Rosync virus is attacking my game!

Plugin, look for any unknown plugins you may have installed.

1 Like

I’m sorry to hear that!

In studio, do Ctrl + Shift + F and a little popup will appear like this:


type in these terms one at a time:

require
getfenv
fenv
loader

look through all the scripts that pop up.

if nothing is sus, then please take a look at @flarezhu’s post (link below):

let me know if this helps!

5 Likes

It is 100% a virus.

It could be a plugin or a script, but a lot of scripts in these virus models have getfenv() in them and basically try to lag your game with a bunch of useless lines with getfenv() in them.

Like, a lot of these getfenv() scripts come in TestService or ServerScriptService. (it is a plugin then)
But what is hidden in these getfenv() scripts? They actually added a line that basically requires something. Here’s an example: require(34238904329042). If you see one of these scripts, just delete it. Another thing is just searching in the explorer for any useless scripts that you did not add.

Just delete the virus plugin if you find virus scripts in serverscriptservice, or other.

(and if you find anything with loader, delete it too.)

1 Like

Thanks for all your advice. I installed another plugin named “Venom”, which is mentioned in another devforum post on how to clean games from this kind of thing… I quarantined all the scripts and deleted the ones I didn’t need, but it seems that during the game a module script appears in ServerScriptService. It is called “MainModule”. Do you think it is from Roblox or is it still this virus?

Run a plugin scan with GameGuard and show me the results.

How do I know it’s safe? A lot of those “anti-viruses” are viruses.

By looking at how big the community is, how many likes on the devforum it has, and maybe even looking at that source. :smiley:

Ok I am gonna install it today !

1 Like

But is it normal your plugin has -1 dislikes ? LOL

The virus may come from a Plugin. Uninstall some Plugins

Then you can use the Plugin I made for finding any Scripts in your game.

After installation find Massive Find option in your Plugins, click on it and in the Type window type Script. Note: the Plugin only checks the Workspace!

THANK YOU SO MUCH @Dan_PanMan, you really saved me with your plugin, I deleted all the “getfenv()” script and all of those virus from my game ! Again, thank you !

3 Likes

I just saw that my post got marked as a solution- are you able to tell me exactly which plugin was causing the problem? (So that I and others can avoid it in the future)

it’s a plugin called roblox plus that you installed in roblox studio that creates a backdoor for exploiters
EDIT: that happened to me and delete the bot and you have to delete that script in all the scripts you have in the game

Not only that, other plugins also use this, because I don’t even know what roblox plus is.

1 Like

It was named model scopes by woot3.

1 Like

Rosync is a backdoor used to give exploiters a way to exploit on the server side, by giving them the ability to run stuff under server code. Rosync also likely has a list of all backdoored games on a Discord or something for exploiters to find backdoored games to cheat into. If you have a plugin named “Virus Destroyer”, I suggest you remove it ASAP and look over every single plugin you own. Look at the like ratio, comments, and the creator. Be careful!

Well, by one don’t get any “Anti-Virus”. Unless you’re adding free models or something to your game, you shouldn’t get it or need it.

Me and my partner have removed all our plugins and this line of the script keeps showing back up.

1 Like

RoSync is a backdoor virus that comes from a plugin. For example: if you are in Team Create with friends and they create a script and RoSync appears outta nowhere, that would mean that one of your devs has a fake/suspicious plugin or a plugin that has a backdoor. If you want to get rid of it, you would have to tell your friends to uninstall each plugin, and make sure it’s made by the original owner and not made by a new user or by an alt/group.

You could either remove the virus or it’s hiding itself by deleting itself when RunService returns true from the function :IsStudio().

getfenv() returns a table of the functions and variables in the current environment. This can be used to easily attempt to hide a function.

In this case, it indexes string.reverse("\101\114\105\117\113\101\114"). If you look at what this ASCII code corresponds to, it is “eriuqer”, which when put through the reverse function gives you “require”.

The script uses getfenv() and escaped ASCII codes to hide the require index in the table that is returned. It calls the require function with the asset id. Upon further inspection this is a quote-unquote “require chain”, which basically hooks up module scripts in a chain to require each other in an attempt to hide the final script in the chain.

The script uses require to get a chain of module scripts, which will eventually lead to a server-sided backdoor.
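
Added example, not part of the thread or of any plugin mentioned in it: a Python scanner for script source text copied out of Studio that applies the search terms suggested above and also decodes decimal escapes and reversed strings, so a hidden require is reported even though the word never appears in the file. The samples are constructed, the asset id is the example number quoted earlier in the thread, and the function names are this example's own.

```python
import re

# Search terms suggested in the thread.
TERMS = ("require", "getfenv", "fenv", "loader")
ESCAPE = re.compile(r"\\(\d{1,3})")             # Lua decimal escape such as \101
STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')      # double-quoted Lua string literal
ASSET_CALL = re.compile(r"\(\s*(\d{6,})\s*\)")  # call whose only argument is a long number

# Constructed samples; the first is modelled on the line described in the thread.
SAMPLE_INFECTED = r'''
getfenv()[string.reverse("\101\114\105\117\113\101\114")](34238904329042)
'''
SAMPLE_CLEAN = r'''
local Players = game:GetService("Players")
print("hello")
'''


def decode_escapes(literal):
    """Replace Lua decimal escapes with the characters they encode."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1))), literal)


def scan_source(source):
    """Return sorted findings for one script's source text."""
    findings = {"plain:" + t for t in TERMS if t in source.lower()}
    for literal in STRING.findall(source):
        decoded = decode_escapes(literal).lower()
        # A term that only appears after decoding (or reversing) was hidden on purpose.
        for candidate in (decoded, decoded[::-1]):
            findings.update("hidden:" + t for t in TERMS
                            if t in candidate and t not in literal.lower())
    findings.update("asset-call:" + n for n in ASSET_CALL.findall(source))
    return sorted(findings)


def scan_scripts(scripts):
    """Map script name -> findings, keeping only scripts with at least one finding."""
    results = {name: scan_source(src) for name, src in scripts.items()}
    return {name: hits for name, hits in results.items() if hits}


if __name__ == "__main__":
    for name, hits in scan_scripts({"ServerScriptService.Script": SAMPLE_INFECTED,
                                    "StarterGui.Hello": SAMPLE_CLEAN}).items():
        print(name, hits)
```

A `plain:require` hit on its own is common in legitimate scripts; the `hidden:` and `asset-call:` findings are the ones that match the obfuscation described in this thread.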