Malware inside Angry Planes & Noclip Mod

[Eagle1001]

 

Is it possible it stole files and is it possible it copied to other harddrives and infected those .exe files?

 

Yes. The virus stole session/saved passwords of social media sites, steam, etc... It also logged your keystrokes and did all sorts of debauchery on your system. As for your latter question, it does not look like that is the case. Even so, look through your autoruns to see if you have any suspicious entries.

 

How about keepass files? I reinstalled my pc but I really want to know if it stole keepass files

Edited May 18, 2015 by Eagle1001

[everesee]

I have 2 word for developer of this mods: f*ck YOU.

 

Edited May 18, 2015 by everesee

[ffzero58]

 

 

Is it possible it stole files and is it possible it copied to other harddrives and infected those .exe files?

 

Yes. The virus stole session/saved passwords of social media sites, steam, etc... It also logged your keystrokes and did all sorts of debauchery on your system. As for your latter question, it does not look like that is the case. Even so, look through your autoruns to see if you have any suspicious entries.

 

How about keepass files? I reinstalled my pc but I really want to know if it stole keepass files

 

 

It does not look like keepass files were stolen.

[vecuccio]

None of this sh*t would be as feasible if Rockstar hadn't insisted in forcing you to be online and sign into the social club. Otherwise we could just pull the LAN cable out of the PC before running V in SP mode.

 

What are the admins going to do to the Devs of these mods? They should post as much private information about them as possible. IP address, etc. If they're not so smart, then maybe on one of the upload sites they did not use a VPN? Something, anything that.might be useful for a human flesh search as we call it in China. These bastards need to be tracked down and punished.

[cp702]

At the very least, shouldn't Paypal be able to trace what happened to the funds? Keep in mind that whoever did this seems to have committed serious crimes. Stealing tens of thousands of dollars can land you in prison. The appropriate response is to go to law enforcement, not to try to deal with it yourself, possibly by committing crimes of your own.

[master131]

So I'm going through the basics of IDA and the relevant tutorials on youtube. In one of them, it says that you can see the importsand what they use like using like networking.

 

Now I have no idea what ASI files need or how they work when they download viruses. But did Angry Planes mod need that import and would it show up on IDA?

 

No, it used GetProcAddress and LoadLibrary which is a dynamic alternative to standard imports. I checked them too when I analysed them and noticed no internet related imports. It was not until I dug into the code and decrypted the strings that it became obvious what was really happening.

[TheMuffinManOP]

Did it affect windows 8.1 users?

 

I can't find any of the exe files. But I did find one .z file in temp that appeared to be unnamed and had a winrar icon.

 

I am on windows 8.1 and I had all the malware and it was there still look through all the steps and do the scans with the programs if you need more info go to this reddit post on how to remove all malware : http://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/

Edited May 19, 2015 by TheMuffinManOP

[H3RB4LS]

If someone wants to clean up the 1.2 version of Angry Planes. Here it is:

 

https://mega.co.nz/#!0wQ3gaBI!Dm_ykHP_N0ZdPyL_NIctiwcbrzgSAveoeKiP-n85g4w

 

Love this version.

 

Version 3.0 Angry Planes:

(Not as Fun, kinda... Bleh.... Planes mostly just fly above you and crash into each other)

 

Version 2.0 Angry Planes:

 

and

 

 

 

Is this clean? And how do we know? Id really like the mod again but a random mega download seems a bit sketch. One way to find out I suppose

 

Edit: Well metascan didn't seem to like it...

 

Edited May 19, 2015 by H3RB4LS

[Microbots]

That is not the way to find out.

[tom730]

 

What will it change since they can publish clean source among with infected binary .

 

 

It's clean

I'm glad you researched into these files, now to make sure those files get removed on gta5-mods too.

 

can someone check if this one is clean too?

https://www.gta5-mods.com/scripts/airtaxi-helicopter-rappel-mod

 

If this becomes a really big problem, can't you force all ScriptHookV using mods to have their source code published? It'd make it harder to include malware in th

 

 

 

It's clean

I'm glad you researched into these files, now to make sure those files get removed on gta5-mods too.

 

can someone check if this one is clean too?

https://www.gta5-mods.com/scripts/airtaxi-helicopter-rappel-mod

 

I looked on the mod's comments, and it looked like someone's detected something, take a look there. It actually said from Norton that they found some Malware in the files. Don't download this unless you want your password to be stolen.

