ACCDFISA – RansomWare – Removal Notes + More

UPDATE (2/26/12 @ 8:20PM CST): Lawrence Abrams has posted a guide to removing this infection over at His post includes notes that were not included in this post and also provides a much more automated process for removal. If you are removing this infection, I would consider his post a must-read! Do not consider your system fully repaired until you have thoroughly read through his removal instructions.

NOTE: It would be really useful to take a look at the previous post by Joe P. regarding this RansomWare infection here:

In addition, JSnell has posted some useful information on regarding his experience with removing this infection:


  • THE PROCESS DESCRIBED IN THIS POST WAS PERFORMED IN A WINDOWS SERVER 2008 R2 ENVIRONMENT. Unfortunately, I do not have access to another version of Windows Server to test this procedure on. The process should be fairly similar for each edition of Windows Server. Your comments and feedback will be very useful in providing information regarding how this process varies on other systems.
  • EVERY REFERENCE MADE TO THE “C: DRIVE” REFERS TO THE DRIVE THAT HOLDS THE CONTENTS OF THE WINDOWS SERVER OPERATING SYSTEM. This could very well vary for your system and should be adjusted appropriately.


Disclaimers / Additional Notes (PLEASE, PLEASE READ):

  1. I would STRONGLY urge you to take a backup of the system as soon as possible, even if it is still infected. Although, we have learned a good bit about this infection over the past week, we still do not fully understand each and every step of its progression. Finding a way to backup the infected system before ever beginning the removal process would be ideal (i.e. cloning all hard drives that have been infected). However, I realize that this may not be easily feasible on all systems. For that reason, I will include a note in the post where the next easiest backup point is. Please listen to my word of advice and take a backup at this point if at all possible. In addition, this would be a great time to put a plug in for off-site backups if you have not already implemented one. Based on the information that has been found so far, off-site backups would not have been affected by this infection as long as the location being backed up to is not mapped as a local drive for some strange reason.
  2. The steps described in this post are intended for those who have experience managing Microsoft Server systems. Please do not make any changes to your system if you are unsure of what you are doing, as you could cause major problems. Under no circumstance am I responsible for any damage that occurs to your data.
  3. Unfortunately, it appears that this particular infection deletes some types of files from the very beginning, such as Exchange and SQL database files. I’m honestly not sure what the best procedure would be to try and recover these files. The only suggestion I have is to run a program such as GetDataBack that has the ability to check for deleted files that haven’t been overwritten by the file system yet. Keep in mind that the more activity that occurs on the server, the less likely you are to have success with such a process. Therefore, I would suggest attempting this by connecting the server’s hard disk drives to another system and then run whatever type of recovery software you wish to from that system.
  4. I am certainly not a virus removal expert, but I hope that the information I have learned through trial and error will help others. I will do my best to help everyone I can who is suffering from this particular infection. Please leave your feedback in the comments so that I can correct the information in this post as needed.
  5. There are some specific references to certain software products in this article. I do not have any affiliation with the companies or groups who produce such software, but their products have worked successfully for me while trying to remove this infection. Any software mentioned in the post is the property of their respective owners and they deserve the credit for their functioning.


Getting Started:

Let’s jump right into it. If you are reading this post, it is likely that the screen shown below is the first sign of an infection you came across, other than a loss of network connectivity. It states something to the effect of “the server has been used to access illegal content on the internet and was shut down by the ACCDFISA, an acronym for the Anti Cyber Crime Department of Federal Internet Security Agency.”

It then asks for a $100 in order for the attacker to send you a code that allows you to access your system once again. After going through the executable file that causes this particular splash screen to load, I was able to recover a code that seems to successfully disable this screen from appearing at startup. However, I do not wish to publish it or the procedure involved in recovering this code at this time, as I cannot prove that inputting the code does not cause some additional problem, such as removing a security feature or enabling the infection to proceed further with some type of harmful action. The next steps should provide a perfectly adequate way to disable this initial screen and move forward with the virus removal.


