Remove 'Achtung!!!Ein Vorgang illegaler Aktivitaten wurde erkannt' ransomware

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,379
What is Achtung!!!Ein Vorgang illegaler Aktivitaten wurde erkannt. Schweizerische Eid?

Achtung!!!Ein Vorgang illegaler Aktivitaten wurde erkannt. Schweizerische Eid is a typical ransomware program that displays a fake warning from the German Police and locks the user desktop until he/she pays 150$ in return.
As this program is a scam do not be scared into paying when you see its alerts.You are strongly advised to follow our removal instructions below.

Am I infected with Achtung!!!Ein Vorgang illegaler Aktivitaten wurde erkannt. Schweizerische Eid ransomware?

This is how the main screen of Achtung!!!Ein Vorgang illegaler Aktivitaten wurde erkannt. Schweizerische Eid ransomware looks:

Ein-Vorgang-illegaler-Aktivitaten-wurde-erkannt.jpg


Achtung!!!Ein Vorgang illegaler Aktivitaten wurde erkannt. Schweizerische Eid ransomware Removal Instructions
(If you experience any problems completing these instructions, please start a new thread here)

STEP 1 : Start your computer in Safe Mode with Command Prompt

  1. Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.
  2. Do one of the following:
    • If your computer has a single operating system installed, press and hold the F8 key as your computer restarts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you will need to try again by waiting until the Windows logon prompt appears, and then shutting down and restarting your computer.
    • If your computer has more than one operating system, use the arrow keys to highlight the operating system you want to start in safe mode, and then press F8.
  3. On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Command Prompt, and then press ENTER. For more information about options, see Advanced startup options (including safe mode).
    lGBtd.jpg



STEP 2: Remove the malicious registry key and file

  1. When Windows loads in 'Safe Mode with Command Prompt', the Windows command prompt will show up as show in the image below. At the command prompt, type explorer, and press Enter.
    cPSFH.png

    The Windows Explorer will open, do not close this window.
  2. Using the same Windows command prompt,type regedit and press Enter.
    0Lwph.png
  3. The Registry Editor will now open and you'll need to browser to :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ and search on the list to the right for an registry entry named Shell.
    trAD8.png

  4. Right click on this registry key and select the “Modify” option. Its default value should be 'explorer.exe' however this infection modified this entry.
  5. Before you rename this registry entry to 'explorer.exe' , copy the location of the modified value to a piece of paper or Notepad because this value will point you to the ransomware executable file ,which needs to be removed.
    In our case, the malicious file is running from the Desktop and it's called “contacts.exe”, but the cyber crimanls may have changed the file name in your case so it might have a different name.

    nlgsb.png

  6. Modify the value of the registry entry back to 'explorer.exe'. Click OK to save your changes and exit the Registry editor.

    vMPAe.png

  7. Browse to the location indicated in the value of modified registry entry and delete the malicious file. In our case, the malicious file was running from the Desktop and it was called “contacts.exe”.
    0nKTO.png

  8. Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.
    JQx7q.png



STEP 3 : Download and scan with Malwarebytes Anti-Malware

  1. Please download the latest official version of Malwarebytes' Anti-Malware.

  2. Install Malwarebytes' Anti-Malware by double clicking on mbam-setup.
    AxE4f.png
  3. Follow the prompts. Make sure that Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware are checked. Then click Finish.
    EFk1d.png

  4. Malwarebytes Anti-Malware will now start and you'll be prompted to start a trial period , please select 'Decline' as we just want to use the on-demand scanner.
    HDseI.png

  5. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for malicious files.
    Yomki.png

  6. Malwarebytes' Anti-Malware will now start scanning your computer for infected files .When the scan is complete, click OK, then Show Results to view the results.
    dVY31.png

  7. You will now be presented with a screen showing you the malware infections that the program found.
    Please note that the infections found may be different than what is shown in the image.
    Make sure that everything is Checked (ticked) and click on Remove Selected.
    ZqRnb.png

  8. Malwarebytes' Anti-Malware will start now removing the malicious files.
    If during the removal process Malwarebytes will displays a message stating that it needs to reboot, please allow this request.
    kY6jB.png



STEP 4 : Download and scan with Hitman Pro

  1. Please download the latest official version of Hitman Pro.

  2. Once downloaded click on it to run it.
    NOTE : If you have problems starting Hitman Pro, use the “Force Breach” mode. Hold down the left CTRL-key when you start Hitman Pro and all non-essential processes are terminated, including the malware process. (How to start Hitman Pro in Force Breach mode - video)

    hmp-welcome.jpg

  3. Click Settings to proceed to the application scan options. Note that Hitman Pro 3 is free to use for the first 30 days, after which time it will prompt you to purchase a licence key.
    In the Settings menu, ensure that the options "Create Restore Point Before Removing Files" is checked, and click OK. Click Next to continue to the scan.

