Achtung!!! Ein Vorgang illegaler Aktivitaten wurde erkannt. Schweizerische Eidgenossenschaft. Virus removal guide

andy | December 5, 2011

Lately, the new threat has been spreading through the Internet, saying “Achtung!!! Ein Vorgang illegaler Aktivitaten wurde erkannt. Schweizerische Eidgenossenschaft“. This virus threat belongs to the group that gave origin for Metropolitan Police and La Policia Espanola viruses. This message can pop in front of you at any time. It wants you to pay 150 Swiss francs (about $160). What does it mean? It actually says that users have spread some illegal content inside the web and now they should pay for that. It’s not only the illegal content but spam as well. So, if the person does not pay this money his/her computer’s every single piece of information will be eliminated within 24 hours. But the most important part about all this is that this warning message “Achtung!!! Ein Vorgang illegaler Aktivitaten wurde erkannt. Schweizerische Eidgenossenschaft” tries to fool you by asking you to pay. It is completely fake. Do not do anything about it except removing, of course. If you pay you will just lose your money and nothing else. You still can have your computer in a good state if you follow our instructions. After you’ve performed our recommendation nothing will be blocked or damaged, so you need to remove this virus at once. You can easily do it with our help. Follow all the steps and soon the problem will be solved.

Ransomware

Ransomware

Important removal milestones:

  1. Restart your system into “Safe Mode with Command Prompt”. While the PC is booting press the “F8 key” continuously, which should present the “Windows Advanced Options Menu” as presented in the image below. Apply the arrow keys in order to move to “Safe Mode with Command Prompt” and hit Enter key of your keyboard. Login as the same user you were previously logged in under the normal Windows mode.
  2. Safe Mode with command prompt

    Safe Mode with command prompt

  3. Once Windows boots successfully, the Windows command prompt would appear as described at the screenshot below. At the command prompt, type-in the word “explorer”, and press Enter. Windows Explorer should open. Please do not yet close it. You can minimize it for a while.
  4. Afterwards open the Registry editor by applying the same Windows command prompt. Type-in the word “regedit” and hit Enter button of your keyboard. The Registry Editor should open.
  5. You know how it normally looks like, don’t you? Well, here is the screenshot of it:

  6. Find the following registry entry:

    HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon

    In the right-side panel select the registry entry named Shell. Right click on this registry key and select “Modify” option. Its default value should be “Explorer.exe”. However, the virus did its job, and so after you click “Modify” you would see totally different value of this registry entry.

  7. Copy the location of the modified value of the above-mentioned registry entry to the piece of paper or memorize its location. It shows where exactly the main executable of this virus is located.
  8. Modify the value of the registry entry back to “explorer.exe” and save the settings of the Registry Editor.
  9. Go to the location indicated in the value of modified registry entry. Remove the malicous file. Use the file location you copied into the piece of paper or otherwise noted in step in previous step. In our case, the virus file was located and running from the Desktop. There was a file called “contacts.exe”, but it may have different (random) name.
  10. Get back to “Normal Mode”. In order to reboot your PC, when at the command prompt, type-in the following phrase “shutdown /r /t 0″ (without the quotation marks) and hit Enter button.
  11. The virus should be gone. However, in order to clean your PC from other possible virus threats and malware remnants, make sure to download and run GridinSoft Trojan Killer downloadable through the button below.

Associated virus files to be removed:

[random].exe

Associated virus registry entries to be removed:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon"Shell" = "[random].exe"

5 Comments

  1. Nadja says:

    I have had this virus on my computer for over a week…. annoying! I tried to remove it with the above steps, but when i click on modify, it remains at “explorer.exe” so i have no files to delete. Does anyone have an Idea what else i can try??

    thanks so much for your help,
    Nadja

  2. andreas says:

    Nadja,

    If you have the problem with the removal or some other questions, please write us here:
    http://trojan-killer.net/support/

    We will help you to cope with your problem.

  3. Jess says:

    Nadja,

    Did you get a solution? I have the exact same problem as you.

    Thanks you very much for your help.
    Jessica

  4. Kast says:

    Hello

    You have to change the same setting in “HKEY_CURRENT_USER”.

    regards

  5. Edwin says:

    I used System Restore to restore my computer to an earlier date, which removed the ransomware/virus completely.

Leave a comment

*