How To Remove The Canadian Police Cybercrime Investigation Department Ransomware Virus

What Is The Canadian Police Cybercrime Investigation Department Ransomware Virus?

The Police Cybercrime Investigation Department ransomware virus (fake Canadian Police virus, Canada Police Ransomware, Criminal Code of Canada Virus) is a virus (categorized as ransomare) that attempts to scam infected users via “holding their systems hostage“, or taking control of the infected computer, locking the computer from being used properly. The virus then prompts a fake “Attention!” style alert page which accuses the computer user (identified by IP and ISP) of violating several different Copyright (& Related Rights Laws/Video, Music, Software) and Criminal Codes of Canada (Child porno, Zoofilia, and etc).

Canda Police Cybercrime Investigation Department Virus

The Police Cybercrime Investigation Department ransomware virus demands a penalty fine to be paid in order to unlock and use the computer again. Many malicious cyber criminals earn revenue this way.

The Police Cybercrime Investigation Department ransomware virus infects computers mainly by phishing techniques such as email scams, drive by websites, infected websites, and Trojans.

Police Cybercrime Investigation Department Virus Symptoms

  1. Computer systems “locks up” and can not be used properly.
  2. The Police Cybercrime Investigation Department ransomware virus creates directory files (application data) and registry entries which can halt the use of safe mode.
  3. A fake page prompts claiming to be from Canada: Police Cybercrime Investigation Department and displays a fake “Attention” message which details word for word:

  • Attention! Your PC is blocked due to at least one of the reasons specified below:
  • You have been violating Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyright content, this infringing Article 128 of the Criminal Code of Canada.
  • Article 128 of the Criminal Code provides for a fine of two to five hundred minimal wages or a deprivation of liberty of two to eight years.
  • You have been viewing or distributing prohibited Pornographic content (Child Porno/Zoofila and etc). Thus violating article 202 of the Criminal Code of Canada. Article 202 of the Criminal Code provides for a deprivation of liberty for four to twelve years.
  • Illegal access to computer data has been initiated from your PC, or you have been…
  • Article 208 of the Criminal Code provides for a fine of up to Cad 100,000 and/or a deprivation of liberty for four to nine years.
  • Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating the law On Neglectful Use of Personal Computer.
Web Cam Control

Cybercrime investigation department video recording

Just like most current ransomware infections the Police Cybercrime Investigation Department ransomware virus is no exception to record video from infected computers plugged in or built in web cams. At least, that’s what this infection claims though most occurances report that the camera feed is fake as well.
  • You can stop your webcam stream against this virus by denying flash. To deny flash please click here.

How To Remove Police Cybercrime Investigation Department Ransomware

Due to different progressions (variations) of the Police Cybercrime Investigation Department ransomware virus different steps for infected users are necessary. Whilst some infected computer users can access the internet, other may not be able to and will require a separate removal process.

Whatever the case is, do not give your money to this fraudulent organization.

Many ransomware victims report that they can access their computers using different accounts as the infected computer account as well as being able to use the computer after disconnecting from the internet. This is not the same for most infected computers.

Removal Options

  1. Anti-Malware Software – Scan and remove virus
  2. Manual Removal – Search for and remove infected files
  3. System Restore – Restore computer to a date and time before infection

1. Anti-Malware Software

Malwarebytes has been documented to scan for and remove current ransomware viruses. They offer a free and paid version which will both detect the malware and have the largest sample rate of most Antivirus and Anti-Malware software. Once you are finished with the software you may remove Malwarebytes or keep it on your machine for future issues. Keep in mind the paid version will keep your computer protected in real time against these attacks.
Remove Virus

2. Manual Removal

Manual removal for this virus may be difficult as files can be hard to detect. Especially if you are not experienced with ransomware files created by ransomware such as the FBI Moneypak virus or The Interpol Department Of Cybercrime Ransomware.

Remove Directory Files

The files that the Canadian Police Cybercrime Investigation Department ransomware virus will be random but always located in %AllUsersProfile%, %AppData%, and %Temp% folders. Application Data (%AppData%) by default is a hidden Window’s folder. To learn more about how to show hidden files, folders, and drives please click here.

