Home » Blog » Cybersecurity » How to remove FBI virus (Ransomware Removal Guide)
FBI Virus

How to remove FBI virus (Ransomware Removal Guide)

In 2012 we discovered ransomware that was imitating the FBI in hopes to extort currency from unsuspecting victims. We coined the term FBI due to our findings and were the first and only website to publish information about this computer virus. Now a days, a lot has evolved with ransomware in the United States. Some ransomware will still pretend to be the FBI but the that threat of the FBI is becoming more obsolete as people are no longer tricked into believing it.

FBI Virus

The FBI virus is still around but a lot has changed. Ransomware has moved away from only restricting access to a victim’s computer to encrypting, deleting, or storing files in a password locked archive. This allows the malware authors to hold files on the computer for ransom instead of the entire machine by promising victims a way to decrypt, decode, or recover encrypted, password-locked, or deleted files.

The term FBI virus can be used to describe many variants of ransomware that uses a FBI logo or claims to be the FBI. The FBI virus is essentially a computer virus (ransomware) that locks access to a computer system, displays a message that claims to be from the FBI stating that the computer was involved in prohibited activities, and demands a payment in order to unlock the computer and avoid penalties or jail-time from the FBI. The FBI virus can also refer to ransomware that encrypts files on a computer, changes the filenames, adds a new file extension, and ultimately holds the files ransom for a hefty fee.

If your computer has been locked or encrypted by an a source that claims to be the FBI then you are infected with the FBI virus. However, do not be alarmed because the FBI did not actually lock your computer or corrupt the files on your computer. You are not in trouble with the FBI if this happens to you. This is a computer virus that is in no way, shape, or form associated with the FBI or any legitimate government agency.

If your computer is infected with the FBI virus it may become locked and a full-screen window may appear that claims to contain a message from the FBI. The fake FBI message usually claims that the computer was used illegally and in order to avoid jail-time or other consequences the computer owner must pay a fine via Greendot MoneyPak cards, UKash Vouchers, REloadit, Ultimate Gaming Cards, Bitcoins, PayPal, or other online payment or credit sources.

It is not recommended to pay ransomware authors to decrypt your files. This will only support their activities. Instead you can use programs like Shadow Explorer or Recuva to try and restore corrupted files if you were not able to decrypt your files for free.

Aliases: FBI virus, FBI ransomware, FBI MoneyPak virus

botcrawl icon FBI Virus Removal Guide

1. Download and Install Malwarebytes Anti-Malware software to detect and remove malicious files from your computer.

download malwarebytes

buy now button

2. Open Malwarebytes and click the Scan Now button – or go to the Scan tab and click the Start Scan button.

3. Once the Malwarebytes scan is complete click the Remove Selected button.

4. To finish the Malwarebytes scan and remove detected threats click the Finish button and restart your computer if promoted to do so.

5. Download and Install HitmanPro by Surfright to perform a second-opinion scan.

download hitmanpro

6. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may chose to create a copy or perform a one-time scan.

7. Once the HitmanPro scan is complete click the Next button.

8. To activate the free version of HitmanPro: enter your email address twice and click the Activate button.

9. Click the Reboot button.

10. Download and Install CCleaner by Piriform to cleanup junk files, repair your registry, and manage settings that may have been changed.

download ccleaner

buy now button

11. Open CCleaner and go to the main Cleaner screen. Click the Analyze button. When the process is complete, click the Run Cleaner button on the bottom right of the program interface.

12. Go to Tools > Startup and search for suspicious entries in each tab starting from Windows all the way to Content Menu. If you find anything suspicious click it and click the Delete button to remove it.

13. Go to the Registry window and click the Scan for Issues button. When the scan is complete click the Fix selected issues… button and click Fix All Selected Issues.


This troubleshooting guide to remove FBI ransomware contains different options to remove this infection.

Manual FBI virus removal

1. Open Windows Start Menu, type %appdata% into the search field, and press Enter.
2. Go to: Microsoft\Windows\Start Menu\Programs\Startup
App Data Start Menu
3. Remove ctfmon (ctfmon.lnk if in dos). This is what’s calling the virus on start up. This is not ctfmon.exe.

4. Open Windows Start Menu, type %userprofile% into the search field, and press enter.
5. Go to: Appdata\Local\Temp

6. Remove rool0_pk.exe,[random].mof , and V.class


The virus files may have names other than “rool0_pk.exe” but file names should appear similar with the same style of markup. There may also be 2 files, 1 being a .mof file. Removing the .exe file will fix FBI Moneypak. The class file uses a java vulnerability to install the virus and removal of V.class is done for safe measure.

FBI Moneypak Files:

The files listed below are a collection of what causes FBI Moneypak to function. To ensure FBI Moneypak is completely removed via manually, delete all given files if located. Keep in mind, [random] can be any sequence of numbers or letters and some files may not be found in your infection.

%Program Files%\FBI Moneypak Virus
%Documents and Settings%\[UserName]\Application Data\[random].exe
%Documents and Settings%\[UserName]\Desktop\[random].lnk
%Documents and Settings%\All Users\Application Data\FBI Moneypak Virus
%CommonStartMenu%\Programs\FBI Moneypak Virus.lnk
%UserProfile%\Desktop\FBI Moneypak Virus.lnk

End ROGUE_NAME Processes:

Access Windows Task Manager (Ctrl+Alt+Delete) and kill the rogue FBI Moneypak process. Please note the infection will have a random name for the process [random] which may contain a sequence of numbers and letters (ie: USYHEY347H372.exe).


Remove Registry Values:

To access Window’s Registry Editor type regedit into the Windows Start Menu text field and press Enter.

HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegistryTools’ = 0
HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system ‘EnableLUA’ = 0
HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Internet Settings ‘WarnOnHTTPSToHTTPRedirect’ = 0
HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegedit’= 0
HKEY_CURRENT_USER\Software\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ‘Inspector’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak Virus
HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableTaskMgr’ = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0

System Restore – Recovery

Below we detail 3 different instructions to restore or recover a common Window’s computer.

Windows Start Menu Rstrui.exe Restore

  1. Access Windows Start menu
  2. Type rstrui.exe into the search field and press Enter
  3. Follow instructions in Window’s Restore Wizard

Start Menu Restore

Start Menu System Restore

  1. Access Windows Start menu and click All Programs.
  2. Click and open Accessories, click System Tools, and then click System Restore.‌ If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  3. Follow the simple instructions to Restore your computer to a date and time before infection.

Safe Mode With Command Prompt Restore

If you can not access Window’s desktop, this is the suggested step. If it is difficult to start windows in safe mode; if Windows’s brings up a black screen, with “safe mode” in the four corners – Move your cursor to the lower left corner, where the Search box is usually visible in Windows Start Menu and it will come up, including the “Run” box.

1. Restart/reboot your computer system. Unplug if necessary.

2. Enter your computer in “safe mode with command prompt”. To properly enter safe mode, repeatedly press F8 upon the opening of the boot menu.

Safe mode with command prompt

3. Once the Command Prompt appears you only have few seconds to type “explorer” and hit Enter. If you fail to do so within 2-3 seconds, the FBI MoneyPak ransomware virus will not allow you to type anymore.

Comand Prompt Type Explorer

4. Once Windows Explorer shows up browse to:

  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter

System32 rstrui
5. Follow all steps to restore or recover your computer system to an earlier time and date (restore point), before infection.
Restore system files and settings

Safe Mode with Networking

For users needing access to the Internet or the network they’re connected to. This mode is helpful for when you need to be in Safe Mode to troubleshoot but also need access to the Internet for updates, drivers, removal software, or other files to help troubleshoot your issue.

  • This mode will also bypass any issues where Antivirus or Anti Malare applications have been affected/malfunctioning because of the FBI Moneypak infection’s progression.

The plan with this option is to enter your computer in “safe mode with network” and install anti-malware software. Proceed to scan, and remove  malicious files.

1. Reboot your computer in “Safe Mode with Networking”. As the computer is booting (when it reaches the manufacture’s logo) tap and hold the “F8 key” continuously to reach the correct menu. On the Advanced Boot Options screen, use your keyboard to navigate to “Safe Mode with Networking” and press Enter. Shown below.

Safe mode with networking

  • Make sure to log into an account with administrator rights.

The screen may appear black with the words “safe mode” in all four corners. Click your mouse where windows start menu is to bring up necessary browsing.
safe mode 4 corners

2. There are a few different things you can do…

  • Pull-up the Start menu, enter All Programs and access the StartUp folder.
  • Remove “ctfmon” link (or similar).

This seems to be an easy step in removing the FBI virus for many users. If you are interested in learning about ctfmon.exe please click here.

Now, move on to the next steps (which is not a necessity if you removed the file above but provides separate options for troubleshooting).

3. If you still can’t access the Internet after restarting in safe mode, try resetting your Internet Explorer proxy settings. These 2 separate options and following steps will reset the proxy settings in the Windows‌ registry so that you can access the Internet again.
How To Reset Internet Explorer Proxy Settings

  • Option 1

In Windows 7 click the Start button. In the search box type run and in the list of results click Run.

In Windows Vista click the Start button and then click Run.

In Windows XP click Start and then click Run.

Copy and paste or type the following text in the Open box in the Run dialog box and click OK:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

In Windows 7 click the Start button. In the search box type run and in the list of results click Run.

In Windows Vista click the Start button and then click Run.

In Windows XP click Start and then click Run.

Copy and paste or type the following text in the Open box in the Run dialog box and click OK:

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f

Restart Internet Explorer and then follow the steps listed previously to run the scanner

  • Option 2

Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click Lan Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.


4. It is now recommended to download Malwarebytes (free or paid version) and run a full system scan to remove FBI Moneypak malware from your computer if you do not have this application on your system.

Flash Drive

  1. Turn off your computer system and Unplug your internet connection
  2. Turn the machine back on (In some cases the virus can only open if your machine is plugged into the internet)
  3. On another (clean) computer, download Malwarebytes or your preferred removal program and load the Mbam-Setup.exe (or similar) file onto the flash drive
  4. Remove the flash drive from the clean computer and insert it into the affected machine, proceed to install Malwarebytes (etc) using the setup file located on the flash drive.
  5. Run a full system scan, Malwarebytes will find and eradicate malicious files
  6. Restart your machine

Optical CD-R

  1. Place a blank CD-R into your CDROM drive
  2. Download and place Microsoft Defender or your prefered removal program onto the blank CD-R
  3. Restart your computer and boot from CD

“You may need an old school keyboard (not the USB, but the PC connector type) since the virus delays the USB startup. The Defender will clean your PC in totality. This virus is somehow complex, but is no match for Windows Defender. After the scan is complete, run again a full scan without a restart.”

Slave Hard Disk Drive

If you are having complications with Anti-Malware software a suggestion would be to slave your HDD, then proceed to scan. You will need a second operating computer and tools to remove your hard drive. *Please note this may be difficult for some users and there are other options to scan your hard drive during complications. This is a common practice for local computer technicians.

  1. Remove the Hard Disk Drive from your computer.
  2. On the circuit board side of your HDD set the drive to “slave”.
  3. Connect the slave drive to an unaffected computer.
  4. Scan the slave drive, and proceed to remove any malware on the drive. Make sure to scan each user account.
  5. Reconnect the HDD to your original computer.
How to stay protected against future infections

The key to staying protected against future infections is to follow common online guidelines and take advantage of reputable Antivirus and Anti-Malware security software with real-time protection.