    hmp-settings.jpg

  4. The Setup screen is displayed. Here, you can decide whether or not you wish to install Hitman Pro 3 on your system. To proceed with installation, select Yes,create a copy of Hitman Pro so I can regularly scan this computer .Click Next to continue.

    hylc2.png

  5. Hitman Pro will start scanning your system for malicious software. Depending on the the size of your hard drive, and the performance of your computer, this step will take several minutes.

    ptCoy.png

  6. Once the scan is complete, a summary of detected malicious files is displayed.
    hmp-scanresults.jpg

  7. Click Next to start removing the infected files.Hitman Pro 3 will now cleanse the infected files, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.

As an addition step it's recommended that you download other free anti-malware software from the list below and run a full system scan :


If you are still experiencing problems on your machine, please start a new thread here.




Removing the residual damage from Achtung!!!Ein Vorgang illegaler Aktivitaten wurde erkannt. Schweizerische Eid

STEP 1 : Make sure that DNS settings are not changed

  1. Right click on the Network icon in the Notification area, and click on Open Network and Sharing Center.
    iKUf0.png
  2. Click on the Change adapter settings link in the left blue pane.
    nX5Rf.png
  3. Right click on Local Area Connection icon and select Properties.
    uuE9i.png
  4. Select Internet Protocol Version 4 (TCP/IPv 4) and click Properties button.
    UvSEz.png
  5. Choose Obtain DNS server address automatically and click OK.
    44032302.png



STEP 2 : Check Windows HOSTS file
The hosts file is one of several system facilities to assist in addressing network nodes in a computer network. It is a common part in an operating system's Internet Protocol (IP) implementation, and serves the function of translating human-friendly hostnames into numeric protocol addresses, called IP addresses, that identify and locate a host in an IP network.
Because of its role in local name resolution, the hosts file represents an attack vector for malicious software. The file may be hijacked, for example, by adware, computer viruses, trojan horse software, and may be modified to redirect traffic from the intended destination to sites hosting content that may be offensive or intrusive to the user or the user’s computer system.

  1. Go to > C:\WINDOWS\system32\drivers\etc.
    ZO11L.png
  2. Double-click “hosts” file to open it. Choose to open with Notepad.
    ICJx6.png
  3. The “hosts” file should look the same as in the image below. There should be only one line: 127.0.0.1 localhost in Windows XP and 127.0.0.1 localhost ::1 in Windows Vista/7. If there are more, then remove them and save changes.
    Windows XP :
    GosL9.jpg

    Windows Vista and 7 :
    vMS3u.png

    You can find more details on how to reset your host file here.



STEP 3 : Remove other forms of residual damage

If you still are experiencing residual damage after removing this infection, you can download and use the Windows Repair tool from tweaking.com to fix the problems.
Windows Repair is an all-in-one repair tool to help fix a large majority of known Windows problems including registry errors and file permissions as well as issues with Internet Explorer, Windows Update, Windows Firewall and more. Malware and installed programs can modify your default settings. With Tweaking.com - Windows Repair you can restore Windows original settings.
Use the bellow button to download Windows Repair (All In One) :



Watch the bellow video in order to see how to use Windows Repair :


If you are still experiencing problems on your machine, please start a new thread here.



How was I infected with Achtung!!!Ein Vorgang illegaler Aktivitaten wurde erkannt. Schweizerische Eid?
This attack mainly relies on social engineering in order to defeat the security built into modern operating system and browser software and install itself onto victims' computers. A website may, for example, display a fictitious warning dialog stating that someone's machine is infected with a computer virus, and encourage them through social engineering to install or purchase scareware in the belief that they are purchasing genuine antivirus software.
Most have a rootkit component, which users are misled into installing. The rootkit may be disguised as:
  • A browser plug-in or extension (typically toolbar)
  • An image, screensaver or archive file attached to an e-mail message
  • Multimedia codec required to play a certain video clip
  • Software shared on peer-to-peer networks
  • A free online malware scanning service
Some ransomware, however, propagate onto users' computers as drive-by downloads which exploit security vulnerabilities in web browsers, pdf viewers, or email clients to install themselves without any manual interaction.
More recently, malware distributors have been utilizing SEO poisoning techniques by pushing infected URLs to the top of search engine results about recent news events.



How can I prevent these infections?

A. Prevent malware with smart online behavior

The single biggest factor in preventing a malware infection on your PC is you. You don't need expert knowledge or special training. You just need vigilance to avoid downloading and installing anything you do not understand or trust, no matter how tempting, from the following sources:

From a website: The internet is a dangerous place so try to stay away from sites offering commercial software serial numbers, keygens or other hacked material.
Download programs only from reputable websites that have confirmed the software is malware free.If you are unsure, leave the site and research the software you are being asked to install. If it is OK, you can always come back to site and install it. If it is not OK, you will avoid a malware headache.

From e-mail: If you're not familiar with the sender, do not open, download, or execute any files or email attachments. Some viruses replicate themselves and spread via email. Stay on the safe side and confirm that the attachment was sent from a trusted source before you open it.

From physical media: Your friends, family, and associates may unknowingly give you a disc or flash drive with an infected file on it. Don't blindly accept these files; scan them with security software. If you are still unsure, do not accept the files.

From a pop-up window: Some pop-up windows or boxes will attempt to corner you into downloading software or accepting a free "system scan" of some type. Often these pop-ups will employ scare tactics to make you believe you need what they are offering in order to be safe. Close the pop-up without clicking anything inside it (including the X in the corner). Close the window via Windows Task Manager (press Ctrl-Alt-Delete).

From another piece of software: Often, a software installer includes optional installs, such as a toolbar or other programs. Be very careful what you agree to install. Always opt for the custom installation and deselect anything that is not familiar, especially optional software that you never wanted to download and install in the first place. It goes without saying that you should not install software that you don’t trust.

From illegal file-sharing services: You're on your own if you enter this realm. There is little quality control in the world of illegal software, and it is easy for an attacker to name a piece of malware after a popular movie, album, or program to tempt you into downloading it.

B. Prevent malware with the right software

1. Keep your Operating System, Software, and Drivers Up-To-Date

It is essential that you keep your operating system, software, and drivers updated with the latest hotfixes, patches, and security releases from the manufacturer on a regular basis.
Make sure that the Windows Updates are turned on and that you have the latest security releases and patches for your operating system.
Let Windows automatically check for security updates. Windows 7 is using this setting out of the box - just make sure it's really turned on.
Cybercriminals are increasingly targeting home users. Their entry points are vulnerabilities (certain code errors or bugs) in popular third party (non-Microsoft) programs, which are exploited and used as a gateway to compromise PCs and access confidential data such as passwords, online profiles, and bank details.The only way to prevent these types of attacks is to apply security updates, or “patches” which are offered free-of-charge by most software vendors.

2. Build up your malware defenses

The Internet is not a safe place if you go online without securing your computer, in order to avoid any malware infection is important that build up a solid malware defense system.
This is a list of components that should be part of your security configuration :
  1. Antivirus Engine
  2. Firewall
  3. Behavior Blocker
  4. Host Intrusion Prevention System
  5. Virtualization Software
  6. Site Advisor
  7. On-demand Scanners
You can build up your malware defenses with our help by starting a thread in our Security Configuration Wizard forum.

3. Secure your browser

  • Consider the use of an alternate Browser, such as Firefox, Google Chrome, or Opera, which are not susceptible to the same vulnerabilites of Internet Explorer 7 and 8 or update your Internet Explorer to the latest version.
  • Disable unnecessary plug-ins in your web browser. This will help keep you safe from malicious scripts and activeX exploits
  • Use available add-ons to improve it's general security.
  • Take advantage of your browser's pop-up blocking, download screening, and automatic update features.
You can start a thread in our Security Configuration Wizard forum and we will help you secure your browser.

4. Back up all of your data
Because your information could be lost or compromised , make regular backups of your information so that you still have clean, complete copies .
Back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them.
Determining how often to back up your data is a personal decision. If you are constantly adding or changing data, you may find weekly backups to be the best alternative; if your content rarely changes, you may decide that your backups do not need to be as frequent. You don't need to back up software that you own on CD-ROM or DVD-ROM—you can reinstall the software from the original media if necessary.

5. Use a Limited/Standard User Account (LUA)

With Windows 7 working as a standard user has become more convenient than ever. There's no reason not to work with restricted permissions, what makes a giant leap in your computer's safety. The way Microsoft found to keep security, comfort and function in balance by integrating User Account Control (UAC) that seamlessly, is one of the benefits Windows 7 offers.When using a Limited/Standard User Account , your user profile might still getting compromised, but not Windows 7 basic operating system in the background. Even your profile got hit, all your pictures, MP3 files or documents can be restored easily by logging in to another account that is not yet compromised.
  • To change your account type go to : Start -> Control Panel -> User Accounts and Family Safety -> User Accounts -> Change your account type
  • To create a new Limited/Standard User Account : Start > Control Panel > User Accounts and Family Safety > User Accounts > Manage Accounts > Crate New Account



Tehnical details for Achtung!!!Ein Vorgang illegaler Aktivitaten wurde erkannt. Schweizerische Eid :
Code:
Files:
=========================

[random].exe

Registry values:
=========================
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[random].exe"
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top