
Malware inside Angry Planes & Noclip Mod


aboutseven


aboutseven

 

 

However, when I was searching through the registry under Microsoft/Software, under the key "fade", I found this. Is this anything I should be worried about?

 


 

Thanks.

 

This is already stated as something you need to remove in the OP.

 

I have this in my registry also, but I can't find anything about it in the OP.

OK, I have looked at a few different computers' registries, ones that are on a different network with no GTA and no mods, and they all have this.

So it has nothing to do with this malware.

So I wouldn't delete it.

 

I didn't realize you were just searching for "fade", I thought that this was what was located in the "Fade" directory at that registry location. My bad.


TheMuffinManOP

 

 

 

I have read them, along with the entire thread.. Which is why I want to know how some people are affected and some aren't.. I know this forum looks negatively on pirating, but there might be a connection between legit users being infected and non-legit users not being affected by it.. (BTW I've purchased GTA V 3 separate times already, so morally I don't feel bad about not buying it again..)

You say you have read them, but I've literally answered this right at the top. If you didn't find any files then don't assume you weren't affected. This is actually stated more than once in the OP.

There is also no reason for there to be a different situation if you had a pirated copy. ScriptHook executes the asi files the same way on a pirated copy as a legit copy, there is no difference. If you ran the mods, and you know that you ran the mods, then you were infected. That is just how the mod worked. Once the game loads up, the mod is loaded by ScriptHook and executes its infection.

 

Except that when I run GTA V my internet isn't connected.

 

 

Running the game without internet (you are not connected to any wifi, router or data network) may have caused you to break the trojan, which needed internet access. Idk, it might be possible. Someone test this out pls

 

Seems weird. Maybe the virus does not work at all and does not even install anything without internet. Test this out, guys, and see what you find. This may be a workaround for some people: instead of them saying "I am not infected with it, there are no files here", try to remember if you were connected to the internet. If you weren't, you might just be in luck. Maybe they were not connected to the internet? :/


MarshallRawR

I deleted Fade a while back from my registry, but this was still present as a sort of "reg backup".
I hope it did nothing.


 

Edited by MarshallRawR

So I finally got around to reinstalling GTAV after I got the virus from the noclip mod. This time, I am keeping my game directory squeaky-clean and free of mods, so I can play online. Before I found out I was infected and before I reformatted, I was unable to revert my game to vanilla in order to play online, and it was making me extremely frustrated. I had installed too many mods with OpenIV and -- even though I had backed up all my .rpf files and restored them all -- I just could not get online, try time after time. Rockstar kept saying my files were corrupted. I definitely still did want to mod, but I felt like I really needed to find some way to have two entirely separate installations/game folders (if I ever wanted to use OpenIV and still be able to play Online again). Then I discovered Sandboxie: it turns out that, using Sandboxie, I can switch back and forth between the modded and vanilla game with only one installation while also keeping the modded installation from making any permanent changes to my computer. The free version of Sandboxie allows you to run the game entirely within something called a sandbox, where it is isolated from the rest of the computer. Here's an explanation:

http://www.techsupportalert.com/content/introduction-and-quick-guide-sandboxie.htm

I just used a sandboxed version of Windows Explorer to move my ASI scripthook+mods to the sandboxed version of the game directory. I also use OpenIV to make changes to some of the game's RPF files (to change stuff like car handling, police dispatch and weapons ballistics), and I installed some graphics mods and more. You can just run modded GTAV straight out of that sandbox, entirely encapsulated within Sandboxie processes/sub-processes, and totally unable to write to your drive outside of the symbolic virtual sandbox directory that it is confined to.

If you look at the files actually in the sandbox, it's just recording the modified and unique files you've made within the sandbox itself; everything else - all files duplicated and moved around from within the sandbox - is just symbolic links referencing the locations of the original files outside the sandbox. My GTAV folder within my sandbox is only 300MB (the size of my modified update.rpf) because all the asi mods I installed in the sandbox directory are just symlinks to the actual files in the real "mods" directory.

And it runs great! I have an AMD FX-8320 CPU and a Nvidia Geforce GTX 680 and I've noticed zero performance penalty. Sh*t's amazing. Running Windows 8.1.

But yeah, I just wanted to let it be known that this does work without slowdowns/errors, for those out there who aren't modding GTAV anymore because they are scared of the inherently insecure nature of the ASI scripthook. A sandbox will protect you from that. Here, you can have two versions of one 60GB installation: one modded and one left untouched - and the modded installation is all in a virtual throwaway sandbox in which it can be played, where a mod cannot give you a virus even if it tried. Fade.exe would have been created within Sandboxie's locked-down "Defaultbox" directory if I'd tried the infected mods from Sandboxie, where it couldn't affect anything that wasn't also running in the sandbox.

The pic below shows a Sandboxie-instance of Windows Explorer on the left (notice the [#] signs), showing the contents of the modded game folder. Sandboxed-Grand Theft Auto V is running minimized in the background, and you can see its processes running in the Sandboxie Control in the center. Underneath that is a sandboxed-version of OpenIV, ready to edit sandboxed rpf files. And on the right side is my real game directory in un-sandboxed Explorer:




I could technically even launch both the sandboxed version and the normal version of the game at the same time (I hear people do this to play Borderlands 2 split-screen), but my computer would probably explode if it were GTA5. I am running everything from the regular Sandboxie "Defaultbox" (with its files set to never auto-purge), but I could create a GTA5-specific sandbox separate from Defaultbox if I wanted.

 

PS: Sorry if people already all know about this, I just think it's amazing that it even works at all for such a complex game as GTAV, and that it solves all these risks with unsigned ASI mods while simultaneously eliminating issues about going from modded->vanilla/online mode, all in one fell swoop. And I'm not trying to shill Sandboxie, either (though I'm aware how much it probably looks like it). The free version is all you need to do this (plus there seem to be no sandbox alternatives for Windows). The paid version offers a few minor benefits, but nothing major. Anyway, I hope someone finds this post useful.


Executor32

I deleted Fade a while back from my registry, but this was still present as a sort of "reg backup".

I hope it did nothing.

 


 

That has nothing to do with this virus at all. That value name is just a hexadecimal number that happens to include the digits f (15), a (10), d (13), and e (14), in that order. I don't know what it actually pertains to, but it's generally not a good idea to go around deleting registry entries without being absolutely sure of what they are.


 

So I'm going through the basics of IDA and the relevant tutorials on YouTube. In one of them, it says that you can see the imports and what they use, like networking.

 

Now I have no idea what ASI files need or how they work when they download viruses. But did Angry Planes mod need that import and would it show up on IDA?

 

No, it used GetProcAddress and LoadLibrary which is a dynamic alternative to standard imports. I checked them too when I analysed them and noticed no internet related imports. It was not until I dug into the code and decrypted the strings that it became obvious what was really happening.

 

 

So where did the fade come from? Was it in the script itself?
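The reply above explains why a static import listing showed nothing network-related: the APIs were resolved at run time through LoadLibrary/GetProcAddress, and their names only appeared after the strings were decrypted. The following is an added analyst-side example, not code from the thread, the mod, or the tools mentioned: it runs a strings pass over a constructed byte blob that mimics that pattern (plaintext loader APIs, no plaintext network APIs), then brute-forces single-byte XOR to recover the hidden names. The sample bytes, the key 0x5A and the API-name list are assumptions for illustration.

```python
import re
from typing import Dict, List, Set

# API names whose presence would point at network activity (assumed watch list).
NETWORK_API_NAMES: Set[str] = {"WSAStartup", "InternetOpenA", "URLDownloadToFileA",
                               "connect", "send", "recv"}

# Constructed sample blob, not the real mod binary: the loader APIs are in the clear,
# the network-related names are stored XOR-encoded with a single byte key.
_SAMPLE_KEY = 0x5A
SAMPLE = (b"\x00" * 4
          + b"KERNEL32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
          + bytes(c ^ _SAMPLE_KEY for c in b"WININET.dll\x00InternetOpenA\x00URLDownloadToFileA\x00")
          + b"\x00" * 4)


def ascii_strings(blob: bytes, min_len: int = 5) -> List[str]:
    """Equivalent of a basic `strings` pass: printable ASCII runs of min_len or more."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def xor_brute(blob: bytes, needles: Set[str]) -> Dict[int, List[str]]:
    """Try every single-byte key and keep the keys under which known API names appear."""
    hits: Dict[int, List[str]] = {}
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in blob)
        found = [s for s in ascii_strings(decoded) if s in needles]
        if found:
            hits[key] = found
    return hits


def triage(blob: bytes) -> dict:
    """Summarise what a static pass shows versus what string recovery exposes."""
    plain = ascii_strings(blob)
    return {
        # Both loader APIs in the clear: the binary can resolve anything at run time.
        "dynamic_resolution": {"LoadLibraryA", "GetProcAddress"} <= set(plain),
        # What an import/strings listing would show for network APIs (here: nothing).
        "plaintext_network_apis": sorted(s for s in plain if s in NETWORK_API_NAMES),
        # Keys under which obfuscated network API names become visible.
        "xor_recovered": xor_brute(blob, NETWORK_API_NAMES),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The point for triage is the gap between the first two fields and the third: an empty network-API list next to present loader APIs is a reason to look deeper, not a clean bill of health.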


iAmCrunchy1

Does anyone have a YouTube tutorial video? I'm not a tech guy, so I'm having a lot of trouble following the steps. When I tried looking for "Shell" I did not find it.

Edited by iAmCrunchy1

TheMuffinManOP

Does anyone have a YouTube tutorial video? I'm not a tech guy, so I'm having a lot of trouble following the steps. When I tried looking for "Shell" I did not find it.

 

Just do what it says step by step. Also, if you want to try and see if this can remove it, then try this official post on how to remove malware: http://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/

 

Although if this does not remove it all, do not look at me; this is just a helpful post I found on how to remove malware. Hopefully this helps :)


IT'S BETTER TO BAN THE AUTHOR OF SUCH MODS BY THE MODDING COMMUNITIES!

It'd be better if you didn't post that.


ALERT!!!

https://twitter.com/Yan2295/status/603286101252546561

Read the entire conversation, it seems there are new infected modifications!

Can't confirm it 100%, but stay cautious.

 

Please don't spread false alarm; currently there is no proof or even suspicion behind the mods distributing malware - the Grappling Hook mod is completely clean, the Spiderman mod is an OpenIV mod and the source code of The Flash mod is clean - just investigating.

 

Problem with ASI container is there is no way (afaik) to decompile it.

Edited by Jakee.

TheMuffinManOP

 

ALERT!!!

https://twitter.com/Yan2295/status/603286101252546561

Read the entire conversation, it seems there are new infected modifications!

Can't confirm it 100%, but stay cautious.

 

Please don't spread false alarm; currently there is no proof or even suspicion behind the mods distributing malware - the Grappling Hook mod is completely clean, the Spiderman mod is an OpenIV mod and the source code of The Flash mod is clean - just investigating.

 

Problem with ASI container is there is no way (afaik) to decompile it.

 

 

* THIS could be false, a troll, OR he got the malware from somewhere else and not these 3 mods * BUT there could be malware in even more mods, guys. Just because we found 2 does not mean the f*ckers who did this won't do it again. I myself have not even reinstalled GTA 5 since this whole thing happened; it completely ruined everything for me. I have a feeling there are still a couple of mods out there, and that Twitter post kinda confirms there is at least 1 more mod with malware, and so far it is one of the 3 this guy (in the Twitter post) has. Be careful guys... ( read the comments under the tweet to see what we are talking about )


"The Mods were Just Cause 2 Grappling Hook, The Flash Mod, and the Spider-Man skin." These are the mods he installed. If you have these mods <-- and the Noclip or Angry Planes, please uninstall and follow the steps that the original post says (page 1 at the top, step-by-step guide). Do not panic, chill out, follow the steps and get it uninstalled; change important passwords too. * This could be a false positive, but these are the mods that the guy said he had installed ** Mods that could possibly have malware are Just Cause 2 Grappling Hook, The Flash Mod, and the Spider-Man skin. One or all of these could have malware. The Noclip and Angry Planes mods (as everyone knows) have 100% confirmed malware. Follow this guide also to remove all malware if the main post did not work: http://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/

 

last time I am saying this..

Edited by TheMuffinManOP

I think i found out where the hacker lives

I forgot to change my facebook password and he tried to access my account

Facebook say he logged in here

Login near Bend, OR, United States from Firefox for Windows 7 (May 21 at 1:12am)


cadeharrison

 


 

 

Just found these files in my temp folder, should I be worried?


Is this the result of the keylogger found in Angryplanes and Noclip?

 

http://www.reddit.com/r/GrandTheftAutoV_PC/comments/37llv4/new_ban_wave/

 

According to one of the posters many users are receiving this response from Rockstar

"Sorry to hear that you are having a problem logging into GTAV for PC. We investigated your account and determined that GTAV login access was suspended because your Social Club login credentials were shared across a large number of computers. Please note that sharing your login credentials with others is a violation of the EULA and can result in permanent termination of your Social Club account and associated Rockstar Games"


A mod is clean when other people have no issues with it.

Why would someone do this anyway? What will he earn by stealing passwords?


A mod is clean when other people have no issues with it.

 

Why would someone do this anyway? What will he earn by stealing passwords?

Bank accounts, for example?


Its author doesn't look suspicious but, well, you can't trust anyone in this world.

 

I had mods from this author before, and had no virus until noclip. I scanned the file from this trainer and it didn't show any risk. But I'm not 100% safe D:


 

could someone possibly toss me the exe? I want to do some research into it.

> implying you can do RE

 

> being this much of a retard and greentext/redtext somewhere that is not 4chan/8chan/lainchan


Edited by Guest