[G0nx4]

 

 

for some random reason silent wants me to post here. so no one will see this post but I will do as he said ( post) :hey guys I removed everything such as shell in the regedit and all the files and stuff I went as far as to reinstall gta 5 but I found a shell folder in regedit and deleted it I also found a file called "*" (yes a * )

but I think I went to far as after doing some research this was added by windows I have backups and restore points so it is nothing huge and I really want to re install windows but I really do not want to start again after having this pc like 10 months of having it but I am only 50 % sure I am safe I have changed most in portent passwords such as youtube twitch facebook paypal and rockstar steam and the rest but I re installed gta 5 and it launched in windowed mode witch was strange I wish I checked my processes but I can't remember doing so but the fade folder in regedit so I deleted it again and rebooted 2 times and it has not returned. for the people saying about the "leep" and "fade" in the regedit I only installed the noclip mod and it seems the files where added on the same date as every one else "5/5/2015" on the 5 of may witch seems weird and I only had fade and no leep witch people said "leep" was part of the noclip mod let me know where to look for this "leep" sh*t too please, thanks Extra stuff:

the real kicker is that I wanted to start gta modding in gta 5 and I started then I heard the news about all this f*ckery with the malware this really will hit the community hard since I am not even going to download a mod. until it has been like 110 % confirmed to be real by tons of people and youtubers as such rockstar should touch on it even though they do not really approve for modding in gta 5 it should be talked about wont be surprised if rockstar said "I told you so" I still think there is that 1 person out there that has not heard the news and I have been in contact with malwarebytes since It did not detect it I just hope this comes to light even more than it has

As I know there were different noclip mods, so it should be that some mods had leep and others had fade. In my case I just got fade from noclip mod.

 

well I just had fade too man that sucks I didn't even use noclip only the occasional looking behind a wall for like an easter egg, oh well, thanks for the reply

alright, i scanned my PC with malwarebytes too and it said its clean from any init or fade exe.

I recommend more programs since malwarebytes didn't detect it. all it did is detected a "hijack.shallA.gen" and another one I knew about this before this thing even happened I even uni-stalled gta 5 before this happened because I knew

it was gta 5 doing it since every time I run it it would be detected by malwarebytes but it did not completely remove it PLEASE go through the step by step removal guide in this main post and go here : http://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/

to remove ALL malware from your pc. thanks

 

 

 

 

for some random reason silent wants me to post here. so no one will see this post but I will do as he said ( post) :hey guys I removed everything such as shell in the regedit and all the files and stuff I went as far as to reinstall gta 5 but I found a shell folder in regedit and deleted it I also found a file called "*" (yes a * )

but I think I went to far as after doing some research this was added by windows I have backups and restore points so it is nothing huge and I really want to re install windows but I really do not want to start again after having this pc like 10 months of having it but I am only 50 % sure I am safe I have changed most in portent passwords such as youtube twitch facebook paypal and rockstar steam and the rest but I re installed gta 5 and it launched in windowed mode witch was strange I wish I checked my processes but I can't remember doing so but the fade folder in regedit so I deleted it again and rebooted 2 times and it has not returned. for the people saying about the "leep" and "fade" in the regedit I only installed the noclip mod and it seems the files where added on the same date as every one else "5/5/2015" on the 5 of may witch seems weird and I only had fade and no leep witch people said "leep" was part of the noclip mod let me know where to look for this "leep" sh*t too please, thanks Extra stuff:

the real kicker is that I wanted to start gta modding in gta 5 and I started then I heard the news about all this f*ckery with the malware this really will hit the community hard since I am not even going to download a mod. until it has been like 110 % confirmed to be real by tons of people and youtubers as such rockstar should touch on it even though they do not really approve for modding in gta 5 it should be talked about wont be surprised if rockstar said "I told you so" I still think there is that 1 person out there that has not heard the news and I have been in contact with malwarebytes since It did not detect it I just hope this comes to light even more than it has

As I know there were different noclip mods, so it should be that some mods had leep and others had fade. In my case I just got fade from noclip mod.

 

well I just had fade too man that sucks I didn't even use noclip only the occasional looking behind a wall for like an easter egg, oh well, thanks for the reply

alright, i scanned my PC with malwarebytes too and it said its clean from any init or fade exe.

I recommend more programs since malwarebytes didn't detect it. all it did is detected a "hijack.shallA.gen" and another one I knew about this before this thing even happened I even uni-stalled gta 5 before this happened because I knew

it was gta 5 doing it since every time I run it it would be detected by malwarebytes but it did not completely remove it PLEASE go through the step by step removal guide in this main post and go here : http://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/

to remove ALL malware from your pc. thanks

 

No problem! By the way, since some antivirus dont detect the virus I recommend you this http://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/

[DennyFrontier]

I followed the instructions thoroughly and I did not find a lot of the folders and files in the places they should have been... Is it possible I wasnt infected?

[PotatoStorm]

The virus could have easily self-nuked to get rid o any traces of it running on your system. As many people have said already, we do not know fully what the virus is capable of. Do not assume, just delete everything you found that OP told you to delete. Treat it as a full infection. If you are really unsure, change your password and format your system.

[PacketOverload_x64bit]

Confirmed , noclip as well as angry planes are with malware , Fade.exe is password stealer , chage every password you have including steam .

