Guardian
The GTA 5 mods NoClip and Angry Planes have been discovered to have malware.
If you've installed them, get rid of them immediately.
Instructions on virus removal:
*If these files do not exist, do not assume you weren't affected. The virus could have deleted itself after grabbing what it needed to cover its tracks.
1. Press Ctrl+Shift+Esc, go to processes, and end the csc.exe process.
2. Go to your Temp folder at "C:\Users\*YOUR USER NAME*\AppData\Local\Temp"
3. Sort the files by date added, and find .z and init..exe and delete those. Some reports say that .z might be named differently, like .x.
4. Some people also reported an unnamed archive file (.zip or .rar) that could not be opened that looks like this: http://i.imgur.com/5an5ARa.png If this exists, delete it.
5. Then find a recently made folder, should be named something like this: https://i.imgur.com/knF3dAB.png (I believe that this is a randomly generated name for each person hit) and should contain Fade.exe. Delete this folder.
6. Type in regedit in your Start menu search, or regedit.exe using run.
7. Go to the path located at the bottom of this screenshot: https://i.imgur.com/bBtk8HM.png (HKEY_USERS is the first folder you expand) and remove Shell. The long string of characters might be different for each person.
8. In the registry, go to "HKEY_CURRENT_USER\Software\Microsoft\" and look for Fade and Leep and delete them. Leep might only be related to the NoClip mod, as I did not have it.
9. There are also reports that a malicious GTA5.exe is placed inside the x64 in the GTA V directory, probably related to the NoClip mod. Go to "C:\Program Files (x86)\Steam\steamapps\common\Grand Theft Auto V\x64" and delete GTA5.exe if it exists.
10. Restart your computer to make sure all instances of Fade.exe are no longer running.
This is all that I currently know of for removing the virus, and I will try to update if more information is presented.
If in doubt, and you still don't feel safe, format and reinstall Windows. With how new the information is, I have no idea if this is a complete removal. I will most likely be reinstalling Windows myself just to make sure.
Change your passwords!
If you downloaded Angry Planes or NoClip and played GTA V with them, you were most likely hit with a keylogger or other methods of password grabbing, and I strongly suggest changing all passwords. Do the steps above first before changing them. Just because you don't see any of the files above, don't assume you weren't hit. The virus could have had a way of deleting itself from your computer to cover traces. I'd also suggest using something like KeePass in the future for keeping your passwords in an encrypted database, since browsers keep passwords in plain text.
Read more here: http://gtaforums.com/topic/794383-possibility-of-trojan-downloaderspyware-installed-via-gta-v-mod/
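
A read-only way to run the checks from the steps above before deleting anything, as an added example that is not part of the original post. It assumes the Fade.exe folder and the unnamed archive sit in the Temp folder from step 2; `Add-Finding` is a helper name made up for this script, and step 7 is not covered because its registry path appears only in the screenshot.

```powershell
# Added example: reports the artifacts named in the post. It deletes nothing.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Step, [string]$Item) {
    $findings.Add([pscustomobject]@{ Step = $Step; Item = $Item })
}

# Step 1: a running csc.exe. This is also the name of the legitimate
# .NET C# compiler, so the image path is reported for manual review.
Get-Process -Name csc -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding '1' ("csc.exe PID {0}, path: {1}" -f $_.Id, $_.Path)
}

# Steps 3-4: file names from the post, looked up in the user's Temp folder.
# Assumption: the "unnamed archive" is a file literally named .zip or .rar.
$temp = Join-Path $env:LOCALAPPDATA 'Temp'
foreach ($name in '.z', '.x', 'init..exe', '.zip', '.rar') {
    $path = Join-Path $temp $name
    if (Test-Path -LiteralPath $path) { Add-Finding '3-4' $path }
}

# Step 5: any folder directly under Temp that contains Fade.exe.
# The folder name is random per machine, so match on the file instead.
Get-ChildItem -LiteralPath $temp -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $exe = Join-Path $_.FullName 'Fade.exe'
        if (Test-Path -LiteralPath $exe) { Add-Finding '5' $exe }
    }

# Step 7 is intentionally skipped: the post gives that path only as an image.

# Step 8: Fade and Leep under HKCU\Software\Microsoft, as a subkey or a value.
$base = 'HKCU:\Software\Microsoft'
$valueNames = (Get-Item -LiteralPath $base).GetValueNames()
foreach ($name in 'Fade', 'Leep') {
    if (Test-Path -LiteralPath "$base\$name") { Add-Finding '8' "$base\$name (key)" }
    if ($valueNames -contains $name) { Add-Finding '8' "$base -> $name (value)" }
}

# Step 9: GTA5.exe inside the x64 folder of the default Steam install path.
$gta = 'C:\Program Files (x86)\Steam\steamapps\common\Grand Theft Auto V\x64\GTA5.exe'
if (Test-Path -LiteralPath $gta) { Add-Finding '9' $gta }

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'None of the listed artifacts were found. Per the post, that does not rule out infection.'
}
```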