Real-time security software

Security software like Malwarebytes and Norton Security have real-time features that can block malicious files before they spread across your computer. These programs bundled together can establish a wall between your computer and cyber criminals.

download norton security
Common Online Guidelines

  • Backup your computer and personal files to an external drive or online backup service
  • Create a restore point on your computer in case you need to restore your computer to a date before infection
  • Avoid downloading and installing apps, browser extensions, and programs you are not familiar with
  • Avoid downloading and installing apps, browser extensions, and programs from websites you are not familiar with – some websites use their own download manager to bundle additional programs with the initial download
  • If you plan to download and install freeware, open source software, or shareware make sure to be alert when you install the object and read all the instructions presented by the download manager
  • Avoid torrents and P2P clients
  • Do not open email messages from senders you do not know

Lead Editor

Jared Harrison is an accomplished tech author and entrepreneur, bringing forth over 20 years of extensive expertise in cybersecurity, privacy, malware, Google Analytics, online marketing, and various other tech domains. He has made significant contributions to the industry and has been featured in multiple esteemed publications. Jared is widely recognized for his keen intellect and innovative insights, earning him a reputation as a respected figure in the tech community.

More Reading

Post navigation


  • I just go to the “task manager” and in “applications” find the the one that indicates the virus and right click it and “end”. It will close your browser. If you reopen your browser you may have the option to “restore” web pages, don’t do it. Better to reboot at this time.
    To start “task manager” press keys Ctrl, Shift and Esc. Go from there. I also use CCleaner if I don’t reboot.
    I have run Malwarebytes and other scanners after all this and I never find anything related to the ransom virus.

  • All u have to do is type in all the credit card information useing all fake numbers push send and ur device will immediately unlock!

  • Pingback: Free Malware Removal Fbi Virus | Klaxo Anti Virus
  • Pingback: How To Remove Fbi Moneypak Virus Windows Xp Manually | Klaxo Anti Virus
  • Pingback: Fbi Virus Removal Microsoft | Klaxo Anti Virus
  • Pingback: Infocaos | Ransomware: How To Identify The Threat & Protect Yourself Against It
  • This info saved my life butall I had to do was factory reset my phone that was my only option at that point I despize people who make dumb viruses and reak havoc on in knowing people

  • the moneypak virus goes full screen on my compu and won’t let me do anything at all. how did you guys get this antivirus program to load and work????

  • phew!!! The first time I saw this I tried forever to download malaware bytes but some reason my laptop wouldn’t except it. so I shut down the machine and looked at my options. I was thinking about haveing somebody just fix it for me but today the malaware bytes worked!! goodbye fbi virus…..have fun in new mexico~XD

  • What if i don’t pay it would it stay there? ….what would happen i have a tablet so it blocks everything and i cant get into anything ….can so one please help…

  • removal: in chrome/fe goto tools –> developer tools –> elements. u will see html inside head tag , right click on the script tag and delete all of them and then close the browser. Also u can try putting in any 14 digit number and click the submit button it will always work

  • Kudos to whoever wrote this. It was a pain, even for a seasoned vet.

    On an older slower machine, you have roughly 3 seconds after explorer.exe loads before the virus takes control. If your fast, you can ctrl-alt-delete and get to task manager in time to force quit explorer.exe. Closed a couple of the non critical processes, and new process explorer.exe.

    Luckily I was able to get into windows, and run malware bytes.

    7 of the malicious files were hiding out in the \windows\temp\(8 random chars).exe
    and a final in \documents and settings\(username)\local settings\temp\(18 random chars).exe

  • Thank you, it fixed my issue. Altough the method that ONLY worked for me was the command line. Easy just install malwarbyte on the flash, type explorer and you are good to go.

    Thanks again for resource.

  • Thank you so much! I used the safe mode with networking and ran the malwarebytes scan and it locate two bot files and I removed them, restarted and whalahhhh! It worked! You are awesome. Thanks for putting this information out there for us!

  • This afternoon7,June I got the FBI Trojan. I managed to remove it using the SAFE MODE RESTORE instructions you provided. Thanks for your Help. I noticed a restore point got established about the time I got the trojan. When I clicked SHOW WHAT IS REMOVED AND ADDED ther were no files in either action. It did say it was a windows update butI wonder if this was the path on how the trojan got access to my computer

  • I have been hit twice now with FBI virus and am using malwarebytes this time . I used an old Kaspersky disk first time to remove the virus, but got it again after the 30 day trial.The only way I could get the computer to clear the white screen was to tap the power button quickly then x out the close program prompt. This doesn’t remove the virus but frees up the computer till you restart or it pops up again after leaving on. System restore did not work on this version either time. I am confident this software will work but don’t want to wait at the computer for full scan to finish. I hope the”Button Tap” will help someone else. I stumbled onto the idea out of sheer frustration.

  • Just had this FBI Moneypak Virus pop up on me tonight… Logged on to my computer, and then all of a sudden I was smacked with an incredibly startling notice. I was trying to figure out what I had done wrong haha. After finding this post, I was able to start safe mode and download the Malwarebytes Anti-Malware software. It’s scanning now, and has already found 32 infected objects! I have a Lenovo Thinkpad (Windows 7), and I want to make sure this dilemma gets resolved. Is there anything else I may need to do to clear this up?

    Thanks for the assistance!

    • Just finished the Malwarebytes scan and deleted all the infected files… Thanks for your help and assistance botcrawl.com!! You guys are awesome!!!

    • I have Windows vista and did rebooted in safe mode with networking. Then did a system restore. Worked liked a charm! Thank botcrawl!

  • I had to hook my hdd up to my dad’s computer and had it scanned with MalewareBytes. My computer worked normally after that, but I did a second scan with AVG just to be sure and it caught a few more trojans. One file was named wij1b.bat and now on startup I get a RUNDLL error saying that wij1b.bat could not be found. I found a file in my documents and settings\all users\application data folder (where it said the .bat file should be) and found another file called b1jiw.pad. Are these part of the virus and how would I make RUNDLL stop trying to load it?

  • Finally got rid of this thing tonight. The newest version of this was tough. Been working on removing it for 4 days. Finally the latest update of HitManPro did the trick. I think had to fix some file extension settings after the virus was gone. I couldn’t open ANY .exe file. That was the easiest part thanks to Microsofts FIX-IT. I’ll be more careful next time. Learned a good lesson.

  • I almost fell for this!…I thought I had unknowingly stumbled on an illegal site….I about cried thinking I had to come up with 300 dollar in three days!…..

  • Amazing!!!! So glad I didn’t have to punish my brother in law…and he was too. You guys are wonderful and saved us alot of money

  • Thank you soo much for your help with this virus, This thing attacked my 13 year old sons computer. Scared the crap out of him, he thought he had done something wrong. I got his computer back by using the safe mode with command prompt restore option and am now running malware bytes and a full virus scan on it.

  • how can you remove it using remote control? I remote in to my customer’s PC but i’m unable to do anything, like CTRL ALT DEL etc. Customer does not know how to press F8 upon bootup. =/

  • Thanks for this great article! I used safe mode and restored my system and used malwarebyte to scan it through and it was OK today. Best regards!

  • i did something idk if its listed here but this was my second run-in with the virus so since I have windows8 I used some sort of reset? anyways I wiped my whole computer clean. EAT THAT YA —-ing VIRUS

  • When I first saw this I was stunned. I wasn’t looking at anything wrong, but it locked the computer up pretty good.
    I luckily logged off, and then on to my wife’s user and did the system restore just hoping. I have done this for the 4th time today, so either it is getting spread a lot or I still have it – but my point is to have everyone set-up at least one additional user account, for at least this purpose.

  • Thank you a lot! This happened to my child’s computer, and she was crying and scared! On her computer it had a different picture, but she thought it was real.

  • Stupid mugu trick. These Nigerian idiots will try anything to con you.. They figure the 419 is not working anymore. The dating scams are getting clobbered so some stupid hack come up with this. Remember no law enforcement official will ever block your computer and demand a ransom (your entitled to due process of law) If there is a real problem they will visit you personally and have to present a search warrant. (a judge will not issue that unless there is hard evidence that a crime may have been committed)

  • I don’t know if the malicious info or whatever is actually gone from my computer BUT it indeed worked! My laptop is back to normal and the FBI fake thing is now gone from my eyes.. or sight or something. I am not too sure if it’s fully gone though. I used a scan thing like for to scan for affected programs.. and then yeah.. I thought Norton still could be a little helpful, even though I had to renewal my uh membership? Anyways, thank you so much for saving my life. I could’ve done suicide.. yeah, weird but I have been teased and tortured enough. (Not like hurting others kind of torturing)


  • Your guys team was the first to investigate and publish removal instructions about this ransomware and you guys are still the best. Thanks for the hard work!

  • I know very little about computers…but this might help others. I have 2 HD with 2 OS.After infected C: drive boot, I booted with secondary F: and installed malwarebytes with thumb drive. I scanned the C drive and could not locate the virus…BUT…i did not realize when I booted with my old F: drive it reshuffled drive identifiers….so I did locate virus when I scanned the new F: drive which was the C: drive from my infected boot…….DUMB on my part…wasted several hours

  • I got hit with the FBI Moneypak virus this afternoon. I was able to do a system restore by tapping F11 on my HP Computer when the computer started up. After the system restore was done, my computer was back to normal, and I also scanned my hard drive with Norton to make sure I was OK. I was really worried that the virus was real, and the FBI were going to arrest me within 72 hours! Glad it wasn’t real after all.

  • My laptop has been hit with what I assume is another update of this virus, it claims to be from the US Dept. of Justice, it demands $450 on a moneypak within 48 hours. It’s really frightening, especially when you have no idea what you did to incur this type of intrusion

  • Pingback: fbi-virus-computer-screen-is-whiteblank/ – The IT Bros | incomeontheline.com
  • Pingback: FBI Virus - Computer Screen is White/Blank and no Safe Mode - TheITBros
  • Can they access all my information in my computer? if so, what should I do? I really don’t know anything about computer. Thanks

  • I have this virus infected my computer too. I have many important information (like bank acct and SSN on some documents) saved in my document folder. Wonder if the hacker really take all information?

  • Pingback: I hate news stations. | My blog
  • Thank you so much guys. I really appreciate this information. If it wasnt for this I would have taken a zero on an important assignment for school. Seriously thank you so much

  • Great solution,
    Got stuck with FBI virus and didn’t know what to do. This helped so much and worked like a charm the first time. I used the safe mode with command prompt. I have a windows 7 computer and used the browser C:\windows\system32\rstrui.exe. They aren’t kidding about typing in explorer as soon as it appears. May want to pay attention to see when this comes up because after 3 seconds you have to restart. To get my computer into safe mode I had to force shut down by taking the battery out of the laptop. Great trick and it is simple.

  • I had opened up my “Task Manager” and started ending processes until it went away. I started with processes that looked out of place and left the others alone (of course).
    I came upon one labeled as “euhzwbbp.exe” and when I ended that process, it disappeared.
    Hope this helps!

  • Thank you so very much for this information. I’m currently on bed rest
    and need my computer to stay connected to the outside world. This article saved my sanity.

  • Pingback: FBI Moneypak Ransomware Virus - wrecked my day. anyone have this?get it fixed?
  • If you can get to Safe Mode on your windows 7; system restore fixed it in about 10 minutes. Thanks to whomever posted all those tips, I finally got it to work after unplugging my pc for 30 mins.

