Search This Blog

Thursday, February 14, 2013

International Cyber Security Protection Alliance (ICSPA) virus

International Cyber Security Protection Alliance, also abbreviated as ICSPA, is a well-known international agency that is meant to maintain and protect security in the online web space. Its mission is to prevent illegal activities of users who surf the Internet. Needless to mention, there are many of those who perform all kinds of illegal actions while they’re online. This includes downloading illegal samples of audio and video files, copying them onto various multimedia devices and distributing them among various customers for the purpose of obtaining illegal profits. Indeed, such proceeds are illegal due to violation of copyrights of the owners of these multimedia samples. This also relates to illegal software downloads, which are also quite popular in the cyber world today. Nevertheless, there are many hackers to day who use the good name of International Cyber Security Protection Alliance (ICSPA) for their evil plots. In particular, there’s a fresh ransomware program that belongs to the Urausy family that locks the desktop of infected computers and asks for money to be paid by user in order to unlock the computer.

The logo and the name of International Cyber Security Protection Alliance (ICSPA) are widely used in many of such new ransomware lockers. According to the information we possess with, the following lockers contain the ICSPA logo:

  • Australian Federal Police ransomware
  • Royal Canadian Mounted Police ransomware
  • FBI. Cybercrime Division ransomware

Once these lockers attack your system they immediately hijack your desktop, without giving you a chance to do anything at all. The keyboard is also disabled, and the only thing you can do is to reboot the PC through the hard reset button. This doesn’t help to unlock the system, and the same locked status persists. The malware asks victims to pay the fine through indication of Ukash, Paysafecard or GreenDot MoneyPak payment systems. However, you should be clever and smart enough to understand that ICSPA would never ask you to pay fines to them through the services of such payment companies, even though they’re decent ones. Whatever the case might be, this is a fake fine that is not associated with the police and other law enforcement bodies. Instead, this is a ransom that is so desirable by hackers. They can’t wait until you obey their instructions and pay the fine eventually. Please, never make such a serious mistake. Ignore the scary accusations of this ransomware about the crimes you’ve never committed online. Disregard the entire message of the locker you see on your screen. Instead, please carefully follow the guidelines below that will help you get rid of ICSPA scam from your computer effectively.

Automatic removal solution (recommended):

  1. Go to your friend, relative or anybody else who has computer with Internet connection.
  2. Take your USB flash drive / Memory Stick with you.
  3. Download GridinSoft Trojan Killer installation file from this site and save it to your USB flash drive / Memory Stick.
  4. Get back to your infected PC and insert the USB Drive / Memory Stick into the respective USB slot.
  5. Perform hard reset (press reset button on your computer) if your infected PC has been on with ransomware's background. If not, then simply turn your PC on.
  6. Before the very boot process begins keep repeatedly hitting “F8” button on your keyboard.
  7. In the window that appeared select “Safe mode with command prompt” option and press Enter.
  8. Choose your operating system and user account which was infected with ransomware virus.
  9. In the cmd.exe window type “explorer” and press “Enter” button on your keyboard.
  10. Select “My Computer” and choose your USB flash drive / Memory Stick.
  11. Run the installation file of GridinSoft Trojan Killer. Install the program and run scan with it. (update of the program will not work for “Safe mode with command prompt” option)
  12. When the hijackers are successfully disabled (fixed) by GridinSoft Trojan Killer you may close GridinSoft Trojan Killer application.
  13. In the cmd.exe window type “shutdown /r /t 0” and press “Enter” button on your keyboard.
  14. Upon system reboot your PC will be unlocked and you will be able to use it just as before the infection took pace.
  15. However, it is recommended that you now update GridinSoft Trojan Killer and run the scan with it again to remove the source of the infections causing ransomware to infect your PC.

Automatic removal video:

Ransomware manual removal milestones (optional and might not be effective):

  1. Restart your system into "Safe Mode with Command Prompt". While the PC is booting press the "F8 key" continuously, which should present the "Windows Advanced Options Menu" as presented in the image below. Apply the arrow keys in order to move to "Safe Mode with Command Prompt" and hit Enter key of your keyboard. Login as the same user you were previously logged in under the normal Windows mode.
  2. Once Windows boots successfully, the Windows command prompt would appear as described at the screenshot below. At the command prompt, type-in the word "explorer", and press Enter. Windows Explorer should open. Please do not yet close it. You can minimize it for a while.
  3. Afterwards open the Registry editor by applying the same Windows command prompt. Type-in the word "regedit" and hit Enter button of your keyboard. The Registry Editor should open.
  4. Find the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ In the right-side panel select the registry entry named Shell. Right click on this registry key and select "Modify" option. Its default value should be "Explorer.exe". However, ransomware did its job, and so after you click "Modify" you would see totally different value of this registry entry.
  5. Copy the location of the modified value of the above-mentioned registry entry to the piece of paper or memorize its location. It shows where exactly the main executable of ransomware is located.
  6. Modify the value of the registry entry back to "explorer.exe" and save the settings of the Registry Editor.
  7. Go to the location indicated in the value of modified registry entry. Remove the malicous file. Use the file location you copied into the piece of paper or otherwise noted in step in previous step. In our case, ransomware's virus file was located and running from the Desktop. There was a file called "contacts.exe", but it may have different (random) name.
  8. Get back to "Normal Mode". In order to reboot your PC, when at the command prompt, type-in the following phrase "shutdown /r /t 0" (without the quotation marks) and hit Enter button.
  9. The virus should be gone. However, in order to clean your PC from other possible virus threats and malware remnants, make sure to download and run GridinSoft Trojan Killer downloadable through the button below.

Manual removal video:

Associated virus files to be removed:


Associated virus registry entries to be removed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[random].exe"

1 comment:

  1. Thanks for sharing complete information on removal of International Cyber Security Protection Alliance. I found it very helpful.
    cyber bit