Steps to Disable Initial Splash Screen:

  1. Download some type of live Windows disc that allows you access to the hard drive and allows you to make security setting changes to folders. My disc of choice was Hiren’s BootCD (download location: ), which includes a bootable version of “Mini Windows XP”. After downloading the zip, extract it and burn the .iso file included to a disc using your favorite disc image burning utility. You will then want to insert the disc into the system and boot from it. In the first screen that appears after booting from the disk, select the second option in the list that states “Mini Windows Xp”.
  2. Once Mini Windows Xp has loaded, navigate to C:\ProgramData (which is a hidden folder) using My Computer. Right-click on the “local” folder and select properties. Next, select the Security tab and select “Advanced”. Now, uncheck “Inherit from parent the permission entries…”, click “Copy” when the next dialog box pops up, and then click “OK” to save these changes. You can now remove all users except for “SYSTEM”.  For the user “SYSTEM”, select “Deny” for the “Full Control” setting. This should prevent the splash screen from loading, as this folder contains the file that the splash screen loads from.
              Note 1: Some may ask why we are not just deleting this folder. There are two answers: ( 1) we may need some of the files in this folder later and (2) this prevents any other virus-related service or executable from recreating the files in this directory.
    Note 2: JSnell, who has recorded his experience with this virus in a post on, mentioned that he was able to perform these steps by booting into safe mode. The reason why I did not go that route is because we were not able to boot into safe mode on the originally infected machine. Also, based on looking through certain files that this virus executes, it appears that it attempts to disable the safe mode boot option.
  3. Next, click okay to exit the properties dialog and save the new security settings. Remove Hiren’s BootCD from the disc tray. You can now select “Shutdown” from the “Start” menu, select the “Restart” option from the drop-down menu, and then click “OK”. Allow the system to reboot into Normal mode.


Steps to Disable the Loading of Virus-Related Services and Startup Entries:

  1.  Once the system has rebooted in Normal mode, login using an administrative account so that registry entries can be edited.
    IMPORTANT: Now would be a perfect time to complete a backup of some sort if your backup software of choice is still functioning properly. If such software is not functioning properly, consider using the built-in backup function in Windows server or some other freeware option to create a successful backup. So far, I haven’t run into an issue with losing data at this point, but it is always better to be safe than sorry!
  2. Click on the “Start” menu and select “Run”. Open the registry editor by typing “regedit” and clicking “OK”
  3. BEFORE making any changes, be sure to backup the registry by selecting “Export…” from the “File” menu. Next choose the location where you would like the registry backup saved and type in a file name for it. BE SURE that the radio button next to “All” is selected in the “Export range” section at the bottom of the window. You can now click “Save”.
  4. The following entries now need to be removed from the registry. Right-click on each of the entries listed below and select “Delete”. When asked to confirm the deletion, select “Yes”.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\svchost
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WdiServiceSysHostNOTE: You may receive an error when selecting the last two and when trying to delete them. Just click okay if the errors appear and still attempt to delete them.
  5. DO NOT SKIP THIS STEP. After deleting completing the above step and exiting out of the registry editor, reboot the system. This should prevent the virus-related processes from starting once the reboot is complete.


Backing Up the Virus-Related Folders/Files:

  1.  VERY IMPORTANT. Log back on to the system after the reboot. Find and copy the following folders and files to a backup location of your choice. I would suggest creating a new folder to place them all in so that you do not misplace them. These folders and files will be absolutely crucial to recovering encrypted data if they turn out to be needed. I would even suggest copying these files to a second external location just in case something happens to the first copy. Here is the list of folders and files:
    >C:\ProgramData\local      (This is a hidden folder. In order to copy this folder, you will have to double-click on it first and select “Take Ownership” or change the permissions manually before copying the folder. This is due to the fact that we took away our right to access this folder earlier when we booted into Mini Windows XP.)
    >C:\decrypt      (this is a hidden folder)
  2. The final file you need will most likely be called “sys100s.exe”. You will also need to backup this file along with the ones listed above. The only way to locate this file is to do a search of the C: drive, as it will probably be found in a user’s internet cache files (where Internet Explorer stores its temporary files). When running the search on the C: drive, I would suggest only searching for “sys100” and not including the final “s” or the “.exe” file extension, as it is possible that there may be different derivatives of this file whose filenames slightly vary.NOTE: Don’t worry about deleting any of the files from the C: drive at this time, as they should not be causing any problems. We will go back in the very end once we have confirmed everything is resolved and remove them.


