Malware inside Angry Planes & Noclip Mod


-ShetlandPony-

 

Damn :facedesk:

 

You still need to clean the registry.

 

Can we update the first post in order to help people solve this issue?

 

What do you do to clean the registry? I was reading through this thread and related to like everything you were saying.

Lol hi snowshoe, shouldn't you be working on TF2C? :p

 

I'm not sure actually, mainly because I don't mess around with GTA mods.

I edited my post. It's more probable something like that could be done with CLEO/SCM stuff (definitely not for V though). But ASI is just too complicated for that. They are essentially DLLs, EXEs (I'm going with the former), or whatever, but renamed.

Edited by Snowshoe

 

I saw this being discussed somewhat on the first page, but I'm from the AlliedModders community and on our forums when you add a .sp file as a post attachment, it comes up with two options:

 

Get Plugin

Get Source

 

Get Plugin gets you the compiled .smx file and Get Source gets you the uncompiled .sp file. The forum runs the attached .sp file through the SourcePawn compiler at the time of download and counts every download.

 

It's also against our T&C to upload compiled plugins without the source.

 

The .sp files are completely readable in any notepad program. Our forum also has a New Plugin section and users who are designated as Plugin Approvers. These users know how to spot malicious code and approve good plugins, which moves the new plugin's thread into the Approved Plugins section.

 

Plugins that reproduce things in existing plugins, or plugins that no longer work (due to game updates), are usually moved to the Unapproved Plugins section.

 

That setup sounds like what this community needs to prevent the spread of malicious mods.

Pawn scripts =/= entire C++ projects/DLLs with numerous source files and dependencies

 

How would this even work? server-side MSVC?

 

It would make sense with CLEO mods possibly but not this.

 

Maybe require C++ ASI mods to have public GitHub repos with build servers set up (https://travis-ci.org/ for example) so that moderators on modding websites could check if the md5 hashes are the same as the build server's version.

gtaall noclip malware version attempts to download GTA5.exe from xttp://stenagergaard nu/tmp/GTA5 exe

 

obv it's http but I wanted to obfuscate the link a bit

Thanks for the heads-up.

 

I had a few restore points, including a manual one I made just before using the Angry Planes script. I had both Fade.exe and init.exe in my temp folder. Both of them were gone after restoring (but the data folder was left over). Unlike the OP, instead of having a .Z file I had a .yz file instead (date created matched the exe). I had to delete that one manually. I didn't have anything after the explorer.exe in my registry's string. So I don't know if that means I was safe to begin with (at least password-wise). But I restored to just before I used the mod and changed all the passwords on the sites I was active on in between that time, just to be secure (Steam, Social Club, here, etc.).

Edited by gamesguru

I think I'm OK. I did install the planes mod, but I've checked temp and there's nothing in there (I deleted it all just to be sure), no detections from Malwarebytes, I checked both registry locations and nothing out of the ordinary there, no password emails, so I'm pretty sure I'm OK. I also checked to see if I had an extra GTAV.exe and I did not.

Edited by Lozo222

Interesting.

I've updated the OP on virus removal, if anyone has more information on anything else that could have been affected, please tell me.

Could you append info about x64/GTA5.exe malware and maybe link to this analysis too?

http://gtaforums.com/topic/794383-possibility-of-trojan-downloaderspyware-installed-via-gta-v-mod/?p=1067465309

 

 

Like Silent said, md5 could possibly differ depending on the compiler. Maybe file size would be a better way but probably has the same pitfalls.

 

Really, the only way to be sure is to analyze the source code and compile it yourself, which I don't think a lot of people have the time or programs necessary to do this sadly.

aboutseven

 

I've updated the OP on virus removal, if anyone has more information on anything else that could have been affected, please tell me.

I don't think removing Shell is safe; you probably just have to delete the part that begins after the comma.

 

Are you sure? I read that the Shell key was just for custom shells and that by default Windows uses explorer.exe anyways. I could be wrong though. I'll restart my computer to see if any problems persist after removing Shell.
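A read-only check for the two indicators posters describe in this thread (an entry appended after explorer.exe in the Winlogon Shell value, and Fade.exe / init.exe plus a .Z or .yz file in the temp folder), added here as an example and not code from the thread. It assumes the standard Winlogon key paths under HKLM and HKCU; it only reports findings and does not change anything.

```powershell
# Added example (not from the thread): report the indicators discussed here.
# Run from an elevated PowerShell. Assumptions: Winlogon Shell lives under the
# standard HKLM/HKCU paths below; the file names come from posters' reports.

$winlogonPaths = @(
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
  'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

foreach ($path in $winlogonPaths) {
  $shell = (Get-ItemProperty -Path $path -Name Shell -ErrorAction SilentlyContinue).Shell
  if ($null -eq $shell) {
    # No Shell value at all: Windows falls back to explorer.exe.
    Write-Output "$path : no Shell value (explorer.exe is the default)"
    continue
  }
  # A clean value is exactly "explorer.exe". Anything after a comma is an
  # extra program Winlogon launches alongside the real shell; that is the
  # "part after the comma" the posters are talking about. The remediation
  # posters describe is to set the value back to plain "explorer.exe".
  $entries = $shell -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
  $extra   = $entries | Where-Object { $_ -ne 'explorer.exe' }
  if ($extra) {
    Write-Warning "$path : Shell = '$shell' -> unexpected entries: $($extra -join '; ')"
  } else {
    Write-Output "$path : Shell = '$shell' (clean)"
  }
}

# Temp-folder files reported in this thread: Fade.exe, init.exe, and a .Z or
# .yz data file created at the same time as the executables.
$suspect = Get-ChildItem -Path $env:TEMP -File -ErrorAction SilentlyContinue |
  Where-Object { $_.Name -in @('Fade.exe', 'init.exe') -or $_.Extension -in @('.Z', '.yz') }

foreach ($f in $suspect) {
  Write-Warning ("TEMP: {0}  {1} bytes  created {2}" -f $f.FullName, $f.Length, $f.CreationTime)
}
if (-not $suspect) { Write-Output "TEMP: none of the reported file names present" }
```

A warning from either check is a reason to treat the machine as compromised and follow the OP's removal and password-change advice; an empty result is not proof of a clean system.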

AngryGamer94

Hmmm, I reformatted my PC yesterday due to an unrelated issue (had problems with the Win10 preview).

I used Angry Planes once and then deleted it. Should I be worried?

 

Changing all my passwords would be a massive chore. I have a hard time remembering things, so I use the same 2-3 passwords on everything except Steam.

 

 

Not going to install any more random .asi mods from now on; I'll stick to .lua scripts.

It's really simple, guys.

 

 

I see so many people asking the same questions over and over... Am I infected? If my antivirus caught it, am I good to go?

 

 

The answer is, no one really knows. Imagine if a badly sick person sneezes in your face, but you manage to quickly wipe it off. Are you infected? We don't know, but it's a good idea to take precautions.

 

 

So if you have any sign of infection, I recommend you treat it as a full infection and change all your passwords and protect yourself. A keylogger is a program that relays anything you type directly to the hacker, so even your flirty chats on facebook are logged and recorded, not just passwords.

 

No one is going to give you a definitive answer and tell you that you are SAFE, because no one wants to be responsible when your bank account gets cleaned out. Everyone is still trying to figure out the extent of the damage, no one knows for sure which antivirus can detect and clean it prior to infection. If you downloaded and used the mods in question, treat it as a full infection.

 

 

Stay safe and happy modding.

 

 

 

Well, you probably know more than me ;)

Edited by Bencici

 

Again, if the file's md5 differs from the build server's version, just don't allow the mod. It's a lot harder for modders, but that ensures safety for users, so why not?

Edited by Sergeeeek
vithepunisher

 

I heard the so-called modder was apparently an R* Games employee trying to shut everyone down on modding the game by making an epic plane mod that had everyone fooled, including myself. This incident is meant to have a huge impact to warn people modding their game and, most importantly, turn people away from modding their game completely. Now I don't know if I should believe this, but looking back at the way R* acted towards the modding community, I wouldn't be surprised if this is their retaliation.

They'd make something more epic; this was a simple, simple, simple, simple script mod.

 

That's true, I appreciate your reply, I'm a big fan. I just thought I'd share that conspiracy (slash lie) that's going around in order to shed some light on the subject. I don't believe it myself, I'm only sharing it, lol. I don't want people getting mad.

aboutseven

 


Do you happen to have a link to the information about x64/GTA5.exe? I couldn't find anything like that in my case, so I believe this might have been a different mod (NoClip?) that has done this.

Igor Bogdanoff

Why not just report him to the right authorities?

 

 


gtaall noclip malware version attempts to download GTA5.exe from xttp://stenagergaard nu/tmp/GTA5 exe

And yes, it's NoClip. Though the other NoClip I got has Fade in. Guess it comes in multiple flavours. Beyond f*cked up.
