Eagle1001 Posted May 18, 2015 (edited)

> Is it possible it stole files and is it possible it copied to other hard drives and infected those .exe files?
>
> Yes. The virus stole session/saved passwords of social media sites, Steam, etc... It also logged your keystrokes and did all sorts of debauchery on your system. As for your latter question, it does not look like that is the case. Even so, look through your autoruns to see if you have any suspicious entries.

How about KeePass files? I reinstalled my PC but I really want to know if it stole KeePass files.

everesee Posted May 18, 2015 (edited)

I have 2 words for the developer of these mods: f*ck YOU.

ffzero58 Posted May 18, 2015

> Is it possible it stole files and is it possible it copied to other hard drives and infected those .exe files?
>
> Yes. The virus stole session/saved passwords of social media sites, Steam, etc... It also logged your keystrokes and did all sorts of debauchery on your system. As for your latter question, it does not look like that is the case. Even so, look through your autoruns to see if you have any suspicious entries.
>
> How about KeePass files? I reinstalled my PC but I really want to know if it stole KeePass files.

It does not look like KeePass files were stolen.

vecuccio Posted May 19, 2015

None of this sh*t would be as feasible if Rockstar hadn't insisted on forcing you to be online and sign into the Social Club. Otherwise we could just pull the LAN cable out of the PC before running V in SP mode.

What are the admins going to do to the devs of these mods? They should post as much private information about them as possible. IP address, etc. If they're not so smart, then maybe on one of the upload sites they did not use a VPN? Something, anything that might be useful for a human flesh search, as we call it in China. These bastards need to be tracked down and punished.

cp702 Posted May 19, 2015

At the very least, shouldn't PayPal be able to trace what happened to the funds? Keep in mind that whoever did this seems to have committed serious crimes. Stealing tens of thousands of dollars can land you in prison. The appropriate response is to go to law enforcement, not to try to deal with it yourself, possibly by committing crimes of your own.

master131 Posted May 19, 2015

> So I'm going through the basics of IDA and the relevant tutorials on YouTube. In one of them, it says that you can see the imports and what they use, like networking. Now I have no idea what ASI files need or how they work when they download viruses. But did the Angry Planes mod need that import and would it show up in IDA?

No, it used GetProcAddress and LoadLibrary, which is a dynamic alternative to standard imports. I checked them too when I analysed them and noticed no internet-related imports. It was not until I dug into the code and decrypted the strings that it became obvious what was really happening.

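The point in master131's reply above, as an added example that is not part of the original thread: a Python check that parses a PE import table and reports when a file lists no network DLLs yet imports the LoadLibrary/GetProcAddress pair, in which case the import table cannot rule out networking. The two sample images are constructed for the demo (they are not the mod files), and the DLL lists, function names and verdict strings are assumptions of this example.

```python
import struct

# Network DLLs an analyst looks for, and the imports that let code load any DLL by name.
NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll"}
RESOLVERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"}

def parse_imports(data):
    """Return {dll name (lowercase): [imported names]} from a PE import directory."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    pe64 = struct.unpack_from("<H", data, opt)[0] == 0x20B        # PE32+ magic
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe64 else 96) + 8)[0]
    sections = [struct.unpack_from("<8xIIII", data, opt + opt_size + 40 * i)
                for i in range(nsect)]

    def off(rva):  # map an RVA to a file offset through the section table
        for vsize, va, rsize, rptr in sections:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + rptr
        raise ValueError(f"RVA {rva:#x} is outside every section")
    def cstr(o):   # NUL-terminated ASCII string at file offset o
        return data[o:data.index(b"\0", o)].decode("ascii", "replace")
    width, fmt, by_ordinal = (8, "<Q", 1 << 63) if pe64 else (4, "<I", 1 << 31)
    found, d = {}, off(imp_rva) if imp_rva else None
    while d is not None:
        oft, _, _, name, ft = struct.unpack_from("<IIIII", data, d)
        if not (oft or name or ft):          # all-zero descriptor ends the table
            break
        funcs, t = found.setdefault(cstr(off(name)).lower(), []), off(oft or ft)
        while (v := struct.unpack_from(fmt, data, t)[0]):
            funcs.append(f"#{v & 0xFFFF}" if v & by_ordinal else cstr(off(v) + 2))
            t += width
        d += 20
    return found

def triage(data):
    """Report what the import table can and cannot say about networking."""
    imports = parse_imports(data)
    names = {f for funcs in imports.values() for f in funcs}
    report = {
        "network_dlls": sorted(NETWORK_DLLS & set(imports)),
        "resolvers": sorted(RESOLVERS & names),
        # DLL names readable anywhere in the file; encrypted strings leave this empty.
        "plaintext_names": sorted(n for n in NETWORK_DLLS if n.encode() in data.lower()),
    }
    if report["network_dlls"]:
        report["verdict"] = "network imports are visible statically"
    elif "GetProcAddress" in names and len(report["resolvers"]) > 1:
        report["verdict"] = "no network imports, but APIs can be resolved at run time"
    else:
        report["verdict"] = "no network imports and no resolver imports"
    return report

def build_sample(imports):
    """Constructed minimal PE32 image for the demo: one section, RVA == file offset."""
    base = 0x200
    blob = bytearray(20 * (len(imports) + 1))         # descriptors + zero terminator
    for i, (dll, funcs) in enumerate(imports.items()):
        thunks = base + len(blob)
        blob += bytes(4 * (len(funcs) + 1))           # thunk array + zero terminator
        for j, fn in enumerate(funcs):
            struct.pack_into("<I", blob, thunks - base + 4 * j, base + len(blob))
            blob += b"\0\0" + fn.encode() + b"\0"     # hint, then the name
        struct.pack_into("<IIIII", blob, 20 * i, thunks, 0, 0, base + len(blob), thunks)
        blob += dll.encode() + b"\0"
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, base, 20 * (len(imports) + 1))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    sect = struct.pack("<8sIIII16x", b".idata", len(blob), base, len(blob), base)
    head = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + sect
    return head.ljust(base, b"\0") + bytes(blob)

# Constructed samples (not the real mod files): run-time resolution vs. normal linking.
DYNAMIC = build_sample({"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"]})
STATIC = build_sample({"KERNEL32.dll": ["CreateFileA"], "WS2_32.dll": ["connect", "send"]})
```

On a real file, read its bytes and pass them to `triage`; a "resolved at run time" verdict means the next step is looking at strings and code, as the reply describes.
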
TheMuffinManOP Posted May 19, 2015 (edited)

> Did it affect Windows 8.1 users? I can't find any of the exe files. But I did find one .z file in temp that appeared to be unnamed and had a WinRAR icon.

I am on Windows 8.1 and I had all the malware and it was there. Still, look through all the steps and do the scans with the programs. If you need more info, go to this Reddit post on how to remove all malware: http://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/

H3RB4LS Posted May 19, 2015 (edited)

> If someone wants to clean up the 1.2 version of Angry Planes. Here it is: https://mega.co.nz/#!0wQ3gaBI!Dm_ykHP_N0ZdPyL_NIctiwcbrzgSAveoeKiP-n85g4w
>
> Love this version.
>
> Version 3.0 Angry Planes: (Not as Fun, kinda... Bleh.... Planes mostly just fly above you and crash into each other)
>
> Version 2.0 Angry Planes: and

Is this clean? And how do we know? I'd really like the mod again but a random mega download seems a bit sketch. One way to find out I suppose.

Edit: Well metascan didn't seem to like it...

Microbots Posted May 19, 2015

That is not the way to find out.

tom730 Posted May 19, 2015

> What will it change since they can publish clean source along with infected binary.
>
> If this becomes a really big problem, can't you force all ScriptHookV using mods to have their source code published? It'd make it harder to include malware in th
>
> It's clean
>
> I'm glad you researched into these files, now to make sure those files get removed on gta5-mods too. Can someone check if this one is clean too? https://www.gta5-mods.com/scripts/airtaxi-helicopter-rappel-mod

I looked on the mod's comments, and it looked like someone's detected something, take a look there. It actually said from Norton that they found some malware in the files. Don't download this unless you want your password to be stolen.

G0nx4 Posted May 19, 2015

> For some random reason Silent wants me to post here, so no one will see this post, but I will do as he said (post):
>
> Hey guys, I removed everything such as shell in the regedit and all the files and stuff. I went as far as to reinstall GTA 5, but I found a shell folder in regedit and deleted it. I also found a file called "*" (yes, a *), but I think I went too far, as after doing some research this was added by Windows. I have backups and restore points so it is nothing huge, and I really want to reinstall Windows but I really do not want to start again after having this PC like 10 months, but I am only 50% sure I am safe. I have changed most important passwords such as YouTube, Twitch, Facebook, PayPal and Rockstar, Steam and the rest. But I reinstalled GTA 5 and it launched in windowed mode, which was strange. I wish I checked my processes but I can't remember doing so, but the fade folder in regedit so I deleted it again and rebooted 2 times and it has not returned.
>
> For the people saying about the "leep" and "fade" in the regedit: I only installed the noclip mod and it seems the files were added on the same date as everyone else, "5/5/2015", on the 5th of May, which seems weird, and I only had fade and no leep, which people said "leep" was part of the noclip mod. Let me know where to look for this "leep" sh*t too please, thanks.
>
> Extra stuff: the real kicker is that I wanted to start GTA modding in GTA 5 and I started, then I heard the news about all this f*ckery with the malware. This really will hit the community hard, since I am not even going to download a mod until it has been like 110% confirmed to be real by tons of people and YouTubers, as such Rockstar should touch on it, even though they do not really approve of modding in GTA 5. It should be talked about. Won't be surprised if Rockstar said "I told you so". I still think there is that 1 person out there that has not heard the news, and I have been in contact with Malwarebytes since it did not detect it. I just hope this comes to light even more than it has.
>
> As I know there were different noclip mods, so it should be that some mods had leep and others had fade. In my case I just got fade from noclip mod.
>
> Well, I just had fade too, man that sucks. I didn't even use noclip, only the occasional looking behind a wall for like an easter egg. Oh well, thanks for the reply.
>
> Alright, I scanned my PC with Malwarebytes too and it said it's clean from any init or fade exe.
>
> I recommend more programs since Malwarebytes didn't detect it. All it did is detect a "hijack.shallA.gen" and another one I knew about this before this thing even happened. I even uninstalled GTA 5 before this happened because I knew it was GTA 5 doing it, since every time I ran it, it would be detected by Malwarebytes, but it did not completely remove it. PLEASE go through the step by step removal guide in this main post and go here: http://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/ to remove ALL malware from your PC.
>
> Thanks

No problem! By the way, since some antivirus don't detect the virus, I recommend you this: http://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/

DennyFrontier Posted May 20, 2015

I followed the instructions thoroughly and I did not find a lot of the folders and files in the places they should have been... Is it possible I wasn't infected?

PotatoStorm Posted May 20, 2015

The virus could have easily self-nuked to get rid of any traces of it running on your system. As many people have said already, we do not know fully what the virus is capable of. Do not assume, just delete everything you found that OP told you to delete. Treat it as a full infection. If you are really unsure, change your password and format your system.

PacketOverload_x64bit Posted May 20, 2015

> Confirmed, noclip as well as Angry Planes are with malware. Fade.exe is a password stealer; change every password you have, including Steam.

This kind of malware, in community mods, is a definite downer. I have assets to protect, and never thought we'd see that from community mods in GTA. Everything is suspect now. Would be nice to have a mod site that actively checks ASIs and DLLs prior to publish as a result of this.

-Packet

demologik Posted May 20, 2015

I have a pirated version of GTA V and have been using Angry Planes since it came out.. But my PC shows zero sign of infection.. Is this limited to registered users who can access GTA Online perhaps?

MarshallRawR Posted May 20, 2015

> I have a pirated version of GTA V and have been using Angry Planes since it came out.. But my PC shows zero sign of infection.. Is this limited to registered users who can access GTA Online perhaps?

No it's not.

demologik Posted May 20, 2015

Well, guess I got lucky then. I was running Angry Planes 1.2, and have done a full and thorough search on my PC with Avira, Malwarebytes AntiMalware, CCleaner, and Hitman Pro.

aboutseven (Author) Posted May 20, 2015

> Well, guess I got lucky then. I was running Angry Planes 1.2, and have done a full and thorough search on my PC with Avira, Malwarebytes AntiMalware, CCleaner, and Hitman Pro.

There is a specific reason why I placed those things in the top of the OP with large colored font. Please read them.

demologik Posted May 20, 2015

> Well, guess I got lucky then. I was running Angry Planes 1.2, and have done a full and thorough search on my PC with Avira, Malwarebytes AntiMalware, CCleaner, and Hitman Pro.
>
> There is a specific reason why I placed those things in the top of the OP with large colored font. Please read them.

I have read them, along with the entire thread.. Which is why I want to know how some people are affected and some aren't.. I know this forum looks negatively on pirating, but there might be a connection between legit users being infected and non-legit users not being affected by it.. (BTW I've purchased GTA V 3 separate times already, so morally I don't feel bad about not buying it again..)

Jenia Posted May 20, 2015

Nobody said that though. What has been mostly said is that the actual system is a bit too lax and needs to be improved. The goal is not to scare people away, but to warn them. Besides "mods" is a very broad term. A texture pack is a mod, a sound pack is a mod. And correct me if I'm wrong, but a .rar archive with some sounds or textures in it sounds and looks infinitely safer than a compiled file like .asi that can basically do whatever the f*ck it wants on your computer. So to sum it up it's not about being paranoid about getting a virus from installing mods, it's being paranoid about installing something in .asi. I'm sure you can see the differences and why you can't make such comparisons and broad statements.

Asi, for an average user (like me or someone else) is opaque as f*ck. You don't know what's inside, and most of the time (except if you have some previous knowledge or you do some dedicated research like OP) you can't know what's inside. Plus, it could potentially do what it wants. There's a lot of implications with .asi, too many implications, and I don't think we can just rely on "trusting" modders to avoid getting infected. This is a recipe for disaster. That's honestly it.

Yes, you are saying that, in fact you wanted to label all ASI mods as unsafe. The system is fine, you run the same risks downloading an ASI mod as you do downloading anything else on the internet, ASI mods don't need to have some sort of warning sign because of this one recent incident.

Yeah, because these ASI's people are installing aren't actually mods.

Like I said, if you're paranoid about getting a virus from installing some type of mod, then you shouldn't be installing that type of mod. It's just like saying if you fell off your bike, never ride it again.

Unless you broke your neck

vicboh0413 Posted May 20, 2015

Good thing I haven't downloaded any sh*tty mods. (Those mods are sh*tty) I got AVG AntiVirus 2015 Full Paid Version (100% Legal version) and AVG PC Tuneup 2015 (100% legal version and paid). So f*ck those viruses maen

Silent Posted May 20, 2015

> Good thing I haven't downloaded any sh*tty mods. (Those mods are sh*tty) I got AVG AntiVirus 2015 Full Paid Version (100% Legal version) and AVG PC Tuneup 2015 (100% legal version and paid)

Cool! And?

PotatoStorm Posted May 20, 2015 (edited)

> Well, guess I got lucky then. I was running Angry Planes 1.2, and have done a full and thorough search on my PC with Avira, Malwarebytes AntiMalware, CCleaner, and Hitman Pro.
>
> There is a specific reason why I placed those things in the top of the OP with large colored font. Please read them.
>
> I have read them, along with the entire thread.. Which is why I want to know how some people are affected and some aren't.. I know this forum looks negatively on pirating, but there might be a connection between legit users being infected and non-legit users not being affected by it.. (BTW I've purchased GTA V 3 separate times already, so morally I don't feel bad about not buying it again..)

Just treat it as if there is an infection, unless you did not run it. It's better safe than sorry. Also, antiviruses are not reliable when it comes to this, as the mod merely downloads the malware, as such does not have any code that can actually be flagged as malicious.

mattiskungen Posted May 20, 2015

Hello. I did all the steps and successfully removed the virus from my computer. But for some reason, my computer freezes all the time and acts unusual. It keeps on being weird and slow. May the virus have messed with my computer settings? Please answer. Please, I beg someone. Answer. I want to know if format or nah.

TheSun Posted May 20, 2015

> Hello. I did all the steps and successfully removed the virus from my computer. But for some reason, my computer freezes all the time and acts unusual. It keeps on being weird and slow. May the virus have messed with my computer settings? Please answer. Please, I beg someone. Answer. I want to know if format or nah.

Same issue here. I noticed my laptop freezing at times, which is out of the ordinary, so... I ran all tests and malware removal scans and cleared all the files in the TEMP folder. However, when I was searching through the registry under Microsoft/Software under the key "fade" I found this. Is this anything I should be worried about? Thanks.

aboutseven (Author) Posted May 20, 2015 (edited)

> I have read them, along with the entire thread.. Which is why I want to know how some people are affected and some aren't.. I know this forum looks negatively on pirating, but there might be a connection between legit users being infected and non-legit users not being affected by it.. (BTW I've purchased GTA V 3 separate times already, so morally I don't feel bad about not buying it again..)

You say you have read them, but I've literally answered this right at the top. If you didn't find any files then don't assume you weren't affected. This is actually stated more than once in the OP. There is also no reason for there to be a different situation if you had a pirated copy. ScriptHook executes the asi files the same way on a pirated copy as a legit copy, there is no difference. If you ran the mods, and you know that you ran the mods, then you were infected. That is just how the mod worked. Once the game loads up, the mod is loaded by ScriptHook and executes its infection.

> However, when I was searching through the registry under Microsoft/Software under the key "fade" I found this. Is this anything I should be worried about? Thanks.

This is already stated as something you need to remove in the OP.

> Hello. I did all the steps and successfully removed the virus from my computer. But for some reason, my computer freezes all the time and acts unusual. It keeps on being weird and slow. May the virus have messed with my computer settings? Please answer. Please, I beg someone. Answer. I want to know if format or nah.

Formatting is all up to you. I haven't seen anyone saying anything about their computer slowing down. If the virus has been removed from the computer and there is nothing running in the background that is related to csc.exe, then it has to be something else slowing down your computer. The virus itself didn't use much resources to begin with, which is probably why no one noticed it for a while.

wes_g Posted May 20, 2015

I downloaded the mod on the 8th, ran it on the 12th or 13th, cannot remember. I went out of town on the 13th and came back on the 18th, and was told by a friend that it had horrible malware in Angry Planes; did not try the other one. Just scary! I'm not sure if it being turned off while the attacker's server was on, and then turning on my computer after that server had been taken down, makes it any less of a risk.

I did stop the csc.exe, cleared out the temp folders, hunted down all registry entries (though I did miss the one in HKEY_CURRENT_USER\Software\Microsoft\ because I had thought I already did that step; not sure if that reg entry alone can harm you, caught that part a bit late, though csc.exe did not run), and of course removed the mod. Ran Avast and Malwarebytes, all seemed good. Restarting the computer did not load csc.exe, nor did running GTA V. Changed all passwords, got a new debit card, logged out all active sessions.... God, what a pain in the arse! I have not seen any odd behavior or odd processes running. Would be great if they caught whoever did this, seriously.

The other mods I have are:

NativeTrainer
RiotMode
Endeavour
PedSuicide0.1a
GravityGun

richuf Posted May 20, 2015 (edited)

> However, when I was searching through the registry under Microsoft/Software under the key "fade" I found this. Is this anything I should be worried about? Thanks.
>
> This is already stated as something you need to remove in the OP.

I have this in my reg also but I can't find anything about in the OP.

OK, I have looked at a few different computers' registry, ones that are on a different network and no GTA and no mods, and they all have this, so it has nothing to do with this malware, so I wouldn't delete it.

demologik Posted May 21, 2015

> I have read them, along with the entire thread.. Which is why I want to know how some people are affected and some aren't.. I know this forum looks negatively on pirating, but there might be a connection between legit users being infected and non-legit users not being affected by it.. (BTW I've purchased GTA V 3 separate times already, so morally I don't feel bad about not buying it again..)
>
> You say you have read them, but I've literally answered this right at the top. If you didn't find any files then don't assume you weren't affected. This is actually stated more than once in the OP. There is also no reason for there to be a different situation if you had a pirated copy. ScriptHook executes the asi files the same way on a pirated copy as a legit copy, there is no difference. If you ran the mods, and you know that you ran the mods, then you were infected. That is just how the mod worked. Once the game loads up, the mod is loaded by ScriptHook and executes its infection.

Except that when I run GTA V my internet isn't connected.

PotatoStorm Posted May 21, 2015

Running the game without internet (you are not connected to any wifi, router or data network) may have caused you to break the trojan, which needed internet access. Idk, it might be possible. Someone test this out pls