Malware inside Angry Planes & Noclip Mod


aboutseven

Dunno if anyone still wants these mods, but I took it upon myself to clean them up of bullsh*t malware. I liked Angry Planes and wanted to continue using it.

 

I dug through NoClip and Angry Planes with IDA and NOP'd out the calls and the functions that called home and downloaded malware crap to your computer, all the while maintaining functionality of the mod itself.

 

Surprisingly enough I never got infected, probably because I had GTA5.exe, GTAVLauncher.exe, and PlayGTAV.exe all blocked in Windows Firewall. Never used NoClip, only Angry Planes.

Of course, run these at your own risk. I can't guarantee that I've cleaned them up completely, but I've run them sandboxed in Sandboxie and saw no malicious files in the contents of the sandbox and no strange connections via HTTP to some Bitcoin farm in China. Hopefully someone on this forum can double-check with IDA and confirm that these are clean.

 

Again, run at your own risk:

http://www.mediafire.com/download/iq6i9c1zwp4a6k4/AngryNoClip_PPURGED.zip

Edited by Gumshoe

Alexander Blade

Max Payne 3 was creating the same file

 

found something new i have a file called Local剜捯獫慴⁲慇敭屳呇⁁屖湥楴汴浥湥⹴湩潦

in my appdata folder

upon googling it i found this

http://steamcommunity.com/app/271590/discussions/0/611703999971057114/

edit:NTAuthority confirmed that it's safe


 

Max Payne 3 was creating the same file

 

found something new i have a file called Local剜捯獫慴⁲慇敭屳呇⁁屖湥楴汴浥湥⹴湩潦

 

in my appdata folder

 

upon googling it i found this

 

http://steamcommunity.com/app/271590/discussions/0/611703999971057114/

 

edit:NTAuthority confirmed that it's safe

 

yeah NTAuthority confirmed it's safe


Demons_420

Hey, I installed this mod but as soon as it loaded my firewall picked up an outgoing connection to duckdns so I blocked it. Does this mean I have successfully avoided infection? I scanned with Malwarebytes and found the shell file only, and have since reformatted my PC. I just want to know if the base program NEEDED to connect to the C&C at duckdns to be able to load a keylogger.


Dunno if anyone still wants these mods, but I took it upon myself to clean them up of bullsh*t malware. I liked Angry Planes and wanted to continue using it.

 

I dug through NoClip and Angry Planes with IDA and NOP'd out the calls and the functions that called home and downloaded malware crap to your computer, all the while maintaining functionality of the mod itself.

 

Surprisingly enough I never got infected, probably because I had GTA5.exe, GTAVLauncher.exe, and PlayGTAV.exe all blocked in Windows Firewall. Never used NoClip, only Angry Planes.

Of course, run these at your own risk. I can't guarantee that I've cleaned them up completely, but I've run them sandboxed in Sandboxie and saw no malicious files in the contents of the sandbox and no strange connections via HTTP to some Bitcoin farm in China. Hopefully someone on this forum can double-check with IDA and confirm that these are clean.

 

Again, run at your own risk:

https://www.mediafire.com/?pljv6m8ydn15zdy

 

 

 

 

 

Bruh, you're a Life Saver! Been looking all over for a Clean Version of the "Angry Planes" - Mod. Thank You! Thank You! THANK YOU! xD


It makes sense now!!

I had Angry Planes 1.2 but couldn't find fade.exe / init..exe or any of those files ..

I blocked all my GTA files from inbound \ outbound connections in Windows 7 firewall and that saved me apparently..


So I used the Angry Planes mod, but only when I had no internet connection (worried of online bans). I didn't find any trace of these files on my PC. The Registry is fine, no fade, no leep, no second GTA5.exe, nothing.

I guess I'm fine...?


I start to believe that the permanent solution to the malware problem is to write mods in a scripting language like Lua with a unified interpreter.

