Willkommem bei Windows Update

Updated: May 31, 2012 Rogue 4 Comments

Willkommem bei Windows Update is another ransom Trojan on the loose. This Trojan will block your access to Windows and locks the desktop, making it unusable. The only active window after the attack is the ransom page that contains the following message:

“Willkommem to Windows Update
Sie haben sich mit einen Windows-Verschlusselungs Trojaner infiziert.”

It is a German message that after translation will reveal this message:

“Welcome To Windows Update
You have been infected with a Windows Trojan Verschlusselungs.”

This ransom Trojan will also leave a file “ACHTUNG-LESEN.txt” on your desktop and it will contain this German messages:

Sehr geehrte Damen und Herren, anscheinend wurde das Update Programm vollständig unterbrochen. Jetzt kann das Virus nur manuell beseitigt werden. Dies brauchen Sie um Ihre Dateien benutzen zu können. Falls Sie also die gesperrten Daten brauchen, senden Sie uns bitte 200 Euro Ukash Code an die Email: security-center@inbox.lt, so bald dieser Code geprüft wurde, erhalten Sie ein Update Programm. Falls Sie Ihre Daten nicht brauchen raten wir Ihnen dringend Ihren Computer zu formatieren um den Virus vollständig zu entfernen. Ukash können Sie an einer beliebigen Tankstelle erwerben und auch in mehreren Internetcafes in Ihrer Nähe. mfG Ihr Security Team

When translated to English it will reveal this content:

Ladies and Gentlemen, apparently the update program has been completely disrupted. Now the virus can only be removed manually. This you need to use your files to. So if you need the locked data, please send us 200 euros Ukash code to the email: security-center@inbox.lt so soon, this code has been tested, you will receive an update program. If you need your data, we strongly advise you to reformat your computer to completely remove the virus. Ukash can be purchased at any gas station and in several Internet cafes in your area. Your Security Team

As you can see, the Trojan gives instructions on how to unlock Windows. You must purchase the code by paying the ransom to designated methods. Once the payment is settled, victims need to email the transaction details to security-center@inbox.lt. It will only then that attackers will send the unlock code through an email reply.

This kind of Trojan not only disables the desktop, but also makes some of your files hidden. Apart from that, it will block user’s access to Task Manager and Registry editor probably to avoid manual removal of Trojan.

We suggest not to pay the ransom. Aside from being so pricey (100 Euro), you are only allowing the attacker to take profit from this illegal doings. To remove this ransom Trojan, follow the guide below. It requires a tool from trusted known vendor so rest assure that our removal procedure is legit.

Screenshot Image:

Trojan Ransom

Technical Details and Additional Information:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

[cf]regis[/cf] [cf]files[/cf]

How to Remove Willkommem bei Windows Update

Download Kaspersky Rescue Disk

1. Download the ISO image of Kaspersky Rescue Disk 10 (kav_rescue_10.iso) from this link.
2. Download the Kaspersky Rescue Disk Maker (rescue2usb.exe) from this link.

Create A Bootable USB Drive

3. Insert a clean USB flash drive to available slot. To record the ISO file and create a bootable USB drive, double-click on rescue2usb.exe. It will extract the files and create a folder called Kaspersky Rescue2Usb.

4. Kaspersky USB Rescue Disk Maker should run after the extraction. If not browse the Kaspersky Rescue2Usb folder and run the rescue2usb file.
5. From Kaspersky USB Rescue Disk Maker console, click on Browse and locate the file kav_rescue_10.iso.

Kaspersky Rescue Disk Maker

6. On USB Medium, select the USB drive you wanted to make as bootable Kaspersky USB Rescue Disk. This will become a bootable virus scanner.
7. Click in Start to begin the process.
8. When the process is complete, it will display a notification message. Your tool to remove "Willkommem bei Windows Update" is now ready.

Rescue Disk Created

Boot The Computer From The USB Kaspersky Rescue Disk 10

9. Since "Willkommem bei Windows Update" uses a rootkit Trojan that controls Windows boot functions, we need to reboot the computer and select the newly created Kaspersky USB Rescue Disk as first boot option. On most computers, it will allow you to enter the boot menu and select which device or drives you wanted to start the PC. Refer to your computer manual.
10. If you successfully enters the boot menu, choose the USB flash drive. This will boot the system on Kaspersky Rescue Disk. Press any key to enter the menu.

