Unity True Facials [v0.5 Pro] [HenryTaiwan]

4.00 star(s) 43 Votes

Blacktearss

Newbie
Feb 18, 2020
38
32
Has anyone had problems regarding the virus that this game brings? I remember downloading it last year and having quite a few problems. They even took money from me through PayPal. I don't know if it was a coincidence or it really has a virus. I await comments.
 

poopybutt77

Newbie
Sep 24, 2020
20
70
DO NOT RUN THIS GAME

UNTIL THE DEVELOPER / OP CAN EXPLAIN THESE DETECTIONS, AND FILE OPERATIONS.
Both do the same, both have different anti virus results.


The virus one injects into C:\Program Files (x86)\Google1608_1329478733\bin\updater.exe

1719209202970.png


Does this really look like something this forum shouldn't look into?

Do I need to manually reverse-engineer this executable to prove the developer (OR ORIGINAL POSTER !! ! ) is doing something fishy?

1719209308668.png

Related parents, aka shared file hashes. Why is it affiliated with keygens, and random zips???

It establishes connections to multiple external IP addresses. These connections are potentially command-and-control (C2) servers, indicating the malware's attempt to communicate with an external source for instructions or data exfiltration.

Spawns new processes and services, indicating the execution of its payload and attempts to maintain control over the infected system.

It modifies registry entries in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run to ensure it runs every time the system starts.

Changes in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services to manipulate system services, often to disable security-related services or to create new malicious services.

Modifies the key HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE, potentially to affect browser behavior and user credential handling.

1719210244976.png 1719210301677.png

The malware creates numerous .tmp files in the user's temporary directory (AppData\Local\Temp). These files are likely used as intermediate stages in the malware's execution process.

The malware uses cmd.exe to execute batch files (.bat) located in the temporary directory. These batch files are used to execute the primary malicious payload.

The malware masquerades as the Google updater to blend in with legitimate processes. This is indicated by paths like C:\Program Files (x86)\Google\Update\.

By creating and executing multiple batch files, the malware ensures persistence and continuous execution, making it harder to remove.
 
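The artifacts listed in the post above (Run-key autostarts, new services, the FeatureControl key, a look-alike Google updater folder, .bat and .tmp drops in Temp) can all be checked on your own machine instead of argued from a sandbox screenshot. The following PowerShell is an added example written for this thread, not code from the game, its developer or any poster. It assumes PowerShell 5.1 or later in an elevated prompt; $GameDir is a placeholder path, and the "suspicious" patterns (Temp, AppData, a Google folder name followed by digits) are this example's own heuristics, not indicators taken from the post.

```powershell
# Added example (not from the thread): check a Windows machine for the artifacts
# listed in the post above. Assumptions: PowerShell 5.1 or later, elevated prompt;
# $GameDir is a placeholder you replace with the real game folder.
$GameDir = 'C:\Games\UnityTrueFacials'

# 1. SHA-256 of every executable and DLL in the game folder. Compare these against a
#    VirusTotal lookup done on another machine; this script never goes online.
Get-ChildItem -Path $GameDir -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path | Format-Table -AutoSize

# 2. Autostart (Run/RunOnce) entries in both hives. Commands that point at Temp,
#    AppData or a 'Google<digits>' folder are flagged for a closer look.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autostart = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Command    = $p.Value
            Suspicious = [bool]($p.Value -match 'Temp\\|AppData\\|Google\d')
        }
    }
}
$autostart | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# 3. Services whose binary runs from an unusual location. A genuine service binary
#    almost never lives in Temp or AppData.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'Temp\\|AppData\\|Google\d' } |
    Select-Object Name, State, StartMode, PathName | Format-List

# 4. The FeatureControl key named in the post. It exists on stock Windows with values
#    for explorer.exe and iexplore.exe, so its presence alone proves nothing; a value
#    that names the game's executable (or a dropped updater) would be worth noting.
$fc = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE'
if (Test-Path $fc) {
    (Get-ItemProperty -Path $fc).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        Select-Object Name, Value | Format-Table -AutoSize
}

# 5. Look-alike Google updater folders. The genuine updater lives under
#    'C:\Program Files (x86)\Google\Update'; a 'Google<digits>' folder does not belong
#    to it. Every updater.exe found is checked for a valid Authenticode signature.
Get-ChildItem -Path "${env:ProgramFiles(x86)}" -Directory -Filter 'Google*' |
    ForEach-Object { Get-ChildItem -Path $_.FullName -Recurse -Filter 'updater.exe' -ErrorAction SilentlyContinue } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Created   = $_.CreationTime
            SigStatus = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    } | Format-List

# 6. Batch and temp files written to the user's Temp folder in the last day. Read any
#    .bat you find before deleting it: its contents are the best evidence either way.
Get-ChildItem -Path $env:TEMP -Recurse -Include *.bat, *.cmd, *.tmp -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
```

Run it once before installing the game and once after the first launch; only the differences matter. An unsigned updater.exe under a digits-suffixed Google folder, or a Run entry pointing into Temp, is evidence a forum screenshot is not.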

JhonLui

Active Member
Jan 13, 2020
692
580
Nothing of the sort happens on my PC...
But since I'm no expert, I propose a simple and quick solution to double-check these findings:

Install Sandboxie and run the game in the sandbox, then check the sandbox file structure to see if anything of the above is actually there... or if it's just another "you are in danger! gimme your money" thing.
 

captainlurker

Newbie
Jun 7, 2018
32
13
DO NOT RUN THIS GAME

UNTIL THE DEVELOPER / OP CAN EXPLAIN THESE DETECTIONS, AND FILE OPERATIONS.
Oh shit, this sounds serious! Do you have any instructions to remove this thing from your PC?
 
Mar 17, 2019
487
582
people are fucking stupid here.... if only 2 or 3 engines on VirusTotal were positive for potentially dangerous malware, I would have said "yep, that's a false positive", but over fucking 20???
from that point on there is something seriously wrong with the "game"
I will avoid this shit as long as no one can prove to me 100% that they are all just false positives
 

badidea1010

New Member
Jul 5, 2018
1
1
DO NOT RUN THIS GAME

UNTIL THE DEVELOPER / OP CAN EXPLAIN THESE DETECTIONS, AND FILE OPERATIONS.
I want to ask: did you download the files from Patreon directly or from some guy on this forum? Can we confirm whether it was injected into the game by strangers or programmed into the game by the developer?
 

poopybutt77

Newbie
Sep 24, 2020
20
70
I want to ask: did you download the files from Patreon directly or from some guy on this forum? Can we confirm whether it was injected into the game by strangers or programmed into the game by the developer?
That's why I'm ALSO accusing the original poster, and the "source" of this build.

I'm using ONLY the files found here.

I cannot 100% accuse the DEV when we are using this middleman for releases.
 

poopybutt77

Newbie
Sep 24, 2020
20
70
Oh shit, this sounds serious! Do you have any instructions to remove this thing from your PC?
Do not rely on 'removing' viruses.

Just assume all your information is compromised.

Change your passwords, ON A DIFFERENT PC.

If using a password manager, do this one first.

Wipe Windows, using a bootable USB that was created from a DIFFERENT PC.

Malware can steal and upload all your local cookies and passwords in less than a second, and then continue with a keylogger for more information.

More complex rootkits can infect new Windows install USB drives as well.
 

rev_10

Member
Sep 16, 2022
267
438
DO NOT RUN THIS GAME

UNTIL THE DEVELOPER / OP CAN EXPLAIN THESE DETECTIONS, AND FILE OPERATIONS.
Dude, this is just stupid and nonsense. I don't even have the files that the game, which you blatantly claim is a virus, apparently generates. In fact, none of the TF files I have ever connect to the internet. Stop this paranoia please, this is 100% false positive stuff. And all of your "proof" is only based on what VirusTotal says, lmfao, but when you manually check any system, you will see that nothing of what is claimed there ever happens; again, merely a false positive. Chill out and quit acting so stupid, learn how computer programs work, ffs. There are no "spawned" services on my system, and each time I open the game it has 0% connection to the internet nor any sort of bandwidth usage.

The registry keys you posted, again, only based on what a website says and blindly trusting it (and without keeping in mind that it's just running a simulation of what a program may do), have zero changes on my system as well. In fact, I can upload them all if you want just so you realize how wrong you are and how just DUMB your "info" is.

A full Malwarebytes scan reports zero malware on my system. Not that it's needed, but you are really misleading people here.

 

gghhoosstt123

Member
Oct 9, 2022
108
74
DO NOT RUN THIS GAME

UNTIL THE DEVELOPER / OP CAN EXPLAIN THESE DETECTIONS, AND FILE OPERATIONS.
Forget about AV, I don't even have Windows Defender and I've had no issue so far with it lmao
 
Mar 26, 2022
335
651
Normally I would probably consider this a false positive, as the mods are stating, but this game spawned almost the same files as those in poopybutt77's post. One of the few differences was "chromeupdate.exe", which in my case was "operaupdate.exe". All files were blocked by antivirus, but I will still have to wipe my entire second PC.
 

rev_10

Member
Sep 16, 2022
267
438
Forget about AV, I don't even have Windows Defender and I've had no issue so far with it lmao
The .exe file does NOTHING of what this guy believes, only because a website simulates its "behavior". To begin with, the game has zero connection to the internet; you can check the reports in Task Manager, and you could also check the current connections on your computer with a CMD command:

Secondly, the game's .exe doesn't "spawn" any extra services lmao, the guy just posts that idiotic BS but provides no real info on that. I am always very aware of what runs on my computer, what services are running, background stuff, start-up programs and such; I keep my system tweaked and I ALWAYS know what is running and what shouldn't be running; I use stuff such as Process Explorer, for example. I can guarantee this game and none of its files are malicious or malware.

Don't trust someone that is literally pasting screenshots from a website that simulates malware behavior based on a false positive; if he knew what he was talking about, he'd run the files on a Virtual Machine and show us the amount of "bad" behavior the game would create in Windows. Then he tells people to wipe Windows :FacePalm:.
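The two sides of the thread make testable claims: poopybutt77's post says the game spawns cmd.exe to run dropped .bat files and talks to external IP addresses; rev_10's post says it spawns nothing and never touches the network. The script below is an added example written for this thread, not code from the game, its developer or any poster. It launches the game and records, for as long as it runs, every process in its tree and every non-local TCP connection one of those processes owns, then pulls Security 4688 events for anything too short-lived for polling to catch. It assumes PowerShell 5.1 or later in an elevated prompt; $ExePath is a placeholder, and the cmd.exe/.bat/Temp filters in the last step are this example's own choices.

```powershell
# Added example (not from the thread): launch the game and log child processes and
# outbound TCP connections of its process tree until it exits or $Seconds pass.
# Assumptions: PowerShell 5.1 or later, elevated prompt; $ExePath is a placeholder.
$ExePath = 'C:\Games\UnityTrueFacials\Game.exe'
$Seconds = 300

function Get-ProcessTree {
    # Breadth-first walk of Win32_Process by ParentProcessId, starting below $RootId.
    param([int]$RootId)
    $all   = Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine
    $seen  = @{ $RootId = $true }
    $queue = [System.Collections.Generic.Queue[int]]::new()
    $queue.Enqueue($RootId)
    while ($queue.Count -gt 0) {
        $parent = $queue.Dequeue()
        foreach ($p in ($all | Where-Object { $_.ParentProcessId -eq $parent })) {
            if ($seen.ContainsKey([int]$p.ProcessId)) { continue }   # guard against PID-reuse loops
            $seen[[int]$p.ProcessId] = $true
            $queue.Enqueue([int]$p.ProcessId)
            $p
        }
    }
}

$start         = Get-Date
$root          = Start-Process -FilePath $ExePath -PassThru
$knownChildren = @{}
$knownConns    = @{}
$deadline      = $start.AddSeconds($Seconds)

while ((Get-Date) -lt $deadline) {
    $children = @(Get-ProcessTree -RootId $root.Id)
    # Orphans keep their ParentProcessId, so a launcher that exits at once still leaves
    # its children visible here; stop only when the whole tree is gone.
    if ($root.HasExited -and $children.Count -eq 0) { break }
    $treePids = @($root.Id) + @($children | ForEach-Object { [int]$_.ProcessId })

    foreach ($c in $children) {
        if (-not $knownChildren.ContainsKey([int]$c.ProcessId)) {
            $knownChildren[[int]$c.ProcessId] = $c
            '{0:HH:mm:ss} CHILD pid={1,-6} {2} :: {3}' -f (Get-Date), $c.ProcessId, $c.Name, $c.CommandLine
        }
    }

    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object {
            $treePids -contains [int]$_.OwningProcess -and
            $_.State -in 'Established', 'SynSent' -and
            $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|fe80:)'
        } |
        ForEach-Object {
            $k = '{0}->{1}:{2}' -f $_.OwningProcess, $_.RemoteAddress, $_.RemotePort
            if (-not $knownConns.ContainsKey($k)) {
                $knownConns[$k] = $true
                '{0:HH:mm:ss} CONN  pid={1,-6} -> {2}:{3} ({4})' -f (Get-Date), $_.OwningProcess, $_.RemoteAddress, $_.RemotePort, $_.State
            }
        }
    Start-Sleep -Milliseconds 500
}

'--- summary ---'
'child processes seen : {0}' -f $knownChildren.Count
'remote connections   : {0}' -f $knownConns.Count

# Polling twice a second misses a cmd.exe that runs a dropped .bat and exits within a
# few hundred milliseconds. Process-creation auditing does not: with "Audit Process
# Creation" and command-line logging enabled in Group Policy, Security event 4688
# records every process started during the run.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $start } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Process = [regex]::Match($_.Message, 'New Process Name:\s+(.+)').Groups[1].Value.Trim()
            CmdLine = [regex]::Match($_.Message, 'Process Command Line:\s+(.*)').Groups[1].Value.Trim()
        }
    } |
    Where-Object { $_.Process -match 'cmd\.exe|updater\.exe' -or $_.CmdLine -match '\.bat|\\Temp\\' } |
    Format-Table -AutoSize
```

Run it in a VM or on a machine you are willing to wipe, the same way JhonLui's Sandboxie suggestion isolates the test. A Unity game that phones home for analytics will show a handful of connections to the same hosts on every run; a cmd.exe child executing something under Temp, or an updater.exe appearing in the tree, is the behaviour the detections describe and is what to look for.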
 

hieiyyh

Newbie
Jul 17, 2019
86
123
Has anyone had problems regarding the virus that this game brings? I remember downloading it last year and having quite a few problems. They even took money from me through PayPal. I don't know if it was a coincidence or it really has a virus. I await comments.
HOLY SHIT! Now I'm worried; last time I played it was version 0.42b, I didn't download the 5.0. :eek:
 

rev_10

Member
Sep 16, 2022
267
438
Normally I would probably consider this a false positive, as the mods are stating, but this game spawned almost the same files as those in poopybutt77's post. One of the few differences was "chromeupdate.exe", which in my case was "operaupdate.exe". All files were blocked by antivirus, but I will still have to wipe my entire second PC.
Why do you have to wipe out your entire second PC? What happened? Which AV blocked those files? Did you use Malwarebytes to check for more stuff and let the program have a second opinion? Where are these viruses that now are making you re-install Windows again? What you are saying doesn't make any sense.
 