Warning for S.T.A.L.K.E.R.S. virus found (Locked)
Mar 29 2015

I run (ran) AVG and until now nothing's gotten by it. Day before yesterday I decided to pick up some mods for my S.T.A.L.K.E.R. games and Steam pointed me to MODDB (used to use Filefront back in the day). I checked out the current available mods and decided to pick up Complete for SoC and CS but go with Sigorus 2.2 for CoP. After spending the whole day downloading them and following their installation instructions, since the executable mod versions can't work with Steam, I decided to get some sleep after I ran SoC and CS to make sure they worked, since my CoP download had not completed yet.

The next day I woke up to find my computer was now infected with the HELP_DECRYPT ransomware. I cannot be sure which of the three mods had caused this since I had picked them up at the same time, and of course the virus took great advantage of me being asleep, giving it plenty of time to crypt up a ton of files. Prior to this the only other activities I had done were the game downloads off of Steam the previous day, since my disc keys were lost with time (don't mind paying a little extra for a great game set), and watched some Hulu intermittently days before that. The damage was so widespread that it was more feasible to just wipe to factory settings and reload everything, since this particular ransomware is so kind as to delete all of my restore points. It tried to lock out the recovery options altogether; thankfully there was a fix for that.

When downloading I noticed this site directs you to a mirror site unless you are a member, so I created this account and am posting here both to warn others who might be fans like me and come back to this lovely game series, and to get to download directly from MODDB in hopes that it will prevent the files from being infected. I did check Filefront a few minutes ago and they only carry the executables, so this is a Steam user's only hope. Yeah, I know I'm probably a glutton for punishment, but this game is tops and I'll take the long shot. Only 2 days of programming to fix, not that bad heh.

Anyone else have any issues like this?

Mar 29 2015

Firstly, thanks for the warning mate, but haven't you checked the files with AVG before you installed/unzipped them?

Mar 29 2015

It is also possible for it to come from a source other than the mod files themselves (any other files downloaded by your other software), though it seems doubtful as well. You have to list all the mod and download pages (and their URLs) you visited here for rechecking.

Mar 29 2015

The problem is currently NO antivirus or malware protection program can pre-detect HELP_DECRYPT yet. Even the big paid-for companies' forums show they are weak to it. There is a method of using group policies to prevent an executable from running in certain folders, though the use of it would be as much hassle as doing a factory reset. I was just too damn lazy to clear one of my external drives and ghost my C drive until now heh, so if it strikes again I am prepared to reset. Plus after several years of use a fresh start is kinda nice, so this wasn't such a bad thing. Now I threw on Avast and Malwarebytes 'cause I was just tired of AVG's constant scam pop-ups trying to get me to go paid and restarts to update 2 times a day.

As far as listing every URL I visited, the list was given in general. Steam application store directly to S.T.A.L.K.E.R. set purchase, then next day MODDB for the mods, only viewing those for this game. This means the entire Complete series mod was viewed, though only the SoC and CS versions were downloaded, and the sig2.2 mod for CoP. Did watch some Hulu during that time, though as far as I know a virus exe file doesn't move through streaming video. I wonder if perhaps the virus was hidden in the readme files since they had to be accessed to be sure I was installing the mods correctly. Steam users have to use the manual install since the exe modder won't work with Steam downloads. Like I mentioned, the site made me use a mirror to download since I wasn't logged into an account; now that I am, I hope the files put here on the actual host site are clean.

If anyone is curious what this nasty bit of program is, then you can check out Bleepingcomputer.com for the details. I hope this is in some way helpful to the staff here and to others who are total fan boys of the game like myself. Stay safe gang!

Good news, I have retraced my actions from those last fateful days with one change, using a MODDB account to pick up the download so it won't send me to a mirror, and so far no virus. I can only extrapolate from this that the mirror was the culprit (though I can't recall which one it redirected me to, so I can't warn them).

I guess that is as far as someone of my humble nerd powers can go, so I will have to consider this case closed unless someone smarter than I would care to pick up where I left off for the greater cause of public safety. Thanks Phoenix and Feillyne for trying to help, appreciate the insights (without the obvious cracks on my laziness and not creating a ghost drive sooner heh).

Dec 12 2015

There seems to be a virus.

I have downloaded the Stalker_Data_unpacker from ModDB:

Moddb.com

Then I checked the .zip file with Avira Antivir, everything OK.

After unpacking, I started the EN file. Avira stopped the access and gave a warning.

Prntscr.com

This is for info. I removed the file.

Regards,
Ceallach