  • Open Window’s Start Menu and type %allusersprofile%, press Enter.
%allusersprofile%

The exact file name has not been documented and is always changing therefore we can not provide the title. A suggestion is to search the %allusersprofile% folder for a suspicious file which was modified around the time of the infection. Remove this file. (The file will not be a .dat file)

  • Open Window’s Start Menu and type %appdata%, press Enter.
%Appdata%

Access the “Local” folder and again, search for an undocumented file. There will most likely be 2 files created by the fake Canadian Police virus. One file will be an executable file (.exe). Search for suspicious files, and remove them.

  • Open Window’s Start Menu and type %temp%, press Enter.
%temp%

There will most likely only be 1 files in this folder. Again, this file is not identified but may be similar to rool0_pk.exe. Search for a suspicious file and delete it.

Remove Registry Entries (Values)

To enter Window’s Registry Editor, please access Window’s Start Menu and type regedit into the search file, press Enter.

Remove the regitry values below created by the fake Canada Police ransomware virus.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random].exe” /START “%Program Files%\Mozilla Firefox\firefox.exe”‘
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random].exe” /START “%Program Files%\Mozilla Firefox\firefox.exe” -safe-mode’
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random].exe” /START “%Program Files%\Internet Explorer\iexplore.exe”

3. System Restore

The idea is to restore your system to a date and time (restore point) before it became infected. For more information concerning a system restore please click here.

Option 1: Windows Start Menu rstrui.exe Restore

1. Access Windows Start menu
2. Type rstrui.exe into the search field and press Enter
3. Follow instructions in Window’s Restore Wizard

Option 2: Windows Start Menu Restore

Start Menu System RestoreStandard directions to quickly access Window’s System Restore Wizard.

1. Access windows Start menu and click All Programs.
2. Click and open Accessories, click System Tools, and then click System Restore.‌
If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Restore your computer to a date and time before infection.

Option 3: Windows Safe Mode With Command Prompt Restore

During instances where the computer user can not access Windows desktop and the computer has become infected with malware, viruses, or other conflicts and malfunctions, entering Windows utilizing sage mode with command prompt is the suggested step to access Window’s restore center. If it is difficult to start windows in safe mode or if Windows’s brings up a black screen, with “safe mode” in the four corners – Don’t panic. Move your cursor to the lower left corner, where the Search box is usually visible in Windows Start Menu and it will come up, including the “Run” box.

1. Restart/reboot your computer. Unplug if necessary.
2. Enter Windows in “safe mode with command prompt”. To properly enter safe mode, repeatedly press F8 upon the opening of the boot menu.

Safe mode with command prompt

3. Once the Command Prompt appears type “explorer” and hit Enter. Sometimes during infections of malware and viruses you only have the opportunity to do this within 2-3 seconds. In some cases if this is not performed during the allotted seconds, viruses such as the FBI MoneyPak ransomware virus (similar) will not allow you to type “explorer” anymore.

Comand Prompt Type Explorer

4. Once Windows Explorer shows up browse to:

  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter

System32 rstrui
5. Follow all steps to restore or recover your computer system to an earlier time and date, before infection to complete Windows restore.
Restore system files and settings

  • Prousarick

    Sean, you ROCK! I thank you for sharing your invaluable expertise.

    • Jeff

      I’ve gotten this webpage talking about the virus but nothing happened

  • M-L

    is the virus works on mac’s because i saw the web page and didn’t have further problem just yet

    • That may likely just be a “browser lock” that has nothing to do with malicious files on your computer.

  • Anonymous

    Thank you!!!!!!

  • Anonymous

    Thank you soooooooo much!

  • Sean

    Thabk you so much, this was seriously freaking me out

  • Anonymous

    Thanks a lot very good and useful information, I shared with.my friends as many are affected by this virus

  • Doron

    Thank you so much. used the manual version to get up and running downloaded and am running Malwarebytes now.

  • Anonymous

    what happens ifyou cant remove olice

  • bob

    thank you soooo much! scared me haha totally freaked out a little till i could actually look at what it was asking for

  • Abid

    Thank You very much … best advise ever had …

  • Anonymous

    Thank you so much Sean. You save my day. I got scared by that virus!

    • Anonymous

      I got it

  • Sylph

    God damn thank you so much ! You’re my hero! I got so scared this virus popped in my face just as I was confirming a download xD I was able to use option 3 in like 10 min and now everything seems fine ! 🙂

  • Anonymous

    My computer would not start in any sort of safe mode, but I figured out how to get past the lock screen in regular startup. When on the locked screen disconnect any Internet access to your computer, from there, in the second “credit card” pay option put the number “0” 16 times and enter it as a credit card number. That acted as a payment and took off the lock screen long enough for me to follow these steps to remove the virus!

