It is my first time to do anything like this, i.e. using an online community forum. However, I am needing some assistance.
Recently, my computer has been infected with this Metropole Police UKASH virus. I have read previous posts concerning unlocking the computer, removing the virus and decrypting locked files with this Dr. Web decryption software.
However, I took my computer to the local computer shop, whereby my documents folder was saved and then the computer reinstalled with virus removed. However, after taking back my computer, I noticed that most of my Jpeg photographs from my Panasonic digital camera were locked and could not be opened. Also a few of my recent text documents were locked and my Notepad HTML files had been messed about.
Since I had a few old back-up Jpeg files I then tried this Dr. Web decryption software, i.e. uploading one previous good Jpeg file and then uploading the same infected encrypted file. Unfortunately, the returned message was ' No match between files found. Second file should be like first, just encrypted '. I am therefore confused as to why it is saying this, since I know they are the same files.
I have looked at file properties between saved files, a few of the files that were not infected and the infected files. The file name remains the same, i.e. it has not been changed to 'locked' by the virus, the file size is slightly different between good saved file and the same infected file, and also the infected locked files do not seem to now have the camera EXIF properties anymore. Also, the infected files have changed to 'read-only', whereby the good files are only ticked 'archive'.
It is also interesting to note that only the Jpeg photograph files from my Panasonic camera were infected, Jpeg photographs from two other cameras were not infected, i.e. I can still see and open them. Also, there are for some reason three Panasonic Jpeg photographs that seemed to have been left alone and working amongst the countless other infected Jpeg files within the same folders.
If anyone can enlighten me on this problem, i.e. not being able to use this decryption software, I would be most grateful.
You just need to unhide some files, right? From what you say the infection is gone.
Download and run Unhide.exe to restore missing files, icons and shortcuts http://download.bleepingcomputer.com/grinler/unhide.exe
You may get warnings going to that link, go there anyway and see if that helps.
If that doesn't help then download Hijackthis and post its log as instructed near the end of the last link in my signature below and tell whichever forum you post to what has happened so far.
If anything like this happens in future, best not to panic and immediately power off without clicking anything other than those controls. Then power up into Safe Mode and use System Restore to go back to before it all started,.
if successful, temporarily turn off System Restore to delete the infected restore point, then you should be OK.
Thank you Ex_Brit for the response.
I downloaded and ran Unhide.exe. The following came back as :
Processing A : \ drive : 0 files processed.
Processing C : \ drive : 35109 files processed.
Processing F : \ drive : 0 files processed.
The C : \ DOCUME 1 \ My Name 1 \ Locals 1 \ Temp \ smtp \ folder does not exist !
Unhide cannot restore your missing shortcuts !
Please see this topic in order to learn how to restore default Start menu shortcuts : http://www.bleepingcomputer.com/forums/topic405109.html
Searching for Windows Registry changes made by Fake HDD rogues.
No registry changes detected.
.......... I then downloaded Hijackthis, and ran a system scan and saved a log file. It seemed to automatically save it within Notepad.
I did not know how to post its log near the end of the last link in your signature.
Any further advice would be appreciated.
Post the HJT log on one of the forums listed right underneath the Hijackthis header. You'll have to join whatever one you select of course.