*SteamStealer Trojan* CSGO Simple External ESP

The aforementioned thread, "CSGO Simple External ESP v1.0 By Synconan" was approved but appeared to be actually malicious. It is estimated that over 800 users downloaded and potentially ran the file without realising they may have been infected with a SteamStealer trojan.

The trojan was hidden under many layers of code making it hard to detect. It operates by decrypting these layers and then injecting the trojan into the original "CSGO ESP.exe" process.

The trojan operates by scanning Steam.exe for your Steam ID and initiating a hidden trade by trading items belonging to the following game IDs:
- 730 (Counter-Strike: Global Offensive)
- 570 (Dota 2, looks for items with these tags: common, uncommon, rare, mythical, legendary, immortal, arcana)
- 440 (Team Fortress 2)

It sends the items to the following Steam ID: 76561198136701777. Resolving this ID produces the following Steam profile page:
http://steamcommunity.com/id/synconan/

His IP's are 58.173.1.145 and 82.8.41.117 for anyone that wants revenge.

The process does appear to be "persistent" meaning that works to ensure that it keeps running no matter what you do. It does this by continuing to restart the process whenever one is closed and sets a registry key on startup called "Multimedia Class Scheduler". It is found at the following location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\Run\M ultimedia Class Scheduler

Once solution suggested by @UnfairestB to combat the persistent nature of the trojan is the following:
After the process is successfully killed along with "CSGO ESP.exe", delete the startup entry from the registry.

On behalf of MPGH Staff, I would like to apologise for what has occurred despite not being directly involved the the situation and will try my best to help those affected. I have not personally run the file myself but this is what I could gather purely from static analysis.

Thank you!

obviesly no one could stay mad at the one who aproves liek most of the files. i wish u could forgive urself

btw how can i fix this cuz i downloaded it a while ago

Thank you, kind sir. This was really a lot of help !

Yes, this has happened before.

Since turb0z "left" every hack released thus far was either fake or complete shit. Anyways, @Color, dont blame yourself, everyone makes mistakes.

Thanks mate, appreciate it.

In other words, fuck you.

You are welcome!

I don't think you should leave over such thing, it's just, I think we'd prefer you'd download and run the hack through Sandboxie and see whether these hacks are legit. I know it's effort, which is why I do it myself when I download hacks, just in case it decides to run some other bullshit on my PC. Also, you should make a sticky which shows a guide which shows a user how to block the program from editing anything in the SYSTEM. Regarding the hack, I disabled the access the hack had on my PC, which minimalised what the hack could do. Disabled the 'rights' the program had to SYSTEM

Sooo... Should I change my password?

ehmm... ive a process called atiersxx.exe so with 2 x`s, is this the same or not ?