How To Remove The Canadian Police Cybercrime Investigation Department Ransomware Virus

What Is The Canadian Police Cybercrime Investigation Department Ransomware Virus?

The Police Cybercrime Investigation Department ransomware virus (fake Canadian Police virus, Canada Police Ransomware, Criminal Code of Canada Virus) is a virus (categorized as ransomare) that attempts to scam infected users via “holding their systems hostage“, or taking control of the infected computer, locking the computer from being used properly. The virus then prompts a fake “Attention!” style alert page which accuses the computer user (identified by IP and ISP) of violating several different Copyright (& Related Rights Laws/Video, Music, Software) and Criminal Codes of Canada (Child porno, Zoofilia, and etc).

Canda Police Cybercrime Investigation Department Virus

The Police Cybercrime Investigation Department ransomware virus demands a penalty fine to be paid in order to unlock and use the computer again. Many malicious cyber criminals earn revenue this way.

The Police Cybercrime Investigation Department ransomware virus infects computers mainly by phishing techniques such as email scams, drive by websites, infected websites, and Trojans.

Police Cybercrime Investigation Department Virus Symptoms

  1. Computer systems “locks up” and can not be used properly.
  2. The Police Cybercrime Investigation Department ransomware virus creates directory files (application data) and registry entries which can halt the use of safe mode.
  3. A fake page prompts claiming to be from Canada: Police Cybercrime Investigation Department and displays a fake “Attention” message which details word for word:

  • Attention! Your PC is blocked due to at least one of the reasons specified below:
  • You have been violating Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyright content, this infringing Article 128 of the Criminal Code of Canada.
  • Article 128 of the Criminal Code provides for a fine of two to five hundred minimal wages or a deprivation of liberty of two to eight years.
  • You have been viewing or distributing prohibited Pornographic content (Child Porno/Zoofila and etc). Thus violating article 202 of the Criminal Code of Canada. Article 202 of the Criminal Code provides for a deprivation of liberty for four to twelve years.
  • Illegal access to computer data has been initiated from your PC, or you have been…
  • Article 208 of the Criminal Code provides for a fine of up to Cad 100,000 and/or a deprivation of liberty for four to nine years.
  • Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating the law On Neglectful Use of Personal Computer.
Web Cam Control

Cybercrime investigation department video recording

Just like most current ransomware infections the Police Cybercrime Investigation Department ransomware virus is no exception to record video from infected computers plugged in or built in web cams. At least, that’s what this infection claims though most occurances report that the camera feed is fake as well.
  • You can stop your webcam stream against this virus by denying flash. To deny flash please click here.

How To Remove Police Cybercrime Investigation Department Ransomware

Due to different progressions (variations) of the Police Cybercrime Investigation Department ransomware virus different steps for infected users are necessary. Whilst some infected computer users can access the internet, other may not be able to and will require a separate removal process.

Whatever the case is, do not give your money to this fraudulent organization.

Many ransomware victims report that they can access their computers using different accounts as the infected computer account as well as being able to use the computer after disconnecting from the internet. This is not the same for most infected computers.

Removal Options

  1. Anti-Malware Software – Scan and remove virus
  2. Manual Removal – Search for and remove infected files
  3. System Restore – Restore computer to a date and time before infection

1. Anti-Malware Software

Malwarebytes has been documented to scan for and remove current ransomware viruses. They offer a free and paid version which will both detect the malware and have the largest sample rate of most Antivirus and Anti-Malware software. Once you are finished with the software you may remove Malwarebytes or keep it on your machine for future issues. Keep in mind the paid version will keep your computer protected in real time against these attacks.
Remove Virus

2. Manual Removal

Manual removal for this virus may be difficult as files can be hard to detect. Especially if you are not experienced with ransomware files created by ransomware such as the FBI Moneypak virus or The Interpol Department Of Cybercrime Ransomware.

Remove Directory Files

The files that the Canadian Police Cybercrime Investigation Department ransomware virus will be random but always located in %AllUsersProfile%, %AppData%, and %Temp% folders. Application Data (%AppData%) by default is a hidden Window’s folder. To learn more about how to show hidden files, folders, and drives please click here.

  • Open Window’s Start Menu and type %allusersprofile%, press Enter.

The exact file name has not been documented and is always changing therefore we can not provide the title. A suggestion is to search the %allusersprofile% folder for a suspicious file which was modified around the time of the infection. Remove this file. (The file will not be a .dat file)

  • Open Window’s Start Menu and type %appdata%, press Enter.

Access the “Local” folder and again, search for an undocumented file. There will most likely be 2 files created by the fake Canadian Police virus. One file will be an executable file (.exe). Search for suspicious files, and remove them.

  • Open Window’s Start Menu and type %temp%, press Enter.

There will most likely only be 1 files in this folder. Again, this file is not identified but may be similar to rool0_pk.exe. Search for a suspicious file and delete it.

Remove Registry Entries (Values)

To enter Window’s Registry Editor, please access Window’s Start Menu and type regedit into the search file, press Enter.

Remove the regitry values below created by the fake Canada Police ransomware virus.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random].exe” /START “%Program Files%\Mozilla Firefox\firefox.exe”‘
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random].exe” /START “%Program Files%\Mozilla Firefox\firefox.exe” -safe-mode’
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random].exe” /START “%Program Files%\Internet Explorer\iexplore.exe”

3. System Restore

The idea is to restore your system to a date and time (restore point) before it became infected. For more information concerning a system restore please click here.

