This thread has been closed
[PCMR] Tizaki 21 AUG 2014 at 12:34
The new "\AppData\Roaming\Steam\Reversed\steam.exe" BitCoin malware: How to detect and remove it
What is it?

There's some new malware going around that uses your GPU to mine for BitCoins. Even while idle, you'll see spikes around 90-95% in GPU usage. During games, this can be devastating and reduce your performance to almost nothing. In my case, League and TF2 were both dropping to around 30FPS thanks to VSync. Without VSync, they'd stutter horribly between 20 and 50. Another user claims to have been infected with it the same day I had: http://steamcommunity.com/discussions/forum/1/35221031685365357/

What does it do?

It somehow installs itself and mines for BitCoins. That's pretty much it. It's pretty easy to know when it's on your system because it's barely usable. I don't know how it gets there because I wasn't using the computer at the time of infection.

How do I find it and remove it?

Nov 29 2014 Edit: Users are reporting they also find it in appdata/winrar and appdata/adobe folders. Your antivirus will likely be able to locate it, but it wouldn't hurt to look around and report in this thread where you found YOUR executable.

Navigate to \AppData\Roaming\Steam\Reversed. Once there, delete it. It doesn't appear in msconfig as far as I can tell, so you'll have to manually remove it from the directory. Once removed, run a scan with free antimalware such as ComboFix or Norman Malware Cleaner or AVZ: http://support.kaspersky.com/common/service.aspx?el=1698#block2, and MBAM (uncheck pro trial): https://www.malwarebytes.org/mwb-download/. Heck, run all of them.

Edit: It also stores itself in your System32/Tasks folder: http://www.cyberforum.ru/viruses/thread1242413.html. You'll have to delete these as well to prevent it from updating and re-installing if your scan doesn't catch these.

More information, translated from Russian: http://www.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fpchelpforum.ru%2Ff26%2Ft140072%2F&sandbox=1

----------

Thanks for reading. Sorry about all the repetitiveness, I need to make sure Google indexes this well so others can remove it. Please pass this on and leave a reply if it helped you. Thanks!
Last edited by [PCMR] Tizaki; 29 NOV 2014 at 0:38
Showing 46-60 of 117 comments
HVK[st] 20 NOV 2014 at 6:03
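A defender-side script for the hunt the post describes, added here as an example (it is not from the thread or its author): it lists, without deleting anything, every steam.exe under %APPDATA% (the real Steam client does not install there), the executables and DLLs under %APPDATA% modified most recently (the "order by date" tip), and the task definitions in System32\Tasks that mention Steam. It assumes Windows PowerShell 3.0 or later and an elevated prompt (System32\Tasks is not readable otherwise); the 30-day window is an arbitrary choice, and no folder names beyond those in the post are assumed.

```powershell
# Added example, not part of the original thread. Read-only triage for the
# fake steam.exe miner: it only lists candidates, it deletes nothing.
# Assumptions: Windows PowerShell 3.0+, run as administrator.

$roaming  = $env:APPDATA                         # C:\Users\<you>\AppData\Roaming
$tasksDir = "$env:SystemRoot\System32\Tasks"     # scheduled task XML files live here

Write-Host "== steam.exe copies under $roaming (the real Steam client does not install here) =="
Get-ChildItem -Path $roaming -Recurse -Filter 'steam.exe' -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -Property FullName, Length, LastWriteTime |
    Format-Table -AutoSize

# The OP's tip: sort by date. Executables dropped around the time the slowdown
# started float to the top, whatever folder name the dropper chose this time.
# 30 days is an arbitrary window chosen for this example; widen it if needed.
Write-Host "== executables/DLLs under $roaming modified in the last 30 days, newest first =="
Get-ChildItem -Path $roaming -Recurse -Include '*.exe','*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -Property FullName, LastWriteTime -First 40 |
    Format-Table -AutoSize

# Task definitions are XML files (no extension) under System32\Tasks. Reading them
# directly avoids depending on Get-ScheduledTask, which older Windows lacks.
Write-Host "== scheduled tasks whose name or definition mentions Steam =="
Get-ChildItem -Path $tasksDir -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
        if ($xml -and ($_.Name -match 'steam' -or $xml -match '(?i)steam')) {
            [pscustomobject]@{
                Task    = $_.FullName.Substring($tasksDir.Length)
                Command = ([regex]::Match($xml, '(?is)<Command>(.*?)</Command>')).Groups[1].Value
                Args    = ([regex]::Match($xml, '(?is)<Arguments>(.*?)</Arguments>')).Groups[1].Value
            }
        }
    } | Format-Table -AutoSize
```

Any task whose Command points into AppData\Roaming rather than the Steam install directory is the kind of entry the post tells you to remove; compare each hit against a known-good Steam install before deleting, then run the antimalware scans the post lists.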
Just noticed this popping up on the Mbam notifications, wondering how long this little pos was on my system now. Thanks for the info, and solution.
Ouroboros 21 NOV 2014 at 13:00
My deepest thanks, OP. I've bought a GTX 970 and I was beginning to wonder why it was 60° at startup, and just browsing the web. Also, 90% GPU usage... searched a little, ended up here, and found the glorious explanation. Thank you.
Coffee 21 NOV 2014 at 14:56
This is hardly a fix. You all need to make numerous deep scans with various tools.
It might use your hardware less, but the infection is still there.
friskyvirus 21 NOV 2014 at 16:09
Noticed this this morning. Though I thought there was something going on a few days ago so I reinstalled Windows 8.1 over Windows 7. The problem has carried over, which is interesting considering that I formatted my C drive with the OS installation. The only other files are videos, music, and games on different hard disks. I plan to delete the files in the OP and then run scans with Malwarebytes and 360 Total Security.
I think it's important that we know where this is coming from since I only use my desktop for gaming. Hardly any internet browsing at all except for school related stuff. Any real internet tasks happen on my MacBook.

Either way, very much appreciated OP.
[PCMR] Tizaki 25 NOV 2014 at 0:15
Originally posted by Δ👽 Louna 👽Δ:
This is hardly a fix. You all need to make numerous deep scans with various tools.
It might use your hardware less, but the infection is still there.

No. It's gone. Manually deleting and running a scan will completely remove it. No malware author adds a "surrender" feature to their stuff. It either runs or it's gone.
Coffee 25 NOV 2014 at 5:01
Originally posted by Tizaki:
Originally posted by Δ👽 Louna 👽Δ:
This is hardly a fix. You all need to make numerous deep scans with various tools.
It might use your hardware less, but the infection is still there.

No. It's gone. Manually deleting and running a scan will completely remove it. No malware author adds a "surrender" feature to their stuff. It either runs or it's gone.

One scan hardly eradicates it all.

You'd be surprised how a virus can regenerate or have a facade and run something else more hidden.
Sajmi 26 NOV 2014 at 10:41
Hey dude, thanks for this topic. I found out after 3 or 4 days that steam.exe was using 25% of my processor, so I uninstalled Steam but it was still there. So I googled a bit and found your topic. It helped me a lot with this problem. But I found the folder in my Appdata/roaming/Winrar, not in the steam folder. So if anyone is going to read this, try to search through all the folders there. It seems that it's trying to hide itself everywhere. I only hope that it's not coming back. :)
[PCMR] Tizaki 26 NOV 2014 at 12:39
Originally posted by Princess Doge:
Hey dude, thanks for this topic. I found out after 3 or 4 days that steam.exe was using 25% of my processor, so I uninstalled Steam but it was still there. So I googled a bit and found your topic. It helped me a lot with this problem. But I found the folder in my Appdata/roaming/Winrar, not in the steam folder. So if anyone is going to read this, try to search through all the folders there. It seems that it's trying to hide itself everywhere. I only hope that it's not coming back. :)


The author may have updated it since to use different folders, but ordering by date will still allow you to easily find what folders contain the recent infection. If "winrar" contains Steam.exe, you'll know it's fake. AFAIK Winrar doesn't install to that folder.
friskyvirus 26 NOV 2014 at 13:54
Originally posted by Princess Doge:
Hey dude, thanks for this topic. I found out after 3 or 4 days that steam.exe was using 25% of my processor, so I uninstalled Steam but it was still there. So I googled a bit and found your topic. It helped me a lot with this problem. But I found the folder in my Appdata/roaming/Winrar, not in the steam folder. So if anyone is going to read this, try to search through all the folders there. It seems that it's trying to hide itself everywhere. I only hope that it's not coming back. :)

Mine was in appdata\adobe\
None of my antivirus programs were able to detect the files, even when I scanned the directory it was located in. So that's disturbing. But deleting the files as OP suggested solved the issue for me.
Grendel817 11 DEC 2014 at 5:36
------ORIGINS OF THIS MALWARE-----
I don't know if this was posted before, but I will say this.
Malware came to my computer with the ClassicShell program for Win 8.1.
And it installed the virus here: C:\Users\User_Name\AppData\Roaming\ClassicShell\googleupd.exe
My Malwarebytes Anti-Malware v2 free detected it as RiskWare.BitMiner.
I quarantined it, so if anyone wants that exe I shall send it to them for analysis.
I also deleted files from the steam folder in roaming like OP mentioned, and the system32\tasks file.
76561198132827599 17 DEC 2014 at 8:38
Just got rid of it! daxx leeches! Why don't they leave us gamers alone! We are not hurting anybody! Now they are starting to make it personal when they mess with my gaming RIG! You can call me every name in the book! You can slap my face! But when you mess with my RIG then you messed up bad!
Last edited by JoeyBalls; 17 DEC 2014 at 8:40
Coffee 17 DEC 2014 at 9:46
Originally posted by ted_isted:
Just got rid of it! daxx leeches! Why don't they leave us gamers alone! We are not hurting anybody! Now they are starting to make it personal when they mess with my gaming RIG! You can call me every name in the book! You can slap my face! But when you mess with my RIG then you messed up bad!


Your rig, as you call it, is just not protected well.
[BSLS]Weapon_X_ 27 DEC 2014 at 6:05
Hello, I just logged in to say thanks for this thread! Found it using Google.

I wanted to add that I found mine in: AppData\Roaming\BSplayer\CODEXi\Steam Client
and the win32 task was: Steam_x64-S-2-106-91

I didn't have the Reversed folder and it wasn't a 'steam.exe' but a command and many DLLs, so I deleted the whole CODEXi folder and the task.

I also spent 3 days looking at what was wrong with my GPU. I'm so glad I've found that thread! Thanks again for all the help!
Coffee 27 DEC 2014 at 6:52
Originally posted by BSLSWeapon_X_:
Hello, I just logged in to say thanks for this thread! Found it using Google.

I wanted to add that I found mine in: AppData\Roaming\BSplayer\CODEXi\Steam Client
and the win32 task was: Steam_x64-S-2-106-91

I didn't have the Reversed folder and it wasn't a 'steam.exe' but a command and many DLLs, so I deleted the whole CODEXi folder and the task.

I also spent 3 days looking at what was wrong with my GPU. I'm so glad I've found that thread! Thanks again for all the help!


If you have so many suspicious files, better do full scans again and again instead of manually deleting.
Toxic Player 30 DEC 2014 at 3:29
Did you hear about Steam *32? (not Steam.exe *32 - Valve's Steam)

Posted on: 21 AUG 2014 at 12:34
Posts: 117