  • Pingback: Strange tapping - Homesteading Today
  • I just ran into this program and boy was it a pain in the @ss. First off, it looks like the hacker has now adapted. If I go into safe mode, the computer will restart by itself soon after. Not to be defeated, I ran “windows in safe mode while opening command prompt” instead. I then went to “C:\Users\[your name]\AppData\Roaming” where I found 2 files, skype.dat and skype.ini. So, I deleted them both. I’m glad I don’t use skype since it would have blown right past me. To be on the safe side, I also went to “C:\Users\Ross Chan\AppData\Local\Temp” and did a del * there before restarting.

    Voila! Virus gone. I them proceeded to do a system restore and scan. Hope this helps for anyone else having this problem, and don’t let the hackers win!

    • Thanks a lot!! It works!! Go to “windows in safe mode while opening command prompt” and type “cd C:\Users\[your name]\AppData\Roaming”, then type “dir”, I found those 2 files, skype.dat and skype.ini. Type “del filename” and ENTER!! Restart the computer and run AVG. Everything back to normal!

  • Pingback: got a "notice" from the FBI
  • Thank You! I did the system restore and my computer is now working, am gonna scan the whole computer with AVG just to make sure everything is fine. Thanks again for all your help.

    • You all deserve a medal! Worked first time! Using avg now to make sure everything is good!
      Thanks Guys!!!!

      • thank u for all ur help, i followed ur instuctions and got rid of the fbi ransomware. i would love to find out who is putting this virus out and punish them. thasnk u again u saved me from having to reinstall windows 7

  • Thank you for the tutorial on how to get rid of the FBI ransom ware. My 17 year old son was trying to download an application on his laptop at what he thought was a Boy Scout affiliated website and got the ransom ware instead. I had heard of it at work but couldn’t remember how to get rid of it. Now I’d just like to figure out who developed it and bring them to justice by which I mean put a bullet in their worthless head. Thanks again.

  • I figured out the System Restore in Safe Mode method myself, but it’s good to see a confirmation here that it did remove the threat entirely.

  • You guys are awesome! Allready had that malware once but this time it was waay harder to get away. Thanks for all those different methods

  • Good God, you should get an award or something for this free and thorough guide. I thought I had to buy another laptop, you completely saved me. Many thanks!

  • Opening with command promt and typing explorer is what saved me. Holy crap this was a nasty bug. It forced me to shut down in regular safe mode.

  • instead of going to safe mode select System Restore. Restore it to a day+ before the problem started to occur. That worked for me.

  • Finally I am able to fix it …
    I was affected couple of days ago and it was so annoying, as I was not able to run any anti-virus, as it shows white screen and nothing can be done.

    Luckily I have 2 user accounts (admin and Guest), From guest account I provided access to admin files ..like c:/users/admin_acct/appdata and local , roaming, temp all locations as provided as solution 2 above
    Then I ran malwarebytes from guest acc, it deleted all malware in admin accoutn and I am done

  • It’s no point blaming the FBI for infecting their computer with such ransomware that disguise itself as FBI, whether it is FBI Anti-Piracy Warning or similar. The FBI has been aware for a long time, and yet it is still evolving. It’s one thing to keep the anti-malware and anti-virus solutions updated as well as operating system security updates to prevent infections.

  • How long should the system restore take after the safe mode command prompt boot up to remove this disgusting virus…

    This is the second time we got it but this time it displayed child porn thumbnail pics!!! I was having a seizure trying to get away from it!!! I hope whoever is responsible for this slop finds forgiveness a higher power – they’re not getting it in this life! So sick and tired of this hacking crap – can’t get a real job!

  • I had this virus on Windows XP and this virus did not funtion unless it was connected to the inernet. I started my AVG anti virus to download updates and then connected to the internet. AVG picked it up right away and I was able to expell it.


  • THANK YOU THANK YOU THANK YOU!!! I was able to get in through safe with command and do a system restore. Should I still go back and do a check for manual removal?

  • I solved mine in a way I haven’t read about.

    In Windows 7 I wasn’t able to get into safe mode (endless boot loop), and was almost completely locked out in regular mode. I had the ransom page displayed in full screen. Ctrl+Alt+Del brought up the normal screen, but task manager would not work.

    Out of frustration I started clicking the links on the ransom page just so I could see something different (how much worse could it get?) I believe the key was clicking on the email link at the bottom of the page (you’ll see why later). I hit Ctrl+Alt+Del -> Shut Down to make my next attempt at a new strategy. When I did, the shut down hung up asking if I wanted to force Outlook to close. Apparently hitting the email link had launched Outlook in the background. I IMMEDIATELY hit CANCEL when Windows asked if I would like to force Outlook to close before Windows had a chance to close it and continue the shut down. The shutdown stopped, but the virus processes had already ended in prep for shutdown. I had my computer back, but still had to remove the virus with MalwareBytes.

    I hope this can help someone else.

  • I don’t know how to thank you. so far it worked with system restore. My malaware for some reason was off. thank you again

  • Did the restore thank you so much it’s great to have people like you for help your a lifesaver it worked great to get rid of it my uncle also thanks you since it was his computer I fixed with ur help

  • This site was a real lifesaver for us. We were able to remove the virus using the system restore suggestion. Will be getting some anti malware for sure. Thanks again…

  • I booted up with “enable VGA mode”. The FBI virus initially blocked everything. I left it running without doing anything for about 15 minutes; magically the FBI disappeared and I was able to use system restore. The screen layout was distorted but still workable. Hope this will work for you too.

  • Thanks for the guide..found this on my dad’s laptop, he really doesn’t know about computers (neither do I) but I’m on the internets a lot more and knew this was probably a virus with a quick fix. He was about to take it to the computer shop tomorrow and gave me $$ for removing it 😀

  • I must have a newer version of the malware as the version i had disabled the ability to restart in safe mode. if you tried, you get the blue screen. So here is what worked for me…

    Once i disabled my internet I was able to get on to my pc pretty easily. you have a few options here depending on how you connect. If you have a desk top, just unplug the network cable. Some laptop’s have a switch on the outside that you can just turn the network off, but others you might have to disconnect your router or modem.

    now that you no longer have an internet connection, turn on your computer and all should seem normal.it seems to be tricked some way by not having an internet connection( of i should say this was my experience).

    i went into control panel and created a new user with admin privileges. i then restarted the computer and logged in on the new account i just created. all seems to be fine. I restored the internet connection and then went to malwarebytes.org and downloaded the free version(when you install uncheck the trial of the pro version). after you install, run the update so you have the latest definition files and run a Full scan on your computer. after the scan is done, let it repair the files it has identified.

    i then turned the internet connection off again and restarted the computer. When it came back up, i logged on under the original account and ran Malware bytes that was installed from the other account( it will appear on both). it found a few more trojan’s which I removed after the scan was complete. Your computer will restart after it removes the trojan’s. Everthing seems normal now, so i deleted the second account that was created above.. good luck with this nasty malware..

  • I was able to download Malwarebytes, but now every second a notice pops up that says the program has blocked & quarantined a threat svchost.exe Trojan.Agent – does this ever stop or will the Virus continue to try and attach my computer?

  • The only way I could get rid of the virus was to start-up in safe mode with command prompt and run malwarebytes from the command line.

  • I got the virus today (Dec. 27). Perhaps it is a new/nastier version. In safe mode and safe mode w/networking, I get a blank white screen within a few seconds of windows booting up. I already have malwarebytes on my computer and can try to activate it, and believe it starts, but almost immediately the white screen comes up and I can’t do or see anything. Note that it is just a blank white screen, without the FBI scam verbage. When I power down, just before the machine turns off, the white screen disappears, and I can see my desktop.

    I can get the task manager option screen with , but no matter what option I take, it just puts me back to the blank white screen.

    I tried the system restore option via the command prompt. It did not work as expected, but eventually (somehow) I got the user interface to open and I selected a restore point from a few days ago. After a considerable amount of time running, the system restore failed due to lack of memory space (not sure if that is legit or nonsense from the virus).

    Any help is appreciated.

  • I deleted the account that had the virud and ran a scan and the virus didnt show up, am i safe?
    the virus only affects one account when i deleted the account i also deleted the files on the acoount

    • I can’t technically say yes, but you should be fine.

      Make sure you run a full-system scan with reputable Antivirus (or AM) software that has experience removing this particular infection.

  • It took me about 5 minutes to “remove” this, just got it 10 mins ago, system restore to a restore point I had made and bam. Now to see if my Empire total war saves got saved as well…

  • I was infected with yet another variant of this ransomware yesterday. Let me just say the first time I had it, I was able to remove with a system restore while in safe mode w/ networking. The next time, i had to do it w/ safe mode via command prompt. Yesterday however the command prompt didn’t even work as the ransomware kicked in before i started typing anything. (doesn’t matter if I typed in ‘explorer’ before the 2-3 seconds. I was able to to safe mode w/ networking but this time I logged in as Administrator and did a system restore. My point is every time I get this virus it is removing options to recover.

  • I was fortunate enough to have another user on my computer and downloaded the MALWAREBYTE program and it seems to have worked . since im leaving a comment from my user ya think its alright . Im not really good with computers. any input would be appreciated.

    • Run a full system scan using Malwarebytes, you can also try free Antivirus scanners suggested on this page.

      Also, search for any files listed on this page related to the infection.

      If nothing is detected or located, that’s a good sign.

      If you are using Malwarebyte’s software and would like to know more about the infection from their standpoint, feel free to contact their support team. They are always happy to assist.

  • Pingback: FBI Virus Ransomware Spreading
  • I seriously almost had a panic attack when the screen popped up. i was dead scared and didnt know what to do but as soon as i saw everyones comments here i felt so much better. It took me the longest time to find where to reset the computer to a previous time but as soon as i found it the whole thing took less than a minute. So happy for this. Really quick and easy

  • Thanks for this excellent article, it’s the best I have seen. My surfing account was infected on Dec. 11 but my admin account was not affected (never surf with admin rights!) and I was able to delete the infected account and then recreate it (using the option to keep the account’s files); this broke the virus There ws no cftmon in my case, but a random-named exe and some flash updates, all loaded into AppData\Local\Temp at the time 2:37 PM of the intrusion.

    The virus attacks immediately, which makes it vulnerable as the rogue exe can be found by searching for *.exe and then deleting it using the admin account.

    What alarms me is this. The exe inherits the privilege of the infected account. How was it able to disable McAfee? How was it able to prevent rebooting in safe mode in my case? And how was it able to prevent Restore, run from the admin account, from initializing? This suggests a (to me) unknown vulnerability in 64-bit Win-7. Fortunately, no virus so far seems to be capable of privilege escalation, but this trojan was doing more than should have been possible..

