Malware inside Angry Planes & Noclip Mod

[MarshallRawR]

yeah a highly respected veteran whithin the modding community decided to go out of his way and put a virus on the website that makes him alot of money

 

no rappo did not please never say that again

 

I personally don't know the owner.

Don't worry, I'm not directly accusing anyone, so far only the creator of those mods is on top of the list.

[FlyingAce]

noentiendero thanks for checking and telling us your results though

[Drkz]

Who knows, maybe whoever owns GTA5-Mods.com is putting all those malwares.

 

Hahaha. No.

[rappo]

 

yeah a highly respected veteran whithin the modding community decided to go out of his way and put a virus on the website that makes him alot of money

 

no rappo did not please never say that again

 

I personally don't know the owner.

Don't worry, I'm not directly accusing anyone, so far only the creator of those mods is on top of the list.

 

Nice to meet you!

 

No, it wasn't me, and this whole thing makes me very sad.

 

Silent, can you please let me know how you're checking the .asi files for integrity? Is the only way to run them?

[lipskamafia]

I used noclip and angry planes mod .

 

my antivirus didnt notice any virus or other stuff

 

so what's the best way to check if we're infected? the regedit and malwarebytes scan?

 

edit : i got this in winlogon is it ok?

Edited May 14, 2015 by lipskamafia

[MarshallRawR]

Nice to meet you!

 

No, it wasn't me, and this whole thing makes me very sad.

 

Seeing other's people opinion on you, I'm pretty sure that's not you.

You know, it's never fun to get all of your passwords stolen, especially when there are sensible

information involved (such as my credit card on a few websites, and the money on my account is used to pay my rents, and I don't got a lot of it).

Anyways, I can also understand that it is bad for you too as it might (and probably will) attract some bad publicity.

Sorry if you felt accused in any way, I just threw this in there.

 

I used noclip and angry planes mod .

 

my antivirus didnt notice any virus or other stuff

 

so what's the best way to check if we're infected? the regedit and malwarebytes scan?

 

My antivirus (ESET) picked the .exe by itself after a little while.

Check the TEMP folders to see if you have any of those files.

Edited May 14, 2015 by MarshallRawR

[Silent]

Silent, can you please let me know how you're checking the .asi files for integrity? Is the only way to run them?

Pure guesswork with the disassembly. If the code was released after the compilation, I would expect it to be somewhere near the end of the code section, whereas it's clearly in the middle of legit code:

 

 

Since the ASI still has 0 hits on virustotal, I dooubt there is a reliable way to auto check for such cases without becoming an antiviruxs And no, I didn't launch the code and I don't plan to.

[Wayno717]

I noticed that in the root of the GTA 5, in the x64 folder their is a file called GTA5.exe with the same icon as the fade.exe program. I removed it and validated all the files and found that that wasn't included with the base GTA game. I do believe that was part of the Fade malware so i would recommend removing it

[Drkz]

 

 

yeah a highly respected veteran whithin the modding community decided to go out of his way and put a virus on the website that makes him alot of money

 

no rappo did not please never say that again

 

I personally don't know the owner.

Don't worry, I'm not directly accusing anyone, so far only the creator of those mods is on top of the list.

 

Nice to meet you!

 

No, it wasn't me, and this whole thing makes me very sad.

 

Silent, can you please let me know how you're checking the .asi files for integrity? Is the only way to run them?

 

 

Hey rappo since you're here, it would be great if you could add a way for users to download an older / alternate version of your mod without having to recreate brand new modpage for it. Similar to what the nexus is doing.

 

Anyway, i know you guys are working hard so thanks for gta5-mods.

Edited May 14, 2015 by Drkz

[TheFlareEntercounter]

What a sh*tty day for GTA modding, I just hope this won't discourage people from modding the game.

 

 

*disassembly program*

Silent, what disassembly program is that? Edited May 14, 2015 by TheFlareEntercounter

[rappo]

 

Silent, can you please let me know how you're checking the .asi files for integrity? Is the only way to run them?

Pure guesswork with the disassembly. If the code was released after the compilation, I would expect it to be somewhere near the end of the code section, whereas it's clearly in the middle of legit code:

 

[image]

 

Since the ASI still has 0 hits on virustotal, I dooubt there is a reliable way to auto check for such cases without becoming an antiviruxs And no, I didn't launch the code and I don't plan to.

 

Thanks! It's clear that our community is under a bit of an attack here. I'll be sure to seriously scrutinize compiled scripts from unrecognized names.

[TJGM]

What a sh*tty day for GTA modding, good thing I don't have any of these mods installed.

 

*disassembly program*

Silent, what disassembly program is that?

 

IDA.

[sasuke78200]

 

Who knows, maybe whoever owns GTA5-Mods.com is putting all those malwares.

yeah a highly respected veteran whithin the modding community decided to go out of his way and put a virus on the website that makes him alot of money

 

no rappo did not please never say that again

 

 

 

The way the code is infecting the PC means that it was added by the mod developper, I'm 100% sure about that. GTA5 Mods has nothing to do with this. (I'm not one of their friends, I don't know them).

Edited May 14, 2015 by sasuke78200

[Silent]

Silent, can you please let me know how you're checking the .asi files for integrity? Is the only way to run them?

Same with the strings actually, it makes so little sense to be bundled post-compilation. OR the malware maker is VERY experienced, but then he wouldn't target GTA, right? I'm rather expecting this is some open source proof-of-concept malware.

 

 

 

 

Silent, what disassembly program is that?

IDA 6.6

[nplaim]

 

Maybe that'll help, sent sh*t for analysis.

[LoneMerc]

Since this is a bad thing, anyone want an unlimited use malwarebytes premium code?

 

Lord I would love one around about now! All my AV's are free xD

 

I did notice this actually, fade.exe appearing and deleted it myself but I guess that was too late.

 

I oddly though had my free version of Avast pick up that GTA5.exe inside the steam folder for GTA /x64 has another GTA5.exe that was picked up as malware. Can anyone check their own steam GTA V folder and tell me if they too find a GTA5.exe inside x64 that is a virus? I had this deleted too when I found it for caution!

 

 

Oh well, I was going to reinstall windows the other day anyway... Better get around to that now + change my passwords! I too auto-save all my own Pws but according to previous posts, nobody truly knows if it's stole them locally from the SSD. Twats!

Edited May 14, 2015 by LoneMerc

[MR.GREY]

thank God i Didn't install this mods....lol

[TJGM]

To the guy who keeps mentioning he has a pirated version of GTA V, stop. We don't allow piracy here and that's why your posts are being removed.

[jippa_lippa]

PLEASE ANSWER, IF YOU CAN!

I don't want to take any chances, i'm not even going to check for the virus...i'm formatting my SSD and changing the passwords on an other PC.

I only have 2 important questions:

 

1- Is this virus capable of remaining in the hard disk (SSD) even after complete formatting? I know some viruses can

2- If that's the case, can the virus spread to other drives in the computer.

 

Anyway i find all the thread confusing.

If i wanted to check if i'm infected (for curiosity), how can i do it?

I have avast, but i can install an other antivirus if needed.

Thanks...i'm freaking out...really worried!!!!!!!!

Edited May 14, 2015 by jippa_lippa

[Op1e]

Well this suck, no one will trust modders anymore.

[iOnlyEatCops]

Wow this is messed up. Found this in my registry. How do I delete the shell and the userinit correctly?

 

[Link2012]

Prehaps it's time for OpenIV to be open source.

[MarshallRawR]

--pic--

 

Maybe that'll help, sent sh*t for analysis.

 

Huh, you have a dat[1].jpg and I had a dat[1].bin

Still no traces of that init..exe here.

 

EDIT:

I wonder if there is any way to analyze those

Edited May 14, 2015 by MarshallRawR

[ZZCOOL]

PLEASE ANSWER, IF YOU CAN!

I don't want to take any chances, i'm not even going to check for the virus...i'm formatting my SSD and changing the passwords on an other PC.

I only have 2 important questions:

 

1- Is this virus capable of remaining in the hard disk (SSD) even after complete formatting? I know some viruses can

2- If that's the case, can the virus spread to other drives in the computer.

 

Anyway i find all the thread confusing.

If i wanted to check if i'm infected (for curiosity), how can i do it?

I have avast, but i can install an other antivirus if needed.

Thanks...i'm freaking out...really worried!!!!!!!!

you can be absolutely sure that formating is going to erase it

[iOnlyEatCops]

Wow this is messed up. Found this in my registry. How do I delete the shell and the userinit correctly?

 

 

Any help? Is right clicking and pressing delete good?

[jippa_lippa]

 

PLEASE ANSWER, IF YOU CAN!

I don't want to take any chances, i'm not even going to check for the virus...i'm formatting my SSD and changing the passwords on an other PC.

I only have 2 important questions:

 

1- Is this virus capable of remaining in the hard disk (SSD) even after complete formatting? I know some viruses can

2- If that's the case, can the virus spread to other drives in the computer.

 

Anyway i find all the thread confusing.

If i wanted to check if i'm infected (for curiosity), how can i do it?

I have avast, but i can install an other antivirus if needed.

Thanks...i'm freaking out...really worried!!!!!!!!

you can be absolutely sure that formating is going to erase it

 

 

Ok thanks.

How to check for its presence?

Need to imput some special type of scan to my antivirus?

I also heard you can check for the fade.exe and others on your own, but how?

Simply using the "SEARCH" feature in windows?

 

Also last question. Can i move some files from documents (GTA V SAVEGAMES) to an other drive without transporting the virus.

I know...i'm a virus n00b but i'm super anxious right now :S

[Driver333]

Is it possible that this malware was only added in later versions of the script? As I have the first release version and I can find no trace of the fade.exe, the game doesn't start in windowed mode, there is no csc.exe running in the background and there is no trace of the added "shell" that linked to it, as the op posted

 

 

So is it possible this was added in a later version? I never had the noclip mod installed so i cant say for that. But i run the game right after i read this to make sure that it wasnt running in the background and I've had it installed and running for a few weeks now

[BS_BlackScout]

@iOnlyEatCops

 

You aren't supposed to remove userinit.exe from Registry.

https://technet.microsoft.com/en-us/library/cc939862.aspx

 

I also suggest people to take care when deleting anything from Registry, you can harm Windows if you don't know exactly what you are messing with.

Edited May 14, 2015 by TrustedInstaller

[Aerion]

PLEASE ANSWER, IF YOU CAN!

I don't want to take any chances, i'm not even going to check for the virus...i'm formatting my SSD and changing the passwords on an other PC.

I only have 2 important questions:

 

1- Is this virus capable of remaining in the hard disk (SSD) even after complete formatting? I know some viruses can

not this one, it's "made" when you run gta5 with the asi, doesn't exist otherwise, and doesn't pop up again (to anyone's knowledge) if you delete it

2- If that's the case, can the virus spread to other drives in the computer.

 

Anyway i find all the thread confusing.

If i wanted to check if i'm infected (for curiosity), how can i do it?

I have avast, but i can install an other antivirus if needed.

Thanks...i'm freaking out...really worried!!!!!!!!

So, can someone please answer 2 questions for me?

• how many of the people with a verified infection use some sort of mod "manager" or "installer"? (longshot, I know, had to try)

• why exactly do .asi have so much power? why can they access my PC outside the game folder or running memory without express admin permissions? and why use this format as a default for the script injector instead of something that can be verified by the layman?

Edited May 14, 2015 by Aerion

[zJordan]

Running a scan with 360 Total Security which uses five different engines 360 Cloud Scan Engine, 360 QVMII AI Engine, Avira and Bitdefender.

 

I seem clean from my registry and local temp files but running a full scan to make sure. I don't recall using Angry Planes or NoClip. This has admittedly made me way more cautious of non-OpenIV mods.