Malware inside Angry Planes & Noclip Mod

[lahma]

 

 

 

Though MD5 collisions have been demonstrated to be possible, actually doing so in practice would require a supercomputer and several decades at the minimum. Probably not something that the malware author (who is injecting his malware into a video game trainer) has the perseverance to carry out. Having said that, there is no sane reason to still be using MD5 checksums. Use SHA-1 and avoid the issue altogether.

 

 

No, it's SHA-1 which has been cracked but has not had a collision generated yet. MD5 is utterly broken; this guy managed to create a chosen-prefix collision between two fixed images in 10 hours of AWS time (costing under a dollar). SHA-1 should *also* not be used in new applications, because although its break is theoretical at this point it is broken. The correct checksum to use is a SHA-2 family hash (like SHA-256) or SHA-3; probably SHA-256, since that's really well supported. Do not use MD5 for any application that collision-resistance matters for, like this one.

 

 

 

Hey Silent, do you have any tips on how to check pre-compiled .dll files, which are used for the .NET Script Hook?

 

Can you not just decompile them?

 

Since this isn't an appropriate topic to debate about hashing functions, I'll refrain from further discussion, but you are absolutely right. SHA-256 would be a much better choice. The only reason I suggested SHA-1 is because a lot of software has support for it where SHA-256 is only now becoming more common (though it takes very very little effort to get a utility that will verify SHA-256.) The problem I find is that very few websites offer SHA-256 checksums of their downloadable files to verify against. Hell, many don't even offer SHA-1... This obviously needs to change.

[RainingAcid]

Saw this post on Reddit about a cleaned up version of Angry Planes:

http://www.reddit.com/r/GrandTheftAutoV_PC/comments/36279w/cleaned_up_version_of_the_angry_planes_mod_info/

 

Is anyone able to test it an confirm whether it's clean?

 

Many thanks

 

Same here..... I wanna know.

[Foosmeels]

If someone wants to clean up the 1.2 version of Angry Planes. Here it is:

 

https://mega.co.nz/#!0wQ3gaBI!Dm_ykHP_N0ZdPyL_NIctiwcbrzgSAveoeKiP-n85g4w

 

Love this version.

 

Version 3.0 Angry Planes:

(Not as Fun, kinda... Bleh.... Planes mostly just fly above you and crash into each other)

 

Version 2.0 Angry Planes:

 

and

 

 

Edited May 16, 2015 by Foosmeels

[Microbots]

Hey Im Worried about Sonic boom mod and innerforce mod

how come it doesnt want to load through a mod manager? it preforms a check, it looks like to see if it's being run through the main directory or not

 

local sonicboom = {}

local mod = false

local mod_toggle = false

 

function sonicboom.unload()

 

Bit shady?????? almost as if it doesn't want the mod to run through a mod manager that blocks the firewall hmmmmm

 

THOUGH I COULD BE COMPLETELY MISSUNDERSTANDING THIS

 

but its true both mods DONT work in the game when using a manager and this is what shows up in both of them.

 

Seems like the norm for lua mods. If you're that scared of the unload function, just remove it. Then see if it works and see if it's needed.

[Loves GTA]

Windows Defender does not play well at all with the dinput8.dll. When it's in the game folder, real time protection causes my game to stutter when switching characters and occasionally in normal gameplay. If I disable real time protection, everything is smooth. Anyone else have the same issue, and if so, is there a way to avoid issues while real time protection is enabled?

 

It's not a huge deal, but I'd much prefer to not have to remember to switch off the A/V every time I play and then back on when I'm done.

Edited May 17, 2015 by Loves GTA

[ffzero58]

 

Hey Im Worried about Sonic boom mod and innerforce mod

how come it doesnt want to load through a mod manager? it preforms a check, it looks like to see if it's being run through the main directory or not

 

local sonicboom = {}

local mod = false

local mod_toggle = false

 

function sonicboom.unload()

 

Bit shady?????? almost as if it doesn't want the mod to run through a mod manager that blocks the firewall hmmmmm

 

THOUGH I COULD BE COMPLETELY MISSUNDERSTANDING THIS

 

but its true both mods DONT work in the game when using a manager and this is what shows up in both of them.