 

This kind of malware, in community mods, is a definite downer. I have assets to protect, and never thought we'd see that from community mods in GTA. Everything is suspect now. Would be nice to have a mod site that actively checks ASI's and DLL's prior to publish as a result of this.

-Packet

[demologik]

I have a pirated version of GTA V and have been using angry planes since it came out.. But my PC show zero sign of infection.. Is this limited to registered users who can access GTA Online perhaps?

[MarshallRawR]

I have a pirated version of GTA V and have been using angry planes since it came out.. But my PC show zero sign of infection.. Is this limited to registered users who can access GTA Online perhaps?

 

No it's not.

[demologik]

Well, guess I got lucky then. I was running angry planes 1.2, and have done a full and thorough search on my PC with Avira, Malwarebytes AntiMalware, CCleaner, and Hitman Pro.

[aboutseven]

Well, guess I got lucky then. I was running angry planes 1.2, and have done a full and thorough search on my PC with Avira, Malwarebytes AntiMalware, CCleaner, and Hitman Pro.

There is a specific reason why I placed those things in the top of the OP with large colored font. Please read them.

[demologik]

 

Well, guess I got lucky then. I was running angry planes 1.2, and have done a full and thorough search on my PC with Avira, Malwarebytes AntiMalware, CCleaner, and Hitman Pro.

There is a specific reason why I placed those things in the top of the OP with large colored font. Please read them.

 

I have read them, along with the entire thread.. Which is why I want to know how some people are affected and some aren't.. I know this forum looks negatively on pirating, but there might me a connection between legit users being infected and non legit users not being affected by it.. (BTW I've purchased GTA V 3 separate times already, so morally I don't feel bad about not buying it again..)

[Jenia]

 

Nobody said that though. What has been mostly said is that the actual system is a bit too laxist and needs to be improved. The goal is not to scare people away, but to warn them.

 

Besides "mods" is a very broad term. A texture pack is a mod, a sound pack is a mod. And correct me if i'm wrong, but a .rar archive with some sounds or textures in it sounds and looks infinitely safer than a compiled file like .asi that can basically do whatever the f*ck it wants on your computer. So to sum it up it's not about being paranoid about getting a virus from installing mods, it's being paranoid about installing something in .asi.

 

I'm sure you can see the differences and why you can't make such comparaisons and broad statements. Asi, for an average user (like me or someone else) is opaque as f*ck. You don't know what's inside, and most of the time (expect if you have some previous knowledge or you do some dedicated research like OP) you can't know what's inside.

 

Plus, i could potentially do what it wants. There's a lot of implications with .asi, too much implications, and i don't think we can just rely on "trusting" modders to avoid getting infected. This is a recipe for disaster.

 

That's honestly it.

 

Yes, you are saying that, in fact you wanted to label all ASI mods as unsafe. The system is fine, you run the same risks downloading an ASI mod as you do downloading anything else on the internet, ASI mods don't need to have some sort of warning sign because of this one recent incident.

 

Yeah, because these ASI's people are installing aren't actually mods. Like I said, if you're paranoid about getting a virus from installing some type of mod, then you shouldn't be installing that type of mod.

 

 

It's just like saying if you fell off your bike, never ride it again.

 

Unless you broke your neck

 

[vicboh0413]

Good thing i havent downloaded any sh*tty mods. (Those mods are sh*tty)

I got AVG AntiVirus 2015 Full Paid Version (100% Legal version) and AVG Pc Tuneup 2015 (100% legal version and paid)

 

So f*ck those viruses maen

[Silent]

Good thing i havent downloaded any sh*tty mods. (Those mods are sh*tty)

I got AVG AntiVirus 2015 Full Paid Version (100% Legal version) and AVG Pc Tuneup 2015 (100% legal version and paid)

Cool! And?

[PotatoStorm]

 

 

Well, guess I got lucky then. I was running angry planes 1.2, and have done a full and thorough search on my PC with Avira, Malwarebytes AntiMalware, CCleaner, and Hitman Pro.

There is a specific reason why I placed those things in the top of the OP with large colored font. Please read them.

 

I have read them, along with the entire thread.. Which is why I want to know how some people are affected and some aren't.. I know this forum looks negatively on pirating, but there might me a connection between legit users being infected and non legit users not being affected by it.. (BTW I've purchased GTA V 3 separate times already, so morally I don't feel bad about not buying it again..)Just treat it as if there is an infection, unless you did not run it. Its better safe than sorry. Also, antiviruses are not reliable when it comes to this, as the mod merely downloads the malware, as such does not have any code that can actually be flagged as malicious. Edited May 20, 2015 by PotatoStorm

[mattiskungen]

Hello. I did all the steps and successfully removed the virus from my computer. But for some reason, my computer freezes all the time and acts unusual. It keeps on being weird and slow. May the virus have messed with my computer settings?