  • 1. FIRST OF ALL, let me reiterate, even though others have said it on this thread before, that the perpetrators of this virus are SCAMMERS who do NOT represent the FBI or any other government agency!!!! You should NEVER try to get rid of this virus by paying any amount of money through Moneypak as instructed by the scammers in the “FBI” popup window.
    Which brings me to…
    How To Remove The FBI Virus In Ten Minutes — Five Easy Steps (This works with any variant or version of the FBI Virus or FBI Moneypak Virus) —
    Step One (1) — UNPLUG YOUR NETWORK CABLE FROM YOUR PC (or temporarily disable your wireless connection) after powering down your PC. THIS IS THE KEY STEP, since the FBI popup window the virus uses to lock up your PC cannot activate without an online connection.
    Step Two (2) — Power up your PC with the network still disabled, and boot to Windows as usual. Ignore any warnings about loss of internet/network connection.
    Step Three (3) — Go to the “System Restore” utility that comes with every Windows PC (In my Win XP system, it was under “Start”, then “Programs”, then “Accessories”, then “System Tools”, then “System Restore”).
    Step Four (4) — In the “System Restore” utility, select “Restore My Computer To An Earlier Time”, then click “Next”. On the next screen, select the “System Checkpoint” for the day before the virus showed up on your PC. If you are not sure when the virus first showed up, select a date that is several days before you first noticed the virus. (NOTE: The PC automatically creates at least one “System Checkpoint” per calendar day.) Click Next, then click next again to confirm your selected “Restore Point”. This will delete anything that was added or altered on your PC after the selected “Restore Point”, INCLUDING ANY TRACE OF THE VIRUS!!
    Step Five (5) — As the System Restore utility reboots your PC, plug your network cable back into your PC (or restore your wireless connection). Your PC should then reboot and begin functioning as usual.

  • Downloaded malwarebytes just got virus. My computer works, But I keep getting a popup in the bottom right hand corner saying malewarebytes blocked acces to a potentially harmful webpage blah blah blah….svchost.exe. Happens every minute or so. How do i get rid of this trojan svchost.exe. I have ran a full scan. Please let me know if anyone else has had this problem and how to get rid of it.

  • Got this virus Wednesday morning. Wife called me at work and told me our son caught on her PC. When I came home that evening I read it and knew right away it was a hoax. It even had a the “FBI song” running through our speakers. I tried to reboot into safe mode without any success. I wish I would have seen this site before. But my solution was I was fortunate to have another spare hard drive available. So I unplugged the infected drive and install a complete OS on that drive.

    Once I got everything up and running I made sure I had AVG installed and Zonealarm. before I hooked up the infected drive to copy my data files. I made sure I scanned everything before I moved it over. Afterwords I just nuked the drive with a hard drive eraser.

    What concerns me was that i was running AVG 2013 (free) and Malwarebytes.

    Personally if I could find the POS that created this virus I would cut off his fingers with a pair of tin snips. (dull ones at that one at a time)

  • What I personally did to stop the FBI moneypak:
    Start computer, hit F8 in the beginning
    selected safe mode with command prompt
    waited, then signed into my account
    *then immediately entered “explorer” without quotes and hit Enter (do this within 3 seconds)
    then clicked start at the bottom left, then clicked the folders: windows, then system32, restore
    then click the rstrui file
    Choose a system restore point to a time that was before FBI moneypak

    If this worked for me it will probably work for you. Thank you for the guide.

  • ‘FBI’ vesion on my computer does not allow me to get past ‘safemode’
    and typing ‘rstrui.exe’ comes up as invalid entry.
    How can I get over this?

  • OMG so I was yes looking at fem joy.LOL I am an artist and to me its just beautiful bodys, some naked yes but my laptop went into a frenzy….started popping up porn, and bad porn that made me want to throw up.Then the FBI thing popped up, I flipped out as a mom of 6 on PTA and a gma thought Id have the FBI at my door loose my kids and go to jail. I could not get my lap top to shut down. I unplugged it, Rebotted it, in tears ….ready for this I called the local police. He said it was a virus. I told him scared the you know what out of me. I rebotted and went into safe mode. I am ok and safely on my lap top BUT NOT FUNNY!!! And I am imbarassed as all get out. Terrible virus and to think ppl probally pay this. Sad. Thank God I didnt have to pay a ton of money to a PC man, no offense to those who make a living off this I just dont have the extra money. SO thats my awful story. Yes I really thought the worst and thought I was going to jail for looking at fem joy LOL.I feel stupid…

  • Great Article. We have to remove the FBI moneypak virus all the time. this article definitely got us going in the right direction. Thanks Sean!!!

  • Maybe I was lucky, but l had what looked like the worst of the FBI Virus. Fortunately, l was able to start in Safe Mode, run CCleaner and use the Tools function to look at the Start items. There was one entitled Microsoft Update with a Russian source. I disabled it and rebooted. Windows 7 came up just fine and it looks liike my programs work normally.

  • Great information here. I actually reformatted my computer and am now having to update everything. I did try to start up in safe mode but was still unable to do anything.

  • Thank you so much. I had a really difficult one and i would have had to pay someone to fix it for me. your doing the lords work

  • Update: Once in, I ran MalwareBytes again and found an infection. So cleaned that out and still working fine. Please let me know if this worked as well for you. Thanks.

  • Thank you so much ! My son was using my computer when the virus popped up. He texted me begging me not to be mad, he so scared. Lol. I yelled and told him to stay of my CPU, but I had no idea what it said, so I finally read it tonight and flipped a lid, I was so mad at him and was actually going to pay. Then I just prayed about it, after I decided to look up moneypak to see if I can purchase one online, and thank God this website popped up. You have saved my son and me,,mainly you have saved him, lol. Thank you again. I’m sure he would thank you also.

  • And also, what will happen if it is not removed from my computer? i havent see it pop back up yet. Does that mean im good from it? Please reply.

  • How do you know if the virus is gone? I restarted my laptop and let it go through its usual start up. I dont see and hear the fbi warning anymore. Its been about an hour since it first came up. Is it gone or is it somewhere and i have to remove it still? Please help.

  • Seriously…thank you. Thanks for using your brain to do good for others than to use it to cause havoc and destruction. The virus popped up when my son was using the computer and he was terrified to tell me. You saved us both! Lol. Thanks for sharing your expertise and knowledge. Happy Thanksgiving to you and yours!

  • OMG i tried soooo many things. I can’t open safe mode so now i am about to cry. I GOT MY MOM’S COMPUTER BACK. If you can’t access safe mode then TURN OFF ETHERNET. My computer has a little switch at the bottom that turns off internet access so that it won’t connect to the internet. THATS HOW THE VIRUS SHUTS YOUR COMPUTER DOWN. Then i did step 3. Now i do daily scans for that virus to make sure it doesn’t come back. ASK ME IF YOU NEED HELP!!

  • THANK YOU SO MUCH! The system restore from safe mode worked fine. You are really awesome for doing this…very thoughtful to put these repair instructions up…not for money…just to be a good person. Thanks again

  • This totally works!!! I tried many youtube videos and have been trying for daysssssssssssss! I did followed these simple steps and it removed the virus. I had 10 in my computer that I removed. If you have a flash drive, it was the best option. It took 5 minutes.

    I’m very, very pleased!

  • WOW!! I am Amazed. Thank you for guiding me in the right direction. For I am not a computer savy person at all. Quick and easy. Very helpful, thanks again. You literall saved my life!

  • This is the second time I got this virus. First time I started in safe mode command propmt and restrored. This time it will not open in safe mode it reboots everytime I choose the safe mode option…any ideas??

  • Thanks a ton! When this got onto my computer, I was flipping out. The moment I got this I told my mom that we had to pay a fine. But being the calm person she is, she got us to this website and we fixed it. So thanks again. Where do I report the “Microsoft Employees”? Or who do I report them to?

  • Pingback: Help!! Malware has locked my pc - Tech & Computer Forums
  • Pingback: FBI “Ransomware” Virus: A Nasty Intruder - Fort Myers Web Design
  • Pingback: FBI “Ransomware” Virus: A Nasty Intruder | Sphinx Web Design Experts
  • Pingback: freelance-kid.com
  • Pingback: freelance-kid.com
  • Pingback: FBI “Ransomware” Virus: A Nasty Intruder — WebmasterDaily
  • Pingback: FBI “Ransomware” Virus: A Nasty Intruder | What do you want to rank for?
  • Pingback: FBI “Ransomware” Virus: A Nasty Intruder | The IT Chronicle
  • Pingback: FBI “Ransomware” Virus: A Nasty Intruder | eWebmaster
  • Pingback: FBI “Ransomware” Virus: A Nasty Intruder | SiteProNews: Webmaster News & Resources
  • PS. Just wanted to say thanks Sean for the very informative and easy to follow step by step instructions you had. your leave a comment area had some issues in the name and email area so I had to reply to my original post. Thanks again, scott g.

  • I got the FBI ransome trojan ($200 fine ver) while clicking on a video link about justin beber and selina gomez breakup on or about 1130am 11/10/12. it locked up my pc pretty hard. good thing I have another laptop available to research the virus. found your site and did a systems restore from safe mode that brought back functionality to the infected pc. I am now running full scans with MS security essentials, spybot, and malwarebytes. It appears the virus is gone but I will keep an eye on things for a while just to be sure.

  • Pingback: Why yes, malware can make your webcam spy on you - Jennifer Ellis, JD
  • Pingback: How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) – Fake FBI Malware Removal | Botcrawl.com | infotechcomputing
  • Just had the pleasure of looking at this FBI virus, didn’t have a way to look it up online so I had to find it myself, Boot to safe mode + command prompt, open regedit, navigated to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\Winlogon
    (I’ve had a fake antivirus do this to me before)

    Found an entry that was modified:
    Name: shell
    Type: REG_SZ
    Changed value: explorer.exe, C:\Users\****\AppData\Local\(Random).exe

    I changed the value back to explorer.exe and reboot…

    For those who don’t know the registry much, this entry is the “On log on” program launcher, as soon as your user has been authenticated (either clicked or user/password is correct), windows runs what programs are specified in this entry.

    If you try to manually remove the virus don’t forget to check this location

  • Pingback: How To Remove The FBI Virus (FBI Moneypak Ransomware Virus) – Fake FBI Malware Removal | Botcrawl.com | infotechcomputing
  • Got this virus a day ago on my Windows 7 XP version…after much searching I ran Norton NPE Crimeware virus software in Safemode. The installation required a shutdown and restart. After restart I accepted the license and ran the software. The software noted that file: dtresfflsceez.exe was running in my startup menu and was considered a virus. Engaged the removal feature and clicked continue. The file was removed successfully. Restarted my machine and ran a Quick scan and located additional tracking cookies. Removed the cookies, shutdown the machine and ran an additional full scan. All is working now…I hope this helps someone.

  • Hell yes this got my computer going again! Thanks a lot! I thought I was about to have to spend a lot of money on repairs! Thanks again!

  • This virus is getting me tons of business for my PC repair side job. Though it does seem to be dying down, now I’m seeing more of the File Recovery, File Restore, etc virus.

    Something like this literally can take 2 minutes to remove if you have a way to get outside windows and see the files on your PC.

    Program Data, and user > App Data > Local are the main folders I find these in.

  • I ended up backing up my photos/videos to another hard drive in safe mode and then reformatted my harddrive. Im about to find this little pukehead who created this so called fbi virus where he’s living at.

  • Pingback: Compute: Virus demands a ransom to free your computer | Trojan Removal Software
  • Just got the virus – your web site very helpful. Used Safe Mode with Command Promp to go back two days and restore computer. thanks

  • Got it this morning. I rebooted and scandisk started. I deleted temp files and that seemed to take care of it. Also ran a virus scan afterwards. Nothing found

  • I just got hit with this virus 2 days ago. Locked up pretty bad. Older PC w/ Windows XP Pro. Could not enter safe mode of any kind so could not manually delete virus files. I have Malwarebytes(TM)but i could not get most recent updates. I did scan with older version but PC shut down before completion (MWBTS found infection but could not finish delete on restart). I disconnected router and sat there very pissed. Then I reconnected router, turned on PC normally and was able to click on MWBTS icon on desktop before FBI virus could take over. Updated MWBTS and started full scan (will take at least 2-3 hours)and as sooon as scan was running, disconnected router and deleted virus after scan. Then ran quick scan and full scan again to be sure. 0 malicious items. All seems well. Think I will stop using IEX and use Firefox from now on. I’ve read that FF w/ NoScript addon is safer. Good luck fellow surfers!

