Garry's Mod

Seraphim May 2, 2015 @ 8:00pm
AVAST! Detected malicious content within Gmod Server Downloads
I am unaware of which server I joined that seeded these files into my gmod folder, but my AVAST! Anti-virus has recently found three Trojans in server files that were downloaded by connecting to a Garry's Mod server. I haven't invested much time investigating exactly what the issue was or who was distributing the malicious content, but here are the file paths and numerical .gma file codes that were labeled as infected:


>>> C:\Program Files (x86)\Steam\SteamApps\common\GarrysMod\garrysmod\downloads\server\263159708.gma
Threat Level: HIGH - JS:ScriptDC-inf [Trj]

>>> C:\Program Files (x86)\Steam\SteamApps\common\GarrysMod\garrysmod\downloads\server\267390105.gma
Threat Level: HIGH - JS:ScriptDC-inf [Trj]

>>> C:\Program Files (x86)\Steam\SteamApps\common\GarrysMod\garrysmod\downloads\server\272281226.gma
Threat Level: HIGH - JS:ScriptDC-inf [Trj]


I'm not sure if this is what anyone needs or if this will be of any use to somebody, but I thought it would be better safe than sorry to post my findings. I understand the possibility that this was just a classical case of an anti-virus registering weird things as threats, but just in case I was hoping somebody with more technical expertise could look further into the matter. I'm a little too busy at this very moment to track this stuff down myself, nor do I really have the know-how to really understand how to proceed with this situation.

If there's any more information that I can give that might be of use to any developers or server-goers looking to solve this problem or put a red flag on it, I would be happy to assist.

Again, could be a false alarm - so if anybody who knows more about this than I do can step up to the plate and take over, I think on behalf of the community it's safe to say that we would all appreciate it.

Thank you for your time, reader. Be mindful of what Garry's Mod servers you join (apparently.)

-Seraphim
Showing 1-12 of 12 comments
Baked (Banned) May 2, 2015 @ 8:50pm 
Most likely isn't a false alarm. .gma files on Gmod are typical to contain high-powered Trojans and malware-related technology, as it can disguise itself as another 12MB addon on a random DarkRP server.
MrEWhite May 2, 2015 @ 8:58pm 
Originally posted by Doge:
Most likely isn't a false alarm. .gma files on Gmod are typical to contain high-powered Trojans and malware-related technology, as it can disguise itself as another 12MB addon on a random DarkRP server.
nice troll m8
SotaPerna May 3, 2015 @ 5:26pm 
I've never played public in Gmod, I only use it for personal playing. Though the thing seems to be that JS:ScriptDC-inf [Trj] seems to have been a fairly common problem with the game for the last few weeks, sadly. But what's interesting is that my Avast detected the said threat in the addon I had used for a long time by then and it hadn't shown as a threat before...
skyking (Banned) May 3, 2015 @ 6:33pm 
There's a lot of malware in the workshop and in servers at this point. I'd recommend you stick with trusted servers for now, as Valve and Facepunch have a lot of cleaning up to do on here.
Whiterabbit May 3, 2015 @ 7:08pm 
Hi, for once these aren't false positives. The addons you posted all contain code that would allow the owner to execute any code on your server. If you are only playing single player you have nothing to worry about. If you are hosting a server with these addons then you can be exploited. Discussion: http://facepunch.com/showthread.php?t=1463699&p=47654387#post47654387
Whiterabbit May 3, 2015 @ 7:09pm 
"But what's interesting is that my Avast detected the said threat in the addon I had used for a long time by then and it hadn't shown as a threat before..."

The code has been in the addons since at least August 2014 and AVs are only just getting around to including it in their definitions.
SotaPerna May 4, 2015 @ 5:18am 
That one addon I got flagged was one called "gmod player model pack 7", which I could no longer find on the workshop.

"The addons you posted all contain code that would allow the owner to execute any code on your server. If you are only playing single player you have nothing to worry about."

So these threats are the kind which only affect the game servers but not the computer in general?

EDIT: also, when visiting facepunch thread linked above, Avast showed JS:ScriptDC-inf [Trj] threat on it... but not on facepunch.com in general.
It seems that the thread included some gzip which Avast took as a threat
Last edited by SotaPerna; May 8, 2015 @ 6:18am
Dio May 8, 2015 @ 5:58am 
I got this too, it's not only you. I just installed Avast yesterday, did a big scan today, and Tadumm.... You have to be happy you got 3, because I got 4 of those things.
+MaKeman[FIN] Exactly the same. This will become an ACTIVE thread, I think.
Dio May 8, 2015 @ 6:03am 
Microsoft detects this as: Trojan:HTML/Redirector.CF
It's a redirector link, a smart guy told me on the Avast Forums *-*
OldTimer Nov 4, 2017 @ 2:08am 
I believe this thread, it has happened to me too many times and it's all because I installed gmod addons.

First time I got this virus was around June 2017, my computer got slow, my BIOS settings were changed and my HDD was always 100% used. I had to reinstall Windows, which was hard to do because of my virus-infected PC.

After that I only played CSGO and My Summer Car (which got lower fps after the virus) on my PC. A month later, I downloaded gmod again and after running it, it ♥♥♥♥♥♥ my PC again! So I did another reinstall of Windows. By this time I got suspicious.

Another month passed with 0 problems and I decided to download gmod once more, I unsubscribed from all my addons first, and my PC was fine! I installed most of my previous addons (cars, maps, vehicles, tools etc.) and the virus got my PC again!!

The Steam workshop for gmod is what I wouldn't call safe anymore, and moderators could not possibly check the millions of addons from 2008-2017, so for now I suggest keeping away from the gmod workshop and playing with what you have.
Dio Nov 4, 2017 @ 1:47pm 
Firstable, thank you for bumping this thread from 2015. Secondable, this hasn't happened to me anymore since I don't join that server anymore. It was probably one of the addons the server had, or an infected website on its loading screen.

Date Posted: May 2, 2015 @ 8:00pm
Posts: 12