This topic has been locked
[PCMR] Tizaki Aug 21, 2014 @ 12:34pm
The new "\AppData\Roaming\Steam\Reversed\steam.exe" BitCoin malware: How to detect and remove it
What is it?

There's some new malware going around that uses your GPU to mine for BitCoins. Even while idle, you'll see spikes around 90-95% in GPU usage. During games, this can be devastating and reduce your performance to almost nothing. In my case, League and TF2 were both dropping to around 30FPS thanks to VSync. Without VSync, they'd stutter horribly between 20 and 50. Another user claims to have been infected with it the same day I had: http://steamcommunity.com/discussions/forum/1/35221031685365357/

What does it do?

It somehow installs itself and mines for BitCoins. That's pretty much it. It's pretty easy to know when it's on your system because it's barely usable. I don't know how it gets there because I wasn't using the computer at the time of infection.

How do I find it and remove it?

Nov 29 2014 Edit: Users are reporting they also find it in appdata/winrar and appdata/adobe folders. Your antivirus will likely be able to locate it, but it wouldn't hurt to look around and report in this thread where you found YOUR executable.

Navigate to \AppData\Roaming\Steam\Reversed. Once there, delete it. It doesn't appear in msconfig as far as I can tell, so you'll have to manually remove it from the directory. Once removed, run a scan with free antimalware such as ComboFix or Norman Malware Cleaner or AVZ: http://support.kaspersky.com/common/service.aspx?el=1698#block2, and MBAM (uncheck pro trial): https://www.malwarebytes.org/mwb-download/. Heck, run all of them.

Edit: It also stores itself in your System32/Tasks folder: http://www.cyberforum.ru/viruses/thread1242413.html. You'll have to delete these as well to prevent it from updating and re-installing if your scan doesn't catch these.

More information, translated from Russian: http://www.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fpchelpforum.ru%2Ff26%2Ft140072%2F&sandbox=1

----------

Thanks for reading. Sorry about all the repetitiveness, I need to make sure Google indexes this well so others can remove it. Please pass this on and leave a reply if it helped you. Thanks!
Last edited by [PCMR] Tizaki; Nov 29, 2014 @ 12:38am
BrinCe Aug 21, 2014 @ 4:06pm 
Thanks so much for the info. I thought I was the only one who had it. I kept deleting it but it somehow kept coming back, so I had to lock the \reversed\steam and system32\tasks folders and I hope it doesn't come back.
Jake0123 Aug 21, 2014 @ 9:00pm 
Thanks, I had this and I think this got rid of it
Satoru Aug 21, 2014 @ 9:11pm 
Please let's be super clear

Steam IS NOT INSTALLING BITCOIN MINING MALWARE

It just happens to be named steam.exe to fool people. If you have this, you downloaded and installed malware. Steam DID NOT DO THIS.

I just don't want to turn this into some kind of repeat of the ESL nonsense.
Last edited by Satoru; Aug 21, 2014 @ 9:13pm
BrinCe Aug 22, 2014 @ 10:13am 
I just deleted it and it came back to \my music\steam\reversed. Wow, I don't know what to do, I tried everything.
[PCMR] Tizaki Aug 22, 2014 @ 10:31am 
Originally posted by Satoru:
Please let's be super clear

Steam IS NOT INSTALLING BITCOIN MINING MALWARE

It just happens to be named steam.exe to fool people. If you have this, you downloaded and installed malware. Steam DID NOT DO THIS.

I just don't want to turn this into some kind of repeat of the ESL nonsense.

Correct. This is not Valve, this is malware pretending to be Steam.
Originally posted by BrinCe:
I just deleted it and it came back to \my music\steam\reversed. Wow, I don't know what to do, I tried everything.

Go to C:\Windows\System32\Tasks. What do you see? It's coming back because it's in a scheduled task.
BrinCe Aug 22, 2014 @ 11:29am 
http://i61.tinypic.com/141sa5d.jpg maybe it's the Steam-S-1-8-22-9865GUI ?
Last edited by BrinCe; Aug 22, 2014 @ 11:29am
[PCMR] Tizaki Aug 22, 2014 @ 11:37am 
Originally posted by BrinCe:
http://i61.tinypic.com/141sa5d.jpg maybe it's the Steam-S-1-8-22-9865GUI ?

I think that may be it. Look at the date. Steam has been on your PC far longer than the 21st, and I doubt Valve would just update/add a new task like that.

But first, I want to teach you something. Open that file up with notepad. Look for a directory inside of it. You'll probably find a mention of your "reversed/steam.exe" in there ;)

Let me know if you do, I'm almost certain you will, along with a mention of your music folder you talked about.
BrinCe Aug 22, 2014 @ 12:49pm 
I opened it with Notepad and you were right, there was this line: <Command>"C:\Users\Iseq\Music\Steam\Reversed\steam.exe"</Command>
So should I just delete this file and it will never come back again?
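The check Tizaki walks BrinCe through above (open each file under System32\Tasks and look for a `<Command>` pointing at the miner) can be done for every task at once. This is an added example, not code from the thread: it parses the Task Scheduler XML files and lists Exec actions whose command lives in a user-writable location such as AppData\Roaming or Music, where the "steam.exe" miner was found. The list of suspicious roots is an assumption you should extend for your own machine; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Scans Task Scheduler XML files for Exec
# actions that launch binaries from user-writable folders, which is how the
# fake steam.exe miner re-installs itself after the folder is deleted.
$TaskRoot = Join-Path $env:SystemRoot 'System32\Tasks'

# Assumed list of locations a legitimate scheduled task rarely launches from.
$SuspiciousRoots = @('\AppData\Roaming\', '\AppData\Local\', '\Music\', '\Temp\', '\Downloads\')

function Get-SuspiciousTasks {
    param([string]$Root = $TaskRoot)

    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        try {
            # Task files are UTF-16 XML; Get-Content honours the BOM.
            [xml]$xml = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop
        } catch { return }   # unreadable or not XML, skip it

        # Task Scheduler 2.0 XML uses a default namespace, so an XPath query needs a prefix.
        $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')

        foreach ($exec in $xml.SelectNodes('//t:Actions/t:Exec', $ns)) {
            $cmd = [string]$exec.Command
            $hit = $SuspiciousRoots | Where-Object { $cmd -like "*$_*" }
            if ($hit) {
                # TaskName is the path relative to the Tasks folder, which is what schtasks /TN expects.
                [pscustomobject]@{
                    TaskName  = $file.FullName.Substring($Root.Length + 1)
                    Command   = $cmd
                    Arguments = [string]$exec.Arguments
                    Created   = $file.CreationTime
                    BinaryExists = Test-Path -LiteralPath $cmd.Trim('"')
                }
            }
        }
    }
}

Get-SuspiciousTasks | Format-Table -AutoSize
```

Review each hit before acting, since some installers do legitimately schedule updaters from AppData; a task that matches, was created on the day the slowdown started and points at a Steam\Reversed folder is the one to disable with `schtasks /Change /TN "<TaskName>" /Disable` before deleting the binary, as the posters here found.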
snipar™ Aug 22, 2014 @ 12:54pm
Can someone try to find out where the file originated from?
BrinCe Aug 23, 2014 @ 6:09am 
Tiz, I deleted the Steam-S-1-8-22-9865GUI task and the steam/reversed folder... Today I was checking the task folder again and there was a new task, same name and everything, so instead of deleting it I disabled it from the Task Scheduler. I hope it works.
Bad 💀 Motha Aug 23, 2014 @ 6:40am 
If it is an "exploit or hijack" then you should install Malwarebytes Anti-Exploit
http://www.malwarebytes.org/antiexploit/

However, since you know where it is and what to look for, check the AppData folders on all your users. Since it's in Roaming though, that is shared for all users, which means that could launch on any Windows user when something has put itself in AppData/Roaming.

To properly view your Scheduled Tasks, go to Control Panel > Admin Tools > Task Scheduler for more details on those.

Check your Windows Startup via Run (Winkey+R) > MSCONFIG > Startup.

Scan your system with Spybot S&D 2.xx and Malwarebytes Anti-Malware
Last edited by Bad 💀 Motha; Aug 23, 2014 @ 6:49am
[PCMR] Tizaki Aug 23, 2014 @ 3:12pm 
Originally posted by snipar™:
Can someone try to find out where the file originated from?

That Russian forum seems to think it's been around a while in different forms. From my browsing history, it looks like the person infected the machine via Yahoo Mail.
Hlavson Aug 29, 2014 @ 8:36am 
Any new info about origin of infection?
[PCMR] Tizaki Aug 29, 2014 @ 12:42pm 
Originally posted by Hlavson:
Any new info about origin of infection?

Nope, but this will probably get an explanation at some point. This thread shows up in Google searches now.
It's ShowTimeZ Aug 31, 2014 @ 7:44am 
Had this virus, this helped me a lot to delete it, hope it doesn't come back.

Malwarebytes, SUPERAntiSpyware, Microsoft Security Essentials and CCleaner don't detect these files at the date I post this.

Date Posted: Aug 21, 2014 @ 12:34pm
Posts: 117