Home Gaming GTA V mods are hiding password-stealing malware

GTA V mods are hiding password-stealing malware

3 min read
46

Trojanhorse

One of the best things about PC gaming is the ability to mod games, and bring other people’s weird and wonderful imaginations to life. There exists a world of game-changing mods that extend the life of your game in incredible ways – usually for free. Mods are cool. Not so cool? When they’re Trojan horses, infecting your PCs with malware. That’s a thing that’s happening now, as users of some GTA V mods have discovered.

Two popular mods for the game have been discovered to house malware; the simple noclip mod, and more recently, the much-publicised Angry Planes mod. Two Trojans, init.exe and fade.exe, seem to be selectively infecting users PCs, according to the GTA Forums.

Fade, in particular, is a nasty one, known for stealing user passwords, so if you’ve installed any GTA V PC mods recently, you may want to check for infection, and then change every single password of yours. Worse is that the code for these bits of malware are able to be hidden inside GTA V’s scripting language files, and only installed when the game is run, bypassing many anti-malware and anti-virus programs. For a comprehensive look at what the malware is capable of, check out this post, here.

If you’ve installed the mods, you may want to do the following (According to the chap who discovered the infection):

If you have used the mods Angry Planes and/or Noclip mod, then here is how to get rid of the virus, or check if it is still on your computer.

1. Press Ctrl+Shift+Esc, go to processes, and end the csc.exe process.

2. Go to your Temp folder at “C:\Users\*YOUR USER NAME*\AppData\Local\Temp”

3. Sort the files by date added, and find .z and init..exe and delete those. Some reports say that .z might be named differently, like .x.

4. Some people also reported an unnamed archive file (.zip or .rar) that could not be opened that looks like this: http://i.imgur.com/5an5ARa.png If this exists, delete it.

5. Then find a recently made folder, should be named something like this: https://i.imgur.com/knF3dAB.png (I believe that this is a randomly generated name for each person hit) and should contain Fade.exe. Delete this folder.

6. Type in regedit in your Start menu search, or regedit.exe using run.

7. Go to the path located at the bottom of this screenshot: https://i.imgur.com/bBtk8HM.png HKEY_USERS is the first folder you expand, and the folder after it is a long string of characters, different for each person. Choose the one without “Classes” at the end. The key we are looking for is “Shell”. If you are using a custom shell, remove the string after it that leads to Fade.exe. If it just contains explorer.exe and nothing after it, it should be fine to either remove it or keep it the way it is. If you have no idea what I’m talking about, just remove “Shell”.

8. In registry go to “HKEY_CURRENT_USER\Software\Microsoft\” and look for “Fade” and “Leep” and delete them. “Leep” might only be related to the Noclip mod, as I did not have it.

9. There are also reports that a malicious GTA5.exe is placed inside the x64 in the GTA V directory, probably related to the Noclip mod. Go to “C:\Program Files (x86)\Steam\steamapps\common\Grand Theft Auto V\x64” and delete GTA5.exe if it exists.

10. Of course, remove the mods from GTA V. Do not re-add them. If the server that was grabbing information comes back online, you could be affected again if you decide to keep using the mods.

11. Restart your computer to make sure all instances of Fade.exe are no longer running.

And remember: Change your passwords! This really sucks, and hidden malware could rather negatively impact the modding scene – perhaps even more than the prospect of paid mods.

Last Updated: May 15, 2015

46 Comments

  1. Admiral Chief

    May 15, 2015 at 08:39

    I feel for the guys, I really do. BUT, ALWAYS play a game through before you start cheating!

    Reply

    • Matin

      May 15, 2015 at 10:18

      Goddammit man.

      Reply

  2. K1FF J1MB0B (sizzle edition)

    May 15, 2015 at 08:39

    In all seriousness, why would you choose to play a platform where shit like this is rampant?

    Reply

    • Admiral Chief

      May 15, 2015 at 08:42

      BECOZ MODZ AND GREFFIEKS BROE

      Reply

      • Blood Emperor Trevor

        May 15, 2015 at 08:43

        AWEH!

        Reply

      • Hammersteyn

        May 15, 2015 at 08:43

        En daai gestoemde specials my lanie

        Reply

        • Dutch-Trevor Matrix

          May 15, 2015 at 08:44

          En al die blou moewies wat jy kan aan dink! Vir boggeroll my China!

          Reply

      • Thats_how_I_Troll

        May 15, 2015 at 10:21

        Because it is easier to spell…

        Reply

      • Skoobaz

        May 15, 2015 at 11:43

        DUIDELIK!

        Reply

    • Lord Chaos

      May 15, 2015 at 08:42

      Because of the massive Sony hack(s)?

      Reply

    • Dutch-Trevor Matrix

      May 15, 2015 at 08:43

      BECAUSE I’M BATMAN!!!!

      Reply

    • Blood Emperor Trevor

      May 15, 2015 at 08:43

      Danger’s my middle name.

