How to remove viruses in 3Ds Max manually without scripts and plugins

Author MastaMan
Updated on January 20, 2021

In this article we will look at how to remove the most common viruses, ALC and CRP, which have appeared on literally every 3D Stock, without using any scripts or plugins; how to prevent reinfection; and how not to become a victim of fake antivirus software.

But first, what are viruses in 3Ds Max and where did they come from?

The first mentions of strange non-removable objects that get into the scene appeared at the end of 2016. At the time, no one understood why Helpers with the names "¡¡×ý × û" and "×þ×ü" appeared in the scene, and it was assumed that these were objects left over from an unsuccessful import from AutoCAD or similar programs.


As far as we know, ALC and CRP started their journey on Chinese 3D Stocks. But no one expected that downloading a free model would come with such a "gift".

ALC and CRP viruses became more widespread by the end of 2017. Since there was no protection at that time, they got onto 3D Stocks without any problems. This became a key factor in their distribution and turned them into a global problem. Below I will write in detail about the ALC virus, since CRP is very similar to it.

Having tried different removal options using Maxscript, I accidentally managed to cause an error in the script controller into which the malicious code was written. I saw a lot of obfuscated text in the Listener (Maxscript console). After careful analysis and reverse engineering, I was able to understand how this code works.


To my surprise, the malicious script tried to write itself to the script startup folder, registered callbacks, and launched when Merge, Open, X-Ref and other scene operations were performed. This meant that even if the files were removed from startup, any action with the scene could run the code to write itself back to files again, and Helpers that are not removed contributed to the initialization of this process.
The behavior reminded me of a typical "worm virus", so I named it worm.3dsmax.alc.clb.

Security logic for commercial models or scenes was incorporated in the code. If authentication failed, ALC could change scene settings and materials, remove lights, etc. And in the latest modifications of ALC3, your renders and personal information can even be sent to the C&C servers!

Although ALC was conceived as a form of protection for commercial scenes and models, the code itself works incorrectly, so 3Ds Max could malfunction, the undo function (CTRL+Z) could stop working, and various other bugs could appear.
In the ALC code, there are no specific lines meant to break the undo function (CTRL+Z), cause a crash on startup, or slow down 3Ds Max; these are all consequences of poorly adapted code.

However, we have a script that spreads itself between scenes, can cause 3Ds Max to crash, break some functions like CTRL+Z, change something in the scene, degrade performance and interrupt the workflow, so it is correct to call it a virus!

Since this is a regular script that is executed in the 3Ds Max environment, no antivirus can detect these viruses. They can be removed manually or with special scripts like Prune Scene.

It doesn't matter for what purpose or with what intentions it was created: in practice it brings nothing but trouble, and we cannot ignore this problem. I recommend sharing this article so everyone knows how to protect their work!

Distribution scheme for ALC and CRP

So, as written above, the ALC virus gets into the scene under the guise of Helpers, in the Scale script controller. 3Ds Max is designed in such a way that when a scene is opened, all script controllers are executed. This is how the malicious code gets executed.

Next, the script writes its code to hidden files in the script startup folder:
vrdematcleanbeta.ms
vrdematcleanbeta.mse
vrdematcleanbeta.msex
So-called callbacks are also created; the code from the script controller is written into them as well and is executed on Open, Merge and X-Ref.


Now let's imagine how it all works in combination. When you start 3Ds Max, scripts from the startup folder are executed, which create Helpers and register callbacks. These auxiliary objects cannot be deleted and they easily migrate between scenes.
With each Open, Merge or X-Ref, Helpers are also created and the startup files are written, after which the scene is automatically saved. When you open a scene with Helpers, all the same actions are performed: writing to startup, creating callbacks, automatic saving.

Thus, even if you delete files from startup, and somehow remove Helpers, a callback will still be executed, which will start the whole process again!

For the CRP virus, the scheme is the same, except that it is written not to the script controller but to a Persistent global variable, which is saved with the scene and executed when the scene is opened. It also injects malicious code into startup scripts.

How to remove ALC and CRP viruses manually

Removing hidden files from the startup folder will help prevent malicious code from running when 3Ds Max starts. Removal also helps if 3Ds Max does not start after infection or the program closes abnormally!

Close 3Ds Max. Go to the following folders:
C:/Users/User Name/AppData/Local/Autodesk/3dsMax/xxxx - 64bit/ENU/scripts/startup
C:/Program Files/Autodesk/3Ds Max xxxx/scripts/Startup
Note!
"User Name" and "xxxx" stand for your user name and 3Ds Max version, which may differ on your system.
Next, you need to display hidden system files. To do this, in File Explorer go to the View tab and click Options.
In the window that opens, go to the View tab and disable Hide protected operating system files (Recommended).
The following files indicate the presence of a virus:
[Screenshot: vrdematcleanbeta files]
Remove all hidden files from these folders!
Note!
If you are not sure that you are doing this correctly and are afraid of messing up your workflow, download and install Prune Scene.
Prune Scene will help to correct the consequences of infection and do all the necessary work for you!
Check each script in these folders for malicious code injection. Open the file in a text editor such as Notepad; if a search of the file does not find "CRP_AScript", the file is clean.
If you find "CRP_AScript", you must remove this part of the code, from the line in which the phrase was found to the end of the file. Then save the file.

Launch 3Ds Max. You should no longer see hidden Helpers or feel other effects of the viruses.
Warning!
Keep in mind that this way you have removed viruses from your 3Ds Max! But if you open an infected scene, the process will start over. It is impossible to remove viruses from infected scenes without special antivirus scripts like Prune Scene!
Download Prune Scene Free
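
The folder check described above can also be run read-only from a script. The following Python code is an added example, not code from the original article or from Prune Scene; it looks only for the three file names and the "CRP_AScript" marker named above and reports the line from which the injected code starts. The folder it scans in `demo()` and the file contents are constructed samples.

```python
import tempfile
from pathlib import Path

# File names and marker are the ones this article lists; nothing else is assumed.
KNOWN_FILES = {"vrdematcleanbeta.ms", "vrdematcleanbeta.mse", "vrdematcleanbeta.msex"}
MARKER = "CRP_AScript"

def is_hidden(path):
    # Windows "hidden" attribute (0x2); st_file_attributes does not exist elsewhere.
    return bool(getattr(path.stat(), "st_file_attributes", 0) & 0x2)

def marker_line(data):
    """1-based line where MARKER first appears (UTF-8/ANSI or UTF-16 LE), else None."""
    for enc in ("utf-8", "utf-16-le"):
        pos = data.find(MARKER.encode(enc))
        if pos != -1:
            return data.count("\n".encode(enc), 0, pos) + 1
    return None

def scan_startup(folder):
    """Report suspicious files in one startup folder. Read-only: deletes nothing."""
    findings = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file():
            continue
        if path.name.lower() in KNOWN_FILES:
            findings.append((path.name, "known ALC startup file"))
        elif is_hidden(path):
            findings.append((path.name, "hidden file"))
        line = marker_line(path.read_bytes())
        if line is not None:
            findings.append((path.name, f"{MARKER} found, remove from line {line} to end of file"))
    return findings

def demo():
    """Scan a constructed sample folder (all file contents are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean_tool.ms").write_text('fn hello = print "hi"\n')
        (root / "infected_tool.ms").write_text(
            "fn a = 1\nfn b = 2\n-- CRP_AScript (constructed marker line)\nmore\n")
        (root / "vrdematcleanbeta.ms").write_text("placeholder\n")
        return scan_startup(root)

if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

To check a real installation, call `scan_startup()` on each of the two startup folders listed above while 3Ds Max is closed.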

Simple virus protection

I think many people have already guessed that it is necessary to deny write access to the scripts startup folders.
To do this, for the folders:
C:/Users/User Name/AppData/Local/Autodesk/3dsMax/xxxx - 64bit/ENU/scripts/startup
C:/Program Files/Autodesk/3Ds Max xxxx/scripts/Startup
Set write protection through the folder properties (Read Only).
Note!
Write protection helps you avoid virus spreading problems. But keep in mind that some scripts can then no longer be added or modified. For example, if you have MegaScans Bridge installed, you will most likely receive an error and will not be able to launch it.
Treat the ban on writing to these folders with understanding and responsibility!
Open the file with a text editor:
C:/Users/User Name/AppData/Local/Autodesk/3dsMax/xxxx - 64bit/ENU/3dsMax.ini
Find the following parameters and set the value for them to "0".
LoadStartupScripts=0
LoadSaveSceneScripts=0
LoadSavePersistentGlobals=0
Set write protection for the 3dsMax.ini file.
Note!
If you set write protection for 3dsMax.ini and change the parameters described above, some 3Ds Max settings may no longer be saved! Custom Attributes and some animation controllers may also stop working.
It is worth understanding what blocking writes to the 3dsMax.ini settings file can affect!
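
To confirm that the settings above are actually in place, the three parameters and the write protection of 3dsMax.ini can be checked from a script. This Python code is an added example, not part of the original article; it assumes the file is UTF-16 when it begins with a byte-order mark and UTF-8/ANSI otherwise, it accepts the keys in any section, and the two ini files audited in `demo()` are constructed samples.

```python
import stat
import tempfile
from pathlib import Path

# The three parameters the article sets to 0.
REQUIRED = ("LoadStartupScripts", "LoadSaveSceneScripts", "LoadSavePersistentGlobals")

def read_ini_text(path):
    # Assumption: UTF-16 if the file starts with a byte-order mark, else UTF-8/ANSI.
    data = Path(path).read_bytes()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")

def audit_ini(path):
    """Return a list of problems; an empty list means the file matches the article."""
    values = {}
    for line in read_ini_text(path).splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in REQUIRED:
            values[key.strip()] = value.strip()
    problems = []
    for key in REQUIRED:
        if key not in values:
            problems.append(f"{key} is not set")
        elif values[key] != "0":
            problems.append(f"{key}={values[key]} (expected 0)")
    # On Windows the owner write bit mirrors the file's Read-only attribute.
    if Path(path).stat().st_mode & stat.S_IWRITE:
        problems.append("file is writable")
    return problems

def demo():
    """Audit two constructed ini files: one partly configured, one hardened."""
    with tempfile.TemporaryDirectory() as tmp:
        weak = Path(tmp, "weak.ini")
        weak.write_text("[Constructed]\nLoadStartupScripts=1\nLoadSaveSceneScripts=0\n",
                        encoding="utf-16")
        hard = Path(tmp, "hard.ini")
        hard.write_text("[Constructed]\n" + "".join(f"{k}=0\n" for k in REQUIRED))
        hard.chmod(stat.S_IREAD)  # same effect as ticking Read-only
        result = audit_ini(weak), audit_ini(hard)
        hard.chmod(stat.S_IREAD | stat.S_IWRITE)  # allow temp-folder cleanup on Windows
        return result

if __name__ == "__main__":
    for problems in demo():
        print(problems or "OK")
```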

As described above, viruses can write to callbacks and execute malicious code on Open, Merge and X-Ref. This means that if you open a scene with a virus, all files opened afterwards will be infected for as long as the current 3Ds Max session is open.

If you do not want to endure the inconvenience associated with the inability to save settings, problems with scripts in autorun such as MegaScans, or file infection in the current session, I recommend using Prune Scene, specialized software for tracking and removing viruses.

Beware of scammers!

Recently, I have seen more and more different kinds of "Antivirus" appear, which help with cleaning script viruses. Moreover, they are released not only as scripts, but also as third-party applications (programs).
Gullible users download software from unknown resources and unknown brands, which most likely contains a Trojan or other more serious computer virus.
Important!
Never download *.exe files or run them! This also applies to the installation of different plugins: *.dlo, *.dlc, *.dll, etc.
Do not download anything from Chinese sites or unverified resources!
There is a great risk that unscrupulous developers could add malicious code there!
At the moment I know only a few proven developers: 3DGROUND Prune Scene (7 years), SiNI Software Forensic (6 years) and Autodesk Security Tools. I strongly recommend against downloading anything else!

3DGROUND Prune Scene is a simple, free, lightweight script with easy installation. It does not require a restart of 3Ds Max after installation. It has the largest number of virus signatures at the moment. The startup folder is protected from re-infection. Well-optimized signatures do not slow down 3Ds Max. It has a great feature: searching for viruses in the file system without opening the files themselves! Updates are released quite often, and if you have a license, you can update "over the air" in a second by clicking a single Update button.

Autodesk Security Tools is the official antivirus from Autodesk, updated not as often as we would like. Installation via Windows Installer is quite complex. It has fewer virus signatures than its analogues. The code is not well optimized and may cause slowdowns in 3Ds Max.

SiNI Software Forensic is a full-fledged plugin that works faster than scripts, but has a number of shortcomings. It is quite difficult to install and understand. It requires a 3Ds Max restart after installation or update. It depends on the 3Ds Max version. Updates are not released as often. It has a complex licensing system. An internet connection is required even if you are using the free version. It has the same number of virus signatures as Autodesk Security Tools.

Use software from this list and be careful!