Seems like the norm for lua mods. If you're that scared of the unload function, just remove it. Then see if it works and see if it's needed.

The unload function is normal and most times not required. Is there any more code within the function? See if the function is called later in the code. It could just be leftover from the LUA sample template.

[Spear64]

Guys i know it sounds stupid and i already had one answer, but i'm really scared and i need at least an other person's point of view on 2 questions.

 

1- I have both Windows and Mac Os x on the same computer (on different drives). I can format windows but formatting the mac would be a true pain...has this virus even got a a 1% chance of working inside OS X, or am i safe keeping my MAC HD non formatted? (note i used the mac to backup savegames after i MIGHT have been hit by the virus)

2- Is it safe to backup and restore savegames, or might the Rockstar Games folder inside documents be linked to the virus?

 

I know i'm paranoid, mad, and whiny...but i'm utterly terrified by viruses and i need an answer on those 2 questions before i can sleep safely (i suffer from MILD anxiety).

Thank you so much for understanding, i really appreciate it

1. Well, in terms of strict *POSSIBILITY*, it can happen if it was coded to do so (AFAIK). But I'd say the chances of it happening are less then 1%. Even if it could somehow spread to your other drive, OS X is written much differently then windows, and the virus couldn't be able to operate. If this was a problem, any virus would be much more of an issue then they already are. Consider it practically impossible. Someone correct me if im wrong though

2. I don't see why that'd be an issue. If your that paranoid you can virus scan it.

Edited May 17, 2015 by Spear64

[Stewox]

Wow.

 

Great community cooperative work, I would have downloaded and used this mod for sure if there was no warning.

 

Also you guys might try using ProcessMonitor from sysinternals as well, if you don't already .. should detect what files and reg is the trojan through csc and vbc ..etc

 

Maybe it's doing things through gta5.exe in the beginning ...

Edited May 17, 2015 by Stewox

[ffzero58]

 

Guys i know it sounds stupid and i already had one answer, but i'm really scared and i need at least an other person's point of view on 2 questions.

 

1- I have both Windows and Mac Os x on my computer (on different drives). I can format windows but formatting the mac would be a true pain...has this virus even got a a 1% chance of working inside OS X, or am i safe keeping my MAC HD non formatted? (note i used the mac to backup savegames after i MIGHT have been hit by the virus)

2- Is it safe to backup and restore savegames, or might the Rockstar Games folder inside documents be linked to the virus?

 

I know i'm paranoid, mad, and whiny...but i'm utterly terrified by viruses and i need an answer on those 2 questions before i can sleep safely. (i suffer from mile anxiety)

Thank you so much for understanding, i really appreciate it

Don't format, you will be wasting your time. Just follow the guide and scan with an antivirus.

 

 

Again, we don't fully understand what else the virus could have done. This was literally discovered two days ago with analysis verified within 24 hours. We're not security experts (correct me if I am wrong). Even in the OP, it says "If you're not sure, reformat".

 

In your case, you could probably just format the windows OS drive. The possibility that the virus author thought about your scenario is next to nil.

[FlyingAce]

Hey guys.. I might have a problem... after closing gta v my computer RANDOMLLY booted up CS GO and said it was trying to launch from "out of steam" and therefore would not be able to connect to vac servers... IS someone trying to access our inventorys???

[Spear64]

Hey guys.. I might have a problem... after closing gta v my computer RANDOMLLY booted up CS GO and said it was trying to launch from "out of steam" and therefore would not be able to connect to vac servers... IS someone trying to access our inventorys???

If you can rule out any reason why you might've launched it on accident, its possible. ANYTHING is really possible at this moment. There's still a lot known about the virus at the moment. For the moment, its certain that it logs keystrokes and even your steam inventory. There's no confirmation its programmed to allow remote access to your PC. Formatting is really the only way to be very safe, IMO.

[FlyingAce]

I also found a ini in my temp folder called armui I googled and its related to malware aparently.... malwarebytes still hasnt caught anything and neither has my AV kind of concerned

[FlyingAce]

MY INVENTORY IS GONE I THOUGHT I REMOVED THE VIRUS

Edited May 17, 2015 by FlyingAce

[PhillBellic]

All of this raises an important question, Just who do/can we trust to release Mods free of malware, and other nasty programs from this point onwards?

