Database Breach - An Update

[electricpanda14]

After learning about this incident, I have noticed many sign-in attempts from a few different locations in the span of last week, but google blocked them all because of their location and they were on PCs never used before. Has anyone else gotten these recently? They were all attempted from either Ukraine or Vietnam.

[electricpanda14]

I have various dsound.dll files in my windows directory, but I'm not sure whether or not a file from a mod would be able to get there on its own. They all have strange characters (not familiar with how .dll files work) and in the center all have written "S A P P H A C K I D _ D E V A C C E L D S A P P H A C K I D _ D I S A B L E D E V I C E D S A P P H A C K I D _ P A D C U R S O R S D S A P P H A C K I D _ M O D I F Y C S B F A I L U R E D S A P P H A C K I D _ R E T U R N W R I T E P O S D S A P P H A C K I D _ S M O O T H W R I T E P O S D S A P P H A C K I D _ C A C H E P O S I T I O N S P r e - M a y 2 0 0 0 Q u i c k T i m e

 

This is all followed by a large amount of text saying stuff like "Call failed due to parameters" and other weird ass stuff

 

[h3Xh3X]

In response to post #31999465. #32033155 is also a reply to the same post.

Lioness446 wrote: I searched my computer and found a dsound.dll file, but I am not sure if it's a suspicous file or something my computer needs. I opened it in Notepad and found this:
ˆ €   € ¸ È Ø Hh ð d ² a |
W E V T _ T E M P L A T E M U I |4 V S _ V E R S I O N _ I N F O ½ïþ @° @°? Ú S t r i n g F i l e I n f o ¶ 0 4 0 9 0 4 B 0 L C o m p a n y N a m e M i c r o s o f t C o r p o r a t i o n @ F i l e D e s c r i p t i o n D i r e c t S o u n d l & F i l e V e r s i o n 6 . 1 . 7 6 0 0 . 1 6 3 8 5 ( w i n 7 _ r t m . 0 9 0 7 1 3 - 1 2 5 5 ) 8 I n t e r n a l N a m e D i r e c t S o u n d € . L e g a l C o p y r i g h t © M i c r o s o f t C o r p o r a t i o n . A l l r i g h t s r e s e r v e d . > O r i g i n a l F i l e n a m e d s o u n d . d l l j % P r o d u c t N a m e M i c r o s o f t ® W i n d o w s ® O p e r a t i n g S y s t e m B P r o d u c t V e r s i o n 6 . 1 . 7 6 0 0 . 1 6 3 8 5 D V a r F i l e I n f o $ T r a n s l a t i o n ° CRIM° Kµ“ŠZǵI¥¾`q[3$ WEVTŒ Œ ô Ü è ( 4 @ CHANh ¨ ÿÿÿÿL M i c r o s o f t - W i n d o w s - D i r e c t S o u n d / D e b u g TTBLè TEMPP P Òêyg¦Ø»$ž<[ 7øJ. ÿÿ D‚ E v e n t D a t a TEMPŒ a\û { ?¬~dcüò
. Aÿÿ D‚ E v e n t D a t a ´ FMw x m l n s : a u t o - n s 2 / h t t p : / / s c h e m a s . m i c r o s o f t . c o m / w i n / 2 0 0 4 / 0 8 / e v e n t s ¼ x m l n s
D i r e c t S o u n d N S ÿÿ
h r
ÿÿ [k h r S t r i n g
¸ Ä h r h r S t r i n g OPCO LEVL@ P ( w i n : I n f o r m a t i o n a l TASK KEYW EVNTp € ° ô ˜ € °P ô ˜ ÍþÍþ𠆔›³žxn`¡è9:¹'6[²æ[àG¤Ã uhl.…· ˆ * ¸ À Ð à W E V T _ T E M P L A T E M U I M U I e n - U S

And this...

