How To Remove The Canadian Police Cybercrime Investigation Department Ransomware Virus

What Is The Canadian Police Cybercrime Investigation Department Ransomware Virus?

The Police Cybercrime Investigation Department ransomware virus (also known as the fake Canadian Police virus, Canada Police Ransomware, or Criminal Code of Canada Virus) is a virus (categorized as ransomware) that attempts to scam infected users by “holding their systems hostage”: it takes control of the infected computer and locks it so that it cannot be used properly. The virus then displays a fake “Attention!” style alert page which accuses the computer user (identified by IP address and ISP) of violating several Copyright and Related Rights laws (Video, Music, Software) and Criminal Codes of Canada (child pornography, zoophilia, etc.).

Canada Police Cybercrime Investigation Department Virus

The Police Cybercrime Investigation Department ransomware virus demands that a penalty fine be paid in order to unlock and use the computer again. Many cyber criminals earn revenue this way.

The Police Cybercrime Investigation Department ransomware virus infects computers mainly through phishing techniques such as email scams, drive-by downloads, infected websites, and Trojans.

Police Cybercrime Investigation Department Virus Symptoms

  1. The computer system “locks up” and cannot be used properly.
  2. The Police Cybercrime Investigation Department ransomware virus creates files (in the application data folders) and registry entries which can prevent the use of safe mode.
  3. A fake page appears claiming to be from the Canada Police Cybercrime Investigation Department and displays a fake “Attention” message which reads, word for word:

  • Attention! Your PC is blocked due to at least one of the reasons specified below:
  • You have been violating Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyright content, this infringing Article 128 of the Criminal Code of Canada.
  • Article 128 of the Criminal Code provides for a fine of two to five hundred minimal wages or a deprivation of liberty of two to eight years.
  • You have been viewing or distributing prohibited Pornographic content (Child Porno/Zoofila and etc). Thus violating article 202 of the Criminal Code of Canada. Article 202 of the Criminal Code provides for a deprivation of liberty for four to twelve years.
  • Illegal access to computer data has been initiated from your PC, or you have been…
  • Article 208 of the Criminal Code provides for a fine of up to Cad 100,000 and/or a deprivation of liberty for four to nine years.
  • Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating the law On Neglectful Use of Personal Computer.
Web Cam Control

Cybercrime investigation department video recording

Like most current ransomware infections, the Police Cybercrime Investigation Department ransomware virus claims to record video from the infected computer’s plugged-in or built-in web cam. At least, that is what this infection claims; most reports indicate that the camera feed is fake as well.
  • You can block this virus’s webcam stream by denying Flash access to the camera. To deny Flash please click here.

How To Remove Police Cybercrime Investigation Department Ransomware

Because there are different progressions (variations) of the Police Cybercrime Investigation Department ransomware virus, different steps are necessary for different infected users. While some infected computer users can still access the internet, others may not be able to and will require a separate removal process.

Whatever the case is, do not give your money to this fraudulent organization.

Many ransomware victims report that they can access their computers by logging in with a different account than the infected one, and that they can use the computer again after disconnecting from the internet. This is not the case for most infected computers.

Removal Options

  1. Anti-Malware Software – Scan and remove virus
  2. Manual Removal – Search for and remove infected files
  3. System Restore – Restore computer to a date and time before infection

1. Anti-Malware Software

Malwarebytes has been documented to scan for and remove current ransomware viruses. It is offered in a free and a paid version; both will detect the malware, and Malwarebytes has one of the largest sample databases of any Antivirus or Anti-Malware software. Once you are finished with the software you may remove Malwarebytes or keep it on your machine for future issues. Keep in mind that the paid version will keep your computer protected in real time against these attacks.

2. Manual Removal

Manual removal of this virus may be difficult because its files can be hard to detect, especially if you are not experienced with the files created by similar ransomware such as the FBI Moneypak virus or the Interpol Department Of Cybercrime Ransomware.

Remove Directory Files

The files that the Canadian Police Cybercrime Investigation Department ransomware virus creates have random names but are always located in the %AllUsersProfile%, %AppData%, and %Temp% folders. Application Data (%AppData%) is a hidden Windows folder by default. To learn more about how to show hidden files, folders, and drives please click here.

  • Open the Windows Start Menu, type %allusersprofile%, and press Enter.

The exact file name has not been documented and is always changing, therefore we cannot provide it. A suggestion is to search the %allusersprofile% folder for a suspicious file which was modified around the time of the infection. Remove this file. (The file will not be a .dat file.)

  • Open the Windows Start Menu, type %appdata%, and press Enter.

Open the “Local” folder and again search for an unknown file. There will most likely be 2 files created by the fake Canadian Police virus, one of which will be an executable file (.exe). Search for suspicious files and remove them.

  • Open the Windows Start Menu, type %temp%, and press Enter.

There will most likely be only 1 file in this folder. Again, this file has not been identified, but its name may be similar to rool0_pk.exe. Search for a suspicious file and delete it.

Remove Registry Entries (Values)

To open the Windows Registry Editor, open the Windows Start Menu, type regedit into the search field, and press Enter.

Remove the registry values below, which are created by the fake Canada Police ransomware virus.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random].exe" /START "%Program Files%\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random].exe" /START "%Program Files%\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random].exe" /START "%Program Files%\Internet Explorer\iexplore.exe"'
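As an added example (not part of the original guide), the following PowerShell triage script automates the two manual checks above: it lists files written in the %AllUsersProfile%, %AppData%, Local AppData and %Temp% folders around the time of infection (skipping .dat files), and it reads the StartMenuInternet browser launch commands and flags any that run something other than the browser itself. It assumes PowerShell 5.1 on Windows, run from an uninfected account or from Safe Mode with Command Prompt; the InfectionTime and WindowHours parameters are assumptions you adjust to your case, and the script only reports, it deletes nothing.

```powershell
# Added triage script, not from the original guide. Reports suspects only; review before deleting.
param(
    # Approximate time the lock screen first appeared (assumed default: one day ago).
    [datetime]$InfectionTime = (Get-Date).AddDays(-1),
    # Hours before and after InfectionTime in which to look for newly written files.
    [int]$WindowHours = 12
)

$start = $InfectionTime.AddHours(-$WindowHours)
$end   = $InfectionTime.AddHours($WindowHours)

# 1. Files written around the infection time in the folders the guide names.
#    The dropper is an executable, so .dat files are skipped as the guide says.
$folders = @($env:ALLUSERSPROFILE, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)
$suspects = foreach ($f in $folders) {
    if (Test-Path $f) {
        Get-ChildItem -Path $f -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $_.LastWriteTime -ge $start -and
                $_.LastWriteTime -le $end -and
                $_.Extension -ne '.dat'
            }
    }
}
Write-Host "Files written between $start and $end:"
$suspects | Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize

# 2. Browser launch commands under StartMenuInternet. A clean (Default) value is just the
#    quoted path of the browser; a value that launches another program first with /START,
#    as in the entries listed above, is the ransomware's persistence hook.
$keys = @(
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
)
$results = foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    $cmd = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)'
    if (-not $cmd) { continue }
    # Hijacked if the command uses /START or its first quoted token is not the browser.
    $hijacked = ($cmd -match '/START') -or
                ($cmd -notmatch '^"[^"]*\\(firefox|iexplore)\.exe"')
    [pscustomobject]@{ Key = $k; Command = $cmd; Hijacked = $hijacked }
}
$results | Format-List
```

Any entry reported as Hijacked = True should be reset in regedit to the quoted path of the browser alone, as described in the registry section above.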

3. System Restore

The idea is to restore your system to a date and time (restore point) before it became infected. For more information concerning a system restore please click here.

Option 1: Windows Start Menu rstrui.exe Restore

1. Access Windows Start menu
2. Type rstrui.exe into the search field and press Enter
3. Follow the instructions in the Windows Restore Wizard

Option 2: Windows Start Menu Restore

Standard directions to quickly access the Windows System Restore Wizard.

1. Access the Windows Start menu and click All Programs.
2. Click and open Accessories, click System Tools, and then click System Restore.
If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Restore your computer to a date and time before infection.

Option 3: Windows Safe Mode With Command Prompt Restore

When the computer user cannot access the Windows desktop because the computer has become infected with malware, viruses, or other conflicts and malfunctions, entering Windows using safe mode with command prompt is the suggested way to reach the Windows restore center. If it is difficult to start Windows in safe mode, or if Windows brings up a black screen with “safe mode” in the four corners, don’t panic. Move your cursor to the lower left corner, where the Search box is usually visible in the Windows Start Menu, and it will come up, including the “Run” box.

1. Restart/reboot your computer. Unplug if necessary.
2. Enter Windows in “safe mode with command prompt”. To properly enter safe mode, repeatedly press F8 upon the opening of the boot menu.


3. Once the Command Prompt appears, type “explorer” and hit Enter. During some malware and virus infections you only have 2-3 seconds to do this. If it is not done within that time, viruses such as the (similar) FBI MoneyPak ransomware virus will no longer allow you to type “explorer”.


4. Once Windows Explorer shows up browse to:

  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter

5. Follow all steps to restore or recover your computer system to an earlier date and time, before the infection, to complete the Windows restore.

Sean Doyle

Sean is a distinguished tech author and entrepreneur with over 20 years of extensive experience in cybersecurity, privacy, malware, Google Analytics, online marketing, and various other tech domains. His expertise and contributions to the industry have been recognized in numerous esteemed publications. Sean is widely acclaimed for his sharp intellect and innovative insights, solidifying his reputation as a leading figure in the tech community. His work not only advances the field but also helps businesses and individuals navigate the complexities of the digital world.