Option 1: Windows Start Menu rstrui.exe Restore

1. Access Windows Start menu
2. Type rstrui.exe into the search field and press Enter
3. Follow instructions in Window’s Restore Wizard

Option 2: Windows Start Menu Restore

Start Menu System RestoreStandard directions to quickly access Window’s System Restore Wizard.

1. Access windows Start menu and click All Programs.
2. Click and open Accessories, click System Tools, and then click System Restore.‌
If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Restore your computer to a date and time before infection.

Option 3: Windows Safe Mode With Command Prompt Restore

During instances where the computer user can not access Windows desktop and the computer has become infected with malware, viruses, or other conflicts and malfunctions, entering Windows utilizing sage mode with command prompt is the suggested step to access Window’s restore center. If it is difficult to start windows in safe mode or if Windows’s brings up a black screen, with “safe mode” in the four corners – Don’t panic. Move your cursor to the lower left corner, where the Search box is usually visible in Windows Start Menu and it will come up, including the “Run” box.

1. Restart/reboot your computer. Unplug if necessary.
2. Enter Windows in “safe mode with command prompt”. To properly enter safe mode, repeatedly press F8 upon the opening of the boot menu.

Safe mode with command prompt

3. Once the Command Prompt appears type “explorer” and hit Enter. Sometimes during infections of malware and viruses you only have the opportunity to do this within 2-3 seconds. In some cases if this is not performed during the allotted seconds, viruses such as the FBI MoneyPak ransomware virus (similar) will not allow you to type “explorer” anymore.

Comand Prompt Type Explorer

4. Once Windows Explorer shows up browse to:

  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter

System32 rstrui
5. Follow all steps to restore or recover your computer system to an earlier time and date, before infection to complete Windows restore.
Restore system files and settings

Sean Doyle

Sean Doyle is an engineer from Los Angeles, California. Sean's primary focuses include Internet Security, Web Spam, and Online Marketing.

Comments ( 79 )

  1. ReplyProusarick
    Sean, you ROCK! I thank you for sharing your invaluable expertise.
    • ReplyJeff
      I've gotten this webpage talking about the virus but nothing happened
  2. ReplyM-L
    is the virus works on mac's because i saw the web page and didn't have further problem just yet
    • ReplyAuthorSean Doyle
      That may likely just be a "browser lock" that has nothing to do with malicious files on your computer.
  3. ReplyAnonymous
    Thank you!!!!!!
  4. ReplyAnonymous
    Thank you soooooooo much!
  5. ReplySean
    Thabk you so much, this was seriously freaking me out
  6. ReplyAnonymous
    Thanks a lot very good and useful information, I shared friends as many are affected by this virus
  7. ReplyDoron
    Thank you so much. used the manual version to get up and running downloaded and am running Malwarebytes now.
  8. ReplyAnonymous
    what happens ifyou cant remove olice
  9. Replybob
    thank you soooo much! scared me haha totally freaked out a little till i could actually look at what it was asking for
  10. ReplyAbid
    Thank You very much ... best advise ever had ...
  11. ReplyAnonymous
    Thank you so much Sean. You save my day. I got scared by that virus!
    • ReplyAnonymous
      I got it
  12. ReplySylph
    God damn thank you so much ! You're my hero! I got so scared this virus popped in my face just as I was confirming a download xD I was able to use option 3 in like 10 min and now everything seems fine ! :)
  13. ReplyAnonymous
    My computer would not start in any sort of safe mode, but I figured out how to get past the lock screen in regular startup. When on the locked screen disconnect any Internet access to your computer, from there, in the second "credit card" pay option put the number "0" 16 times and enter it as a credit card number. That acted as a payment and took off the lock screen long enough for me to follow these steps to remove the virus!
  14. Replydoodool
    Thank you so much for the instruction.
  15. ReplyAnonymous
    Seriously man i thought some little shit was on mylap top fucking with the stuff the warning sepcified. but then i saw how much money they wanted and i immediatly knew it was a virus. it took me close to 2 hours to get rid of the virus because i had to do it manually thanks you to whoever posted this and does anyone know how you actaully get the virus (site wise)
  16. ReplyCarey
    Awesome awesome awesome, thanx alot Sean, that one did kinda scare me, your the man!!!
  17. ReplyDoug in Canada
    Thanks for the help with this terrible virus. I found Supa_roost's file was on my computer too.
  18. ReplyAlex
    Wow thanks a lot Sean. I'm no computer wiz and option 3 worked great for me thanks again
  19. ReplySupa_roost
    The latest mutation is using the following reg string . [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] shell = "explorer.exe,%AppData%\skype.dat". Delete the Shell string and the file skype.dat found under %AppData%\ (press windows key and r to get the run command and type in %AppData%). As always do this in safe mode. Safe mode with networking might fail, so use Safe Mode with command prompt.
  20. ReplyJ. B.
    This guide was detailed, yet very simple and straight to the point. 15 minutes ago I just had my first (and hopefully last) experience with this Ransomware virus. It was so bad that I could not turn on my computer or access anything (even safe mode) until trying several times. I just managed to restore the system back to a few days ago and everything is looking good so far. I owe you big, thanks so much!!
  21. ReplyBee Divine
    This just happened to me the file name it was under was: - kcheeyualpqzrons - kcheeyualpqzrons.exe
  22. ReplyAnonymous
    Very good thank you Good to see someone knows what is going on! Deleted that bad Bas dard for the registry. From Northern Canadian Suffer
  23. ReplyAnonymous
    very good thank you