Please answer. Please, i beg someone. Answer. I want to know if format or nah.

[TheSun]

 

 

Hello. I did all the steps and successfully removed the virus from my computer. But for some reason, my computer freezes all the time and acts unusual. It keeps on being weird and slow. May the virus have messed with my computer settings?

Please answer. Please, i beg someone. Answer. I want to know if format or nah.

Same issue here I noticed my Laptop freezing at times which is out of the ordinary so...

 

 

I ran all tests and malware removal scans and cleared all the files in the TEMP folder.

However When I searching through registry under Microsoft/Software under the key "fade" I found this,is this anything I should be worried about?7

 

 

Thanks.

[aboutseven]

I have read them, along with the entire thread.. Which is why I want to know how some people are affected and some aren't.. I know this forum looks negatively on pirating, but there might me a connection between legit users being infected and non legit users not being affected by it.. (BTW I've purchased GTA V 3 separate times already, so morally I don't feel bad about not buying it again..)

You say you have read them, but I've literally answered this right at the top. If you didn't find any files then don't assume you weren't affected. This is actually stated more than once in the OP.

There is also no reason for there to be a different situation if you had a pirated copy. ScriptHook executes the asi files the same way on a pirated copy as a legit copy, there is no difference. If you ran the mods, and you know that you ran the mods, then you were infected. That is just how the mod worked. Once the game loads up, the mod is loaded by ScriptHook and executes its infection.

 

However When I searching through registry under Microsoft/Software under the key "fade" I found this,is this anything I should be worried about?7

 

 

Thanks.

 

This is already stated as something you need to remove in the OP.

 

Hello. I did all the steps and successfully removed the virus from my computer. But for some reason, my computer freezes all the time and acts unusual. It keeps on being weird and slow. May the virus have messed with my computer settings?

Please answer. Please, i beg someone. Answer. I want to know if format or nah.

Formatting is all up to you. I haven't seen anyone saying anything about their computer slowing down. If the virus has been removed from the computer and there is nothing running in the background that is related to csc.exe, then it has to be something else slowing down your computer. The virus itself didn't use much resources to begin with, which is probably why no one noticed it for a while.

Edited May 20, 2015 by aboutseven

[wes_g]

I downloaded the mod on the 8th, ran it on the 12th or 13th, cannot remember. I went out of town on the 13th and came back on the 18th, and was told by a friend that it had horrible malware in angry planes, did not try the other one. Just scary!

 

I'm not sure if it being turned off while the attackers server was on, and then turning on my computer after that server had been taken down makes it any less of a risk.

 

I did stop the csc.exe, cleared out the temp folders, hunted down all registry entries (though I did miss the one in HKEY_CURRENT_USER\Software\Microsoft\ because I had thought I already did that step, not sure if that reg entry alone can harm you, caught that part a bit late, though csc.exe did not run), and of course removed the mod.

 

Ran Avast and malware bytes, all seemed good.

 

Restarting the computer did not load csc.exe, nor did running GTA V.

Changed all passwords, got a new debit card, logged out all active sessions....

 

God what a pain in the arse!

I have not seen any odd behavior or odd processes running. Would be great if they caught whoever did this, seriously.

 

The other mods I have are

 

NativeTrainer

RiotMode

Endeavour

PedSuicide0.1a

GravityGun

[richuf]

 

 

 

However When I searching through registry under Microsoft/Software under the key "fade" I found this,is this anything I should be worried about?7

 

 

Thanks.

 

This is already stated as something you need to remove in the OP.

 

i have this in my reg also but i cant find anything about in the op

ok i have looked at a few different computers registry,ones that are on a dif network and no gta and no mods and they all have this

so it has nothing to do with this malware

so i wouldnt delete it

Edited May 20, 2015 by richuf

[demologik]

 

 

 

 

I have read them, along with the entire thread.. Which is why I want to know how some people are affected and some aren't.. I know this forum looks negatively on pirating, but there might me a connection between legit users being infected and non legit users not being affected by it.. (BTW I've purchased GTA V 3 separate times already, so morally I don't feel bad about not buying it again..)

You say you have read them, but I've literally answered this right at the top. If you didn't find any files then don't assume you weren't affected. This is actually stated more than once in the OP.

There is also no reason for there to be a different situation if you had a pirated copy. ScriptHook executes the asi files the same way on a pirated copy as a legit copy, there is no difference. If you ran the mods, and you know that you ran the mods, then you were infected. That is just how the mod worked. Once the game loads up, the mod is loaded by ScriptHook and executes its infection.

 

Except that when I run GTA V my internet isn't connected.

[PotatoStorm]

Running the game without internet (you are not connected to any wifi, router or data network) may have caused you to break the trojan, which needed internet access. Idk, it might be possible. Someone test this out pls