homosapienboy (05-15-2015),Whoopies (05-15-2015)
Instructions on virus removal:
If these files do not exist, do not assume you weren't affected. The virus could have deleted itself after grabbing what it needed to cover its tracks, or your anti-virus could have deleted it after it grabbed what it needed.
If you have used the mods Angry Planes and/or Noclip mod, then here is how to get rid of the virus, or check if it is still on your computer.
1. Press Ctrl+Shift+Esc, go to processes, and end the csc.exe process.
2. Go to your Temp folder at "C:\Users\*YOUR USER NAME*\AppData\Local\Temp"
3. Sort the files by date added, and find .z and init..exe and delete those. Some reports say that .z might be named differently, like .x.
4. Some people also reported an unnamed archive file (.zip or .rar) that could not be opened that looks like this: If this exists, delete it.
5. Then find a recently made folder, should be named something like this: (I believe that this is a randomly generated name for each person hit) and should contain Fade.exe. Delete this folder.
6. Type in regedit in your Start menu search, or regedit.exe using run.
7. Go to the path located at the bottom of this screenshot: HKEY_USERS is the first folder you expand, and the folder after it is a long string of characters, different for each person. Choose the one without "Classes" at the end. The key we are looking for is "Shell". If you are using a custom shell, remove the string after it that leads to Fade.exe. If it just contains explorer.exe and nothing after it, it should be fine to either remove it or keep it the way it is. If you have no idea what I'm talking about, just remove "Shell".
8. In registry go to "HKEY_CURRENT_USER\Software\Microsoft\" and look for "Fade" and "Leep" and delete them. "Leep" might only be related to the Noclip mod, as I did not have it.
9. There are also reports that a malicious GTA5.exe is placed inside the x64 folder in the GTA V directory, probably related to the Noclip mod. Go to "C:\Program Files (x86)\Steam\steamapps\common\Grand Theft Auto V\x64" and delete GTA5.exe if it exists.
10. Of course, remove the mods from GTA V. Do not re-add them. If the server that was grabbing information comes back online, you could be affected again if you decide to keep using the mods.
11. Consider running an anti-virus at this point, just to make sure you got all the instances.
12. Restart your computer to make sure all instances of Fade.exe are no longer running.
This is all that I currently know of for removing the virus, and I will try to update if more information is presented.
With how new the information is, I have no idea if this is a complete removal.
If in doubt, and you still don't feel safe, format and reinstall Windows. I reinstalled Windows myself just to be on the safe side.
Change your passwords!
If you have any doubt about being hit by the virus, don't ask if you should, just change your passwords. It's worth the hassle in the event your passwords were really stolen.
If you downloaded Angry Planes or the Noclip mod and played GTA V with them, you were most likely hit with a keylogger or other methods of password grabbing, such as getting passwords saved in your browsers, and I strongly suggest changing all passwords. Do the steps above first before changing them. Just because you don't see any of the files above, don't assume you weren't hit. The virus could have had a way of deleting itself from your computer to cover traces. I'd also suggest using something like KeePass in the future for keeping your passwords in an encrypted database, since it is very easy for something like a virus to grab saved passwords in web browsers.
If you need any help, please PM me; maybe I can help you.
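As an added example that is not part of the original post, this PowerShell audit walks the indicators named in steps 1 to 9 and reports them without deleting anything, so you can decide what to remove. It assumes the Shell value from step 7 lives at the standard per-user Winlogon key (the screenshot is not available here) and that the Steam install path from step 9 applies.

```powershell
# Added audit script (not from the original post): reports the indicators the
# removal steps above describe, without deleting anything. Run as the affected user.
$temp = Join-Path $env:LOCALAPPDATA 'Temp'
$findings = @()

# Step 1: csc.exe is also the legitimate .NET C# compiler, so record where it runs from
Get-Process -Name csc -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Running csc.exe (PID $($_.Id)) from $($_.Path)"
}

# Steps 3 to 5: .z/.x, init..exe, and any folder containing Fade.exe under Temp
Get-ChildItem -Path $temp -Force -ErrorAction SilentlyContinue | Where-Object {
    $_.Name -in @('.z', '.x', 'init..exe')
} | ForEach-Object { $findings += "Suspicious Temp item: $($_.FullName)" }
Get-ChildItem -Path $temp -Recurse -Filter 'Fade.exe' -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Fade.exe found in: $($_.DirectoryName)" }

# Step 7 (assumed location: HKCU is the same hive as HKEY_USERS\<your SID>):
# the per-user Shell value should be absent or plain explorer.exe
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -notmatch '^\s*explorer\.exe\s*$') {
    $findings += "Non-default per-user Shell value: '$shell'"
}

# Step 8: the Fade and Leep keys
foreach ($k in 'Fade', 'Leep') {
    if (Test-Path "HKCU:\Software\Microsoft\$k") {
        $findings += "Registry key present: HKCU\Software\Microsoft\$k"
    }
}

# Step 9: a GTA5.exe inside the x64 subfolder (the real game executable is one level up)
$gtaX64 = 'C:\Program Files (x86)\Steam\steamapps\common\Grand Theft Auto V\x64\GTA5.exe'
if (Test-Path $gtaX64) { $findings += "Unexpected executable: $gtaX64" }

if ($findings.Count -eq 0) { 'No indicators from this thread found.' } else { $findings }
```

A clean result does not prove you were not affected, for the reason the post gives: the files may already have been removed.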
Thank you so much. I always delete my Temp folder, because when I surf the internet the Temp folder gets bigger, and when I shut down my computer I delete the Temp folder first.
I used the Angry Planes mod for 5 minutes and deleted it (1 week ago, and the Temp folder was deleted 1 week ago), and now I see this thread and checked again; there is no Fade or anything, just some Google Chrome things.
But when I looked in regedit.exe > Software > Microsoft I found a Fade folder. There were a few registry keys in there and I deleted them.
Now I will format my PC, but I want to ask something.
I have an SSD (Windows + GTA V on the SSD) and a 1 TB Seagate hard disk + a 500 GB Samsung hard disk in my PC.
My family pictures, movies, music... are there. Are they safe? Should I do something to my hard disks? Or do I just format Local Disk C?
The initial code executed acts as a loader for another standard trojan (one of the many RAT trojans available out there).
The trojan that becomes resident in the system and appears as the csc.exe process is quite interesting.
It's very basic, but loads several modules that add capabilities to it. These modules can consist of pre-compiled DLLs or Visual C# and C# code which it will compile using the installed .NET Framework on the system.
The loader is highly obfuscated using Redgate SmartAssembly. The modules rolled out with the loader are included as an encrypted resource blob in the loader. Because of this, analyzing the compiled executable is very difficult. The easiest way to actually analyze the activity is to load the virus/malware into a virtual machine and capture memory dumps of the running process. This way you get most of the decoded DLLs/code which remain resident in memory.
I can confirm what the OP said about logging and also confirm that I located the encryption key. However, I did not spend the time to determine the procedures to decrypt the log file, as most of the contents were also unencrypted in memory.
My first clue that something was going wrong, and the first memory dump I got of the process in action was when the administrator of the trojan sent a command to start UDP flooding an IP in Denmark at around 10AM EST on May 11th.
According to the log, shortly before this UDP Flood module was activated, he also activated a Twitch chat flooding module.
The target of these attacks was:
https://www.twitch.tv...thedanishviking
77.68.209.7
Further investigation revealed the following modules active:
Facebook spam/credential stealing module
Twitch spam/credential stealing module
Messenger.com spam/credential stealing module
A Steam spamming module
A Steam module that evaluates the items in your inventory and their value based on current market value
A keylogger module that logs individual button presses in an XML-like format; it also includes information about context switches (switching from one application window to another)
A UDP flooding module
There were others I hadn't deciphered and didn't see in action.
All of the spam/credential stealing modules above will attempt to rip your session cookies for each of the above sites from IE/Chrome/Firefox and use the credentials to do their thing.
It stores all this information in a Session#.bin file as described above and ships it to the RAT admin's server.
Now, here's the juiciest and most useful bit.
The C&C server is apcrypt.duckdns.org, which resolves to 45.58.121.105. It's a cheap Windows VPS with a company called https://www.cloudieweb.com/ which is utilizing a dedicated server rented from Choop*****m.
This server is running Remote Desktop on 3389 as well as a webserver, which I believe is acting as an endpoint/C&C server for the RAT. The RAT uses SSL to communicate with this server, so I was unable to spy on any of that activity in any meaningful way in the time I had available.
Maybe this will help you; I am short on time. If you read this and still don't know what to do, I'll try helping you in about 1 hour.
Last edited by Necktof87; 05-15-2015 at 08:00 AM.
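As an added example that is not part of the post above, this PowerShell check looks for local traces of the C&C named in the analysis. The domain and IP come from the post; since the name is on a dynamic DNS service, the IP may no longer match, and the DNS/TCP cmdlets assume Windows 8 / Server 2012 or later.

```powershell
# Added check (not from the post above): local network indicators for the C&C
# named in the analysis. Because the RAT talks SSL, content inspection is not
# an option; this relies on the domain and IP the post identified.
$c2Host = 'apcrypt.duckdns.org'
$c2Ip   = '45.58.121.105'   # from the post; a duckdns name can be re-pointed at any time
$hits = @()

# Cached DNS answers: a resolved entry means something on this machine looked the name up
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
    $_.Entry -like "*$c2Host*" -or $_.Data -eq $c2Ip
} | ForEach-Object { $hits += "DNS cache: $($_.Entry) -> $($_.Data)" }

# Live TCP connections to the C&C address, with the owning process
Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object {
    $_.RemoteAddress -eq $c2Ip
} | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $hits += "TCP $($_.State) to $($_.RemoteAddress):$($_.RemotePort) " +
             "from PID $($_.OwningProcess) ($($proc.ProcessName))"
}

# Mitigation while cleaning up: pin the C&C name to localhost in the hosts file
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hostsFile -Pattern ([regex]::Escape($c2Host)) -Quiet)) {
    $hits += "Not blocked in hosts file; as admin run: Add-Content '$hostsFile' '127.0.0.1 $c2Host'"
}

if ($hits.Count -eq 0) { 'No network indicators from this thread found.' } else { $hits }
```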
My English is not good so I can't understand it exactly, but thanks; I'm going through it with a translator, sentence by sentence.
I just want to ask this: should I format my hard disks? (Not the one Windows is installed on, just my music and personal files.)
I got virus protection that got rid of it; sucks for you lot. Malwarebytes/Advanced SystemCare 8.1. I'd recommend it, guys.
Thank you, I formatted my PC and installed drivers. Everything is okay.
Can I use the online scripthook and endevour menu for GTA V? Is it safe?
I mean, Angry Planes had the Fade.exe virus; does endevour menu have anything like that?
DAMN...
Thank you dude