Jump to content

Nexus Client being marked as ransomware


TofuDrift
 Share

Recommended Posts

This is my first time posting on this forum, so I apologize in advance for any formatting errors.

The Nexus Client is a program provided by nexusmods.com for the purpose of managing modifications that can be applied to games that support it like The Elder Scrolls V: Skyrim, The Elder Scrolls IV: Oblivion, Fallout: New Vegas, and so on. I have used this program for several years without encountering a virus. However, Malwarebytes has recently begun quarantining the client whilst I am in the process of installing modifications to my games; I believe that these are false positives, as the modifications that I am installing have been downloaded and installed by thousands of other users without any problems, not to mention the fact that they have already been scanned on VirusTotal with zero detections. I managed to reproduce the false positive by attempting to install an already-installed modification; overwriting the files in the installation process, I managed to trigger the quarantine of the Nexus Client. I do not know the root cause of these detections; but, I am guessing it is linked to the installation process, as I have not experienced a detection while the client is idle or downloading modifications.

I have since scanned the client on VirusTotal (https://www.virustotal.com/en/file/d372f686b789f7646f661b272d95e276932f4a42af7cefe7ae51afe508e423cc/analysis/) with the SHA256 being listed as the following:

  d372f686b789f7646f661b272d95e276932f4a42af7cefe7ae51afe508e423cc

 

 

 

-Log Details-
Protection Event Date: 4/21/17
Protection Event Time: 10:38 PM
Logfile:
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1777
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Ransomware Details-
File: 1
Malware.Ransom.Agent.Generic, C:\Program Files\Nexus Mod Manager\NexusClient.exe, Quarantined, [0], [-1],0.0.0


(end)

NexusClient.zip

Link to post
Share on other sites

  • 2 weeks later...

Hey there!

Just happened to me about five minutes ago. Malwarebytes flagged Nexus Mod Manager as a ransomware, and completely locked me out of the software. It does not show up anywhere in the quarantine, as if Malwarebytes just locked it.

Is there a way i can make it work again? Reinstalling it keeps me locked out of the program.

 

Edit: Claims that i do not have the "Appropriate authorizations" to access the file (NexusClient)

Edited by Omaha
Link to post
Share on other sites

  • Staff

Hi Omaha,

Please reboot and you should be able to use Nexus again. In your case, it looks like the process was only killed (not removed) because of suspicious behavior.

I suggest you add an exclusion for the folder C:\Program Files\Nexus Mod Manager in Malwarebytes. Please make sure you add the exclusion for both the antiransomware and antimalware engine (1st choice when using exclusions).

Thanks!

Link to post
Share on other sites

Hello!

Sadly, it did not work, i seem to be locked out of NMM completely, even after a reboot. The NMM folder is excluded for both.

When i attempt to start NMM, an error message pops up. 

Translated attached image of the error popping up (Screenshot_1);
"Windows does not have access to the device, path, or file. You may not have the appropriate authorizations for accessing this file."

Is there a way i can attempt to read into what Malwarebytes actually found, potencially reverse it? It has seemed to only pop up for about a second, and disappeared again.

Attached a screenshot of the quarantine, and exclusion.

Screenshot_1.png

Screenshot_2.png

Screenshot_3.png

Link to post
Share on other sites

Hello!

Managed to fix it after a little bit. Here's what i've done;

1) Reinstalled NMM
2) Deleted and added the exclusion again
3) Reboot
------------------------------------------------------

Seems to work now just fine! 

 

Thanks!

- Omaha

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.