“Ransomeware” spyware “Canada Police Cyber-Crime Investigation” Fake

Posted on 10/22/12 in Support, No Comments

New Virus/trojan scam…

Update and run your internet security programs. Microsoft Security Essentials, AVG, Malwarebytes have all removed the virus. You might have to run in safe mode.

Numerous local police forces have issued warnings regarding this. Here is the link for Waterloo Regional Police statement:

>Link Here<


Reference for removal instructions:


Police Cybercrime Investigation Department Virus Symptoms

  1. Computer systems “locks up” and can not be used properly.
  2. The Police Cybercrime Investigation Department ransomware virus creates directory files (application data) and registry entries which can halt the use of safe mode.
  3. A fake page prompts claiming to be from Canada: Police Cybercrime Investigation Department and displays a fake “Attention” message which details word for word:
  • Attention! Your PC is blocked due to at least one of the reasons specified below:
  • You have been violating Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyright content, this infringing Article 128 of the Criminal Code of Canada.
  • Article 128 of the Criminal Code provides for a fine of two to five hundred minimal wages or a deprivation of liberty of two to eight years.
  • You have been viewing or distributing prohibited Pornographic content (Child Porno/Zoofila and etc). Thus violating article 202 of the Criminal Code of Canada. Article 202 of the Criminal Code provides for a deprivation of liberty for four to twelve years.
  • Illegal access to computer data has been initiated from your PC, or you have been…
  • Article 208 of the Criminal Code provides for a fine of up to Cad 100,000 and/or a deprivation of liberty for four to nine years.
  • Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating the law On Neglectful Use of Personal Computer.
Web Cam Control

Cybercrime investigation department video recording

Just like most current ransomware infections the Police Cybercrime Investigation Department ransomware virus is no exception to record video from infected computers plugged in or built in web cams. At least, that’s what this infection claims though most occurances report that the camera feed is fake as well.
  • You can stop your webcam stream against this virus by denying flash. To deny flash please click here.

How To Remove Police Cybercrime Investigation Department Ransomware

Due to different progressions (variations) of the Police Cybercrime Investigation Department ransomware virus different steps for infected users are necessary. Whilst some infected computer users can access the internet, other may not be able to and will require a separate removal process.

Whatever the case is, do not give your money to this fraudulent organization.

Many ransomware victims report that they can access their computers using different accounts as the infected computer account as well as being able to use the computer after disconnecting from the internet. This is not the same for most infected computers.

Removal Options
  1. Anti-Malware Software – Scan and remove virus
  2. Manual Removal – Search for and remove infected files
  3. System Restore – Restore computer to a date and time before infection

1. Anti-Malware Software

Malwarebytes has been documeted to scan for and remove current ransomware ciruses. They offer a free and paid version which will both detect the malware and have the largest sample rate of most Antivirus and Anti-Malware software. Once you are finishsed with the software you may remove Malwarebytes or keep it on your machine for future issues. Keep in mind the paid version will keep your computer protected in real time against these attacks.


2. Manual Removal

Manual removal for this virus may be difficult as files can be hard to detect. Especially if you are not experienced with ransomware files created by ransomware such as the FBI Moneypak virus or The Interpol Department Of Cybercrime Ransomware.

Remove Directory Files

The files that the Canadian Police Cybercrime Investigation Department ransomware virus will be random but always located in %AllUsersProfile%, %AppData%, and %Temp% folders. Application Data (%AppData%) by default is a hidden Window’s folder. To learn more about how to show hidden files, folders, and drives pleaseclick here.

  • Open Window’s Start Menu and type %allusersprofile%, press Enter.

The exact file name has not been documented and is always changing therefore we can not provide the title. A suggestion is to search the %allusersprofile% folder for a suspicious file which was modified around the time of the infection. Remove this file. (The file will not be a .dat file)

  • Open Window’s Start Menu and type %appdata%, press Enter.

Access the “Local” folder and again, search for an undocumented file. There will most likely be 2 files created by the fake Canadian Police virus. One file will be an executable file (.exe). Search for suspicious files, and remove them.

  • Open Window’s Start Menu and type %temp%, press Enter.

There will most likely only be 1 files in this folder. Again, this file is not identified but may be similar to rool0_pk.exe. Search for a suspicious file and delete it.

Remove Registry Entries (Values)

To enter Window’s Registry Editor, please access Window’s Start Menu and type regedit into the search file, press Enter.

Remove the regitry values below created by the fake Canada Police ransomware virus.


  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random].exe” /START “%Program Files%\Mozilla Firefox\firefox.exe”‘
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random].exe” /START “%Program Files%\Mozilla Firefox\firefox.exe” -safe-mode’
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random].exe” /START “%Program Files%\Internet Explorer\iexplore.exe”



3. System Restore

The idea is to restore your system to a date and time (restore point) before it became infected. For more information concerning a system restore please click here.

Option 1: Windows Start Menu rstrui.exe Restore

1. Access Windows Start menu
2. Type rstrui.exe into the search field and press Enter
3. Follow instructions in Window’s Restore Wizard

Option 2: Windows Start Menu Restore

Start Menu System RestoreStandard directions to quickly access Window’s System Restore Wizard.

1. Access windows Start menu and click All Programs.
2. Click and open Accessories, click System Tools, and then click System Restore.‌
If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Restore your computer to a date and time before infection.

Option 3: Windows Safe Mode With Command Prompt Restore

During instances where the computer user can not access Windows desktop and the computer has become infected with malware, viruses, or other conflicts and malfunctions, entering Windows utilizing sage mode with command prompt is the suggested step to access Window’s restore center. If it is difficult to start windows in safe mode or if Windows’s brings up a black screen, with “safe mode” in the four corners – Don’t panic. Move your cursor to the lower left corner, where the Search box is usually visible in Windows Start Menu and it will come up, including the “Run” box.

1. Restart/reboot your computer. Unplug if necessary.
2. Enter Windows in “safe mode with command prompt”. To properly enter safe mode, repeatedly press F8 upon the opening of the boot menu.

Safe mode with command prompt

3. Once the Command Prompt appears type “explorer” and hit Enter. Sometimes during infections of malware and viruses you only have the opportunity to do this within 2-3 seconds. In some cases if this is not performed during the allotted seconds, viruses such as the FBI MoneyPak ransomware virus (similar) will not allow you to type “explorer” anymore.

Comand Prompt Type Explorer

4. Once Windows Explorer shows up browse to:

  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter

System32 rstrui
5. Follow all steps to restore or recover your computer system to an earlier time and date, before infection to complete Windows restore.
Restore system files and settings