
steamhelper.exe suspicious behavior


2 replies to this topic

#1 senn598


Posted 27 November 2015 - 03:55 PM

Hello!
 
A few days ago, I noticed that a Steam icon flashed on my taskbar for a second every time I logged on to Windows, even though Steam was set not to start at logon. This seemed weird, so I uninstalled Steam, but the problem persisted.
 
Searching for "steam" in my C: drive, I found a steamhelper.exe file located in the '\appdata\roaming\steam\' folder. I submitted the file to virustotal.com for analysis, with the following result: https://www.virustotal.com/en/file/414bc2153f5aab78b2ff9cc0fc9bc2951cf28fdbf0db01a8420f6ff7e3088367/analysis/1448447340/
 
In Task Scheduler there is a task named "SteamClient" which starts steamhelper.exe at log on or every day at 19.55, with the arguments "/VERYSILENT /AFFID000186", which was first triggered on 28.09.2015.
 
Malwarebytes and Kaspersky Internet Security scans come up clean.
 
Am I infected?
 
Thanks!



 


#2 rwrjr


Posted 07 March 2016 - 05:44 PM

Same issue, including the Task Scheduler entry with the same arguments. Haven't found an explanation yet.

 

Using Windows 7 x64.

 

Here was the report Malwarebytes gave me on my most recent scan (now quarantined):

 

PUP.Optional.SteamClient     Type: File                   C:\Windows\System32\Tasks\SteamClient

PUP.Optional.SteamClient     Type: File                   C:\Users\user name\AppData\Roaming\Steam\SteamHelper.exe

PUP.Optional.SteamClient     Type: Registry Key     HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SteamClient

 

There are also a couple of "MultiPlug" Registry Key entries which I don't have the time to type out right now, but I don't think they're related to this. I can provide the full report scan if needed.


Edited by rwrjr, 07 March 2016 - 06:12 PM.
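The two posts above describe the same scheduled task, stored as an XML definition under C:\Windows\System32\Tasks. The following is an added example, not part of the original thread: a triage check that reads such a definition and reports an action that runs from a user-writable profile folder, carries a silent-install switch, and starts at logon. The heuristics, the function names and both sample tasks are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations a standard user can write to without elevation (assumed heuristic).
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local|locallow)\\|\\temp\\", re.I)
# Switches that suppress all installer UI (assumed heuristic).
SILENT = re.compile(r"(?<!\S)/(verysilent|silent|quiet)\b", re.I)

def review_task(xml_text):
    """Return the reasons a Task Scheduler XML definition deserves a manual look."""
    root = ET.fromstring(xml_text)
    triggers = root.find("t:Triggers", NS)
    kinds = [el.tag.split("}")[1] for el in triggers] if triggers is not None else []
    reasons = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", "", NS).strip().strip('"')
        args = ex.findtext("t:Arguments", "", NS)
        if USER_WRITABLE.search(cmd):
            reasons.append("runs from user-writable path: " + cmd)
        if SILENT.search(args):
            reasons.append("silent switch in arguments: " + args)
    # A logon trigger only matters once the action itself looks odd.
    if reasons and "LogonTrigger" in kinds:
        reasons.append("starts at logon")
    return reasons

def make_task(command, arguments):
    # Constructed sample in the Task Scheduler schema, not an export from a real machine.
    return f"""<Task version="1.2" xmlns="{NS['t']}">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <CalendarTrigger><StartBoundary>2015-09-28T19:55:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec>
  </Actions>
</Task>"""

# Modelled on the task described in the thread.
SUSPECT_TASK = make_task(r"C:\Users\user name\AppData\Roaming\Steam\SteamHelper.exe",
                         "/VERYSILENT /AFFID000186")
# Hypothetical updater installed under Program Files, for contrast.
BENIGN_TASK = make_task(r"C:\Program Files\Example\updater.exe", "/check")

if __name__ == "__main__":
    for name, xml_text in (("SUSPECT_TASK", SUSPECT_TASK), ("BENIGN_TASK", BENIGN_TASK)):
        print(name, review_task(xml_text))
```

To check a real definition, read the task file as bytes (`open(path, "rb").read()`) and pass that to `review_task`, so the parser can honour the file's own encoding declaration.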


#3 iangcarroll


Posted 07 March 2016 - 07:17 PM

Hi,

 

Could you please create a new topic in this forum?

Thanks.


Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!




