zaF
Well-known member
- Location
- West Midlands
Hey all, felt that I should make the people of ALUK aware of this as its quite a big issue.
If you have installed GTA V mods, check for malware now. Two mods by the name of "Simple Noclip" and "Angry Planes" have been found to install a "Fade.exe" program which is known for stealing passwords.
The file is located in your temp folder so check there, these are the only two I know about as of now. But please be careful and do some research before installing a mod from here on out. This fucking sucks, and I thought that the modding community was better than this.
If you have installed any GTA V mods, change all of your passwords now just to be safe. This includes steam.
Here is the official post which may help you.
Hey all, first time posting here.
Please excuse my ignorance on this subject, as I could be over reacting about something I simply have no knowledge of, but this has definitely raised some red flags.
I came across something pretty startling today after reviewing my processes that were running on my computer. I tend to do this a lot out of paranoia, just checking that I don't have stuff running in the background that I don't want running, or if I ever possibly run into something that is out of the ordinary that could possibly be malware. I happened to notice that the Windows C# compiler running the background as csc.exe. I have never noticed noticed this running in the background, and there really is no reason for a C# compiler to be running in the background because I've never even programmed in C#. This is a normal system file, but I decided to pop open Process Explorer and took a look at the process in detail. First thing I noticed is that it was sending and receiving some data across the internet. That was the first red flag, as why would a compiler be accessing the internet? (Again ignorant on this subject, maybe compilers do connect to the internet for specific reasons that I do no know of). Second, not only was the normal system file of the .exe in the path url, but also an .exe located in my Temp folder called Fade.exe. I went to the location of this, and found the .exe with another folder called Data. Within that folder was another called Logs, and then two folders with recent dates, and within those were files called Session1.bin, Session2.bin, and so on.
Here are some images of the folder hierarchy and the files in question:
https://i.imgur.com/knF3dAB.png
https://i.imgur.com/75CjxPw.png
https://i.imgur.com/pUtFzbY.png
https://i.imgur.com/BrFp7fQ.png
https://i.imgur.com/XaxXN0t.png
So sure enough, I'm freaking out at this point. The Fade.exe had hijacked an official system file, the C# Compiler, and was accessing the internet while keeping what seems to be logs of my system in the hidden temp directory. I then did a Malwarebytes scan and it reported that Fade.exe had also hijacked a part of the registry to force this program to start up on windows logon, as can be seen here: https://i.imgur.com/bBtk8HM.png
Also, two other files were created in the temp directory with the names .z and init..exe which can be seen here: https://i.imgur.com/jEds84Q.png
I did more research on this Fade.exe program, but couldn't find anything except for this single instance here which seems to fit the description perfectly: http://vms.drweb-av....irus/?i=4337630
For some reason, directly scanning the file with Malwarebytes reports that it is not malware, and only 3 out of 56 virus scanners found Fade.exe to be malicious: https://www.virustot...a9336/analysis/
Now where does GTA V modding come into this? Well, I compared the date of when the Fade.exe instance was created to whatever I had in my download folder. I don't go around downloading random programs from non-trusted sources, so I couldn't believe that I had gotten a virus from a program. Well sure enough, I noticed all the mods that I had downloaded for GTA V had matched the date when this folder was created. I decided to experiment. I first deleted all instances of the Fade.exe folder, the files in the temp folder, and the registry hijack. I then ran GTA V with the mods installed. Fade.exe had returned after the game had loaded up (not to the menu screen, to the game itself), along with everything else. Again I removed the Fade.exe and all the other stuff, and I then removed all mods but ScriptHook V and its Native Trainer and relaunched the game. The first thing I noticed is that GTA V started up fullscreen when I did this, when it started windowed with the mods installed. Also, with the mods installed, I always noticed a flashing window right before the game finished loading which was gone after removing the mods. After starting up GTA V without the mods and only ScriptHook V, there was no Fade.exe or any other files.
Please note that all mods are .asi and .lua type mods. It's not like I ran some random program or something.
This brings me to you guys, because due to my ignorance, I have no idea if this is normal behavior or not. It sure doesn't look like normal behavior, especially considering that it hijacks the registry for windows startup, runs in the background without GTA V running, and seems to be contacting a server. Have mods ever been vulnerable to things like this before? I'm going to post this right now so people can go ahead and read it, but I'm going to try and update this with more information after I do some more testing to see which mod is causing this.
Update: The first mod that I found to be the culprit was Angry Planes, which can be found here: https://www.gta5-mod...ts/angry-planes
I tested it twice, I would remove the Fade.exe and all of the other files, load up GTA V with only Angry Planes installed, and the Fade.exe would appear with the registry hijacks and other files. Loading up GTA V without Angry Planes does not add any files, so I can only assume that this mod is the one causing it.
Also I should add the the creator of ScriptHookV which allows modding in GTA V has confirmed these two mods to be malicious.