[Spear64]

MY INVENTORY IS GONE I THOUGHT I REMOVED THE VIRUS

Just because its removed doesn't mean your not at risk. For one, you don't KNOW that its fully removed just from the OP's instructions. Second, whatever the keylogger managed to get before the servers got shut down is already in his possession. Did you not change your passwords?

[G0nx4]

 

 

Guys i know it sounds stupid and i already had one answer, but i'm really scared and i need at least an other person's point of view on 2 questions.

 

1- I have both Windows and Mac Os x on my computer (on different drives). I can format windows but formatting the mac would be a true pain...has this virus even got a a 1% chance of working inside OS X, or am i safe keeping my MAC HD non formatted? (note i used the mac to backup savegames after i MIGHT have been hit by the virus)

2- Is it safe to backup and restore savegames, or might the Rockstar Games folder inside documents be linked to the virus?

 

I know i'm paranoid, mad, and whiny...but i'm utterly terrified by viruses and i need an answer on those 2 questions before i can sleep safely. (i suffer from mile anxiety)

Thank you so much for understanding, i really appreciate it

Don't format, you will be wasting your time. Just follow the guide and scan with an antivirus.

 

 

Again, we don't fully understand what else the virus could have done. This was literally discovered two days ago with analysis verified within 24 hours. We're not security experts (correct me if I am wrong). Even in the OP, it says "If you're not sure, reformat".

 

In your case, you could probably just format the windows OS drive. The possibility that the virus author thought about your scenario is next to nil.

 

IMO there's too much paranoia about this virus. Formatting is just a waste of time. Following the OP guide is the solution. I've been scanning my pc after deleting the virus a lot of times and nothing is found. So, just downloading a good anti virus should do it and deleting the folders in regedit. Anyway for my security I'll stay away from mods

Edited May 17, 2015 by G0nx4

[FlyingAce]

 

MY INVENTORY IS GONE I THOUGHT I REMOVED THE VIRUS

Just because its removed doesn't mean your not at risk. For one, you don't KNOW that its fully removed just from the OP's instructions. Second, whatever the keylogger managed to get before the servers got shut down is already in his possession. Did you not change your passwords?

 

I changed my passwords after I deleted it a few days ago.... then today CS:GO randomly launched after closing out gta v like some bot or some sort and now my inventory is gone I thought I already cleaned the malware out sh*t probably anyone that followed these instructions is still at risk

[Spear64]

 

 

 

Guys i know it sounds stupid and i already had one answer, but i'm really scared and i need at least an other person's point of view on 2 questions.

 

1- I have both Windows and Mac Os x on my computer (on different drives). I can format windows but formatting the mac would be a true pain...has this virus even got a a 1% chance of working inside OS X, or am i safe keeping my MAC HD non formatted? (note i used the mac to backup savegames after i MIGHT have been hit by the virus)

2- Is it safe to backup and restore savegames, or might the Rockstar Games folder inside documents be linked to the virus?

 

I know i'm paranoid, mad, and whiny...but i'm utterly terrified by viruses and i need an answer on those 2 questions before i can sleep safely. (i suffer from mile anxiety)

Thank you so much for understanding, i really appreciate it

Don't format, you will be wasting your time. Just follow the guide and scan with an antivirus.

 

 

Again, we don't fully understand what else the virus could have done. This was literally discovered two days ago with analysis verified within 24 hours. We're not security experts (correct me if I am wrong). Even in the OP, it says "If you're not sure, reformat".

 

In your case, you could probably just format the windows OS drive. The possibility that the virus author thought about your scenario is next to nil.

 

IMO there's too much paranoia about this virus. Formatting is just a waste of time. Following the OP guide is the solution. I've been scanning my pc after deleting the virus a lot of times and nothing is found. So, just downloading a good anti virus should do it and deleting the folders in regedit. Anyway for my security I'll stay away from mods

 

It's not if you value the security of your information, finances, etc. Not until some more information comes through, theres no telling if you truly removed the virus. I believe a few of the popular AV's don't detect it yet. I'm not saying you should still be paranoid so long as you followed the OP, and changed all passwords. But, theres so many people posting "am I still at risk". At this point the only thing left to do is to format. With that being said, I agree with the last part, I'd advise staying away from mods. Of course, there's a few trusted authors who you can download from.

