
GTA V mods are hiding password-stealing malware



One of the best things about PC gaming is the ability to mod games, and bring other people’s weird and wonderful imaginations to life. There exists a world of game-changing mods that extend the life of your game in incredible ways – usually for free. Mods are cool. Not so cool? When they’re Trojan horses, infecting your PCs with malware. That’s a thing that’s happening now, as users of some GTA V mods have discovered.

Two popular mods for the game have been discovered to house malware: the simple noclip mod and, more recently, the much-publicised Angry Planes mod. Two Trojans, init.exe and fade.exe, seem to be selectively infecting users’ PCs, according to the GTA Forums.

Fade, in particular, is a nasty one, known for stealing user passwords, so if you’ve installed any GTA V PC mods recently, you may want to check for infection, and then change every single password of yours. Worse, the code for this malware can be hidden inside GTA V’s scripting language files and is only installed when the game is run, bypassing many anti-malware and anti-virus programs. For a comprehensive look at what the malware is capable of, check out this post, here.

If you’ve installed the mods, you may want to do the following (according to the chap who discovered the infection):

If you have used the mods Angry Planes and/or Noclip mod, then here is how to get rid of the virus, or check if it is still on your computer.

1. Press Ctrl+Shift+Esc, go to processes, and end the csc.exe process.

2. Go to your Temp folder at “C:\Users\*YOUR USER NAME*\AppData\Local\Temp”

3. Sort the files by date added, and find .z and init..exe and delete those. Some reports say that .z might be named differently, like .x.

4. Some people also reported an unnamed archive file (.zip or .rar) that could not be opened that looks like this: http://i.imgur.com/5an5ARa.png If this exists, delete it.

5. Then find a recently made folder, should be named something like this: https://i.imgur.com/knF3dAB.png (I believe that this is a randomly generated name for each person hit) and should contain Fade.exe. Delete this folder.

6. Type in regedit in your Start menu search, or regedit.exe using run.

7. Go to the path located at the bottom of this screenshot: https://i.imgur.com/bBtk8HM.png HKEY_USERS is the first folder you expand, and the folder after it is a long string of characters, different for each person. Choose the one without “Classes” at the end. The key we are looking for is “Shell”. If you are using a custom shell, remove the string after it that leads to Fade.exe. If it just contains explorer.exe and nothing after it, it should be fine to either remove it or keep it the way it is. If you have no idea what I’m talking about, just remove “Shell”.

8. In registry go to “HKEY_CURRENT_USER\Software\Microsoft\” and look for “Fade” and “Leep” and delete them. “Leep” might only be related to the Noclip mod, as I did not have it.

9. There are also reports that a malicious GTA5.exe is placed inside the x64 in the GTA V directory, probably related to the Noclip mod. Go to “C:\Program Files (x86)\Steam\steamapps\common\Grand Theft Auto V\x64” and delete GTA5.exe if it exists.

10. Of course, remove the mods from GTA V. Do not re-add them. If the server that was grabbing information comes back online, you could be affected again if you decide to keep using the mods.

11. Restart your computer to make sure all instances of Fade.exe are no longer running.
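
A read-only way to run the checks from steps 1 to 5, 8, 9 and 11 in PowerShell before deleting anything. This is an added example, not part of the quoted instructions: it assumes the default Steam path quoted in step 9, treats the "unnamed" archive as a file literally called .zip or .rar, and skips step 7 because that registry path appears only in the screenshot.

```powershell
# Read-only check for the indicators named in the removal steps above.
# Nothing is deleted; every hit is listed so it can be reviewed by hand.
$findings = New-Object System.Collections.Generic.List[string]

# Steps 1 and 11: processes the steps say to end or confirm are gone.
# csc.exe is also the legitimate .NET C# compiler, so a hit is only a lead.
foreach ($name in 'csc', 'Fade') {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add("Process running: $($_.ProcessName) (PID $($_.Id)) $($_.Path)")
    }
}

# Steps 2-4: dropped files in the user's Temp folder.
# Step 3 writes the name as init..exe, the article's intro as init.exe; match both.
# Assumption: the "unnamed" archive is a file called just .zip or .rar.
$temp  = Join-Path $env:LOCALAPPDATA 'Temp'
$names = 'init.exe', 'init..exe', '.z', '.x', '.zip', '.rar'
Get-ChildItem -LiteralPath $temp -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -in $names } |
    ForEach-Object { $findings.Add("Temp file: $($_.FullName) (created $($_.CreationTime))") }

# Step 5: a randomly named folder in Temp that contains Fade.exe.
Get-ChildItem -LiteralPath $temp -Force -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        if (Test-Path -LiteralPath (Join-Path $_.FullName 'Fade.exe')) {
            $findings.Add("Folder containing Fade.exe: $($_.FullName)")
        }
    }

# Step 8: registry keys under HKEY_CURRENT_USER\Software\Microsoft.
foreach ($key in 'Fade', 'Leep') {
    $path = "HKCU:\Software\Microsoft\$key"
    if (Test-Path -LiteralPath $path) { $findings.Add("Registry key: $path") }
}

# Step 9: a GTA5.exe inside the x64 folder (default Steam path from the article).
$gta = 'C:\Program Files (x86)\Steam\steamapps\common\Grand Theft Auto V\x64\GTA5.exe'
if (Test-Path -LiteralPath $gta) {
    $hash = (Get-FileHash -LiteralPath $gta -Algorithm SHA256).Hash
    $findings.Add("Unexpected file: $gta (SHA256 $hash)")
}

if ($findings.Count -eq 0) { 'No indicators from the steps above were found.' }
else { $findings }
```

If the game is installed in a different Steam library, change the `$gta` path to match before running.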

And remember: Change your passwords! This really sucks, and hidden malware could rather negatively impact the modding scene – perhaps even more than the prospect of paid mods.

Last Updated: May 15, 2015
