
That GTA V mod you installed might be doing more than you think

By Salehuddin Bin Husin - on 15 May 2015, 4:28pm


 Mods may add in fun stuff, but not all of them are safe to use.

While you can do a ton of stuff in GTA V, there's still a lot of stuff you can't do. Since the PC is an open platform, mods have popped up to let gamers have everything from a gun that fires cars to making it rain whales. Yes, it's mostly wacky harmless fun but not everything is fun and games. 

A user at gtaforums.com, aboutseven, has found that two mods have been quietly infecting thousands of PCs with malware. The mods in question are called Angry Planes and Noclip. The Angry Planes mod spawns kamikaze planes, while the Noclip mod allows the player to disable collision detection and pass through walls. When installed, these mods trigger malware called Fade.exe.

If you have downloaded any of those mods (or any GTA V mod), we recommend that you update your antivirus software right away and then run a complete system scan to make sure you're not infected. Don't celebrate just yet though, even if your antivirus reports nothing wrong. There have been reports that antivirus programs (particularly free ones like AVG) aren't detecting Fade.exe as a threat, so you might need to manually delete it.

Here's how, as posted in gtaforums.com by user aboutseven:

Instructions on virus removal:
If these files do not exist, do not assume you weren't affected. The virus could have deleted itself after grabbing what it needed to cover its tracks, or your anti-virus could have deleted it after it grabbed what it needed.

If you have used the mods Angry Planes and/or Noclip mod, then here is how to get rid of the virus, or check if it is still on your computer.

1. Press Ctrl+Shift+Esc, go to processes, and end the csc.exe process.

2. Go to your Temp folder at "C:\Users\*YOUR USER NAME*\AppData\Local\Temp"

3. Sort the files by date added, and find .z and init..exe and delete those. Some reports say that .z might be named differently, like .x.

4. Some people also reported an unnamed archive file (.zip or .rar) that could not be opened that looks like this: http://i.imgur.com/5an5ARa.png If this exists, delete it.

5. Then find a recently made folder, should be named something like this: https://i.imgur.com/knF3dAB.png (I believe that this is a randomly generated name for each person hit) and should contain Fade.exe. Delete this folder.

6. Type in regedit in your Start menu search, or regedit.exe using run.

7. Go to the path located at the bottom of this screenshot: https://i.imgur.com/bBtk8HM.png HKEY_USERS is the first folder you expand, and the folder after it is a long string of characters, different for each person. Choose the one without "Classes" at the end. The key we are looking for is "Shell". If you are using a custom shell, remove the string after it that leads to Fade.exe. If it just contains explorer.exe and nothing after it, it should be fine to either remove it or keep it the way it is. If you have no idea what I'm talking about, just remove "Shell".

8. In registry go to "HKEY_CURRENT_USER\Software\Microsoft\" and look for "Fade" and "Leep" and delete them. "Leep" might only be related to the Noclip mod, as I did not have it.

9. There are also reports that a malicious GTA5.exe is placed inside the x64 in the GTA V directory, probably related to the Noclip mod. Go to "C:\Program Files (x86)\Steam\steamapps\common\Grand Theft Auto V\x64" and delete GTA5.exe if it exists.

10. Of course, remove the mods from GTA V. Do not re-add them. If the server that was grabbing information comes back online, you could be affected again if you decide to keep using the mods.

11. Consider running an anti-virus at this point, just to make sure you got all the instances.

12. Restart your computer to make sure all instances of Fade.exe are no longer running.

This is all that I currently know of for removing the virus, and I will try to update if more information is presented.
With how new the information is, I have no idea if this is a complete removal.
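
The file, process and registry checks from the steps above, as an added read-only PowerShell example that is not part of the original post or article; the function and parameter names are assumptions. It leaves out the Shell value from step 7, since the post gives that registry path only in a screenshot.

```powershell
# Added example: read-only check for the leftovers listed in steps 1-9.
# Function and parameter names are assumptions; nothing is deleted.
function Find-FadeLeftovers {
    param(
        [string]$TempDir   = $env:TEMP,
        [string]$GtaX64Dir = 'C:\Program Files (x86)\Steam\steamapps\common\Grand Theft Auto V\x64'
    )

    function New-Finding($Step, $Kind, $Item) {
        [pscustomobject]@{ Step = $Step; Kind = $Kind; Item = $Item }
    }

    # Steps 1 and 12: processes the post says to end.
    Get-Process -Name 'csc', 'Fade' -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 1 'Process' "$($_.Name) (PID $($_.Id))" }

    # Step 3: loose files in Temp, using the names given in the post.
    foreach ($name in '.z', '.x', 'init..exe') {
        $path = Join-Path $TempDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) { New-Finding 3 'File' $path }
    }

    # Step 5: Fade.exe inside a randomly named folder directly under Temp.
    foreach ($dir in Get-ChildItem -LiteralPath $TempDir -Directory -Force -ErrorAction SilentlyContinue) {
        $exe = Join-Path $dir.FullName 'Fade.exe'
        if (Test-Path -LiteralPath $exe -PathType Leaf) { New-Finding 5 'Folder' $dir.FullName }
    }

    # Step 8: registry keys under HKEY_CURRENT_USER\Software\Microsoft.
    foreach ($key in 'Fade', 'Leep') {
        $regPath = "HKCU:\Software\Microsoft\$key"
        if (Test-Path -LiteralPath $regPath) { New-Finding 8 'RegistryKey' $regPath }
    }

    # Step 9: a GTA5.exe inside the x64 subfolder.
    $gtaExe = Join-Path $GtaX64Dir 'GTA5.exe'
    if (Test-Path -LiteralPath $gtaExe -PathType Leaf) { New-Finding 9 'File' $gtaExe }
}

Find-FadeLeftovers | Format-Table -AutoSize
```

An empty result does not show the machine was never affected, for the reason the post gives at the start of the instructions.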

As the user posted, that information might not be accurate given that the malware itself was only recently discovered. It might be hiding in other directories that nobody is yet aware of. To be safe, change all your passwords for everything. Email, social media accounts, Steam. Everything. Users on various sites are already reporting that some of them have lost access to their Steam accounts.

Meanwhile, another user from gtaforums.com, called ckck, has managed to partially sleuth out what the malware was doing. You can read all about it in their post, but the gist of it is that Fade.exe installed a bunch of crap into infected systems, including keyloggers and other malicious scripts.

As of right now, it's heavily recommended not to run any mods until more is known. There could be more of the mods floating around the net with similar malware embedded within them that are yet undiscovered.

Source: gtaforums.com
Via: PCGamer
