How to remove FBI virus (Ransomware Removal Guide)

In 2012 we discovered ransomware that was imitating the FBI in hopes of extorting money from unsuspecting victims. We coined the term FBI virus based on our findings and were the first and only website to publish information about this computer virus. Nowadays, ransomware in the United States has evolved considerably. Some ransomware still pretends to be the FBI, but that threat is becoming obsolete as people are no longer tricked into believing it.

FBI Virus

The FBI virus is still around but a lot has changed. Ransomware has moved away from only restricting access to a victim’s computer to encrypting, deleting, or storing files in a password locked archive. This allows the malware authors to hold files on the computer for ransom instead of the entire machine by promising victims a way to decrypt, decode, or recover encrypted, password-locked, or deleted files.

The term FBI virus can be used to describe many variants of ransomware that use an FBI logo or claim to be the FBI. The FBI virus is essentially a computer virus (ransomware) that locks access to a computer system, displays a message that claims to be from the FBI stating that the computer was involved in prohibited activities, and demands a payment in order to unlock the computer and avoid penalties or jail-time from the FBI. The FBI virus can also refer to ransomware that encrypts files on a computer, changes the filenames, adds a new file extension, and ultimately holds the files ransom for a hefty fee.

If your computer has been locked or encrypted by a source that claims to be the FBI then you are infected with the FBI virus. However, do not be alarmed because the FBI did not actually lock your computer or corrupt the files on your computer. You are not in trouble with the FBI if this happens to you. This is a computer virus that is in no way, shape, or form associated with the FBI or any legitimate government agency.

If your computer is infected with the FBI virus it may become locked and a full-screen window may appear that claims to contain a message from the FBI. The fake FBI message usually claims that the computer was used illegally and in order to avoid jail-time or other consequences the computer owner must pay a fine via Greendot MoneyPak cards, UKash Vouchers, REloadit, Ultimate Gaming Cards, Bitcoins, PayPal, or other online payment or credit sources.

It is not recommended to pay ransomware authors to decrypt your files. This will only support their activities. Instead you can use programs like Shadow Explorer or Recuva to try and restore corrupted files if you were not able to decrypt your files for free.

Aliases: FBI virus, FBI ransomware, FBI MoneyPak virus

FBI Virus Removal Guide

1. Download and Install Malwarebytes Anti-Malware software to detect and remove malicious files from your computer.

2. Open Malwarebytes and click the Scan Now button – or go to the Scan tab and click the Start Scan button.

3. Once the Malwarebytes scan is complete click the Remove Selected button.

4. To finish the Malwarebytes scan and remove detected threats click the Finish button and restart your computer if prompted to do so.

5. Download and Install HitmanPro by Surfright to perform a second-opinion scan.

6. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may choose to create a copy or perform a one-time scan.

7. Once the HitmanPro scan is complete click the Next button.

8. To activate the free version of HitmanPro: enter your email address twice and click the Activate button.

9. Click the Reboot button.

10. Download and Install CCleaner by Piriform to clean up junk files, repair your registry, and manage settings that may have been changed.

11. Open CCleaner and go to the main Cleaner screen. Click the Analyze button. When the process is complete, click the Run Cleaner button on the bottom right of the program interface.

12. Go to Tools > Startup and search for suspicious entries in each tab starting from Windows all the way to Context Menu. If you find anything suspicious click it and click the Delete button to remove it.

13. Go to the Registry window and click the Scan for Issues button. When the scan is complete click the Fix selected issues… button and click Fix All Selected Issues.


This troubleshooting guide to remove FBI ransomware contains different options to remove this infection.

Manual FBI virus removal

1. Open Windows Start Menu, type %appdata% into the search field, and press Enter.
2. Go to: Microsoft\Windows\Start Menu\Programs\Startup
3. Remove ctfmon (ctfmon.lnk if in DOS). This is what’s calling the virus on startup. This is not ctfmon.exe.

4. Open Windows Start Menu, type %userprofile% into the search field, and press enter.
5. Go to: Appdata\Local\Temp

6. Remove rool0_pk.exe, [random].mof, and V.class


The virus files may have names other than “rool0_pk.exe” but file names should appear similar with the same style of markup. There may also be 2 files, 1 being a .mof file. Removing the .exe file will fix FBI Moneypak. The class file uses a Java vulnerability to install the virus and removal of V.class is done for safe measure.
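
The two folders from steps 1 to 6 can be inspected before anything is deleted. The script below is an added example, not part of the original guide: it only reads and reports. It assumes PowerShell 3.0 or later; the function names and the "Review" heuristic are hypothetical choices made for this illustration.

```powershell
# Added example (not from the original guide): read-only triage of the two
# folders named in the manual removal steps. Nothing is deleted or modified.
# Function names and the Review heuristic are assumptions for illustration.

function Get-StartupShortcutReport {
    param(
        [string]$Folder = (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup')
    )
    if (-not (Test-Path -LiteralPath $Folder)) { return }

    $shell = New-Object -ComObject WScript.Shell
    $sys32 = Join-Path $env:SystemRoot 'System32'

    Get-ChildItem -LiteralPath $Folder -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # CreateShortcut on an existing .lnk loads it so its target can be read.
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = $lnk.TargetPath

            # Heuristic: a shortcut that borrows the ctfmon name but does not
            # point at System32\ctfmon.exe, or any shortcut whose target sits
            # in a Temp or AppData folder, deserves a closer look.
            $fakeCtfmon   = ($_.BaseName -like 'ctfmon*') -and
                            ($target -ne (Join-Path $sys32 'ctfmon.exe'))
            $userWritable = $target -match '\\(Temp|AppData|Application Data)\\'

            [pscustomobject]@{
                Shortcut  = $_.Name
                Target    = $target
                Arguments = $lnk.Arguments
                Created   = $_.CreationTime
                Review    = ($fakeCtfmon -or $userWritable)
            }
        }
}

function Get-TempDropperReport {
    param(
        [string]$Folder = (Join-Path $env:USERPROFILE 'AppData\Local\Temp')
    )
    if (-not (Test-Path -LiteralPath $Folder)) { return }

    # The guide names three file types in Temp: .exe, .mof and .class.
    Get-ChildItem -LiteralPath $Folder -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -in '.exe', '.mof', '.class' } |
        ForEach-Object {
            # Signature status is only meaningful for executables.
            $sig = if ($_.Extension -eq '.exe') {
                (Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Status
            } else {
                'n/a'
            }

            [pscustomobject]@{
                File      = $_.Name
                SizeBytes = $_.Length
                Created   = $_.CreationTime
                Signature = $sig
            }
        }
}

Get-StartupShortcutReport | Format-Table -AutoSize -Wrap
Get-TempDropperReport | Sort-Object Created -Descending | Format-Table -AutoSize -Wrap
```

Installers and updaters also leave legitimate files in Temp, so compare the Created timestamps with the time the lock screen first appeared before removing anything.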

FBI Moneypak Files:

The files listed below are a collection of what causes FBI Moneypak to function. To ensure FBI Moneypak is completely removed manually, delete all given files if located. Keep in mind, [random] can be any sequence of numbers or letters and some files may not be found in your infection.

%Program Files%\FBI Moneypak Virus
%Documents and Settings%\[UserName]\Application Data\[random].exe
%Documents and Settings%\[UserName]\Desktop\[random].lnk
%Documents and Settings%\All Users\Application Data\FBI Moneypak Virus
%CommonStartMenu%\Programs\FBI Moneypak Virus.lnk
%UserProfile%\Desktop\FBI Moneypak Virus.lnk

End FBI Moneypak Processes:

Access Windows Task Manager (Ctrl+Alt+Delete) and kill the rogue FBI Moneypak process. Please note the infection will have a random name for the process [random] which may contain a sequence of numbers and letters (e.g., USYHEY347H372.exe).


Remove Registry Values:

To access the Windows Registry Editor, type regedit into the Windows Start Menu text field and press Enter.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegistryTools’ = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system ‘EnableLUA’ = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ‘WarnOnHTTPSToHTTPRedirect’ = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegedit’ = 0
HKEY_CURRENT_USER\Software\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ‘Inspector’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableTaskMgr’ = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
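
The registry locations listed above can be read in one pass before opening regedit. The script below is an added example, not part of the original guide: it reports what is present and changes nothing. It assumes PowerShell 3.0 or later; the function name and the Run-key heuristic are hypothetical.

```powershell
# Added example (not from the original guide): read-only registry triage.
# It reports values and keys from the list above and modifies nothing.
# The function name and the Run-key heuristic are assumptions.

function Get-RegistryIndicatorReport {
    $hkcuPol  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $hklmPol  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'
    $inetSet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $settings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Settings'

    # Named values from the guide. Some of these (EnableLUA, the ConsentPrompt
    # values) also exist on a clean system, so the Data column is what matters.
    $named = @(
        @{ Key = $hkcuPol;  Name = 'DisableRegistryTools' }
        @{ Key = $hkcuPol;  Name = 'DisableRegedit' }
        @{ Key = $hkcuPol;  Name = 'DisableTaskMgr' }
        @{ Key = $hklmPol;  Name = 'EnableLUA' }
        @{ Key = $hklmPol;  Name = 'ConsentPromptBehaviorAdmin' }
        @{ Key = $hklmPol;  Name = 'ConsentPromptBehaviorUser' }
        @{ Key = $inetSet;  Name = 'WarnOnHTTPSToHTTPRedirect' }
        @{ Key = $settings; Name = 'ID' }
        @{ Key = $settings; Name = 'UID' }
        @{ Key = $settings; Name = 'net' }
    )
    foreach ($n in $named) {
        $key = Get-Item -LiteralPath $n.Key -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }
        $data = $key.GetValue($n.Name)          # $null when the value is absent
        if ($null -ne $data) {
            [pscustomobject]@{ Check = 'Named value'; Key = $n.Key; Name = $n.Name; Data = $data }
        }
    }

    # Whole keys the guide lists for removal.
    $wholeKeys = 'HKCU:\Software\FBI Moneypak Virus',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak Virus'
    foreach ($k in $wholeKeys) {
        if (Test-Path -LiteralPath $k) {
            [pscustomobject]@{ Check = 'Key present'; Key = $k; Name = ''; Data = '' }
        }
    }

    # Run key: the guide names an 'Inspector' value pointing into %AppData%.
    # Legitimate software also autostarts from AppData, so treat this as a
    # list to review, not a verdict.
    $runPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-Item -LiteralPath $runPath -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($name in $run.GetValueNames()) {
            $data = [string]$run.GetValue($name)
            if ($name -eq 'Inspector' -or $data -match '\\(Temp|AppData|Application Data)\\') {
                [pscustomobject]@{ Check = 'Run entry'; Key = $runPath; Name = $name; Data = $data }
            }
        }
    }

    # Image File Execution Options: the guide lists security tools whose
    # Debugger value is set to svchost.exe. Report every Debugger value found.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = $_.GetValue('Debugger')
        if ($null -ne $dbg) {
            [pscustomobject]@{ Check = 'IFEO Debugger'; Key = $_.PSChildName; Name = 'Debugger'; Data = $dbg }
        }
    }
}

Get-RegistryIndicatorReport | Format-Table -AutoSize -Wrap
```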

System Restore – Recovery

Below we detail 3 different sets of instructions to restore or recover a common Windows computer.

Windows Start Menu Rstrui.exe Restore

  1. Access Windows Start menu
  2. Type rstrui.exe into the search field and press Enter
  3. Follow the instructions in the Windows Restore Wizard

Start Menu System Restore

  1. Access Windows Start menu and click All Programs.
  2. Click and open Accessories, click System Tools, and then click System Restore. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  3. Follow the simple instructions to Restore your computer to a date and time before infection.

Safe Mode With Command Prompt Restore

If you cannot access the Windows desktop, this is the suggested step. If it is difficult to start Windows in safe mode, or if Windows brings up a black screen with “safe mode” in the four corners, move your cursor to the lower left corner, where the Search box is usually visible in the Windows Start Menu, and it will come up, including the “Run” box.

1. Restart/reboot your computer system. Unplug if necessary.

2. Boot your computer into “safe mode with command prompt”. To properly enter safe mode, repeatedly press F8 upon the opening of the boot menu.

3. Once the Command Prompt appears you only have a few seconds to type “explorer” and hit Enter. If you fail to do so within 2-3 seconds, the FBI MoneyPak ransomware virus will not allow you to type anymore.

4. Once Windows Explorer shows up browse to:

  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter

5. Follow all steps to restore or recover your computer system to an earlier time and date (restore point), before infection.

Safe Mode with Networking

This mode is for users who need access to the Internet or the network they’re connected to. It is helpful when you need to be in Safe Mode to troubleshoot but also need access to the Internet for updates, drivers, removal software, or other files to help troubleshoot your issue.

  • This mode will also bypass any issues where Antivirus or Anti-Malware applications have been affected or are malfunctioning because of the FBI Moneypak infection’s progression.

The plan with this option is to boot your computer into “safe mode with networking” and install anti-malware software. Proceed to scan, and remove malicious files.

1. Reboot your computer in “Safe Mode with Networking”. As the computer is booting (when it reaches the manufacturer’s logo) tap and hold the “F8 key” continuously to reach the correct menu. On the Advanced Boot Options screen, use your keyboard to navigate to “Safe Mode with Networking” and press Enter.

  • Make sure to log into an account with administrator rights.

The screen may appear black with the words “safe mode” in all four corners. Click your mouse where the Windows Start menu normally is to bring it up so you can browse.

2. There are a few different things you can do…

  • Pull-up the Start menu, enter All Programs and access the StartUp folder.
  • Remove “ctfmon” link (or similar).

This seems to be an easy step in removing the FBI virus for many users.

Now, move on to the next steps (which are not a necessity if you removed the file above but provide separate options for troubleshooting).

3. If you still can’t access the Internet after restarting in safe mode, try resetting your Internet Explorer proxy settings. These 2 separate options and following steps will reset the proxy settings in the Windows registry so that you can access the Internet again.

How To Reset Internet Explorer Proxy Settings

  • Option 1

In Windows 7 click the Start button. In the search box type run and in the list of results click Run.

In Windows Vista click the Start button and then click Run.

In Windows XP click Start and then click Run.

Copy and paste or type the following text in the Open box in the Run dialog box and click OK:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

In Windows 7 click the Start button. In the search box type run and in the list of results click Run.

In Windows Vista click the Start button and then click Run.

In Windows XP click Start and then click Run.

Copy and paste or type the following text in the Open box in the Run dialog box and click OK:

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f

Restart Internet Explorer and then follow the steps listed previously to run the scanner.

  • Option 2

Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.


4. It is now recommended to download Malwarebytes (free or paid version) and run a full system scan to remove FBI Moneypak malware from your computer if you do not have this application on your system.

Flash Drive

  1. Turn off your computer system and unplug your internet connection
  2. Turn the machine back on (In some cases the virus can only open if your machine is plugged into the internet)
  3. On another (clean) computer, download Malwarebytes or your preferred removal program and load the Mbam-Setup.exe (or similar) file onto the flash drive
  4. Remove the flash drive from the clean computer and insert it into the affected machine, proceed to install Malwarebytes (etc) using the setup file located on the flash drive.
  5. Run a full system scan, Malwarebytes will find and eradicate malicious files
  6. Restart your machine

Optical CD-R

  1. Place a blank CD-R into your CDROM drive
  2. Download and place Microsoft Defender or your preferred removal program onto the blank CD-R
  3. Restart your computer and boot from CD

“You may need an old school keyboard (not the USB, but the PC connector type) since the virus delays the USB startup. The Defender will clean your PC in totality. This virus is somehow complex, but is no match for Windows Defender. After the scan is complete, run again a full scan without a restart.”

Slave Hard Disk Drive

If you are having complications with Anti-Malware software a suggestion would be to slave your HDD, then proceed to scan. You will need a second operating computer and tools to remove your hard drive. *Please note this may be difficult for some users and there are other options to scan your hard drive during complications. This is a common practice for local computer technicians.

  1. Remove the Hard Disk Drive from your computer.
  2. On the circuit board side of your HDD set the drive to “slave”.
  3. Connect the slave drive to an unaffected computer.
  4. Scan the slave drive, and proceed to remove any malware on the drive. Make sure to scan each user account.
  5. Reconnect the HDD to your original computer.

How to stay protected against future infections

The key to staying protected against future infections is to follow common online guidelines and take advantage of reputable Antivirus and Anti-Malware security software with real-time protection.

Real-time security software

Security software like Malwarebytes and Norton Security have real-time features that can block malicious files before they spread across your computer. These programs bundled together can establish a wall between your computer and cyber criminals.

Common Online Guidelines

  • Backup your computer and personal files to an external drive or online backup service
  • Create a restore point on your computer in case you need to restore your computer to a date before infection
  • Avoid downloading and installing apps, browser extensions, and programs you are not familiar with
  • Avoid downloading and installing apps, browser extensions, and programs from websites you are not familiar with – some websites use their own download manager to bundle additional programs with the initial download
  • If you plan to download and install freeware, open source software, or shareware make sure to be alert when you install the object and read all the instructions presented by the download manager
  • Avoid torrents and P2P clients
  • Do not open email messages from senders you do not know

Sean Doyle

Jacob is a tech author and engineer with over 20 years of experience in cybersecurity, privacy, malware, Google Analytics, online marketing, and other topics. Jacob's content has been featured in numerous publications.

540 Responses

  1. Computer Guy says:

    I just go to the “task manager” and in “applications” find the the one that indicates the virus and right click it and “end”. It will close your browser. If you reopen your browser you may have the option to “restore” web pages, don’t do it. Better to reboot at this time.
    To start “task manager” press keys Ctrl, Shift and Esc. Go from there. I also use CCleaner if I don’t reboot.
    I have run Malwarebytes and other scanners after all this and I never find anything related to the ransom virus.

  2. joseph shelly says:

    All u have to do is type in all the credit card information using all fake numbers push send and ur device will immediately unlock!

  3. C. Good says:

    I have Verizon wireless. I took my phone to them and they reset my phone and it was removed.

  4. g says:

    This info saved my life but all I had to do was factory reset my phone that was my only option at that point I despise people who make dumb viruses and wreak havoc on unknowing people

  5. ken says:

    the moneypak virus goes full screen on my compu and won’t let me do anything at all. how did you guys get this antivirus program to load and work????

  6. Anonymous says:


  7. Anonymous says:

    phew!!! The first time I saw this I tried forever to download malwarebytes but some reason my laptop wouldn’t accept it. so I shut down the machine and looked at my options. I was thinking about having somebody just fix it for me but today the malwarebytes worked!! goodbye fbi virus…..have fun in new mexico~XD

  8. Anonymous says:

    your free malware software found and killed this virus with no problem. Thank you all very much

  9. Anonymous says:

    Does anyone have a free moneypak code that will work for me.

  10. Anonymous says:

    What if i don’t pay it would it stay there? ….what would happen i have a tablet so it blocks everything and i cant get into anything ….can so one please help…

  11. Anonymous says:

    thank you

  12. Tabor says:

    My phone is infected. HELP!!!

  13. djg says:

    removal: in chrome/fe goto tools –> developer tools –> elements. u will see html inside head tag , right click on the script tag and delete all of them and then close the browser. Also u can try putting in any 14 digit number and click the submit button it will always work

  14. anonymous says:

    hope this works.

  15. Anonymous says:

    how did your fbi thing happen

  16. Anonymous says:

    i like pankakes

  17. Ehns0mnyak says:

    Kudos to whoever wrote this. It was a pain, even for a seasoned vet.

    On an older slower machine, you have roughly 3 seconds after explorer.exe loads before the virus takes control. If you’re fast, you can ctrl-alt-delete and get to task manager in time to force quit explorer.exe. Closed a couple of the non critical processes, and new process explorer.exe.

    Luckily I was able to get into windows, and run malware bytes.

    7 of the malicious files were hiding out in the \windows\temp\(8 random chars).exe
    and a final in \documents and settings\(username)\local settings\temp\(18 random chars).exe

  18. Anonymous says:

    i love the ppl that poseed this im going to make it much more strict and back track ip and resend

  19. Steven Peterson says:

    Information above helped me get rid of the virus. Very accurate info, thank you.

  20. RG2 says:

    I have this on a Mac it just blocks Chrome.

  21. Bart says:

    Thank you, it fixed my issue. Although the method that ONLY worked for me was the command line. Easy just install malwarebytes on the flash, type explorer and you are good to go.

    Thanks again for resource.

  22. Lee Riker says:

    Thank you so much! I used the safe mode with networking and ran the malwarebytes scan and it located two bot files and I removed them, restarted and whalahhhh! It worked! You are awesome. Thanks for putting this information out there for us!

  23. Emil says:

    This afternoon, 7 June, I got the FBI Trojan. I managed to remove it using the SAFE MODE RESTORE instructions you provided. Thanks for your Help. I noticed a restore point got established about the time I got the trojan. When I clicked SHOW WHAT IS REMOVED AND ADDED there were no files in either action. It did say it was a windows update but I wonder if this was the path on how the trojan got access to my computer

  24. Jenna says:

    Thank you… This worked!!!!!!!!!!!!

  25. Rodger says:

    I have been hit twice now with FBI virus and am using malwarebytes this time. I used an old Kaspersky disk first time to remove the virus, but got it again after the 30 day trial. The only way I could get the computer to clear the white screen was to tap the power button quickly then x out the close program prompt. This doesn’t remove the virus but frees up the computer till you restart or it pops up again after leaving on. System restore did not work on this version either time. I am confident this software will work but don’t want to wait at the computer for full scan to finish. I hope the “Button Tap” will help someone else. I stumbled onto the idea out of sheer frustration.

  26. Shane says:

    Just had this FBI Moneypak Virus pop up on me tonight… Logged on to my computer, and then all of a sudden I was smacked with an incredibly startling notice. I was trying to figure out what I had done wrong haha. After finding this post, I was able to start safe mode and download the Malwarebytes Anti-Malware software. It’s scanning now, and has already found 32 infected objects! I have a Lenovo Thinkpad (Windows 7), and I want to make sure this dilemma gets resolved. Is there anything else I may need to do to clear this up?

    Thanks for the assistance!

    • Shane says:

      Just finished the Malwarebytes scan and deleted all the infected files… Thanks for your help and assistance!! You guys are awesome!!!

    • Anonymous says:

      I have Windows vista and rebooted in safe mode with networking. Then did a system restore. Worked like a charm! Thank botcrawl!

  27. Craig says:

    I had to hook my hdd up to my dad’s computer and had it scanned with Malwarebytes. My computer worked normally after that, but I did a second scan with AVG just to be sure and it caught a few more trojans. One file was named wij1b.bat and now on startup I get a RUNDLL error saying that wij1b.bat could not be found. I found a file in my documents and settings\all users\application data folder (where it said the .bat file should be) and found another file called b1jiw.pad. Are these part of the virus and how would I make RUNDLL stop trying to load it?

  28. Bryan says:

    Finally got rid of this thing tonight. The newest version of this was tough. Been working on removing it for 4 days. Finally the latest update of HitManPro did the trick. I think had to fix some file extension settings after the virus was gone. I couldn’t open ANY .exe file. That was the easiest part thanks to Microsofts FIX-IT. I’ll be more careful next time. Learned a good lesson.

  29. Anonymous says:

    I almost fell for this!…I thought I had unknowingly stumbled on an illegal site….I about cried thinking I had to come up with 300 dollar in three days!…..

  30. shane says:

    Why didn’t my firewall and McAfee antivirus stop this?

  31. Anonymous says:

    Amazing!!!! So glad I didn’t have to punish my brother in law…and he was too. You guys are wonderful and saved us a lot of money

  32. Deanna Hanson says:

    Thank you soo much for your help with this virus, This thing attacked my 13 year old sons computer. Scared the crap out of him, he thought he had done something wrong. I got his computer back by using the safe mode with command prompt restore option and am now running malware bytes and a full virus scan on it.

  33. Anonymous says:

    how can you remove it using remote control? I remote in to my customer’s PC but i’m unable to do anything, like CTRL ALT DEL etc. Customer does not know how to press F8 upon bootup. =/

  34. Anonymous says:

    Used the safe mode restore….worked perfectly…thank you.

  35. Marc says:

    Thanks for this great article! I used safe mode and restored my system and used malwarebyte to scan it through and it was OK today. Best regards!

  36. Anonymous says:

    i did something idk if its listed here but this was my second run-in with the virus so since I have windows8 I used some sort of reset? anyways I wiped my whole computer clean. EAT THAT YA —-ing VIRUS

  37. Steve says:

    When I first saw this I was stunned. I wasn’t looking at anything wrong, but it locked the computer up pretty good.
    I luckily logged off, and then on to my wife’s user and did the system restore just hoping. I have done this for the 4th time today, so either it is getting spread a lot or I still have it – but my point is to have everyone set-up at least one additional user account, for at least this purpose.

  38. Empower says:

    “Safe Mode” Worked perfectly! Ty

  39. Alex says:

    Thank you a lot! This happened to my child’s computer, and she was crying and scared! On her computer it had a different picture, but she thought it was real.

  40. Dan Lawler says:

    Stupid mugu trick. These Nigerian idiots will try anything to con you.. They figure the 419 is not working anymore. The dating scams are getting clobbered so some stupid hack come up with this. Remember no law enforcement official will ever block your computer and demand a ransom (you’re entitled to due process of law) If there is a real problem they will visit you personally and have to present a search warrant. (a judge will not issue that unless there is hard evidence that a crime may have been committed)

  41. Kella says:

    I don’t know if the malicious info or whatever is actually gone from my computer BUT it indeed worked! My laptop is back to normal and the FBI fake thing is now gone from my eyes.. or sight or something. I am not too sure if it’s fully gone though. I used a scan thing like for to scan for affected programs.. and then yeah.. I thought Norton still could be a little helpful, even though I had to renewal my uh membership? Anyways, thank you so much for saving my life. I could’ve done suicide.. yeah, weird but I have been teased and tortured enough. (Not like hurting others kind of torturing)


  42. Anonymous says:

    Your guys team was the first to investigate and publish removal instructions about this ransomware and you guys are still the best. Thanks for the hard work!

  43. Nathan says:

    Awesome guys. Thank you. Did the safe mode command prompt, thanks so much.

  44. Anonymous says:

    Thank you! So helpful!

  45. Marc says:

    I know very little about computers…but this might help others. I have 2 HD with 2 OS. After infected C: drive boot, I booted with secondary F: and installed malwarebytes with thumb drive. I scanned the C drive and could not locate the virus…BUT…I did not realize when I booted with my old F: drive it reshuffled drive identifiers….so I did locate virus when I scanned the new F: drive which was the C: drive from my infected boot…….DUMB on my part…wasted several hours

  46. Sam says:

    I got hit with the FBI Moneypak virus this afternoon. I was able to do a system restore by tapping F11 on my HP Computer when the computer started up. After the system restore was done, my computer was back to normal, and I also scanned my hard drive with Norton to make sure I was OK. I was really worried that the virus was real, and the FBI were going to arrest me within 72 hours! Glad it wasn’t real after all.

  47. anonymous says:

    My laptop has been hit with what I assume is another update of this virus, it claims to be from the US Dept. of Justice, it demands $450 on a moneypak within 48 hours. It’s really frightening, especially when you have no idea what you did to incur this type of intrusion

  48. Anonymous says:

    Wow thank you for helping me remove the virus. I think you guys did a great job explaining.

  49. Anonymous says:

    Thank you so much. You are a life saver

  50. Anonymous heterosexual says:

    ILOVE YOU !!!

  51. Anonymous says:

    Can they access all my information in my computer? if so, what should I do? I really don’t know anything about computer. Thanks

  52. Anonymous says:

    I have this virus infected my computer too. I have many important information (like bank acct and SSN on some documents) saved in my document folder. Wonder if the hacker really take all information?

  53. Anonymous says:

    Thank you so much guys. I really appreciate this information. If it wasn’t for this I would have taken a zero on an important assignment for school. Seriously thank you so much

  54. Anonymous says:

    Great solution,
    Got stuck with FBI virus and didn’t know what to do. This helped so much and worked like a charm the first time. I used the safe mode with command prompt. I have a windows 7 computer and used the browser C:\windows\system32\rstrui.exe. They aren’t kidding about typing in explorer as soon as it appears. May want to pay attention to see when this comes up because after 3 seconds you have to restart. To get my computer into safe mode I had to force shut down by taking the battery out of the laptop. Great trick and it is simple.

  55. Douglas Adkins says:

    I had opened up my “Task Manager” and started ending processes until it went away. I started with processes that looked out of place and left the others alone (of course).
    I came upon one labeled as “euhzwbbp.exe” and when I ended that process, it disappeared.
    Hope this helps!

  56. Anonymous says:

    Thank you so very much for this information. I’m currently on bed rest
    and need my computer to stay connected to the outside world. This article saved my sanity.

  57. melissa says:

    Thank you so much with your help I fixed my computer:-)

  58. GPaige says:

    If you can get to Safe Mode on your windows 7; system restore fixed it in about 10 minutes. Thanks to whomever posted all those tips, I finally got it to work after unplugging my pc for 30 mins.

  59. Anonymous says:

    Big thanks to the authors. Everything seems to be back to normal. Very much appreciated!

  60. Anonymous says:

    Coolest website in the world. Thank you so much guys!

  61. Anonymous says:

    I just ran into this program and boy was it a pain in the @ss. First off, it looks like the hacker has now adapted. If I go into safe mode, the computer will restart by itself soon after. Not to be defeated, I ran “windows in safe mode while opening command prompt” instead. I then went to “C:\Users\[your name]\AppData\Roaming” where I found 2 files, skype.dat and skype.ini. So, I deleted them both. I’m glad I don’t use skype since it would have blown right past me. To be on the safe side, I also went to “C:\Users\Ross Chan\AppData\Local\Temp” and did a del * there before restarting.

    Voila! Virus gone. I then proceeded to do a system restore and scan. Hope this helps for anyone else having this problem, and don’t let the hackers win!

    • Anonymous says:

      Thanks a lot!! It works!! Go to “windows in safe mode while opening command prompt” and type “cd C:\Users\[your name]\AppData\Roaming”, then type “dir”, I found those 2 files, skype.dat and skype.ini. Type “del filename” and ENTER!! Restart the computer and run AVG. Everything back to normal!

  62. Timothy Kent says:

    Thank you! There should be an award for people like you

  63. Anonymous says:

    Thank you so much !!! The Safe Mode With Command Prompt Restore worked for me !! THANK YOU

  64. Just passing by says:

    Thank You! I did the system restore and my computer is now working, am gonna scan the whole computer with AVG just to make sure everything is fine. Thanks again for all your help.

    • randy says:

      You all deserve a medal! Worked first time! Using avg now to make sure everything is good!
      Thanks Guys!!!!

      • richard says:

        thank u for all ur help, i followed ur instructions and got rid of the fbi ransomware. i would love to find out who is putting this virus out and punish them. thank u again u saved me from having to reinstall windows 7

  65. Anonymous says:

    Thank you for the instructions! I used the steps in the forum for creating accounts

  66. Emily says:

    sean you are really hot <3

  67. Saidah says:

    Thank you so much!! It worked !

  68. Anonymous says:

    Thank you for the tutorial on how to get rid of the FBI ransom ware. My 17 year old son was trying to download an application on his laptop at what he thought was a Boy Scout affiliated website and got the ransom ware instead. I had heard of it at work but couldn’t remember how to get rid of it. Now I’d just like to figure out who developed it and bring them to justice by which I mean put a bullet in their worthless head. Thanks again.

  69. Anonymous says:

    Thank you for providing this valuable information. Restoring from safe mode helps

  70. twldgtr says:

    I figured out the System Restore in Safe Mode method myself, but it’s good to see a confirmation here that it did remove the threat entirely.

  71. Anonymous says:

    You guys are awesome! Already had that malware once but this time it was waay harder to get away. Thanks for all those different methods

  72. Anonymous says:

    Good God, you should get an award or something for this free and thorough guide. I thought I had to buy another laptop, you completely saved me. Many thanks!

  73. Mrs M says:

    Thank you soooo much!!!!!

  74. Anonymous says:

    Opening with command prompt and typing explorer is what saved me. Holy crap this was a nasty bug. It forced me to shut down in regular safe mode.

  75. Helen says:

    I finally managed to enter rstrui.exe at the command prompt and restored system. THANK YOU!!

  76. mckeldw says:

    Tried Malwarebytes free version which worked in about 15 minutes. I’ll gladly pay the $25 scan regularly.

  77. Snedman says:

    instead of going to safe mode select System Restore. Restore it to a day+ before the problem started to occur. That worked for me.

  78. Anonymous says:

    I bet all you people that did download child porn just about crapped your pants

  79. anonymss says:

    Finally I am able to fix it …
    I was affected couple of days ago and it was so annoying, as I was not able to run any anti-virus, as it shows white screen and nothing can be done.

    Luckily I have 2 user accounts (admin and Guest), From guest account I provided access to admin files c:/users/admin_acct/appdata and local , roaming, temp all locations as provided as solution 2 above
    Then I ran malwarebytes from guest acc, it deleted all malware in admin account and I am done

  80. It’s no point blaming the FBI for infecting their computer with such ransomware that disguise itself as FBI, whether it is FBI Anti-Piracy Warning or similar. The FBI has been aware for a long time, and yet it is still evolving. It’s one thing to keep the anti-malware and anti-virus solutions updated as well as operating system security updates to prevent infections.

  81. pg says:

    How long should the system restore take after the safe mode command prompt boot up to remove this disgusting virus…

    This is the second time we got it but this time it displayed child porn thumbnail pics!!! I was having a seizure trying to get away from it!!! I hope whoever is responsible for this slop finds forgiveness a higher power – they’re not getting it in this life! So sick and tired of this hacking crap – can’t get a real job!

  82. Bill Sandberg says:

    I had this virus on Windows XP and this virus did not function unless it was connected to the internet. I started my AVG anti virus to download updates and then connected to the internet. AVG picked it up right away and I was able to expel it.

  83. Chris says:

    Thank you. I had a hard time with this virus until I found your post. After I could reach explorer it was easy as pie.

  84. STEVE says:


  85. Anonymous says:

    Excellent suggestion. It was very useful. Thanks a lot.

  86. Anonymous says:

    Thank you!! I was freaking out!

  87. Anonymous says:

    “Malware has blocked and quarantined a treat.” Beautiful!

  88. Savannah says:

    THANK YOU THANK YOU THANK YOU!!! I was able to get in through safe with command and do a system restore. Should I still go back and do a check for manual removal?

  89. Billy CA says:

    Thank you! I just got this FBI virus and you’ve just saved me! THANK YOU SO MUCH

  90. Buford T Justice says:

    I solved mine in a way I haven’t read about.

    In Windows 7 I wasn’t able to get into safe mode (endless boot loop), and was almost completely locked out in regular mode. I had the ransom page displayed in full screen. Ctrl+Alt+Del brought up the normal screen, but task manager would not work.

    Out of frustration I started clicking the links on the ransom page just so I could see something different (how much worse could it get?) I believe the key was clicking on the email link at the bottom of the page (you’ll see why later). I hit Ctrl+Alt+Del -> Shut Down to make my next attempt at a new strategy. When I did, the shut down hung up asking if I wanted to force Outlook to close. Apparently hitting the email link had launched Outlook in the background. I IMMEDIATELY hit CANCEL when Windows asked if I would like to force Outlook to close before Windows had a chance to close it and continue the shut down. The shutdown stopped, but the virus processes had already ended in prep for shutdown. I had my computer back, but still had to remove the virus with MalwareBytes.

    I hope this can help someone else.

  91. Anonymous says:

    thanks a lot!

  92. Mr C says:

    YOU PERVERTS!! ALL OF YOU!! and me too….

  93. R Higgins says:

    I don’t know how to thank you. So far it worked with system restore. My malware for some reason was off. Thank you again

  94. Anonymous says:

    The system restore procedure worked. Thank you very much!!

  95. Ian Zipf says:

    I wonder how many people fell for this, and how much money the person made…

  96. Anonymous says:


  97. Joe says:

    Did the restore, thank you so much. It’s great to have people like you for help, you’re a lifesaver. It worked great to get rid of it. My uncle also thanks you since it was his computer I fixed with ur help

  98. Anonymous says:

    This site was a real lifesaver for us. We were able to remove the virus using the system restore suggestion. Will be getting some anti malware for sure. Thanks again…

  99. Anonymous says:

    excellent explanations…corrected problem. Thank you

  100. Anonymous says:

    I booted up with “enable VGA mode”. The FBI virus initially blocked everything. I left it running without doing anything for about 15 minutes; magically the FBI disappeared and I was able to use system restore. The screen layout was distorted but still workable. Hope this will work for you too.

  101. Sali says:

    Thanks for the guide..found this on my dad’s laptop, he really doesn’t know about computers (neither do I) but I’m on the internets a lot more and knew this was probably a virus with a quick fix. He was about to take it to the computer shop tomorrow and gave me $$ for removing it 😀

  102. Anonymous says:

    Thank you so much for the help!!! i was so scared!!

  103. tom says:

    I must have a newer version of the malware as the version i had disabled the ability to restart in safe mode. if you tried, you get the blue screen. So here is what worked for me…

    Once i disabled my internet I was able to get on to my pc pretty easily. you have a few options here depending on how you connect. If you have a desktop, just unplug the network cable. Some laptops have a switch on the outside that you can just turn the network off, but others you might have to disconnect your router or modem.

    now that you no longer have an internet connection, turn on your computer and all should seem seems to be tricked some way by not having an internet connection( of i should say this was my experience).

    i went into control panel and created a new user with admin privileges. i then restarted the computer and logged in on the new account i just created. all seems to be fine. I restored the internet connection and then went to and downloaded the free version(when you install uncheck the trial of the pro version). after you install, run the update so you have the latest definition files and run a Full scan on your computer. after the scan is done, let it repair the files it has identified.

    i then turned the internet connection off again and restarted the computer. When it came back up, i logged on under the original account and ran Malware bytes that was installed from the other account (it will appear on both). it found a few more trojans which I removed after the scan was complete. Your computer will restart after it removes the trojans. Everything seems normal now, so i deleted the second account that was created above.. good luck with this nasty malware..

  104. Joe says:

    I was able to download Malwarebytes, but now every second a notice pops up that says the program has blocked & quarantined a threat svchost.exe Trojan.Agent – does this ever stop or will the Virus continue to try and attach my computer?

  105. Anonymous says:

    Thx for guide I seriously almost cried when this fbi thing popped up

  106. stan says:

    The only way I could get rid of the virus was to start-up in safe mode with command prompt and run malwarebytes from the command line.

  107. stan says:

    I got the virus today (Dec. 27). Perhaps it is a new/nastier version. In safe mode and safe mode w/networking, I get a blank white screen within a few seconds of windows booting up. I already have malwarebytes on my computer and can try to activate it, and believe it starts, but almost immediately the white screen comes up and I can’t do or see anything. Note that it is just a blank white screen, without the FBI scam verbiage. When I power down, just before the machine turns off, the white screen disappears, and I can see my desktop.

    I can get the task manager option screen with , but no matter what option I take, it just puts me back to the blank white screen.

    I tried the system restore option via the command prompt. It did not work as expected, but eventually (somehow) I got the user interface to open and I selected a restore point from a few days ago. After a considerable amount of time running, the system restore failed due to lack of memory space (not sure if that is legit or nonsense from the virus).

    Any help is appreciated.

  108. M B says:

    Thank You so much downloaded software already and read about the restore option so i will try it tomorrow.

  109. Anonymous says:

    I did a system restore and it worked perfectly! I was in a panic for an hour before I tried this.

  110. Anonymous says:

    if u do pay the £100 what do u do then?

  111. AADAM says:

    I deleted the account that had the virus and ran a scan and the virus didn’t show up, am i safe?
    the virus only affects one account. when i deleted the account i also deleted the files on the account

    • Sean Doyle says:

      I can’t technically say yes, but you should be fine.

      Make sure you run a full-system scan with reputable Antivirus (or AM) software that has experience removing this particular infection.

  112. Ba'lal Shelahgra says:

    It took me about 5 minutes to “remove” this, just got it 10 mins ago, system restore to a restore point I had made and bam. Now to see if my Empire total war saves got saved as well…

  113. Madho says:

    Thank you very much

  114. Anonymous says:

    I was infected with yet another variant of this ransomware yesterday. Let me just say the first time I had it, I was able to remove with a system restore while in safe mode w/ networking. The next time, i had to do it w/ safe mode via command prompt. Yesterday however the command prompt didn’t even work as the ransomware kicked in before i started typing anything. (doesn’t matter if I typed in ‘explorer’ before the 2-3 seconds. I was able to to safe mode w/ networking but this time I logged in as Administrator and did a system restore. My point is every time I get this virus it is removing options to recover.

  115. anthony williams says:

    I was fortunate enough to have another user on my computer and downloaded the MALWAREBYTE program and it seems to have worked . since im leaving a comment from my user ya think its alright . Im not really good with computers. any input would be appreciated.

    • Sean Doyle says:

      Run a full system scan using Malwarebytes, you can also try free Antivirus scanners suggested on this page.

      Also, search for any files listed on this page related to the infection.

      If nothing is detected or located, that’s a good sign.

      If you are using Malwarebyte’s software and would like to know more about the infection from their standpoint, feel free to contact their support team. They are always happy to assist.

  116. Anonymous says:

    I seriously almost had a panic attack when the screen popped up. i was dead scared and didnt know what to do but as soon as i saw everyones comments here i felt so much better. It took me the longest time to find where to reset the computer to a previous time but as soon as i found it the whole thing took less than a minute. So happy for this. Really quick and easy

  117. amason28 says:

    Thanks for this excellent article, it’s the best I have seen. My surfing account was infected on Dec. 11 but my admin account was not affected (never surf with admin rights!) and I was able to delete the infected account and then recreate it (using the option to keep the account’s files); this broke the virus. There was no ctfmon in my case, but a random-named exe and some flash updates, all loaded into AppData\Local\Temp at the time 2:37 PM of the intrusion.

    The virus attacks immediately, which makes it vulnerable as the rogue exe can be found by searching for *.exe and then deleting it using the admin account.

    What alarms me is this. The exe inherits the privilege of the infected account. How was it able to disable McAfee? How was it able to prevent rebooting in safe mode in my case? And how was it able to prevent Restore, run from the admin account, from initializing? This suggests a (to me) unknown vulnerability in 64-bit Win-7. Fortunately, no virus so far seems to be capable of privilege escalation, but this trojan was doing more than should have been possible..

  118. Mike P says:

    Thank you guys for the info! Very scary virus… Your tip’s worked like a charm.

  119. Anonymous says:

    1. FIRST OF ALL, let me reiterate, even though others have said it on this thread before, that the perpetrators of this virus are SCAMMERS who do NOT represent the FBI or any other government agency!!!! You should NEVER try to get rid of this virus by paying any amount of money through Moneypak as instructed by the scammers in the “FBI” popup window.
    Which brings me to…
    How To Remove The FBI Virus In Ten Minutes — Five Easy Steps (This works with any variant or version of the FBI Virus or FBI Moneypak Virus) —
    Step One (1) — UNPLUG YOUR NETWORK CABLE FROM YOUR PC (or temporarily disable your wireless connection) after powering down your PC. THIS IS THE KEY STEP, since the FBI popup window the virus uses to lock up your PC cannot activate without an online connection.
    Step Two (2) — Power up your PC with the network still disabled, and boot to Windows as usual. Ignore any warnings about loss of internet/network connection.
    Step Three (3) — Go to the “System Restore” utility that comes with every Windows PC (In my Win XP system, it was under “Start”, then “Programs”, then “Accessories”, then “System Tools”, then “System Restore”).
    Step Four (4) — In the “System Restore” utility, select “Restore My Computer To An Earlier Time”, then click “Next”. On the next screen, select the “System Checkpoint” for the day before the virus showed up on your PC. If you are not sure when the virus first showed up, select a date that is several days before you first noticed the virus. (NOTE: The PC automatically creates at least one “System Checkpoint” per calendar day.) Click Next, then click next again to confirm your selected “Restore Point”. This will delete anything that was added or altered on your PC after the selected “Restore Point”, INCLUDING ANY TRACE OF THE VIRUS!!
    Step Five (5) — As the System Restore utility reboots your PC, plug your network cable back into your PC (or restore your wireless connection). Your PC should then reboot and begin functioning as usual.

  120. Luke says:

    Downloaded malwarebytes just got virus. My computer works, But I keep getting a popup in the bottom right hand corner saying malwarebytes blocked access to a potentially harmful webpage blah blah blah….svchost.exe. Happens every minute or so. How do i get rid of this trojan svchost.exe. I have run a full scan. Please let me know if anyone else has had this problem and how to get rid of it.

  121. John says:

    Got this virus Wednesday morning. Wife called me at work and told me our son caught on her PC. When I came home that evening I read it and knew right away it was a hoax. It even had the “FBI song” running through our speakers. I tried to reboot into safe mode without any success. I wish I would have seen this site before. But my solution was I was fortunate to have another spare hard drive available. So I unplugged the infected drive and installed a complete OS on that drive.

    Once I got everything up and running I made sure I had AVG installed and Zonealarm before I hooked up the infected drive to copy my data files. I made sure I scanned everything before I moved it over. Afterwards I just nuked the drive with a hard drive eraser.

    What concerns me was that i was running AVG 2013 (free) and Malwarebytes.

    Personally if I could find the POS that created this virus I would cut off his fingers with a pair of tin snips. (dull ones at that one at a time)

  122. Jordan says:

    What I personally did to stop the FBI moneypak:
    Start computer, hit F8 in the beginning
    selected safe mode with command prompt
    waited, then signed into my account
    *then immediately entered “explorer” without quotes and hit Enter (do this within 3 seconds)
    then clicked start at the bottom left, then clicked the folders: windows, then system32, restore
    then click the rstrui file
    Choose a system restore point to a time that was before FBI moneypak

    If this worked for me it will probably work for you. Thank you for the guide.

  123. Naj says:

    ‘FBI’ version on my computer does not allow me to get past ‘safemode’
    and typing ‘rstrui.exe’ comes up as invalid entry.
    How can I get over this?

  124. freaked out says:

    OMG so I was yes looking at fem joy. LOL I am an artist and to me it’s just beautiful bodies, some naked yes but my laptop went into a frenzy….started popping up porn, and bad porn that made me want to throw up. Then the FBI thing popped up, I flipped out as a mom of 6 on PTA and a gma thought I’d have the FBI at my door lose my kids and go to jail. I could not get my lap top to shut down. I unplugged it, Rebooted it, in tears ….ready for this I called the local police. He said it was a virus. I told him scared the you know what out of me. I rebooted and went into safe mode. I am ok and safely on my lap top BUT NOT FUNNY!!! And I am embarrassed as all get out. Terrible virus and to think ppl probably pay this. Sad. Thank God I didn’t have to pay a ton of money to a PC man, no offense to those who make a living off this I just don’t have the extra money. SO that’s my awful story. Yes I really thought the worst and thought I was going to jail for looking at fem joy LOL. I feel stupid…

  125. Mel says:

    THank you SOOOO Much!! You saved my day!! 🙂

  126. Technical Support says:

    Great Article. We have to remove the FBI moneypak virus all the time. this article definitely got us going in the right direction. Thanks Sean!!!

  127. Christie says:

    I’m doing this now, hope it works!!! Windows 7

  128. Anonymous says:

    Thank you so much! This worked great. Once restored, ran a virus scan and it showed the malware and

  129. Anonymous says:

    Followed your process and it worked great. Thanks for everything.

  130. Daryl says:

    Maybe I was lucky, but I had what looked like the worst of the FBI Virus. Fortunately, I was able to start in Safe Mode, run CCleaner and use the Tools function to look at the Start items. There was one entitled Microsoft Update with a Russian source. I disabled it and rebooted. Windows 7 came up just fine and it looks like my programs work normally.

  131. justme says:

    Great information here. I actually reformatted my computer and am now having to update everything. I did try to start up in safe mode but was still unable to do anything.

  132. Anonymous says:

    Thank you so much. I had a really difficult one and I would have had to pay someone to fix it for me. You’re doing the Lord’s work

  133. Anonymous says:

    Update: Once in, I ran MalwareBytes again and found an infection. So cleaned that out and still working fine. Please let me know if this worked as well for you. Thanks.

  134. Renee says:

    Sean you are my BFF for life!!! Thank you for posting this information, it worked!! You are the best!

  135. Anonymous says:

    Thank you so much! My son was using my computer when the virus popped up. He texted me begging me not to be mad, he was so scared. Lol. I yelled and told him to stay off my CPU, but I had no idea what it said, so I finally read it tonight and flipped a lid, I was so mad at him and was actually going to pay. Then I just prayed about it, after I decided to look up moneypak to see if I can purchase one online, and thank God this website popped up. You have saved my son and me, mainly you have saved him, lol. Thank you again. I’m sure he would thank you also.

  136. Anonymous says:

    What if you can’t start in any safe mode? It shows up in safe mode also. Is there any solution?

  137. Anonymous says:

    And also, what will happen if it is not removed from my computer? I haven’t seen it pop back up yet. Does that mean I’m good from it? Please reply.

  138. Anonymous says:

    How do you know if the virus is gone? I restarted my laptop and let it go through its usual start up. I don’t see and hear the fbi warning anymore. It’s been about an hour since it first came up. Is it gone or is it somewhere and I have to remove it still? Please help.

  139. Anonymous says:

    Thank you, Sean. I wouldn’t have been able to resolve this if it wasn’t for you.

  140. Jenrageous says:

    Seriously…thank you. Thanks for using your brain to do good for others than to use it to cause havoc and destruction. The virus popped up when my son was using the computer and he was terrified to tell me. You saved us both! Lol. Thanks for sharing your expertise and knowledge. Happy Thanksgiving to you and yours!

  141. Anonymous says:

    OMG i tried soooo many things. I can’t open safe mode so now i am about to cry. I GOT MY MOM’S COMPUTER BACK. If you can’t access safe mode then TURN OFF ETHERNET. My computer has a little switch at the bottom that turns off internet access so that it won’t connect to the internet. THATS HOW THE VIRUS SHUTS YOUR COMPUTER DOWN. Then i did step 3. Now i do daily scans for that virus to make sure it doesn’t come back. ASK ME IF YOU NEED HELP!!

  142. Khalil says:

    Thank God! My mom would have killed me if she saw this on her new laptop!

    Thanks Again!

  143. Anonymous says:

    Thank you so much, I hope see you soon.

  144. rob says:

    THANK YOU SO MUCH! The system restore from safe mode worked fine. You are really awesome for doing this…very thoughtful to put these repair instructions up…not for money…just to be a good person. Thanks again

  145. Anonymous says:

    This totally works!!! I tried many youtube videos and have been trying for daysssssssssssss! I followed these simple steps and it removed the virus. I had 10 in my computer that I removed. If you have a flash drive, it was the best option. It took 5 minutes.

    I’m very, very pleased!

  146. J says:

    WOW!! I am Amazed. Thank you for guiding me in the right direction. For I am not a computer savvy person at all. Quick and easy. Very helpful, thanks again. You literally saved my life!

  147. joey B says:

    This is the second time I got this virus. First time I started in safe mode command prompt and restored. This time it will not open in safe mode, it reboots every time I choose the safe mode option…any ideas??

  148. Wyatt says:

    Thanks a ton! When this got onto my computer, I was flipping out. The moment I got this I told my mom that we had to pay a fine. But being the calm person she is, she got us to this website and we fixed it. So thanks again. Where do I report the “Microsoft Employees”? Or who do I report them to?

  149. tony says:

    thanx a million !!!!!!!!!!!!!!!!!

  150. Anonymous says:

    Thanks Sean you saved my life.

  151. Anonymous says:

    PS. Just wanted to say thanks Sean for the very informative and easy to follow step by step instructions you had. your leave a comment area had some issues in the name and email area so I had to reply to my original post. Thanks again, scott g.

  152. Anonymous says:

    I got the FBI ransom trojan ($200 fine ver) while clicking on a video link about Justin Bieber and Selena Gomez breakup on or about 1130am 11/10/12. it locked up my pc pretty hard. good thing I have another laptop available to research the virus. found your site and did a systems restore from safe mode that brought back functionality to the infected pc. I am now running full scans with MS security essentials, spybot, and malwarebytes. It appears the virus is gone but I will keep an eye on things for a while just to be sure.

  153. Tony says:

    The ctfmon is saying its open in another file and I don’t know what to do help

  154. Alec says:

    Thank you so much you guys are awesome saved me a huge hassle

  155. Anonymous says:

    Just had the pleasure of looking at this FBI virus, didn’t have a way to look it up online so I had to find it myself, Boot to safe mode + command prompt, open regedit, navigated to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\Winlogon
    (I’ve had a fake antivirus do this to me before)

    Found an entry that was modified:
    Name: shell
    Type: REG_SZ
    Changed value: explorer.exe, C:\Users\****\AppData\Local\(Random).exe

    I changed the value back to explorer.exe and reboot…

    For those who don’t know the registry much, this entry is the “On log on” program launcher, as soon as your user has been authenticated (either clicked or user/password is correct), windows runs what programs are specified in this entry.

    If you try to manually remove the virus don’t forget to check this location
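
A read-only check for the logon-shell change described in comment 155, as an added example that is not part of the original comment or the site's guide: it parses `reg query` output for the Winlogon `Shell` value and lists every entry other than `explorer.exe`. The sample output is constructed around the value quoted in the comment; the key path (the standard Winlogon location) and all function names are this example's assumptions.

```python
"""Audit the Winlogon Shell value (added example, not from the original page)."""
import re
import sys

# Standard Winlogon key. Shell normally holds only "explorer.exe" under HKLM
# and is usually absent under HKCU, so extra entries deserve a look.
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"
# User-writable locations where commenters on this page found the executable.
SUSPECT_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed sample of `reg query "HKCU\<WINLOGON_KEY>" /v Shell` output,
# built around the modified value quoted in comment 155.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe, C:\Users\****\AppData\Local\(Random).exe
"""

# A value line is indented: name, registry type, then the data.
VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")


def parse_reg_query(text):
    """Return {lowercased value name: data} from `reg query` output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group("name").lower()] = match.group("data").strip()
    return values


def audit_shell(data):
    """Return (entry, reason) for each Shell entry that is not plain explorer.exe."""
    findings = []
    for raw in data.split(","):
        entry = raw.strip().strip('"')
        if not entry or entry.lower() == EXPECTED_SHELL:
            continue
        reason = "non-default shell entry"
        if any(d in entry.lower() for d in SUSPECT_DIRS):
            reason = "executable in user-writable directory"
        findings.append((entry, reason))
    return findings


def read_live_shell():
    """Read the Shell value from HKCU and HKLM (Windows only, read-only)."""
    import winreg  # standard library, available only on Windows

    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    results = {}
    for name, hive in hives:
        try:
            with winreg.OpenKey(hive, WINLOGON_KEY) as key:
                results[name] = winreg.QueryValueEx(key, "Shell")[0]
        except FileNotFoundError:
            results[name] = None  # key or value not present
    return results


if __name__ == "__main__":
    if sys.platform == "win32":
        shells = read_live_shell()
    else:
        shells = {"HKCU (sample)": parse_reg_query(SAMPLE_REG_QUERY).get("shell")}
    for hive, data in shells.items():
        if data is None:
            print(f"{hive}: no Shell value set")
            continue
        print(f"{hive}: Shell = {data!r}")
        for entry, reason in audit_shell(data):
            print(f"  REVIEW {entry} ({reason})")
```

Resetting the value stops the launch at logon but leaves the flagged executable on disk, so the reported path still needs to be scanned or removed.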

  156. bjake12012 says:

    Got this virus a day ago on my Windows 7 XP version…after much searching I ran Norton NPE Crimeware virus software in Safemode. The installation required a shutdown and restart. After restart I accepted the license and ran the software. The software noted that file: dtresfflsceez.exe was running in my startup menu and was considered a virus. Engaged the removal feature and clicked continue. The file was removed successfully. Restarted my machine and ran a Quick scan and located additional tracking cookies. Removed the cookies, shutdown the machine and ran an additional full scan. All is working now…I hope this helps someone.

  157. eduardo says:

    what if the ctfmon.exe file is not in the start up menu?

  158. Bob says:

    Hell yes this got my computer going again! Thanks a lot! I thought I was about to have to spend a lot of money on repairs! Thanks again!

  159. Anonymous says:

    You are amazing thank you!

  160. Anonymous says:

    This virus is getting me tons of business for my PC repair side job. Though it does seem to be dying down, now I’m seeing more of the File Recovery, File Restore, etc virus.

    Something like this literally can take 2 minutes to remove if you have a way to get outside windows and see the files on your PC.

    Program Data, and user > App Data > Local are the main folders I find these in.

  161. Anonymous says:

    I ended up backing up my photos/videos to another hard drive in safe mode and then reformatted my harddrive. Im about to find this little pukehead who created this so called fbi virus where he’s living at.

  162. Anonymous says:

    Just got the virus – your web site very helpful. Used Safe Mode with Command Prompt to go back two days and restore computer. thanks

  163. Anonymous says:

    Got it this morning. I rebooted and scandisk started. I deleted temp files and that seemed to take care of it. Also ran a virus scan afterwards. Nothing found

  164. El Hefe says:

    I just got hit with this virus 2 days ago. Locked up pretty bad. Older PC w/ Windows XP Pro. Could not enter safe mode of any kind so could not manually delete virus files. I have Malwarebytes(TM) but I could not get most recent updates. I did scan with older version but PC shut down before completion (MWBTS found infection but could not finish delete on restart). I disconnected router and sat there very pissed. Then I reconnected router, turned on PC normally and was able to click on MWBTS icon on desktop before FBI virus could take over. Updated MWBTS and started full scan (will take at least 2-3 hours) and as soon as scan was running, disconnected router and deleted virus after scan. Then ran quick scan and full scan again to be sure. 0 malicious items. All seems well. Think I will stop using IEX and use Firefox from now on. I’ve read that FF w/ NoScript addon is safer. Good luck fellow surfers!

  165. Anonymous says:

    I disabled this virus by using safe mode and then typing ‘regedit’ into the bar and hitting enter. Then, I was able to find an unknown program in the Startup programs. From there, I disabled it and it does not run anymore. However, it is still there. It just doesn’t appear anymore.

  166. Anonymous says:

    wait what if we are called??? i got this and my friend got this but he was called

    • Anonymous says:

      It is still a fake. If you can get the number from caller id or something call them back and tell them you are from MI6 or Interpol or something and that they should stay in their house and wait for the police to arrive. Be as creative as the hackers. I was once called by some idiots claiming to be the FBI who wanted a credit card. I gave them the real phone number of the local FBI office (and a fake credit card) I would love to have seen their faces if they called. Remember, remember, the FBI, no matter what you may have heard does not collect fines. 2) This virus like many others is really a family of viruses (even if the screens look the same or similar) and like any virus it is constantly mutated. That’s why it’s so hard to stop. Get good anti virus software. Keep it up to date. Read up and learn how to cope with these bastards. Otherwise, relax, pour yourself a nice glass of scotch and get to work.

  167. Anonymous says:

    Deleted CTFMON on sset up file, worked

  168. Anonymous says:

    thanks soooooo much

  169. Anonymous says:

    Thank you so much!!!!! Purchased the full version of Malwarebytes so hopefully it doesn’t happen again….

  170. Anonymous says:

    Thank you so much. I promise to pray for you everyday. You honestly saved me!

  171. Anonymous says:

    thank you soooo much!

  172. Anonymous says:

    this is helpful:) when i first saw the FBI page i literally started crying because i really thought i had to pay $200 for my fine or i had to be sent to jail for 3 years.(i’m still a teen!) But till’ i went on google and searched how to Remove FBI moneypak and found results, you wouldn’t believe how happy and glad i was for google and this page! :’) tears of JOY

  173. Jim says:

    Thanks for the manual clean up instructions. I was able to find and remove the ctfmon file easily in safe mode with networking enabled. However, after a lot of trial and error with Vista, I finally found the appdata/local/temp file folder but could not find the listed files to remove in this location. I then started into a really protracted effort to do a system restart using accessories/system tools/system restart. I probably initiated restart at least a half dozen times and it always stopped with a disk error message that I assumed was caused by one of the malware files. I also was able to start and run McAfee virus scan after removing the ctfmon file. After the virus scan was complete (it indicated no virus present) I was able to do a disk recovery operation which took overnight to complete. In the morning, I was finally able to do a system recovery going back to a date I knew for certain I did not have this malware. I hope the rotten a-holes that invented this virus do many years in jail and are banned for life from owning any further computer equipment.

    This is my second experience with malware and both times it was immediately obvious the page that popped up was bogus. The FBI would never be involved with this type of shake down regardless of what people believe about the US Government and its actions. The previous experience was with the MS Security malware. Both have been a real pain to remove.

    This site is the absolute best of the sites I looked through on removal. It had easy to follow instructions and did not require buying more conflicting software to resolve the problem. Wish the site was listed first when browsing. It would have saved a fair amount of time as other sites were selling malware software without assurance of success.

  174. Anonymous says:

    This was the best, thanks!

  175. Daniel Servin says:

    Thank You Guys for all You Have Done to Help Me and other Panicked People Out There!

  176. Alex says:

    Thank you for the tip it was really helpful

  177. C says:

    Thanks for the detailed analysis.

  178. TP says:

    GONE in 30 seconds! I had only 1 user account with Norton360 and the FBI bug apparently got by that. I went with option 4 . . . removed the “ctfmon” file then restarted normally. Everything appears back to normal. Couldn’t have been easier. To be safe, I started a 2nd ADMIN log-on and downloaded and ran malwarebytes from that profile. It found 2 infected files which were removed. After mandatory restart, I switched back to normal account and ran malwarebytes again . . . all clean. Thanks, saved me a $150 geek squad fee!!!

  179. Ernie Thorn says:

    I got the virus on 2 computers within minutes of each other, all I was doing was deleting junk mail. I simply restored the Dell laptop to its birthdate and the Sony simply restored it to a few months ago. I did not have to use safe mode, just had to turn off my wireless router. Both are back to normal now. In both cases, my expired Norton anti virus pop up popped up wanting me to renew, hmmm.

  180. Anonymous says:

    Thanks for the help on this great work!

  181. Paul says:

    So, I got hit with this piece of crap virus. BEST WAY to get rid of it…TRUST ME…First, hopefully you have a second user on your PC . Always set up a back door sign in as ADMIN. Don’t use it unless you really need to….LIKE NOW !!!! Go to the web and bring down MALWARE BYTES. It’s free but it is a TRIAL VERSION. Activate it through your alternate sign on, not the user that you contracted the virus under – you won’t be able to anyway because of the “FBI LOCKOUT” Run the clean up twice. I bought the ultimate for $39.00 and boy was it worth it. Once you have run the complete application you can sign on as you normally do. THEN RUN IT UNDER THE USER THAT ORIGINALLY GOT STUCK UP THE BUT WITH THE VIRUS. It will clean the files that are not shared as the user that was infected. Total time to fix this once you download Malwarebytes is about 30 minutes. SO….SCREW FBI-$200.00 By the way, I didn’t mention that I have Norton 360 and Windows invader running. This virus has an awfully long and thin needle

  182. Anonymous says:

    Thank you very much. This page loads fast for all the content on it btw. =)

  183. Anonymous says:

    Thank you sooooo much!!! I freaked out when i got the FBI warning but with these instructions it was easy to remove ! I didn’t have access to safe mode but to the safe mode with command prompt! Then it took me 5 minutes and the virus was gone! It seemed so easy, i hope everything is gone! But not to take any risks i guess i will reinstall windows again! Should i? Thank you again sooo much this was soooo helpful and easy!

    • Eric Ramseur says:

      Thank YOU!!! I don’t even know how to download illegal stuff. I’ve been paying for everything like a sap, so I FREAKED when this message came up. I was right in the middle of writing a 25 page paper for my Masters classes and hadn’t backed up to Dropbox. Safe mode with Command Prompt, Explorer, system restore. end of story. Awesome!!!

  184. paige henry says:

    Thank you! Flash drive option wouldn’t work, but safe mode did. I was ready to chuck the whole laptop if it wasn’t for this help :O)

  185. KCM says:

    Thanks for the solutions. I tried all the manual steps but didn’t find the files as specified. Then installed Malwarebytes and it removed the virus. Thanks again for this information.

  186. Manny says:

    Thanks for the good work, very clear instructions. Got the virus this morning, McAfee didn’t fix it , restore the system to previous point didn’t work – tried it many times. Malwarebytes could see the virus and trojans but couldn’t remove it from the system, same happened with AVG. Finally MICROSOFT SECURITY ESSENTIALS did all the job. Now my PC works very smooth. Thanks

  187. RDS says:

    I did not get a screen like you’ve been showing but instead an audio file that kept saying “warning, FBI blah, blah, blah” over and over. So far system restore seems to have worked. Thanks for the easy instructions.

  188. Anonymous says:

    Thank You. Simplified explanations to remove this stupid virus

  189. Anonymous says:

    Best instructions to remove this stupid fbi virus on the internet. Many thanks!

  190. Rob Schulz says:

    Ugh, what a freakin’ pain. I’m on a laptop now while my computer is running Malwarebytes. It hasn’t found anything yet..

    This FBI deal blocked Safe Mode (all forms), and it was a race against time doing the ‘ol Start Menu / Run / explorer / Computer / C / Windows / System32 / Rstrui deal. What a PAIN. I finally got it to click (on like the 30th attempt. I’m sure that’s great for your computer), picked the Restore Point that was made yesterday afternoon, and I should note that I also unplugged my internet before that final successful one. It is STILL unplugged.

    Now, I should be good to go with the Restore Point? There won’t be any residual stuff? Very helpful here, though the range of ways to defeat it (since some won’t work) is infuriating. I like questions that are like “Hungry?” and the answer is “eat food.” Which is what I’m going to go do now.

    Thanks a bunch, and a confirmation to put my worried mind at ease would be great.

  191. Bay says:

    Thank you very much.
    I got the virus, try to restore the sys., it worked but when turn on the internet, the malware overtook my laptop again. Try reboot the laptop by F8, it didn’t work. I have to scratch the comp. to get the safe mode with networking, download the Malwarebytes, ran program and it worked perfect. Many Thanks

  192. Matt May says:

    This site (Sean) was instrumental in helping me (seemingly) defeat this. Thank You sir!

    Just as a note to others: I used a hybrid solution wherein I downloaded MalWareBytes in safe mode and ran it. It detected a trojan. I then restarted in normal mode. I then ran XXXX to be sure. Both services are free and bless them for that.

    Furthermore, before you fellow Norton subscribers decide to contact them, realize they haven’t a clue on this yet. They overtook my computer remotely for 1&1/2 hours before giving up. It took me an additional 3 hours of experimentation to (again, seemingly) beat it.

    Thanks again.

  193. BrianB says:

    Does removing using a system restore still leave some trace of the malware on your system? I checked this out with the FBI and they said even if you are able to remove it yourself there could be some lingering thing there that might record keystrokes or download personal information, credit cards etc?

  194. Ken says:

    Other websites are copying and pasting your article just to let you know and I gave them a piece of my mind!

  195. Anonymous says:

    I got this virus last night and was going to pay bucks to get someone to take it off. (By the way, companies want between $70-160 to get rid of this virus) I found this website and saved some money. I got into the Safe Mode on my computer and went to Systems Restore in my Accessories folder and restored my computer to a point from last week. It seems to have worked. I can get on the internet with no problems. I don’t have any anti virus software so maybe it’s hiding somewhere but for now I’m happy.

  196. Anonymous says:

    Booted in Safe Mode and did a System Restore and that removed it. After the restart Norton Security was disabled. Clicked to restart it. Doing a full system scan now.

    Had File ‘dxdgztzl.exe’ in ‘C:\Windows\’ looks like this is a random file name.
    also had startup entry for ‘dxdgztzl.exe’ showing in MSConfig Startup and the Registry for
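
Several comments above point at the same places: a Startup-folder shortcut (ctfmon), an unknown entry in the registry startup list, and randomly named files in ProgramData, AppData\Local, Temp or directly in C:\Windows. The PowerShell audit below is an added example, not part of the original article or of any comment; it only reads and lists those entries for review, and it assumes PowerShell 3.0 or later run from a clean administrator account or from Safe Mode (the function names are made up for this example).

```powershell
# Added example: read-only audit of the autostart locations mentioned in the comments.
# Assumes PowerShell 3.0+; run it from a clean admin account or from Safe Mode.
# Nothing is deleted or changed; the output is a list to review by hand.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
# Folder trees the commenters found the files in (unset variables are skipped).
$watchRoots = @(@($env:ProgramData, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ })

function Get-CommandTarget([string]$CommandLine) {
    # Pull the executable path out of an autostart command line.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"') { $target = $Matches[1] }
    elseif ($cmd -match '^(.+?\.(exe|com|scr|bat|cmd|vbs|js|dll))(\s|,|$)') { $target = $Matches[1] }
    else { $target = ($cmd -split '\s+')[0] }
    # Bare names such as "ctfmon.exe" are resolved through PATH, as Windows would.
    if ($target -and -not [IO.Path]::IsPathRooted($target)) {
        $app = Get-Command $target -CommandType Application -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($app) { $target = $app.Path }
    }
    return $target
}

function Test-WatchedLocation([string]$Path) {
    # True if the file sits directly in C:\Windows or anywhere under a watched root.
    try { $dir = [IO.Path]::GetDirectoryName($Path) } catch { return $false }
    if (-not $dir) { return $false }
    if ($dir.TrimEnd('\') -ieq $env:windir.TrimEnd('\')) { return $true }
    foreach ($root in $watchRoots) {
        $prefix = $root.TrimEnd('\') + '\'
        if (($dir + '\').StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$entries = @()

# 1. Registry Run/RunOnce values (what MSConfig shows on its Startup tab).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $entries += [pscustomobject]@{
            Source = $key; Name = $name
            Target = Get-CommandTarget ([string]$item.GetValue($name))
        }
    }
}

# 2. Startup folders; shortcuts are resolved to the file they launch.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $dir -File -Force) {
        if ($file.Name -ieq 'desktop.ini') { continue }
        $target = $file.FullName
        if ($file.Extension -ieq '.lnk') { $target = $shell.CreateShortcut($file.FullName).TargetPath }
        $entries += [pscustomobject]@{ Source = $dir; Name = $file.Name; Target = $target }
    }
}

# 3. Report: does the target still exist, is it signed, is it in a watched location?
$report = foreach ($e in $entries) {
    $exists = [bool]($e.Target -and (Test-Path -LiteralPath $e.Target -PathType Leaf))
    [pscustomobject]@{
        Source    = $e.Source
        Name      = $e.Name
        Target    = $e.Target
        Exists    = $exists
        Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $e.Target).Status } else { 'n/a' }
        Watched   = Test-WatchedLocation $e.Target
    }
}
$report | Sort-Object Watched, Exists -Descending | Format-Table -AutoSize -Wrap
```

Legitimate updaters also start from AppData\Local, so `Watched` alone proves nothing; the rows worth a closer look are those that are both `Watched` and `NotSigned`, especially with a random-looking file name.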


  197. Anonymous says:

    Hello and thx for the info.
    I did the system restore before finding this site, which reaffirmed what I did will work. However, one side effect is that it disabled my Norton. I still have the icons, but when I click on them, nothing happens. Also, the Norton icon is gone from my system tray. I’ll try re-installing Norton and see if I can get it back that way. But why did Norton let it get by in the first damn place???? I’m pretty pissed off at Symantec right about now!!!!

  198. Anonymous says:

    I succeeded in fixing my laptop, which has Windows XP Professional Service Pack 3. I use Microsoft Security Essential for my antivirus, antispyware, antimalware. When I booted up Windows, I got my desktop display minus all icons and taskbar. Since there was no Start button and putting my mouse cursor in the lower left corner did nothing, I decided to use Safe Mode with Command Prompt. In my case, a black screen opened with the words Safe Mode in the four corners and a title showing my version of Windows. By waiting about 20 seconds, a command prompt window opened in the upper left corner. I typed in explorer and pressed Enter. By waiting a minute or two, the Windows Explorer window opened up. I browsed to c:\windows\system32\Restore. I clicked on the file rstrui and pressed Enter. Be patient and wait. The Restore window opened up and I restored to a system checkpoint about a month ago. Restore then restarted my laptop and opened Windows successfully. A pop-up window displayed to state Restore finished and stated that some files were renamed. I clicked on a link to see the names of the renamed files: url.dll, urlmon.dll, and winnet.dll in the Windows/system32 folder. Since I have Microsoft Security Essentials installed and it normally runs at Windows startup, I got an error pop-up which stated it failed with error code 0x80070715. In other words, the virus corrupted Security Essential so that I could not do a scan of my computer. I tried to do Control Panel->Add/Remove Programs to uninstall Security Essential. A mostly blank window opened up with two blank buttons. I guessed the left button was Yes to do the uninstall which then ran. I had a copy of the install exec for Security Essential which I ran to install Security Essential successfully. I then ran it to do a full computer scan. It took two hours to complete and found five suspicious items : four of them were Trojans (Win32/Ransom.KF) and the fifth was labelled Exploit (Java/blacole.GD). The first two Trojans had container file in the Local Settings/Temp folder wpbt0.dll and the file was [INJECTOR_CL]->(UPX). The next two Trojans had container file in the c:\System Volume Information folder as A0121748.exe and the file was A0121748.exe->[INJECTOR_CL]->(UPX). The Java container file was in my userid folder as \.jpil_cache\jar\1.0\ and the file was this zip->bkwa\bkwa.class. My laptop is now running normally as far as I can tell. Also, I had Security Essential run another Full Scan, which detected no new threats.

  199. pokeonimac1 says:

    malwarebytes saved my life! (so did the fact that i had multiple accounts) I restored to previous version before an update, and then used malwarebytes to do a full scan (around 2 hours) however once you see that the number of malicious objects has not increased in the past hour, feel free to abort scan and delete those files. then, run a quick scan (or a full scan) to make sure you’ve removed all.

  200. Garrett says:

    Ok so right now I’m typing this on an iPad so I’m not sure if it will work. Right now my laptop is in safe mode with networking and norton 360 is running a full system scan.

    You Guys have helped me a lot. I wanted to cry I was so mad. THANK YOU <3

  201. tomtom says:

    Removed it with STOPzilla, worked great. People PLEASE don’t put any info into this and other rogues!

  202. DiSurgTech says:

    I just about had a heart attack!! Thanks for saving me from pulling my hair out. I had to restore my computer after going through the safe mode since the first option didn’t work.

  203. Domenica says:

    Thank you, thank you, thank you!!!

  204. Anonymous says:

    awesome! Thanks for all the help!

  205. Steve says:

    Thanks for getting me through this nasty malware virus. I used the instructions for safemode with networking, then reset my computer to a few days prior. It looks like the virus is gone. Thanks for the help!

  206. Anonymous says:

    Thanks! Why is this not first on google, the website I went to before was terrible. Hopefully this gets bumped up on Google soon.

  207. Dan says:

    Sean, many thanks for your very informative blog.

    It just happened to me and yes it’s quite annoying. It actually takes about 10 minutes to fix the problem and can be done with the Malwarebytes Anti-Malware software in “Safe Mode with Networking,” as mentioned above.

    Some articles claim that these guys have been extorting about $50,000 per day on average. I’m shocked that the FBI (or foreign equivalent) hasn’t yet apprehended the culprits.

  208. Anonymous says:

    Ya’ll are absolutely AMAZING!! Thank you sooooo much!!!

  209. Anonymous says:

    can someone but in spanish

  210. Anonymous says:

    im very scared

  211. Anonymous says:

    Thank You so much for this, it was very helpful ^^ btw does malwarebytes completely block the virus out?

    • Sean Doyle says:

      The free version of Malwarebytes is just a malware scan and removal tool that will remove this infection.
      The paid version of Malwarebytes gives you real time protection against intrusions.
      So yes, the paid version does block this particular virus out in real time. But new variants and similar infections that have not been sampled yet can be left undetected. If that’s the case Malwarebytes offers support for such issues and will add the new variant to their next update.

  212. Anonymous says:

    1st I just wanted to say Thanks! I will be bookmarking this site and plan to join too. Like the person before me this is Great Stuff.

  213. Brent Carpenter says:

    Easy, too lazy to do anything, just restored it. thanks for the help with FBI virus man

  214. Aaron says:

    Safe mode, msconfig found the virus. File name was irb700..done..good stuff

  215. Richard Alexander says:

    I hadn’t heard of this virus before today, when my employer sent me to recover a client’s computer. When I left the client, 4 hours later, his computer seemed to be functional, but I had the uncomfortable feeling the virus might just be waiting a while before reappearing. After looking over these instructions, I can see things I needed to have done.

    BitDefender 2010 CD found the Trojan and removed it, but the Trojan came back. I deleted the file that kept getting infected, then deleted the entire folder (“Pepper Flash” for Google Chrome).

    System Restore to a week earlier did not stop the virus. I then set the system back 6 weeks.

    Norton AV was pre-installed on the computer. When I double-clicked on the Norton icon after cleaning the infection, the virus popped up its extortion window. I tried to uninstall Norton, but nothing happened when I gave the system the command to continue removal. So, I manually deleted as much of Norton as I could find, including in the Registry. I could not remove the Norton icon from the Add/Remove Programs list, but I did get it off the toolbar. All that remains are a few references in Registry that I didn’t have time to delete.

    I installed and scanned the system with avast! and SUPERAntiSpyware, removing 300+ cookies. Then, I uninstalled those programs.

    I installed MS Security Essentials.

    In the end, the user was able to back up his files from his computer, and the computer appeared to be functioning normally, though set back 6 weeks and without Google Chrome or Norton working.

  216. oleg says:

    Thank you very much for different solutions since they are all important. I installed AVG and after scanning for 3 hours it found 56 corrupted files. After removing it, the virus didn’t stop. I am not sure why. So I had to get Malwarebytes and after only 5 min of scanning it found 3 files. Removed, and the problem is gone. Thank you for providing this information and thanks to Malwarebytes.

  217. daryl says:

    thank you thank you very much you are a lifesaver i downloaded malwarebytes anti-virus and it works like a charm ty very much

  218. Jay says:

    I was able to get rid of this only after disabling my internet. I could not use Safe Mode (it would bluescreen) and it was too quick to do any of the system restores. Once I disconnected my router, I was able to come up and do a system restore. Thanks for the info. This one scared the hell out of my 18 yo son.

  219. Anonymous says:

    Thanks so much I down loaded the malwarebytes software and it worked like a charm!

  220. Anonymous says:

    Thank you so much – the Safe mode with networking option worked like a charm.

  221. Anonymous says:

    Thanks a lot for an easily followed walkthrough. Safe mode with command prompt worked great!

  222. Anonymous says:

    I did a traceback hack and sent 11,001 links to do root inline script that should keep them entertained lol.
    I also sent script to homeland security ” maybe they will shut down ill got funds end for company funds procured should keep them busy.
    Hack back targeting got to love it. JUST remember Hacker/s there are just as smart and Smarter other/s on this planet -_N-^e_o^

  223. Anonymous says:

    Thank you for such a thorough discussion. Once I disconnected the internet connection, it was easy to kill the virus with AVG.

  224. kadi says:

    thanks a thousand lots am not from the usa am from dubai i dont know how or why i got an FBI stuff but at least i searched for it and ur the only one who helped me

    thank you <3!!!

  225. Anonymous says:

    Omg thank u sooooooo much that scared the crap out of me haha the mal thing work for me so I’m fine now 🙂 this helped a lot thanks!!!!

  226. Anonymous says:

    damn…definitely scared at first when i saw this

    safe mode command prompt instructions worked for me

    tried the safe mode with networking, but as soon as i logged in, the fbi moneypak ransomware tried loading up (a white screen with something to the effect of this page will take 30 seconds to load)

    after doing system restore from safe mode command prompt, my pc is back to normal. thanks.

  227. Mike says:

    Thanks Sean, you rock. I was unable to even access my desktop in safe mode, or safe mode with networking. Your instructions on restoring from the safe mode with command prompt is what worked, and easy to follow!

  228. Mason says:

    The easiest way around the program starting up is to completely remove Internet access to your computer. Tried removing the files manually, but it sucks on Windows 7. Easier to just do a system restore. Your computer manually sets a restore point pretty often (mine was done at noon today and another one was done 4 days ago).

    • Anonymous says:

      If you do a system restore, would you lose anything like progress made on a written document or something, or does it only restore files, and leaves anything manually saved?

  229. Anonymous says:

    Followed the steps for safe mode with command. It worked great. I was able to restore to another date. Thank you

  230. Sandhya says:

    Thank you o so much for your help… Saved me 200 bucks

  231. Anonymous says:

    safe mode w/networking , run new version of Malwarebytes and let remove infected files / reboot and install 2013 AVG , scan , you should be good to go.

  232. Sud says:

    Hi Sean,
    Thanks a lot for the solution. System restore worked for me. But my doubt is, does system restore mean that the malware/Virus is removed from the laptop?
    Currently am scanning with Malwarebytes (After performing system restore). It is showing Objects detected :30 …will update the complete status once it completes the scan. are these 30 objects related to pre existing virus or are they related to FBI mypack? is there any way to know this?

    i tried scanning using mbam2.exe (not sure if this is same as Malwarebytes). although i got a popup saying 12 objects/trojans have been removed, issue still existed for me.
    On doing system restore i was able to restore the system back to old state. what am not sure is if the virus is completely removed or not.

    Please let me know your thoughts.


  233. Sud says:

    Hi Sean,
    Thanks a lot for the solution. System restore worked for me. But my doubt is, does system restore mean that the malware/Virus is removed from the laptop?
    Currently am scanning with Malwarebytes (After performing system restore). It is showing Objects detected :30 …will update the complete status once it completes the scan. are these 30 objects related to pre existing virus or are they related to FBI mypack? is there any way to know this?

  234. Anonymous says:

    I found if you remove the shortcut from the start up folder the computer won’t lock up but I can’t get the Internet to work now. Thanks to this helpful form I now know what it is now and how to kill the scam and everything with it.

  235. Anonymous says:

    Just do a system restore!!!

  236. Dwarkesh says:

    Thanks to this post, it helped me to get rid of this fraud virus FBI scam.

  237. Sylena says:

    Thank you so much!! I use this computer for home and work! SAVED MY BUTT!!!

  238. Neil Sherman says:

    Got two of ’em in the past week and a half. I see the FBI’s finally posted an official denial. What I don’t see is software designers so dedicated to artistically exploiting the schema-themes would deny us the value of a decent screen saver.

  239. Anonymous says:

    I had a feeling that this was complete bullshit. FBI can’t fine you w/o court papers. Thanks for posting on how to kill it.

  240. Anonymous says:

    They make this giant virus, then I come here from first google link and remove it in 2 seconds lol.

  241. 47percenter says:

    Always remember the following. The FBI does not have the authority to fine people. This can only be done in a court of law. So the first thing you have to realize is that even if you were looking at a video of a person having sex with an underage horse or dog or cat is that you are looking at a malware situation. Proceed accordingly most of the time you can save yourself $200 and fix the problem. Don’t forget to keep your AVG or whatever you happen to use up to date and active. Learn how to boot into safe mode. I know it’s all very frustrating but it is part of modern life. What really drives people crazy, myself included is that you really want revenge. You probably will not get it since a lot of this stuff is written in foreign countries. Do you really want to spend a couple of years dragging your ass around some miserable shithole country looking for some programmer who probably would cut your throat if you actually found him/her? Your satisfaction comes from the fact that they didn’t get your $200 and you are smarter and better than they are. Good luck.

  242. Anonymous says:

    i think i got rid of it thanks a lot to this website i really was about to pay the 200 too

  243. Anonymous says:

    I think I got rid of it…!!

  244. gr says:

    Whew! Thanks for the help! Scared me half to death when that screen popped up, haha!

  245. JW says:

    This page popped up on my screen about an hour ago and scared the hell out of me. I don’t even use my computer for anything other than schoolwork and I guess I visited an unsafe link off of some random media site. Needless to say, I was a little skeptical. This article walked me through flawlessly. Thanks a million…or two hundred at least, that’s what I saved thanks to you guys. Very appreciative of all of the guidance as I am not much of a computer wiz.

  246. MK says:

    I’m running Malwarebytes right now, I managed to restore windows to a couple of days ago through safe mode with networking…I nearly soiled my pants when this popped up! Hopefully it’s fully gone, don’t want my spouse to see this…

  247. Anonymous says:

    WOW! HUGE THANKS TO STEP 4!!!! Easy steps to follow, make sure to right click on the “ctfmon” file and click delete. I about shat myself when that fake FBI popped up…swooo

  248. Anonymous says:

    LMAO!!! That person(s) took all the time to write the virus for such an easy fix. Walked my sis thru the fix via cell, and discovered that the same virus was infecting my son’s acct only on a cpu, here with three accts. Gonna fix that one myself. (glad I have my own laptop) Thanks for the info!! Nice and easy!!

  249. CarlosB says:

    This is how I did it and I didn’t have to download anything nor play with Windows settings (I have an XP PC though I think in 7 it will be the same outcome). I just turned off the PC, waited a few seconds, turned on PC and while I saw the PC booting up I kept pressing several times the F8 key. This took me to a screen that presented the different ways I can start Windows. I chose Safe Booting and pressed Enter. Then I just waited for Windows to boot up. The Windows desktop is going to look strange because Safe Boot will install just the basic drivers (and includes the video drivers). Then I went to Restore from All Programs/Accessories/System Tools. I selected a date prior to when I had the MoneyPak virus incident and pressed OK. The Restore command restored it to the way I had my PC on that day and thus, basically, replaced all settings that the virus might have changed or altered.

    Good luck

  250. atomicmonkey says:

    Thanks for the tips. I saved my kid’s bacon last night by downloading the free version of MalwareBytes onto a flash drive on a second (non infected) computer, then turning off my router and installing the anti-malware onto the infected unit. It saw it right away and zapped it. The kid had to do his homework after all. Thanks.

  251. Anonymous says:

    Thank you Sean for this excellent article. Very helpful.

  252. Anonymous says:

    I have another solution that can be added to this list!

    1. turn off your computer
    2. unplug your internet connection
    3. turn the machine back on, the virus can only open if your machine is plugged into the internet!
    4. using a flash drive, get malwarebytes from another computer and load it onto yours
    5. run a full system scan, malwarebytes will find and eradicate every file, there were 10 files altogether!
    6. restart when asked, and boom virus eradicated

  253. Jeff says:

    I WASN’T DOING ANYTHING WRONG! Was just looking at some wiring diagram images on the web for my old mustangs when this “mess” started popping up and then the FBI screen.
    Restoring my computer did the trick for me. Started up in Safe Mode and ran the restore file Rstrui.exe from the Start Menu. Selected an earlier restore point and all is good. Not sure what caused my other problem but the only side effect was that all my data files in the user, my documents folders, were gone. Finally realized that the files were present but they were all “hidden”. Had to go to View in the Folder Option and select the “show hidden files” button. Then was able to see the files and go to file properties and uncheck the attributes “hidden” box.
    THANKS so much for this site. Keep up the good work!

  254. Anonymous says:

    that scared me so bad. Option 4 did the trick. thanks so much!!!

  255. Anonymous says:

    Omg omg omg! I almost had a heart attack. I was like wtf did I do to deserve this. When it popped up and I didn’t know what to do I thought to myself “my dad is going to kill me!” Then I decided to go on my iPod and see what I could do. And man, this site helped me a lot. So I thank you very much!

  256. Anonymous says:

    Question – If I have 2 accounts, one infected and one not, and I run MalwareBytes from the non-infected account, will it kill the virus on the infected one?

  257. Khristina says:

    Thank you so much.
    I managed to do all of this without any trouble!

  258. shaun says:

    Wow, looks like MalwareBytes detected it and removed it. Impressed.

  259. Mike Chiappetta says:

    Bloody FBI virus on a Windows XP laptop. I cannot get into safemode command prompt as it demands the sys admin password and I have not worked at the company where I got computer for 3 years… in standard safemode the virus locks me out… The Task Manager button (@ alt-ctrl-del) is greyed out and does not work to allow me to stop the program. Basically I am completely locked out of my computer and cannot even get to the point where I can follow the directions above. Has anybody hit this wall and come up with a solution?

    I unplugged the ethernet cable and the virus gets hung up with the “this window may take 30 seconds to load…” but it never relinquishes the screen back to me.

    This is not my main system but I do have a number of files I do need to access that have not been backed up.

    The system I am posting from is a workplace mac (virus on personal PC). Is there something I can download to a thumb drive and force the PC to boot from the thumbdrive – allowing me to follow the cleaning instructions

    If anyone has a suggestion please forward… Thanks!

    • cook says:

      I was able to run antiviruses if i left the internet off from the start; every time I activated the wireless, it’d lock me out-so i left it off. Malware-bytes seemed to take care of it for me.

  260. Emily says:

    Thank you

  261. Anonymous says:

    I cleaned this myself. it wasn’t easy. follow the money. who stands to profit? how about all these expensive malware blockers like mcafee & norton who didn’t catch this but they want additional money to clean your pc….

  262. Anonymous says:

    thank you!!!!!

  263. Anonymous says:

    Got what appears to be a new variant – could not locate any of the files or settings in manual remove steps while looking from another account in Vista. It had disabled defender and task manager. Also could not find from safe mode except for a (random).exe that I renamed.
    Ran a system restore from safe mode with command prompt and that appears to have fixed things. Looking deep and hard for any remnants. This is a nasty virus and I would like to learn what its entry point is. Based on logs, it appears to have exploited either flash or the java updater.

    THANK YOU!! for the guidance.

  264. Gary says:

    Saved me a great deal, thank you.

  265. T says:

    This is a good article, it was very helpful when I had to remove it from a family member’s computer. Not sure if the virus has gotten stronger or what, but whenever I booted into safe mode, none of the files for the virus showed up, not even in the registry. Even Malwarebytes didn’t pick up on it. I ended up using No. 5 to get it off. Otherwise I’d have had to go with the system restore option, which would have been a pain to do.

  266. Anonymous says:

    Thank you very much that was easy to remove. It’s rare to find this type of information without feeling like there’s a hidden agenda, so thank you for being one of the good guys.

  267. anno says:

    I have got this…..but I am not able to delete
    C:\Users\Ritesh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ctfmon…when I delete it comes up again……the target process for this is
    %systemroot%\system32\rundll32.exe wgsdgsdgdsgsd.exe,FQ10

    I also checked other files/folders but nothing is there except few reg keys which I deleted.

    I am running MB now…..

  268. Anonymous says:

    I called the money pack people a few minutes after loading the card number into the scam site and was able to get my money refunded. They will send you a check for full amount in 7-10 days. I was able to act before the card was acted upon.

  269. Steven says:

    Thank you thank you thank you..very easy instructions..booted in safemode and downloaded malwarebytes and i think im good to go!! nice to see people go out of their way to help you for free sometimes

    thanks steven

  270. Dave says:

    Oops, meant that it disabled the task manager and MB.

  271. Dave says:

    Caught the virus, it Task Manager, Malwarebytes, etc. Started in Safe Mode and restored to a point 6 days ago. Does performing a system restore get rid of the virus or merely allow me to get running again and it’s still embedded. Running updated MB scan to see if it’s picked up.

    Should I have uninstalled MB and downloaded a fresh version? This thing is getting nasty!

  272. Patrick says:

    Do you have to remove the virus before the 72 hour time limit?

  273. Dr Eric says:

    I have been infected with this a couple of times. The first time was a more rudimentary form, and Task Mgr worked and was able to locate and stop program. But later versions “stronger” and safe-mode followed by “FULL scan” on MB worked. Having alternate user login to work from also helps.

  274. Anonymous says:

    thanks so much!

  275. Josh says:

    So what if I purchased a MoneyPak card and used the number to “unlock” my PC? Is the card still good or did I get scammed and lose $200

  276. Anonymous says:

    so awesome, I love you. I too had Malwarebytes free version already on my comp, followed your safe mode instructions, and BOOOM. Thanks man! Planning on buying AVG or Malwarebytes full version since you recommend it. Would Norton or McAfee be any better?

  277. Diana says:

    thank you very much. I followed the directions to enter in safe mode and ran AVG and it worked. Again thanks.

  278. Anonymous says:

    Thank you very much. I used Malwarebytes to get rid of it, thank goodness it was already installed on my cpu~

  279. Anonymous says:

    Thank you!

  280. Steve says:

    Sean, your suggestions for removing this nasty annoying virus worked for me! You saved me countless hours re-building my PC, thank you so much!!!

  281. Anonymous says:

    Then you must reformat the hdd

  282. Bob says:

    How nice (and rare) is it to do a google search about a computer problem, go to a top recommended site (that’s not trying to bait-and-switch you into buying something) and actually find information that is discernible AND WORKS?!?!? It’s freakin’ SUPER AWESOME is what it is!!! Thank you Sean! You’ve been a big help to a lot of people, including me. Your Karma account is over flowing. Well Done!

  283. callme gunner says:

    Got the Department of Justice version today. Booted in Safemode and put in the start up. rebooted and it fought with the Malware and gave me access to my desktop and Virus Scan software, finally found the .exe in c:\documents and settings\username\local settings\temp , deleted it and ran a find in the registry for that filename and deleted the keys. rescanned w/ malwarebytes, so far so good filename gfhy22.exe

  284. salave says:

    Thank you very much for the information!!!

  285. Anonymous says:

    can Microsoft essentials get rid of this … i have used it in safe mode *without networking* and it seems to have gotten rid of it…

  286. Anonymous says:

    Thanks a lot, i was about to cry when this popped up, but a little research led me to this site and was able to fix the problem. Thanks again 😀

  287. Anonymous says:

    Thank you very much that was easier than i thought

  288. Anonymous says:

    Props! this would have been the hardest to remove yet for me but with this detailed help it was the easiest! thanks a ton

  289. Anonymous says:

    Thanx A Million.!.!.!

  290. Larry Hale says:

    I called the local police and FBI to make sure it was a scam. Then on my own I did exactly as indicated above. Performed a System Restore in safe mode and used Malwarebytes to remove the malware. No problems. I also checked with my bank for my transaction history.

    • Bill says:

      Dude You are the man…. I don’t think I have ever come so close to soiling myself… I’m mr do the right thing…. and though I may bend the rules here and there I try not to break any….. I got the scam and about died… my wife and I are going on vacation in a week…. I did not want to tell her I need to pay 200 dollars or go to jail…. I would have died tonight…. lol thank you thank you thank you…. never been so glad to find out I got scammed…… breathing again…. and in your debt

  291. Anonymous says:

    Thank you Malwarebytes full scan did it for us

  292. Anonymous says:

    Thank you very much

  293. thank you so much when i got this message i was almost ready to cry , being 100% honest i didn’t know what i was going to do and i got this message when i downloaded ilivid and in a way i had committed a crime and i was generally afraid id get in some serious law trouble. this article made my day and made me feel at peace

  294. Anonymous says:

    Does this work with windows vista?

  295. Anonymous says:

    so does it steal your picture by webcam??? (It was a little vague on WEBCAM Control)

  296. Anonymous says:

    can this infect external hard drives? please answer.

    • Anonymous says:

      Any virus or trojan can eventually. There’s no straight answer for that. Unplug your external hard drive if you’re worried.

  297. tom k says:

    had the cyber security virus. i removed the ctfmon link from startup so i could navigate around the computer and then downloaded the malwarebytes program…removed 2 trojans and all seems good now…good luck to anyone else unfortunate enough to experience this

  298. Anonymous says:

    Thank you soo much! I got home and my husband said he had this FBI thing show up I was like we’re not paying $200….Thank you soo much for helping us remove it!!

  299. Shannon Diem says:

    Thank you thank you thank you!!!!!

  300. GWxTreize says:

    I would like to thank this website for giving me the tools I needed to fix this myself. It was all very clear, concise info and saved me a reformat and hours of work as well as a TON of updates! As with the people before me, I’d also like to thank you for not forcing people to buy software to fix this problem, if only there were more white-hats like you out there.

  301. Anonymous says:

    Thank you sooo much!

  302. Sean Doyle says:

    I really can’t answer that for certain out of thin air, sorry. It should be though, yes.

    But… I can never say something is ever completely removed from a system, from erased images to documents, etc.

    A System Restore affects Windows system files, programs, and registry settings. A restore can also make changes to scripts, batch files, and other types of executable files which may have been placed on the system or changed by a third party without user consent.

    I recommend installing the free version of Malwarebytes if you need validation for this particular infection. You can remove Malwarebytes afterwards or continue to use it.

  303. Sean Doyle says:

    Glad to hear and thank you! Restoring your system will not remove document files (just in case others are uncertain), but it’s good to worry about it.

  304. Anonymous says:

    Thank you! I agree with others thanks for not forcing software down our throats like everyone else. Booked this site for future references because of it

  305. Anonymous says:

    thank you so much!!! i was freaking because this is my school PC and i thought all of my work had been lost. thanks for not being a typical company/person looking to make a buck preying on the naivety of people who have never seen something like this before. society as a whole can learn something from you, you restored some of my faith in people. if you’re ever in CO, i’ll buy you a round…

  306. Anonymous says:

    Thank you!!!

  307. Anonymous says:

    Thanks for this guide. I’m glad I’m not alone in having “child porn” on my computer. My heart almost stopped when I first saw this on my laptop. Luckily I figured the System Restore option out on my own. I’m also fastidious in backing up my data.

    I’ve since found a program that images my entire hard drive so now when i have a problem like this blasted malware I have another weapon in my arsenal to fix it.

  308. Sean Doyle says:

    Yes you can use safe mode. Most ransomware infections have essentially the same removal steps.

    Would you mind sending me a screenshot of the infection? And more information please.

  309. Anonymous says:

    The weird thing is that mine did not say FBI mine said united states cyber security and immediately i knew it was a virus because it had the wrong ip address. I did the safe mode restart and knew about it because this has happened before to other computers in our house. Once performed i went back on youtube and continued watching my videos!

  310. Anonymous says:

    Thank you so much! this is the best article to ever happen to me.

  311. Anonymous says:

    Husband got this on his computer this morning … when he finally let me sit in his chair I restarted in safe mode and did a system restore. That allowed me to get back on his login where I have downloaded malwarebytes and am currently scanning with the free version. Thank you all for your comments and help. He is happy again.

  312. Anonymous says:

    Thank you so much!

  313. Chuck says:

    Got the FBI virus just this morning. The virus also disabled my ability to restore my PC to an earlier date. In Safe Mode with Networking, I was able to update my MalwareByte software to the latest version. When running MalwareBytes, you have to run a FULL SCAN. Quick Scan will not find or get rid of the virus.

    So, spend the time to run a full scan, restart, and you should be up and running again.

  314. Anonymous says:

    Worked for me too.. Thanks… I loved not having to download more stuff!

  315. Anonymous says:

    This was a big help. Thank you for the info w/o trying to get me to buy something or download a useless program. That is a definite plus and welcome relief. Thank you again it was a very pleasant experience.

  316. Anonymous says:

    These were amazingly easy instructions! Thank you so much for your help!

  317. Anonymous says:

    thank you so much for the help.:)

  318. Anonymous says:

    Thank you so much, the webcam was on my computer this am and i knew something didn’t make sense, like why couldn’t i have just used my credit card? so luckily i had my son’s laptop and googled this to find out it was a scam. I followed your instructions and my virus is gone. I cannot thank you enough for your help… coming from a person who is computer illiterate. You made it very easy.

  319. Anonymous says:

    Thanks so much, I woke up this morning and my computer webcam was on and I knew something was wrong! I tried to click away from the ransom page and it had me locked out of the rest of the computer. I knew that it was a virus or something but I was running late for work, so it had to wait until I got back. After following the instruction here I was back in business in just a few minutes. Great page and easy to follow instructions.

  320. Anonymous says:

    Thanks for the help!! The directions were simple to follow and I had my computer fixed in no time 🙂

  321. Anonymous says:

    Thank you for posting this info. What goes around comes around and you have some very good things coming your way. Thanks again.

  322. A. Quatroni says:

    Why isn’t the REAL FBI doing anything about this? I see it on my customer’s computers weekly. Oh, they’re too busy going after 12-year-olds downloading bootleg copies of Ironman because of pressure from the media companies. Darn. Good ole’ America. Follow the money!

  323. CLL says:

    If McAfee can’t prevent this, then what good is it?

  324. cros99 says:

    I caught the Virus and was amazed at how authentic it looked. By the way…if you are foolish enough to send money to the “fake FBI”, don’t count on them removing the virus for you.
    BUT…I removed it quite easily by using the FREE version of Malwarebytes Anti Malware. One quick swipe and bye bye Virus. I’m sad to say that Microsoft Security Essentials (which I like) failed me this time.

  325. Anonymous says:

    First off thanks a bunch I was gonna pay 200$ and just make it worse. When I saw this I wanted to jump off a high cliff. Now, What if when you do the manual removal and try to find the ctfmon file it’s in;C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, but there isn’t an .lnk at the end of ctfmon and when I tried to delete it it just popped up again. I went through The rest of step 2. and for now the virus seems to have gone away. But the ctfmon worries me. Does it mean that the virus is laying dormant until it has a chance to pop up again?

  326. mike says:

    if this is in your hard drive will it also delete or will you lose all your pictures and software that was saved in your computer

  327. Corbin says:

    My cousin got this from an email. He was stupid enough to click on a link, nothing else on it. Heheh, so later this window popped up. We were both like “Wtf?” then we read it and we were freaking out. We were on my dad’s computer and he wasn’t home. We were FREAKIN OUT!!!! I decided to do some research. I felt like an elephant got off my shoulders after I learned it was just a virus. But then the feeling came back when I saw what it could do. I was like, “We have to get rid of this. Now!” I kept researching in safe mode. I came to this page and saw that facebook post where the person used system restore. I was telling myself I was so stupid… Hahaha, after trying to delete all those system files I forgot about system restore! Well I ran system restore. That day was not my lucky day… There was 1 restore point. And guess what… IT WAS EARLIER THAT DAY!!!!! And It was a windows update finished after rebooting. The reboot is because my cousin tried to get me off by shutting the computer down. Oh my god, it was just at the right time, too. It was about an hour before he read the email. For once, him trying to prove me wrong saved our lives as we know them. NO HAXORS 4 US!!!! YESHHHHHHH!!!!!

  328. Anonymous says:

    Thank you so much for your help man, this virus had got me nervous thinkin i was having to pay 200$. I would have never known about malwarebytes but thanks to you my computer is safe!

  329. Anonymous says:

    Incredible! I love you thank you!

  330. Anonymous says:

    Thanks for your help. I did a system restore and it looks like I’m in good shape. Also ran malware bytes.

  331. Thank you, this virus was nasty but easy to remove with your help.

  332. Anonymous says:

    I don’t know anything about computers and I fixed it in 3 seconds thanks to this website. Thanks a lot!

  333. Anonymous says:

    Going into safe mode and removing ctfmon did the trick. Thanks to everyone for all the comments and info.

  334. Randy says:

    Thanks Sean Doyle, you’re the man! I ended up using the safe mode system restore and it took me back quickly to better times. Followed up with your suggested Malwarebytes and the scan indicated ‘0’ files, so if you can restore without losing too much previous downloaded info, I recommend.

  335. Kevin says:

    this website literally saved my @ss. thank you so much! i got this on my laptop, thought it was a fake popup then realized i couldnt “x” out of it. i got worried then shut down my computer and it was still there. i played around with safe mode for a while then found this website on a different computer. within 10 minutes i had restored my laptop and it runs fine now. cant thank u enough

  336. Anonymous says:

    Ended up having to restore the system… but doing a malwarebytes scan just to be safe. Thanks for the help…

  337. Bruce Nelkin LMT says:

    I got this nasty virus yesterday at 12:35pm. took me till now, 2:04am Early Saturday morning 14 hours later to finally have my machine back up and running. Thanks for all the great info and encouragement. I wish I could return the favor so all I can do is spread your link around to other people in need. Thanks for saving my butt!

  338. krys says:

    Thanks the Mister got it, he was gonna pay til he ask me……….. FYI>>>>>>>>>>>>> The FBI will not nor has ever ask you to pay money for fines that you have been on an illegal website . Anyone who thinks this is crazy, these folks will knock your door down before telling you something like that, if its illegal you will know when the FBI is involved. We done the restore thanks, and once again the woman has solved the problem at my house lol

  339. Alan says:

    Got it this morning at home, many thanks for the analysis and removal instructions and all the commenters’ inputs – lots of good suggestions. Question: has anyone checked to see if the (real) FBI cares about their name being used this way? I suppose the charge would be something like “fraud committed under color of law”? …they do have resources, probably good enough, if they were to choose to get serious about going after this.

  340. Robert says:

    This very helpful site and info saved my netbook from being tossed from a thirty-story window! Thank you so much! I used the “Safe Mode” start option and deleted the pirate from the Start Menu in All Programs. I had to start using my usual username, whereas the first attempt I made was with the Admin account. Thanks again!

  341. Lauren says:

    System restore to a previous date was the easiest for sure! Thanks for all the great options!!

  342. Earl says:

    Well it happened to me, Got scared and sent a money pak for $200.00.
    Had a good friend that solved the situation but still lost the dough.
    Good lesson

  343. Jose says:

    Thanks to this good man who wrote all this information about these bad guys, who are extorting the people, those of us who use the computer just for good things, not for dirty activities like them. These stupid people made me have a hard time; they blocked my laptop and now I don’t know if it will work again like before. I am following the instructions that this friend is giving to remove this dirty virus. I hope that maybe I get it.
    I want to tell you again, my friend, thanks for making me feel free of preoccupation. Please leave this information accessible for more people like me who need orientation about these donkey guys!! God Bless you!!

  344. Mary says:

    Brilliant thank you, I did safe mode and installed free avg and did a scan which removed some stuff and then downloaded free malwarebytes which removed other stuff but i didnt pay attention to any names it removed. Anyway it seemed to work so thanks a lot!

  345. Anonymous says:

    Thank God for these directions. What Sam’s comment says does work. It’s in the removal directions in this article so you don’t have to read the comment below though.

  346. Pete says:

    Do what Sam says it works

  347. Anonymous says:

    This morning i experienced the same ransomware from the metropolitan police e-crime unit. After following the above suggestion it worked. So pleased that there’s a fix to this. Thank you

  348. Anonymous says:

    Ah thank you! that was easy

  349. Carie says:

    I knew it was a virus. It was weird I was able to use the internet for like a few minutes each time I unplugged it. So I bought Malware Bytes instead of using the free one just so I could contact their support if that’s how it went but it found the fbi virus right away. I didn’t even press scan.
    Thank you! 🙂

  350. Ahlita says:

    I was literally about to drown myself in my own tears!
    As you can tell I have been a victim of this awful scam and I want to thank you so much for being incredibly helpful with your multiple step-by-step instructions! It definitely took me many attempts to successfully remove the scam but nevertheless, I did it, all thanks to you! Thank you!!!

  351. Sam says:

    Remember, you can sue FBI if they did web-policing to violate your privacy.
    My simple way to fix it:
    enter safe-mode with networking.
    Pull-up “Start” menu and “All Programs” “StartUp” folder.
    Remove “ctfmon” link (or similar).
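
The Startup-folder entry that comments 267, 325 and 351 describe can be inspected before anything is deleted. The PowerShell below is an added example, not part of the original article or of any commenter's post: it lists every file in the per-user and all-users Startup folders, resolves each shortcut to its real target and arguments, and flags the pattern reported in comment 267 (a shortcut named ctfmon that runs rundll32.exe against a file that is not a .dll). The function name and the flag wording are assumptions made for this example; it only reads and reports.

```powershell
# Added example: read-only audit of the Startup folders. Nothing is deleted or changed.
# Get-StartupShortcutAudit and the flag texts are hypothetical names chosen for this example.
function Get-StartupShortcutAudit {
    param(
        # Per-user and all-users Startup folders (Windows Vista and later layout).
        [string[]]$Path = @(
            "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
            "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
        )
    )

    $shell = New-Object -ComObject WScript.Shell
    $runnable = '.exe', '.scr', '.bat', '.cmd', '.vbs', '.js', '.dll'

    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        # -Force lists hidden files too. Explorer never displays the .lnk extension,
        # so a shortcut file ctfmon.lnk is shown there as plain "ctfmon".
        $files = Get-ChildItem -LiteralPath $dir -Force |
            Where-Object { -not $_.PSIsContainer }

        foreach ($file in $files) {
            $flags = @()
            $target = ''
            $arguments = ''

            if ($file.Extension -ieq '.lnk') {
                # Resolve the shortcut instead of trusting its display name.
                $lnk = $shell.CreateShortcut($file.FullName)
                $target = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
                $arguments = [string]$lnk.Arguments
            }
            elseif ($runnable -contains $file.Extension.ToLower()) {
                $target = $file.FullName
                $flags += 'executable or script placed directly in Startup'
            }
            else {
                continue   # desktop.ini and other non-executable files
            }

            $exe = [IO.Path]::GetFileName($target)

            # rundll32 is normally called as "<module>.dll,<export>". A module with
            # another extension (comment 267 shows an .exe) deserves a closer look.
            if ($exe -ieq 'rundll32.exe') {
                $module = ($arguments -split ',')[0].Trim(' "')
                if ($module -and [IO.Path]::GetExtension($module) -ine '.dll') {
                    $flags += "rundll32 is asked to load '$module', which is not a .dll"
                }
            }

            # Shortcuts that launch something from a user-writable location.
            if ($file.Extension -ieq '.lnk' -and
                "$target $arguments" -match '\\(Temp|AppData|Local Settings)\\') {
                $flags += 'shortcut points into Temp or AppData'
            }

            # ctfmon.exe is a genuine Windows binary; a Startup item borrowing the
            # name while launching something else is what the commenters report.
            if ($file.BaseName -ieq 'ctfmon' -and $exe -ine 'ctfmon.exe') {
                $flags += 'named ctfmon but does not launch ctfmon.exe'
            }

            New-Object PSObject -Property @{
                File      = $file.FullName
                Target    = $target
                Arguments = $arguments
                Flags     = ($flags -join '; ')
            } | Select-Object File, Target, Arguments, Flags
        }
    }
}

Get-StartupShortcutAudit | Format-List
```

An entry with an empty Flags field is not proof of a clean system; the output is a starting point for the full scan the article recommends.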

  352. Shaddic says:

    Thank you, thank you, thank you! I turned on my computer this morning and my computer was blocked, and I was freaking out that I was going to have to pay $200. Thanks for the help.

  353. omg says:

    In my case it didn’t let me enter safe mode, it just froze when all the list of drivers appear loading. But I found that if I opened a program like Advanced System Care or CCleaner (that asks you if you let them make changes in the computer) fast enough the blocking page didn’t appear. So I opened them and avast at the same time and programmed a virus scan when rebooting. The first time after the scan the blocking page showed again, but after a second reboot it said deo0_sar.exe couldn’t start because it was a virus. I think it’s over now.

  354. Anonymous says:

    Malwarebytes worked like a champ!

  355. mike says:

    how far back should i restore my pc …i did it for yesterday…is that good enough

  356. Meg says:

    First of all, thanks for caring so much! I can’t believe you take the time to respond to individual troubles. Humanity exists! Haha. That being said, can you explain the registry editor process? I’m trying to enter the data in safe prompt mode, but not sure how to go about it. Do I create new values (string, binary, etc?) This is all Mandarin to me. I’m just proud I made it this far!

  357. Shetech says:

    my sister has this virus and she rebooted her computer before she called me. Her keyboard is not being recognized now. Any ideas on this?

    • Anonymous says:

      She should still be able to enter safe mode by tapping F8 during boot up.

    • Sean Doyle says:

      Well that can be a few things, but should be easily or even randomly fixed (or configured). If she is using a wireless keyboard the FBI Moneypak virus is known to interrupt recognition. If this is the case plug in a USB keyboard and check your “devices” for configuration settings.
      Sometimes, if you restart your computer but do have your keyboard plugged in it may cause your keyboard to malfunction as well.

      Hope this helps. If not and you seek more assistance please send me an email with more information and I’ll provide you with proper details.

  358. Anonymous says:

    Seems to have worked… thanks… awesome info

  359. Anonymous says:

    Thank you for this useful information. Manual worked fine. Great to see someone combating these pirates. Please keep up the good work and know it is appreciated.

  360. Anonymous says:

    Was running scared for a minute there….digital hug man.

  361. Anonymous says:

    Freakin awesome !!!!!

  362. Holly says:

    This is the best, thank you. Google needs to make this the top result not second because other articles were just terrible.

  363. Anonymous says:

    Omg…I am so glad I found this page. Stupid virus wouldn’t let me do anything. I unplugged my Internet and went into safe mode. Restored my comp to an earlier date. It seems to have worked. Hopefully it’ll stay that way. Thanks for the info 🙂

  364. Elise says:

    Wow that was easy Thank youu!

  365. mp says:

    Had the same virus mine was real tough to get rid of. Glad I found the information here. Mine would not let me open anything in safe mode. I had to keep hitting F8 and click on top and lower safe mode corners to get explorer up. Then when the explorer box came up you have only a few seconds to type explorer in the box. Remember even in safe mode you don’t have a lot of time because the virus starts back up and safe mode shuts down and goes to the virus screen. Malware did not get rid of it because after the scan I started my computer up and the virus was back. I had to start all over trying to explorer back up it took some time again so you have to have some patience not like me. I had to walk away and I got my wife to try and guess what she got to the explore screen with the restore system up. I don’t know if this is a new and harder version to get rid of. So I had to restore first then ran malware 2nd and last I ran my avira anti virus scan. So far the computer seems ok. The information on this site was great lucky I had a lap top so I could access the info. Thanks Again

  366. Anonymous says:

    This info was great, i can’t believe it was so easy to remove. Could someone tell me when and where this virus originated, i read something about europe but this scam is just beyond anything i have ever seen…

    Also can they actually see you? I did not notice the camera at the beginning… Or is simply your own stream?

    Also unplugging your internet completely stops the virus from working.

  367. Anonymous says:

    Thanks for the help

  368. Wintel says:

    I got rid of the virus using AVG 2012 Anti-Virus software, and by doing a system restore afterwards. I highly recommend AVG because it is very thorough when scanning and it is so easy to configure and use.

  369. char says:

    Thank you so much for this information it worked first try! I have been at it all day with no luck found this site and your answer tried it and it’s gone thank you again!

  370. Anonymous says:

    Malwarebytes took care of this problem..

  371. Anonymous says:

    Malwarebytes actually got it for me

  372. Anonymous says:

    Thank you SO much for posting this, it was a great help in manually removing this POS

  373. Lana says:

    Thank you soooo much for these instructions, I removed it in Safe Mode. It was easy to follow all the steps and I removed everything that has virus installation date and time in temp files. It installed on my work computer and I was freaking out … You saved my day!!!

  374. A Grateful Soul says:

    Many many many many thanks to you! This was the freakiest virus ever, with the webcam and all! Too obvious for any individual with a brain to fall for but a pain in the neck to get rid of. We are so grateful for the instructions, could have not gotten to a point to navigate to system restore without, you have saved the day!!!

  375. Rahul says:

    Thank you so much you saved me money wish I could donate or somethin.

  376. Greg says:

    Whenever I go to delete/open the temp folder it says I cannot do so because it is open in another program 🙁

  377. Anonymous says:

    The manual removal in safe mode with networking is what worked for me. The removal of the second part was named differently, so I simply deleted everything from that day/time. Thanks a lot for this!

  378. Anonymous says:

    This was a great help. So far so good, seems to have gotten rid of it.

  379. Dale says:

    just had to deal with this stupid virus made IE crash (thank you microsoft for easy IE crashing) to get out of that window, (i pressed control alt tab when ie crashed,) i started to restart so i could enter safe mode, had the popup of are you sure you want to lose the work on these programs with the options restart anyway or cancel, realized my webcam had turned off and hunted down and destroyed the files with a prejudice…….

  380. Dave Tuggle says:

    Booting into Safe Mode (Continually tap the F8 on boot up) will give you the option to “Restore your computer to an earlier time” as soon as Windows loads. I just did this and selected a date prior to the infection and the machine booted up after the restore without issue. Then, scanned with MalwareBytes and found nothing. Infection gone. I’m either upgrading MalwareBytes to the pay version or installing Microsoft Security Essentials.

  381. Anonymous says:

    Sorry i meant in all four corners.

  382. William says:

    Another way to remove the FBI MoneyPak virus is to use Malwarebytes Anti-Malware software. You can find it here. Just make sure you do a “Full” system scan. It will take longer than a quick scan, but it will detect, and allow you to remove the trojan.ransom virus (FBI MoneyPak) virus.

  383. Randy says:

    ive got the virus now, and for me if i disable or disconnect the internet the virus doesnt run. This may help others who are having issues with the virus to at least let you get access to your computers settings. so far i have tried multiple virus scanners and malware scanners all have said they have deleted it, but as soon as i reboot and reconnect the internet the screen locks again. Good luck everyone, this one is mean. i hope this little bit of info help you to at least access your system to try and get rid of it. so again DISABLE YOUR INTERNET and you should(as i did) gain access to your systems the virus seems to require an active connection to lock you out.

  384. Anonymous says:

    System restore in safe mode did the trick, thanks lots.

  385. Anonymous says:

    Guys, I was freaking out… almost paid, but I calmed down and looked it up luckily, haha. This worked for me. The system restore, I mean.

  386. Beef says:

    Thanks so much. I’ve been through 4 days of hell trying to get rid of this thing.

  387. Anonymous says:

    I was able to just simply restore my computer to a time earlier in the same day that I got this ransomware. Thanks. I was glad that I didn’t need to follow the instructions above, as I am not the most computer savvy, though it doesn’t seem too painful. Thanks again.

  388. gsal99 says:

    Free version of Malwarebytes worked for me.

  389. Anonymous says:

    You are a life saver. Thank you so much for this write up!!!!!!