- zaF
If you have installed GTA V mods, check for malware now. Two mods by the name of "Simple Noclip" and "Angry Planes" have been found to install a "Fade.exe" program which is known for stealing passwords.
The file is located in your temp folder so check there, these are the only two I know about as of now. But please be careful and do some research before installing a mod from here on out. This fucking sucks, and I thought that the modding community was better than this.
If you have installed any GTA V mods, change all of your passwords now just to be safe. This includes steam.
Here is the official post which may help you.
Hey all, first time posting here.
Please excuse my ignorance on this subject, as I could be over reacting about something I simply have no knowledge of, but this has definitely raised some red flags.
I came across something pretty startling today after reviewing my processes that were running on my computer. I tend to do this a lot out of paranoia, just checking that I don't have stuff running in the background that I don't want running, or if I ever possibly run into something that is out of the ordinary that could possibly be malware. I happened to notice that the Windows C# compiler running the background as csc.exe. I have never noticed noticed this running in the background, and there really is no reason for a C# compiler to be running in the background because I've never even programmed in C#. This is a normal system file, but I decided to pop open Process Explorer and took a look at the process in detail. First thing I noticed is that it was sending and receiving some data across the internet. That was the first red flag, as why would a compiler be accessing the internet? (Again ignorant on this subject, maybe compilers do connect to the internet for specific reasons that I do no know of). Second, not only was the normal system file of the .exe in the path url, but also an .exe located in my Temp folder called Fade.exe. I went to the location of this, and found the .exe with another folder called Data. Within that folder was another called Logs, and then two folders with recent dates, and within those were files called Session1.bin, Session2.bin, and so on.
Here are some images of the folder hierarchy and the files in question:
https://i.imgur.com/knF3dAB.png
https://i.imgur.com/75CjxPw.png
https://i.imgur.com/pUtFzbY.png
https://i.imgur.com/BrFp7fQ.png
https://i.imgur.com/XaxXN0t.png
So sure enough, I'm freaking out at this point. The Fade.exe had hijacked an official system file, the C# Compiler, and was accessing the internet while keeping what seems to be logs of my system in the hidden temp directory. I then did a Malwarebytes scan and it reported that Fade.exe had also hijacked a part of the registry to force this program to start up on windows logon, as can be seen here: https://i.imgur.com/bBtk8HM.png
Also, two other files were created in the temp directory with the names .z and init..exe which can be seen here: https://i.imgur.com/jEds84Q.png
I did more research on this Fade.exe program, but couldn't find anything except for this single instance here which seems to fit the description perfectly: http://vms.drweb-av....irus/?i=4337630
For some reason, directly scanning the file with Malwarebytes reports that it is not malware, and only 3 out of 56 virus scanners found Fade.exe to be malicious: https://www.virustot...a9336/analysis/
Now where does GTA V modding come into this? Well, I compared the date of when the Fade.exe instance was created to whatever I had in my download folder. I don't go around downloading random programs from non-trusted sources, so I couldn't believe that I had gotten a virus from a program. Well sure enough, I noticed all the mods that I had downloaded for GTA V had matched the date when this folder was created. I decided to experiment. I first deleted all instances of the Fade.exe folder, the files in the temp folder, and the registry hijack. I then ran GTA V with the mods installed. Fade.exe had returned after the game had loaded up (not to the menu screen, to the game itself), along with everything else. Again I removed the Fade.exe and all the other stuff, and I then removed all mods but ScriptHook V and its Native Trainer and relaunched the game. The first thing I noticed is that GTA V started up fullscreen when I did this, when it started windowed with the mods installed. Also, with the mods installed, I always noticed a flashing window right before the game finished loading which was gone after removing the mods. After starting up GTA V without the mods and only ScriptHook V, there was no Fade.exe or any other files.
Please note that all mods are .asi and .lua type mods. It's not like I ran some random program or something.
This brings me to you guys, because due to my ignorance, I have no idea if this is normal behavior or not. It sure doesn't look like normal behavior, especially considering that it hijacks the registry for windows startup, runs in the background without GTA V running, and seems to be contacting a server. Have mods ever been vulnerable to things like this before? I'm going to post this right now so people can go ahead and read it, but I'm going to try and update this with more information after I do some more testing to see which mod is causing this.
Update: The first mod that I found to be the culprit was Angry Planes, which can be found here: https://www.gta5-mod...ts/angry-planes
I tested it twice, I would remove the Fade.exe and all of the other files, load up GTA V with only Angry Planes installed, and the Fade.exe would appear with the registry hijacks and other files. Loading up GTA V without Angry Planes does not add any files, so I can only assume that this mod is the one causing it.
Also I should add the the creator of ScriptHookV which allows modding in GTA V has confirmed these two mods to be malicious.
- zaF
Last edited by a moderator:
