“Metropolitan Police” Ransomware - Help please!!!

I have been hit with some nasty malware that locks my computer and presents me with a full-screen notice saying that I have been detected by the Metropolitan Police eCrimes Unit as doing something illegal online (it is not very specific about what, and I wasn’t actually doing anything illegal anyway) and must pay an immediate fine of £100 (via a link in the notice) to unlock my machine. I cannot close this screen or access any other programs (even via Ctrl-Shift-Escape) while it is up. Scary at first, but obviously, this is a scam. The problem lies in safely getting back control of my computer.

I am on Windows 7 Professional, 64 bit.

The only way I found to get out of the ransomware screen was to do a hard reset, by holding down the power button. I was then able to reboot into safe mode, from where I ran scans with both Malwarebytes and Microsoft Security Essentials. However, neither of these programs finds anything wrong! I was also unable to update the definitions for Security Essentials from safe mode, although Malwarebytes seemed to update OK. I also tried doing a system restore to a recent restore point, but it failed.

I have also found that I can successfully boot into Windows normal mode provided that I am disconnected from the internet. As soon as an internet connection is established, however, the ransomware screen reappears and locks up the computer again. In normal mode, disconnected from the net, everything seems OK except that Ctrl-Alt-Delete does nothing, and although Ctrl-Shift-Escape does open Task Manager, it immediately closes again, so I cannot see what processes are running, or kill any of them. I ran Malwarebytes and Security Essentials in this mode too, but they still found nothing.

From safe mode, I was able to get online, and I Googled “metropolitan police e crimes virus”. However, the first hit (at deletevirus.net) is tagged by Google as itself unsafe! Lower down the Google page I found some information at http://www.prlog.org/11795782-police-central-crime-unit-virus-how-to-remove-pceu-scam.html but for actual removal instructions, this directs you back to the deletevirus.net site that Google warns against! I found more information at http://trojan-killer.net/police-central-e-crime-unit-pceu-ransomware-removal/ but this directs you to download a program called GridinSoft Trojan Killer and run it from safe mode. I am feeling a bit gun-shy now. I did try Googling for info on GridinSoft Trojan Killer but what little I found did not seem terribly definitive, although it is available on CNET, which is perhaps a good sign. On the other hand, GridinSoft is apparently based in the Ukraine, and it also seems a bit odd that the instructions say that after running it, and booting back into normal mode, I should update the GridinSoft program and run it again.

I am not sure that I trust random sites offering malware advice, especially as Google has at least one of them tagged as an attack site itself… However, I trust the Dope. Should I try GridinSoft Trojan Killer? Should I run it twice, like they say? Is there anything better anyone can suggest?

Also, this malware seems to have been around since at least February, so how come neither Malwarebytes nor Security Essentials seem to know about it? Is it somehow blocking their action, even in safe mode?

Malware writers mutate their programs quite often. Once the major AV programs start detecting it, they change the program to be undetectable again. Later, rinse, repeat.

This is why you will see 10 or more variations of the same virus listed.

Generally, you keep trying different programs until you find one that mostly fixes things. This one is probably bad enough you will need to just copy all your data files, wipe the drive and re-install the OS.

Try, for example, Kaspersky RescueDisk:


Copy it to a CD or flash drive (via a clean computer), boot off of it and see what it finds.

Oh, and never, ever leave your computer connected to the Net until you are 100% sure the infection is gone.

Malwarebytes, run from safe mode.