NMM bug fix release and download hacking problems fixed

[Kalell]

I don't know if this will be useful, but I checked my Security History in McAfee and it says the threat name was Artemis!15F6715D315A.

 

Edit: I just checked my Chrome history and got the address of the page the download took place on. Here is the link (Warning: DO NOT ACCESS THIS PAGE): http://vmlmedia.net/KEdNwksIEX

Edited March 29, 2013 by Kalell

[awesonymous]

within the past 1-2 hours of this comment i got a couple of those nexusmods.exe. NOTE this is not nexus_downloader.exe! it downloaded alongside a mod i was downloading. never ever out of 200+ mods from the nexus ive downloaded i got more than one zipped file for a single download. hope this helps, and thank Dark0ne and the team for looking into this.

[AxelDominatoR]

Is anybody able to get the exact address of the exe file when it does start downloading?

If you are using firefox, for example, you should be able to right click the file in the download manager and "Copy link" or something similar.

This would greatly help us identifying where this file is originated from.

[Droffo]

I think servers got hacked again. This time, thingy called 'Nexus Loader.exe', after 'Downloader' version earlier today. Be warned folks! I tried to downaload the same unlucky mod, and got this both times instead... Do not open it!

i just ran that s#*! as admin, holy s#*! :( - went into process's straight away and ended it - running malware bytes as we speak, only fell for it because i was downloading a archiveinvalidator WHYYY AM I SO UNLUCKY

[faeriexdecay]

Hmm, I've seen two reports on two different mods (nuska's real skin and better males) yesterday and today regarding an exe file downloaded when trying to download these mods. I haven't run into the problem myself, though, so I'm afraid I can't be much help, just figured I'd point this out. I did try downloading both mods, the specific file mentioned to have given them the exe, but I did not get one in either case. Edited March 29, 2013 by faeriexdecay

[Cyndi]

In response to post #7695626. #7696670 is also a reply to the same post.

I tried:Seattle, San jose, Washington, possibly Dallas and iirc one of the London servers. Edited March 29, 2013 by Cyndi

[Junsai]

The erect manual file in better males has this nexusmods.exe virus which avast caught for me luckily.

[Meeporized]

Getting the nexusmods.exe for Nevada Skies Main file from downloading manually via ; London UK1+2; Salt Lake 1,2 ; Seattle; Dallas,Amsterdam all leading to f6.nexusmods.com server.

[Droffo]

The erect manual file in better males has this nexusmods.exe virus which avast caught for me luckily.

yeah I also have avast it didn't detect anything, do you have the paid version?

i ran a malwarebytes scan earlier and it detected nothing .. what if this virus is a backdoor (downloading something in the background) i'll try running avast... maybe i stopped the virus by performing "end process" on the NexusMods.exe earlier?

[mikeloeven]

Several of the files on the Washington DC servers still have the virus i went to download XRE's Cars mod and the fomod package was still replaced with a bad link to the Infected EXE instead of the .fomod file. the other mirrors seem to be clean

 

Virus or unwanted program 'HEUR/Crypted [heuristic]'

detected in file 'C:\Documents and Settings\Mike Loeven\Local Settings\temp\YMbwmhQL.exe.part.

Action performed: Deleted

 

The scanner report shows the temporary file name but firefox download log showed the file as nexusmods.exe

 

it looks like the server is washingdonDC2 not sure if this is a legitimate mirror or a malicious unaffiliated server that was added to the mirror list

 

 

 

Here is the page source for the bad link:

 

<li><a onclick="loadBox('/ajax/downloadfile/?id=1000000531&nid=206&nyro=1','1')"><img src="http://newvegas.nexusmods.com/contents/images/flags/us.gif"></img>

Washington DC 2, USA

</a>

 

 

at this point you should really change the root password and talk to the data center you use for hosting if your sharing a rack with multiple sites the hack could be hardware based from a compromised VM running on the same box

Edited March 29, 2013 by mikeloeven