[FlyingAce]

sh*t sh*t im afraid what if they get into peoples other accounts??? not just steam I mean they didnt even HAVE to steal my steam account to do this!! or even log into it!!

 

 

LIST OF INSTALLED MODS

 

bilagos mod manager

and mods listed
army response
collectablescollector
enhancednative trainer
gravity gun
hydraulics (the first one)
lamar gunner
nice fly
radio off
open interriors
riot mode
scripthookdotnet
tank
working jb700
lua
ambulence missions
trucking missions
vigilante missions

addins
sonic boom
inner_force
train driver

Edited May 17, 2015 by FlyingAce

[ffzero58]

 

 

 

Guys i know it sounds stupid and i already had one answer, but i'm really scared and i need at least an other person's point of view on 2 questions.

 

1- I have both Windows and Mac Os x on my computer (on different drives). I can format windows but formatting the mac would be a true pain...has this virus even got a a 1% chance of working inside OS X, or am i safe keeping my MAC HD non formatted? (note i used the mac to backup savegames after i MIGHT have been hit by the virus)

2- Is it safe to backup and restore savegames, or might the Rockstar Games folder inside documents be linked to the virus?

 

I know i'm paranoid, mad, and whiny...but i'm utterly terrified by viruses and i need an answer on those 2 questions before i can sleep safely. (i suffer from mile anxiety)

Thank you so much for understanding, i really appreciate it

Don't format, you will be wasting your time. Just follow the guide and scan with an antivirus.

 

 

Again, we don't fully understand what else the virus could have done. This was literally discovered two days ago with analysis verified within 24 hours. We're not security experts (correct me if I am wrong). Even in the OP, it says "If you're not sure, reformat".

 

In your case, you could probably just format the windows OS drive. The possibility that the virus author thought about your scenario is next to nil.

 

IMO there's too much paranoia about this virus. Formatting is just a waste of time. Following the OP guide is the solution. I've been scanning my pc after deleting the virus a lot of times and nothing is found. So, just downloading a good anti virus should do it and deleting the folders in regedit. Anyway for my security I'll stay away from mods

 

 

That's all good. If you feel you're 100% safe then more power to you.

 

For the other folks who are less tech savvy or overly paranoid... reformatting is the surest way. It was already proven that some popular a/v programs could not detect it. This was a 0-day virus and a cleverly made one at that, it seems. If anything, folks should be more self conscious about backups and security. Knowledge is power. I've definitely learned a lot from this event.

[Silent]

Hey Silent, do you have any tips on how to check pre-compiled .dll files, which are used for the .NET Script Hook?

I have little clue about managed code, sadly

[RedDagger]

MY INVENTORY IS GONE I THOUGHT I REMOVED THE VIRUS

Go to Steam, go to inventory, click 'More' in the top right and choose, 'view inventory history', if all yo items were traded to a single person then your credentials were definitely stolen instead of some steam error.

[MarshallRawR]

Can someone tells me the hell is that?

EDIT: On isn't it an update of Visual thingy.

 

 

 

vcredist is a windows thing, but these logs are weird and I don't know much about them.

It contains weird sh*t though. Maybe it's just me stalking the TEMP folder too much.

 

 

Edited May 17, 2015 by MarshallRawR

[BossMannAU]

It looks as if our emails have also been sold to email spam companies. In the last 2 days I have got 40 spam emails vs the 1-2 that I would get previously.

[Smiley992]

 

 

use Malwarebytes Anti-Malware) it's good have a nice day.

 

 

 

Hello, Guys and i just wanted to tell you about some helpful tips to know if you are still hacked by The Keylogger,

 

So,

 

First Open up CMD and Write:

 

net user

 

What net user does is tells you how many people are connected in on your pc, if it's writes your pc name only, it's means you are safe, if it's gives another name, there is a big chance that you still hacked.

 

and another thing is useful as well, for example This program Called (ApateDNS)

Just Search ApateDNS On google

 

So all you have to do is open ApateDNS As Administartor and Click Start Server , if you Recieve any Domains While you didn't open any website or other programs there is a big chance, you still been hacked..

