Met Police virus claims to have encrypted my files. Cannot open .doc .jpg etc


26 replies to this topic

#1 Bentham


Posted 21 January 2013 - 07:27 PM

My PC was recently attacked by a variant of the Met Police / ukash scareware virus. It froze the PC so that every time it booted up it presented the message screen. I couldn't get access to any function of the PC. Advice to boot up in various safe modes all failed, so I removed the hard drive to a USB caddy on another PC and tried cleaning with Malwarebytes and AVG and removed 2 trojans. PC now appears to be clean but all jpg doc txt PDF files cannot be opened. Virus message claimed that personal files had been encrypted and payment of fine was required to recover them. No luck with any advice on repairing files thus far. Can you help me find out what the virus did to the files and whether this can be reversed? Thanks for looking.


#2 martin_h


Posted 22 January 2013 - 08:50 AM

I too would like some information on this one, I am in exactly the same position, removed the virus but now have all my media files locked.

#3 madmanbean


Posted 24 January 2013 - 05:08 PM

Have exactly the same problem.

Have found and removed the virus.. I just need to sort the encrypted files!

Have tried the tool from Dr Web but as the encrypted file is a different size from the unencrypted sample it will not work!

This has to be the worst virus ever.

#4 boopme

  • Global Moderator

Posted 24 January 2013 - 08:08 PM

Hello, let's try this...
Remove the Win32/Reveton or Police Central e-crime Unit Ransomware

#5 madmanbean


Posted 25 January 2013 - 02:24 AM

There are a number of tools around to remove this virus but the main problem is that the encrypted files remain! This really is the nastiest of viruses and what I and others seek is some way to decrypt files, not links to yet another virus scanner.

#6 Bentham


Posted 26 January 2013 - 06:50 PM

Reading about this virus, it seems to be pretty common. The results of infection vary somewhat between PCs, which might affect the means of getting rid of it. However, removing the virus is not the issue. I wonder if the damage to the files is a relatively new development of the virus, as I can find nothing of use from Internet searches to understand the damage to the files to see if there is a possibility of recovering them. The virus claims they have been encrypted. I doubt this is the case. My fear is that the files are just trashed with no way of reversing the process.

Any help from someone with expertise in recovering corrupted files would be much appreciated.

#7 Grinler

  • Admin

Posted 27 January 2013 - 12:56 PM

What were these files renamed as?

#8 Bentham


Posted 27 January 2013 - 04:35 PM

Grinler,

Files were not renamed. Nothing seems to be altered about their location or directory structure. Everything looks normal until you try to open the file. Application opens as normal but fails to open file. E.g. Word reports "there was a problem with the file" and asks if you wish to repair file. This does not work. Notepad and WordPad cannot open them either. If Word files are copied to another laptop, Notepad and WordPad similarly cannot open them on the other laptop.
The same is true of jpg files. Windows picture viewer returns "no preview available" and they cannot be displayed in Internet Explorer or other image software. IrfanView reports that it cannot read the header.

I haven't managed to get any program to make any sense of them.

#9 Grinler

  • Admin

Posted 27 January 2013 - 08:31 PM

If you can, please submit one to http://www.bleepingcomputer.com/submit-malware.php?channel=3

Not sure if I can do anything about it, but worth taking a look.

#10 BoroRob


Posted 28 January 2013 - 03:28 PM

This is a new variant of the Ukash virus, other topics can be found on pchelpforum.com here and here.

This new variant apparently encrypts files with a random encryption key per file so it's impossible to recover lost files. I so hope this is not true! I'm hoping someone @ bleeping can fix this, hence my post.

I am a PC Repair guy from the North East of the UK and this virus is becoming more and more frequent and users are destroyed that their files are lost, CVs, tax returns, the lot.. Gone.. Not good!

You can spot the encryption if you open a file with a text editor. At the start of the text you can see CR_M0x04i?. In all your encrypted files.


I really hope someone can make a tool to fix this. This is a nasty one.

I have attached 3 different encrypted jpegs here if anyone wants to take a look at the encryption. As far as I'm aware it's only common files that are encrypted: office documents, picture documents etc. Exes seem OK.


Regards,
BoroRob

Edited by BoroRob, 28 January 2013 - 04:52 PM.
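A triage sketch for the symptoms described in posts #8 and #10 (names and extensions unchanged, header unreadable, the same text at the start of every affected file). This is an added example, not code from any poster or from BleepingComputer. It lists files whose first bytes do not match their extension and reports the prefix those files share; the function names and the sample marker bytes `CR_M` are assumptions modelled on the text quoted above, and the real on-disk bytes may differ.

```python
import os
from collections import Counter

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office compound file
# Expected leading bytes for the file types the thread reports as affected.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
    ".doc": (OLE2, b"{\\rtf"),   # some .doc files are really RTF
    ".xls": (OLE2,),
}

def triage(root, prefix_len=4):
    """Walk root; return (suspect_paths, common_prefix).

    A suspect is a file whose extension is in MAGIC but whose first bytes
    match none of the expected signatures. common_prefix is the leading
    prefix_len bytes shared by at least two suspects, else None."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue                      # e.g. .exe: not checked here
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(16)
            except OSError:
                continue                      # unreadable: skip, keep going
            if not head.startswith(MAGIC[ext]):
                suspects.append((path, head))
    counts = Counter(h[:prefix_len] for _p, h in suspects if len(h) >= prefix_len)
    top = counts.most_common(1)
    common = top[0][0] if top and top[0][1] >= 2 else None
    return sorted(p for p, _h in suspects), common

def build_sample(root):
    """Write a constructed sample tree (not real victim data) into root."""
    marker = b"CR_M"  # assumed bytes, modelled on the text quoted in the thread
    files = {
        "ok.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
        "ok.pdf": b"%PDF-1.4\n",
        "a.jpg": marker + b"\x9a" * 12,
        "b.doc": marker + b"\x11" * 12,
        "c.pdf": marker + b"\x42" * 12,
        "app.exe": b"MZ\x90\x00",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
```

Run `triage()` read-only against the affected drive mounted on a clean machine; the resulting list is the set of files to restore from backup or previous versions.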


#11 Bentham


Posted 28 January 2013 - 05:40 PM

Grinler,

I have submitted a jpg to the link you provided.

Rob,

Thanks for the links. All the files affected on my PC are prefixed as you reported when opened with a text editor. Very interesting reading - good to get an understanding of what the virus has done but not very encouraging with regards to a fix for these files.

Just to confirm, no sign of any exe files being attacked, just .doc .jpg .pdf .xls.

#12 gmbrereton


Posted 28 January 2013 - 06:27 PM

I have the same issue, can no longer use iTunes or MS Office documents.

#13 herg62123


Posted 28 January 2013 - 06:46 PM

Sorry to pop in, but

Grinler, could the file permissions have been changed?

If we change file permission access, could the file be saved?

#14 herg62123


Posted 28 January 2013 - 08:08 PM

Disregard my previous post.

#15 Grinler

  • Admin

Posted 28 January 2013 - 08:50 PM

No, this is not a permission issue unfortunately. Files have been encrypted. Looking into it, but doesn't look promising.

If you have backups, you may want to use them. You can also try previous versions on the affected files to see if that can restore to an unencrypted version.