This topic has been locked
[PCMR] Tizaki Aug 21, 2014 @ 12:34pm
The new "\AppData\Roaming\Steam\Reversed\steam.exe" BitCoin malware: How to detect and remove it
What is it?

There's some new malware going around that uses your GPU to mine for BitCoins. Even while idle, you'll see spikes around 90-95% in GPU usage. During games, this can be devastating and reduce your performance to almost nothing. In my case, League and TF2 were both dropping to around 30FPS thanks to VSync. Without VSync, they'd stutter horribly between 20 and 50. Another user claims to have been infected with it the same day I was: http://steamcommunity.com/discussions/forum/1/35221031685365357/

What does it do?

It somehow installs itself and mines for BitCoins. That's pretty much it. It's pretty easy to know when it's on your system because it's barely usable. I don't know how it gets there because I wasn't using the computer at the time of infection.

How do I find it and remove it?

Nov 29 2014 Edit: Users are reporting they also find it in appdata/winrar and appdata/adobe folders. Your antivirus will likely be able to locate it, but it wouldn't hurt to look around and report in this thread where you found YOUR executable.

Navigate to \AppData\Roaming\Steam\Reversed. Once there, delete it. It doesn't appear in msconfig as far as I can tell, so you'll have to manually remove it from the directory. Once removed, run a scan with free antimalware such as ComboFix or Norman Malware Cleaner or AVZ: http://support.kaspersky.com/common/service.aspx?el=1698#block2, and MBAM (uncheck pro trial): https://www.malwarebytes.org/mwb-download/. Heck, run all of them.

Edit: It also stores itself in your System32/Tasks folder: http://www.cyberforum.ru/viruses/thread1242413.html. You'll have to delete these as well to prevent it from updating and re-installing if your scan doesn't catch these.

More information, translated from Russian: http://www.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fpchelpforum.ru%2Ff26%2Ft140072%2F&sandbox=1

----------

Thanks for reading. Sorry about all the repetitiveness, I need to make sure Google indexes this well so others can remove it. Please pass this on and leave a reply if it helped you. Thanks!
Last edited by [PCMR] Tizaki; Nov 29, 2014 @ 12:38am
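A read-only triage script for the locations named in this thread (`\AppData\Roaming\Steam\Reversed`, `Raptr\Reversed`, and the task files under `System32\Tasks`), added here as an example and not part of the original post. The function names are hypothetical and the matching rules are assumptions drawn from the reports in the thread; it only lists candidates for review and deletes nothing.

```powershell
# Added example: read-only triage. It lists candidates and deletes nothing.
# Run elevated so the Tasks folder under System32 is readable.

function Find-RoamingMinerExe {            # hypothetical name
    param([string]$Root = $env:APPDATA)
    # Steam's default install is under Program Files, so a steam.exe below
    # AppData\Roaming, or any .exe in a folder named "Reversed", is suspect.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       ($_.Name -eq 'steam.exe' -or $_.Directory.Name -eq 'Reversed') } |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

function Find-RoamingTask {                # hypothetical name
    param([string]$TaskDir = (Join-Path $env:SystemRoot 'System32\Tasks'))
    Get-ChildItem -LiteralPath $TaskDir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            $xml  = New-Object System.Xml.XmlDocument
            # Task definitions are XML; skip anything that does not parse.
            try { $xml.Load($file.FullName) } catch { return }
            foreach ($exec in @($xml.Task.Actions.Exec)) {
                if (-not $exec) { continue }
                $cmd = [string]$exec.Command
                # Flag actions launched from the roaming profile, and task
                # names starting with "Steam" as reported in this thread.
                if ($cmd -match '\\AppData\\Roaming\\|%APPDATA%' -or $file.Name -like 'Steam*') {
                    New-Object PSObject -Property @{
                        TaskFile  = $file.FullName
                        Command   = $cmd
                        Arguments = [string]$exec.Arguments
                    }
                }
            }
        }
}

Find-RoamingMinerExe | Format-List
Find-RoamingTask     | Format-List
```

Legitimate software can also run tasks from the roaming profile, so treat each hit as something to inspect, not as a confirmed infection.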
Showing 76-90 of 117 comments
クラ Jan 11, 2015 @ 1:38am
Thanks
Coffee Jan 11, 2015 @ 8:03am
Jack, don't post links to possible malware-sites on a forum. Would you want other ppl to go there and also receive the malware?

Also, don't name and shame on the forums, that guy probably is a victim too, seeing how many games he has and his VACban. Besides, the Forum-nick of that account has already changed.


Viruses don't cause VAC bans.
[PCMR] Tizaki Jan 30, 2015 @ 3:51pm
Originally posted by Δ👽 Louna 👽Δ:
Viruses don't cause VAC bans.

Some can. Some even do it intentionally.
zayzo Jan 30, 2015 @ 3:55pm
I hope that this will fix Steam online for me. It has been loading for 5 minutes without any success.
Coffee Jan 30, 2015 @ 8:10pm
Originally posted by Macintrash:
Originally posted by Δ👽 Louna 👽Δ:
Viruses don't cause VAC bans.

Some can. Some even do it intentionally.


People always said that but never came with solid proof.
irkella Feb 3, 2015 @ 12:26pm
I discovered a new place that it likes to hide while searching through its task file...

AppData\Roaming\Raptr\Reversed\steam.exe
Winnie Feb 24, 2015 @ 10:57pm
Last edited by Winnie; Feb 24, 2015 @ 10:57pm
SomethingUnreal Mar 23, 2015 @ 8:04pm
A quick update, Malwarebytes scan engine has been updated to remove this miner virus. They worked with me to get it fixed and their rep said they will update the scan engine to remove this virus.
Coffee Mar 23, 2015 @ 8:41pm
Originally posted by BiHSomethingUnreal:
A quick update, Malwarebytes scan engine has been updated to remove this miner virus. They worked with me to get it fixed and their rep said they will update the scan engine to remove this virus.


Malwarebytes isn't the best for many infections, good tool but not worth much alone.
No wonder why it took you so long to have the tool to properly remove it lol.
Fr0thy Mar 23, 2015 @ 8:55pm
Thanks a lot mate
niandra Apr 17, 2015 @ 8:41am
I found the file "Steam_x64-S-2-106-91" in System32/tasks .. that is the task file that starts the steam miner. I found the actual "steam" file in my Thunderbird/CODEXi folder.
Coffee Apr 17, 2015 @ 8:45am
Originally posted by john f.:
I found the file "Steam_x64-S-2-106-91" in System32/tasks .. that is the task file that starts the steam miner. I found the actual "steam" file in my Thunderbird/CODEXi folder.


What antivirus/antispyware do you have?
Bones Johnson Apr 18, 2015 @ 12:37pm
Found steam.exe*32 running in processes, and can't end it with task manager. Looking for the suggested files, AppData and Roam don't even exist on my PC. Ran it through Zone Alarm and the latest Malwarebytes scan, but still nothing's showing up despite not being able to open steam again, my computer crashing most likely more than 5 times in the past few weeks and things keep bugging out.

I believe it's this bit of malware, but I can't find it anywhere. I'm at a loss what to do...
Coffee Apr 18, 2015 @ 3:23pm
Found steam.exe*32 running in processes, and can't end it with task manager. Looking for the suggested files, AppData and Roam don't even exist on my PC. Ran it through Zone Alarm and the latest Malwarebytes scan, but still nothing's showing up despite not being able to open steam again, my computer crashing most likely more than 5 times in the past few weeks and things keep bugging out.

I believe it's this bit of malware, but I can't find it anywhere. I'm at a loss what to do...


You should have installed a decent security system first such as NOD32 Antivirus (which does spyware too).

AppData exists, you just need to display hidden folders and maybe system files.
beanboy May 4, 2015 @ 6:55pm
I do not have an appdata/roaming//Steam folder. The steam is not in roaming, anywhere else it would be?

Date Posted: Aug 21, 2014 @ 12:34pm
Posts: 117