 

Script files are more transparent than compiled files.


had a virus warning on RareCars.asi i'd assume it's a false positive but i think it's useful to say something

 

keeps on getting better and better i had a rogue toolbar called "RelevantKnowledge" no idea where it comes from (this text is not related to the rarecars text i just edited this to add this extra information)

Edited by ZZCOOL

skyda-killer

found something new i have a file called Local剜捯獫慴⁲慇敭屳呇⁁屖湥楴汴浥湥⹴湩潦

 

in my appdata folder

 

upon googling it i found this

 

http://steamcommunity.com/app/271590/discussions/0/611703999971057114/

 

edit:NTAuthority confirmed that it's safe

I had that too, so it's safe right? I didn't know whether I should delete it or not. So I left it, looked suspicious, but as far as I could tell it was harmless.


jippa_lippa

Dunno if anyone still wants these mods, but I took it upon myself to clean them up of bullsh*t malware. I liked Angry Planes and wanted to continue using it.

 

I dug through NoClip and Angry Planes with IDA and NOP'd out the calls and the functions that called home and downloaded malware crap to your computer, all the while maintaining functionality of the mod itself.

 

Surprisingly enough I never got infected, probably because I had GTA5.exe, GTAVLauncher.exe, and PlayGTAV.exe all blocked in Windows Firewall. Never used NoClip, only Angry Planes.

Of course, run these at your own risk. I can't guarantee that I've cleaned them up completely, but I've run them sandboxed in Sandboxie and saw no malicious files in the contents of the sandbox and no strange connections via HTTP to some Bitcoin farm in China. Hopefully someone on this forum can double-check with IDA and confirm that these are clean.

 

Again, run at your own risk:

https://www.mediafire.com/?pljv6m8ydn15zdy

 

 

Man thanks a lot! I really need noclip to make videos.

Can somebody double check the mod's "integrity", just to be sure? :)

 

By the way, Gumshoe.

Could you kindly check this mod, please? (If you want to) http://gtaforums.com/topic/789786-vrelwip-enhanced-native-trainer/

Had no problems with it, but still...

 

By the way are the game savegames safe to backup/reinstall, or is the Rockstar Games folder in Documents somehow linked to the malware?

 

Gotta say i love my Free Avast <3 It takes a lot of ram to work, but it automatically quarantined Fade.exe and the multiple malicious gta5.exes right away; i guess that's why i don't see any strange activity on my social club or steam.

Edited by jippa_lippa

darkphoenixxx

Ahahahahahahaha...

So that is why steam launches some times on my PC. Having retail version i was like "wtf? u no need steam." and since i hate steam i closed it. Suspected something trying to launch steam and steal my DOTA2 hats or something so i didn't launch it since then (no auto login). Thanks OP, gonna try to wash this filth from my PC when i get home.


Dunno if anyone still wants these mods, but I took it upon myself to clean them up of bullsh*t malware. I liked Angry Planes and wanted to continue using it.

 

I dug through NoClip and Angry Planes with IDA and NOP'd out the calls and the functions that called home and downloaded malware crap to your computer, all the while maintaining functionality of the mod itself.

 

Surprisingly enough I never got infected, probably because I had GTA5.exe, GTAVLauncher.exe, and PlayGTAV.exe all blocked in Windows Firewall. Never used NoClip, only Angry Planes.

Of course, run these at your own risk. I can't guarantee that I've cleaned them up completely, but I've run them sandboxed in Sandboxie and saw no malicious files in the contents of the sandbox and no strange connections via HTTP to some Bitcoin farm in China. Hopefully someone on this forum can double-check with IDA and confirm that these are clean.

 

Again, run at your own risk:

https://www.mediafire.com/?pljv6m8ydn15zdy

 

4mSLxOT.png

I still don't trust it :panic:


arewenotmen

 

I'd personally love to keep using the "Enhanced Native Trainer" 11.0 but how to know if it's legit?

Ya this would be nice to know...especially since there's tons of ppl using it...

 

I wrote/coordinate ENT. I told you all that ASI malware was a risk in my opening post in the ENT thread!

 

The ENT source code is all open & shared on GitHub, with multiple contributors getting visibility of each other's changes, so if you're not building it yourself (the ideal option), your only risk should be whether that's the same code as makes it into a compiled release.

