How To Remove The Canadian Police Cybercrime Investigation Department Ransomware Virus

What Is The Canadian Police Cybercrime Investigation Department Ransomware Virus?

The Police Cybercrime Investigation Department ransomware virus (also known as the fake Canadian Police virus, Canada Police Ransomware, or Criminal Code of Canada Virus) is malware categorized as ransomware. It attempts to scam infected users by “holding their systems hostage”: it takes control of the infected computer and locks it so that it cannot be used properly. The virus then displays a fake “Attention!” style alert page that accuses the computer user (identified by IP and ISP) of violating several Copyright and Related Rights laws (video, music, software) and Criminal Codes of Canada (child pornography, zoophilia, etc.).

The Police Cybercrime Investigation Department ransomware virus demands a penalty fine to be paid in order to unlock and use the computer again. Many malicious cyber criminals earn revenue this way.

The Police Cybercrime Investigation Department ransomware virus infects computers mainly through phishing techniques such as email scams, drive-by websites, infected websites, and Trojans.

Police Cybercrime Investigation Department Virus Symptoms

  1. The computer system “locks up” and cannot be used properly.
  2. The Police Cybercrime Investigation Department ransomware virus creates directory files (application data) and registry entries which can halt the use of safe mode.
  3. A fake page appears, claiming to be from “Canada: Police Cybercrime Investigation Department”, and displays a fake “Attention” message that reads, word for word:

  • Attention! Your PC is blocked due to at least one of the reasons specified below:
  • You have been violating Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyright content, this infringing Article 128 of the Criminal Code of Canada.
  • Article 128 of the Criminal Code provides for a fine of two to five hundred minimal wages or a deprivation of liberty of two to eight years.
  • You have been viewing or distributing prohibited Pornographic content (Child Porno/Zoofila and etc). Thus violating article 202 of the Criminal Code of Canada. Article 202 of the Criminal Code provides for a deprivation of liberty for four to twelve years.
  • Illegal access to computer data has been initiated from your PC, or you have been…
  • Article 208 of the Criminal Code provides for a fine of up to Cad 100,000 and/or a deprivation of liberty for four to nine years.
  • Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating the law On Neglectful Use of Personal Computer.

Web Cam Control

Like most current ransomware infections, the Police Cybercrime Investigation Department ransomware virus claims to record video from webcams plugged into or built into infected computers. At least, that is what this infection claims; most reports indicate that the camera feed is fake as well.
  • You can stop the webcam stream used by this virus by denying Flash.

How To Remove Police Cybercrime Investigation Department Ransomware

Because there are different progressions (variations) of the Police Cybercrime Investigation Department ransomware virus, infected users may need different steps. While some infected computer users can access the internet, others may not be able to and will require a separate removal process.

Whatever the case is, do not give your money to this fraudulent organization.

Many ransomware victims report that they can access their computers using an account other than the infected one, and that they can use the computer after disconnecting from the internet. This is not the case for most infected computers.

Removal Options

  1. Anti-Malware Software – Scan and remove virus
  2. Manual Removal – Search for and remove infected files
  3. System Restore – Restore computer to a date and time before infection

1. Anti-Malware Software

Malwarebytes has been documented to scan for and remove current ransomware viruses. It is offered in a free and a paid version, both of which will detect the malware, and it has the largest sample rate of most antivirus and anti-malware software. Once you are finished with the software you may remove Malwarebytes or keep it on your machine for future issues. Keep in mind that the paid version will keep your computer protected in real time against these attacks.

2. Manual Removal

Manual removal of this virus may be difficult because the files can be hard to detect, especially if you are not experienced with files created by ransomware such as the FBI Moneypak virus or The Interpol Department Of Cybercrime Ransomware.

Remove Directory Files

The files that the Canadian Police Cybercrime Investigation Department ransomware virus creates will have random names but are always located in the %AllUsersProfile%, %AppData%, and %Temp% folders. Application Data (%AppData%) is a hidden Windows folder by default, so hidden files, folders, and drives must be shown to browse it.

  • Open the Windows Start Menu, type %allusersprofile%, and press Enter.

The exact file name has not been documented and is always changing, therefore we cannot provide the title. A suggestion is to search the %allusersprofile% folder for a suspicious file that was modified around the time of the infection. Remove this file. (The file will not be a .dat file.)

  • Open the Windows Start Menu, type %appdata%, and press Enter.

Access the “Local” folder and again, search for an undocumented file. There will most likely be 2 files created by the fake Canadian Police virus. One file will be an executable file (.exe). Search for suspicious files, and remove them.

  • Open the Windows Start Menu, type %temp%, and press Enter.

There will most likely only be 1 file in this folder. Again, this file is not identified but may be similar to rool0_pk.exe. Search for a suspicious file and delete it.
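The folder search described above can be done as a read-only listing. This PowerShell script is an added example, not part of the original article; `$InfectionTime` and `$WindowHours` are assumed parameters that you set to when the lock screen first appeared.

```powershell
# Added example (not from the original article): read-only triage of the folders above.
# $InfectionTime and $WindowHours are assumed parameters; nothing is deleted.
param(
    [datetime]$InfectionTime = (Get-Date).AddHours(-6),
    [int]$WindowHours = 24
)

# LOCALAPPDATA covers the "Local" folder on Vista/7; it is unset on XP and is then skipped.
$folders = @($env:ALLUSERSPROFILE, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Select-Object -Unique

$from = $InfectionTime.AddHours(-$WindowHours)
$to   = $InfectionTime.AddHours($WindowHours)

$hits = foreach ($folder in $folders) {
    # -Force includes hidden and system files, which Explorer hides by default.
    Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       $_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to } |
        ForEach-Object {
            $status = 'Unknown'
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
            if ($sig) { $status = $sig.Status }
            New-Object PSObject -Property @{
                LastWrite = $_.LastWriteTime
                Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                Signature = $status
                Path      = $_.FullName
            }
        }
}

$hits | Sort-Object LastWrite | Select-Object LastWrite, Hidden, Signature, Path |
    Format-Table -AutoSize -Wrap
```

Unsigned executables with random names that were written inside the window are the candidates to review before deleting anything.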

Remove Registry Entries (Values)

To open the Windows Registry Editor, open the Windows Start Menu, type regedit into the search field, and press Enter.

Remove the registry values below, which are created by the fake Canada Police ransomware virus.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random].exe" /START "%Program Files%\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random].exe" /START "%Program Files%\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random].exe" /START "%Program Files%\Internet Explorer\iexplore.exe"'
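To see whether these values are present before editing anything, the keys can be read without modifying them. This PowerShell check is an added example, not part of the original article; it also reads the Winlogon Shell value reported in a reader comment on this page. The function names `Get-RegValue` and `Test-HijackedCommand` are hypothetical helpers.

```powershell
# Added example (not from the original article): read-only check of the values listed above.
$browserKeys = @(
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
)

function Get-RegValue([string]$KeyPath, [string]$Name) {
    # $Name = '' reads the key's (Default) value; returns $null if the key or value is absent.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    return (Get-Item -LiteralPath $KeyPath).GetValue($Name)
}

function Test-HijackedCommand([string]$Command) {
    # The values on this page launch "[random].exe" /START "<browser>", so flag a
    # /START wrapper or an executable that lives under Application Data / AppData.
    return ($Command -match '\s/START\s') -or
           ($Command -match '\\(Application Data|AppData)\\.*\.exe')
}

$report = @()
foreach ($key in $browserKeys) {
    $value = Get-RegValue $key ''
    $report += New-Object PSObject -Property @{
        Key        = $key
        Value      = $value
        Suspicious = [bool]($value -and (Test-HijackedCommand $value))
    }
}

# Reader-reported variant: HKCU Winlogon "Shell" set to "explorer.exe,%AppData%\skype.dat".
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = Get-RegValue $winlogon 'Shell'
$report += New-Object PSObject -Property @{
    Key        = "$winlogon (Shell)"
    Value      = $shell
    Suspicious = [bool]($shell -and ($shell.Trim() -ne 'explorer.exe'))
}

$report | Select-Object Suspicious, Key, Value | Format-List
```

A clean browser entry points directly at firefox.exe or iexplore.exe under Program Files, and a per-user Winlogon Shell value is flagged whenever it is anything other than explorer.exe.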

3. System Restore

The idea is to restore your system to a date and time (restore point) before it became infected.

Option 1: Windows Start Menu rstrui.exe Restore

1. Access Windows Start menu
2. Type rstrui.exe into the search field and press Enter
3. Follow the instructions in the Windows Restore Wizard

Option 2: Windows Start Menu Restore

Standard directions to quickly access the Windows System Restore Wizard.

1. Access the Windows Start menu and click All Programs.
2. Click and open Accessories, click System Tools, and then click System Restore. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Restore your computer to a date and time before infection.

Option 3: Windows Safe Mode With Command Prompt Restore

When the computer user cannot access the Windows desktop because the computer has become infected with malware or viruses, or has other conflicts and malfunctions, entering Windows in safe mode with command prompt is the suggested way to access the Windows restore center. If it is difficult to start Windows in safe mode, or if Windows brings up a black screen with “safe mode” in the four corners, don’t panic. Move your cursor to the lower left corner, where the Search box is usually visible in the Windows Start Menu, and it will come up, including the “Run” box.

1. Restart/reboot your computer. Unplug if necessary.
2. Enter Windows in “safe mode with command prompt”. To properly enter safe mode, repeatedly press F8 as the computer starts until the boot menu opens.

3. Once the Command Prompt appears type “explorer” and hit Enter. Sometimes during infections of malware and viruses you only have the opportunity to do this within 2-3 seconds. In some cases if this is not performed during the allotted seconds, viruses such as the FBI MoneyPak ransomware virus (similar) will not allow you to type “explorer” anymore.

4. Once Windows Explorer shows up browse to:

  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter

5. Follow all steps to restore or recover your computer system to an earlier time and date, before infection, to complete the Windows restore.

Sean Doyle

Sean is a distinguished tech author and entrepreneur with over 20 years of extensive experience in cybersecurity, privacy, malware, Google Analytics, online marketing, and various other tech domains. His expertise and contributions to the industry have been recognized in numerous esteemed publications. Sean is widely acclaimed for his sharp intellect and innovative insights, solidifying his reputation as a leading figure in the tech community. His work not only advances the field but also helps businesses and individuals navigate the complexities of the digital world.

80 Responses

  1. Prousarick says:

    Sean, you ROCK! I thank you for sharing your invaluable expertise.

  2. M-L says:

    Does the virus work on Macs, because I saw the web page and didn’t have further problems just yet

  3. Anonymous says:

    Thank you!!!!!!

  4. Anonymous says:

    Thank you soooooooo much!

  5. Sean says:

    Thank you so much, this was seriously freaking me out

  6. Anonymous says:

    Thanks a lot, very good and useful information. I shared with my friends as many are affected by this virus

  7. Doron says:

    Thank you so much. used the manual version to get up and running downloaded and am running Malwarebytes now.

  8. Anonymous says:

    what happens if you can’t remove olice

  9. bob says:

    thank you soooo much! scared me haha totally freaked out a little till i could actually look at what it was asking for

  10. Abid says:

    Thank You very much … best advice ever had …

  11. Anonymous says:

    Thank you so much Sean. You save my day. I got scared by that virus!

  12. Sylph says:

    God damn thank you so much ! You’re my hero! I got so scared this virus popped in my face just as I was confirming a download xD I was able to use option 3 in like 10 min and now everything seems fine ! 🙂

  13. Anonymous says:

    My computer would not start in any sort of safe mode, but I figured out how to get past the lock screen in regular startup. When on the locked screen disconnect any Internet access to your computer, from there, in the second “credit card” pay option put the number “0” 16 times and enter it as a credit card number. That acted as a payment and took off the lock screen long enough for me to follow these steps to remove the virus!

  14. doodool says:

    Thank you so much for the instruction.

  15. Anonymous says:

    Seriously man i thought some little shit was on my laptop fucking with the stuff the warning specified. but then i saw how much money they wanted and i immediately knew it was a virus.
    it took me close to 2 hours to get rid of the virus because i had to do it manually
    thank you to whoever posted this
    and does anyone know how you actually get the virus (site wise)

  16. Carey says:

    Awesome awesome awesome, thanx alot Sean, that one did kinda scare me, your the man!!!

  17. Doug in Canada says:

    Thanks for the help with this terrible virus. I found Supa_roost’s file was on my computer too.

  18. Alex says:

    Wow thanks a lot Sean. I’m no computer wiz and option 3 worked great for me thanks again

  19. Supa_roost says:

    The latest mutation is using the following reg string . [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    shell = “explorer.exe,%AppData%\skype.dat”. Delete the Shell string and the file skype.dat found under %AppData%\ (press windows key and r to get the run command and type in %AppData%). As always do this in safe mode. Safe mode with networking might fail, so use Safe Mode with command prompt.

  20. J. B. says:

    This guide was detailed, yet very simple and straight to the point. 15 minutes ago I just had my first (and hopefully last) experience with this Ransomware virus. It was so bad that I could not turn on my computer or access anything (even safe mode) until trying several times. I just managed to restore the system back to a few days ago and everything is looking good so far.

    I owe you big, thanks so much!!

  21. Bee Divine says:

    This just happened to me the file name it was under was:
    – kcheeyualpqzrons
    – kcheeyualpqzrons.exe

  22. Anonymous says:

    Very good thank you Good to see someone knows what is going on! Deleted that bad Bas dard for the registry.
    From Northern Canadian Suffer

  23. Anonymous says:

    very good thank you
