Check the creator of any plugins or models you have in the game
If it’s by someone with like “TopRobloxPlugins” or similar then it’s a malicious plugin
1 Like
Usually, they come from plugins. You should always install plugins from trusted creators, and check who created it, like I said, if it’s from a fishy name like “RobloxCreator” or “RobloxPluginCreator”, the malicious plguin probably came from them
1 Like
It is possible that it can steal your game ASSETS or LOCAL & MODULE scripts, but not the server scripts (I guess)
what if i have 1800 scripts 
4 Likes
Yikessssss
Plugins can edit code, maybe try making a plugin script that would get rid of the line?
I have no experience with editing code like this, but I think it could be possible
Are those backdoors can delete the scripts in-game?
Since some of my scripts are in ServerScriptService and ReplicatedStorage
This is an advanced virus.
Basically that RoSync thing is a much more complicated require(ID) script, which loads something.
And you see it is likely put deep into that fake “Anti-Virus” Script to be undetected and won’t be found by searching for require API’s.
That Ant-Virus is a load script, that loads a script, that loads a script, that loads a script, that basicallty continues for a very long time till it loads a disguised backdoor that seems like a server-sided exploit.
Entering this also put those weird texts in other scripts I believe.
Anyways, with BTRoblox’s handy-dandy source viewer, I’ve determined that the person made alt accounts and used a special botting mechanism to make tons of loader scripts spawn in from that single loader script, most being called “Asset” to look normal, up until the backdoor.
2 Likes
Lol I would spam the hell out of his Webhook.
6 Likes
OMG This rabbit hole goes deep!
I sorted through them, I’ve found over 50 so far and all of their linking accounts.
Some of the accounts are banned, some are not, all look very suspicious.
Sadly, some of these link back to very old accounts too.
I’ve done so much work chasing down these accounts and where they go.
I really hope there’s a way to get someone at Roblox to help do something about this.
3 Likes
After finding this in my game which highly ticked me off, I decided to do some looking into it.
That plugin:
https://www.roblox.com/library/5722705373/Light-Editor-Updated
Comes from this group:
https://www.roblox.com/groups/7840914/Creator-Studi#!/about
By gregg3 who has apparently been deleted, but did not necessarily use that account to upload the real plugin
(I actually doubt they did).
It loads this plugin:
https://www.roblox.com/library/5722703997/MeshLoader
Which is uploaded by this alt
https://www.roblox.com/users/1888346787/profile/
Which loads this plugin:
https://www.roblox.com/library/5700633205/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719844019/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633462/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633735/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633977/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634215/Asset
Which loads this plugin:
https://www.roblox.com/library/5700633230/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719845707/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633488/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633762/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634001/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634242/Asset
Which loads this plugin:
https://www.roblox.com/library/5700633265/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719847055/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633515/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633787/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634024/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634267/Asset
Which loads this plugin:
https://www.roblox.com/library/5700633289/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719848182/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633544/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633811/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634047/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634293/Asset
Which loads this plugin:
https://www.roblox.com/library/5700633311/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719849465/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633582/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633839/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634077/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634318/Asset
Which loads this plugin:
https://www.roblox.com/library/5700633330/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719850548/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633608/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633865/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634102/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634338/Asset
Which loads this plugin:
https://www.roblox.com/library/5700633362/Asset
Which is uploaded by this alt
https://www.roblox.com/users/1719851574/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633362/Asset
… So this keeps going but I’m tired and need some sleep. Any help locating the source of this, and all the linked accounts so they can be turned in, would be greatly appreciated!
13 Likes
Okay, I finished my search.
If you ask me, ALL of these plugins need to be removed and all of these accounts should be banned.
As well as I think this thief needs to be IP/HWID banned.
So continuing my first list…
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin:
Which is uploaded by this alt
https://www.roblox.com/users/1719852440/profile/
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin:
Which is uploaded by this alt
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin: (by the same alt)
Which loads this plugin:
Which is uploaded by this alt
https://www.roblox.com/users/1719856666/profile/
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633711/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700633958/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634194/Asset
Which loads this plugin: (by the same alt)
https://www.roblox.com/library/5700634436/Asset
Which loads this plugin: (Looks like source!)
Which looks like it is the real source of the backdoor…
It is using a very obfuscated plugin.
Which is uploaded by this alt (More recent activity)
https://www.roblox.com/users/1722897238/profile/
(More recent activity and older alt account)
27 Likes
The dedication you have by doing all this research to discover how all this thing works is impressive. REAL impressive! Thumbs up from me for doing all of this extensive investigation! 
6 Likes
Hey, you guys can use this script I made, I know its not efficient but it does the work (sometimes).
(this code was made in a rush)
for i,v in pairs(game:GetDescendants()) do
pcall(function()
if v:IsA("Script") then
if string.find(v.Source, "RoSync Loader") then
local code = ""
local splitted = string.split(v.Source, "\n")
for lineNum, line in pairs(splitted) do
if not string.find(line, "Last synced") then
code = code.."\n"..line
end
end
v.Source = code
end
end
end)
end
basically, what it does is that:
- go through all scripts and find a “RoSync Loader”.
- if it finds the string in the script source, it would
- run through all the lines in the script and find “Last synced” (or just "RoSync Loader could work too)
- if it finds that string in that specific line, it will not include the line, otherwise then the line would be included.
- then after all the lines has been searched and rewritten, it’ll change the source of the script.
for those who wishes to correct my code, please go ahead. make it efficient.
11 Likes
Here’s my version of a RoSync remover. To use this save it into the local plugins folder.
local button = plugin:CreateToolbar("oreoollie"):CreateButton("rm rosync", "Removes RoSync virus.", "rbxassetid://4826065214")
button.Click:Connect(function()
game:GetService("ChangeHistoryService"):SetWaypoint("remove RoSync")
button:SetActive(false)
local totalFixed = 0
for _, v in ipairs(game:GetDescendants()) do
local s, e = pcall(game.IsA, v, "BaseScript")
if not (s and e) then continue end
local occurrences
v.Source, occurrences = string.gsub(v.Source, "%s%-%-%[%[ Last synced.+", "")
totalFixed += math.clamp(occurrences, 0, 1)
end
warn("Fixed", totalFixed, "RoSync infected scripts")
end)
RoSyncRemover.lua (642 Bytes)
10 Likes
Heres another rosync remover that you can just run in command barRosyncremover.txt (683 Bytes)
1 Like
yeah it’s just a virus and it can just be from plugins or models, I had that on my game and I was confused on what it was.
I also get that script with the Intro Creator plugin
1 Like
it gives you a message saying to turn on http requests so it can teleport you and stuff
1 Like
I made that, its an older version of the script i posted hahaha
All of these malicious scripts come from scam plugins.
If it keeps inserting “getfenv()” or some other suspicious thing into your game, then it can’t be anything but a plugin doing that. All you have to do is to find that plugin and get rid of it. Then make sure that the suspicious line of code doesn’t get inserted anymore. Finally, use the Find tool in script editor to search through all your scripts for that malicious line of code and make sure there are no such left.
Simply put: stop installing stupid random scam plugins with [NEW] [UPDATED] tags and everything is going to be okay.