Jump to content
Forum Rules
Official Modification Forum Rules
GTAMods Wiki
GRAND THEFT AUTO VI INFODUMP DISCUSSION FORUM - TRAILER, SCREENSHOTS, ARTWORK

Malware inside Angry Planes & Noclip Mod

aboutseven

By aboutseven
in GTA V

 Share

Recommended Posts

Eagle1001

Eagle1001

Posted
Posted (edited)

 

Is it possible it stole files and is it possible it copied to other harddrives and infected those .exe files?

 

Yes. The virus stole session/saved passwords of social media sites, steam, etc... It also logged your keystrokes and did all sorts of debauchery on your system. As for your latter question, it does not look like that is the case. Even so, look through your autoruns to see if you have any suspicious entries.

 

How about keepass files? I reinstalled my pc but I really want to know if it stole keepass files

Edited by Eagle1001
ffzero58

ffzero58

Posted
Posted

 

 

Is it possible it stole files and is it possible it copied to other harddrives and infected those .exe files?

 

Yes. The virus stole session/saved passwords of social media sites, steam, etc... It also logged your keystrokes and did all sorts of debauchery on your system. As for your latter question, it does not look like that is the case. Even so, look through your autoruns to see if you have any suspicious entries.

 

How about keepass files? I reinstalled my pc but I really want to know if it stole keepass files

 

 

It does not look like keepass files were stolen.

vecuccio

vecuccio

Posted
Posted

None of this sh*t would be as feasible if Rockstar hadn't insisted in forcing you to be online and sign into the social club. Otherwise we could just pull the LAN cable out of the PC before running V in SP mode.

 

What are the admins going to do to the Devs of these mods? They should post as much private information about them as possible. IP address, etc. If they're not so smart, then maybe on one of the upload sites they did not use a VPN? Something, anything that.might be useful for a human flesh search as we call it in China. These bastards need to be tracked down and punished.

  • EddFyx and TheUnit
  • Like 2
cp702

cp702

Posted
Posted

At the very least, shouldn't Paypal be able to trace what happened to the funds? Keep in mind that whoever did this seems to have committed serious crimes. Stealing tens of thousands of dollars can land you in prison. The appropriate response is to go to law enforcement, not to try to deal with it yourself, possibly by committing crimes of your own.

master131

master131

Posted
Posted

So I'm going through the basics of IDA and the relevant tutorials on youtube. In one of them, it says that you can see the importsand what they use like using like networking.

 

Now I have no idea what ASI files need or how they work when they download viruses. But did Angry Planes mod need that import and would it show up on IDA?

 

No, it used GetProcAddress and LoadLibrary which is a dynamic alternative to standard imports. I checked them too when I analysed them and noticed no internet related imports. It was not until I dug into the code and decrypted the strings that it became obvious what was really happening.

TheMuffinManOP

TheMuffinManOP

Posted
Posted (edited)

Did it affect windows 8.1 users?

 

I can't find any of the exe files. But I did find one .z file in temp that appeared to be unnamed and had a winrar icon.

 

I am on windows 8.1 and I had all the malware and it was there still look through all the steps and do the scans with the programs if you need more info go to this reddit post on how to remove all malware : http://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/

Edited by TheMuffinManOP
H3RB4LS

H3RB4LS

Posted
Posted (edited)

If someone wants to clean up the 1.2 version of Angry Planes. Here it is:

 

https://mega.co.nz/#!0wQ3gaBI!Dm_ykHP_N0ZdPyL_NIctiwcbrzgSAveoeKiP-n85g4w

 

Love this version.

 

Version 3.0 Angry Planes:

(Not as Fun, kinda... Bleh.... Planes mostly just fly above you and crash into each other)

 

Version 2.0 Angry Planes:

 

and

 

 

 

Is this clean? And how do we know? Id really like the mod again but a random mega download seems a bit sketch. One way to find out I suppose :D

 

Edit: Well metascan didn't seem to like it...