 

At least for now, the only person currently building releases of ENT - assuming that you get them from the same wapoc.com domain as linked in that OP - is me.

Edited by arewenotmen

Royalgamer06

 

 

WTF.. Thanks for the Post OP. guys i deleted init.exe and fade.exe also i cleared the registry as MarshallRawR said is there anything i need to do ? I'm really worried right now

Change all your passwords.

 

ok, some people like me can't possibly change all their passwords.

 

This is just a keylogger, right? so my stored passwords are safe? I've only been using this since last night, and I haven't actually typed in any passwords.

 

 

Please someone give some more details on this.

 

This


Welp, I had the Fade chilling on my system. Completed all the steps above, seems to be gone for now. Kinda glad I don't use GTA V for online, no password on it. But still, this isn't good. I agree with the person who said about sharing the source for mods, unless there's a better alternative, I'll be wary to download anything else from GTA 5 Mods. I understand people put work into it, but if there's a chance of this happening from a single .asi file. GG mods, I'll stick to learning to code my own. Open source all the way, then we could share everything and have one of the most comprehensive trainers ever made with TONS of features. Clean up all the redundancy in mods and scripts laying around.

 

Aside from that, thank you to the people who made modding this game possible. This is only a small speed bump and just a warning to let you all know what people are capable of. Not everyone has the best intentions.

 

Now, who the hell is going to make another (NON-INFECTED) Angry Plane mod? (Preferably with source included) :D


 

Dunno if anyone still wants these mods, but I took it upon myself to clean them up of bullsh*t malware. I liked Angry Planes and wanted to continue using it.

 

I dug through NoClip and Angry Planes with IDA and NOP'd out the calls and the functions that called home and downloaded malware crap to your computer, all the while maintaining functionality of the mod itself.

 

Surprisingly enough I never got infected, probably because I had GTA5.exe, GTAVLauncher.exe, and PlayGTAV.exe all blocked in Windows Firewall. Never used NoClip, only Angry Planes.

Of course, run these at your own risk. I can't guarantee that I've cleaned them up completely, but I've run them sandboxed in Sandboxie and saw no malicious files in the contents of the sandbox and no strange connections via HTTP to some Bitcoin farm in China. Hopefully someone on this forum can double-check with IDA and confirm that these are clean.

 

Again, run at your own risk:

http://www.mediafire.com/download/iq6i9c1zwp4a6k4/AngryNoClip_PPURGED.zip

 

4mSLxOT.png

I still don't trust it :panic:

 

 

I don't want people to get all paranoid about a few errant strings. They're gone now. Reupped.

 

http://www.mediafire.com/download/iq6i9c1zwp4a6k4/AngryNoClip_PPURGED.zip

 

You're so paranoid! :3

Edited by Gumshoe

Ihatelagging

Has anyone back traced where the keylogged data is being sent to? We can't allow this to continue.

Edited by Ihatelagging

found something new i have a file called Local剜捯獫慴⁲慇敭屳呇⁁屖湥楴汴浥湥⹴湩潦

 

in my appdata folder

 

upon googling it i found this

 

http://steamcommunity.com/app/271590/discussions/0/611703999971057114/

 

edit:NTAuthority confirmed that it's safe

I'm pretty sure it's 3DM crack related since 3DM is China based.

 

 

So if the .exe was blocked from the firewall and never could go online, the malware couldn't do anything?

Edited by Falenone

 

found something new i have a file called Local剜捯獫慴⁲慇敭屳呇⁁屖湥楴汴浥湥⹴湩潦

 

in my appdata folder

 

upon googling it i found this

 

http://steamcommunity.com/app/271590/discussions/0/611703999971057114/

 

edit:NTAuthority confirmed that it's safe

I'm pretty sure it's 3DM crack related since 3DM is China based.

 

 

So if the .exe was blocked from the firewall and never could go online, the malware couldn't do anything?