  • I disabled this virus by using safe mode and then typing ‘regedit’ into the bar and hitting enter. Then, I was able to find an unknown program in the Startup programs. From there, I disabled it and it does not run anymore. However, it is still there. It just doesn’t appear anymore.

    • It is still a fake. If you can get the number from caller id or something call them back and tell them you are from MI6 or Interpol or something and that they should stay in their house and wait for the police to arrive. Be as creative as the hackers.I was once called by some Idiots claiming to be the FBI who wanted a credit card. I gave them the real phone number of the local FBI office (and a fake credit card) I would love to have seen their faces if they called. Remember, remember, the FBI, no matter what you may have heard does not collect fines. 2)This virus like many others is really a family of viruses (even if the screens look the same or similar) and like any virus it is constantly mutated. That’s why it’s so hard to stop. Get good anti virus software. Keep it up to date. Read up and learn how to cope with thse bastards. Otherwise, relax, pour yourself a nice glass of scotch and get to work.

  • Pingback: FBI Ransonware Virus | Microsoft Office Information
  • Pingback: Internet FBI Scam
  • this is helpful:) when i first saw the FBI page i litterally started crying because i really thought i had to pay $200 for my fine or i had to be sent to jail for 3 years.(i still a teen!) But till’ i went on google and searched how to Remove FBI moneypak and founded results, you wouldnt believe how happy and glad i was for google and this page! :’) tears of JOY

  • Thanks for the manual clean up instructions. I was able to find and remove the ctfmon file easily in safe mode with networking enabled. However, after a lot of trail and error with Vista, I finally found the appdate/local/temp file folder but could not find the listed files to remove in this location. I then started into a really protracted effort to do a system restart using accessories/system tools/system restart. I probably initiated restart at least a half dozen times and it always stopped with a disk error message that I assumed was caused by one of the malware files. I also was able to start and run McAfee virsus scan after removing the ctfmon file. After the virus scan was complete (it indicated no virus present) I was able to do a disk recovery operation which took overnight to complete. In the morning, I was finally able to do a system recovery going back to a date I knew for certain I did not have this malware. I hope the rotten a-holes that invented this virus do many years in jail and are banned from life from owning any further computer equipment.

    This is my second experience with malware and both times its was immediately obvious the page that popped up was bogus. The FBI would never be involved with this type of shake down regardless of what people believe about the US Government and its actions. The previous experience was with the MS Security malware. Both have been a real pain to remove.

    This site is the absolute best of the sites I looked through on removal. It had easy to follow instructions and did not require buying more conflicting software to resolve the problem. Wish the site was listed first when browsing. It would have saved a fair amount of time as other sites were selling malware software without assurance of success.

  • GONE in 30 seconds! I had only 1 user account with Norton360 and the FBI bug apparently got by that. I went with option 4 . . . removed the “ctfmon” file then restarted normally. Everything appears back to normal. Couldn’t have been easier. To be safe, I started a 2nd ADMIN log-on and downloaded and ran malwarebytes from that profile. It found 2 infected files which were removed. After mandatory restart, I switched back to normal account and ran malwarebytes again . . . all clean. Thanks, saved me a $150 geek squad fee!!!

  • I got the virus on 2 computers within minutes of eachother, all I was doing was deleting junk mail. I simply restored the Dell laptop to its birthdate and the Sony simply restored it to a few months ago. I did not have to use safe mode, just had to turn of my wireless router. Both are back to normal now. In both cases, my expired Norton anti virus pop up popped up wanting me to renew, hmmm.

  • Pingback: Ransomware – FBI Moneypak SOPA virus as samples of malware to beware of
  • So, I got hit with this piece of crap virus. BEST WAY to get rid of it…TRUST ME…First, hopefully you have a second user on your PC . Always set up a back door sign in as ADMIN. Dont use it unless you really need to….LIKE NOW !!!! Go to the web and bring down MALWARE BYTES. Its free but it is a TRIAL VERSION. Activate it through your alternate sign on, not the user that you contracted the virus under – you wont be able to anyway because of the “FBI LOCKOUT” Run the clean up twice. I bought the ultimate for $39.00 and boy was it worth it. Once you have run the complete application you can sign on as normally do. THEN RUN IT UNDER THE USER THAT ORIGINALLY GOT STUCK UP THE BUT WITH THE VIRUS. It will clean the files that are not shared as the user that was infected. Total time to fix this once you down load Malwarebytes is about 30 minutes. SO….SCREW FBI-$200.00 By the way, I didnt mention that I have Norton 360 and Windows invader running. This virus has an awfully long and thin needle

  • Thank you sooooo much!!! I freaked out when i got the FBI warning but with this instructions it was easy to remove ! I didnt have access to safe mode but to the safe mode with command prompt! Then it took me 5 minutes and the virus was gone! It seemed so easy, i hope everything is gone! But not to take any risks i guess i will reinstall windows again! Should i? Thank you again sooo much this was soooo helpful an easy!

    • Thank YOU!!! I don’t even know how to download illegal stuff. I’ve been paying for everything like a sap, so I FREAKED when this message came up. I was right in the middle of writing a 25 page paper for my Masters classes and hadn’t backed up to Dropbox. Safe mode with Command Prompt, Explorer, system restore. end of story. Awesome!!!

  • Thank you! Flash drive option wouldn’t work, but safe mode did. I was ready to chuck the whole laptop if it wasn’t for this help :O)

  • Thaks for the solutions. I tried all the manula steps but didn’t find the files as specified.Then installed Malwarebytes and it removed the virus. Thanks again for this information.

  • Thanks for the good work, very clear instructions. Got theVirus this morning, McAfee didn’t fix it , restore the system to previous point didn’t work – tried it many time. Malwarebytes could see the virus and trojans but couldn’t remove it from the system, same happend with AVG. Finally MICROSOFT SECURITY ESSENTIALS did all the job.Now my PC works very smooth.Thanks

  • I did not get a screen like you’ve been showing but instead a audio file that kept say “warning, FBI blah, blah, blah” over and over. So far system restore seems to have worked. Thanks for the easy instructions.

  • Pingback: law of attraction-the secret
  • Ugh, what a freakin’ pain. I’m on a laptop now while my computer is running Malwarebytes. It hasn’t found anything yet..

    This FBI deal blocked Safe Mode (all forms), and it was a race against time doing the ‘ol Start Menu / Run / explorer / Computer / C / Windows / System32 / Rstrui deal. What a PAIN. I finally got it to click (on like the 30th attempt. I’m sure thats great for your computer), picked the Restore Point that was made yesterday afternoon, and I should note that I also unplugged my internet before that final successful one. it is STILL unplugged.

    Now, I should be good to go with the Restore Point? There won’t be any residual stuff? Very helpful here, though the range of ways to defeat it (since some won’t work) is infuriating. I like questions that are like “Hungry?” and the answer is “eat food.” Which is what I’m going to go do now.

    Thanks a bunch, and a confirmation to put my worried mind at ease would be great.

  • Thank you very much.
    I got the virus, try to restore the sys. , I worked but when turn on the internet, the malware overtook my laptop again. Try reboot the laptop by F8, it didn’t work.I have to scratch the comp. to get the safe mode with networking, download the Malwarebite, ran program and it worked perfect. Many Thanks

  • This site (Sean) was instrumental in helping me (seemingly) defeat this. Thank You sir!

    Just as a note to others: I used a hybrid solution wherein I downloaded MalWareBytes in safe mode and ran it. It detected a trojan. I then restarted in normal mode. I then ran XXXX to be sure. Both services are free and bless them for that.

    Furthermore, before you fellow Norton subscribers decide to contact them, realize they haven’t a clue on this yet. They overtook my computer remotely for 1&1/2 hours before giving up. It took me an additional 3 hours of experimentation to (again, seemingly) beat it.

    Thanks again.

  • Does removing using a system restore still leave some trace of the malware on your system? I checked this out with the FBI and they said even if you are able to remove it yourself there could be some lingering thing there that might record keystrokes or download personal information, credit cards etc?

  • I got this virus last night and was going to pay bucks to get someone to take it off.(By the way, companies want between $70-160 to get rid of this virus) I found this website and saved some money. I got into the Safe Mode on my computer and went to Systems Restore in my Accessories folder and restored my computer to a point from last week. It seems to have worked. I can get on the internet with no problems. I don’t have any anti virus software so maybe its hiding somewhere but for now I’m happy.

  • Pingback: SkyNet is Real » FBI Moneypak Virus tips
  • Booted in Safe Mode and did a System Restore and that removed it. After the restart Norton Security was disabled. Clicked to restart it. Doing a full system scan now.

    Had File ‘dxdgztzl.exe’ in ‘C:\Windows\’ looks like this is a random dile name.
    also had startup entry for ‘dxdgztzl.exe’ showing in MSConfig Startup and the Registry for


  • Hello and thx for the info.
    I did the system restore before finding this site, which reaffirmed what I did will work. However, one side affect is that it disabled my Norton. I still have the icons, but when I click on them, nothing happens. Also, the Norton icon is gone from my system tray. I’ll try re-installing Norton and see if I can get it back that way. But why did Norton let it get by in the first damn place???? I’m pretty pissed off at ymantec right about now!!!!

  • I succeeded in fixing my laptop, which has Windows XP Professional Service Pack 3. I use Microsoft Security Essential for my antivirus, antispyware, antimalware. When I booted up Windows, I got my desktop display minus all icons and taskbar. Since there was no Start button and putting my mouse curos in the lower left corner did nothing, I decided to use Safe Mode with Command Prompt. In my case, a black screen opened with the words Safe Mode in the four corners and a title showing my version of Windows. By waiting about 20 seconds, a command prompt window opened in the upper left corner. I typed in explorer and pressed Enter. By waiting a minute or two, the Windows Explorer window opened up. I browsed to c:\windows\system32\Restore. I clicked on the file rstrui and pressed Enter. Be patient and wait. The Restore window opened up and I restored to a system checkpoint about a month ago. Restore then restarted my laptop
    and opened Windows successrully. A pop-up window displayed to state Restore finished and stated that some files were renamed. I clicked on a link to see the names of the renamed files :url.dll, urlmon.dll, and winnet.dll in the Windows/system32 folder. Since I have Microsoft Security Essentials installed and it normally runs at Windows startup, I got a error pop-up which stated it failed with error code 0x80070715. In other words, the virus corrupted Security Essential so that I could not do a scan of my computer. I tried to do Control Panel->Add/Remove Programs to uninstall Security Essential. A mostly blank window opened up with two blank buttons. I guessed the left button was Yes to do the uninstall which then ran. I had a copy of the install exec for Security Essential which I ran to install Security Essential successfully. I then ran it to do a full computer scan. It took two hours to complete and found five suspicious items : four of them were Trojans (Win32/Ransom.KF) and the fifth was labelled Exploit (Java/blacole.GD). The first two Trojans had container file in the Local Settings/Temp folder wpbt0.dll and the file was [INJECTOR_CL]->(UPX). The next two Trojans had ccntainer file in the c:\System Volume Information folder as A0121748.exe and the file was A0121748.exe->[INJECTOR_CL]->(UPX). The Java container file was in my userid folder as \.jpil_cache\jar\1.0\Pre.jar-7562F662-223071cc.zip and the file was this zip->bkwa\bkwa.class. My laptop is now running normally as far as I can tell. Also, I had Security Essential run another Full Scan, which detected no new threats.

