Beef Goulash Dec 26, 2013 @ 3:55pm
Virus activity during a game
I was in a game fullscreen when it switched back to Windows and a small window popped up saying "Your computer is locked…" followed by a list of file types it claims to have locked and that I need to pay for something to get them back. The window is smaller than the Windows Calculator and it wasn't particularly well designed to look legitimate so I know it was a fraud. What shocked me was that it stole focus from a Steam game. I didn't have a browser window open at the time so it almost certainly came through Steam, which I would never have considered possible. I shut down the machine by holding the power button not 30 seconds after the virus appeared. I'm now wondering how serious the problem is. Anyone got an idea?
Thanks!
Showing 1-13 of 13 comments
< >
rmoreau_jr Dec 26, 2013 @ 4:01pm 
you can turn your comp back on and run it in secured mode to run a virus scan. If you don't have an anti-virus program, I would seriously invest in one or get a free one after you do a scan.
Isnogood Dec 26, 2013 @ 4:02pm 
it can be several days ago you got the virus
crunchyfrog Dec 26, 2013 @ 4:14pm 
Oh no, you got this lovely CryptoLocker virus that's currently doing the rounds.

As Moreau Jr has stated, you can't remove the virus just by "normal" usage.

First, I'd recommend you Google for CryptoLocker solutions specifically, but generally, you need to download MalwareBytes and CCleaner for good measure.

Once you've done that and installed them, start your PC in Safe mode (normally by hitting F8 while it boots up). Then run them both, preferably MalwareBytes first.

Once they've done their thing, they'll normally restart the system where you can carry on as normal. However, this CryptoLocker nasty is pretty intensive so I wouldn't be surprised if this is useless - so I emphasise Googling for precise help.

Oh and by the way, it DIDN'T come through Steam. CryptoLocker by nature will sit dormant for some time, probably days before activating - is it so surprising they've been activating over Christmas?
Last edited by crunchyfrog; Dec 26, 2013 @ 4:16pm
Beef Goulash Dec 26, 2013 @ 4:35pm 
Thank you for all your replies. I have MSE on the infected system and right now I'm doing a scan in Safe Mode. I did search for the behaviour prior to restarting the computer but all the results are for those virus that pretend to be law enforcement agencies taking action on copyright issues. The one I have is much simpler so those solutions may not apply to my case. Anyway I'll try them after the scan. Good to know Steam is still secure.
crunchyfrog Dec 26, 2013 @ 4:37pm 
Originally posted by Beef Goulash:
Thank you for all your replies. I have MSE on the infected system and right now I'm doing a scan in Safe Mode. I did search for the behaviour prior to restarting the computer but all the results are for those virus that pretend to be law enforcement agencies taking action on copyright issues. The one I have is much simpler so those solutions may not apply to my case. Anyway I'll try them after the scan. Good to know Steam is still secure.

As I said Google specifically for CryptoLocker - it was verified on the BBC News website a few days ago that millions have been affected in recent days with this.

You're doing the right procedure, but I will repeat that one of the reasons this is so notable in the news is because it's affected so many and because it hooks into some Microsoft established code, making it a real ♥♥♥♥♥♥♥ to get rid of, so you might need some unusually specific procedure to go through.
Last edited by crunchyfrog; Dec 26, 2013 @ 4:38pm
Psychedelic Soldier Dec 26, 2013 @ 5:49pm 
Ok what sites have you been visiting lately? cause im gonna stay away from those :P
Beef Goulash Dec 26, 2013 @ 11:10pm 
crunchyfrog, thank you for your advice. I do remember reading the news from BBC's website back in like November.
And for whoever might be interested, I took another look at that irritating window and it says the following:
"Your computer is LOCKED. All files with extensions *.exe, *.doc, *.xml, *.docx, *.rar, *.zip are ENCRYPTED. Trying to bypass this will make them unRECOVERABLE!
To UNLOCK your computer and decrypt files you must do SURVEY.
Tip: SMS Surveys unlock faster."
Below there's a hyperlink says "Open Survey" and below that is a input box with a "Unlock" button to its right. This window doesn't appear until the desktop and taskbar etc. are loaded. Then it hides everything but I could still open web browser by pressing the physical button on the keyboard. I was also able to open the Ctrl-Alt-Del screen (Windows 7 SP1) but the malware disabled the task manager button in the registry table. While in Safe Mode, I located and deleted this file called svhost .exe in User/AppData… I also deleted the corresponding entry in registry table. However, when I boot up back in normal mode, the malware was able to recover itself. Previously I did a full scan in Safe Mode with MSE and it detected no threat. I haven't been able to find an exactly matched profile for this malware on the Internet, obviously it's not as popular.
I visited nfscars.net before, since someone asked.

