Metropolitan Police ransomware - advice requested

[insomniac1]

Hello and sorry for the cross-post. I didn't get much joy on the General forum.

Hello,

I suffered the infamous Metropolitan ransomeware infection today. After a lot of reading and restarts I managed to track down the source of the infection: it was not in HKLM but in HKCU under CurrentVersion.

To cut a long story short, I did the following (all in Safe Mode):
1. Found and deleted the infection using Malaware
2. Found the infected regedit key and removed it
3. Removed the responsible startup item from msconfig.exe

Despite all this, the machine kept hanging when I tried to start it up in Normal Mode. So then I resorted to a System Restore at a point about a week ago.

At first sight, the machine seems to be okay - running a bit slowly and some applications crashing. Eg. Soon after coming back online in Normal Mode, I tried installing Microsoft Security Essentials but it keeps crashing.

So my question is: should I be concerned that the malware still lives on after the restore? Should I just bite the bullet and do a full OEM recovery?

Thank you.

 

[pricetech]

My standard answer to that question is always the same;
Make sure your backups are up to date. Wipe the drive. Reinstall.
Some would disagree, but that's just my opinion. I usually find I spend less time with a reinstall than I do with a cleanup, and the reinstall always gets rid of everything evil.

Just one man's opinion.

 

[Alejandro85]

Generally, I think that, once a Windows installation was affected by a virus and damaged in some serious way, it's better to do a full reinstall (possibly reformat) instead of trying to repair whatever the virus might have done. Not that it's not possible, sure it's doable, but many times it just take more time to try to repair than simply blow off your install and start over.

The virus itself may have been removed, but any thing that it may have deleted or changed may still be altered. Probably that's the source of problems.

 

[dwarfer66]

I always do a format before reinstall, better safe than sorry.

 

[DBone]

My standard answer to that question is always the same;
Make sure your backups are up to date. Wipe the drive. Reinstall.
Some would disagree, but that's just my opinion. I usually find I spend less time with a reinstall than I do with a cleanup, and the reinstall always gets rid of everything evil.

Just one man's opinion.

Nope, it's two. Great advice, and the only thing that I would do.

 

[Night Hawk]

You may need a little help from a special removal tool designed to remove fake wares. Fakerean removal tool

Another free security for seeing Windows run normally again once a malware is taken offline would the other older VIPRE Rescue Program This runs from a temp folder without any installation required.

Both of those are from GFI there while you will still want to run a full security sweep of the drive once you have given each a try. Once you have Windows running normally again try downloading the 30day trial version for VIPRE Internet Security 2012 and run a full system scan.

Following the system scan turn the System Restore off. That will automatically clear all restore points ruling out any chance of reinfections from any points you have now while typically viruses not fake scam wares would be the thing to see them corrupted. Later you turn that back on and start seeing all new clean restore points created fresh.

 

[insomniac1]

Hello,

I have already done a full system scan with Malwarabytes, Avast and MSE. Malwarebytes caught one infection, Avast none and MSE two. For some reason after I managed to restore my machine to Normal mode, I had to uninstall Avast - it just didn't like co-existing with MSE.

I will follow all the steps you suggest but then do you suggest that I uninstall MSE and use VIPRE instead?

Also, is it worth buying the full version of Malwarebytes?

Thank you.

 

[Night Hawk]

The particular flavor of VIPRE is their premium version for that software that will do far more then others like Malwarebytes like offering a firewall as well as web filtering to block out bad sites once malicious code is detected. Sometimes I call it a little "overprotective" at times however.

The Clam av's free Spyware Terminator would tend to find more data miners when comparing the two. But VIPRE will do quite a bit more if you are looking at going with a paid for program. VIPRE will actually find bugs hidden in an zip or rar files you download posing as utilities which has now only been seen with the Windows 8 Windows Defender(MS SE under a different name included in 8).

Typically any av program's installer will automatically prompt to see any other av program removed first as part of the installation requirement. VIPRE is no different in that regard. Yet I reinstalled the free version of AVG right after first trying VIPRE out back in May 2010.

You can try the 30 day full featured trial where they email you an activation code that will expire in that amount of time to give a good look over before deciding on which purchase option.

The options are for 1, 2, 3yr. one or two pc and even offer a life time license for single pc.

 

[insomniac1]

Thank you for the information. On another note, considering I've been through the registry, msconfig and used multiple programs, do you think it's advisable for me to continue using my machine as is?

Or should I really backup my data and do a full system recovery? I'm a bit conflicted to be.

 

[Golden]

Hi,

You seem doubtful that you should, so follow your intuition : do a clean OEM install. I would if i was in your shoes.

http://www.sevenforums.com/tutorials/219487-clean-reinstall-factory-oem-windows-7-a.html

Regards,
Golden

 

[insomniac1]

I'm fairly familiar with computers, since I have an IT-centric-ish job. I'm just one of those that thought it would never happen to me.

Oddly enough, I feel a bit violated that my machine got infected and I have some nagging doubts, so I think I will go for the break-the-glass option.

Can you suggest a list of security tools to use in the fresh install? So far I've been suggsted:
- Sandboxie
- Vipre Internet Suite / MSE / Avast Free / AVG Free equivalent
- Malwarebytes
- Hijack This

 

[Anthony]

I agree, time to reinstall. Clean is Lean

After clean install use firefox with some plugins, i.e adblock, noscript are just a few i use

 

[Golden]

Hi,

Don't go overboard with the anti-malware : one would be likely to detect the 'signature' of another as malware, leading to false positives.

Suggestions come down to personal preference and personal experience. My recommendation would be:
- MSE
- Malwarebytes (paid if you want it to be resident)
- Windows Firewall
- Keep Java, and the Adobe suites (Flashplayer & Reader) updated (if you don't use them, uninstall them)

Note : the only difference between free and paid Malwarebytes, is that the paid version offers:
- malicious IP blocker
- automatic database updates
- update and scanning scheduler
- resident in memory
The actual scanning engine in both the free and paid versions is exactly the same.

Regards,
Golden

 

[insomniac1]

Understood, thank you for the help.

 

[Layback Bear]

Their are as many opinions on security programs as their are stars in the sky. Here is what I use.
1. Windows 7 built in firewall (active)
2. Microsoft Security Essentials (active)
3. Malwarebytes Anti Malware Pro (active)
4. Filehippo Up Date Checker (on demand)
5. Super Anti Spyware (on demand)
All updated/checked several times a day
Lastly I try to keep myself updated so I don't do dumb things. Works most of the time.

 

[Night Hawk]

Besides a look at VIPRE the Web Of Trust browser addon mentioned before is a good one to have. The firewall in VIPRE does quite a bit more then what you would see with the Windows firewall for sure like adding web filtering and intrusion protections. The Windows version is more like another UAC rather then an effective block of things.

Another one to grab would be the Secunia Personal Software Inspector (PSI) being a free program that keeps everything you have updated when you run the checks with it. When everything is up to date you are less vulnerable.

The one thing I found immediately here once i started running VIPRE was the need to dump rather then add multiple malware removers and other things. I got sick of that when running AVG previously plus the need for 3 or 4 other programs?! to fill in the gaps.

As far as browsers are concerned none are ever 100%! FireFox sees as many trojans, trojan droppers, and other crud as any other browser. With the 64bit flavor of that WaterFox being used here I went to try out a new program and new tool bar I couldn't get rid of by uninstalling WaterFox was to be in the Mozilla folder since I still had FF installed! Once I dumped FF and reinstalled WaterFox no unwanted addon tool bar!

As far as jumping at the generally "Last Resort Option" of wiping the drive entirely that depends on the type of bug(s) found as well as how Windows was effected if at all. If you are seeing numerous problems despite having every bug cleaned off then you would need to consider starting over fresh even nuking the C primary to see a brand new to remove any possible traces.

The reason for the wipe would be similar to what was seen recently on a Vista laptop with a fake ware removed but somehow the OS was trashed! Without a full wipe turning off the System Restore feature to see all present restore points dumped would be the smart move which will then see fresh points made when turned back on later.

As far as being struck by a bug I could bet you some 90% of the pcs out there already have something on them without the owners even knowing about it! A great deal of the time they are hidden in free programs you download or connect to download unwanted items or put you through the accept or deny prompting for junk while trying a new program out during it's install. Bugs come in all forms!

 

[bigcitycat]

dont run two antivirus on same machine. That will slow your machine down. You can use malwarebytes at same time because its not actively protecting your system but avast and mse together is a no no.

 

[Night Hawk]

Avast isn't that good to start with! The MS SE on the other hand can be installed along with VIPRE while one simply replaces the need for the other and offers much more being a paid for full featured software.

VIPRE itself will run in the background and won't even be noticed regardless if you are running a full screen app or game. AVG went on after the initial VIPRE Antivirus Home Premium being the 2010 name without running into any clash but was surpassed by the newer updated software.

Typically however two av programs will try to nuke the other often seeing a second as a system security threat. The active protections each offers don't mesh well together from the beginning.

The best protection is prevention however. The better the web filtering the less likely chance of getting stung while browsing online! 99% of bugs are placed on a system from where? A bad site! or by phantom chain letter type self replicating I-Worm type viruses which grab the contacts list from your email account if you have Windows Mail enabled or have Outlook by way of an MS office suite.

 

[insomniac1]

Hello all,

Thank you very much for all the information and help, I really appreciate it. I performed a OEM System Recovery last, which included a format of the Windows partition. It wasn't as painful as I was anticipating and I'm more or less back up and running.

Collating the advice on this forum, I'm using:
- MSE
- Malwarebytes
- NoScript for Firefox

Apart from keeping everything updated - thank you for the Secunia and FileHippo recommendation - I was thinking of also using Sandboxie. Is that a bit over the top?

Thanks again for your help and opinions, everyone.