  • malwarebytes saved my life! (so did the fact that i had multiple accounts) I restored to previous version before an update, and then used malwarebytes to do a full scan (around 2 hours) however once you see thst the number of mailicious objects has not increased in the past hour, feel free to abort scan and delete those files. then, run a quick scan (or a full scan) to make sure you’ve removed all.

  • Ok so right now I’m typing this on a iPad so I’m not sure if it will work. Right now my laptop is in safe mode with networking and norton 360 is running a full system scan .

    You Guys have helped me a lot. I wanted to cry I was so mad. THANK YOU <3

  • I just about had a heart attack!! Thanks for saving me from pulling my hair out. I had to restore my computer after going through the safe mode since the first option didn’t work.

  • Thanks for getting me through this nasty malware virus. I used the instructions for safemode with networking, then reset my computer to a few days prior. It looks like the virus is gone. Thanks for the help!

  • Thanks! Why is this not first on google, the website I went to before was terrible. Hopefully this gets bumped up on Google soon.

  • Sean, many thanks for your very informative blog.

    It just happened to me and yes it’s quite annoying. It actually takes about 10 minutes to fix the problem and can be done with the Malwarebytes Anti-Malware software in “Safe Mode with Networking,” as mentioned above.

    Some articles claim that these guys have been extorting about $50,000 per day on average. I’m shocked that the FBI (or foreign equivalent) hasn’t yet apprehended the culprits.

    • Thanks!
      The free version of Malwarebytes is just a malware scan and removal tool that will remove this infection.
      The paid version of Malwarebytes gives you real time protection against intrusions.
      So yes, the paid version does block this particular virus out in real time. But new variants and similar infections that have not been sampled yet can be left undetected. If that’s the case Malwarebytes offers support for such issues and will add the new variant to their next update.

  • 1st I just wanted to say Thanks! I will be bookmarking this site and plan to join too. Like the person before me this is Great Stuff.

  • I hadn’t heard of this virus before today, when my employer sent me to recover a client’s computer. When I left the client, 4 hours later, his computer seemed to be functional, but I had the uncomfortable feeling the virus might just be waiting a while before reappearing. After looking over these instructions, I can see things I needed to have done.

    BitDefender 2010 CD found the Trojan and removed it, but the Trojan came back. I deleted the file that kept getting infected, then deleted the entire folder (“Pepper Flash” for Google Chrome).

    System Restore to a week earlier did not stop the virus. I then set the system back 6 weeks.

    Norton AV was pre-installed on the computer. When I double-clicked on the Norton icon after cleaning the infection, the virus popped up its extortion window. I tried to uninstall Norton, but nothing happened when I gave the system the command to continue removal. So, I manually deleted as much of Norton as I could find, including in the Registry. I could not remove the Norton icon from the Add/Remove Programs list, but I did get it off the toolbar. All that remains are a few references in Registry that I didn’t have time to delete.

    I installed and scanned the system with avast! and SUPERAntiSpyware, removing 300+ cookies. Then, I uninstalled those programs.

    I installed MS Security Essentials.

    In the end, the user was able to back up his files from his computer, and the computer appeared to be functioning normally, though set back 6 weeks and without Google Chrome or Norton working.

  • Thank you very much for different solutions since they are all important. I installed AVG and after scanning for 3 hours it found 56 corrupted files. After removing it, the virus didn’t stop. I am not sure why. So I had to get Malwarebytes and after only 5 min of scanning it found 3 files. Removed, and the problem is gone. Thank you for providing this information and thanks to Malwarebytes.

  • thank you thank you very much you are a lifesaver i downloaded malwarebytes anti-virus and it works like a charm ty very much

  • I was able to get rid of this only after disabling my internet. I could not use Safe Mode (it would bluescreen) and it was too quick to do any of the system restores. Once I disconnected my router, I was able to come up and do a system restore. Thanks for the info. This one scared the hell out of my 18 yo son.

  • Pingback: FBI Virus Removal Guidelines « Voted Best Malware Blog of 2012
  • I did a traceback hack and sent 11,001 links to do root inline script that should keep them intertained lol.
    I also sent script to homeland security ” maybe they will shut down ill got funds end for company funds procured should keep them busy.
    Hack back targeting got to love it. JUST remember Hacker/s there are just as smart and Smarter other/s on this planet -_N-^e_o^

  • Thank you for such a thorough discussion. Once I disconnected the internet connection, it was easy to kill the virus with AVG.

  • thanks a thousand lots am not from the usa am from dubai i dont know how or why i got an FBI stuff but at least i searched for it and ur the only one who helped me

    thank you <3!!!

  • Omg thank u sooooooo much that scared the crap out of me haha the mal thing work for me so I’m fine now 🙂 this helped alot thanks!!!!

  • damn…definitely scared at first when i saw this

    safe mode command prompt instructions worked for me

    tried the safe mode with networking, but as soon as i logged in, the fbi moneypak ransomeware tried loading up (a white screen with something to the effect of this page will take 30 seconds to load)

    after doing system restore from safe mode command prompt, my pc is back to normal. thanks.

  • Thanks Sean, you rock. I was unable to even access my desktop in safe mode, or safe mode with networking. Your instructions on restoring from the safe mode with command prompt is what worked, and easy to follow!

  • Pingback: How to Remove FBI MoneyPak Virus — Technipages
  • The easiest way around the program starting up is to completely remove Internet access to your computer. Tried removing the files manually, but it sucks on Windows 7. Easier to just do a system restore. Your computer manually sets a restore point pretty often (mine was done at noon today and another one was done 4 days ago).

    • If you do a system restore, would you lose anything like progress made on a written document or something, or does it only restore files, and leaves anything manually saved?

  • Pingback: Moneypack info | Cheapdiningout
  • Pingback: FBI Moneypak Computer Virus
  • safe mode w/netowking , run new version of Malwarebytes and let remove infected files / reboot and istall 2013 AVG , scan , you should be good to good.

  • Hi Sean,
    Thanks a lot for the solution.System restore worked for me.But my doubt is,does system restore mean that the malware/Virus is removed from the laptop?
    Currently am scanning with Malwarebytes (After performing system restore)).It is showing Objects detected :30 …will update the complete status once it completes the scan.are these 30 objects related to pre existing virus or are they related to FBI mypack? is there any way to know this?

    i tried scanning using mbam2.exe(not sure if this is same as Malwarebytes).although i got a popup saying 12 objects/trojans have been removed, issue still existed for me.
    On doing system restore i was able to restore the system back to old state. what am not sure is if the virus is completely removed or not.

    Please let me know your thoughts.


  • Hi Sean,
    Thanks a lot for the solution.System restore worked for me.But my doubt is,does system restore mean that the malware/Virus is removed from the laptop?
    Currently am scanning with Malwarebytes (After performing system restore)).It is showing Objects detected :30 …will update the complete status once it completes the scan.are these 30 objects related to pre existing virus or are they related to FBI mypack? is there any way to know this?

  • I found if you remove the shortcut from the start up folder the computer won’t lock up but I can’t get the Internet to work now. Thanks to this helpful form I now know what it is now and now to kill the scam and everything with it.

  • Got two of ’em in the past week and a half. I see the FBI’s finally posted an official denial. What I don’t see is software designers so dedicated to artistically exploiting the schema-themes would deny us the value of a decent screen saver.

  • I had a feeling that this was complete bullshit. FBI cant fine you w/o court papers. Thanks for posting on how to kill it.

  • Always remember the following. The FBI does not have the authority to fine people. This can only be done in a court of law. So the first thing you have to realize is that even even if you were looking at a video of a person having sex with an underage horse or dog or cat is that you are looking at a malware situation. Proceed accordingly most of the time you can save yourself $200 and fix the problem. Don’t forget to keep your AVG or whatever you happen to use up to date and active. Learn how to boot into safe mode. I know it’s all very frustrating but it is part of modern life. What really drives people crazy, myself included is that you really want revenge. You probably will not get it since a lot of this stuff is written in foreign countries. Do you really want to spend a couple of years draging your ass around some miserable shithole country looking for some programmer who probably would cut your throat if you actually found him/her? Your satisfaction comes from the fact that they didn’t get your $200 and you are smarter and better than they are. Good luck.

  • This page popped up on my screen about an hour ago and scared the hell out of me. I don’t even use my computer for anything other than schoolwork and I guess I visited an unsafe link of off some random media site. Needless to say, I was a little skeptical. This article walked me through flawlessly. Thanks a million…or two hundred at least, that’s what I saved thanks to you guys. Very appreciative of all of the guidance as I am not much of a computer wiz.

  • I’m running walwarebytes right now, I managed to restore windows to a couple of days ago through safe mode with networking…I nearly soiled my pants when this popped up! Hopefully it’s fully gone, don’t want my spouse to see this…

  • WOW! HUGE THANKS TO STEP 4!!!! Easy steps to follow, make sure to right click on the “ctfmon” file and click delete. I about shat myself when that fake FBI popped up…swooo

  • LMAO!!! That person(s) took all the time to write the virus for such an easy fix. Walked my sis thru the fix via cell, and discovered that the same virus was infecting my sons acct only on a cpu, here with three accts. Gonna fix that one myself. (glad I have my own laptop) Thanks for the info!! Nice and easy!!

  • This is how I did it and I didn’t have to download anything nor play with Windows settings (I have an XP PC though I think in 7 it will be the same outcome). I just turned off the PC, waited a few seconds, turned on PC and while I saw the PC booting up I kept pressing several times the F8 key. This took me to a screen that presented the different ways I can start Windows. I chose Safe Booting and pressed Enter. Then I just waited for Windows to boot up. The Windows desktop is going to look strange because Safe Boot will install just the basic drivers (and includes the video drivers). Then I went to Restore from All Programs/Accessories/System Tools. I selected a date prior to when I had the MonayPak virus incident and pressed OK. The Restore command restored it to the way I had my PC on that day and thus, basically, replaced all setting that virus might had change or altered.

    Good luck

  • Thanks for the tips. I saved my kid’s bacon last night by downloading the free version of MalwareBytes onto a flash drive on a second (non infected) computer, then turning off my router and installing the anti-malware onto the infected unit. It saw it right away and zapped it. The kid had to do his homework after all. Thanks.

  • I have another solution that can be added to this list!

    1. turn off your computer
    2. unplug your internet connection
    3. turn the machine back on, the virus can only open if your machine is plugged into the internet!
    4. using a flash drive, get malwarebytes from another computer and load it onto yours
    5. run a full system scan, malwarebytes will find and eradicate every file, there were 10 files altogether!
    6. restart when asked, and boom virus eradicated

  • I WASN’T DOING ANYTHING WRONG! Was just looking at some wiring diagram images on the web for my old mustangs when this “mess” started popping up and then the FBI screen.
    Restoring my computer did the trick for me. Started up in Safe Mode and ran the restore file Rstrui.exe from the Start Menu. Selected an earlier restore point and all is good. Not sure what caused my other problem but the only side affect was that all my data files in the user, my documents folders, were gone. Finally realized that the files were present but they were all “hidden”. Had to go to View in the Folder Option and select the “show hidden files” button. Then was able to see the files and go to file properties and uncheck the attributes “hidden” box.
    THANKS so much for this site. Keep up the good work!