DSOUND.dll DirectSoundCaptureCreate DirectSoundCaptureCreate8 DirectSoundCaptureEnumerateA DirectSoundCaptureEnumerateW DirectSoundCreate DirectSoundCreate8 DirectSoundEnumerateA DirectSoundEnumerateW DirectSoundFullDuplexCreate DllCanUnloadNow DllGetClassObject GetDeviceID

Does this mean it's legit, or should I delete it?

electricpanda14 wrote: I found quite a few dsoun.dll files in my windows files. For now, I would just stick with some sort of antivirus and scan your computer, because I dont think a mod actually can contain any exes to make it install in that directory.

DLL files (dynamic linked library) are compiled binary files that applications can use to access extended functionality, and can not be understood by looking at them in a text editor.

Dsound.dll is a part of DirectX (a windows component that deals with interfacing with game hardware), called DirectSound. If the file was infected with malware, it needs to be unpacked and analyzed by a professional malware analyst to determine its threat. Not all malware is detectable by generic virus scanners, and you certainly can't open a file in notepad and see if it's malicious or not.

[bben46]

Malware often hijacks the name of a ligit file. So just going by the name can cause you to delete something that is actually a ligit file and needed by the computer.

[h3Xh3X]

In response to post #31985445.

MartineV wrote: How would a compromised dll file contained in a mod actually infect a PC. As far as I know, most mods do not execute code do they?

If you put it in your game dir the executable may call a function from it when accessing directsound functions (playing sound). If the file is compromised these functions may do other things than the original directsound dll file does, such as writing to the file system and leaving a backdoor to the system, dropping a rootkit or whatever else.

[BlueGunk]

Thank you for the update!

 

I recently (17 October on) started having inexplicable Skyrim game crashes on perfectly good games. The crashes were instant, on saving the game, usually appearing around save 130 upwards. It led me to scrap and rebuild the games and try again, not once but FOUR times, all with TESV.exe faulting violating virtual memory access. On debugging the DMP files through Visual Studio, what was the last file logged but dsound.dll .

 

So, is this why I had the instant CTDs on save? Is it a compromised dsound.dll acquired via Nexus downloads? Or just a genuine failure in my game. Is this the work of someone who wants to get at Skyrim Nexus users and players as a revenge bomb? I don't know but there we are.

 

I'd appreciate some guidance on how I can check this file. I'm sure others would!! I'm on Win 10. The DLLs I have are all the same date apart from a couple of older ones that go with my GTAIV game. A cursory glance using an on-line DLL viewer shows nothing odd but that may be meaningless. I ran the dsound.dlls through AVG - nothing came up.

 

I understand dsound.dll is a Directx generated file calling other functions, so you can't "get a replacement". May require a reinstall of Directx to clean?

 

Thanks guys and well done on catching this, and being so informative to the Nexus users!

 

ADDENDUM: I see on Reddit that the "rename dog meat" mod may have been a compromised mod. Is it a coincidence that on my game load screens, the dog is missing parts of fur textures and looks weird??? No other picture is affected. Anyone else seen this?

Edited December 16, 2015 by BlueGunk

[Deleted54170User]

I've seen the unfinished kind of pattern within the Windows 10 OS. My account with is suffering from forum post failures, like we all haven't seen that before... Edge is causing suffering almost identical to those days when the browser wars were trying to win popularity by making the best browser.

 

Windows 10's Edge is a bit buggy still and caused a few posts I typed to not post here at forums.nexusmods when using Windows 10's browser, "Edge". I clicked on post and nothing happened. I refreshed the page tried again and VOILA' it worked.

 

I've noticed, because I am more tech conscious, that a lot of the same problems which were happening a few years ago, a couple of years ago, and a year ago are happening again with the arrival of the new OS Windows 10.

Who would have thought that might happen? :laugh:

Since I restored this legal licensed version of Windows 7 Pro 64 bit, only a five months ago, it is already corrupt to the point it was before I decided to do the completely reformat and reinstall it.

 

Windows Update is making Windows 7 64 bit OS's look like a fish flopping around on the shore trying to get back into the water.

