The aforementioned thread, "CSGO Simple External ESP v1.0 By Synconan", was approved but turned out to be malicious. It is estimated that over 800 users downloaded and potentially ran the file without realising they may have been infected with a SteamStealer trojan.
The trojan was hidden under many layers of code, making it hard to detect. It operates by decrypting these layers and then injecting the trojan into the original "CSGO ESP.exe" process.
The trojan operates by scanning Steam.exe for your Steam ID and initiating a hidden trade by trading items belonging to the following game IDs:
- 730 (Counter-Strike: Global Offensive)
- 570 (Dota 2, looks for items with these tags: common, uncommon, rare, mythical, legendary, immortal, arcana)
- 440 (Team Fortress 2)
It sends the items to the following Steam ID: 76561198136701777. Resolving this ID produces the following Steam profile page:
https://steamcommunity.com/id/synconan/
His IPs are 58.173.1.145 and 82.8.41.117 for anyone that wants revenge.
The process does appear to be "persistent", meaning that it works to ensure that it keeps running no matter what you do. It does this by restarting the process whenever one is closed and by setting a registry value on startup called "Multimedia Class Scheduler". It is found at the following location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\Run\Multimedia Class Scheduler
One solution suggested by @UnfairestB to combat the persistent nature of the trojan is the following:
Code:
Once the 'atiesrx.exe' pops up:
- Start task manager.
- Find "atiesrx.exe" in the list and right click it > Properties > Security tab > Edit... > Deny everything, on all accounts in the list above (if possible).
- Now apply your changes and press Ok.
- Go back to your task manager and right click "atiesrx.exe" once again > End process tree.
- Once the process is terminated it should not come back.
After the process is successfully killed along with "CSGO ESP.exe", delete the startup entry from the registry.
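The manual steps above can be scripted. The following PowerShell triage script is an added example and is not from the original post or from @UnfairestB; it only uses the indicators already listed in this thread (the process names "atiesrx.exe" and "CSGO ESP.exe", the "Multimedia Class Scheduler" Run value, and the two IP addresses). The post writes the Run key as HKCU\Software\Microsoft\Windows\Run; the standard Windows autorun location is HKCU\Software\Microsoft\Windows\CurrentVersion\Run, so the script checks both. Without -Remediate it only reports; with -Remediate it denies execution on the binaries first (so neither process can relaunch the other), then kills them and removes the Run value.

```powershell
# Added triage script (not the original post's code). Run from an elevated PowerShell prompt.
# Indicators are taken from the thread; the CurrentVersion\Run path is the standard autorun key.
[CmdletBinding()]
param(
    [switch]$Remediate   # report only unless this switch is given
)

$ProcessNames = @('atiesrx', 'CSGO ESP')            # process names from the post, without .exe
$RunValueName = 'Multimedia Class Scheduler'        # Run value name from the post
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\Run',                # path exactly as written in the post
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'  # standard per-user autorun key
)
$KnownIPs = @('58.173.1.145', '82.8.41.117')        # IPs from the post

$findings = @()

# 1. Collect matching processes first, so both can be neutralised in one pass.
$procs = foreach ($name in $ProcessNames) {
    Get-Process -Name $name -ErrorAction SilentlyContinue
}
foreach ($p in $procs) {
    $findings += [pscustomobject]@{ Type = 'Process'; Detail = "$($p.ProcessName) PID $($p.Id) Path $($p.Path)" }
}

# 2. Outbound connections to the IPs named in the post (Get-NetTCPConnection needs Windows 8 / 2012+).
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $KnownIPs -contains $_.RemoteAddress } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'Connection'; Detail = "PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort)" }
    }

# 3. The persistence value, checked in both candidate Run keys.
$runHits = foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        $item = Get-ItemProperty -Path $key -Name $RunValueName -ErrorAction SilentlyContinue
        if ($item) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Detail = "$key\$RunValueName = $($item.$RunValueName)" }
            $key
        }
    }
}

if ($Remediate) {
    # Deny Everyone on each binary before killing, mirroring the manual ACL step above,
    # so the surviving process cannot start the other one again.
    foreach ($p in $procs) {
        if ($p.Path -and (Test-Path $p.Path)) {
            $acl  = Get-Acl -Path $p.Path
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Deny')
            $acl.AddAccessRule($rule)
            Set-Acl -Path $p.Path -AclObject $acl
        }
    }
    foreach ($p in $procs) {
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
    }
    foreach ($key in $runHits) {
        Remove-ItemProperty -Path $key -Name $RunValueName -ErrorAction SilentlyContinue
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the thread were found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it once without the switch to see what is present, then again with -Remediate. Killing the processes only after the deny ACL is in place matters because, as described above, each process restarts the other; if the binary can no longer be executed, the restart fails and the process tree stays dead. The deleted binaries and the Run value should still be inspected afterwards, since the script covers only the indicators this thread lists.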
On behalf of MPGH Staff, I would like to apologise for what has occurred, despite not being directly involved in the situation, and will try my best to help those affected. I have not personally run the file myself, but this is what I could gather purely from static analysis.