  • Omg omg omg! I almost had a heart attack. I was like wtf did I do to deserve this. When it popped up and I didn’t know what to do I though to myself ” my dad is going to kill me!” Then I desided to go on my iPod and see what I could do. And man, this site helped me a lot. So I thank you very much!

  • Question – If I have 2 accounts, one infected and one not, and I run MalwareBytes from the non-infected account, will it kill the virus on the infected one?

  • Bloody FBI virus on a Windows XP laptop. Icannot get into safemode command prompt as it demands the sys admin password and I have not worked at the company where I got computer for 3 years… in standard safemode the virus locks me out… The Task Manager button (@ alt-ctrl-del) is greyed out and does not work to allow me to stop the program. Basically I am completely locked out of my computer and cannot even get to the point where I can follow the directions above. Has anybody hit this wall and come up with a solution?

    I unplugged the ethernet cable and the virus gets hung up with the “this window may take 30 seconds to load…” but it never relinquishes the screen back to me.

    This is not my main system but I do have a number of files I do need to access that have not been backed up.

    The system I am posting from is a workplace mac (virus on personal PC). Is there something I can download to a thumb drive and force the PC to boot from the thumbdrive – allowing me to follow the cleaning instructions

    If anyone has a suggestion please forward… Thanks!

    • I was able to run antiviruses if i left the internet off from the start; every time I activated the wireless, it’d lock me out-so i left it off. Malware-bytes seemed to take care of it for me.

  • I cleaned this my self. it wasn’t easy. follow the money. who stands to profit? how about all these expensive malware blockers like mcafee & norton who didn’t catch this but they want additional money to clean your pc….

  • Got what appears to be a new variant – could not locate any of the files or settings in manual remove steps while looking from another account in Vista. It had disabled defender and task manager. Also could not find from safe mode except for a (random).exe that I renamed.
    Ran a system restore from safe mode with command prompt and that appears to have fixed things. Looking deep and hard for any remnants. This is a nasty virus and I would like to learn what it’s entry point is. Based on logs, it appears to exploited either flash or the java updater.

    THANK YOU!! for the guidance.

  • This is a good article, it was very helpful when I had to remove it from a family member’s computer. Not sure if the virus has gotten stronger or what, but whenever I booted into safe mode, none of the files for the virus showed up, not even in the registry. Even Malwarebytes didn’t pick up on. I ended up using No. 5 to get it off. Otherwise I’d have had to go with the system restore option, which would have been a pain to do.

  • Thank you very much that was easy to remove. Its rare to find this type of information without feeling like there’s a hidden agenda, so thank you for being one of the good guys.

  • I have got this…..but I am not able to delete
    C:\Users\Ritesh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ctfmon…when I delete it comes up again……the target process for this is
    %systemroot%\system32\rundll32.exe wgsdgsdgdsgsd.exe,FQ10

    I also checked other files/folders but nothing is there except few reg keys which I deleted.

    I am running MB now…..

  • I called the money pack people a few minutes after loading the card number into the scam site and was able to get my money refunded. They will send you a check for full amount in 7-10 days. I was able to act before the card was acted upon.

  • Thank you thank you thank you..very easy instuctions..booted in safemode and downloaded malwarebytes and i think im good to go!! nice to see people go out of there way to help you for free sometimes

    thanks steven

  • Caught the virus, it Task Manager, Malwarebytes, etc. Started in Safe Mode and restored to a point 6 days ago. Does performing a system restore get rid of the virus or merely allow me to get running again and it’s still embedded. Running updated MB scan to see of it’s picked up.

    Should I have uninstalled MB and downloaded a fresh version? This thing is getting nasty!

  • I have been infected with this a couple of times. The first time was a more rudimentary form, and Task Mgr worked and was able to locate and stop program. But later versions “stronger” and safe-mode followed by “FULL scan” on MB worked. Having alternate user login to work from also helps.

  • So what if I purchased a MoneyPak card and used the number to “unlock” my PC? Is the card still good or did I get scammed and lose $200

  • so awesome, I love you. I too had Malwarebytes free version already on my comp, followed your safe mode instructions, and BOOOM. Thanks man! Planning on buying AVG or Malwarebytes full version since you recommend it. Would Norton or Mcaffee be any better?

  • Pingback: FBI Moneypak and other popups cause infections. | Vallarta Computer Consulting
  • Sean, your suggestions for remving this nasty annoying virus worked for me! You saved me countless hours re-building my PC, thank you so much!!!

  • How nice (and rare) is it to do a google search about a computer problem, go to a top recommended site (that’s not trying to bait-and-switch you into buying something) and actually find information that is discernible AND WORKS?!?!? It’s freakin’ SUPER AWESOME is what it is!!! Thank you Sean! You’ve been a big help to a lot of people, including me. Your Karma account is over flowing. Well Done!

  • Got the Department of Justice version today. Booted in Safemode and put rkill.com in the start up. rebooted and it fought with the Malware and gave me access to my desktop and Virus Scan software, finally found the .exe in c:\documents and settings\username\local settings\temp , deleted it and ran a find in the registry for that filename and deleted the keys. rescanned w/ malwarebytes, so far so good filename gfhy22.exe

  • Pingback: Scam Alert: Malware Posing as FBI | AllClear ID
  • can Microsoft essentials get rid of this … i have used it in safe mode *without networking* and it seems to have gotten rid of it…

  • Thanks a lot, i was about to cry when this popped up, but a little researched lead me to this site and was able to fix the problem. Thanks again 😀

  • Props! this would have been the hardest to remove yet for me but with this detailed help it was the easiest! thanks a ton

  • I called the local police and FBI to make sure it was a scam. Then on my own I did exactly as indicated above. Performed a System Restore in safe mode and used Malwarebytes to remove the malware. No problems. I also checked with my bank for my transaction history.

    • Dude You are the man…. I don’t think I have ever come so close to soiling myself… I’m mr do the right thing…. and though I may bend the rules here and there I try not to break any….. I got the scam and about died… my wife and I are going on vacation in a week…. I did not want to tell her I need to pay 200 dollars or go to jail…. I would have died tonight…. lol thank you thank you thank you…. never been so glad to find out I got scammed…… breathing again…. and in you debt

  • thank you so much when i got this message i was almost ready to cry , being 100% honest i didn’t know what i was going to do and i got this message when i downloaded ilivid and in a way i had committed a crime and i was generally afraid id get in some serious law trouble. this article made my day and made me feel at peace

    • Any virus or trojan can eventually. There’s no straight answer for that. Unplug your external hard drive if you’re worried.

  • had the cyber security virus. i removed the ctfmon link from startup so i could navigate around the computer and then downloaded the malwarebytes program…removed 2 trojans and all seems good now…good luck to anyone else unfortunate enough to experience this

  • Thank you soo much! I got home and my husband said he had this FBI thing show up I was like we’re not paying $200….Thank you soo much for helping us remove it!!

  • I would like to thank this website for giving me the tools I needed to fix this myself. It was all very clear, concise info and saved me a reformat and hours of work as well as a TON of updates! As with the people before me, I’d also like to thank you for not forcing people to buy software to fix this problem, if only there were more white-hats like you out there.

  • I really can’t answer that for certain out of thin air, sorry. It should be though, yes.

    But… I can never say something is ever completely removed from a system, from erased images to documents, etc.

    A System Restore affects Windows system files, programs, and registry settings. A restore can also make changes to scripts, batch files, and other types of executable files which may have been placed on the system or changed by a third party without user consent.

    I recommend installing the free version of Malwarebytes if you need validation for this particular infection. You can remove Malwarebytes afterwards or continue to use it.

  • Pingback: Beware os the The FBI Moneypak Ransomware Virus?
  • Thank you! I agree with others thanks for not forcing software down our throats like everyone else. Booked this site for future references because of it

  • thank you so much!!! i was freaking because this is my school PC and i thought all of my work had been lost. thanks for not being a typical company/person looking to make a buck preying on the naivety of people who have never seen something like this before. society as a whole can learn something from you, you restored some of my faith in people. if you’re ever in CO, i’ll buy you a round…

  • Thanks for this guide. I’m glad I’m not alone in having “child porn” on my computer. My heart almost stopped when I first saw this on my laptop. Luckily I figured the Sytem Restore option out on my own. I’m also fastidious in backing up my data.

    I’ve since found a program that images my entire hard drive so now when i have a problem like this blasted malware I have another weapon in my arsenal to fix it.

  • The weird thing is that mine did not say FBI mine said united states cyber security and immediately i knew it was a virus because it had the wrong ip address. I did the safe mode restart and knew about it because this has happened before to other computers in our house. Once performed i went back on youtube and continued watching my videos!

  • Husband got this on his computer this morning … when he finally let me sit in his chair I restarted in safe mode and did a system restore. That allowed me to get back on his login where I have downloaded malwarebytes and am currently scanning with the free version. Thank you all for your comments and help. He is happy again.

  • Got the FBI virus just this morning. The virus also disabled my ability to restore my PC to an earlier date. In Safe Mode with Networking, I was able to update my MalwareByte software to the latest version. When running MalwareBytes, you have to run a FULL SCAN. Quick Scan will not find or get rid of the virus.

    So, spend the time to run a full scan, restart, and you should be up and running again.

  • This was a big help. Thank you for the info w/o trying to get me to buy something or download a useless program. That is a definate plus and welcome relief. Thank you again it was a very pleasant experience.

  • Pingback: The FBI Moneypak Ransomware Virus - Sampsonics Computer | Sampsonics Computer
  • Thank you so much, the webcam was on my computer this am and i knew something didn’t make sense, like why couldn’t i have just used my credit card? so luckily i had my son’s laptop and googled this to find out it was a scam. I followed your instructions and my virus is gone. I cannot thank you enough for your help… coming from a person who is computer illiterate. You made it very easy.

  • Thanks so much, I woke up this morning and my computer webcam was on and I knew something was wrong! I tried to click away from the ransom page and it had me lock out of the rest of the computer. I knew that it was a virus or something but I was running late for work, so it had to wait until I got back. After following the instruction here I was back in business in just a few minutes. Great page and easy to follow instructions.

  • Thank you for posting this info. What goes around comes around and you have some very good things coming your way. Thanks again.

  • Why isn’t the REAL FBI doing anything about this? I see it on my customer’s computers weekly. Oh, they’re too busy going after 12-year-olds downloading bootleg copies of Ironman because of pressure from the media companies. Darn. Good ole’ America. Follow the money!

  • Pingback: How to remove FBI message?
  • I caught the Virus and was amazed at how authentic it looked. By the way…if you are foolish enough to send money to the “fake FBI”, don’t count on them removing the virus for you.
    BUT…I removed it quite easily by using the FREE version of Malwarebytes Anti Malware. One quick swipe and bye bye Virus. I’m sad to say that Microsoft Security Essentials (which I like) failed me this time.

  • First off thanks a bunch I was gonna pay 200$ and just make it worse. When I saw this I wanted to jump off a high cliff. Now, What if when you do the manual removal and try to find the ctfmon file it’s in;C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, but there isn’t an .lnk at the end of ctfmon and when I tried to delete it it just popped up again. I went through The rest of step 2. and for now the virus seems to have gone away. But the ctfmon worries me. Does it mean that the virus is laying dormant until it has a chance to pop up again?

