Users of the Grand Theft Auto 5 mods “Angry Planes” and “NoClip” have been surprised to find some nasty viruses plaguing their PCs. These include keyloggers, spam bots that take control of your Twitch, Facebook, and YouTube accounts, a bot that can do things to your Steam inventory, and other nasty trojans.
It’s unfortunate, and a little ironic, that this type of thing is found in the world’s most popular crime simulator. For virus creators, GTA 5 is an active feeding ground.
Users on the GTA forums attributed the virus to a program called Fade.exe. Some antivirus programs do not even detect it as a virus.
If you have installed these mods and feel you have been infected, a user by the name of aboutseven posted some removal instructions. The instructions they have at the moment are as follows:
- Press Ctrl+Shift+ESC, go to processes, and end csc.exe
- Go to your Temp folder at C:\Users\”Your User Name”\AppData\Local\Temp
- Sort the files by date added, and find .z and init..exe and delete those. Some reports say that .z might be named differently, like .x.
- Some people also reported an unnamed archive file (.zip or .rar) that could not be opened that looks like this: http://i.imgur.com/5an5ARa.png If this exists, delete it.
- Then find a recently made folder, should be named something like this: https://i.imgur.com/knF3dAB.png (this can be a randomly generated name for each person hit) and should contain Fade.exe. Delete this folder.
- Type in regedit in your Start menu search, or regedit.exe using run.
- Go to the path located at the bottom of this screenshot: https://i.imgur.com/bBtk8HM.png HKEY_USERS is the first folder you expand, and the folder after it is a long string of characters, different for each person. Choose the one without “Classes” at the end. The key we are looking for is “Shell”. If you are using a custom shell, remove the string after it that leads to Fade.exe. If it just contains explorer.exe and nothing after it, it should be fine to either remove it or keep it the way it is. If you have no idea what that is, just remove “Shell”.
- In the registry go to “HKEY_CURRENT_USER\Software\Microsoft” and look for “Fade” and “Leep” and delete them. “Leep” might only be related to the Noclip mod.
- There are also reports that a malicious GTA5.exe is placed inside the x64 folder in the GTA V directory, probably related to the Noclip mod. Go to “C:\Program Files (x86)\Steam\steamapps\common\Grand Theft Auto V\x64” and delete GTA5.exe if it exists.
- Of course, remove the mods from GTA V. Do not re-add them. If the server that was grabbing information comes back online, you could be affected again if you decide to keep using the mods.
- Consider running an anti-virus at this point, just to make sure you got all the instances.
- Restart your computer to make sure all instances of Fade.exe are no longer running.
- With how new the information is, this may not be a complete removal. If in doubt, and you still don’t feel safe, format and reinstall Windows.
These instructions may change as new information is released; stay tuned for more updates!
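Before deleting anything by hand, it helps to list which of the reported artifacts are actually present. The PowerShell function below is an added example, not part of aboutseven's instructions; it only reads and reports. The function name `Find-FadeArtifacts` is hypothetical, and the GTA V path is the default Steam location quoted in the steps.

```powershell
# Added example: read-only check for the artifacts named in the removal steps.
# Nothing is deleted; each hit is returned as an object for manual review.
function Find-FadeArtifacts {   # hypothetical function name
    param(
        [string]$TempDir = $env:TEMP,
        # Default Steam path from the article; pass your own if GTA V is installed elsewhere.
        [string]$GtaDir  = 'C:\Program Files (x86)\Steam\steamapps\common\Grand Theft Auto V'
    )

    # csc.exe is also the legitimate .NET C# compiler, so a hit here is only a lead.
    Get-Process -Name csc -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Check = 'Process'; Item = "csc.exe (PID $($_.Id))"; Detail = $_.Path }
    }

    # File names exactly as the steps give them. The folder holding Fade.exe has a
    # random name, so search the whole Temp tree (hidden files included).
    $names = 'Fade.exe', 'init..exe', '.z', '.x'
    Get-ChildItem -LiteralPath $TempDir -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'TempFile'; Item = $_.FullName; Detail = $_.CreationTime }
        }

    # "Fade" and "Leep" under HKCU\Software\Microsoft: look for both a subkey and a value.
    $base = 'HKCU:\Software\Microsoft'
    foreach ($name in 'Fade', 'Leep') {
        if (Test-Path -LiteralPath "$base\$name") {
            [pscustomobject]@{ Check = 'RegistryKey'; Item = "$base\$name"; Detail = $null }
        }
        $value = Get-ItemProperty -LiteralPath $base -Name $name -ErrorAction SilentlyContinue
        if ($value) {
            [pscustomobject]@{ Check = 'RegistryValue'; Item = "$base -> $name"; Detail = $value.$name }
        }
    }

    # The steps report a planted GTA5.exe inside the x64 subfolder.
    $planted = Join-Path $GtaDir 'x64\GTA5.exe'
    if (Test-Path -LiteralPath $planted -PathType Leaf) {
        [pscustomobject]@{ Check = 'GameDir'; Item = $planted; Detail = (Get-Item -LiteralPath $planted).CreationTime }
    }
    # The "Shell" value is not checked: its registry path appears only in the screenshot.
}

Find-FadeArtifacts | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed names were found; as the instructions themselves note, that does not prove the machine is clean.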
Published: May 15, 2015 05:20 am