iOnlyEatCops Posted May 14, 2015

Is my registry good then? I had fade in my temp which I just deleted everything out of. Going to change my passwords but it looks like it's a keylogger so I don't think it stole your password if you didn't type them out and was already logged in.

Alexander Blade Posted May 14, 2015

Look here HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon if nothing there points to temp folder then you are clean

Edited May 14, 2015 by Alexander Blade

lewistair1 Posted May 14, 2015

what should i do if i deleted the userinit register entry?

jippa_lippa Posted May 14, 2015

UPDATE! My Avast has "fade.exe" in what it calls "Virus Chest", Does it mean the virus was blocked completely? I'm still formatting, just to be sure, but it would be better to know no information has been leaked from my PC. Good boy avast

Edited May 14, 2015 by jippa_lippa

ckck Posted May 14, 2015

> Was someone using us to get more visitors to their Twitch page?

No, it appears he was attacking that person's stream and DDoS'ing them. I can't say for sure however, I'm only certain those modules were activated with those targets for the twitch and udp flood.

Igor Bogdanoff Posted May 14, 2015

> Look here HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon if nothing there points to temp folder then you are clean

Does AV delete string from that virus or only exe&bin?

Edited May 14, 2015 by Tomasak

ckck Posted May 14, 2015

7656119

That is the Steam ID configured in the Steam inventory stealing module. Probably the person who has control over the trojan.

BS_BlackScout Posted May 14, 2015

@lewistair1 Put it back perhaps, or just see if nothing is broke. I don't have this REG_SZ here, so IDK.

Edited May 14, 2015 by TrustedInstaller

Silent Posted May 14, 2015

> Fellas, regarding the NOCLIP MOD only (i didn't use the other one) something doesn't feel right. Is the mod ITSELF infected or is there a chance only the one uploaded to GTA5 MODS being infected? I downloaded mine from here: www.gtaall.com/gta-5/mods/60829-noclip.html And i don't have any "fade.exe" in my temp folder By the way i'm super pissed, because the noclip mod is actually very useful for recording videos!!! Might we see it one day in the Official Native Trainer?

Interesting! This one is also infected, albeit with a different flavour of the malware! This one downloads GTA5.exe from the internet and executes it. Thus, INFECTED.

Alexander Blade Posted May 14, 2015

Add it, just don't restart your windows til you do

> what should i do if i deleted the userinit register entry?

Depends on AV, it should

>> Look here HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon if nothing there points to temp folder then you are clean
>
> Does AV delete string from that virus or only exe&bin?

Igor Bogdanoff Posted May 14, 2015

http://steamcommunity.com/id/7656119Denmark.

iOnlyEatCops Posted May 14, 2015

> Look here HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon if nothing there points to temp folder then you are clean

What if it does? Do you just delete the Shell?

ckck Posted May 14, 2015

> Is my registry good then? I had fade in my temp which I just deleted everything out of. Going to change my passwords but it looks like it's a keylogger so I don't think it stole your password if you didn't type them out and was already logged in.

It also steals cookies from your browser. It's possible to hijack your existing/logged in session using these cookies. You should still change your passwords and make sure to deauthorize/log out any existing sessions. Facebook and others will allow you to do this on the same page where you change your password.

Igor Bogdanoff Posted May 14, 2015

He seems to be either complete idiot or want to destroy someone.

Zeynohh Posted May 14, 2015

Is Welsh's menu and noclip with controller support clean? (The noclip with controller support that was made by Mafins.)

lewistair1 Posted May 14, 2015

> Add it, just don't restart your windows til you do
>
>> what should i do if i deleted the userinit register entry?

How do i add it back? Sorry if i have no idea what to do

Falenone Posted May 14, 2015

> Look here HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon if nothing there points to temp folder then you are clean

This should be clean registry for that location. Didn't find any trace of "fade" anywhere in registry nor temp or anywhere else in my hard drive.

Edited May 14, 2015 by Falenone

Dock Posted May 14, 2015

I also found something else called "LEEP.exe" after checking Winlogon through HKEY CURRENT USER. Was in the APPDATA>ROAMING folder.

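The check Alexander Blade describes, extended to the roaming AppData folder Dock reports, as an added Python example that is not code from anyone in this thread: it lists string values under the HKCU Winlogon key whose program path sits in a per-user writable folder. The user name `alice`, the sample value data and the helper names are constructed for illustration; `fade.exe` and `LEEP.exe` are the file names mentioned in the thread.

```python
import ntpath
import os
import re

WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

def expand(data, env):
    """Expand %VAR% references from an explicit environment mapping."""
    lookup = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).upper(), m.group(0)), data)

def watched_dirs(env):
    """Per-user writable folders named in the thread: temp and roaming AppData."""
    dirs = (env.get(name) for name in ("TEMP", "TMP", "APPDATA"))
    return sorted({ntpath.normcase(ntpath.normpath(d)) for d in dirs if d})

def flag_values(values, env):
    """Return (value name, command) pairs that start inside a watched folder."""
    hits = []
    for name, data in values.items():
        if not isinstance(data, str):
            continue  # DWORD/binary values cannot name a program
        # Shell and Userinit may hold several comma-separated commands.
        for part in expand(data, env).split(","):
            command = part.strip().strip('"')
            norm = ntpath.normcase(ntpath.normpath(command)) if command else ""
            if any(norm.startswith(d + "\\") for d in watched_dirs(env)):
                hits.append((name, command))
    return hits

def read_hkcu_winlogon():
    """Read all values of the HKCU Winlogon key (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, WINLOGON_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]
        return {n: d for n, d, _ in (winreg.EnumValue(key, i) for i in range(count))}

# Constructed sample (assumption): invented user "alice" and invented value data.
SAMPLE_ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp",
              "APPDATA": r"C:\Users\alice\AppData\Roaming"}
SAMPLE_VALUES = {
    "Shell": r"explorer.exe,%TEMP%\fade.exe",
    "Userinit": r'C:\Windows\system32\userinit.exe,"%APPDATA%\LEEP.exe"',
    "BuildNumber": 7601,
}

if __name__ == "__main__":
    live = os.name == "nt"
    values = read_hkcu_winlogon() if live else SAMPLE_VALUES
    for name, command in flag_values(values, os.environ if live else SAMPLE_ENV):
        print(f"suspicious {name}: {command}")
```

On Windows, running the file reads the live key, and no output corresponds to the "nothing there points to temp folder" condition. If `%TEMP%` is set in 8.3 short form, this prefix comparison will not match a long-form path in the registry.
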
ckck Posted May 14, 2015 Share Posted May 14, 2015 Here is a sample of what the keylogged collects. Obviously redacted some information. [Log started at X/X/XXXX X:XX:XX PM UTC] === Grand Theft Auto V @ X:XX PM ==== <Subtract><Subtract><Subtract><Subtract><Subtract><Subtract><Subtract><Subtract><Subtract><Subtract><Subtract><Subtract> w<SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT>DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD</SHIFT><F5>wwaaaaaaaaaaaaaaaaaaaaaaaaaaa<SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT></SHIFT> <SHIFT> </SHIFT><SHIFT> AAAAAAAAAAAA</SHIFT>sddddddddddddddddddddddawwwwwwwwwwwwwwwwwwwww<SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT></SHIFT><F5>wa<SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT><SHIFT> === Task Switching @ x:xx PM ==== === XXXX.ini - Notepad @ X:XX PM ==== <WIN>l === 
New Tab - Google Chrome @ X:XX PM ==== BS_BlackScout 1 Link to comment https://gtaforums.com/topic/794383-malware-inside-angry-planes-noclip-mod/page/8/#findComment-1067465447 Share on other sites More sharing options...
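A parser for the log layout shown in ckck's sample, added here as an example and not code from the thread or from the malware: it groups key events by window so a victim reviewing a recovered log can see where typed text was captured and which credentials to rotate first. The sample log is constructed in the same layout, and the header and key-name patterns are assumptions inferred from that one sample.

```python
import re
from itertools import groupby

# Section header as in the posted sample: "=== <window title> @ <time> ===="
HEADER = re.compile(r"=== (.+?) @ (\S+ [AP]M) ====")
# A key event is a bracketed key name (<SHIFT>, </SHIFT>, <F5>) or one character.
# Assumption: a typed "<word>" is indistinguishable from a key name in this format.
TOKEN = re.compile(r"</?\w+>|.")

def parse_keylog(text):
    """Split a log into per-window sections with run-length-collapsed key events."""
    pieces = HEADER.split(text)  # [preamble, title, time, body, title, time, body, ...]
    sections = []
    for i in range(1, len(pieces), 3):
        title, when, body = pieces[i:i + 3]
        tokens = TOKEN.findall(body.strip().replace("\n", ""))
        sections.append({
            "window": title,
            "time": when,
            "events": len(tokens),
            # Held keys repeat many times; collapse them to (key, count).
            "runs": [(key, len(list(group))) for key, group in groupby(tokens)],
            # Literal characters only: the text captured in this window.
            "typed": "".join(t for t in tokens if len(t) == 1),
        })
    return sections

def windows_with_typed_text(sections):
    """Windows where characters were captured, so typed secrets may be exposed."""
    return [s["window"] for s in sections if s["typed"].strip()]

# Constructed sample in the layout of the posted log; not data from the thread.
SAMPLE = (
    "[Log started at X/X/XXXX X:XX:XX PM UTC]\n"
    "=== Grand Theft Auto V @ X:XX PM ====\n"
    "<Subtract><Subtract>w<SHIFT><SHIFT><SHIFT>DD</SHIFT><F5>wwaaa\n"
    "=== Task Switching @ x:xx PM ====\n"
    "=== Sign in - Google Chrome @ X:XX PM ====\n"
    "<SHIFT>P</SHIFT>assw0rd\n"
)

if __name__ == "__main__":
    for section in parse_keylog(SAMPLE):
        print(section["window"], section["events"], repr(section["typed"]))
```
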
ZZCOOL Posted May 14, 2015

>> Is my registry good then? I had fade in my temp which I just deleted everything out of. Going to change my passwords but it looks like it's a keylogger so I don't think it stole your password if you didn't type them out and was already logged in.
>
> It also steals cookies from your browser. It's possible to hijack your existing/logged in session using these cookies. You should still change your passwords and make sure to deauthorize/log out any existing sessions. Facebook and others will allow you to do this on the same page where you change your password.

i think i speak for everyone when i say thank you for taking your time to help so many it is appreciated by many thank you as for sessions no off sessions for me seems things are fine on my side

Zeynohh Posted May 14, 2015

I'm just going to format, f*ck it.

Dock Posted May 14, 2015

I also found something else called "LEEP.exe" after checking Winlogon through HKEY CURRENT USER. Was in the APPDATA>ROAMING folder.

ZZCOOL Posted May 14, 2015

> Im just going to format, f*ck it.

at this moment i wish i had a dvd drive lol only time i actually need one why can't windows release on usb sticks or be cloud downloaded with settings and everything

jihadijohn Posted May 14, 2015

deleted everything out of my temp folder, but found this in my registry, wat do?

TTKRickJames Posted May 14, 2015

> Since this is a bad thing, anyone want an unlimited use malwarebytes premium code?

Yes. Please, and thank you. ID: 8AS27 KEY: 5PBM-8AJPW27J-P3B8 Thanks again. You Rock! Unlike this malicious modder. Thanks also to the community for looking out for us.

Drkz Posted May 14, 2015

> Im just going to format, f*ck it.

Implying you already got rid of the mod itself, the registry entry and the temp folder, formatting will not help with anything whatsoever. You will just waste some time. Like ckck said at this stage the only thing you could do is making sure you changed your passwords and sh*t like that.

Edited May 14, 2015 by Drkz

jippa_lippa Posted May 14, 2015

>> Fellas, regarding the NOCLIP MOD only (i didn't use the other one) something doesn't feel right. Is the mod ITSELF infected or is there a chance only the one uploaded to GTA5 MODS being infected? I downloaded mine from here: www.gtaall.com/gta-5/mods/60829-noclip.html And i don't have any "fade.exe" in my temp folder By the way i'm super pissed, because the noclip mod is actually very useful for recording videos!!! Might we see it one day in the Official Native Trainer?
>
> Interesting! This one is also infected, albeit with a different flavour of the malware! This one downloads GTA5.exe from the internet and executes it. Thus, INFECTED.

True. And that explains why my Avast "Virus Chest" (basically quarantine) has a lot of "GTA V.exe" alongside the "Fade.exe". I have the original game, so i couldn't figure out what was it

LoneMerc Posted May 14, 2015

>> Fellas, regarding the NOCLIP MOD only (i didn't use the other one) something doesn't feel right. Is the mod ITSELF infected or is there a chance only the one uploaded to GTA5 MODS being infected? I downloaded mine from here: www.gtaall.com/gta-5/mods/60829-noclip.html And i don't have any "fade.exe" in my temp folder By the way i'm super pissed, because the noclip mod is actually very useful for recording videos!!! Might we see it one day in the Official Native Trainer?
>
> Interesting! This one is also infected, albeit with a different flavour of the malware! This one downloads GTA5.exe from the internet and executes it. Thus, INFECTED.

I wonder if this is what was going on with this inside the /x64 folder of my steam? it got picked up as a virus and deleted. Does anyone else have another GTA5.exe inside a /x64 folder?

vithepunisher Posted May 14, 2015

I heard the so called modder was apparently a R* games employee trying to shut everyone down on modding the game by making an epic plane mod that had everyone fooled including myself, this incident is to propose a huge impact to warn people modding their game and most importantly turn people away from modding their game completely, now i don't know if i should believe this but looking back at the way R* acted towards the modding community i wouldn't be surprised if this is their retaliation.

MarshallRawR Posted May 14, 2015

>> Interesting! This one is also infected, albeit with a different flavour of the malware! This one downloads GTA5.exe from the internet and executes it. Thus, INFECTED.
>
> I wonder if this is what was going on with this inside the /x64 folder of my steam? it got picked up as a virus and deleted. Does anyone else have another GTA5.exe inside a /x64 folder?

WTF.. and suddenly So basically, I've been infected by both? Great.

Edited May 14, 2015 by MarshallRawR
