Cheat Engine Forum (The Official Site of Cheat Engine) - Computer Talk
In 4 years finally caught a virus... needs some input :P

HiSaZuL
Expert Cheater
Reputation: 6

Joined: 09 Aug 2011
Posts: 245

Posted: Thu Jan 08, 2015 11:37 pm    Post subject: In 4 years finally caught a virus... needs some input :P

Yeah I know, bragging rights right there. Guess after 3-4 years of never updating Windows or caring about virus... err, I mean... anti-virus/malware/firewall software, I finally caught me a virus. Super proud of myself.

Was causing GPU load to skyrocket to 90ish %. Looks like it also sends some crap somewhere, but I can't be arsed to find out what or where, don't even know how to...

Found a single mention of this bugger online. Names itself CODEXi and plants itself into Roaming folder under... either Steam or Ubisoft etc.

In Task Manager it named itself steam while it wasn't even in the Steam folder... the people making this crap are on a whole different level of retarded... not even with a capital letter, and I had no Steam running, so, well, anyway...


Anyone dealt with this crap before? Can I just delete this bugger and call it a day?
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8517
Location: 127.0.0.1

Posted: Fri Jan 09, 2015 3:57 am

From the description you gave alone, without looking it up, it sounds like a bitcoin miner or something along that line if it's raping your GPU. The data it's sending out is probably wallet information etc. to obtain what to mine for and so on.

Now with that, looking it up does confirm it's a coin miner for Darkcoin.
The user account it's tied to is: overbtc123.

It launches as:
steam.exe overbtc123.

It creates a scheduled task to force itself to start on system startup.

From the look of it, it does not create other files or infect your system though. So cleanup looks like it should be easy.

Delete the following files if they exist:
C:\Users\<your_name>\AppData\Roaming\Identities\CODEXi\*
C:\Users\<your_name>\AppData\Roaming\steam\* (Note: Steam does not make a file here so it is safe to delete the whole folder if it exists.)
C:\Users\<your_name>\AppData\Roaming\newsi_2\*

Others have reported the following files existed from this too:
- C:\Users\<your_name>\AppData\Roaming\Update~1\* (Stated that files included in this folder were infected.)
- C:\Users\<your_name>\AppData\Roaming\ (Within the roaming folder, look for googleupd.exe, some said this was infected too.)
- C:\Users\<your_name>\AppData\Roaming\ (Within the roaming folder, look for other copies of steam.exe or just 'steam' without an extension. Delete those as well.)
- C:\Program Files (x86)\GoforFiles Updater\* (Delete anything with this similar name.)
- C:\Windows\System32\Tasks\GoforFilesUpdate (Delete anything with this name.)
- C:\Windows\System32\Tasks\ (Delete anything with the name like 'Steam-S-1-1-11-1111GUI', UpdaterEx, etc.)

Others have reported the following as well:
- CODEXi will hide itself in random folders within the AppData/Roaming folder. So be sure to search for other copies and delete those as well.
- The infection (possibly) creates tasks within the C:\Windows\Tasks\ folder; look for any that look suspicious etc. and delete them.
- Creates a file at: C:\Program Files (x86)\Internet Explorer\ieplore.exe.bat - Delete this as well.
- Alters Internet Explorer zone settings and other possible protection settings.

Delete the following task from your scheduled tasks:
Control Panel -> Administrative Tools -> Task Scheduler
- Look for any task running steam, Steam does not create any tasks normally, so anything steam related can be deleted.
- Delete any and all other tasks that are not what you want on your system etc.

Outside of this, the main exe does not appear to actually execute anything to redownload stuff or infect other things. Just seems like whatever installs this trojan is the file dropper itself and just tries to spread a few files around to ensure that the file is run. Does not appear to recreate itself etc. However after removal try and get a scanner to double check things.

As for a recommendation, I personally dunno. I don't use any anti-virus, as most are resource hogs or install all kinds of stupid bloatware nowadays.
In most cases if you want something decent you are going to have to pay / or find a cracked copy of one.

You can check out one of the many free ones such as AVG, Malwarebytes, etc.

_________________
- Retired.
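A read-only triage script for the cleanup steps atom0s lists above, added here as an example and not taken from the thread. It assumes Windows 8 or later with PowerShell 4+ (Get-ScheduledTask, Get-FileHash); the file names, task names and the overbtc123 worker name are the ones from the post, and it reports findings only, deleting nothing, so the output can be reviewed before anything is removed.

```powershell
# Triage for the CODEXi / fake "steam.exe" miner: list suspect tasks and files, delete nothing.
# Assumption (not from the thread): Windows 8+/PowerShell 4+ for Get-ScheduledTask and Get-FileHash.

$roaming = $env:APPDATA                      # C:\Users\<name>\AppData\Roaming
$pf86    = ${env:ProgramFiles(x86)}          # null on 32-bit Windows, filtered out below
# Names reported in the thread; "steam" is handled separately so the real Steam install is not flagged.
$names   = 'CODEXi','newsi_2','Update~1','googleupd.exe','GoforFiles*','UpdaterEx*','ieplore.exe.bat'

# 1. Scheduled tasks. Steam creates none, so any task named or launching "steam", running from
#    AppData\Roaming, or carrying the miner's worker name (overbtc123) is suspect.
$suspectTasks = foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($t.TaskName -match '(?i)steam|GoforFiles|UpdaterEx' -or
            $cmd -match '(?i)steam|overbtc123|\\AppData\\Roaming\\') {
            [pscustomobject]@{ Task = $t.TaskPath + $t.TaskName; State = $t.State; Command = $cmd.Trim() }
        }
    }
}
"== Suspect scheduled tasks =="
$suspectTasks | Format-Table -AutoSize | Out-Host

# 2. Files and folders: the reported names under Roaming, Program Files (x86) and both task stores,
#    plus any steam.exe or extensionless "steam" anywhere under Roaming.
$roots = @($roaming, $pf86, "$env:SystemRoot\System32\Tasks", "$env:SystemRoot\Tasks") | Where-Object { $_ }
$hits  = foreach ($root in $roots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $n = $_.Name
                ($names | Where-Object { $n -like $_ }) -or
                ($_.FullName -like "$roaming\*" -and $n -match '^(?i)steam(\.exe)?$')
            }
    }
}
"== Suspect files and folders =="
$hits | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize | Out-Host

# 3. SHA-256 of each suspect file, so it can be checked with a scanner before it is deleted.
"== Hashes =="
$hits | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    if ($h) { "{0}  {1}" -f $h.Hash, $_.FullName }
}
```

Run it from an elevated PowerShell so the task store under System32\Tasks is readable; the recursive walk of Program Files (x86) can take a minute.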
HiSaZuL
Expert Cheater
Reputation: 6

Joined: 09 Aug 2011
Posts: 245

Posted: Fri Jan 09, 2015 5:26 pm

Aha thank you for pointing me to how the little bugger starts! It was in fact in task scheduler under the name "Steam_x64-S-2-106-91".

On the subject of personal amusement with worthless scanning software: ran it through a few decent free online ones like Malwarebytes and none of them noticed it at all, even with full scans. Which is why I mentioned I stopped bothering with that rubbish years and years ago. They hog resources, install crap and do nothing useful at the end of the day >_>

Anyway, appreciate pointing me to the start trigger. I spent a good 20 minutes poking and prodding the registry and found nothing relevant to this; should have checked the obvious place.


Anyway this was semi amusing, been a long time since I had a virus lol. Probably ever since I stopped using anti-virus software.
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8517
Location: 127.0.0.1

Posted: Fri Jan 09, 2015 8:38 pm

A lot of times, things like this will go undetected by scanners because it is a legit program. It is just installed on your system unwillingly. With that, most times, the installer application will delete itself after the job is done. It simply wants to turn your system into a miner for the benefit of someone else. That said, the intent is not to infect your system; they want it running top notch, uninfected and undetected, to make the most out of it.
_________________
- Retired.
zm0d
Master Cheater
Reputation: 7

Joined: 06 Nov 2013
Posts: 423

Posted: Fri Jan 09, 2015 9:04 pm

HiSaZuL wrote:
been a long time since I had a virus lol

You should keep in mind that there are ways to infect your PC without doing anything other than normal browsing... You don't have to download anything... it just downloads itself and there you go. Stuff like that ain't seldom in today's modern world.

atom0s wrote:
atom0s

I'm a bit unsure if he's somehow a hyper intelligent, self-learning computer or a god. Perhaps both. He speaks computish definitely fluently.
poopsticksgalore
How do I cheat?
Reputation: 0

Joined: 30 Jan 2015
Posts: 1

Posted: Fri Jan 30, 2015 9:48 pm

By any chance, do any of you play Counter-Strike: Global Offensive and have been on any community deathmatch servers hosted by a group called Hellsgamers? Found a folder in mine called Hellsgamers... found that really suspicious.
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8517
Location: 127.0.0.1

Posted: Sat Jan 31, 2015 1:23 am

poopsticksgalore wrote:
By any chance, do any of you play Counter-Strike: Global Offensive and have been on any community deathmatch servers hosted by a group called Hellsgamers? Found a folder in mine called Hellsgamers... found that really suspicious.


Source games allow servers to send you custom materials, maps and other content. HellsGamers is a legit group of servers and players.

_________________
- Retired.