Restoring TCP/IP Settings:

  1.  At this time, the TCP/IP settings can be reset for whichever network adapters were affected. If you’re not sure of how to do this, proceed to the Control Panel, select Network and Internet, and then select Network Connections. Right-click on the network adapter of your choice and select Properties. Once the next dialog loads, select “Internet Protocol Version 4 (TCP/IPv4)” and then select “Properties”. Once the next dialog loads, you should see that the IP address, default gateway, an etc. have been changed by the virus. You can now change these options back to whatever static settings they should be or select the radio button next to “Obtain an IP address automatically” and “Obtain DNS server address automatically”. Repeat this process if you have more than one adapter that was affected.


“Decrypting AES Files” (Extracting Password-Protected RAR Archives):

  • The attackers would love for you to think that all of your files have been encrypted using the AES algorithm. In reality, every file that has an .aes extension has been placed in its own password-protected RAR archive.
  • There is a “decrypter” program that is included with the virus. I have had mixed results running this program. One time it deleted files when I input files that I had recovered and another time it actually extracted the files back to their correct locations. However, for the same reason I did not provide a code for the initial splash screen, I will also not provide any of these codes, as it could cause permanent damage to your system.
  • If you just need to extract a couple of files using a RAR archive extractor, I’ll save you the trouble of reading through the next steps and tell you that the password that worked for me is the following: 1a2vn57b348741t92451sst0a391ba72
  • There is a chance that the password shown directly above and in Step 5 of this section is dynamically generated on each infected system. If this turns out to be the case, I will post instructions for how to find this password.

NOTE: I am completely aware that the process I describe below is extremely cumbersome. However, this is the easiest process I can think of at the moment. If you have a better idea of how to go about this process, please post it in the comments below and if I am able to verify that it works, I will modify this section.

  1. Download whatever RAR archive extractor you prefer and install it on the affected system. The only requirement is that it support password-protected archives (which may be all of them, I’m not sure). In our case, 7-zip File Manager worked well. It can be downloaded here: . The following steps will involve using 7-zip to extract the necessary files. The process will vary with other programs.
  2. Create a folder to make a copy of all of the archived files to. Also, create a folder somewhere to extract all the RAR archives to. These can be on the system itself or on an external device. Just be sure that the drive that these folders are located on is large enough to hold a copy of all of the archived and extracted files. It appears that the files were not compressed when they were placed into archives, so whatever size is shown in the search results (described below) is the size they will be when extracted.
  3. Open up Computer and continue to the root of whichever drive you which to extract files from first. In the search box, type “*.aes” (without the quotation marks) and allow the search to fully complete. On the original system that I worked with that was infected, the search returned approximately 15,000 files and took about an hour to an hour and a half to complete.
  4. Once you are sure that the search has discovered all the archived files on that drive, select all of the files (CTRL + A) and copy the files (CTRL + C). Then navigate to the folder that you created in Step 2 that was created to hold a copy of all of the archived files. Paste (CTRL + V) the files into this folder.
  5. Open up 7-zip File Manager and navigate to the same folder that you just pasted all of the files into. Then select all (CTRL + A) of the files and click the Extract button near the top-left of the program window. In the dialog windows that appears, set the “Extract to:” path to the folder that you created in Step 2 to extract files to. For “Path mode:”, select “Full pathnames” from the drop-down menu. In the password box, type in: 1a2vn57b348741t92451sst0a391ba72
  6. Select “OK” and wait for 7-zip to finish extracting all of the files.
  7. Once the extraction completes, navigate to the folder that you extracted to and select all (CTRL + A) of the folders and files. Copy (CTRL + C) the folders and files.
  8. Navigate to the root of the drive that you pulled the archives from and paste (CTRL + V) the folders and files there. (Be sure that you have enough space on the drive to paste all of the extracted files.) If you are asked if you want to merge folders, select “Yes”. If there are quite a few, I would check the “Do this for all current items” option.
  9. Steps 2 through 8 of this section will need to be repeated for each drive that needs files recovered from it.