 

9e95b4da84d737c2f8b462ec8fb6f95a.png

Edited by H3RB4LS
tom730

tom730

Posted
Posted

 

What will it change since they can publish clean source among with infected binary .

 

 

It's clean

I'm glad you researched into these files, now to make sure those files get removed on gta5-mods too.

 

can someone check if this one is clean too?

https://www.gta5-mods.com/scripts/airtaxi-helicopter-rappel-mod

 

If this becomes a really big problem, can't you force all ScriptHookV using mods to have their source code published? It'd make it harder to include malware in th

 

 

 

It's clean

I'm glad you researched into these files, now to make sure those files get removed on gta5-mods too.

 

can someone check if this one is clean too?

https://www.gta5-mods.com/scripts/airtaxi-helicopter-rappel-mod

 

I looked on the mod's comments, and it looked like someone's detected something, take a look there. It actually said from Norton that they found some Malware in the files. Don't download this unless you want your password to be stolen.

G0nx4

G0nx4

Posted
Posted

 

 

for some random reason silent wants me to post here. so no one will see this post but I will do as he said ( post) :hey guys I removed everything such as shell in the regedit and all the files and stuff I went as far as to reinstall gta 5 but I found a shell folder in regedit and deleted it I also found a file called "*" (yes a * )

but I think I went to far as after doing some research this was added by windows I have backups and restore points so it is nothing huge and I really want to re install windows but I really do not want to start again after having this pc like 10 months of having it but I am only 50 % sure I am safe I have changed most in portent passwords such as youtube twitch facebook paypal and rockstar steam and the rest but I re installed gta 5 and it launched in windowed mode witch was strange I wish I checked my processes but I can't remember doing so but the fade folder in regedit so I deleted it again and rebooted 2 times and it has not returned. for the people saying about the "leep" and "fade" in the regedit I only installed the noclip mod and it seems the files where added on the same date as every one else "5/5/2015" on the 5 of may witch seems weird and I only had fade and no leep witch people said "leep" was part of the noclip mod let me know where to look for this "leep" sh*t too please, thanks :) Extra stuff:

the real kicker is that I wanted to start gta modding in gta 5 and I started then I heard the news about all this f*ckery with the malware this really will hit the community hard since I am not even going to download a mod. until it has been like 110 % confirmed to be real by tons of people and youtubers as such rockstar should touch on it even though they do not really approve for modding in gta 5 it should be talked about wont be surprised if rockstar said "I told you so" I still think there is that 1 person out there that has not heard the news and I have been in contact with malwarebytes since It did not detect it I just hope this comes to light even more than it has

As I know there were different noclip mods, so it should be that some mods had leep and others had fade. In my case I just got fade from noclip mod.

 

well I just had fade too man that sucks I didn't even use noclip only the occasional looking behind a wall for like an easter egg, oh well, thanks for the reply :)

alright, i scanned my PC with malwarebytes too and it said its clean from any init or fade exe.

I recommend more programs since malwarebytes didn't detect it. all it did is detected a "hijack.shallA.gen" and another one I knew about this before this thing even happened I even uni-stalled gta 5 before this happened because I knew

it was gta 5 doing it since every time I run it it would be detected by malwarebytes but it did not completely remove it PLEASE go through the step by step removal guide in this main post and go here : http://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/

to remove ALL malware from your pc. thanks :)

 

 

 

 

for some random reason silent wants me to post here. so no one will see this post but I will do as he said ( post) :hey guys I removed everything such as shell in the regedit and all the files and stuff I went as far as to reinstall gta 5 but I found a shell folder in regedit and deleted it I also found a file called "*" (yes a * )