Last edited by Beef Goulash; Dec 26, 2013 @ 11:16pm
crunchyfrog Dec 27, 2013 @ 10:23am 
Originally posted by Beef Goulash:
crunchyfrog, thank you for your advice. I do remember reading the news from BBC's website back in like November.
And for whoever might be interested, I took another look at that irritating window and it says the following:
"Your computer is LOCKED. All files with extensions *.exe, *.doc, *.xml, *.docx, *.rar, *.zip are ENCRYPTED. Trying to bypass this will make them unRECOVERABLE!
To UNLOCK your computer and decrypt files you must do SURVEY.
Tip: SMS Surveys unlock faster."
Below there's a hyperlink says "Open Survey" and below that is a input box with a "Unlock" button to its right. This window doesn't appear until the desktop and taskbar etc. are loaded. Then it hides everything but I could still open web browser by pressing the physical button on the keyboard. I was also able to open the Ctrl-Alt-Del screen (Windows 7 SP1) but the malware disabled the task manager button in the registry table. While in Safe Mode, I located and deleted this file called svhost .exe in User/AppData… I also deleted the corresponding entry in registry table. However, when I boot up back in normal mode, the malware was able to recover itself. Previously I did a full scan in Safe Mode with MSE and it detected no threat. I haven't been able to find an exactly matched profile for this malware on the Internet, obviously it's not as popular.
I visited nfscars.net before, since someone asked.

It could possibly be a variant of CryptoLocker - that's the problem with these bloody viruses. Plenty of ♥♥♥♥♥♥♥♥s out there to modify them.

The only other thing I would do is have a good look through the usual antivirus people's sites (mcAfee, Avira, MS, Norton et al) and see what the latest is.

Sorry I can't be of more specific help.
Pvt_Booger Dec 27, 2013 @ 12:59pm 
I hope for you it is not Cryptolocker. There is no solution for this virus other than formatting your drive, as you will not be able to recover your encrypted files. The virus uses sophisticated encryption algorithms which make recovery virtually impossible.
crunchyfrog Dec 27, 2013 @ 3:28pm 
Originally posted by Pvt_Booger:
I hope for you it is not Cryptolocker. There is no solution for this virus other than formatting your drive, as you will not be able to recover your encrypted files. The virus uses sophisticated encryption algorithms which make recovery virtually impossible. :devilskiss:

That's not strictly true.

It is possible to remove the majority (if not all) of it. However, some files can remain encrypted, and it is indeed a real ♥♥♥♥♥♥♥.

That's precisely why I've adived to keep a close eye on the security professionals for data.

Although I would also add, as you say, it might be better all-round to reformat/reinstall.

As I understand it there's no evidence to show that anything's being stolen, just the ransom seems to be the point. However, if this has crept in, then it's highly likely other stuff may have.
I know what option I'd go for, personally - reformat.
Last edited by crunchyfrog; Dec 27, 2013 @ 3:30pm
Pvt_Booger Dec 27, 2013 @ 3:53pm 
Originally posted by crunchyfrog:
That's not strictly true.

It is possible to remove the majority (if not all) of it. However, some files can remain encrypted, and it is indeed a real ♥♥♥♥♥♥♥.

That's precisely why I've adived to keep a close eye on the security professionals for data.

Although I would also add, as you say, it might be better all-round to reformat/reinstall.

As I understand it there's no evidence to show that anything's being stolen, just the ransom seems to be the point. However, if this has crept in, then it's highly likely other stuff may have.
I know what option I'd go for, personally - reformat.

The virus itself is easy to remove but, as far as I am aware, the files are impossible to retrieve other than by paying. This is simply because the algorithm is unique to the infected machine, and the passkey generated is also unique. This is only stored server-side and it is non-retrievable (other than by paying, as indicated).

I suppose it could technically be possible to decrypt the files but it would require a brilliant mind and a lot of patience.

If you are aware of anything new though do share, as to my knowledge this is one of the most destructive viruses in the last few years.
Pvt_Booger Dec 27, 2013 @ 3:55pm 
Sorry, I should have added "Assuming the OP is infected with Trojan.Cryptolocker"
crunchyfrog Dec 27, 2013 @ 4:02pm 
Originally posted by Pvt_Booger:
Sorry, I should have added "Assuming the OP is infected with Trojan.Cryptolocker"

I don't disagree with you at all.

I was just trying to fully explain the situation (to avoid the usual scaremongering). As far as anything new, no I have nothing to share, but it does depend on what's going on - the version of Crypt Locker, and more importantly what stage it's all at.

I certainly agree and emphasise that once those files are encrypted, they're as good as gone. It is a pure ♥♥♥♥♥♥♥.

This is why I emphasised the keeping an eye on the professional's sites - they're always the best source of info, and what (and if) it does get cracked, that's the way you're going to find out first.

However, I will reiterate that in the long run the OP should do two things:
(1) Reformat and reinstall. Give up the ghost.
(2) Review their browsing habits and check their security setups. It got in somehow, and there's no record of it coming from anywhere "reputable".
Last edited by crunchyfrog; Dec 27, 2013 @ 4:03pm
Showing 1-13 of 13 comments
< >
Per page: 15 30 50
Date Posted: Dec 26, 2013 @ 3:55pm
Posts: 13