Final Steps / Cleanup:

  1. I would suggest rebooting the system at this point just to make sure that everything is in working order.
  2. If you are positive that all of your files have been successfully extracted and put back in their place, you can once again search each drive for all of the .aes files, select them all, and delete them.
  3. You can now delete the virus-related folders and files that you made a copy of in the section “Backing Up the Virus-Related Folders/Files”. These no longer serve a purpose by staying on your system. However, I would not delete the backup of these files that you made, just in case it is needed.



  • No one seems to be sure what exactly initiates the download of the sys100s.exe file that begins the visual activities of the virus and archives files on the system. The only way to be 100% sure that the virus is removed from you system is to reinstall your edition of Windows Server. I’m hoping that we can soon track this virus back further and find exactly what the root cause/security flaw is that is allowing such an infection through. One theory so far is that there could possibly be a keylogger that is capturing user credentials. This is based on the fact that Joe P., who wrote the previous post on this blog concerning this RansomWare infection, was able to see in his client’s server logs where a successful login occurred right before the symptoms of the virus began appearing. This is obviously very concerning that there was not a failed login attempt before this successful one. I will attempt to keep everyone updated if I learn anymore information about this infection.
  • Please leave your feedback and comments below, as this is the only way I have of knowing that the removal process is working successfully for others. I apologize if I have gone into way too much detail in this post, but I am just trying to put out as much information as I can about this infection so that hopefully it helps as many people as possible.


9 Responses to “ACCDFISA – RansomWare – Removal Notes + More”

  1. Larry says:

    In my case a keylogger was most likely not used. Based on our security event logs for the server, they got into our 2008 TS via the local admin account which nobody ever uses to log in with.

  2. Marcin Wisniowski says:


    All is saved. This worked better than a love charm! There is a river of thanks flowing from Mt. Everest unto your hands Tim. Thank you!

  3. Marcin Wisniowski says:

    In my client’s case it was a brute force attack. I found logs of a multitude of failed Terminal Server logon attempts preceding a successful logon. The password and username were categorically weak: admin and Password1 respectively. I’ve also found DUBrute on the desktop suggesting that they, at least, have planned to instigate further attacks from this computer.

  4. Joe P. says:

    There was a brute force attack about two days before the infection. However, the password that was used was eleven characters long and had all four complexities. The attack went on a few hours and then would stop for a few more. This went on for nearly two days with the source IP changing between seperate attacks. It is easy to say that someone had a list of addresses where port 3389 was open and began a brue force attack. I wonder just how the password would have been in a password list…

  5. Marcin Wisniowski says:

    I have developed a short and easy way to automate the decryption process. You need to make sure that you have 7zip installed and the 7z.exe executable in the %PATH% or that you provide a full path to the executable in the following command:

    for /f “tokens=*” %i in (‘dir *.aes /a /b /s’) do cd “%~pi” & 7z.exe e -p1a2vn57b348741t92451sst0a391ba72 “%i” & del /q “%i”

    This needs to be run from a command line run as administrator once from the root of every drive where the encrypted files reside.

    This does not do any error checking…if needed you can slap:
    & echo %i %errorlevel% >> decrypt.log

    It will create decrypt.log in the directory from which the command is run, presumably the root of a drive, and record the file name and affix a 0 for sucess and 1 for failure.

    This will also delete the encrypted file after it has been decrypted/extracted ( del /q “%i” ). If you want to be on the safe side you can remove that, but make sure you have enough space to accommodate the files to be extracted.

    And once more…Thank you Tim!

Leave a Response