      Reply

      • Dutch-Trevor Matrix

        May 15, 2015 at 08:45

        I thought it was Emperor.

        Reply

        • Blood Emperor Trevor

          May 15, 2015 at 08:47

          No, that’s the second half of my title. It’s actually Blood Emperor Trevor Danger Stone the Humble, Saviour of Humanity.

          Reply

          • Dutch-Trevor Matrix

            May 15, 2015 at 08:48

            I take it you weep whenever a form says: Full Names…

          • Blood Emperor Trevor

            May 15, 2015 at 08:50

            Whenever someone gives me a form i shout, “NOT APPLICABLE!”, tear it in half and throw it back in their faces, then wait for them to guess what I wanted. Woe betide them if they guess wrong.

          • Lord Chaos

            May 15, 2015 at 08:51

            Well there goes Humble…

          • Admiral Chief

            May 15, 2015 at 08:51

            xD

          • Blood Emperor Trevor

            May 15, 2015 at 08:52

            Not really, you have no idea how much worse I could be. 😉

          • Lord Chaos

            May 15, 2015 at 08:53

            For that to happen you’d have to go outside and interact with people…

          • Blood Emperor Trevor

            May 15, 2015 at 08:54

            And I don’t, because I’m humble. I don’t want all of you people to feel insignificant when compared to me.

          • Hammersteyn

            May 15, 2015 at 08:51

          • Admiral Chief

            May 15, 2015 at 08:52

            LOoOL

          • Lord Chaos

            May 15, 2015 at 08:48

            Daenerys? Is that you?

          • Skoobaz

            May 15, 2015 at 11:44

            …and swatter of infidels?

          • Marc O Polo

            May 15, 2015 at 13:20

            First of his name…

      • Kromas,powered by windows 10.

        May 15, 2015 at 09:00

        Your surname Powers by any chance?

        Reply

        • Admiral Chief

          May 15, 2015 at 09:01

          No, it’s ‘ToAllOfHisStalkerVictims’

          Reply

    • Hammersteyn

      May 15, 2015 at 08:44

      Because 4K, even though less than 5% can afford it.

      Reply

      • Lord Chaos

        May 15, 2015 at 08:47

        Not even.

        4K would be nice, but I’m running everything on full at 70fps which also looks pretty

        Reply

    • Kromas,powered by windows 10.

      May 15, 2015 at 08:56

      Because this. (Replace Mac with console of choice) 😛

      Reply

      • Blood Emperor Trevor

        May 15, 2015 at 08:59

        LOL

        Reply

  3. RinceTriss

    May 15, 2015 at 08:40

    LOL. PC Mastervirus

    Reply

    • FoxOneZA

      May 15, 2015 at 09:58

      Kinect’s alter ego lives on in malware.

      Reply

  4. Hammersteyn

    May 15, 2015 at 08:42

    Just imagine Steam were selling mods and it contained malware, also this is cool…

    http://img-9gag-fun.9cache.com/photo/am0QwG2_460sa.gif

    Reply

    • Blood Emperor Trevor

      May 15, 2015 at 08:43

      Don’t have to imagine, they sold AC:Unity.

      Reply

      • Admiral Chief

        May 15, 2015 at 08:44

        Indeed, they hide uPlay in some games

        Reply

    • Lord Chaos

      May 15, 2015 at 08:44

      Haha, Dragon kitteh

      Reply

    • Dutch-Trevor Matrix

      May 15, 2015 at 08:49

      The Devil Cat! THE DEVIL CAT WALKS AMONG US!!!!

      Reply

    • Brady miaau

      May 15, 2015 at 09:15

      Beyond cool. I love this!

      Reply

    • HairyEwok

      May 15, 2015 at 09:50

      See this is exactly why we love mods XD

      Reply

  5. Blood Emperor Trevor

    May 15, 2015 at 08:42

    Let me guess, the mod authors are saying… “Hey guys, it’s just a false positive! Don’t believe them.”

    Reply

    • David

      May 15, 2015 at 09:17

      Actually one of the mods mentioned in the Kotaku reviewed was proven NOT to have malware, which hurt the maker – luckily LazyGamer isn’t LazyJournalist and didn’t make the same mistake. 🙂

      Reply

  6. BurnZ

    May 15, 2015 at 09:44

    Console peasants FTW! But seriously this really sux! Cant every one just play nice?

    Reply

  7. Axon1988

    May 15, 2015 at 15:23

    BASICS… Keep an antivirus handy, and possible anti-malware. And then really, use your fucking firewall! Let your firewall notify you when an app or service is trying to upload / download data. And block it. EASY, really REALLY easy.

    We live in the year 2015. These things should be taught to people who want to use a pc and play games on it.

    Reply

  8. 40 Insane Frogs

    May 17, 2015 at 10:31

    Switches on PS4 – laughs!

    Reply

Leave a Reply

Your email address will not be published.

Check Also

The Xbox was nearly Microsoft’s free trojan horse

Microsoft nearly sold their very first Xbox for free, but not for any reason you might exp…