

I might be wrong but my best guess is that they actually came from nexusmods.com since this is the only site I turned my adblocker off (I really DO want to support you guys!) and the files were caught while I was browsing here. After some scanning with a linux live CD with 3 different virus scanners, some manual registry and msconfig cleaning I think I've got rid of all of them, but for the time being I'll turn ADB on again and hope my report helps. I guess I should just finally get myself a premium account and stop worrying about Adware. :wink:

Link to comment
Share on other sites

I might be wrong but my best guess is that they actually came from nexusmods.com since this is the only site I turned my adblocker off (I really DO want to support you guys!) and the files were caught while I was browsing here.

 

That seems like a major assumption, to me. And, given the fact that the files were in C:\Program Files (x86) and not in some temporary internet files directory, what's suggested is not that files came from the internet, but that they are bloatware/malware in some kind of installation.

 

Virus detection software doesn't always detect intrusions the moment they occur. It scans files continuously in the background, and that often means it will find things at random times unrelated to the moment of intrusion. A possible determining factor would be to check the file attributes of those folders/files to determine when they were created.

 

 

Link to comment
Share on other sites
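The creation-time check suggested in the reply above, as an added example that is not part of any post in this thread: it parses scan blocks in the layout of the quoted MPLog excerpt and reports how long a flagged file existed before detection. The sample block, its path and the function names are constructed for illustration, and log and file timestamps are assumed to be in the same time zone.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the MPLog excerpts quoted in this thread;
# the path and scan ID are placeholders, not values from a real machine.
SAMPLE_LOG = r"""Begin Resource Scan
Scan ID:{00000000-0000-0000-0000-000000000000}
Scan Source:3
Start Time:02-13-2015 16:42:36
End Time:02-13-2015 16:42:36
Explicit resource to scan
Resource Schema:file
Resource Path:C:\Program Files (x86)\ExampleSaver\example.exe
Result Count:1
Threat Name:Adware:Win32/SaverExtension
ID:207768
Severity:4
Number of Resources:1
Resource Schema:file
Resource Path:C:\Program Files (x86)\ExampleSaver\example.exe
Extended Info:0
End Scan
"""

BLOCK_RE = re.compile(r"Begin Resource Scan\r?\n(.*?)\r?\nEnd Scan", re.S)

def parse_scans(text):
    """Return one dict per 'Begin Resource Scan' ... 'End Scan' block."""
    scans = []
    for body in BLOCK_RE.findall(text):
        fields = {}
        for line in body.splitlines():
            # Split on the first colon only: values such as C:\... contain colons.
            key, sep, value = line.partition(":")
            key = key.strip()
            if sep and key not in fields:  # keys repeat; keep the first occurrence
                fields[key] = value.strip()
        scans.append({
            "path": fields.get("Resource Path"),
            "threat": fields.get("Threat Name"),
            # The quoted log writes timestamps as month-day-year.
            "detected": datetime.strptime(fields["Start Time"], "%m-%d-%Y %H:%M:%S"),
        })
    return scans

def days_before_detection(scan, created):
    """Days the file existed before it was flagged. `created` is a datetime,
    e.g. datetime.fromtimestamp(os.stat(path).st_ctime) on Windows."""
    return (scan["detected"] - created).total_seconds() / 86400.0
```

A file created days or weeks before the detection time points to an earlier install rather than the page being browsed when the alert appeared.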

 

 

I might be wrong but my best guess is that they actually came from nexusmods.com since this is the only site I turned my adblocker off (I really DO want to support you guys!) and the files were caught while I was browsing here. After some scanning with a linux live CD with 3 different virus scanners, some manual registry and msconfig cleaning I think I've got rid of all of them, but for the time being I'll turn ADB on again and hope my report helps. I guess I should just finally get myself a premium account and stop worrying about Adware. :wink:

 

That stuff more than likely got installed when you installed something else, I doubt it came from here.

Link to comment
Share on other sites

Anyone else seeing this?

Not on Avast. I see something different and on ESET.

 

This is only on one page so far and it is from Fallout NV

 

http://www.nexusmods.com/newvegas/mods/35878/?tab=1&navtag=http%3A%2F%2Fwww.nexusmods.com%2Fnewvegas%2Fajax%2Fmoddescription%2F%3Fid%3D35878%26preview%3D&pUp=1

 

I sent in a message yesterday as I didn't see this thread here then, sorry. Every refresh of that page gets the message that the URL has been blocked. No other pages open and it stops as soon as that page has been closed.

 

I have run my antivirus and then Malwarebytes as well and nothing is active in my system currently. I have supporter status so I don't need or use Adblock on Nexus. This happens even if I turn AdBlocker on. There ends up being about 6 to 10 or so messages of various .png that have been blocked. Hope that might help.

Link to comment
Share on other sites

Looking at the URL that is being blocked, it is not a Nexus URL. And is not even an advertising company URL. And it is for a png file which we don't support. My guess is you are being redirected. Looking at the actual URL, it looks like a legit site belonging to this site

 

YDesign Group is an online-led retailer offering the best in modern and contemporary lighting, furnishings, and decorative plumbing to design driven consumers and trade professionals.

And that site seems to be what is getting the virus warning. :psyduck:

Link to comment
Share on other sites

It's the images embedded inside the description of that one mod. They're all displaying as big question marks in my Safari, and their URLs are exactly the PNGs reported above.

It appears they're hosted on a seemingly untrustworthy website and some protective systems block them.

 

I don't get any block warnings or anything, but the images still fail to display. It's also possible they simply don't exist at all to begin with and as such the image tags in this description themselves are bogus.

Link to comment
Share on other sites

Hmmm, now that you guys have mentioned it, it's possible the alerts piggybacked from a site hosting the pics for me too. I was looking for some elven armors for Sevenbase around the net and several used the Skyrim Sexy Vanilla armor for unp and sevenbase as a base requirement for their mods. And I think both alerts might have come from that page, here's the link to the mod page in question. http://www.nexusmods.com/skyrim/mods/34160/?

 

Again, it doesn't happen every time I go to the page, so it could have been some random malicious code from the pic site in question.

 

In addition Avast flagged Wrye Bash as suspected evo-gen, but I believe that's a false positive.

 

What kind of ads are you guys using btw? I want to support the site, but I'm also worried about screwing up my computer, it's brand new.

Edited by Crossforge
Link to comment
Share on other sites
