A moderator directed me to post this here. CCE detected several (~18) .nif files and a single folder as Rootkit.HiddenFile and Rootkit.HiddenDir respectively, within a Skyrim mod directory. The mod in question is Realistic Lighting Overhaul. This is a very popular mod as you can see if you follow the link, and no Google searches turn up anything even remotely hinting at this issue for other users. This is not even taking into account the fact that .nifs are just meshes for a game engine, and I’m not terribly sure how they could even be a threat.
As I know it’s part of the procedure, I did upload to VT to verify, but none of them came back with any issues, and in the interest of keeping things simple, I will link to only one as there were, again, about 18. They all were equally clean, but with the ‘synchronization error’ on the second tab. I don’t know if that even means anything, I don’t use VT that much.
The folder that was marked as Rootkit.HiddenDir I couldn’t upload, as it was just a folder. There were more subfolders inside of it, but nothing within it was flagged, just the folder itself. I provided a link to the entire mod above, and I no longer have the scan window open as this was hours ago, but from memory, the files flagged in particular were:
(Long names, lots of subfolders, bear with me. Makes installing/uninstalling the mod easy, makes reporting this a pain.)
Every .nif in the following location was flagged as Rootkit.HiddenFile. 15 .nif files in all:
Realistic Lighting Overhaul 4_0_6 Manual Install-30450-4-0-6\Realistic Lighting Overhaul 4_0_6 Manual Install\RLO Optionals\Skyrim Particle Patch\Skyrim Particle Patch Optionals\Blackreach Mushrooms\data\meshes\clutter\blackreach
blackreachepicmushroom01.nif, blackreachgiantmushanim01.nif, blackreachgiantmushanim02.nif, blackreachgiantmush03.nif, blackreachgiantmushanim04.nif, blackreachgiantmushanim05.nif, blackreachgiantmushhoriz01.nif, blackreachgiantmushhoriz02.nif, blackreachgiantmushhoriz03.nif, blackreachgiantmushhoriz04.nif, blackreachgiantmushroom01.nif, blackreachgiantmushroom02.nif, blackreachgiantmushroom03.nif, blackreachgiantmushroom04.nif, blackreachgiantmushroom05.nif
Also from the Skyrim Particle Patch Optionals subdirectory:
Mineral Pools\data\meshes\landscape\volcanic
There are only two files in here, again, just .nif meshes: mineralpoolbig01.nif, mineralpoolsm01.nif
Again, from the Particle Patch Optionals:
\Windhelm Tower\data\meshes\architecture\windhelm
The only .nif in this folder was flagged: whshorttower.nif
The folder tagged as Rootkit.HiddenDir was also in the Skyrim Particle Patch subfolder:
Solitude Doors and Market Stalls\data\meshes\architecture
These are just mesh files made through NifSkope for use in games like Skyrim, so I’m not sure what could have made CCE even possibly think there was an issue here, but there it is. I scanned with Avast, Spybot, and Malwarebytes; nothing was found wrong with these files. Ran TDSSKiller just for the jollies, nothing.