Police Cybercrime Investigation Departament virus removal guide
If you see a message from the Cyber Investigation Departament saying that you need to pay a fine of 100 Cad, you can be sure that your PC is infected with ransomware from the "Reveton" family. This is a scam created by cyber criminals to scare you into believing that you have violated some laws and to trick you into paying a nonexistent fine. This particular screen locker targets Canadian computer users; other variants of this scam target computer users in the USA, UK, Germany, etc.
Like its previous versions, this screen locker exploits the name of an authority to make the message appear more legitimate. Note that neither the Police Cyber Investigation Departament nor any other authority collects fines for copyright violations in this way. To further scare you into thinking that the message about a fine is real, the cyber criminals have incorporated a video recording window. This deceptive technique has been used in the latest versions of the "Reveton" ransomware infections. This screen locker also displays your location, IP address, and ISP. While at first sight this message may seem legitimate, in reality it is a scam. You shouldn't pay this fine: you would be sending your money to cyber criminals. The screenshots below are taken from Reveton and Urausy ransomware infections; note that the provided removal guide will help remove either of these screen lockers.
Another variant of this ransomware virus - Police Cybercrime (Canadian Security Intelligence Service CSIS) "The computer is locked by Internet Service Provider" - originates from a family called Revoyem (DirtyDecrypt). Note that at the time of writing this article, no known tools are available to decrypt the files encrypted by this ransomware virus.
Police Cybercrime Investigation Departament originates from a family of ransomware called "Reveton"; previous versions targeting other countries were The FBI Federal Bureau of Investigation scam and Police Central e-crime Unit ransomware. Note that cyber criminals can determine your country from your computer's IP address, so the screen locker loaded on the infected machine will be shown in your language. You should ignore the threatening message presented by this ransomware and eliminate it from your computer.
Ukash (Smart Voucher Limited) is a legitimate company and is not related to ransomware viruses - cyber criminals are using this service to extort money from unsuspecting PC users.
Fake message shown in Police Cybercrime Investigation Departament virus:
Cybercrime Investigation Departament
Attention! Your PC is blocked due to at least one of the reasons specified below.
You have been violating Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyrighted content, thus
infringing Article 128 of the Criminal Code of Canada. Article 128 of the Criminal Code provides for a fine of two to five hundred minimal wages or a deprivation of liberty for two to eight years. You have been viewing or distributing prohibited Pornographic content (Child Porno/Zoofilia and etc). Thus violating article 202 of the Criminal Code of Canada. Article 202 of the Criminal Code provides for a deprivation of liberty for four to twelve years. Illegal access to computer data has been initiated from your PC, or you have been...
Article 208 of the Criminal Code provides for a fine of up to Cad 100,000 and/or a deprivation of liberty for four to nine years.
Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating
the law On Neglectful Use of Personal Computer. Article 210 of the Criminal Code provides for a fine of Cad 2,000 to Cad 8,000. Spam distribution or other unlawful advertising has been effected from your PC as a profit-seeking activity or without knowledge, your PC may be
infected by malware...
Police Cybercrime Investigation Departament virus removal:
Start your computer in safe mode. Click Start, then click Shut down. Select Restart and click OK. While your computer is starting, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu shows up, then select Safe mode with networking from the list and press ENTER.
Log in to the account that is infected with Cybercrime Investigation Departament scam. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all the entries that it detects.
After completing these steps, your computer should be clean. Reboot your computer in normal mode.
Alternative Cybercrime Investigation Departament virus removal guide:
If this ransomware blocks your screen when you start your computer in safe mode with networking, try starting your PC in safe mode with command prompt.
1. While your computer is starting, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu shows up, then select Safe mode with command prompt from the list and press ENTER.
2. In the opened command prompt, type explorer and press Enter. This command will open an Explorer window. Don't close it; continue to the next step.
3. In the command prompt type regedit and press Enter. This will open the registry editor window.
4. In the registry editor window you should navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
5. In the right side of the window, locate "Shell" and right-click on it. Click on Modify. The default value data is Explorer.exe. If you see something else written in this window, remove it and type in Explorer.exe. You can write down whatever else was written in the value data section: this is the path of the rogue executable file. Use this information to navigate to the rogue executable and remove it.
6. Restart your computer, download and install legitimate anti-spyware software, and perform a full system scan to eliminate any remaining remnants of Cybercrime Investigation Departament ransomware.
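The check in steps 4 and 5 can also be scripted. The PowerShell below is an added example, not part of the original guide: it reads the Winlogon "Shell" value, records anything other than the default, and restores Explorer.exe only when run with -Fix. The -Fix switch, the log file name and the extra check of the per-user (HKCU) Winlogon key are assumptions of this example.

```powershell
# Added example: audit the Winlogon "Shell" value from steps 4 and 5.
# Run elevated; report-only unless -Fix is given (switch name is this example's own).
param([switch]$Fix)

$default = 'explorer.exe'
$log     = Join-Path $env:USERPROFILE 'winlogon-shell-audit.txt'   # hypothetical log name
$keys    = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',  # key named in step 4
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user key (added assumption)
)

foreach ($key in $keys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) { Write-Output "$key : no Shell value"; continue }
    if ($shell.Trim() -ieq $default) { Write-Output "$key : Shell is the default"; continue }

    Write-Warning "$key : Shell = '$shell'"
    # Step 5: write down the old value before changing it.
    Add-Content -Path $log -Value "$(Get-Date -Format s) $key Shell=$shell"

    # The value can hold several comma-separated programs; list each non-default one.
    foreach ($entry in $shell.Split(',')) {
        $path = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if ($path -eq '' -or $path -ieq $default) { continue }
        if (Test-Path -LiteralPath $path) {
            $f = Get-Item -LiteralPath $path -Force      # -Force: file may be hidden
            Write-Output ("  file: {0}  created {1:s}  {2} bytes" -f $f.FullName, $f.CreationTime, $f.Length)
        } else {
            Write-Output "  not found as a plain path (may carry arguments): $path"
        }
    }

    if ($Fix) {
        if ($key -like 'HKLM:*') {
            Set-ItemProperty -Path $key -Name Shell -Value $default   # restore the default
        } else {
            Remove-ItemProperty -Path $key -Name Shell   # no per-user Shell exists by default
        }
        Write-Output "  restored; delete the recorded file(s) after reviewing $log"
    }
}
```

In Safe Mode with Command Prompt, type powershell first, then run the script; the recorded path is the file to remove as described in step 5.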
If you can't start your computer in safe mode with networking (or with command prompt), you should boot your computer using a rescue disk. Some variants of ransomware disable safe mode, making their removal more complicated. For this step you will need access to another computer. After removing the Cybercrime Investigation Departament scam from your PC, restart your computer and scan it with legitimate anti-spyware software to remove any remaining remnants of this infection.
Anti-spyware programs known to detect and remove Cybercrime Investigation Departament virus: