amoeba00 Posted August 4, 2019

Been using Vortex for a while (last version .18.6). Decided to upgrade to v1.0 - and Windows AV is reporting a very specific virus on one of the files:

member.exe
Location: Vortex\resources\app.asar.unpacked\node_modules\native-errors\Detours\bin.X64\
Virus: Trojan:Win32/Skeeyah.A!MTB

Just downloaded v.19.1 to test and it didn't trigger this alert. Also, there isn't the full green check box on the Virus Scan (just the blue "some manually verified files") - so this doesn't necessarily fall under the usual "My AV is reporting a virus" concern. The alert happens on both the custom and regular files.

What's interesting is that when I first downloaded and installed this package last week - I didn't get the alert. I mistakenly selected the regular installer and just now realized it was using the C:\. So when I came back to download the custom installer one - all this happened. (Of course, I don't have the original file to compare.)

Anyway - given that it wouldn't be the first time packages have been infected after the fact and there is no published hash file of Vortex with which to compare the original source - this led me to post this. Can someone confirm that it's a known false positive? If so, maybe update the FAQ to include this specific item - since it's new to v1.0. Thanks for your time.

OS: Windows 10, v1903
Definitions as of 8/4/2019 6:17am
AlantirDarke Posted August 4, 2019

I just got the same this morning. At first I thought it was a mod I downloaded not fully scanned, but now I'm not so sure. If anyone can find out what the case is, I'm sure a lot of users (self included) would be appreciative. Last thing I want to do now is nuke my OS and reinstall unless I have to! :confused:

AD
Sargoth Posted August 4, 2019

Updated today and a Trojan was quarantined in member.exe.

Trojan:Win32/Skeeyah.A!mtb
Ransom.Win32.STOP.AN
Aliases: Win32.Trojan-Ransom.STOP.VZ9O0W (GData), Trojan:Win32/Skeeyah.A!MTB (Microsoft), W32/Kryptik.GVDM!tr (Fortinet)
Threat Type: Ransomware
Encrypted: Yes
HandsomFrank Posted August 4, 2019

I just downloaded Vortex for the first time through the link in the Vortex 1.0 news article. Same thing, Windows Defender called out the same threat.
AugustaCalidia Posted August 4, 2019

Neither Norton nor Malwarebytes detect the virus mentioned. They both deem Vortex 1.0 safe. I downloaded 1.0 from Nexusmods several days ago. I do not use the Vortex updater.

EDIT: I just now re-downloaded Vortex 1.0 from Nexusmods and re-installed it. Nothing has changed. Both Norton and Malwarebytes deem Vortex 1.0 to be safe. I downloaded the default install version of Vortex.
amoeba00 Posted August 4, 2019 (Author)

"I downloaded 1.0 from Nexusmods several days ago."

That's the whole point - several days ago is different than this morning. I'd be curious what Norton/Malwarebytes would say if you installed the software using a fresh download?
pajicadvance Posted August 4, 2019

I just updated Vortex through the app itself; it told me there's a major update, and after restarting the app I got the same thing. I've quarantined and removed the file through Windows Defender. Vortex is working fine without it.
rawr22 Posted August 4, 2019

I updated to 1.0 today using the auto update and got the same virus warning. Don't assume it's a false positive unless we know for sure. It's not worth it.
Phraun Posted August 4, 2019

Got the same warning this morning when auto-updating it. Deleted the "infected" file, completely removed Vortex, did a full scan of the system and came up clean. Downloaded Vortex manually from the site, installed, same warning came back.

Pushed the installer to VirusTotal and it came back completely clean.
https://www.virustotal.com/gui/file/7f6411e323b721bda09477d0c885368120b71ee9c00a5c682f6850b244eba3ba/detection

Restored the member.exe file from quarantine and pushed that to VirusTotal; that also came back clean, with the exception of Microsoft detecting Trojan:Win32/Skeeyah.A!MTB.
https://www.virustotal.com/gui/file/255d34ac5786570b9066e325cb8bb2bac34411650ebfbac0906d315c516d3397/detection

This reeks to me of Defender's heuristics engine having a mental breakdown, rather than an actual issue with Vortex.
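The thread's complaint is that there is no published hash to compare a local copy against, while the VirusTotal links above do carry the SHA-256 of the exact samples analysed. The following script, added here as an example and not code from the thread or from Vortex, hashes a local file in chunks and checks whether it is byte-for-byte the sample behind a VirusTotal report; the two hashes are copied from the links above, and the `demo()` file is a constructed stand-in, not the real member.exe.

```python
import hashlib
import hmac
import os
import tempfile

# SHA-256 values taken from the VirusTotal URLs quoted in the post above.
VT_SHA256 = {
    "installer":  "7f6411e323b721bda09477d0c885368120b71ee9c00a5c682f6850b244eba3ba",
    "member.exe": "255d34ac5786570b9066e325cb8bb2bac34411650ebfbac0906d315c516d3397",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_report(path, expected_hex):
    """True only when the local file is exactly the sample VirusTotal analysed.

    A mismatch does not prove tampering (a rebuilt release has a new hash), but a
    match means the VirusTotal verdict applies to the bytes you actually have.
    """
    return hmac.compare_digest(sha256_file(path).lower(), expected_hex.strip().lower())


def check_tree(root, expected):
    """Walk an install directory and compare every file whose basename is a key of
    `expected`. Returns {relative_path: (local_sha256, matches_report)}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in expected:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                results[rel] = (sha256_file(full), matches_report(full, expected[name]))
    return results


def demo():
    """Constructed stand-in for a quarantined member.exe; its hash will not match."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Detours", "bin.X64", "member.exe")
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as f:
            f.write(b"MZ" + b"\x00" * 4094)   # constructed sample content
        return check_tree(tmp, VT_SHA256)
```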
FlamingCheeseMonkey Posted August 4, 2019

Whelp, this is actually really interesting. I did the update through Vortex within a few days of 1.0 being released and Windows Defender didn't pick up anything then, nor did it pick up anything when running Vortex (although, does Defender even check files when said program is run?). So it's curious as to what changed.

In any case, I checked what Detours is even about and, according to https://www.npmjs.com/package/detour , Detour is used for routing purposes. So that can be anywhere between Knowledge Base, the dashlets, and retrieving and displaying mod information when double clicking on mods. Last update on it was 3 years ago, so unless Nexus made changes to it, it helps to close off certain reasons.