GRANDHEIST Posted May 16, 2015
So who was the fu***** c*** who did this?
Zhuocheng Tan Posted May 16, 2015
Is system restore just as effective compared to reformatting?
master131 Posted May 16, 2015
So I analysed the sample @MarshallRawR sent. The first couple of layers have the exact same name as in my previous analysis but do differ in hash and bytes (most likely reobfuscated). This is probably because it was compiled/created 1 day later than the other one I looked at. However, the final Fade executable at the very last layer is identical to the one in the previous analysis (same MD5: 1F3B946A850F0D7DF56FA85E5E14BD64).

> Huh, I was trying to get the file uploaded, ESET obviously locked the file before I could, but surprisingly it changed detection type.

They probably added their detection definitions. Stimilik is the name they use for Steam related trojans.

> How long does urlmon cache the downloaded files in the folder for? Would it be worth it for infected users to clean this folder or does it pose no threat?

Not sure, I'm not familiar with urlmon's caching system. If it's there it probably can't do anything, but it doesn't hurt to delete it.

> We are disabling the domains as we are informed of them. We have dealt with acrypt.duckdns.org, hop.duckdns.org, nop.duckdns.org. Cheers.

Edited May 16, 2015 by master131
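Once the three duckdns.org names above were taken down, the useful question for anyone running a LAN or a home router with query logging is which machines are still trying to resolve them. The following is an added example, not code from the thread: it scans DNS query log lines for the names master131 listed and, going slightly beyond the post, also flags any other duckdns.org name for review since that is the dynamic-DNS provider the malware used. The log format, client IPs and answers are constructed for the example.

```python
import re
from collections import defaultdict

# Domains master131 reported as taken down in the thread above.
KNOWN_C2 = {"acrypt.duckdns.org", "hop.duckdns.org", "nop.duckdns.org"}
# The malware used a dynamic-DNS provider; other names there deserve a look.
SUSPECT_SUFFIX = ".duckdns.org"

# Constructed (hypothetical) log format: timestamp, client, queried name, answer.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<name>\S+) answer=(?P<answer>\S+)$"
)


def classify(name: str) -> str:
    """Normalise a queried name (case, trailing dot) and rate it."""
    host = name.rstrip(".").lower()
    if host in KNOWN_C2:
        return "known_c2"
    if host.endswith(SUSPECT_SUFFIX):
        return "dyn_dns_review"
    return "benign"


def scan_dns_log(lines) -> dict:
    """Return {client: [(ts, name, verdict, answer), ...]} for non-benign queries."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a line we don't understand: skip rather than guess
        verdict = classify(m["name"])
        if verdict != "benign":
            hits[m["client"]].append((m["ts"], m["name"], verdict, m["answer"]))
    return dict(hits)


def beaconing_clients(hits: dict) -> set:
    """Clients that queried a known C2 name: the machines to clean first."""
    return {c for c, ev in hits.items() if any(v == "known_c2" for _, _, v, _ in ev)}


# Constructed sample log: three LAN clients, two still resolving the old C2 names.
SAMPLE_LOG = """\
2015-05-16T09:58:01Z client=192.168.1.20 query=store.steampowered.com answer=203.0.113.10
2015-05-16T09:58:07Z client=192.168.1.20 query=hop.duckdns.org answer=NXDOMAIN
2015-05-16T09:58:09Z client=192.168.1.20 query=nop.duckdns.org answer=NXDOMAIN
2015-05-16T10:01:44Z client=192.168.1.31 query=gtaforums.com answer=203.0.113.20
2015-05-16T10:02:12Z client=192.168.1.31 query=mybox.duckdns.org answer=198.51.100.7
2015-05-16T10:03:00Z client=192.168.1.42 query=ACRYPT.DUCKDNS.ORG. answer=NXDOMAIN
this line is deliberately malformed and must be skipped
"""

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG.splitlines())
    for client, events in found.items():
        for ts, name, verdict, answer in events:
            print(f"{client} {ts} {name} -> {verdict} (answer {answer})")
    print("clean these first:", sorted(beaconing_clients(found)))
```

An NXDOMAIN answer for a known C2 name is still a hit: it means the host is trying to call home even though the name no longer resolves.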
monster875. Posted May 16, 2015
@StevenHarperUK sounds good, hopefully those morons can all be taken down
TDO Posted May 16, 2015
Just one question: The main problems are ASI mods, where the ASI Loader (Script Hook V) is needed to make them work. So, wouldn't it be a good idea to change the code of this ASI loader and remove the possibility of downloading / executing exe files / uploading, and change the directory to something else than the GTA V dir? Is this possible? Or if the ASI loader can't prevent such activities, can it be monitored by the loader and stop the script when it is trying to do something like this?
MarshallRawR Posted May 16, 2015
Seems like these DNS names are indeed down. Great job, so far the infection is technically killed.
Edited May 16, 2015 by MarshallRawR
Silent Posted May 16, 2015
> Just one question: The main problems are ASI mods, where the ASI Loader (Script Hook V) is needed to make them work. So, wouldn't it be a good idea to change the code of this ASI loader and remove the possibility of downloading / executing exe files / uploading, and change the directory to something else than the GTA V dir? Is this possible? Or if the ASI loader can't prevent such activities, can it be monitored by the loader and stop the script when it is trying to do something like this?

Unlikely. ASI loader literally LoadLibrary's *.asi files.
TDO Posted May 16, 2015
And what about the Script Hook V SDK? Is it possible to prevent such activities already during programming/compiling such mods?
Edited May 16, 2015 by TDO
Liolix Posted May 16, 2015
Saw this post on Reddit about a cleaned up version of Angry Planes: http://www.reddit.com/r/GrandTheftAutoV_PC/comments/36279w/cleaned_up_version_of_the_angry_planes_mod_info/ Is anyone able to test it and confirm whether it's clean? Many thanks
Silent Posted May 16, 2015
> And what about the Script Hook V SDK? Is it possible to prevent such activities already during programming/compiling such mods?

It's native code, so any sort of such security would in practice be equal to reinventing an antivirus.
ffzero58 Posted May 16, 2015
> Is system restore just as effective compared to reformatting?

It was the intent. However, some viruses can infect the restore files and continue the spread. Not saying this infection does this, but why take the chance. http://superuser.com/questions/201468/can-system-restore-remove-virus-from-the-computer I can tell you are trying NOT to put in some effort to fully clean your PC. I can understand. Really, take some responsibility.
rappo Posted May 16, 2015
Hey Silent, do you have any tips on how to check pre-compiled .dll files, which are used for the .NET Script Hook?
Smiley992 Posted May 16, 2015
Hello guys, I just wanted to tell you about some helpful tips to know if you are still hacked by the keylogger. So, first open up CMD and write: net user. What net user does is tell you how many people are connected in on your PC; if it writes your PC name only, it means you are safe; if it gives another name, there is a big chance that you are still hacked. Another thing is useful as well, for example this program called ApateDNS. Just search ApateDNS on Google. So all you have to do is open ApateDNS as Administrator and click Start Server; if you receive any domains while you didn't open any website or other programs, there is a big chance you are still hacked. And just an advice, use a program called KeyScrambler which encrypts everything you write on your keyboard and sends it false to the keylogger; it's really a useful program. I hope I helped, it's not that good but I hope it's a useful tip. Thanks for reading in that little voice in your brain.
masterjedi343 Posted May 16, 2015
Glad I didn't download this mod. Will there be an actual safe version of Angry Planes at some point?
Smiley992 Posted May 16, 2015
> Glad I didn't download this mod. Will there be an actual safe version of Angry Planes at some point?

I guess so.
G0nx4 Posted May 16, 2015
> So, first open up CMD and write: net user. What net user does is tell you how many people are connected in on your PC; if it writes your PC name only, it means you are safe; if it gives another name, there is a big chance that you are still hacked.

Thank you, I wrote net user and the only name that showed up on user accounts was my PC name. I feel a lot safer now. Thank you ))))))
Cazomino05 Posted May 16, 2015
To clarify some confusion: asi files are, for some reason, renamed (compiled C++) dll files. They currently execute at the lowest level your computer can process and no protection exists beyond your existing antivirus and anti-malware software - which in this case didn't appear to catch it due to the encryption used obfuscating the intentions of the "mod". Any C# or C++ mods have full and unrestricted access to the system, as any game, program or virus written in that language would.
Edited May 16, 2015 by Cazomino05
Smiley992 Posted May 16, 2015
> Thank you, I wrote net user and the only name that showed up on user accounts was my PC name. I feel a lot safer now. Thank you ))))))

You are welcome sir and I am always happy to help. And by the way, make sure you always run a strong firewall.
Edited May 16, 2015 by Smiley992
G0nx4 Posted May 16, 2015
> You are welcome sir and I am always happy to help. And by the way, make sure you always run a strong firewall.

Do you recommend me to pay for Avast? Because it has interesting features like firewall, sandbox mode, etc.
cp702 Posted May 16, 2015
> Though MD5 collisions have been demonstrated to be possible, actually doing so in practice would require a supercomputer and several decades at the minimum. Probably not something that the malware author (who is injecting his malware into a video game trainer) has the perseverance to carry out. Having said that, there is no sane reason to still be using MD5 checksums. Use SHA-1 and avoid the issue altogether.

No, it's SHA-1 which has been cracked but has not had a collision generated yet. MD5 is utterly broken; this guy managed to create a chosen-prefix collision between two fixed images in 10 hours of AWS time (costing under a dollar). SHA-1 should *also* not be used in new applications, because although its break is theoretical at this point it is broken. The correct checksum to use is a SHA-2 family hash (like SHA-256) or SHA-3; probably SHA-256, since that's really well supported. Do not use MD5 for any application that collision-resistance matters for, like this one.

> Hey Silent, do you have any tips on how to check pre-compiled .dll files, which are used for the .NET Script Hook?

Can you not just decompile them?
Edited May 16, 2015 by cp702
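Two points from this thread fit together in one check: Cazomino05's note that an .asi is just a renamed DLL, and cp702's point that a publisher's checksum is only worth trusting if it is SHA-2 or SHA-3. The script below is an added example, not code from the thread, from Script Hook V or from any mod author: it walks the PE header of a downloaded .asi to confirm it really is a DLL (and for which CPU), then verifies the file against a publisher-supplied digest while refusing MD5 and SHA-1 outright. The `algo:hexdigest` manifest format and the minimal header bytes built by `make_fake_pe` are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Policy from the thread: MD5 and SHA-1 are not acceptable for integrity decisions.
ACCEPTED_ALGOS = {"sha256", "sha512", "sha3_256"}

IMAGE_FILE_DLL = 0x2000  # IMAGE_FILE_HEADER.Characteristics flag for a DLL image
MACHINES = {0x014C: "x86", 0x8664: "x64"}


def inspect_pe(data: bytes) -> dict:
    """Minimal PE header walk: is this a (renamed) DLL, and for which CPU?"""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False}
    # IMAGE_FILE_HEADER follows the 4-byte signature: Machine, NumberOfSections,
    # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader,
    # Characteristics (20 bytes in total, little-endian).
    machine, nsect, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "is_pe": True,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsect,
    }


def verify_digest(data: bytes, spec: str) -> tuple:
    """spec is 'algo:hexdigest' as a publisher might post it. Returns (ok, reason)."""
    algo, _, expected = spec.lower().partition(":")
    if algo not in ACCEPTED_ALGOS:
        return False, f"{algo} is not acceptable for integrity checks"
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch"
    return True, "ok"


def check_asi(data: bytes, spec: str) -> dict:
    """Combined verdict: PE/DLL facts plus whether the published digest holds."""
    report = inspect_pe(data)
    report["digest_ok"], report["digest_reason"] = verify_digest(data, spec)
    return report


def digest_spec(data: bytes, algo: str) -> str:
    """Format a digest the way the checker expects (handy for building inputs)."""
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"


def make_fake_pe(is_dll: bool, machine: int = 0x8664) -> bytes:
    """Constructed stand-in for a real .asi: just enough header to be parsed."""
    chars = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)
    file_hdr = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0xF0, chars)
    stub = bytearray(b"MZ" + b"\0" * 0x3E)       # 64-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x40)     # e_lfanew -> right after the stub
    return bytes(stub) + b"PE\0\0" + file_hdr


if __name__ == "__main__":
    sample = make_fake_pe(is_dll=True)
    print(check_asi(sample, digest_spec(sample, "sha256")))  # accepted
    print(check_asi(sample, digest_spec(sample, "md5")))     # refused: weak algorithm
```

On a real file, replace `sample` with `open("Mod.asi", "rb").read()` and `spec` with the digest string the mod author published.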
MarshallRawR Posted May 16, 2015
All this sh*t made me paranoid now. Look at this, I'd love to try this mod, but how do I know? http://gtaforums.com/topic/794751-vwip-vigilante-mod Hell, I even played another mod from this guy and it seemed fine. sh*t makes you paranoid, I swear.
Edited May 16, 2015 by MarshallRawR
Eagle1001 Posted May 16, 2015
I just have two questions: if I had 3 session files starting from 13th May, is it possible that I didn't have any other? As I downloaded the mod earlier than that, but I only saw those files.
Ursus Posted May 16, 2015
I'm not infected. I don't have the Angry Planes mod, but I have the Noclip mod (date installed: May 3). The Noclip mod I have is the one that uses numpad 0+1, and has this readme.txt included:

Controls:
- NUMPAD0 to enable/disable noclip
- NUMPAD1 to modify speed (normal or super)
- W to move forwards, S to move backwards
- A to rotate left, D to rotate right
- LSHIFT to move up, LCTRL to move down

Custom activation/speed key:
- Edit the settings file called Noclip.ini and modify the numeric values
- List of keycodes can be found here: http://www.kbdedit.com/manual/low_level_vk_list.html
- For example, NUMPAD0 is 0x60 and NUMPAD1 is 0x61

Known bugs:
- Noclipping into other vehicles might make the other vehicle disappear
- Long shadows don't seem to work while noclip is enabled

Install:
- Script Hook V must be installed
- Put Noclip.asi and Noclip.ini in your root GTA V folder (i.e. the folder where the script hook is installed)
MarshallRawR Posted May 16, 2015
> I'm not infected. I don't have the Angry Planes mod, but I have the Noclip mod (date installed: May 3). The Noclip mod I have is the one that uses numpad 0+1, and has this readme.txt included: [readme quoted above]

That's the same text in the readme from the infected NoClip I had.
dgraham1284 Posted May 16, 2015
Wrong, Windows Firewall is essentially useless. You need router level firewall integration and a person who knows what they are doing. Even then, given the complexity of this, that may not be enough.
ZS GTA Posted May 16, 2015
I use Norton and that is VERY GOOD at detecting viruses and I pay nothing for it.
1) Just download the original 30 days' trial from the Norton website and install it
2) Then after, create a fake account for Norton
3) Download the Norton trial re-setter from here (http://www.mediafire.com/download/8fgpo0l69op0jf6/Norton+Trial+Reset+2015+All+Version.rar); it is not detected as a virus by the Norton trial, which is just the full thing but lasts 30 days
4) Type MSCONFIG in the start menu or in the charms bar for Windows 8
5) Go to the Boot tab and click safe boot; it tells you to restart, then restart
6) Once restarted, log in and open the trial re-setter and click reset/convert; it resets the free trial and converts to 180 days (about 1/2 a year). Use it again when Norton has less than 30 days left.
Norton updates when you run a scan or when you click update in the settings. I have been using this for over 2 years and it still works; the way it works is, I think, it refreshes Norton's data. R☆™
Edited May 16, 2015 by ZS GTA
FlyingAce Posted May 16, 2015
Hey, I'm worried about the Sonic Boom mod and the Innerforce mod. How come it doesn't want to load through a mod manager? It performs a check, it looks like, to see if it's being run through the main directory or not:

    local sonicboom = {}
    local mod = false
    local mod_toggle = false
    function sonicboom.unload()

Bit shady?????? Almost as if it doesn't want the mod to run through a mod manager that blocks the firewall, hmmmmm. THOUGH I COULD BE COMPLETELY MISUNDERSTANDING THIS, but it's true both mods DON'T work in the game when using a manager and this is what shows up in both of them.
Edited May 16, 2015 by FlyingAce
jippa_lippa Posted May 16, 2015
Guys, I know it sounds stupid and I already had one answer, but I'm really scared and I need at least another person's point of view on 2 questions.
1- I have both Windows and Mac OS X on the same computer (on different drives). I can format Windows but formatting the Mac would be a true pain... has this virus even got a 1% chance of working inside OS X, or am I safe keeping my Mac HD non-formatted? (Note I used the Mac to backup savegames after I MIGHT have been hit by the virus.)
2- Is it safe to backup and restore savegames, or might the Rockstar Games folder inside Documents be linked to the virus?
I know I'm paranoid, mad, and whiny... but I'm utterly terrified by viruses and I need an answer on those 2 questions before I can sleep safely (I suffer from MILD anxiety). Thank you so much for understanding, I really appreciate it.
Edited May 16, 2015 by jippa_lippa
G0nx4 Posted May 16, 2015
> Guys, I know it sounds stupid and I already had one answer, but I'm really scared and I need at least another person's point of view on 2 questions. 1- I have both Windows and Mac OS X on my computer (on different drives). I can format Windows but formatting the Mac would be a true pain... has this virus even got a 1% chance of working inside OS X, or am I safe keeping my Mac HD non-formatted? (Note I used the Mac to backup savegames after I MIGHT have been hit by the virus.) 2- Is it safe to backup and restore savegames, or might the Rockstar Games folder inside Documents be linked to the virus? I know I'm paranoid, mad, and whiny... but I'm utterly terrified by viruses and I need an answer on those 2 questions before I can sleep safely (I suffer from mild anxiety). Thank you so much for understanding, I really appreciate it.

Don't format, you will be wasting your time. Just follow the guide and scan with an antivirus.
jippa_lippa Posted May 16, 2015
> - cut -
> Don't format, you will be wasting your time. Just follow the guide and scan with an antivirus.

I have been formatting my PC twice a month for years, I'm used to it... it doesn't bother me. I only (desperately) need a trusty answer to those 2 questions. Thanks for the concern, by the way.
Edited May 16, 2015 by jippa_lippa