 

Now that I have finished this post successfully, I will unplug this hard drive and plug in the other one, which used to be the Windows 7 Pro I bought a second license for. Then I could connect with Games for Windows Live for Fallout 3. Now that HD has Windows 10 OS. Skyrim is the only Steam Game I have on it. In fact, it is the only game that isn't part of the Windows 10 amazingly new look and feel of Windows 8.1, looks a lot like Xbox One features, games services available on Windows 10. :wink: :wink:

[BlueGunk]

In response to post #31699195. #31709590, #31710865, #31717215, #31727420, #31727725, #31727755, #31735675, #31736475, #31737125, #31745975, #31747430, #31762590, #31770575, #31770655, #31770875, #31775185, #31778925, #31779245, #31780640, #31785130, #31785185, #31786765, #31806700, #31808850, #31811630, #31817170, #31846715, #31849190, #31856815, #31866030, #31877395, #31877985, #31881445, #31885980, #31893710, #31897225, #31899965, #31901575, #31906245, #31910235, #31914830, #31930150, #31951615, #31978895, #31980730, #31990045, #31998065 are all replies on the same post.

rickman wrote: If you are reading this Robin, know this: the community is supportive BECAUSE you share this stuff outright, clearly, and with incredible haste. If you treated us like Sony did in December of 2012, knowing the problem and denying it for two weeks or more, we'd probably be a lot less kind. There is also this to consider: You told us EXACTLY what, who, when, and how, as soon as you could, and in plain, simple terminology. I (and most likely about 10,000,000 others) appreciate a straightforward answer when there is an issue. But MOST IMPORTANTLY, you are kind and humble about it. If someone was mad at the employees of Nexus after your immaculate behavior, They are clearly not the kind of individual that we should be associated with as a user base. I personally love this site for a myriad of reasons, to explain it would take a ten+ page essay to enumerate all of the reasons why. To be clear though, the biggest reason, THE STAFF TREATS THE USER BASE LIKE PEOPLE. Despite there being 10,000,000 of us, we don't feel like faceless numbers. And that is because you seem to CARE. Don't stop doing that, and this awesome community will probably never devolve.

Thank you for being the best you can be.
Richard.

JZSquared wrote: ^This sums up my feelings exactly. I couldn't have said it better myself.

Lokie7 wrote: I second this, entirely. Well said.

Netsplite wrote: ^ +1

ZedLeppelin wrote: A wee bit verbose, (and I know verbose!), but rather well said and pretty damn accurate. The Nexus staff treats people like people, not numbers.

Inboundwhisper wrote: +1

Inboundwhisper wrote: +1

Aricole wrote: +1

lordmanticore wrote: +1

btgbullseye wrote: +1

xenonblade wrote: +1

AlexZander40 wrote: Well said. May the modding goodness continue.

DFX2K9 wrote: Agreed. no matter who you are, and how much money you've got, you're going to get a breach at some point. At least you salted the passwords, and use a hashing algorithm..

More then I can say for my local Library's system. A breach in THAT database would be catastrophic (note, it sends you your old password via email, that should give you an idea of how terrible it is)

Legion563 wrote: +1.

ExtremeMod911 wrote: Absolutely :)

Domifax wrote: +1

Bernt wrote: Totally agree :)

Dragodian777 wrote: "Ditto"...well said.

Saltamontes1980 wrote: +1
I concur, thank you Dark0ne.

dagstar132 wrote: good point well made. transparency in operation and intention is paramount.

Thanks for sharing.

Dag

JD777 wrote: +(1 X infinity) :)

JD777 wrote: Sorry double post but no delete button. :(

MTZGG wrote: Ad Victoriam.

Mycu wrote: 100% agreed.

Mindprobe24 wrote: +1, nice words dude ;)

Jn_Panower wrote: +1 !

Stargazer2893 wrote: +1

Erez747 wrote: +1 Couldn't have said it better myself. :)

Slimysumocow wrote: Definitely +1 for the wonderful Dark0ne and the rest of the Nexus team! Thank you guys!

EWM333 wrote: well said Richard, this is a great community. Thanks Robin for giving modders and gamers a way to play games on a higher level

MooseUpNorth wrote: Very well said. +1

Bram1970 wrote: +1

grimgagorim wrote: +1 well said, well said

Terafir wrote: I only signed up for this site about 3 weeks ago. So it made me a bit wary on what was going on. But, as everything was extremely clearly said and given, I have no concerns whatsoever about the security of the site.