 

last time i used a hush hush naughty don't pay for games file was back in 2009


Looks like 'Open All Interiors' contains a keylogger too!

http://games.on.net/2015/05/gta-v-mod-30-hidden-locations/

https://www.gta5-mods.com/scripts/open-all-interiors

 

Well I thought I was safe because I didn't use Angry Planes or NoClip. BUT I used Open All Interiors.. phuck phuck PHUCK! I didn't have any of the files listed here.. don't know where this mod hides its bad stuff (if it does have bad stuff).

Edited by TheUnit

Looks like 'Open All Interiors' contains a keylogger too!

http://games.on.net/2015/05/gta-v-mod-30-hidden-locations/

https://www.gta5-mods.com/scripts/open-all-interiors

 

Well I thought I was safe because I didn't use Angry Planes or NoClip. BUT I used Open All Interiors.. phuck phuck PHUCK! I didn't have any of the files listed here.. don't know where this mod hides its bad stuff (if it does have bad stuff).

 

We will need more than a sh*tty clickbait website to trust you mate. They say nothing interesting and provide no sources to back up their claims.

Edited by Drkz

MarshallRawR

So today I started up my PC without Internet after all the cleanup I did yesterday.
No sign of anything, I did a Malwarebytes analysis on the Temp and Windows folder, nothing.

Enabled Internet, nothing. No new TEMP folder etc.. So I guess nothing is running.

Some people talked about multiple fade.exe , I only ever had one. No init..exe ever found.


niels900000

Looks like 'Open All Interiors' contains a keylogger too!

http://games.on.net/2015/05/gta-v-mod-30-hidden-locations/

https://www.gta5-mods.com/scripts/open-all-interiors

 

Well I thought I was safe because I didn't use Angry Planes or NoClip. BUT I used Open All Interiors.. phuck phuck PHUCK! I didn't have any of the files listed here.. don't know where this mod hides its bad stuff (if it does have bad stuff).

 

It doesn't.... this website assumes there's a keylogger in it without doing any research on that .asi or having any evidence backing up that claim.


Alexander Blade

It's clean , just checked

 

 

Looks like 'Open All Interiors' contains a keylogger too!

http://games.on.net/2015/05/gta-v-mod-30-hidden-locations/

https://www.gta5-mods.com/scripts/open-all-interiors

 

Well I thought I was safe because I didn't use Angry Planes or NoClip. BUT I used Open All Interiors.. phuck phuck PHUCK! I didn't have any of the files listed here.. don't know where this mod hides its bad stuff (if it does have bad stuff).

 

We will need more than a sh*tty clickbait website to trust you mate. They say nothing interesting and provide no sources to back up their claims.

 


 

Looks like 'Open All Interiors' contains a keylogger too!

http://games.on.net/2015/05/gta-v-mod-30-hidden-locations/

https://www.gta5-mods.com/scripts/open-all-interiors

 

Well I thought I was safe because I didn't use Angry Planes or NoClip. BUT I used Open All Interiors.. phuck phuck PHUCK! I didn't have any of the files listed here.. don't know where this mod hides its bad stuff (if it does have bad stuff).

 

We will need more than a sh*tty clickbait website to trust you mate. They say nothing interesting and provide no sources to back up their claims.

 

 

 

 

^-snip-

 

It doesn't.... this website assumes there's a keylogger in it without doing any research on that .asi or having any evidence backing up that claim.

 

 

 

 

It's clean , just checked

 

 

^-snip-

-snip-

 

 

Apologies, I've just read that on another forum about an hour ago, the guy included the link to that article.

Thanks for letting me know though, can cancel my system scan. :p


sarthakm27

If my guess is right, this asi causes malicious programs to be downloaded when the script is enabled in gta 5. I have GTA5.exe,GTALauncher,etc all blocked by firewall and found no trace of fade in my temp folder as well as registry. This means I am safe right?


lipskamafia

But, every time i start GTA V i see some CMD windows open and close almost instantly, is this part of the malware or something?

Me too every time when i start gtaV i see some cmd opening and closing. That can be a virus right ?

I've scanned my pc and checked reg/temp, all was clean


This topic is now closed to further replies.