  • doodool

    Thank you so much for the instruction.

  • Anonymous

    Seriously man i thought some little shit was on mylap top fucking with the stuff the warning sepcified. but then i saw how much money they wanted and i immediatly knew it was a virus.
    it took me close to 2 hours to get rid of the virus because i had to do it manually
    thanks you to whoever posted this
    and does anyone know how you actaully get the virus (site wise)

  • Carey

    Awesome awesome awesome, thanx alot Sean, that one did kinda scare me, your the man!!!

  • Doug in Canada

    Thanks for the help with this terrible virus. I found Supa_roost’s file was on my computer too.

  • Alex

    Wow thanks a lot Sean. I’m no computer wiz and option 3 worked great for me thanks again

  • Supa_roost

    The latest mutation is using the following reg string . [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    shell = “explorer.exe,%AppData%\skype.dat”. Delete the Shell string and the file skype.dat found under %AppData%\ (press windows key and r to get the run command and type in %AppData%). As always do this in safe mode. Safe mode with networking might fail, so use Safe Mode with command prompt.

  • J. B.

    This guide was detailed, yet very simple and straight to the point. 15 minutes ago I just had my first (and hopefully last) experience with this Ransomware virus. It was so bad that I could not turn on my computer or access anything (even safe mode) until trying several times. I just managed to restore the system back to a few days ago and everything is looking good so far.

    I owe you big, thanks so much!!

  • Bee Divine

    This just happened to me the file name it was under was:
    – kcheeyualpqzrons
    – kcheeyualpqzrons.exe

  • Anonymous

    Very good thank you Good to see someone knows what is going on! Deleted that bad Bas dard for the registry.
    From Northern Canadian Suffer

  • Anonymous

    very good thank you

  • Anonymous

    THANKS DUDE RESTORE WORKS THANKS A LOT……..

  • Anonymous

    Thanks a bunch man. System restore worked for me.

  • Anonymous

    System Restore worked perfectly – THANKS!

  • Anonymous

    Thank you so much Sean.

  • Anonymous

    Thanks so much dude!!
    You are the boss!
    I thought what the hell?
    Is’n Canada a free country?
    Luckily it is.

  • Howie

    Sean Doyle isTHE best Cyber Security Expert !!!!!
    I used option 2 fix my bug in 5 mins!!! Thanks from Victoria BC!!!

  • Anonymous

    thank you so much!!!!

  • Anonymous

    Sean, you are now one of my best friends in the world – THANK YOU!!

    After I used Malwarebytes I did all your Manual Removal steps and actually found a few misc items that were not removed by MBAM, so also deleted the few additional files that had the timestamp of when things went bad (JScript file and a few DATs) using your directions – again, THANK YOU

  • Farzad

    Sean, you are awesome, they wanted to charge me 89$ online, with your help I got rid of the virus in no time!

  • Anonymous

    If you can get task manager running, “End Process” the services.
    you’ll have about 5 seconds before you can use “del” from a cmd window to delete the major exe file that is bothering you.
    Mine was in the C:\Users\Adam\wgsdgsdsgs.exe something like that.

    for the longest time, i couldn’t use the “de” command from cmd to remove it, even in safe mode, even after removing read-only attribute. But killing the services fixed.

  • S. Squires

    Had to use the safe mode with command line to do a system restore to the previous day. Booting to a GUI, normally or in safe mode, would cause the virus to lock my computer within seconds so couldn’t run virus scan or anything. The command line fix worked…back up and running in normal mode and running virus scan just to be sure.

    Thanks so very much…very much appreciated!!!!

  • Anonymous

    How do you disable wifi?

    • 1. Navigate to your Network Connections.

      Control Panel > Network and Internet > Network Connections

      2. Right click the Wi-Fi icon and select Disable. Do the same to Enable Wi-Fi once again.

  • Anonymous

    thers and easier way then useing command prompt just disable your wifi or internet from your computer and run system restore

  • Anonymous

    Thanks! I was ready to toss my laptop!

    • Anonymous

      yup me too

  • Anonymous

    thanks a lot! keep up the great articles, these virus creators make me sick.