but I think I went to far as after doing some research this was added by windows I have backups and restore points so it is nothing huge and I really want to re install windows but I really do not want to start again after having this pc like 10 months of having it but I am only 50 % sure I am safe I have changed most in portent passwords such as youtube twitch facebook paypal and rockstar steam and the rest but I re installed gta 5 and it launched in windowed mode witch was strange I wish I checked my processes but I can't remember doing so but the fade folder in regedit so I deleted it again and rebooted 2 times and it has not returned. for the people saying about the "leep" and "fade" in the regedit I only installed the noclip mod and it seems the files where added on the same date as every one else "5/5/2015" on the 5 of may witch seems weird and I only had fade and no leep witch people said "leep" was part of the noclip mod let me know where to look for this "leep" sh*t too please, thanks :) Extra stuff:

the real kicker is that I wanted to start gta modding in gta 5 and I started then I heard the news about all this f*ckery with the malware this really will hit the community hard since I am not even going to download a mod. until it has been like 110 % confirmed to be real by tons of people and youtubers as such rockstar should touch on it even though they do not really approve for modding in gta 5 it should be talked about wont be surprised if rockstar said "I told you so" I still think there is that 1 person out there that has not heard the news and I have been in contact with malwarebytes since It did not detect it I just hope this comes to light even more than it has

As I know there were different noclip mods, so it should be that some mods had leep and others had fade. In my case I just got fade from noclip mod.

 

well I just had fade too man that sucks I didn't even use noclip only the occasional looking behind a wall for like an easter egg, oh well, thanks for the reply :)

alright, i scanned my PC with malwarebytes too and it said its clean from any init or fade exe.

I recommend more programs since malwarebytes didn't detect it. all it did is detected a "hijack.shallA.gen" and another one I knew about this before this thing even happened I even uni-stalled gta 5 before this happened because I knew

it was gta 5 doing it since every time I run it it would be detected by malwarebytes but it did not completely remove it PLEASE go through the step by step removal guide in this main post and go here : http://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/

to remove ALL malware from your pc. thanks :)

 

No problem! By the way, since some antivirus dont detect the virus I recommend you this http://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/

PotatoStorm

PotatoStorm

Posted
Posted

The virus could have easily self-nuked to get rid o any traces of it running on your system. As many people have said already, we do not know fully what the virus is capable of. Do not assume, just delete everything you found that OP told you to delete. Treat it as a full infection. If you are really unsure, change your password and format your system.

PacketOverload_x64bit

PacketOverload_x64bit

Posted
Posted

Confirmed , noclip as well as angry planes are with malware , Fade.exe is password stealer , chage every password you have including steam .

 

This kind of malware, in community mods, is a definite downer. I have assets to protect, and never thought we'd see that from community mods in GTA. Everything is suspect now. Would be nice to have a mod site that actively checks ASI's and DLL's prior to publish as a result of this.

-Packet

MarshallRawR

MarshallRawR

Posted
Posted

I have a pirated version of GTA V and have been using angry planes since it came out.. But my PC show zero sign of infection.. Is this limited to registered users who can access GTA Online perhaps?

 

No it's not.

aboutseven

aboutseven

Posted
  • Author
Posted

Well, guess I got lucky then. I was running angry planes 1.2, and have done a full and thorough search on my PC with Avira, Malwarebytes AntiMalware, CCleaner, and Hitman Pro.

There is a specific reason why I placed those things in the top of the OP with large colored font. Please read them.

demologik

demologik

Posted
Posted

 

Well, guess I got lucky then. I was running angry planes 1.2, and have done a full and thorough search on my PC with Avira, Malwarebytes AntiMalware, CCleaner, and Hitman Pro.

There is a specific reason why I placed those things in the top of the OP with large colored font. Please read them.

 

I have read them, along with the entire thread.. Which is why I want to know how some people are affected and some aren't.. I know this forum looks negatively on pirating, but there might me a connection between legit users being infected and non legit users not being affected by it.. (BTW I've purchased GTA V 3 separate times already, so morally I don't feel bad about not buying it again..)

Jenia

Jenia

Posted
Posted

 

Nobody said that though. What has been mostly said is that the actual system is a bit too laxist and needs to be improved. The goal is not to scare people away, but to warn them.

