The Palestinian Civil Police Force Virus - How to remove

The Palestinian Civil Police Force virus is a ransomware that was designed to attack Arabian world aiming at unsuspecting computer users from Palestine. The ransomware belongs to Urausy family and besides some unique details in design and language of the text in the warning message does not differ much from other Trojans of this type. The bogus notification includes infected computer’s IP address and location information as well as warning informing about breaching the laws related to illegal usage and distribution of copyrighted material, viewing of pornographic files, and sending Spam. It demands a fine of 100$ (100 Euro or 500 NIS) to be paid using CashU prepaid payment system. To make the warning look even scarier a computer’s webcam is turned on and the surroundings are filmed. The message next to the webcam window informs that all the video information will be sent to a remote server and used for criminal’s identification.

The Palestinian Civil Police Force virus is distributed by employing malicious websites. Even legitimate web pages are not always safe as these might get compromised with viruses therefore you may still get infected while browsing one of them. Please note, if the website administrator has not removed such an infection you may get blocked more than once by going to the corrupted website again. For the source of infection to remain undetected Urausy family viruses like the Palestinian Civil Police Force virus are programmed to block an infected computer some time after the visiting of a corrupted website. Another method of infection distribution is social engineering when a non suspecting computer user installs Trojan herself thinking she downloads an update or a useful application. Although not that often but spam e-mails with attachments or malicious links as well as peer-to-peer file sharing websites are also used for virus distribution.

The only way of getting rid of the blocking is by removing the virus. Please note that paying the fine is not a solution. If you have more than one user’s account and at least one of them is not locked, you should login to it and scan your system with a legitimate program, for example Spyhunter. The virus will be removed and other users’ accounts unblocked.

Another way to unblock your computer is using System Restore:

• Press and hold F8 while it is restarting in order to select safe mode with a Command prompt.
• At the command prompt, type cd restore, and then press enter.
• Type rstrui.exe and press enter (for Windows Vista, 7 and 8, you should type : C:\windows\system32\rstrui.exe; for Windows XP – C:\windows\system32\restore\rstrui.exe).
• When the System Restore starts, select a restore point previous to this infection. Do not forget to scan your computer with Spyhunter for the malicious files to be removed.

If none of the above worked for you, you may need to follow these steps:

• Restart your computer. Press F8 while it is restarting.
• Choose safe mode or safe mode with networking.
• Launch MSConfig.
• Disable startup items rundll32 turning on any application from Application Data. Please note, that other locations can be also used.
• Restart the system once again.
• Scan with https://www.2-viruses.com/downloads/spyhunter-i.exe. It should detect and delete the Palestinian Civil Police Force virus. Watch a video guide of a similar virus illustrating the steps above:

If this fails, try Safe mode with Command Prompt:

• Restart your computer choosing Safe Mode with Command Prompt.
• Run Regedit.
• Search for WinLogon Entries. Write down all files it references that are not explorer.exe or blank. Replace them with explorer.exe.
• Search registry for the Palestinian Civil Police Force virus files and delete the registry keys referencing the files.
• Try to reboot and scan with Spyhunter.
• Here’s a video guide that illustrates the removal of a similar virus:

Automatic Malware removal tools

Manual removal