Police Cybercrime Investigation Virus
Written by Tomas Meskauskas
Damage level: Severe
Police Cybercrime Investigation Department virus removal guide
If you see a message purportedly from the Cyber Investigation Department demanding payment of a 100 CAD (Canadian Dollars) fine, your PC is infected with ransomware from the 'Reveton' family. This is a scam created by cyber criminals to scare you into believing that you have violated certain laws and to trick you into paying a bogus fine. This particular screen locker is targeted at Canadian computer users, however, other variants of this scam target computer users from the USA, UK, and Germany, etc.
Like its previous versions, this screen locker exploits the name of an authority in order to make the message appear authentic. Neither the Police Cyber Investigation Department nor any other authority collects fines for copyright violations in this way. To further scare you into believing that this message and its demands are genuine, cyber criminals incorporate a video recording window. This deceptive and intimidating tactic is used in the latest versions of 'Reveton' ransomware infections. The screen locker also displays your location, IP address, and ISP. Whilst on first inspection this message might seem legitimate, it is in fact a scam. Do not pay this fine - you will send your money to cyber criminals. The screenshots below are captured from Reveton and Urausy ransomware infections. The removal guide provided will help remove both of these screen lockers.
Another variant of this ransomware virus, called Police Cybercrime (Canadian Security Intelligence Service CSIS) "The computer is locked by Internet Service Provider", originates from a family called Revoyem (DirtyDecrypt). At the time of writing, no known tools are available to decrypt the files encrypted by this ransomware virus.
Police Cybercrime Investigation Department ransomware originates from a family of ransomware called 'Reveton'; the previous versions targeting other countries were the FBI Federal Bureau of Investigation scam and Police Central e-crime Unit ransomware. Cyber criminals use your computer's IP address to determine your country and, in this way, display the screen locker in your language. Ignore the threatening message displayed by this ransomware and eliminate it from your computer.
Ukash (Smart Voucher Limited) is a legitimate company and is not related to ransomware viruses - cyber criminals use the name of this service to extort money from unsuspecting PC users.
A fake message displayed by the Police Cybercrime Investigation Department virus:
Police Cybercrime Investigation Department .
Attention! Your PC is blocked due to at least one of the reasons specified below:
You have been violating Copyright and Related Rights Laws (Video, Music, Software) and illegally using or distributing copyrighted content, thus infringing Article 128 of the Criminal Code of Canada. Article 128 of the Criminal Code provides for a fine of two to five hundred minimal wages or a deprivation of liberty for two to eight years. You have been viewing or distributing prohibited Pornographic content (Child Porno/Zoofilia and etc). Thus violating article 202 of the Criminal Code of Canada. Article 202 of the Criminal Code provides for a deprivation of liberty for four to twelve years. Illegal access to computer data has been initiated from your PC, or you have been...
Article 208 of the Criminal Code provides for a fine of up to CAD 100,000 and/or a deprivation of liberty for four to nine years.
Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating the law On Neglectful Use of a Personal Computer. Article 210 of the Criminal Code provides for a fine of CAD 2,000 to Cad 8,000. Spam distribution or other unlawful advertising has been effected from your PC as a profit-seeking activity or without knowledge, your PC may be infected by malware...
Police Cybercrime Investigation Department virus removal:
Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. While your computer is starting, press the F8 key on your keyboard repeatedly until you see the Windows Advanced Options menu, then select Safe Mode with Networking from the list.
Log in to the account infected with the Cybercrime Investigation Department scam. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all the entries detected.
After completing these steps, your computer should be clean. Reboot your computer in normal mode.
Alternative Cybercrime Investigation Department virus removal guide:
If this ransomware blocks your screen when you start your computer in Safe Mode with Networking, try starting your PC in Safe Mode with Command Prompt.
1. While your computer is starting, press the F8 key on your keyboard repeatedly until the Windows Advanced Options menu appears, then select Safe Mode with Command Prompt from the list and press ENTER.
2. In the opened command prompt, type explorer and press Enter. This command will open the explorer window. Do not close it and continue to the next step.
3. In the Command Prompt type regedit and press Enter. This will open the Registry Editor window.
4. In the Registry Editor window, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
5. In the right side of the window, locate "Shell" and right click on it. Click Modify. The default value in the Data column is Explorer.exe - if you see anything else displayed in this window, remove it and type Explorer.exe. Take a note of whatever else was displayed in the Data column: this is the path of the rogue executable. Use this information to navigate to the rogue executable and remove it.
6. Restart your computer, download and install legitimate anti-spyware software, and perform a full system scan to eliminate any remnants of Cybercrime Investigation Department ransomware.
If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode, making their removal more complicated. For this step, you need access to another computer. After removing Cybercrime Investigation Department ransomware from your PC, restart your computer and scan it with legitimate anti-spyware software to remove any possible remnants of this security infection.
Anti-spyware programs known to detect and remove Cybercrime Investigation Department virus:
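As an added example that is not part of the original guide, the PowerShell script below automates the check in step 5: it reads the Winlogon "Shell" value, flags any entry other than explorer.exe, reports whether the referenced file exists on disk, and optionally restores the default. It assumes an elevated PowerShell session on the affected machine (in Safe Mode with Command Prompt you can type powershell instead of regedit) and extends the check to the per-user HKCU Winlogon key, which the guide does not mention.

```powershell
# Added example (not from the original guide): inspect the Winlogon Shell value
# the guide tells you to check in step 5, and optionally reset it to the default.
# Assumes an elevated PowerShell session on the infected machine.
[CmdletBinding()]
param(
    [switch]$Restore   # when set, reset a non-default Shell value to explorer.exe
)

$expected = 'explorer.exe'
# HKLM is the key named in the guide; the HKCU copy is checked as well because a
# per-user Shell value, when present, overrides the machine-wide one.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

foreach ($key in $keys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) {
        Write-Output "$key : no Shell value (default $expected applies)"
        continue
    }
    # Winlogon accepts a comma-separated list; anything besides explorer.exe is suspect.
    $entries = $shell -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $rogue   = $entries | Where-Object { $_ -ine $expected }
    if (-not $rogue) {
        Write-Output "$key : Shell = '$shell' (OK)"
        continue
    }
    Write-Warning "$key : Shell = '$shell' -- non-default entry found"
    foreach ($entry in $rogue) {
        # Strip surrounding quotes and any trailing arguments so the bare path can be
        # checked on disk (heuristic: an unquoted path containing spaces is truncated).
        $path   = ($entry -replace '^"([^"]+)".*$', '$1') -replace '\s+.*$', ''
        $exists = Test-Path -LiteralPath $path
        Write-Warning ("    rogue entry: {0}  (file present on disk: {1})" -f $entry, $exists)
    }
    if ($Restore) {
        # Only the registry value is reset; the rogue file is left for you to locate and remove.
        Set-ItemProperty -Path $key -Name Shell -Value $expected
        Write-Output "$key : Shell reset to '$expected'"
    }
}
```

Run it once without -Restore to record the rogue path, remove that file as in step 5, then run it with -Restore before rebooting.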