It's not often that things are spoken so clearly and honestly from any company.

+1

Arksum007 wrote: While I have not been a member before this year I have found that this site is great the constant updates are amazing and like everyone else is saying that being treated like a real person is a great benefit for me and makes me want to continue using this site for finding all my mods. thanks for the update and keep up the good work!

padawanjedi wrote: +1

shinru2004 wrote: +1 ^

kev999 wrote: I second rickman. Well done, Team Nexus.

zidders wrote: Well said.

LogikBomb wrote: Hear, hear

ijc1927 wrote: Excellently put. +1

conjior wrote: +1 as well! Treat people like people.
Thanks again to the Nexus community and the Nexus team!
I love this place! :)

rimshot47 wrote: nice recap of a potentially ugly situation.. Not sure what provokes hackers to do this...

Blake81 wrote: The Lulz.

The ones doing this kind of stuff are usually Script Kiddies looking for a scrap of fame, or just for the wicked accomplishment of looking at these news and cackling while they wish they had a dastardly whiplash they could twirl.

qqq122 wrote: +1
thank you robin for all the information

Mileniumman wrote: The same for me, my feelings exactly.

Mileniumman

seba1337 wrote: Damn right! +10

Toft wrote: +1 and very well said

Simon (Toft)

Well said.

[Bluemoonshiner]

In response to post #32072735.

Pagafyr wrote:

I've seen the unfinished kind of pattern within the Windows 10 OS. My account with is suffering from forum post failures, like we all haven't seen that before... Edge is causing suffering almost identical to those days when the browser wars were trying to win popularity by making the best browser.

 

Windows 10's Edge is a bit buggy still and caused a few posts I typed to not post here at forums.nexusmods when using Windows 10's browser, "Edge". I clicked on post and nothing happened. I refreshed the page tried again and VOILA' it worked.

 

I've noticed, because I am more tech conscious, that a lot of the same problems which were happening a few years ago, a couple of years ago, and a year ago are happening again with the arrival of the new OS Windows 10.

Who would have thought that might happen? :laugh:

Since I restored this legal licensed version of Windows 7 Pro 64 bit, only a five months ago, it is already corrupt to the point it was before I decided to do the completely reformat and reinstall it.

 

Windows Update is making Windows 7 64 bit OS's look like a fish flopping around on the shore trying to get back into the water.

 

Now that I have finished this post successfully, I will unplug this hard drive and plug in the other one, which used to be the Windows 7 Pro I bought a second license for. Then I could connect with Games for Windows Live for Fallout 3. Now that HD has Windows 10 OS. Skyrim is the only Steam Game I have on it. In fact, it is the only game that isn't part of the Windows 10 amazingly new look and feel of Windows 8.1, looks a lot like Xbox One features, games services available on Windows 10. :wink: :wink:

Wtf are you rambling about?

[LaMuerte]

In response to post #31699195. #31709590, #31710865, #31717215, #31727420, #31727725, #31727755, #31735675, #31736475, #31737125, #31745975, #31747430, #31762590, #31770575, #31770655, #31770875, #31775185, #31778925, #31779245, #31780640, #31785130, #31785185, #31786765, #31806700, #31808850, #31811630, #31817170, #31846715, #31849190, #31856815, #31866030, #31877395, #31877985, #31881445, #31885980, #31893710, #31897225, #31899965, #31901575, #31906245, #31910235, #31914830, #31930150, #31951615, #31978895, #31980730, #31990045, #31998065, #32076080 are all replies on the same post.

rickman wrote: If you are reading this Robin, know this: the community is supportive BECAUSE you share this stuff outright, clearly, and with incredible haste. If you treated us like Sony did in December of 2012, knowing the problem and denying it for two weeks or more, we'd probably be a lot less kind. There is also this to consider: You told us EXACTLY what, who, when, and how, as soon as you could, and in plain, simple terminology. I (and most likely about 10,000,000 others) appreciate a straightforward answer when there is an issue. But MOST IMPORTANTLY, you are kind and humble about it. If someone was mad at the employees of Nexus after your immaculate behavior, They are clearly not the kind of individual that we should be associated with as a user base. I personally love this site for a myriad of reasons, to explain it would take a ten+ page essay to enumerate all of the reasons why. To be clear though, the biggest reason, THE STAFF TREATS THE USER BASE LIKE PEOPLE. Despite there being 10,000,000 of us, we don't feel like faceless numbers. And that is because you seem to CARE. Don't stop doing that, and this awesome community will probably never devolve.

