ACCDFISA Protection Program Ransomware - How To Remove?

Type: Ransomware

ACCDFISA Protection Program is ransomware that tries to convince its victims that their computers are infected with a dangerous virus that is illegally sending spam messages filled with malicious links. To make this look convincing, the malware locks victims out of the Windows desktop and displays a misleading alert that asks for a $100 payment via Moneypak or Paysafecard. It also claims that you must pay within 48 hours if you don’t want all your documents and the operating system deleted. In fact, it packs all the documents into password-protected archives and runs malicious processes that delete files upon a decryption attempt.

Although ACCDFISA claims to represent the Anti Cyber Crime Department of Federal Internet Security Agency, you must never fall for it, because its only aim is to get money from you. By convincing victims that they have been caught spreading malicious links to websites filled with child pornography or other illegal content, the scammers simply try to pressure them into paying the fine. You should ignore the ACCDFISA ransomware alert, which reads something like this:

ACCDFISA Protection program
Warning! Access to your computer is limited.

From your computer was detected mailing (spam)advertises illegal sites with child pornography, which contradicts law and harm other networking users.

Probably your computer has been infected and as a result our service locked access to your computer, including a fully networked access (except for our staff).

As the virus sends the illegal spam mail is very dangerous and modifies itself every 48 hours, including removing our program protection, you have 48 hours, otherwise we will remove all protection program data including the operating system and all your files without possibility of recovery.

To solve this problem you need to buy and send sms with MoneyPak or Paysafecard or Ukash code (100$ or 100E) and your Reference Number: 471951751100 to the special service phone number: +18722161445 or email:

You can buy MoeyPak card at the nearest stores: Walgreens, Walmart, CVS/pharmacy, Kmart, SevenEleven, Rite Aid or go to to find location stores near you.

To find Paysafecard location stores near you visit or Ukash at

After that our experts withing 1-3 hours will do audit and clean up your computer from viruses sending out spam and send out you sms on the cell phone or email (from which you sent card code and your reference number) control code (which unlock your PC) that must be enter here.

A closer look has revealed that this program starts as soon as the PC is rebooted. It additionally removes the Windows SafeBoot registry key so that its victims cannot reach Safe Mode and remove it from their PCs. If you have ACCDFISA on your computer, make sure you don’t pay and remove this ransomware without delay. According to this post, the malware might be distributed manually at the moment, by hackers infecting machines through stolen passwords. This means that you should change your Windows password and, if this happened to a company PC, notify the administration staff.

NOTE: It is very important to decrypt data only after the ACCDFISA Protection Program malware process is terminated, or you might lose information on your PC.

ACCDFISA Protection Program special removal instructions

1. If you are stuck on the screen asking for a Control Code, try entering 753491980167921.

2. To recover your internet access, go to the Network and Sharing Center, click your network, then Properties, then Internet Protocol Version 4. You will need to enter the correct settings for your network adapter. A good guess is to use the automatic settings (obtain an IP address automatically). Contact your ISP for details.

3. Run:

net stop netprofms
net stop WdiServiceSysHost
sc delete netprofms
sc delete WdiServiceSysHost
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v svchost /f

Reboot afterwards.

4. C:\Windows\system\wcmtstcsys.sss or C:\Windows\SysWOW64\wcmtstcsys.sss will contain all the files that have been “encrypted” by ACCDFISA Protection Program. These “encrypted” files are in fact RAR archives protected with the password 1a2vn57b348741t92451sst0a391ba72. An encrypted file is named like document.doc.aes. Download the WinRAR program and extract them all.

5. Scan your PC with Microsoft’s Malicious Software Removal Tool, Malwarebytes Anti-Malware, SpyHunter and your regular antivirus. ACCDFISA Protection Program might be the result of a keylogger attack. It is extremely important to change your passwords after this infection.
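
Before extracting anything in step 4, it helps to confirm which .aes files really are RAR archives, as described above. The following read-only check is an added example, not part of the original instructions: it walks a folder and classifies every .aes file by its leading RAR signature. The function names and the sample files built in demo() are constructed for illustration.

```python
import os
import tempfile

# RAR marker blocks are stored in the clear, even in password-protected archives.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def classify(path):
    """Return 'rar4', 'rar5' or 'not-rar' from the first bytes of the file."""
    with open(path, "rb") as fh:
        head = fh.read(len(RAR5_MAGIC))
    if head.startswith(RAR5_MAGIC):
        return "rar5"
    if head.startswith(RAR4_MAGIC):
        return "rar4"
    return "not-rar"


def inventory(root):
    """Walk root without modifying anything; map each *.aes file to its type."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".aes"):
                full = os.path.join(folder, name)
                try:
                    report[full] = classify(full)
                except OSError as exc:  # locked or unreadable file
                    report[full] = "unreadable: %s" % exc.strerror
    return report


def demo():
    """Build constructed sample files in a temp dir and inventory them."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "document.doc.aes": RAR4_MAGIC + b"\x00" * 16,  # constructed
            "photo.jpg.aes": RAR5_MAGIC + b"\x00" * 16,     # constructed
            "real-cipher.aes": b"\x8f\x13\x02 not a RAR",   # constructed
            "notes.txt": b"plain file, ignored",            # constructed
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        found = inventory(root)
        return {os.path.basename(p): kind for p, kind in found.items()}


if __name__ == "__main__":
    for name, kind in sorted(demo().items()):
        print(f"{kind:8} {name}")
```

Files reported as not-rar do not match the description in step 4 and may come from a different variant, so set them aside rather than running them through WinRAR.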



About the author

 - Passionate web researcher

I have been working with project for a while now and I would like to think that our research team has managed to raise awareness about cyber security. I study the newest infections, help out with manual instructions and answer questions that our users might have.

February 27, 2012 14:34, June 3, 2013 14:05

3 thoughts on “ACCDFISA Protection Program Ransomware”

  1. I got a variant of it today too. Nothing is working for me either. I was able to get to safe mode but beyond that, none of the files that we’re supposed to delete are there.
