CIBS Pol Virus is ransomware that belongs to the Urusay family and is known to block an infected computer's screen. Once this ransomware has attacked the system, the computer does not respond to almost any commands. Trojans of the Urusay family are programmed to infect computers with versions made for the country where a PC is located. CIBS Pol Virus targets only computers that are in Switzerland.
After the ransomware infiltrates the system, it starts working several minutes later. In this way cyber criminals mask the original source of the infection, which is very often a corrupted website. Once the screen is locked, you will see a message that is supposed to be from local police authorities – CIBS Pol. Bundesamt fur Polizei:
ACHTUNG! Ihr Computer ist aus einem oder mehreren der unten aufgeführten Gründe gesperrt.
Sie haben gegen das Gesetz über «Urheberrecht und verwandte Schutzerchte» (Video, Musik, Software) verstoßen und unrechtmäßig urheberrechtliche Inhalte genutzt, bzw. Verbreitet und somit gegen Art. 128 des Schweizerischen Strafgesetzbuches verstoßen.
The message displayed looks very professional. It has a police logo, cites extracts from laws and even includes a short message at the top of the window with your antivirus logo. CIBS Pol. Virus can identify which antivirus is being used by an infected computer and show its logo in the blocking message. If no antivirus is installed, it displays the Windows logo. No wonder that victims of this scam fall for it and pay a fine of 100EUR. Scammers use prepaid payment systems like Ukash and PaySafeCard for collecting money, which makes it almost impossible to trace them afterwards.
If you have your computer blocked by CIBS Pol. Virus, do not pay the fine. Even though the message promises that your PC will be unlocked, this is not true. To fix it and remove CIBS Pol. Virus completely, follow one of the guides below (depending on the version of the Trojan that infected your computer):
METHOD 1 (if CIBS Pol. Virus does not block Safe Mode with Networking):
- Restart your computer and press F8 while it is restarting, then select Safe Mode with Networking (if CIBS Pol. Virus does not block it);
- Launch MSConfig;
- Disable startup items in which rundll32 launches any application from Application Data;
- Restart your computer one more time;
- Scan the system with https://www.2-viruses.com/downloads/spyhunter-i.exe. It will detect CIBS Pol. Virus and remove it.
METHOD 2 (if CIBS Pol. Virus blocks Safe Mode)
- If CIBS Pol. Virus does not block it, restart the computer and choose Safe Mode with Command Prompt.
- Run regedit. Look for Winlogon.
- There will be a key labeled Shell under Winlogon. It should refer to Explorer.exe or be blank. If there is something else referring to an executable in one of the user's folders, replace it with explorer.exe.
- Save the change and restart again, but this time into Safe Mode with Networking.
- Run msconfig and disable all unnecessary startup entries. You should be able to restart normally.
- Install and run https://www.2-viruses.com/downloads/spyhunter-i.exe. Scan the system and remove CIBS Pol. Virus executables.
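The checks from Methods 1 and 2, written as a read-only PowerShell audit. This is an added example, not part of the original guide. The registry paths are the standard Windows locations for Winlogon and the Run keys, which the guide does not spell out (an assumption), and the script covers registry startup entries only, not Startup-folder shortcuts.

```powershell
# Added example: report-only audit of the persistence points from Methods 1 and 2.
# Nothing is modified; review each finding before changing it in regedit or msconfig.
# Registry paths are the standard Windows locations (assumption; the guide names only "Winlogon").
$findings = @()

# Method 2: the Winlogon "Shell" value should be explorer.exe or blank.
$winlogonKeys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($key in $winlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {   # -ne is case-insensitive
        $findings += New-Object PSObject -Property @{
            Check = 'Winlogon Shell'; Key = $key; Name = 'Shell'; Command = $shell
        }
    }
}

# Method 1: startup items where rundll32 launches something from Application Data.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        # GetValue expands environment variables such as %APPDATA% in REG_EXPAND_SZ data.
        $cmd = [string]$item.GetValue($name)
        $usesRundll = $cmd -match 'rundll32'
        # "Application Data" on Windows XP, "AppData" on Vista and later.
        $fromAppData = $cmd -match '\\(Application Data|AppData)\\'
        if ($usesRundll -and $fromAppData) {
            $findings += New-Object PSObject -Property @{
                Check = 'Run entry'; Key = $key; Name = $name; Command = $cmd
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No suspicious Winlogon Shell value or rundll32 startup entry found.'
} else {
    $findings | Select-Object Check, Key, Name, Command | Format-List
}
```

The `HKCU:` paths reflect the account the script runs under, so run it while logged in as the affected user.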
METHOD 3 (when all of Safe Modes are blocked by CIBS Pol. Virus)
Some versions of CIBS Pol. Virus might block all of the safe modes. In that case you will need an uninfected computer. Download an anti-malware program and save it to a bootable antivirus CD/USB disk. Insert it into the infected computer. The antivirus should start working automatically and remove the blocking.