  • Pingback: Scary Yankee Chick | FBI lock out virus or “OMG YOU DID SOMETHING BAD PAY US MONEY” virus
  • if this is in you/r hard drive will it also delete or will you lose all your pictures and software that was saved in your computer

  • My cousin got this from an email. He was stupid enough to click on a link, nothing else on it. Heheh, so later this window popped up. We were both like “Wtf?” then we read it and we were freaking out. We were on my dad’s computer and he wasn’t home. We were FREAKIN OUT!!!! I decided to do some research. I felt like an elephant got off my shoulders after I learned it was just a virus. But then the feeling came back when I saw what it could do. I was like, “We have to get rid of this. Now!” I kept researching in safe mode. I came to this page and saw that facebook post where the person used system restore. I was telling myself I was so stupid… Hahaha, after trying to delete all those system files I forgot about system restore! Well I ran system restore. That day was not my lucky day… There was 1 restore point. And guess what… IT WAS EARLIER THAT DAY!!!!! And It was a windows update finished after rebooting. The reboot is because my cousin tried to get me off by shutting the computer down. Oh my god, it was just at the right time, too. It was about an hour before he read the email. For once, him trying to prove me wrong saved our lives as we know them. NO HAXORS 4 US!!!! YESHHHHHHH!!!!!

  • Thank you so much for your help man, this virus had got me nervous thinkin i was having to pay 200$. I would had never known about malwarebytes but thanks to you my computer is safe!

  • Going into safe mode and removing ctfmon did the trick. Thanks to everyone for all the comments and info.

  • Thanks Sean Doyle, youre the man! I ended up using the safe mode system restore and it took me back quickly to better times. Follwed up with your suggested Malwarebytes and the scan indicated ‘0’ files, so if you can restore without losing too much previous downloaded info, I recommend.

  • this website literally saved my @ss. thank you so much! i got this on my laptop, thought it was a fake popup then realized i couldnt “x” out of it. i got worried then shut down my computer and it was still there. i played around with safe mode for a while then found this website on a different computer. within 10 minutes i had restored my laptop and it runs fine now. cant thank u enough

  • Ended up having to restore the system… but doing a malwarebytes scan just to be safe. Thanks for the help…

  • Pingback: Ransom | Writing Secrets of 7 Scribes
  • I got this nasty virus yesterday at 12:35pm. took me till now, 2:04am Early Saturday morning 14 hours later to finally have my machine back up and running. Thanks for all the great info and encouragement. I wish I could return the favor so all I can do is spread your link around to other people in need. Thanks for saving my butt!

  • Thanks the Mister got it, he was gonna pay til he ask me……….. FYI>>>>>>>>>>>>> The FBI will not nor has ever ask you to pay money for fines that you have been on an illegal website . Anyone who thinks this is crazy, these folks will knock your door down before telling you something like that, if its illegal you will know when the FBI is involved. We done the restore thanks, and once again the woman has solved the problem at my house lol

  • Got it this morning at home, many thanks for the analysis and removal instructions and all the commenters’ inputs – lots of good suggestions. Question: has anyone checked to see if the (real) FBI cares about their name being used this way? I suppose the charge would be something like “fraud committed under color of law”? …they do have resources, probably good enough, if they were to choose to get serious about going after this.

  • This very helpful site and info saved my netbook from being tossed from a thirty-story window! Thank you so much! I used the “Safe Mode” start option and deleted the pirate from the Start Menu in All Programs. I had to start using my usual username, whereas the first attempt I made was with the Admin account. Thanks again!

  • Well it happened to me, Got scared and sent a money pak fo $200.00.
    Had a good friend that solved the situation but still lost the doe.
    Good lession

  • Thanks to this good man who wrote all this information about of this bad gus,who extorsioning to the people whose we use the computer,just for good things,no for durty activities like them,this stupid people make me have a hard time they bloked my laptop and know I dont know if will work again laike before,I am following up the instruction that this friend is giving to remove this dirty virus I hope that maybe I get it.
    I want to tell you again my friend thanks for makeme fill free of preocupation please leave this information accecible for more people like me who need orientation about of this donkey guys!! God Bless you!!

  • Brilliant thank you, I did safe mode and installed free avg and did a scan which removed some stuff and then downloaded free malwarebytes which removed other stuff but i didnt pay attention to any names it removed. Anyway it seemed to work so thanks a lot!

  • Thank God for these directions. What Sam’s comment says does work. It’s in the removal directions in this article so you don’t have to read the comment below though.

  • This morning i experienced the same ransomware from the metropolitian police e-crime unit. After following the above suggestion it worked. So please that there a fix to this. Thank you

  • I knew it was a virus. It was weird I was able to use the internet for like a few minutes each time I unplugged it. So I bought Malware Bytes instead of using the free one just so I could contact their support if thats how it wwent but it found the fbi virus right away. I didn’t even press scan.
    Thank you! 🙂

  • I was literally about to drown myself in my own tears!
    As you can tell I have been a victim of this awful scam and I want to thank you so much for being incredibly helpful with your multiple step-by-step instructions! It definitely took me many attempts to successfully remove the scam but nevertheless, I did it, all thanks to you! Thank you!!!

  • Remember, you can sue FBI if they did web-policing to violate your privacy.
    My simple way to fix it:
    enter safe-mode with networking.
    Pull-up “Start” menu and “All Programs” “StartUp” folder.
    Remove “ctfmon” link (or similar).

  • Thank you, thank you, thank you! I turned on my computer this morning and my computer was blocked, and I was freaking out that I was going to have to pay $200. Thanks for the help.

  • In my case it didn’t let me enter safe mode, it just freezed when all the list of drivers appear loading. But I found that if I opened a program like Advanced System Care or CCleaner (that asks you if you let them make changes in the computer) fast enough the blocking page didn’t appear. So I opened them and avast at the same time and programmed a virus scan when rebooting. The first time after the scan the blocking page showed again, but after a second reboot it said deo0_sar.exe couldn’t start because it was a virus. I think its over now.

  • First of all, thanks for caring so much! I can’t believe you take the time to respond to individual troubles. Humanity exists! Haha. That being said, can you explain the registry editor process? I’m trying to enter the data in safe prompt mode, but not sure how to go about it. Do I create new values (string, binary, etc?) This is all Mandarin to me. I’m just proud I made it this far!

  • my sister has this virus and she rebooted her computer before she called me. Her keyboard is not being recognized now. Any ideas on this?

    • Well that can be a few things, but should be easily or even randomly fixed (or configured). If she is using a wireless keyboard the FBI Moneypak virus is known to interrupt recognition. If this is the case plugin a USB keyboard and check your “devices” for configuration settings.
      Sometimes, if you restart your computer but do have your keyboard plugged in it may cause your keyboard to malfunction as well.

      Hope this helps. If not and you seek more assistance please send me an email with more information sean@botcrawl.com and I’ll provide you with proper details.

  • Thank you for this useful information. Manual worked fine. Great to see someone combating these pirates. Please keep up the good work and know it is appreciated.

  • Pingback: FBI Moneypak ransomware virus - SG Guitar Forum
  • Pingback: FBI Moneypak ransomware virus - My Les Paul Forums
  • This is the best, thank you. Google needs to make this the top result not second because other articles were just terrible.

  • Omg…I am so glad I found this page. Stupid virus wouldn’t let me do anything. I unplugged my Internet and went into safe mode. Restored my comp to an earlier date. It seems to have worked. Hopefully it’ll stay that way. Thanks for the info 🙂

  • Had the same virus mine was real tough to get rid of. Glad I found the information here. Mine would not let me open anything in safe mode. I had to keep hitting F8 and click on top and lower safe mode corners to get explorer up. Then when the explorer box came up you have only a few seconds to type explorer in the box. Remember even in safe mode you don’t have a lot of time because the virus starts back up and safe mode shuts down and goes to the virus screen. Malware did not get rid of it because after the scan I started my computer up and the virus was back. I had to start all over trying to explorer back up it took some time again so you have to have some patience not like me. I had to walk away and I got my wife to try and guess what she got to the explore screen with the restore system up. I don’t know if this is a new and harder version to get rid of. So I had to restore first then ran malware 2nd and last I ran my avira anti virus scan. So far the computer seems ok. The information on this site was great lucky I had a lap top so I could access the info. Thanks Again

  • This info was great, i cant belive it was so easy to remove. Could someone tell me when and where this virus originared, i red something bout europe but this scam is just beyond anything i have ever seen…

    Also can they actually see you? I did not notice the camera at the begining… Or is simply your own stream?

    Also unplugging your internet completely stops the virus from working.

  • I got rid of the virus using AVG 2012 Anti-Virus software, and by doing a system restore afterwards. I highly recommend AVG because it is very thorough when scanning and it is so easy to configure and use.

  • Thank you so much for this information it worked frist try! I have been at it all day with no luck found this site and your answer tried it and its gone thank you again!

  • Thank you soooo much for this instructions, I removed it in Safe Mode. It was easy to follow all the steps and I removed everything that has virus installation date and time in temp files. It installed on my work comupter and I was freaking out … You saved my day!!!

  • Many many many many thanks to you! This was the freakiest virus every, with the webcam and all! Too obvious for any individual with a brain to fall for but a pain in the neck to get rid of. We are so grateful for the instructions, could have not gotten to a point to navigate to system restore without, you have saved the day!!!

  • Pingback: FBI Moneypak Virus - The easiest way to remove the fake FBI virus | Sean.WPengine.com
  • Whenever I go to delete/open the temp folder it says I cannot do so because it is open in another program 🙁

  • The manual removal in safe mode with networking is what worked for me. The removal of the second part was named differently, so I simply deleted everything from that day/time. Thanks a lot for this!

  • just had to deal with this stupid virus made IE crash (thank you microsoft for easy IE crashing) to get out of that window, (i pressed control alt tab when ie crashed,) i started to restart so i could enter safe mode, had the popup of are you sure you want to lose the work on these programs with the options restart anyway or cancel, realized my webcam had turned off and hunted down and destroyed the files with a prejudice…….

  • Booting into Safe Mode (Continually tap the F8 on boot up) will give you the option to “Restore your computer to an earlier time” as soon as Windows loads. I just did this and selected a date prior to the infection and the machine booted up after the restore without issue. Then, scanned with MalwareBytes and found nothing. Infection gone. I’m either upgrading MalwareBytes to the pay version or installing Microsoft Security Essentials.

  • Another way to remove the FBI MoneyPak virus is to use Malwarebytes Anti-Malware software. You can find it here Malwarebytes.org. Just make sure you do a “Full” system scan. It will take longer than a quick scan, but it will detect, and allow you to remove the trojan.ransom virus (FBI MoneyPak) virus.

  • ive got the virus now, and for me if i disable or disconnect the internet the virus doesnt run. This may help others who are having issues with the virus to at least let you get access to your computers settings. so far i have tried multiple virus scanners and malware scanners all have said they have deleted it, but as soon as i reboot and reconnect the internet the screen locks again. Good luck everyone, this one is mean. i hope this little bit of info help you to at least access your system to try and get rid of it. so again DISABLE YOUR INTERNET and you should(as i did) gain access to your systems the virus seems to require an active connection to lock you out.

  • guys i was freaking out…almost paid but i calmed down and looked it up luckily haha tis worked for me. the system restore i mean.

  • I was able to just simply restore my computer to a time earlier in the the same day that I got this ransomeware. Thanks. I was glad that I didn’t need to follow the instructions above, as am not the most computer savvy, though it doesn’t seem to painful. Thanks again.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

How to remove armadilo1 virus (Ransomware)

How To Remove The Sabam Virus – Fake Sabam Ransomware Removal Instructions (Sabam Malware)

How to remove DCry virus (Ransomware Removal)