This topic has been locked
The new "\AppData\Roaming\Steam\Reversed\steam.exe" BitCoin malware: How to detect and remove it
What is it?

There's some new malware going around that uses your GPU to mine for BitCoins. Even while idle, you'll see spikes around 90-95% in GPU usage. During games, this can be devastating and reduce your performance to almost nothing. In my case, League and TF2 were both dropping to around 30FPS thanks to VSync. Without VSync, they'd stutter horribly between 20 and 50. Another user claims to have been infected with it the same day I had: http://steamcommunity.com/discussions/forum/1/35221031685365357/

What does it do?

It somehow installs itself and mines for BitCoins. That's pretty much it. It's pretty easy to know when it's on your system because it's barely usable. I don't know how it gets there because I wasn't using the computer at the time of infection.

How do I find it and remove it?

Nov 29 2014 Edit: Users are reporting they also find it in appdata/winrar and appdata/adobe folders. Your antivirus will likely be able to locate it, but it wouldn't hurt to look around and report in this thread where you found YOUR executable.

Navigate to \AppData\Roaming\Steam\Reversed. Once there, delete it. It doesn't appear in msconfig as far as I can tell, so you'll have to manually remove it from the directory. Once removed, run a scan with free antimalware such as ComboFix or Norman Malware Cleaner or AVZ: http://support.kaspersky.com/common/service.aspx?el=1698#block2, and MBAM (uncheck pro trial): https://www.malwarebytes.org/mwb-download/. Heck, run all of them.

Edit: It also stores itself in your System32/Tasks folder: http://www.cyberforum.ru/viruses/thread1242413.html. You'll have to delete these as well to prevent it from updating and re-installing if your scan doesn't catch these.

More information, translated from Russian: http://www.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fpchelpforum.ru%2Ff26%2Ft140072%2F&sandbox=1

----------

Thanks for reading. Sorry about all the repetitiveness, I need to make sure Google indexes this well so others can remove it. Please pass this on and leave a reply if it helped you. Thanks!
Last edited by [PCMR] Tizaki; 29 Nov 2014 at 0:38
Showing 91-105 of 117 comments
NF.McTaz originally posted:
I do not have an appdata/roaming/Steam folder. Steam is not in roaming; anywhere else it would be?



Just get a good antivirus/antispyware...
Later on in the thread, people were mentioning where theirs was hiding. You should probably just do a malware scan and see if it finds it on its own. Malwarebytes Chameleon should do it. Look in your running processes and end anything suspicious. You could even try Safe Mode (press F8 at startup). Keep trying and post how you got rid of it here once you do, so Google searches link to your post and the latest version of this can still be caught and removed.
W. 13 May 2015 at 10:02
Thanks a lot Macintrash, I was trying to find out what the hell it was for a few months. Finally removed it after finding this post.
There are a few other threads going around which seem to think it's something else; I've tried to divert them to this post. In my case, my "steam" CPU usage was always hovering at 30% usage.
Last edited by W.; 13 May 2015 at 10:34
I can't find anything, I could use some help!
Is your GPU definitely being used? Like with AMD System Monitor or the Nvidia equivalent?
The way I found it is:

Noticed how crazy hot the room my PC is in was getting. Used GPU-Z to see what's happening and noticed it had 90% load all the time!
Checked with Process Explorer (had to download this tool) and this showed that nothing was using GPU load. This told me an invisible process was using the GPU.

Finally I used various tools to find and get rid of the malware. A tool called RKill found and stopped the coin miner malware. I verified this by checking in GPU-Z that the GPU load was now 0%. I used this thread I found, to very good effect:

http://forum.cheatengine.org/viewtopic.php?t=578889&sid=14b6c06dac68db54a3ec3128f588005b

Not everything was the same as what they talk about there, but it helped me find the malware, and also find the Task it created in Task Scheduler (was different but had the word STEAM in it). So far so good.
Note: It is not located in the Steam folder (the Valve application), so do not waste your time there. Malwarebytes and the anti-virus programs out there will not get rid of it. Don't bother.

It needs to be manually removed by YOU.

Step 1: Start up an application like HWMonitor to check for two things: 1) GPU utilization, 2) GPU temp. You will see that these two things are not normal.

Step 2: If Steam (the actual steam client that you use for gaming) is running, shut it down.

Step 3: Open up TASK MANAGER. Go to "Processes" and if need be, scroll down to find "Steam * 32" or something that says Steam. If you read Step 2, you'll know why I said to shut down Steam game app first.

Step 4: Right-click on this "Steam*32" or whatever name it is under, and select "open file location." It will take you right to the source. Delete it.

For me, it was in Appdata/Roaming/Shadow of Mordor

Step 5: Also, delete the "Steam file" in the System32/Tasks folder. You should find one file with the name Steam in it. DELETE it.

A lot of the advice in this thread and others is good, but it's all over the place. I thought I'd make it easier for you guys. Cheers.
Last edited by Vampire Detective; 31 May 2015 at 13:35
Elann originally posted:
Note: It is not located in the Steam folder (the Valve application), so do not waste your time there. Malwarebytes and the anti-virus programs out there will not get rid of it. Don't bother.

It needs to be manually removed by YOU.

Step 1: Start up an application like HWMonitor to check for two things: 1) GPU utilization, 2) GPU temp. You will see that these two things are not normal.

Step 2: If Steam (the actual steam client that you use for gaming) is running, shut it down.

Step 3: Open up TASK MANAGER. Go to "Processes" and if need be, scroll down to find "Steam * 32" or something that says Steam. If you read Step 2, you'll know why I said to shut down Steam game app first.

Step 4: Right-click on this "Steam*32" or whatever name it is under, and select "open file location." It will take you right to the source. Delete it.

For me, it was in Appdata/Roaming/Shadow of Mordor

Step 5: Also, delete the "Steam file" in the System32/Tasks folder. You should find one file with the name Steam in it. DELETE it.

A lot of the advice in this thread and others is good, but it's all over the place. I thought I'd make it easier for you guys. Cheers.


The easier the way you clean a virus, the less effective it is.
Also, you are aware that a single infection can act differently each time?
Elann originally posted:
Note: It is not located in the Steam folder (the Valve application), so do not waste your time there. Malwarebytes and the anti-virus programs out there will not get rid of it. Don't bother.

It needs to be manually removed by YOU.

Step 1: Start up an application like HWMonitor to check for two things: 1) GPU utilization, 2) GPU temp. You will see that these two things are not normal.

Step 2: If Steam (the actual steam client that you use for gaming) is running, shut it down.

Step 3: Open up TASK MANAGER. Go to "Processes" and if need be, scroll down to find "Steam * 32" or something that says Steam. If you read Step 2, you'll know why I said to shut down Steam game app first.

Step 4: Right-click on this "Steam*32" or whatever name it is under, and select "open file location." It will take you right to the source. Delete it.

For me, it was in Appdata/Roaming/Shadow of Mordor

Step 5: Also, delete the "Steam file" in the System32/Tasks folder. You should find one file with the name Steam in it. DELETE it.

A lot of the advice in this thread and others is good, but it's all over the place. I thought I'd make it easier for you guys. Cheers.

Be aware that you will also have a task to auto re-download this ♥♥♥♥♥ each time you reboot. Carefully scan your tasks that are not from a known source and you'll find it easy.

Click Start, type "Task Scheduler" in the search box and click the link. A quick read of your active tasks will tell you most/all are from legit sources - if you got hit by this ♥♥♥♥♥, one won't - it's set to run at boot, and differs for all. Disable the likely candidate and reboot; if your GPU temp is normal you got it :)
xrayman originally posted:
Elann originally posted:
Note: It is not located in the Steam folder (the Valve application), so do not waste your time there. Malwarebytes and the anti-virus programs out there will not get rid of it. Don't bother.
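The manual checks in Elann's steps 3 to 5, xrayman's Task Scheduler advice above, and the "right-click, Properties" trick mentioned later in the thread can be scripted. The following PowerShell triage script is an added example, not code from the thread or from Valve; it assumes the genuine Steam client is installed under Program Files\Steam or Program Files (x86)\Steam, that you are on Windows 8 or later (for Get-ScheduledTask), and that you run it from an elevated PowerShell so that every process's image path is readable. It lists anything calling itself "steam" that runs from somewhere else or is unsigned, and any scheduled task that mentions Steam or launches a program out of a user profile.

```powershell
# Added triage script (not from the thread): automates the process and
# scheduled-task checks the posters describe by hand.
# Assumptions (mine, not the thread's): genuine Steam lives under
# Program Files\Steam or Program Files (x86)\Steam; Windows 8+; elevated shell.

# Where the real client is expected to live (assumption).
$LegitSteamDirs = foreach ($base in @(${env:ProgramFiles(x86)}, $env:ProgramFiles)) {
    if ($base) { Join-Path $base 'Steam' }
}

function Test-UnderLegitSteamDir {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($dir in $LegitSteamDirs) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Check 1 (steps 3-4 and the Properties trick): processes whose image name
# contains "steam", where they actually run from, and whether the binary has a
# valid Authenticode signature. The real client runs from its install directory
# and is signed; the miner in this thread ran from folders under AppData\Roaming.
function Get-SuspiciousSteamProcess {
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -like '*steam*' } |
        ForEach-Object {
            $exe = $_.ExecutablePath
            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else { 'Unknown' }
            [pscustomobject]@{
                ProcessId  = $_.ProcessId
                Name       = $_.Name
                Path       = $exe
                InSteamDir = Test-UnderLegitSteamDir $exe
                Signature  = $sig
            }
        } |
        Where-Object { -not $_.InSteamDir -or $_.Signature -ne 'Valid' }
}

# Check 2 (step 5 and the Task Scheduler advice): registered tasks whose name
# mentions Steam or whose action runs something from a user profile. These are
# the same registrations that live as XML files under %SystemRoot%\System32\Tasks.
function Get-SuspiciousSteamTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = $action.Execute          # $null for non-Exec actions
            if (-not $exe) { continue }
            $nameHit = $task.TaskName -like '*steam*'
            $pathHit = ($exe -like '*steam*' -and -not (Test-UnderLegitSteamDir $exe)) -or
                       ($exe -like '*\AppData\*') -or ($exe -like '*\Users\*')
            if ($nameHit -or $pathHit) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

Write-Host '== Processes named like steam outside the Steam directory or unsigned =='
Get-SuspiciousSteamProcess | Format-Table -AutoSize

Write-Host '== Scheduled tasks that mention Steam or launch from a user profile =='
Get-SuspiciousSteamTask | Format-Table -AutoSize
```

Run it with the real Steam client closed, as step 2 says, so the only "steam" process left is the impostor. An empty Path column usually means the process is protected or access was denied rather than hidden, which is why the elevated shell matters. Once a task is confirmed bad, Unregister-ScheduledTask -TaskName ... -TaskPath ... is the supported way to remove it, rather than deleting the XML file by hand; and the GPU load and temperature readings the posters rely on still need a tool such as GPU-Z or HWMonitor, since neither check above measures the GPU.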

It needs to be manually removed by YOU.

Step 1: Start up an application like HWMonitor to check for two things: 1) GPU utilization, 2) GPU temp. You will see that these two things are not normal.

Step 2: If Steam (the actual steam client that you use for gaming) is running, shut it down.

Step 3: Open up TASK MANAGER. Go to "Processes" and if need be, scroll down to find "Steam * 32" or something that says Steam. If you read Step 2, you'll know why I said to shut down Steam game app first.

Step 4: Right-click on this "Steam*32" or whatever name it is under, and select "open file location." It will take you right to the source. Delete it.

For me, it was in Appdata/Roaming/Shadow of Mordor

Step 5: Also, delete the "Steam file" in the System32/Tasks folder. You should find one file with the name Steam in it. DELETE it.

A lot of the advice in this thread and others is good, but it's all over the place. I thought I'd make it easier for you guys. Cheers.

Be aware that you will also have a task to auto re-download this ♥♥♥♥♥ each time you reboot. Carefully scan your tasks that are not from a known source and you'll find it easy.

Click Start, type "Task Scheduler" in the search box and click the link. A quick read of your active tasks will tell you most/all are from legit sources - if you got hit by this ♥♥♥♥♥, one won't - it's set to run at boot, and differs for all. Disable the likely candidate and reboot; if your GPU temp is normal you got it :)


Only stopping its auto-launching will simply remove the auto-launch, yet you're still infected.


It's absurd that so many think simply deleting one file or doing one thing removes an infection; no wonder it keeps infecting people.
Found the bastard hiding in my appdata/roaming/skype/CODEXi folder. I was wondering why there was a CODEXi name in my Skype login list. It also has some coinminer DLLs and such; one such name was "quarkcoin". To be honest, I've had that "Codexi" name since last month. I kept getting these "steam.exe has stopped working" messages even though my Steam isn't even running. Then just recently my games started to stutter and such. My CPU temp skyrocketed to 92 degrees and my mainboard temp was at a steady 86 degrees. I thought it was my heatsink or thermal paste, so I replaced them, but the problem still persisted. I then looked at my Task Manager and saw a steam*32.exe despite Steam being closed. I ended the program thinking it must've been a bug. Then I played a game, waiting for it to lag, but it didn't. So I searched for the steam.exe virus, because if I ended the program and it stopped lagging my games, then it must've been a virus of some sort. I came across this and I deleted the CODEXi folder, the Steam thing in my system32/tasks folder (I also checked SysWow64/tasks just in case), and I ran Malwarebytes. Everything is fine now. Cheers!
Thanks for the help, had this virus. Also just wanted to say that for me it came from my .minecraft folder.
Thanks so much for this thread. I've been having this issue from since Windows 7. I formatted my pc and did a fresh installation of Windows to 8.1 then upgraded to 10 when it became available. I heard my tower sounding a bit loud, checked my temps and my motherboard, cpu and gpu were seriously heating up. When I checked Task Manager, this Steam thing started again. I realized this may have come from the installation of either core temp or a google chrome extension.

I ran through this thread and found the folder in C:\Users\<user>\AppData\Roaming\Dropbox\CODEXi

I then proceeded to delete that folder.

One trick I learned is that when the program is running, you can actually just right-click on it and go to Properties and you'll see the directory the file is located in. I also found the file in the system32/tasks folder and deleted it as well. I do hope I don't get this thing again.
Woah, people still get infected so easily?

This thread is NOT the solution. You don't clean a virus with a simple folder delete xD.
Date posted: 21 Aug 2014 at 12:34
Posts: 117