 

Besides "mods" is a very broad term. A texture pack is a mod, a sound pack is a mod. And correct me if i'm wrong, but a .rar archive with some sounds or textures in it sounds and looks infinitely safer than a compiled file like .asi that can basically do whatever the f*ck it wants on your computer. So to sum it up it's not about being paranoid about getting a virus from installing mods, it's being paranoid about installing something in .asi.

 

I'm sure you can see the differences and why you can't make such comparaisons and broad statements. Asi, for an average user (like me or someone else) is opaque as f*ck. You don't know what's inside, and most of the time (expect if you have some previous knowledge or you do some dedicated research like OP) you can't know what's inside.

 

Plus, i could potentially do what it wants. There's a lot of implications with .asi, too much implications, and i don't think we can just rely on "trusting" modders to avoid getting infected. This is a recipe for disaster.

 

That's honestly it.

 

Yes, you are saying that, in fact you wanted to label all ASI mods as unsafe. The system is fine, you run the same risks downloading an ASI mod as you do downloading anything else on the internet, ASI mods don't need to have some sort of warning sign because of this one recent incident.

 

Yeah, because these ASI's people are installing aren't actually mods. Like I said, if you're paranoid about getting a virus from installing some type of mod, then you shouldn't be installing that type of mod.

 

 

It's just like saying if you fell off your bike, never ride it again.

 

Unless you broke your neck :p

 

Silent

Silent

Posted
Posted

Good thing i havent downloaded any sh*tty mods. (Those mods are sh*tty)

I got AVG AntiVirus 2015 Full Paid Version (100% Legal version) and AVG Pc Tuneup 2015 (100% legal version and paid)

Cool! And?

  • TheUnit, Blisteryship006, Igor Bogdanoff and 3 others
  • Like 6
PotatoStorm

PotatoStorm

Posted
Posted (edited)

 

 

Well, guess I got lucky then. I was running angry planes 1.2, and have done a full and thorough search on my PC with Avira, Malwarebytes AntiMalware, CCleaner, and Hitman Pro.

There is a specific reason why I placed those things in the top of the OP with large colored font. Please read them.

 

I have read them, along with the entire thread.. Which is why I want to know how some people are affected and some aren't.. I know this forum looks negatively on pirating, but there might me a connection between legit users being infected and non legit users not being affected by it.. (BTW I've purchased GTA V 3 separate times already, so morally I don't feel bad about not buying it again..)Just treat it as if there is an infection, unless you did not run it. Its better safe than sorry. Also, antiviruses are not reliable when it comes to this, as the mod merely downloads the malware, as such does not have any code that can actually be flagged as malicious. Edited by PotatoStorm
mattiskungen

mattiskungen

Posted
Posted

Hello. I did all the steps and successfully removed the virus from my computer. But for some reason, my computer freezes all the time and acts unusual. It keeps on being weird and slow. May the virus have messed with my computer settings?

Please answer. Please, i beg someone. Answer. I want to know if format or nah.

TheSun

TheSun

Posted
Posted

 

 

Hello. I did all the steps and successfully removed the virus from my computer. But for some reason, my computer freezes all the time and acts unusual. It keeps on being weird and slow. May the virus have messed with my computer settings?

Please answer. Please, i beg someone. Answer. I want to know if format or nah.

Same issue here I noticed my Laptop freezing at times which is out of the ordinary so...

 

 

I ran all tests and malware removal scans and cleared all the files in the TEMP folder.

However When I searching through registry under Microsoft/Software under the key "fade" I found this,is this anything I should be worried about?7

 

2upcxec.png

 

Thanks.

aboutseven

aboutseven

Posted
  • Author
Posted (edited)

I have read them, along with the entire thread.. Which is why I want to know how some people are affected and some aren't.. I know this forum looks negatively on pirating, but there might me a connection between legit users being infected and non legit users not being affected by it.. (BTW I've purchased GTA V 3 separate times already, so morally I don't feel bad about not buying it again..)

