
Strange Mod Organizer 2 event - damaged directory and problems



Posted (edited)

I'm using MO2 2.5.2 Dev build. PC, Win 10 Pro. An SSD drive - well away from C:

 

I fired up MO2, fired up Skyrim AE as usual, only for the whole lot to crash off screen, and causing the modorganizer.exe to vanish from the folder. Completely.

 

OK, no worries. Reinstall MO2.  Only, I'm being asked for Administrator Permission to copy the modorganizer.exe over into the usual MO2 folder.

Uninstalled MO2, rebooted PC. Was then able to install MO2 and modorganizer.exe without problem.

 

Started up Skyrim - back to the above.

 

I am assuming my Skyrim.exe is broken so no worries I'll run the validation over it.

 

But meanwhile I still cannot transfer a copy of the downloaded modorganizer.exe into the working MO2 folders.  I'm asked for Administrator Permissions, which I give, and the process is denied.

A Syspage fault is implicated.

 

I can go around the long way again to get it back in working order.  But I'd really like to know what is going on so I can deal with it in the future.

 

Thank you!

 

UPDATE: I checked Starfield - it ran no problems. So I'm guessing I may have a broken mod in the Skyrim AE mod list. 

 

What sort of event would take down modorganizer.exe without leaving a DMP? Any ideas welcome!

 

Edited by Bluegunk
Posted (edited)
1 hour ago, Bluegunk said:

and causing the modorganizer.exe to vanish from the folder.

 

Triggerhappy antivirus.

 

1 hour ago, Bluegunk said:

I'm asked for Administrator Permissions, which I give, and the process is denied.

 

Ring 0 blocking, or higher than Administrator privileges. Again, antivirus, perhaps trying to stop further activity in what it thinks is a virus containing folder?

 

1 hour ago, Bluegunk said:

What sort of event would take down modorganizer.exe without leaving a DMP?

 

Just terminating the application normally.

 

 

Now, unfortunately, one might assume if this was indeed done by anti-virus that it would have told you it did something. So the "dark" alternative to this is that you've got a hostile app on your system, something that's already in the kernel (i.e. no anti-virus is going to save you at this point).

 

Let's put it this way: be this the actions of a virus or a trigger-happy anti-virus, I would boot into a live Linux and scan the entire system with BitDefender (they have rescue CDs if you don't fancy doing it all yourself). When booted into a live system, there are very few places where hostile code could be active. You'd be dealing with a targeted attack from a very motivated actor should you run into something like this.

 

Edit: Perhaps should clarify my apparent paranoia here:

  1. The security policy for my own system is paranoid. I do not use anti-virus software; I boot into a different OS to ensure I have full control: both over hostile apps, and so-called legitimate vendors such as Microsoft.
  2. Exe files, or files in general, do not disappear on their own. They cannot delete themselves.
Edited by traison
Posted

Hi Traison, and thanks!

 

I subscribe to AVG and the MO2 folders are excepted. No indications of AVG blocking anything are visible in the AVG logs. Malware scan also shows zilch. I'm not expected to be the victim of a targeted attack, unless they are after my Skyrim Mug in the kitchen or have taken umbrage at my roses in the front garden.

 

I'm investigating some DLL mods I use. I think it may be one of them taking down the MO2 virtual file system with extreme prejudice.

 

 

Posted (edited)

If you can repeat the process to get modorganizer.exe to disappear, do so with ProcMon from Sysinternals (Microsoft) running in the background. Filter it for paths ending with "modorganizer.exe". If you want me to look at it, save it filtered and figure out a private place to upload it - these logs contain more than you may expect. ProcMon may not see everything, especially if there's a way to delete files from the kernel without tripping ETW, but should the file disappear without anything showing in ProcMon it gets kinda obvious still.

 

Edit: Or if you trust me, RustDesk. I'd love to see this myself.

Edited by traison
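
An added example, not part of the original posts: one way to triage a ProcMon capture like the one described above once it has been saved as CSV, listing which process successfully deleted or moved the target file. The sample rows, the process name `example_scanner.exe`, the PIDs and the paths are constructed for illustration; the column names are ProcMon's default CSV columns.

```python
import csv
import io

# Constructed sample in the shape of a ProcMon CSV export (default columns).
# Process names, PIDs, times and paths are invented for illustration.
SAMPLE_EXPORT = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","ModOrganizer.exe","4120","CreateFile","D:\MO2\ModOrganizer.exe","SUCCESS","Desired Access: Execute/Traverse, Synchronize"
"10:03:40.5000000","example_scanner.exe","2288","SetRenameInformationFile","D:\MO2\ModOrganizer.exe","ACCESS DENIED","ReplaceIfExists: False, FileName: D:\Quarantine\0001.bin"
"10:03:41.2000000","example_scanner.exe","2288","SetDispositionInformationEx","D:\MO2\ModOrganizer.exe","SUCCESS","Flags: FILE_DISPOSITION_DELETE, FILE_DISPOSITION_POSIX_SEMANTICS"
"10:03:41.9000000","Explorer.EXE","5012","CreateFile","D:\MO2\ModOrganizer.exe","NAME NOT FOUND","Desired Access: Read Attributes"
'''


def target_rows(export_text, target="modorganizer.exe"):
    """Yield rows whose Path ends with the target file name (case-insensitive)."""
    text = export_text.lstrip("\ufeff")  # exports may start with a byte-order mark
    for row in csv.DictReader(io.StringIO(text)):
        if row["Path"].lower().endswith("\\" + target.lower()):
            yield row


def is_removal(row):
    """True if a successful event deleted the file or moved it elsewhere."""
    if row["Result"] != "SUCCESS":
        return False
    op, detail = row["Operation"], row["Detail"]
    if op == "SetDispositionInformationFile":
        return "Delete: True" in detail
    if op == "SetDispositionInformationEx":
        return "FILE_DISPOSITION_DELETE" in detail
    if op == "CreateFile":
        return "Delete On Close" in detail
    return op.startswith("SetRenameInformation")  # moved away, e.g. to quarantine


def removal_events(export_text, target="modorganizer.exe"):
    """Return (time, process, pid, operation) for each event that removed the target."""
    return [(r["Time of Day"], r["Process Name"], r["PID"], r["Operation"])
            for r in target_rows(export_text, target) if is_removal(r)]


if __name__ == "__main__":
    for event in removal_events(SAMPLE_EXPORT):
        print(*event)
```

An empty result while later rows show `NAME NOT FOUND` for the same path is the case mentioned above where the file disappeared without ProcMon seeing the removal.
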
Posted

OK, thanks. The crash and vanish process runs on a clean new minimal game so it's not a mod.  I'll see what Proc Mon tells us.

Posted (edited)

I tried with Proc Mon but messed it up. How best to use it?

Oh, wait, I think I understand now. Just finishing a deep scan on my mods; I'll try and get the log for you after it.

Edited by Bluegunk
Posted
28 minutes ago, Bluegunk said:

I'll try and get the log for you after it.

 

I can get an FTP server up if that's more your thing than a GDrive or similar. Remember to save it filtered though, a log like this really shouldn't be more than a few MiB. I realize you can get a GiB from a few minutes of logging, but then it's not filtered.

Posted

Just posting this here for future Googling humans: AVG (anti-virus) removed ModOrganizer.exe. Probably need to add an exception or something along those lines. I can see how MO could trigger alarms, it does some funny things. Pretty sure the code is on GitHub though, at least the usvfs (the funny bit) is. Feel free to vet it yourself.