Thank you for being the best you can be.
Richard.

JZSquared wrote: ^This sums up my feelings exactly. I couldn't have said it better myself.

Lokie7 wrote: I second this, entirely. Well said.

Netsplite wrote: ^ +1

ZedLeppelin wrote: A wee bit verbose, (and I know verbose!), but rather well said and pretty damn accurate. The Nexus staff treats people like people, not numbers.

Inboundwhisper wrote: +1

Inboundwhisper wrote: +1

Aricole wrote: +1

lordmanticore wrote: +1

btgbullseye wrote: +1

xenonblade wrote: +1

AlexZander40 wrote: Well said. May the modding goodness continue.

DFX2K9 wrote: Agreed. no matter who you are, and how much money you've got, you're going to get a breach at some point. At least you salted the passwords, and use a hashing algorithm..

More then I can say for my local Library's system. A breach in THAT database would be catastrophic (note, it sends you your old password via email, that should give you an idea of how terrible it is)

Legion563 wrote: +1.

ExtremeMod911 wrote: Absolutely :)

Domifax wrote: +1

Bernt wrote: Totally agree :)

Dragodian777 wrote: "Ditto"...well said.

Saltamontes1980 wrote: +1
I concur, thank you Dark0ne.

dagstar132 wrote: good point well made. transparency in operation and intention is paramount.

Thanks for sharing.

Dag

JD777 wrote: +(1 X infinity) :)

JD777 wrote: Sorry double post but no delete button. :(

MTZGG wrote: Ad Victoriam.

Mycu wrote: 100% agreed.

Mindprobe24 wrote: +1, nice words dude ;)

Jn_Panower wrote: +1 !

Stargazer2893 wrote: +1

Erez747 wrote: +1 Couldn't have said it better myself. :)

Slimysumocow wrote: Definitely +1 for the wonderful Dark0ne and the rest of the Nexus team! Thank you guys!

EWM333 wrote: well said Richard, this is a great community. Thanks Robin for giving modders and gamers a way to play games on a higher level

MooseUpNorth wrote: Very well said. +1

Bram1970 wrote: +1

grimgagorim wrote: +1 well said, well said

Terafir wrote: I only signed up for this site about 3 weeks ago. So it made me a bit wary on what was going on. But, as everything was extremely clearly said and given, I have no concerns whatsoever about the security of the site.

It's not often that things are spoken so clearly and honestly from any company.

+1

Arksum007 wrote: While I have not been a member before this year I have found that this site is great the constant updates are amazing and like everyone else is saying that being treated like a real person is a great benefit for me and makes me want to continue using this site for finding all my mods. thanks for the update and keep up the good work!

padawanjedi wrote: +1

shinru2004 wrote: +1 ^

kev999 wrote: I second rickman. Well done, Team Nexus.

zidders wrote: Well said.

LogikBomb wrote: Hear, hear

ijc1927 wrote: Excellently put. +1

conjior wrote: +1 as well! Treat people like people.
Thanks again to the Nexus community and the Nexus team!
I love this place! :)

rimshot47 wrote: nice recap of a potentially ugly situation.. Not sure what provokes hackers to do this...

Blake81 wrote: The Lulz.

The ones doing this kind of stuff are usually Script Kiddies looking for a scrap of fame, or just for the wicked accomplishment of looking at these news and cackling while they wish they had a dastardly whiplash they could twirl.

qqq122 wrote: +1
thank you robin for all the information

Mileniumman wrote: The same for me, my feelings exactly.

Mileniumman

seba1337 wrote: Damn right! +10

Toft wrote: +1 and very well said

Simon (Toft)

BlueGunk wrote: Well said.

+1