You say you have read them, but I've literally answered this right at the top. If you didn't find any files then don't assume you weren't affected. This is actually stated more than once in the OP.

There is also no reason for there to be a different situation if you had a pirated copy. ScriptHook executes the asi files the same way on a pirated copy as a legit copy, there is no difference. If you ran the mods, and you know that you ran the mods, then you were infected. That is just how the mod worked. Once the game loads up, the mod is loaded by ScriptHook and executes its infection.

 

However When I searching through registry under Microsoft/Software under the key "fade" I found this,is this anything I should be worried about?7

 

2upcxec.png

 

Thanks.

 

This is already stated as something you need to remove in the OP.

 

Hello. I did all the steps and successfully removed the virus from my computer. But for some reason, my computer freezes all the time and acts unusual. It keeps on being weird and slow. May the virus have messed with my computer settings?

Please answer. Please, i beg someone. Answer. I want to know if format or nah.

Formatting is all up to you. I haven't seen anyone saying anything about their computer slowing down. If the virus has been removed from the computer and there is nothing running in the background that is related to csc.exe, then it has to be something else slowing down your computer. The virus itself didn't use much resources to begin with, which is probably why no one noticed it for a while.

Edited by aboutseven
wes_g

wes_g

Posted
Posted

I downloaded the mod on the 8th, ran it on the 12th or 13th, cannot remember. I went out of town on the 13th and came back on the 18th, and was told by a friend that it had horrible malware in angry planes, did not try the other one. Just scary!

 

I'm not sure if it being turned off while the attackers server was on, and then turning on my computer after that server had been taken down makes it any less of a risk.

 

I did stop the csc.exe, cleared out the temp folders, hunted down all registry entries (though I did miss the one in HKEY_CURRENT_USER\Software\Microsoft\ because I had thought I already did that step, not sure if that reg entry alone can harm you, caught that part a bit late, though csc.exe did not run), and of course removed the mod.

 

Ran Avast and malware bytes, all seemed good.

 

Restarting the computer did not load csc.exe, nor did running GTA V.

Changed all passwords, got a new debit card, logged out all active sessions....

 

God what a pain in the arse!

I have not seen any odd behavior or odd processes running. Would be great if they caught whoever did this, seriously.

 

The other mods I have are

 

NativeTrainer

RiotMode

Endeavour

PedSuicide0.1a

GravityGun

richuf

richuf

Posted
Posted (edited)

 

 

 

However When I searching through registry under Microsoft/Software under the key "fade" I found this,is this anything I should be worried about?7

 

2upcxec.png

 

Thanks.

 

This is already stated as something you need to remove in the OP.

 

i have this in my reg also but i cant find anything about in the op

ok i have looked at a few different computers registry,ones that are on a dif network and no gta and no mods and they all have this

so it has nothing to do with this malware

so i wouldnt delete it

Edited by richuf
demologik

demologik

Posted
Posted

 

 

 

 

I have read them, along with the entire thread.. Which is why I want to know how some people are affected and some aren't.. I know this forum looks negatively on pirating, but there might me a connection between legit users being infected and non legit users not being affected by it.. (BTW I've purchased GTA V 3 separate times already, so morally I don't feel bad about not buying it again..)

You say you have read them, but I've literally answered this right at the top. If you didn't find any files then don't assume you weren't affected. This is actually stated more than once in the OP.

There is also no reason for there to be a different situation if you had a pirated copy. ScriptHook executes the asi files the same way on a pirated copy as a legit copy, there is no difference. If you ran the mods, and you know that you ran the mods, then you were infected. That is just how the mod worked. Once the game loads up, the mod is loaded by ScriptHook and executes its infection.

 

Except that when I run GTA V my internet isn't connected.

Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • 0 User Currently Viewing
    0 members, 0 Anonymous, 0 Guests

×
×
  • Create New...

Important Information

By using GTAForums.com, you agree to our Terms of Use and Privacy Policy.

  I accept