Kaspersky Rescue Disk 10 Menu

11. If it prompts for desired language, use arrow keys to select and then press Enter on your keyboard.
12. It will display End User License Agreement. You need to accept this term to be able to use Kaspersky Rescue Disk 10. Press 1 to accept.
13. The tool will prompt for various start-up methods. We highly encourage you to choose Kaspersky Rescue Disk Graphic Mode.

Remove "Willkommem bei Windows Update" Using Windows Unlocker

14. Once the tool is running, you need to run WindowsUnlocker in order to delete registry that belongs to "Willkommem bei Windows Update". On start menu located at bottom right corner of your screen, select the K icon or select WindowsUnlocker if it is present on the Menu.

15. Select Terminal from the list. A command prompt will open.

Run Terminal on Rescue Disc

16. Type windowsunlocker and press Enter on your keyboard.

Command for Windows Unlocker

17. From the selection, choose 1 - Unlock Windows to remove "Willkommem bei Windows Update". Use up/down arrow on keyboard to select and press Enter.

Windows Unlocker

18. This utility will start removing any components that blocking you from accessing the computer. It will display a log file containing actions performed on the infected computer like deleted infected file and removed registry entries.

19. After removing components of "Willkommem bei Windows Update". You need to scan the system using the same tool. On start menu, select Kaspersky Rescue Disk.

Kaspersky Rescue Disk Scanner

20. Be sure to update the program by going to My Update Center tab. Click on Start update.
21. After the update, go to Object Scan tab and thoroughly scan the computer to locate other files that belong to "Willkommem bei Windows Update".
22. Restart the computer normally when done.

Alternative Removal Method for Willkommem bei Windows Update

Option 1 : Use Windows System Restore to return Windows to previous state

If Willkommem bei Windows Update enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a saved restore point before Willkommem bei Windows Update infiltrates the PC, we highly encourage you to execute this procedure if none of the above works. You may proceed with Windows System Restore, click here to see the full procedure.

Option 2 : Willkommem bei Windows Update manual uninstall guide

IMPORTANT! Manual removal of Willkommem bei Windows Update requires technical skills. Deleting system files and registry entries by mistake may result to total disability of Windows system. We advise you to perform a backup of registry before proceeding with this guide.

1. Kill any running process that belongs to Willkommem bei Windows Update.
- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for Willkommem bei Windows Update files (refer to Technical Reference) and click End Process.

End Task

2. Delete all registry entries that belong to this malware.
- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit and press Enter. This will open registry editor.
- Find and delete registry entries as mentioned in Technical Reference section below.
- Close registry editor. Changes made will be save automatically.

Run Regedit

3. Scan the computer with antivirus program.
- Connect to Internet and open your antivirus software. Please update to obtain the latest database and necessary files.
- Restart the computer in Safe Mode.
- Just before Windows logo begins to load press F8 on your keyboard.
- On Windows Advanced Boot Options, select Safe Mode and press Enter.

4. Delete all files dropped by Willkommem bei Windows Update.
- While still in Safe Mode, search and delete malicious files. Please refer to 'Technical Reference'. Make sure that you execute 'End Task' first before deleting the file. Otherwise, the system will not let you perform this action.

Technical Reference

Associated Files and Folders:

Comments and Suggestions

On this area you can find Visitor's personal suggestions. We cannot control and evaluate each recommended procedure from visitors so please use it at your own risks. If your inquiry pertains to Willkommem bei Windows Update payment refund or lost serial key, kindly check the FAQ for rogue program first.

4 Comments

Tomas
May 24, 2012 @ 12:56:45

What about decrypting files done by this trojan ?

filename sample :
VjlxtjlqEAlfEtgpsA

no extension
johnB
May 24, 2012 @ 23:42:06

Tomas, there are certain encryption level for each ransomware infection. I suggest you submit a sample file to dr. web and they will give you a tool with proper command to decrypt your files.
https://vms.drweb.com/sendvirus/?lng=en
John
Jul 14, 2012 @ 13:13:47

Have you found a tool or solution to decrypt these files?

I have tried the Kaspersky Rannoh and Avira tools but it is unable to decrypt
Don
Jul 26, 2012 @ 16:55:29

Same problem removed virus, cant access files pic doc n same one.. Any help? How to encrypt?