Can't get rid of this virus

Hello.

I think the topic name explains it all. I’ve got a virus and I can’t get rid of it… I’ve tried removing models, reverting to an older version, using special plugins, uninstalling plugins, but no success at all!

This virus is extremely annoying - when it launches, it starts reloading all parts of my game and moving them to random places until all parts of the game are centered, rendering the game unplayable.

However, these malicious scripts appear in the output; unfortunately, I cannot track down the origin of these scripts.

Output:

4 Likes

Disable the most suspicious scripts that you find, and if that solves your problem, start undisabling the disabled scripts until the error occurs again.

The problem is that these virus scripts are hidden! They cannot be found either in explorer or in Script Searcher (CTRL + SHIFT + F).

2 Likes

What plugins do you have currently? Have you inserted free models?

1 Like

This is likely hidden inside another script. Check all of your scripts for anything unusual such as require(numbers). Some plugins are also malicious and have the same title, description and icon as the original. Check the like/dislike ratio and number of favourites of all of your plugins to see if anything is unusual.

1 Like
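One way to run the require(numbers) check from the post above over every script at once, as an added example that is not part of any post in this thread. The function names and the two sample sources are assumptions made for illustration; it flags only numeric-literal arguments, so every hit still needs a manual look.

```lua
-- Added example: flag require() calls whose argument is a numeric literal.
-- Returns a list of {line = n, id = number} for one script's source text.
local function findNumericRequires(source)
    local hits, lineNo = {}, 0
    for line in (source .. "\n"):gmatch("(.-)\r?\n") do
        lineNo = lineNo + 1
        -- Capture whatever sits between "require(" and the first ")"
        for arg in line:gmatch("require%s*%(%s*([^%)]-)%s*%)") do
            local id = tonumber(arg) -- a number for 123 or 0x7B, nil for script.Module
            if id then
                table.insert(hits, { line = lineNo, id = id })
            end
        end
    end
    return hits
end

-- Print one line per hit: full instance path, line number, numeric argument.
local function report(name, source)
    for _, hit in ipairs(findNumericRequires(source)) do
        print(("%s:%d require(%s)"):format(name, hit.line, tostring(hit.id)))
    end
end

if game then
    -- Inside Studio (command bar): scan every Script, LocalScript and ModuleScript.
    for _, inst in ipairs(game:GetDescendants()) do
        pcall(function() -- some instances refuse property access; skip those
            if inst:IsA("LuaSourceContainer") then
                report(inst:GetFullName(), inst.Source)
            end
        end)
    end
else
    -- Outside Studio: constructed sample sources, not taken from the thread.
    report("Sample.Weld", 'local m = script.Parent.Settings\nrequire( 0x7B )\n')
    report("Sample.Clean", 'local cfg = require(script.Parent.Config)\n')
end
```

The full path printed for each hit shows which model the script sits in, which narrows down the model-by-model removal described later in the thread.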

I’ve already done a full search of my game, so I suspect that a plugin has infected my game, but I cannot find any script that causes this virus.

Try disabling one plugin at a time to see if it fixes the issue.

Have you checked for a plugin or disabled each one?

Here’s what I’ve done (in a row):

* Removed all the plugins and installed anti-virus plugins (plugins which have been recommended on the DevForum to help find backdoors).
* Searched for all suspicious strings using CTRL + SHIFT + F.
* Removed models to see if that virus comes from a model.

I will keep removing model-by-model to see if it finally resolves. If not, well, then my only choice would be moving the game to a different place.

The anti-virus could also contain dangerous material. I would recommend finding one posted on the DevForum by someone who is trusted. You could also insert a script into ServerScriptService with this code:

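-- Log every instance added anywhere in the game, with its class and parent
game.DescendantAdded:Connect(function(new)
    -- ClassName names the object type; type(new) would only print "userdata"
    print(new.Name, new.ClassName, "-", new.Parent)
end)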

This should print out any new scripts or objects added to your game so you can locate the source of the malicious code.

(The ‘ may not work because for some reason it doesn’t work in studio, you will just have to replace them.)

1 Like

Good idea, if I would be able to track the source of that code then I’d be able to remove it. I will give it a try.

Just made an edit so it prints out the new objects name.

A friend of mine was having the same issue due to a plugin that ran a rogue Heartbeat thread which cloned in a new element when one was deleted. I whipped this up and it seemed to work. Paste this into the command bar.

game:GetService("RunService").Heartbeat:Connect(function(step)
	for i, v in pairs(game.Workspace:GetChildren()) do -- Which service it's going to
		for k, q in pairs(v:GetChildren()) do -- You could add a check where it determines that its parent is a model
			if q.ClassName == "RotateP" then -- ClassName of the virus. Don't rely on names. Names can change.
				q:Destroy() -- Remove if meets condition
			end
		end
	end
end)

Side-note: Make sure to customize this to your needs. I’ve left comments in to help you. Should put you in the right direction.

Hope this helps!

There are settings to enable hidden objects in the Explorer panel. Make sure you try disabling all of your plugins as well, to make sure they aren’t injecting it when you play solo etc.

Once you find the cause of the virus, make sure to post here. Sometimes there are improvements we can make to make them easier to find, for example making certain objects start showing up in the Explorer UI. We did this with some obscure weld/motor types a while ago (RotateP etc) that revealed many of these virus scripts.

Update (November 2021): Plugins need your permission to inject scripts now. There is also no way to hide scripts from the explorer, so this setting is unnecessary.

A quick way to find all scripts in your game is to type script into the search bar in the explorer panel, like this. This should help quickly find a virus script should your game have one in it. I’d also suggest reviewing every model you insert from the Toolbox to check for any scripts that don’t belong there.
image

9 Likes

If I’m correct, that image of the LoadLibrary is from the admin script called “Kohl’s Admin.” Many parts of the modules are deprecated because of LoadLibrary.

1 Like

Go ahead and try making a new place, and copy ONLY all the models/parts you have.

Then see if the same thing happens. If it does, it’s probably in one of your models; if not, then go ahead and keep moving everything to the second place and see if the virus comes up. Once again, if it doesn’t, then you’re good and you can use the second place as the new clean version.

1 Like

I finally got rid of this virus by removing every single free-model from my game. Due to this I’ve lost approx. 30% of progress to this virus.

I’m starting to not trust freemodels anymore because of this incident, from now I’d rather spend those 30 minutes creating a model by myself rather than taking a ready one which is most likely infected.

Welp, at least I’m glad I don’t have to start over the development of the game.

Sad to see that many exploiters are uploading freemodels as an advantage to ruin other people’s creations.

8 Likes

Why do you want to delete CoreGui? It doesn’t make sense to me.

I’ve never seen it in the gui before.

Then this Ninja gui suddenly showed up so I thought it was that?

Is that gui actually important and I’m trying to delete the wrong one? @ _ @

You are attempting to delete a service. CoreGui is very important, so I’d recommend not touching it.
Try seeing what’s in StarterGui.

1 Like