 

And Just an Advice, use a Program Called,

 

KeyScramble Which Encrypts every Thing you Write on your Keyboard and Send it False to The keylogger it's really a Useful program.

 

 

i Hope i Helped, It's not That good but i hope it's a Useful Tips Thanks For Reading in that little voice in your Brain

 

Thank you, I wrote net user and the only name that showed up on user accounts was my PC Name. I feel a lot safer now. Thank you ))))))

 

 

 

Hello, Guys and i just wanted to tell you about some helpful tips to know if you are still hacked by The Keylogger,

 

So,

 

First Open up CMD and Write:

 

net user

 

What net user does is tells you how many people are connected in on your pc, if it's writes your pc name only, it's means you are safe, if it's gives another name, there is a big chance that you still hacked.

 

and another thing is useful as well, for example This program Called (ApateDNS)

Just Search ApateDNS On google

 

So all you have to do is open ApateDNS As Administartor and Click Start Server , if you Recieve any Domains While you didn't open any website or other programs there is a big chance, you still been hacked..

 

And Just an Advice, use a Program Called,

 

KeyScramble Which Encrypts every Thing you Write on your Keyboard and Send it False to The keylogger it's really a Useful program.

 

 

i Hope i Helped, It's not That good but i hope it's a Useful Tips Thanks For Reading in that little voice in your Brain

 

Thank you, I wrote net user and the only name that showed up on user accounts was my PC Name. I feel a lot safer now. Thank you ))))))

 

You are welcome sir and i am always happy to help. And by the way make sure you always run a Strong Firewall

 

Do you recommend me to pay for avast? Because it has interesting features like firewall, sandbox mode, etc.

 

Hi, First you Should Try the Trial Version Of Avast if you liked it and it worked great then you can buy it if you want, but there is some other good anti viruses aswell , like, Bitdefender, or Dr.web these are some great anti-viruses and Malwarebytes is great as well

 

This is not a keylogger only we are being used as net bots, so use Strong Firewalls to Disable Flooding i don't know if it could help but always use strong anti-viruses and firewalls i hope i helped have a nice day.

Edited May 17, 2015 by Smiley992

[human10]

Here my picture on the 8th step as posted by OP.

 

I also found that there's another Leep folder with random name in the Roaming folder instead of Local.

 

It is really unsafe, no idea where else had it being hiding. Probably gonna reformat when I have spare time, and refrain any important logins for the the time being.

[EddieThePro]

So, i did that net user thing with CMD, and it came up with this. http://sv.tinypic.com/view.php?pic=2nvgkrk&s=8#.VVitRvntnGA

 

Everything is in the picture

[BKnight]

Okay, so this may sound like an incredibly nooby question, but what's stopping us from just deleting everything in 'Temp'? Are things stored in there important? Surely it should be filled with replaceable files seeing as the folder is quite literally named 'Temporary'? I've got around 3GB of stuff inside that folder and wouldn't mind deleting some of it?

 

Sorry if this is f*cking stupid. I'm usually smarter than this, promise

[EddieThePro]

Okay, so this may sound like an incredibly nooby question, but what's stopping us from just deleting everything in 'Temp'? Are things stored in there important? Surely it should be filled with replaceable files seeing as the folder is quite literally named 'Temporary'? I've got around 3GB of stuff inside that folder and wouldn't mind deleting some of it?

 

Sorry if this is f*cking stupid. I'm usually smarter than this, promise

Some of the files are used by software/programs that are running

[BKnight]

 

Okay, so this may sound like an incredibly nooby question, but what's stopping us from just deleting everything in 'Temp'? Are things stored in there important? Surely it should be filled with replaceable files seeing as the folder is quite literally named 'Temporary'? I've got around 3GB of stuff inside that folder and wouldn't mind deleting some of it?

 

Sorry if this is f*cking stupid. I'm usually smarter than this, promise

Some of the files are used by software/programs that are running

 

Cheers, I'll stay safe and avoid it for the time being.

 

Regarding your picture: I think that's fine. Mine consists of 'Administrator - ASPNET - Guest - [My Name]