  • Pierre

    Thanks Sean it was very kind of you to help with this little nasty

  • Anonymous

    Whew!What a relief!You are a great Man! Thank you!

  • James Sprague

    Thank you! Did a restore following your advice and everything now working fine. Going to notify my virus software company that their program didn’t stop this virus. Thank goodness for your post – otherwise I was going to take computer over to have commercial firm fix problem. You saved time and money!

  • Anonymous

    THANKS A MILLION!!!

  • Anonymous

    Thank you so much for the help.. I almost paid until something made me look up possible scams! My computer is back to rights now thanks to you!

  • Anonymous

    thank you so much.

  • Anonymous

    I just want to say thank you for posting this help. Since we can’t get back at the guys who make these viruses its great to see community support in finding them and helping those that get infected. GOOD WORK!!!

  • Anonymous

    whoever made this virus deserves to die, thankyou for your help

  • Someone

    If you reboot in command prompt safe mode but can’t get explorer running in time, but it still lets you access the command prompt, type “notepad” and press Enter, then use Notepad’s Open box (Ctrl-O or File > Open) to navigate to the program you want to run (switch the file type from text files to all files or enter “*.*” in the name box & press Enter to see programs). Right-click the program and click Open, and it should start.

  • Anonymous

    OK I got this on PC using a 64 bit edition of Windows 7. It got installed getting by AVG anti virus program. I found it as an exe file called lsass.exe. Enable hidden folder options. Open my computer. Click on drive ur using that has ur operating system ur using right now. Open hidden file folder called ProgramData. You will find the lsass.exe there. Delete that lsass.exe file. I did not have to go to reg or anywhere else to delete files. PC is ok now. I did this via using another operating system to access this affected drive. You can also do it using safe mode accessing the current drive directly to delete this file. Just make show you enabled hidden folder options. This files is about 44.0 KB in size. Good Luck. And dont panic .. u can always remove this affected drive from your pc and install to another friends family pc as a secondary drive to remove this file.

    • Anonymous

      Dude I tried everything else and then read your post and found it.
      Thanks !!!!!!

  • Anonymous

    WOW THANK YOU SO MUCH

  • anon

    OMFGGG THANK YOU SOOOO MUCH!!!!

  • Anonymous

    Thank you!! My computer is still in the restore process, but not only did it unlock it, my roommate is terrified to look at porn now!

  • Pingback: Canada Police Cyber-Crime Investigation()

  • Anonymous

    Thank you so much! The malware really had me scared there for a while but your advice helped me clean it up. Thanks!

  • Anonymous

    Sorry didn’t have “.exe” on the end…

  • Anonymous

    Thank you! Just used these steps and it worked, “rsturi” didn’t Jane “.exe” on the end, but it worked anyways!!!

  • DAvid

    You are the best. Thanks so much for posting this. I used option 3 and it worked perfectly.

  • Anonymous

    Thank you very much for having this information happen to me recently as well . This website helped me out a lot

  • Anonymous

    phew….well done

  • Quincy

    Thank you so much for this information. I’m computer savvy enough, ‘enough’ being the key term here, to know that any suspicious prompt that asks me for money is essentially bogus, but I’d never seen anything like this before. The lock-up page looked 100% legit and did, in fact, scare me into a standing position in front of my computer for a bit. But as per your suggestions, I ran a system restore and it worked like a charm. Once again, thank you, thank you, thank you.

  • Anonymous

    Thanks so much, it worked! I wish we could go after these guys that came up with this stupid virus.

  • Anonymous

    Thank you for the steps. I am not computer-savvy and yet was able to make it work. Thanks for sharing.

  • bj

    thanks this worked well

  • Scot

    Worked well, thank you

  • Anonymous

    thanks really helpful

  • Anonymous

    Thanks so much!!!

  • Anonymous

    Thank you so much, it really helps me a lot!

  • Anonymous

    thank you thank you. worked like a charm (safe mode option). much appreciated.

  • Anonymous

    Thank you… This saved me from alot of headaches

  • Anonymous

    Thnx

  • Anonymous

    Thank you so much you just can even know how this helped me!!! Im so happy right now!! My computer is working like before all that!! I’ll never thanks you anough!!!!!

  • Anonymous

    thank you

  • Anonymous

    Thank you!!!

  • Heatyher

    Thank you so much. This saved me a lot of misery.