
How to Remove Royal Canadian Mounted Police Virus? (Ransomware Removal Guide)

 

Has your computer desktop been taken over by a notification from the Royal Canadian Mounted Police International Cyber Security Protection Alliance (ICSPA)? It says your computer is blocked due to a violation of the Copyright and Related Rights Law, etc. You are freaked out, wondering whether this is true and whether you should pay the alleged fine. Actually, it is just a computer virus. This article will guide you through removing it. Read on.

 

What Is Royal Canadian Mounted Police Ukash Virus?

 

The Royal Canadian Mounted Police Ukash virus, or ICSPA virus, is categorized as ransomware and belongs to the Urausy malware family. Once this virus gets on your computer, you will see a full-screen bogus notification purporting to be from the Royal Canadian Mounted Police. It claims your computer has been blocked due to illicit activities such as using or distributing copyrighted content, or viewing or distributing prohibited pornographic content, and that you need to pay a fine of CAD $100, 150 or 300 through the prepaid payment system Ukash to unlock your PC. This notification is a fake alert and has nothing to do with the Royal Canadian Mounted Police. Even if you have committed the illicit activities mentioned in the fake notification, you should not pay the ransom, because no government organization would work in such a way.


Part of the message displayed in this notification:

ATTENTION! Your PC is blocked due to at least one of the reasons specified below

You have been violating “Copyright and Related Rights Law” (Video, Music, Software) and illegally using or distributing copyrighted content, this infringing Article 128 or the Criminal Code of Canada.

Article 128 of the Criminal Code provides for a fine of 200 to 500 minimal wages or a deprivation of liberty for 2 to 8 years.

 

The Royal Canadian Mounted Police Ukash virus locks up your Windows operating system and all applications, so you can't run any antivirus or antimalware programs to remove it. It displays the fake notification within a few seconds whenever you log on to Windows, whether in normal mode or in Safe Mode with Networking.

Furthermore, the Royal Canadian Mounted Police Ukash virus manages to access your installed webcam, so what is happening in your room is recorded and shown on the bogus notification. This has freaked many users out and tricked them into paying the non-existent fine.

The Royal Canadian Mounted Police Ukash virus message is a scam. You should never pay the fine it requests, because even if you pay the money, your computer will not be unlocked.

Other Prevailing Ransomware Infections:

• U.S. Department of Homeland Security Ransomware
• REloadit Virus
• Police Central e-crime Unit Virus
• FBI Cybercrime Division Virus
• Your Computer Has Been Locked Ransomware
• ICE Cyber Crimes Center Moneypak Virus
• Australian Federal Police (AFP) Ukash Virus
• Cheshire Police Authority PCeU Virus
• FBI MoneyPak Virus
• FBI “System Failure” Virus

 

How Does Royal Canadian Mounted Police Ukash Virus Infect a Computer?

 

The Royal Canadian Mounted Police Ukash virus gets on your computer when you visit malicious or compromised websites that may drop this Trojan onto your computer, or when you install free software. Sometimes it disguises itself as useful software. Spam email is also a way to distribute this kind of virus, so be cautious when you get email from an unknown address, and do not open the attachments or links contained in such emails.

 

How to Remove Royal Canadian Mounted Police Ukash Virus?

 

                                                                                                                         

Deny Flash

Some variants of ransomware exploit Java or Flash vulnerabilities to load the malicious code. The symptoms of the infection may be suspended by denying Flash, after which you can navigate through the infected system. If this step is not necessary for the removal, skip to the next step.

To deny/disable flash:
Visit http://www.macromedia.com/support/documentation/en/flashplayer/help/help09.html → select the Deny radio option

                                                                                                                         

Outline of the Removal Guide

 

Option 1 Restore the Operating System Through Safe Mode with Command Prompt

Step 1 Boot your computer to Safe Mode with Command Prompt
Step 2 Restore your computer to a restore point
Step 3 Scan and remove malicious files with Anvi Smart Defender

Option 2 Use Anvi Rescue Disk to Remove Royal Canadian Mounted Police Ukash Virus

Step 1 Use a clean computer to download Anvi Rescue Disk files
Step 2 Record Anvi Rescue Disk iso image to USB drive
Step 3 Configure your computer to boot from USB drive/CD/DVD
Step 4 Boot your computer from Anvi Rescue Disk
Step 5 Scan and remove malicious files and repair registry errors
Step 6 Scan and remove persistent residual files with Anvi Smart Defender

                                                                          


 

Option 1 Restore the Operating System Through Safe Mode with Command Prompt

 

System Restore will bring your computer's operating system back to a point before you were infected by the Royal Canadian Mounted Police Ukash virus.

 

Step 1 Boot your computer to Safe Mode with Command Prompt

1. Turn off your computer and then back on.

 

2. During startup, tap the F8 key repeatedly until you are brought to the Windows Advanced Options Menu.

 

3. Use the arrow keys to highlight Safe Mode with Command Prompt and then press Enter.


 

Step 2 Restore your computer to a restore point

 

1. Once the Command Prompt window appears, quickly type “explorer” and hit Enter.

If you fail to do so within a few seconds, the ransomware will not allow you to type any more. In that case, restart the computer into Safe Mode with Command Prompt and repeat the process.


 

2. Next, type rstrui and press Enter to launch System Restore.


 

Or, close the Command Prompt window, then locate the file rstrui.exe and press Enter to launch System Restore.

The location of the file:

Windows XP: C:\windows\system32\restore\rstrui.exe

Windows 7/Vista: C:\windows\system32\rstrui.exe


 

3. Follow all the steps to restore your computer system to an earlier time and date (restore point) before the infection.

Please note that some professionally crafted ransomware variants will delete all your system backups, so you can't run System Restore. If that is the case, follow Option 2 to get rid of this nasty computer virus.

 

Step 3 Scan and remove malicious files with Anvi Smart Defender

 

After restoring the Windows operating system, you need to run a system scan to make sure that there is no malware or malicious files on your computer and to prevent the Royal Canadian Mounted Police Ukash virus from reanimating.

 

1. Run a computer scan with Anvi Smart Defender and remove the infected files.

Anvi Smart Defender direct download link: http://www.dotfab.com/download_asd.html

Download and install Anvi Smart Defender → run Anvi Smart Defender → switch to Scan tab → run a Full Scan


 

2. Boot your computer into normal mode and run a system scan again to make sure all the infected files were removed.
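
After the restore and the scans, one way to confirm that nothing still relaunches at logon is to audit the usual Windows autostart registry locations. The following is an added PowerShell example, not part of the original guide or of any Anvi tool; it assumes PowerShell is available (it ships with Windows 7 and later) and that the locker uses standard logon autostart locations, which the guide does not specify.

```powershell
# Added example, not from the original guide. Read-only: changes nothing.
# Assumption: the locker relaunches through standard logon autostart
# locations; the guide does not name the values this variant alters.
function New-Finding($Location, $Value, $Suspect) {
    New-Object PSObject -Property @{
        Location = $Location; Value = [string]$Value; Suspect = [bool]$Suspect
    }
}

$findings = @()
$wlSub = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Machine-wide Winlogon values and their stock Windows defaults.
$defaults = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}
$wl = Get-ItemProperty -Path "HKLM:\$wlSub"
foreach ($name in $defaults.Keys) {
    $actual = ([string]$wl.$name).Trim()
    $findings += New-Finding "HKLM Winlogon\$name" $actual ($actual -ine $defaults[$name])
}

# A per-user Shell override does not exist on a default install.
$userWl = Get-ItemProperty -Path "HKCU:\$wlSub" -ErrorAction SilentlyContinue
if ($userWl -and $userWl.Shell) {
    $findings += New-Finding 'HKCU Winlogon\Shell' $userWl.Shell $true
}

# Run keys: list every entry; flag launches from user-writable folders
# (a heuristic, so review flagged entries rather than deleting blindly).
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$writable = '\\(AppData|Application Data|Temp|ProgramData)\\'
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $findings += New-Finding "$hive Run\$($p.Name)" $p.Value ($p.Value -match $writable)
    }
}

$findings | Sort-Object Suspect -Descending |
    Select-Object Suspect, Location, Value | Format-Table -AutoSize -Wrap
```

Rows with Suspect set to True are candidates for a closer look with your antimalware scanner; a clean system shows the two Winlogon defaults unflagged.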


 

Option 2 Use Anvi Rescue Disk to Remove Royal Canadian Mounted Police Ukash Virus

 

If your computer is blocked from everything, including the running of Safe Mode with Command Prompt, and all the restore points are deleted, then you need to go through Option 2.

You can follow the instructions in the following video to get rid of the Royal Canadian Mounted Police Ukash virus by using Anvi Rescue Disk.

 

Or, you can follow the step-by-step instructions below.

 

Step 1 Use a clean computer to download Anvi Rescue Disk files

Download the Anvi Rescue Disk iso image file Rescue.iso and the USB disk production tool BootUsb.exe from Anvisoft official site.

Direct download link: http://www.anvisoft.com/software/rsd/

Please kindly note that Rescue.iso is a large file download; please be patient while it downloads.

 

Step 2 Record Anvi Rescue Disk iso image to USB drive

You can also record the iso image to a CD/DVD. The steps for recording the iso image to a CD/DVD are covered later in this guide.

1. Connect USB to the computer.

You should back up your important data and format your USB drive before using it to record the iso image.

2. Locate your download folder and double-click BootUsb.exe to start it. Then click the “Choose File” button, browse to your download folder and select the Rescue.iso file as your source file.


3. Select the path of USB drive, such as Drive H:

4. Click “Start Burning” to start burning the USB Rescue Disk boot drive.

5. Close BootUsb.exe tool when you get the following message.

congratulations

Now you have a bootable Anvi Rescue Disk to repair your infected computer.

 

Alternative Option-Record the iso Image to a CD/DVD

Any CD/DVD recording software is fine for burning the iso image. If you don't have one, you can download and install Nero Burning ROM or ImgBurn. Here we will use Nero Burning ROM for demonstration purposes.

1. Open and start Nero Burning ROM and select Burn Image from the drop-down menu of the Recorder.


2. Locate your download folder and select Rescue.iso file as your source file and then click Open button.

3. Click the Burn button to start recording the iso image.

After a few minutes, you will have a bootable Anvi Rescue Disk to repair your computer.

 

Step 3 Configure your computer to boot from USB drive/CD/DVD

Restart your infected computer and configure it to boot from the USB drive/CD/DVD on which you recorded Anvi Rescue Disk. Basically, you can use F8 to load the USB boot menu.

Depending on the motherboard, you may need to use the Delete, F2 or F11 key to load the BIOS menu. Normally, the information on how to enter the BIOS menu is displayed on the screen at the start of the boot process.


The keys F1, F8, F10, F12 might be used for some motherboards, as well as the following key combinations:

• Ctrl+Esc
• Ctrl+Ins
• Ctrl+Alt
• Ctrl+Alt+Esc
• Ctrl+Alt+Enter
• Ctrl+Alt+Del
• Ctrl+Alt+Ins
• Ctrl+Alt+S

 

Step 4 Boot your computer from Anvi Rescue Disk

 

1. Restart your computer and press any key to load Anvi Rescue Disk.

2. After you enter the Anvisoft Rescue Disk menu, select your preferred language and press Enter to continue.


 

Step 5 Scan and remove malicious files and repair registry errors

1. Now that you are in the mini operating system, double-click the Rescue tool to start Anvi Rescue Disk.


 

2. Make sure that your computer is connected to the network before you run a scan. For a tutorial, see Network Troubleshooting Tips for Ransomware Removal using Anvi Rescue Disk.


 

3. Run a full scan by clicking the “Scan Computer” button in the middle of the program to detect and kill the PC lockup virus.


 

4. Click “Fix Now” to remove the threats detected by Anvi Rescue Disk.


 

5. Switch to the Repair tab. Scan and fix registry errors with the “Repair” module of Anvi Rescue Disk.

Important Note: You must repair the registry errors after killing the virus. You will probably be unable to boot Windows without fixing the registry damaged by the virus.

 

Step 6 Scan and remove persistent residual files with Anvi Smart Defender

Some ransomware variants are incredibly persistent, so you are highly recommended to download the antimalware program Anvi Smart Defender and remove all the detected threats as prompted.


After the download, restart your computer into normal Windows mode and then go to the folder C:\Users\[username]\Downloads.

Double-click the asdsetup.exe file to install Anvi Smart Defender, then perform a Full Scan.

Or you can download it from this direct download link: http://www.dotfab.com/download_asd.html when you boot your computer to normal Windows mode.

Now your computer should be free from the infection of Royal Canadian Mounted Police Ukash virus.

 

Malware prevention tips                                                                                  

Malware usually exploits vulnerabilities in your computer system to infect your computer. You should update your system in a timely manner and patch system vulnerabilities when prompted.

Apart from that, you can keep the antimalware program Anvi Smart Defender as additional protection for your computer. The Guard function puts your computer under real-time protection, but you need to buy the pro version to get Full Guard. It will keep you away from malware and malicious websites.

Click Anvi Smart Defender to buy its pro version.