Windows 7: Metropolitan Police ransomware - advice requested

Hello and sorry for the cross-post. I didn't get much joy on the General forum.

Hello,



I suffered the infamous Metropolitan ransomeware infection today. After a lot of reading and restarts I managed to track down the source of the infection: it was not in HKLM but in HKCU under CurrentVersion.

To cut a long story short, I did the following (all in Safe Mode):
1. Found and deleted the infection using Malaware
2. Found the infected regedit key and removed it
3. Removed the responsible startup item from msconfig.exe

Despite all this, the machine kept hanging when I tried to start it up in Normal Mode. So then I resorted to a System Restore at a point about a week ago.

At first sight, the machine seems to be okay - running a bit slowly and some applications crashing. Eg. Soon after coming back online in Normal Mode, I tried installing Microsoft Security Essentials but it keeps crashing.

So my question is: should I be concerned that the malware still lives on after the restore? Should I just bite the bullet and do a full OEM recovery?

Thank you.

My standard answer to that question is always the same;
Make sure your backups are up to date. Wipe the drive. Reinstall.
Some would disagree, but that's just my opinion. I usually find I spend less time with a reinstall than I do with a cleanup, and the reinstall always gets rid of everything evil.

Just one man's opinion.

Generally, I think that, once a Windows installation was affected by a virus and damaged in some serious way, it's better to do a full reinstall (possibly reformat) instead of trying to repair whatever the virus might have done. Not that it's not possible, sure it's doable, but many times it just take more time to try to repair than simply blow off your install and start over.

The virus itself may have been removed, but any thing that it may have deleted or changed may still be altered. Probably that's the source of problems.

I always do a format before reinstall, better safe than sorry.

Nope, it's two. Great advice, and the only thing that I would do.

You may need a little help from a special removal tool designed to remove fake wares. Fakerean removal tool

Another free security for seeing Windows run normally again once a malware is taken offline would the other older VIPRE Rescue Program This runs from a temp folder without any installation required.

Both of those are from GFI there while you will still want to run a full security sweep of the drive once you have given each a try. Once you have Windows running normally again try downloading the 30day trial version for VIPRE Internet Security 2012 and run a full system scan.

Following the system scan turn the System Restore off. That will automatically clear all restore points ruling out any chance of reinfections from any points you have now while typically viruses not fake scam wares would be the thing to see them corrupted. Later you turn that back on and start seeing all new clean restore points created fresh.

Hello,

I have already done a full system scan with Malwarabytes, Avast and MSE. Malwarebytes caught one infection, Avast none and MSE two. For some reason after I managed to restore my machine to Normal mode, I had to uninstall Avast - it just didn't like co-existing with MSE.

I will follow all the steps you suggest but then do you suggest that I uninstall MSE and use VIPRE instead?

Also, is it worth buying the full version of Malwarebytes?

Thank you.

The particular flavor of VIPRE is their premium version for that software that will do far more then others like Malwarebytes like offering a firewall as well as web filtering to block out bad sites once malicious code is detected. Sometimes I call it a little "overprotective" at times however.

The Clam av's free Spyware Terminator would tend to find more data miners when comparing the two. But VIPRE will do quite a bit more if you are looking at going with a paid for program. VIPRE will actually find bugs hidden in an zip or rar files you download posing as utilities which has now only been seen with the Windows 8 Windows Defender(MS SE under a different name included in 8).

Typically any av program's installer will automatically prompt to see any other av program removed first as part of the installation requirement. VIPRE is no different in that regard. Yet I reinstalled the free version of AVG right after first trying VIPRE out back in May 2010.

You can try the 30 day full featured trial where they email you an activation code that will expire in that amount of time to give a good look over before deciding on which purchase option.

The options are for 1, 2, 3yr. one or two pc and even offer a life time license for single pc.

Thank you for the information. On another note, considering I've been through the registry, msconfig and used multiple programs, do you think it's advisable for me to continue using my machine as is?

Or should I really backup my data and do a full system recovery? I'm a bit conflicted to be.

Hi,

You seem doubtful that you should, so follow your intuition : do a clean OEM install. I would if i was in your shoes.

Clean Reinstall - Factory OEM Windows 7

Regards,
Golden