This topic has been locked
The new "\AppData\Roaming\Steam\Reversed\steam.exe" BitCoin malware: How to detect and remove it
What is it?

There's some new malware going around that uses your GPU to mine for BitCoins. Even while idle, you'll see spikes around 90-95% in GPU usage. During games, this can be devastating and reduce your performance to almost nothing. In my case, League and TF2 were both dropping to around 30FPS thanks to VSync. Without VSync, they'd stutter horribly between 20 and 50. Another user claims to have been infected with it the same day I had: http://steamcommunity.com/discussions/forum/1/35221031685365357/

What does it do?

It somehow installs itself and mines for BitCoins. That's pretty much it. It's pretty easy to know when it's on your system because it's barely usable. I don't know how it gets there because I wasn't using the computer at the time of infection.

How do I find it and remove it?

Nov 29 2014 Edit: Users are reporting they also find it in appdata/winrar and appdata/adobe folders. Your antivirus will likely be able to locate it, but it wouldn't hurt to look around and report in this thread where you found YOUR executable.

Navigate to \AppData\Roaming\Steam\Reversed. Once there, delete it. It doesn't appear in msconfig as far as I can tell, so you'll have to manually remove it from the directory. Once removed, run a scan with free antimalware such as ComboFix or Norman Malware Cleaner or AVZ: http://support.kaspersky.com/common/service.aspx?el=1698#block2, and MBAM (uncheck pro trial): https://www.malwarebytes.org/mwb-download/. Heck, run all of them.

Edit: It also stores itself in your System32/Tasks folder: http://www.cyberforum.ru/viruses/thread1242413.html. You'll have to delete these as well to prevent it from updating and re-installing if your scan doesn't catch these.

More information, translated from Russian: http://www.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fpchelpforum.ru%2Ff26%2Ft140072%2F&sandbox=1

----------

Thanks for reading. Sorry about all the repetitiveness, I need to make sure Google indexes this well so others can remove it. Please pass this on and leave a reply if it helped you. Thanks!
Last edited by [PCMR] Tizaki; Nov 29, 2014, 0:38
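
A read-only way to check for the indicators described in this post, as an added example that is not part of the original post: it lists every steam.exe under AppData with its signature status and hash, and every scheduled task that launches a program from AppData. It assumes PowerShell on Windows 8 or later (for Get-ScheduledTask) and an elevated prompt so that all tasks are visible.

```powershell
# Added example: read-only triage for the indicators described in this thread.
# It deletes nothing; review the output before removing any file or task.

# 1. Any steam.exe under the roaming or local AppData tree. Per the thread, the
#    genuine client lives in its install folder, not in AppData.
$roots = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ -and (Test-Path $_) }

$hits = Get-ChildItem -Path $roots -Filter 'steam.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Created   = $_.CreationTime
            Signature = $sig.Status   # 'Valid' means an intact, trusted signature
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# 2. Scheduled tasks whose action starts a program from AppData. The thread
#    reports entries under System32\Tasks that re-install the miner.
$appDataPattern = '\\AppData\\(Roaming|Local)\\'

$tasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Non-exec actions (e.g. COM handlers) have no Execute value and are skipped.
        $exe = [Environment]::ExpandEnvironmentVariables([string]$action.Execute)
        if ($exe -match $appDataPattern) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Execute   = $exe
                Arguments = $action.Arguments
            }
        }
    }
}

'Executables named steam.exe under AppData:'
$hits | Format-List
'Scheduled tasks that launch from AppData:'
$tasks | Format-List
```

Legitimate software also runs updaters from AppData, so treat the task list as candidates to review; an unsigned steam.exe in a folder such as Steam\Reversed is the case this thread describes.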
Thanks, steam.exe crashed every time and it was independent from the real steam. Guess it was malware, but your method helped me. Thanks a lot.
Originally posted by FakeSauroN:
Thanks, steam.exe crashed every time and it was independent from the real steam. Guess it was malware, but your method helped me. Thanks a lot.


I doubt this method REALLY cleans your PC completely.
I haven't got the Steam folder in Roaming, is that normal?
Steam is not supposed to be in the AppData folder unless you put it there

Steam puts everything in the folder you installed it to, which defaults to:

Program Files (x86), Program Files, or your regional equivalent if your version of Windows has a different default.
Last edited by NanoPi; Nov 3, 2014, 6:53
Originally posted by NanoPi:
that's NOT normal. Steam does not use those folders

Steam puts everything in its Program Files folder
/fixed
Originally posted by Seven7:
Originally posted by NanoPi:
that's NOT normal. Steam does not use those folders

Steam puts everything in its Program Files folder
/fixed


Incorrect.

It depends where you choose to install it.
I found it, ended the process (driver crashed), and GPUs went back to normal before finding this thread. I'm glad I found this thread though so I know I'm not the only one and didn't know about the System32/Tasks thing. Thank you! The "Reversed" folder was in my YOUDONTKNOWJACK AppData folder for some reason.
Last edited by abalian; Nov 3, 2014, 15:22
I can confirm that the new, free Malwarebytes does do the trick. Just make sure you disable real-time antivirus while it scans, things will go smoother. :)

1. Successfully delete the folder (reversed...)
2. Remove item from Tasks (S-1-XYZ...)
3. Malwarebytes found several more registry entries under various registry keys
Or you can just do No3 and spare yourself. >.<

Seems to be in order now, nothing's pinging to outside and no suspicious processes. Many thanks to the OP, your post is first on google's result list.
I sent a message to the Malwarebytes team. I performed a full system scan and Malwarebytes says my system is clean. I removed it manually and I hope it does not come back.
Originally posted by BiHSomethingUnreal:
I sent a message to the Malwarebytes team. I performed a full system scan and Malwarebytes says my system is clean. I removed it manually and I hope it does not come back.


Malwarebytes won't detect everything.
Huge chance your computer isn't fully clean after a Malwarebytes scan.
Cheers for the info. PC had been running odd the past few days. Today I saw my CPU shoot to 80% usage while just browsing the web. Saw it was a steam.exe and googled it. Found this article and now I'm good.

FYI, this isn't exclusive to just the Steam folder in AppData. Mine was in a Winrar folder. I would just search all of AppData for steam and go through one by one and make sure it actually belongs to Steam. I also removed the Steam task from System32/tasks and rebooted my PC. That sorted everything out. Frames in my games are back up to where they were before this issue started a couple days ago.
I'd like to thank the OP for this info too. I just noticed my CPU activity was rather high, and it's never steam.exe in the list - always Steam Client something, as it's a properly signed executable. My son gleefully advised me I'd picked up a bitcoin miner within seconds of asking him if he had a folder in appdata steam\reversed. No wonder my last few D3 sessions have been a touch sketchy :/ MAB didn't spot it and Combofix isn't updated for Windows 8.1 yet - I'm hoping deleting the folder and task, and searching my HDDs for steam.exe outside the official folder is enough :/
Had this problem myself. steam.exe was using 100% of my GPU and 25% of my CPU. Absolutely tanked performance in games. Glad I have gotten rid of it.
Reason why I kept my Task manager open every time I open my PC so I can easily monitor it.
Date posted: Aug 21, 2014, 12:34
Posts: 117