PC gamers often look forward to modding their games, as mods give games a new and fun feel. However, installing mods is only fun as long as it does not install malware on your PC, as some Grand Theft Auto V users are finding out the hard way.
aboutseven, a user on the GTAForums, was the first to flag the issue of GTA V mods installing malware on your PC. The user noticed a C# compiler running in the background of their PC. Further investigation traced it to a file, "Fade.exe." The user also noticed that the compiler was accessing the Internet.
"That was the first red flag, as why would a compiler be accessing the Internet? (Again ignorant on this subject, maybe compilers do connect to the Internet for specific reasons that I do not know of). Second, not only was the normal system file of the .exe in the path url, but also an .exe located in my Temp folder called Fade.exe. I went to the location of this, and found the .exe with another folder called Data. Within that folder was another called Logs, and then two folders with recent dates, and within those were files called Session1.bin, Session2.bin, and so on," revealed aboutseven in the GTAForums.
Apparently, the entire thing was a keylogger. The user revealed that mods such as Noclip and/or Angry Planes were responsible for the malware infection.
Some of the other popular mods for GTA V that were doing the rounds include the Ped Riot (Chaos Mode) mod, Atlantis mod, the Native Trainer mod, Script Hook V, The Vehicle Canon and Ragdoll on Demand mod.
Several sites that hosted the mods have now pulled them down. Users are advised to change all their passwords.
To check if your PC is infected and to remove the virus, the following steps are suggested by aboutseven:
1. Press Ctrl+Shift+Esc and navigate to Processes. Next, end the csc.exe process.
2. Go to the Temp folder "C:\Users\*YOUR USER NAME*\AppData\Local\Temp"
3. Sort the files by the date they were added. Look for .z and init.exe and delete them. If you don't find .z, look for .x, as some reports suggest it may have a different name.
4. People have also reported the existence of an unnamed .zip or .rar file that does not open. It looks like this: https://i.imgur.com/5an5ARa.png. If found, delete it.
5. Look for a folder (recently made) that is something like this https://i.imgur.com/knF3dAB.png. It will contain the Fade.exe — delete this folder.
6. In the Start menu search, type regedit, or launch regedit.exe using Run.
7. Look for the path Computer\HKEY_USERS. Expand this folder (see the screenshot at https://i.imgur.com/bBtk8HM.png for the path under HKEY_USERS). You will see strings of characters (they will be different on each PC); choose the one without "Classes" at the end. Look for the "Shell" key and remove it.
8. Go to the registry and navigate to "HKEY_CURRENT_USER\Software\Microsoft
Look for Leep and Fade. Delete the two.
9. Go to "C:\Program Files (x86)\Steam\steamapps\common\Grand Theft Auto V\x64" and delete GTA5.exe if it exists inside the GTAV directory.
10. Erase the mods completely from GTA V and don't re-add them.
11. Restart the PC to ensure that any trace of Fade.exe is no longer there.
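
The checks in steps 1 to 8 can be run as a read-only PowerShell triage before anything is deleted. This is an added example, not part of aboutseven's post or the original article; the function names are hypothetical, and because the registry path in step 8 is cut off on this page, the script searches everything below HKCU:\Software\Microsoft for entries named Leep or Fade.

```powershell
# Read-only triage for the indicators named in the steps above; nothing is deleted.
# Assumption: indicator names (csc.exe, Fade.exe, init.exe, .z/.x, Session*.bin,
# Leep, Fade) come from the article; function names are this example's own.

function Find-CompilerProcess {
    # Step 1: a C# compiler (csc.exe) running while you are not compiling anything
    Get-Process -Name csc -ErrorAction SilentlyContinue |
        Select-Object Id, Path, StartTime
}

function Find-TempIndicators {
    param([string]$TempPath = $env:TEMP)
    # Steps 2-5: files named in the steps, plus the Session*.bin logs from the quote
    Get-ChildItem -LiteralPath $TempPath -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Name -in @('Fade.exe', 'init.exe')) -or
            ($_.Extension -in @('.z', '.x')) -or
            ($_.Name -like 'Session*.bin')
        } |
        Sort-Object CreationTime -Descending |
        Select-Object FullName, CreationTime, Length
}

function Find-RegistryIndicators {
    param([string]$Root = 'HKCU:\Software\Microsoft')
    # Step 8: match subkeys or values named Leep or Fade anywhere below $Root
    $names = @('Leep', 'Fade')
    Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            if ($key.PSChildName -in $names) {
                [pscustomobject]@{ Key = $key.Name; Value = '(key)' }
            }
            foreach ($valueName in $key.GetValueNames()) {
                if ($valueName -in $names) {
                    [pscustomobject]@{ Key = $key.Name; Value = $valueName }
                }
            }
        }
}

$report = [ordered]@{
    'csc.exe processes' = @(Find-CompilerProcess)
    'Temp folder files' = @(Find-TempIndicators)
    'Registry entries'  = @(Find-RegistryIndicators)
}
foreach ($section in $report.GetEnumerator()) {
    '{0}: {1} hit(s)' -f $section.Key, $section.Value.Count
    $section.Value | Format-List
}
```

A csc.exe hit on its own is not proof of infection, since legitimate .NET tools also start the compiler; treat it as significant when it appears together with the Temp folder or registry hits.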