bla Oct 30, 2014 @ 7:19am
Is this a legit Steam.exe file trying to access network?
Location is at:
<SystemDrive>:\Users\<UserName>\AppData\Roaming\WinRar\Reversed\Steam.exe

Inside is 1 folder labelled Kernael, which contains 1 file: x11mod.cl (size: 277 KB),
and 10 files including that Steam.exe, which are:
config.xml
libcurl.dll
libeay32.dll
libidn-11.dll
libpdcurses.dll
pthreadGC2.dll
ssleay32.dll
steam.comp
steam.exe
zlib1.dll

Can someone please advise whether to allow this or not...? I am rather suspicious, since official Steam updates normally never alert my firewall.

Thank you very much in advance, guys.
Spawn of Totoro Oct 30, 2014 @ 7:21am 
No, it is not.

Sounds like the "Steam" Bitcoin malware I've been hearing about.

http://steamcommunity.com/discussions/forum/1/35221584425122691/

By the user Tizaki:

The new "\AppData\Roaming\Steam\Reversed\steam.exe" BitCoin malware: How to detect and remove it
What is it?

There's some new malware going around that uses your GPU to mine for BitCoins. Even while idle, you'll see spikes around 90-95% in GPU usage. During games, this can be devastating and reduce your performance to almost nothing. In my case, League and TF2 were both dropping to around 30FPS thanks to VSync. Without VSync, they'd stutter horribly between 20 and 50. Another user claims to have been infected with it the same day I had: http://steamcommunity.com/discussions/forum/1/35221031685365357/

What does it do?

It somehow installs itself and mines for BitCoins. That's pretty much it. It's pretty easy to know when it's on your system because it's barely usable. I don't know how it gets there because I wasn't using the computer at the time of infection.

How do I find it and remove it?

Navigate to \AppData\Roaming\Steam\Reversed. Once there, delete it. It doesn't appear in msconfig as far as I can tell, so you'll have to manually remove it from the directory. Once removed, run a scan with free antimalware such as ComboFix or Norman Malware Cleaner or AVZ: http://support.kaspersky.com/common/service.aspx?el=1698#block2, and MBAM (uncheck the Pro trial): https://www.malwarebytes.org/mwb-download/. Heck, run all of them.

Edit: It also stores itself in your System32/Tasks folder: http://www.cyberforum.ru/viruses/thread1242413.html. You'll have to delete these as well to prevent it from updating and re-installing if your scan doesn't catch these.

More information, translated from Russian: http://www.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fpchelpforum.ru%2Ff26%2Ft140072%2F&sandbox=1
Last edited by Spawn of Totoro; Oct 30, 2014 @ 7:24am
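A PowerShell triage script that automates the checks in the post above (the drop folder under AppData, the entry under System32\Tasks, and the outbound connection the original poster reports later in the thread), added here as an example; it is not from the thread and not Valve's tooling. It assumes Windows 8 or later with PowerShell 4 or newer and an elevated prompt (needed to read the Tasks folder), and that the registry value HKCU\Software\Valve\Steam\SteamPath holds the client's install directory, which is where the Steam client records it. The folder name, file names and IP address are the ones reported in this thread; everything else is an assumption of the example.

```powershell
# Added example (not from this thread, not Valve's code): triage the fake "Reversed\steam.exe" miner.
# Assumes Windows 8+/PowerShell 4+ (Get-FileHash, Get-NetTCPConnection) and an elevated prompt
# (needed to read %SystemRoot%\System32\Tasks). Indicators are taken from the posts in this thread.
$Indicators = @{
    FolderName = 'Reversed'
    FileNames  = @('steam.exe', 'steam.comp', 'x11mod.cl', 'version.dat')
    RemoteIP   = '5.61.33.146'
}

# 1. Locate the real client. Steam records its install directory in this registry value.
$legitSteam = $null
try {
    $steamPath  = (Get-ItemProperty 'HKCU:\Software\Valve\Steam' -ErrorAction Stop).SteamPath
    $legitSteam = (Join-Path $steamPath 'steam.exe') -replace '/', '\'
    Write-Host "Legitimate Steam client: $legitSteam"
} catch {
    Write-Warning 'Steam registry key not found; every steam.exe process will be reported.'
}

# 2. Any running steam.exe that is not the installed client is suspect. The real client is
#    Authenticode-signed by Valve; a miner dropped under AppData will usually not be.
Get-Process -Name steam -ErrorAction SilentlyContinue | ForEach-Object {
    $imagePath = $_.Path          # $null when the process cannot be opened
    if ($imagePath -and $legitSteam -and ($imagePath -ieq $legitSteam)) { return }
    $sig = if ($imagePath) { (Get-AuthenticodeSignature -FilePath $imagePath).Status } else { 'unreadable' }
    Write-Host "SUSPECT process PID $($_.Id): $imagePath (signature: $sig)"
}

# 3. Look for the drop folder under the roaming and local AppData trees, whatever parent
#    name it hides behind (the thread saw both "Steam\Reversed" and "WinRar\Reversed").
$roots = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ -and (Test-Path $_) }
Get-ChildItem -Path $roots -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ieq $Indicators.FolderName } |
    ForEach-Object {
        Write-Host "SUSPECT folder: $($_.FullName)"
        Get-ChildItem -Path $_.FullName -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $mark = if ($Indicators.FileNames -contains $_.Name) { '*' } else { ' ' }
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Write-Host ('  {0} {1,-16} {2,9} bytes  {3}' -f $mark, $_.Name, $_.Length, $hash)
            }
    }

# 4. Persistence: the thread reports a scheduled task that re-installs the miner. Task
#    definitions are XML files under System32\Tasks, so search them for the drop folder name.
$taskDir = Join-Path $env:SystemRoot 'System32\Tasks'
Get-ChildItem -Path $taskDir -File -Recurse -Force -ErrorAction SilentlyContinue |
    Select-String -Pattern $Indicators.FolderName -SimpleMatch -List |
    ForEach-Object { Write-Host "SUSPECT scheduled task definition: $($_.Path)" }

# 5. Live network: the poster saw one outbound TCP attempt. Absence proves nothing (the
#    endpoint can change), but a match ties a PID to the miner for the process check above.
Get-NetTCPConnection -RemoteAddress $Indicators.RemoteIP -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Host "ACTIVE TCP $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) PID $($_.OwningProcess)"
    }
```

Run it from an elevated PowerShell prompt before deleting anything, so the hashes of the files and the path of the task definition are recorded for whatever scanner is run afterwards. Lines marked `*` are files named in this thread; other files in the same folder are still part of the drop and go with it. The SHA256 hashes are for your own records and for submitting samples; the thread does not publish reference hashes, so there is nothing here to compare them against.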
bla Oct 30, 2014 @ 7:26am 
Originally posted by Spawn of Totoro:
No, it is not.

Sounds like the fake "Steam" Bitcoin malware I've been hearing about.

There is also version.dat inside the WinRar folder

Which ones should I delete? The whole WinRar folder?

Any idea where I might have gotten it from?

I just turned on my computer and updated a few games, Path of Exile (done), and Warframe (in progress)

I had not installed any new software since before my previous on/off cycle, so I am really confused... Is it known to be dormant for a while before activating itself?

It was asking to connect via TCP to 5.61.33.146, which is in Germany.
Spawn of Totoro Oct 30, 2014 @ 7:30am 
I updated my post with information another user gave on how to remove it.

There are many ways to get it, so I couldn't say how you got infected.
bla Oct 30, 2014 @ 7:46am 
Ok, I see the additional info now... Thanks a lot, Totoro, you just saved me a lot of trouble :)
76561198132827599 Dec 31, 2014 @ 9:11pm 
Since it is not an actual WinRar folder, yes, you can delete the whole thing. I had this stupid thing once before and it was under the exact same false folder. This thing caused Runtime R6025 Pure Virtual Function Call errors and caused ultra-bright light in some games with AAA turned all the way up, LOL. This thing is a real pain. It was also causing Max Payne 3 to run like crap on Ultra settings, and I knew something was wrong then, when my old 650 Ti could almost max out Max Payne 3. I almost thought the VRAM on my R9 270 was starting to fail, until I had GPU-Z log my GPU functions and noticed it still running at over 90% while running no game. So I looked in to see what file was doing it, and that is how I found it. I am so sick of lazy xxxxxx leeching off people! Buy your own xxx hardware and ruin it, and leave my stuff alone! You can slap my face and call me anything you want, but when you mess with my RIG, you messed up big!

Date Posted: Oct 30, 2014 @ 7:19am
Posts: 5