How to remove FBI virus (Ransomware Removal Guide)

In 2012 we discovered ransomware that imitated the FBI in hopes of extorting currency from unsuspecting victims. We coined the term FBI virus based on our findings and were the first and only website to publish information about this computer virus. Nowadays, ransomware in the United States has evolved a great deal. Some ransomware will still pretend to be the FBI, but the threat of the FBI is becoming increasingly obsolete as people are no longer tricked into believing it.

FBI Virus

The FBI virus is still around but a lot has changed. Ransomware has moved away from only restricting access to a victim’s computer to encrypting, deleting, or storing files in a password locked archive. This allows the malware authors to hold files on the computer for ransom instead of the entire machine by promising victims a way to decrypt, decode, or recover encrypted, password-locked, or deleted files.

The term FBI virus can be used to describe many variants of ransomware that use an FBI logo or claim to be the FBI. The FBI virus is essentially a computer virus (ransomware) that locks access to a computer system, displays a message that claims to be from the FBI stating that the computer was involved in prohibited activities, and demands a payment in order to unlock the computer and avoid penalties or jail-time from the FBI. The FBI virus can also refer to ransomware that encrypts files on a computer, changes the filenames, adds a new file extension, and ultimately holds the files ransom for a hefty fee.

If your computer has been locked or encrypted by a source that claims to be the FBI then you are infected with the FBI virus. However, do not be alarmed, because the FBI did not actually lock your computer or corrupt the files on your computer. You are not in trouble with the FBI if this happens to you. This is a computer virus that is in no way, shape, or form associated with the FBI or any legitimate government agency.

If your computer is infected with the FBI virus it may become locked and a full-screen window may appear that claims to contain a message from the FBI. The fake FBI message usually claims that the computer was used illegally and in order to avoid jail-time or other consequences the computer owner must pay a fine via Greendot MoneyPak cards, UKash Vouchers, REloadit, Ultimate Gaming Cards, Bitcoins, PayPal, or other online payment or credit sources.

It is not recommended to pay ransomware authors to decrypt your files. This will only support their activities. Instead you can use programs like Shadow Explorer or Recuva to try and restore corrupted files if you were not able to decrypt your files for free.

Aliases: FBI virus, FBI ransomware, FBI MoneyPak virus

FBI Virus Removal Guide

1. Download and Install Malwarebytes Anti-Malware software to detect and remove malicious files from your computer.

2. Open Malwarebytes and click the Scan Now button – or go to the Scan tab and click the Start Scan button.

3. Once the Malwarebytes scan is complete click the Remove Selected button.

4. To finish the Malwarebytes scan and remove detected threats click the Finish button and restart your computer if prompted to do so.

5. Download and Install HitmanPro by Surfright to perform a second-opinion scan.

6. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may choose to create a copy or perform a one-time scan.

7. Once the HitmanPro scan is complete click the Next button.

8. To activate the free version of HitmanPro: enter your email address twice and click the Activate button.

9. Click the Reboot button.

10. Download and Install CCleaner by Piriform to clean up junk files, repair your registry, and manage settings that may have been changed.

11. Open CCleaner and go to the main Cleaner screen. Click the Analyze button. When the process is complete, click the Run Cleaner button on the bottom right of the program interface.

12. Go to Tools > Startup and search for suspicious entries in each tab starting from Windows all the way to Context Menu. If you find anything suspicious click it and click the Delete button to remove it.

13. Go to the Registry window and click the Scan for Issues button. When the scan is complete click the Fix selected issues… button and click Fix All Selected Issues.

Troubleshooting

This troubleshooting guide to remove FBI ransomware contains different options to remove this infection.

Manual FBI virus removal

1. Open Windows Start Menu, type %appdata% into the search field, and press Enter.
2. Go to: Microsoft\Windows\Start Menu\Programs\Startup
3. Remove ctfmon (ctfmon.lnk if in dos). This is what’s calling the virus on start up. This is not ctfmon.exe.

4. Open Windows Start Menu, type %userprofile% into the search field, and press enter.
5. Go to: Appdata\Local\Temp

6. Remove rool0_pk.exe, [random].mof, and V.class

The virus files may have names other than “rool0_pk.exe”, but the file names should look similar and follow the same naming style. There may also be 2 files, 1 being a .mof file. Removing the .exe file will fix FBI Moneypak. The class file uses a Java vulnerability to install the virus, and V.class is removed for good measure.

FBI Moneypak Files:

The files listed below are a collection of what causes FBI Moneypak to function. To ensure FBI Moneypak is completely removed manually, delete all of the listed files that you can locate. Keep in mind that [random] can be any sequence of numbers or letters, and some files may not be found in your infection.

%Program Files%\FBI Moneypak Virus
%Appdata%\skype.dat
%Appdata%\skype.ini
%AppData%\Protector-[rnd].exe
%AppData%\Inspector-[rnd].exe
%AppData%\vsdsrv32.exe
%AppData%\result.db
%AppData%\jork_0_typ_col.exe
%appdata%\[random].exe
%Windows%\system32\[random].exe
%Documents and Settings%\[UserName]\Application Data\[random].exe
%Documents and Settings%\[UserName]\Desktop\[random].lnk
%Documents and Settings%\All Users\Application Data\FBI Moneypak Virus
%CommonStartMenu%\Programs\FBI Moneypak Virus.lnk
%Temp%\0_0u_l.exe
%Temp%\[RANDOM].exe
%StartupFolder%\wpbt0.dll
%StartupFolder%\ctfmon.lnk
%StartupFolder%\ch810.exe
%UserProfile%\Desktop\FBI Moneypak Virus.lnk
WARNING.txt
V.class
cconf.txt.enc
tpl_0_c.exe
irb700.exe
dtresfflsceez.exe
ch810.exe
0_0u_l.exe
[random].exe

End FBI Moneypak Processes:

Open Windows Task Manager (Ctrl+Alt+Delete) and end the rogue FBI Moneypak process. Please note that the process will have a random name, shown here as [random], which may contain a sequence of numbers and letters (e.g. USYHEY347H372.exe).

[random].exe

Remove Registry Values:

To access the Windows Registry Editor, type regedit into the Windows Start Menu text field and press Enter.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random].exe
HKEY_LOCAL_MACHINE\SOFTWARE\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegistryTools’ = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system ‘EnableLUA’ = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ‘WarnOnHTTPSToHTTPRedirect’ = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegedit’ = 0
HKEY_CURRENT_USER\Software\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ‘Inspector’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableTaskMgr’ = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
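
Before deleting anything by hand, the file and registry lists above can be checked in one pass. The PowerShell script below is an added example, not part of the original guide: it only reads and reports, the helper name Add-Finding is hypothetical, and the choice of which policy settings to flag and the "user-writable folder" pattern for Run values are assumptions of this example.

```powershell
# Added example: read-only triage for the file and registry indicators listed in this guide.
# Nothing is deleted or changed; every hit still needs a human decision.
$findings = @()
function Add-Finding([string]$Kind, [string]$Item, [string]$Note) {
    $script:findings += New-Object PSObject -Property @{ Kind = $Kind; Item = $Item; Note = $Note }
}

# 1. Startup folder entries named in the file list.
$startup = [Environment]::GetFolderPath('Startup')
foreach ($name in 'ctfmon.lnk', 'wpbt0.dll', 'ch810.exe') {
    $path = Join-Path $startup $name
    if (Test-Path -LiteralPath $path) { Add-Finding 'Startup' $path 'named in the file list' }
}

# 2. Top level of %AppData%: fixed names from the list, the Protector-/Inspector-
#    patterns, and any other .exe (the list's "[random].exe").
$fixed    = 'skype.dat', 'skype.ini', 'vsdsrv32.exe', 'result.db', 'jork_0_typ_col.exe'
$patterns = 'Protector-*.exe', 'Inspector-*.exe'
Get-ChildItem -LiteralPath $env:APPDATA -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $file = $_
        if ($fixed -contains $file.Name) {
            Add-Finding 'AppData' $file.FullName 'fixed name from the file list'
        } elseif ($patterns | Where-Object { $file.Name -like $_ }) {
            Add-Finding 'AppData' $file.FullName 'matches Protector-/Inspector- pattern'
        } elseif ($file.Extension -eq '.exe') {
            Add-Finding 'AppData' $file.FullName 'executable in the AppData root, review'
        }
    }

# 3. Top level of %Temp%: the manual steps remove an .exe, a .mof and V.class from here.
#    Installers also leave .exe files in Temp, so these are review items, not verdicts.
Get-ChildItem -LiteralPath $env:TEMP -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   ($_.Name -eq 'V.class' -or (('.exe', '.mof') -contains $_.Extension)) } |
    ForEach-Object { Add-Finding 'Temp' $_.FullName "last written $($_.LastWriteTime)" }

# 4. Registry keys the guide lists by name.
foreach ($key in 'HKCU:\Software\FBI Moneypak Virus',
                 'HKLM:\SOFTWARE\FBI Moneypak Virus',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak Virus') {
    if (Test-Path -LiteralPath $key) { Add-Finding 'RegKey' $key 'key from the registry list' }
}

# 5. HKCU Run values: the 'Inspector' value from the list, plus anything started
#    from AppData or Temp (assumed pattern; legitimate software also runs from AppData).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        if ($_.Name -eq 'Inspector' -or "$($_.Value)" -match 'AppData|Application Data|\\Temp\\') {
            Add-Finding 'RunValue' $_.Name "$($_.Value)"
        }
    }
}

# 6. Policy values from the list. Flagged only where the setting switches a protection off:
#    Task Manager or registry tools disabled, UAC off, or elevation without a prompt.
$hkcuPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$hklmPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policies = @(
    @{ Key = $hkcuPol; Name = 'DisableTaskMgr';             WeakWhenZero = $false },
    @{ Key = $hkcuPol; Name = 'DisableRegistryTools';       WeakWhenZero = $false },
    @{ Key = $hklmPol; Name = 'EnableLUA';                  WeakWhenZero = $true  },
    @{ Key = $hklmPol; Name = 'ConsentPromptBehaviorAdmin'; WeakWhenZero = $true  }
)
foreach ($p in $policies) {
    $item = Get-ItemProperty -LiteralPath $p.Key -Name $p.Name -ErrorAction SilentlyContinue
    if (-not $item) { continue }               # value not set: Windows default applies
    $value = $item.($p.Name)
    $weakened = if ($p.WeakWhenZero) { $value -eq 0 } else { $value -ne 0 }
    if ($weakened) { Add-Finding 'Policy' "$($p.Key)\$($p.Name)" "current value is $value" }
}

# 7. Image File Execution Options: a Debugger value makes Windows start the named
#    debugger instead of the program; the list shows svchost.exe set for security tools.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO' $_.PSChildName "Debugger = $dbg" }
}

$findings | Select-Object Kind, Item, Note | Format-Table -AutoSize -Wrap
if (-not $findings) { 'No indicators from the guide were found for this user.' }
```

Run it while logged in as the affected user, because the %AppData%, %Temp% and HKEY_CURRENT_USER checks only cover the account that runs the script.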

System Restore – Recovery

Below we detail 3 different sets of instructions to restore or recover a common Windows computer.

Windows Start Menu Rstrui.exe Restore

  1. Access Windows Start menu
  2. Type rstrui.exe into the search field and press Enter
  3. Follow the instructions in the Windows Restore Wizard


Start Menu System Restore

  1. Access Windows Start menu and click All Programs.
  2. Click and open Accessories, click System Tools, and then click System Restore. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  3. Follow the simple instructions to Restore your computer to a date and time before infection.

Safe Mode With Command Prompt Restore

If you cannot access the Windows desktop, this is the suggested step. If it is difficult to start Windows in safe mode, or if Windows brings up a black screen with “safe mode” in the four corners, move your cursor to the lower left corner, where the Search box is usually visible in the Windows Start Menu, and it will come up, including the “Run” box.

1. Restart/reboot your computer system. Unplug if necessary.

2. Start your computer in “safe mode with command prompt”. To properly enter safe mode, repeatedly press F8 upon the opening of the boot menu.

3. Once the Command Prompt appears you only have a few seconds to type “explorer” and hit Enter. If you fail to do so within 2-3 seconds, the FBI MoneyPak ransomware virus will not allow you to type anymore.

4. Once Windows Explorer shows up browse to:

  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter

5. Follow all steps to restore or recover your computer system to an earlier time and date (restore point), before infection.

Safe Mode with Networking

This option is for users who need access to the Internet or the network they’re connected to. This mode is helpful when you need to be in Safe Mode to troubleshoot but also need access to the Internet for updates, drivers, removal software, or other files to help troubleshoot your issue.

  • This mode will also bypass any issues where Antivirus or Anti-Malware applications have been affected or are malfunctioning because of the FBI Moneypak infection’s progression.

The plan with this option is to start your computer in “safe mode with networking” and install anti-malware software. Proceed to scan, and remove malicious files.

1. Reboot your computer in “Safe Mode with Networking”. As the computer is booting (when it reaches the manufacturer’s logo) tap and hold the “F8 key” continuously to reach the correct menu. On the Advanced Boot Options screen, use your keyboard to navigate to “Safe Mode with Networking” and press Enter.

  • Make sure to log into an account with administrator rights.

The screen may appear black with the words “safe mode” in all four corners. Click where the Windows Start menu normally is to bring it up.

2. There are a few different things you can do…

  • Pull-up the Start menu, enter All Programs and access the StartUp folder.
  • Remove “ctfmon” link (or similar).

This seems to be an easy step in removing the FBI virus for many users.

Now, move on to the next steps (which are not a necessity if you removed the file above but provide separate options for troubleshooting).

3. If you still can’t access the Internet after restarting in safe mode, try resetting your Internet Explorer proxy settings. The 2 separate options and steps below will reset the proxy settings in the Windows registry so that you can access the Internet again.
How To Reset Internet Explorer Proxy Settings

  • Option 1

In Windows 7 click the Start button. In the search box type run and in the list of results click Run.

In Windows Vista click the Start button and then click Run.

In Windows XP click Start and then click Run.

Copy and paste or type the following text in the Open box in the Run dialog box and click OK:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

Open the Run dialog box again in the same way for your version of Windows, then copy and paste or type the following text in the Open box and click OK:

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f

Restart Internet Explorer and then follow the steps listed previously to run the scanner.

  • Option 2

Launch Internet Explorer. In Internet Explorer go to: Tools->Internet Options->Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled Use a proxy server for your LAN. Click OK.

4. If you do not already have Malwarebytes on your system, it is now recommended to download it (free or paid version) and run a full system scan to remove FBI Moneypak malware from your computer.

Flash Drive

  1. Turn off your computer system and unplug your internet connection.
  2. Turn the machine back on. (In some cases the virus can only open if your machine is plugged into the internet.)
  3. On another (clean) computer, download Malwarebytes or your preferred removal program and load the Mbam-Setup.exe (or similar) file onto the flash drive.
  4. Remove the flash drive from the clean computer and insert it into the affected machine, then proceed to install Malwarebytes (etc.) using the setup file located on the flash drive.
  5. Run a full system scan. Malwarebytes will find and eradicate malicious files.
  6. Restart your machine.

Optical CD-R

  1. Place a blank CD-R into your CDROM drive
  2. Download and place Microsoft Defender or your preferred removal program onto the blank CD-R
  3. Restart your computer and boot from CD

“You may need an old school keyboard (not the USB, but the PC connector type) since the virus delays the USB startup. The Defender will clean your PC in totality. This virus is somehow complex, but is no match for Windows Defender. After the scan is complete, run again a full scan without a restart.”

Slave Hard Disk Drive

If you are having complications with Anti-Malware software a suggestion would be to slave your HDD, then proceed to scan. You will need a second operating computer and tools to remove your hard drive. *Please note this may be difficult for some users and there are other options to scan your hard drive during complications. This is a common practice for local computer technicians.

  1. Remove the Hard Disk Drive from your computer.
  2. On the circuit board side of your HDD set the drive to “slave”.
  3. Connect the slave drive to an unaffected computer.
  4. Scan the slave drive, and proceed to remove any malware on the drive. Make sure to scan each user account.
  5. Reconnect the HDD to your original computer.

How to stay protected against future infections

The key to staying protected against future infections is to follow common online guidelines and take advantage of reputable Antivirus and Anti-Malware security software with real-time protection.

Real-time security software

Security software like Malwarebytes and Norton Security have real-time features that can block malicious files before they spread across your computer. These programs bundled together can establish a wall between your computer and cyber criminals.

Common Online Guidelines

  • Backup your computer and personal files to an external drive or online backup service
  • Create a restore point on your computer in case you need to restore your computer to a date before infection
  • Avoid downloading and installing apps, browser extensions, and programs you are not familiar with
  • Avoid downloading and installing apps, browser extensions, and programs from websites you are not familiar with – some websites use their own download manager to bundle additional programs with the initial download
  • If you plan to download and install freeware, open source software, or shareware make sure to be alert when you install the object and read all the instructions presented by the download manager
  • Avoid torrents and P2P clients
  • Do not open email messages from senders you do not know

Sean Doyle

http://Botcrawl.com

Sean Doyle is an engineer from Los Angeles, California. Sean's primary focuses include Internet Security, Web Spam, and Online Marketing.

Comments ( 536 )

  1. Bart
    Thank you, it fixed my issue. Altough the method that ONLY worked for me was the command line. Easy just install malwarbyte on the flash, type explorer and you are good to go. Thanks again for resource. Bart
  2. Lee Riker
    Thank you so much! I used the safe mode with networking and ran the malwarebytes scan and it locate two bot files and I removed them, restarted and whalahhhh! It worked! You are awesome. Thanks for putting this information out there for us!
  3. Emil
    This afternoon7,June I got the FBI Trojan. I managed to remove it using the SAFE MODE RESTORE instructions you provided. Thanks for your Help. I noticed a restore point got established about the time I got the trojan. When I clicked SHOW WHAT IS REMOVED AND ADDED ther were no files in either action. It did say it was a windows update butI wonder if this was the path on how the trojan got access to my computer
  4. Jenna
    Thank you... This worked!!!!!!!!!!!!
  5. Rodger
    I have been hit twice now with FBI virus and am using malwarebytes this time . I used an old Kaspersky disk first time to remove the virus, but got it again after the 30 day trial.The only way I could get the computer to clear the white screen was to tap the power button quickly then x out the close program prompt. This doesn't remove the virus but frees up the computer till you restart or it pops up again after leaving on. System restore did not work on this version either time. I am confident this software will work but don't want to wait at the computer for full scan to finish. I hope the"Button Tap" will help someone else. I stumbled onto the idea out of sheer frustration.
  6. Shane
    Just had this FBI Moneypak Virus pop up on me tonight... Logged on to my computer, and then all of a sudden I was smacked with an incredibly startling notice. I was trying to figure out what I had done wrong haha. After finding this post, I was able to start safe mode and download the Malwarebytes Anti-Malware software. It's scanning now, and has already found 32 infected objects! I have a Lenovo Thinkpad (Windows 7), and I want to make sure this dilemma gets resolved. Is there anything else I may need to do to clear this up? Thanks for the assistance!
    • Shane
      Just finished the Malwarebytes scan and deleted all the infected files... Thanks for your help and assistance botcrawl.com!! You guys are awesome!!!
    • Anonymous
      I have Windows vista and did rebooted in safe mode with networking. Then did a system restore. Worked liked a charm! Thank botcrawl!
  7. Craig
    I had to hook my hdd up to my dad's computer and had it scanned with MalewareBytes. My computer worked normally after that, but I did a second scan with AVG just to be sure and it caught a few more trojans. One file was named wij1b.bat and now on startup I get a RUNDLL error saying that wij1b.bat could not be found. I found a file in my documents and settings\all users\application data folder (where it said the .bat file should be) and found another file called b1jiw.pad. Are these part of the virus and how would I make RUNDLL stop trying to load it?
  8. Bryan
    Finally got rid of this thing tonight. The newest version of this was tough. Been working on removing it for 4 days. Finally the latest update of HitManPro did the trick. I think had to fix some file extension settings after the virus was gone. I couldn't open ANY .exe file. That was the easiest part thanks to Microsofts FIX-IT. I'll be more careful next time. Learned a good lesson.
  9. Anonymous
    I almost fell for this!...I thought I had unknowingly stumbled on an illegal site....I about cried thinking I had to come up with 300 dollar in three days!.....
  10. shane
    Why didnt my firewall and Mcafee antivirus stop this?
  11. Anonymous
    Amazing!!!! So glad I didn't have to punish my brother in law...and he was too. You guys are wonderful and saved us alot of money
  12. Deanna Hanson
    Thank you soo much for your help with this virus, This thing attacked my 13 year old sons computer. Scared the crap out of him, he thought he had done something wrong. I got his computer back by using the safe mode with command prompt restore option and am now running malware bytes and a full virus scan on it.
  13. Anonymous
    how can you remove it using remote control? I remote in to my customer's PC but i'm unable to do anything, like CTRL ALT DEL etc. Customer does not know how to press F8 upon bootup. =/
  14. Anonymous
    Used the safe mode restore....worked perfectly...thank you.
  15. Marc
    Thanks for this great article! I used safe mode and restored my system and used malwarebyte to scan it through and it was OK today. Best regards!
  16. Anonymous
    i did something idk if its listed here but this was my second run-in with the virus so since I have windows8 I used some sort of reset? anyways I wiped my whole computer clean. EAT THAT YA ----ing VIRUS
    • Sean Doyle (Author)
      Thank you, the refresh/reset options are a great solution for Windows 8 Operating Systems: http://botcrawl.com/how-to-refresh-and-reset-windows-8-operating-systems/
    • Matt miller
      That's what I'm in the process of doing right now. This blows. I had like 4000 songs on there too:(
      • Sean Doyle (Author)
        A system restore and refresh will not delete your songs. A system recovery and reset will. =)
  17. Steve
    When I first saw this I was stunned. I wasn't looking at anything wrong, but it locked the computer up pretty good. I luckily logged off, and then on to my wife's user and did the system restore just hoping. I have done this for the 4th time today, so either it is getting spread a lot or I still have it - but my point is to have everyone set-up at least one additional user account, for at least this purpose.
  18. Empower
    "Safe Mode" Worked perfectly! Ty
  19. Alex
    Thank you a lot! This happened to my child's computer, and she was crying and scared! On her computer it had a different picture, but she thought it was real.
  20. Dan Lawler
    Stupid mugu trick. These Nigerian idiots will try anything to con you.. They figure the 419 is not working anymore. The dating scams are getting clobbered so some stupid hack come up with this. Remember no law enforcement official will ever block your computer and demand a ransom (your entitled to due process of law) If there is a real problem they will visit you personally and have to present a search warrant. (a judge will not issue that unless there is hard evidence that a crime may have been committed)
  21. Kella
    I don't know if the malicious info or whatever is actually gone from my computer BUT it indeed worked! My laptop is back to normal and the FBI fake thing is now gone from my eyes.. or sight or something. I am not too sure if it's fully gone though. I used a scan thing like for to scan for affected programs.. and then yeah.. I thought Norton still could be a little helpful, even though I had to renewal my uh membership? Anyways, thank you so much for saving my life. I could've done suicide.. yeah, weird but I have been teased and tortured enough. (Not like hurting others kind of torturing) I MUST TELL EVERYONE I KNOW WHO HAS THIS TROJAN THING ABOUT THIS SITE NOW!
    • Anonymous
      Your life will get better if you keep working at it. No need to suicide.
  22. Anonymous
    Your guys team was the first to investigate and publish removal instructions about this ransomware and you guys are still the best. Thanks for the hard work!
  23. Nathan
    Awesome guys. Thank you. Did the safe mode command prompt, thanks so much.
  24. Anonymous
    Thank you! So helpful!
  25. Marc
    I know very little about computers...but this might help others. I have 2 HD with 2 OS.After infected C: drive boot, I booted with secondary F: and installed malwarebytes with thumb drive. I scanned the C drive and could not locate the virus...BUT...i did not realize when I booted with my old F: drive it reshuffled drive identifiers....so I did locate virus when I scanned the new F: drive which was the C: drive from my infected boot.......DUMB on my part...wasted several hours
  26. Sam
    I got hit with the FBI Moneypak virus this afternoon. I was able to do a system restore by tapping F11 on my HP Computer when the computer started up. After the system restore was done, my computer was back to normal, and I also scanned my hard drive with Norton to make sure I was OK. I was really worried that the virus was real, and the FBI were going to arrest me within 72 hours! Glad it wasn't real after all.
    • Micaela
      right!? Jegus it was frightening!!! I was trying to get on my grandma's computer for a health project and all of a sudden: YOUR COMPUTER IS BLOCKED >_>
    • Anonymous
      Thanks...this worked!!!
  27. anonymous
    My laptop has been hit with what I assume is another update of this virus, it claims to be from the US Dept. of Justice, it demands $450 on a moneypak within 48 hours. It's really frightening, especially when you have no idea what you did to incur this type of intrusion
  28. fbi-virus-computer-screen-is-whiteblank/ – The IT Bros | incomeontheline.com
    [...] Also, here is another great resource on some additional things to try: http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/#option... [...]
  29. FBI Virus - Computer Screen is White/Blank and no Safe Mode - TheITBros
    [...] Also, here is another great resource on some additional things to try: http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/#option... [...]
  30. Anonymous
    Wow thank you for helping me remove the virus. I think you guys did a great job explaining.
  31. Anonymous
    Thank you so much. You are a life saver
  32. Anonymous heterosexual
    ILOVE YOU !!!
  33. Anonymous
    Can they access all my information in my computer? if so, what should I do? I really don't know anything about computer. Thanks
  34. Anonymous
    I have this virus infected my computer too. I have many important information (like bank acct and SSN on some documents) saved in my document folder. Wonder if the hacker really take all information?
  35. I hate news stations. | My blog
    [...] any event that happens outside of our governments direct control. For example, did you know that a virus has been spreading constantly on many computers throughout the world that is nearly irremovable? [...]
  36. Anonymous
    Thank you so much guys. I really appreciate this information. If it wasnt for this I would have taken a zero on an important assignment for school. Seriously thank you so much
  37. Anonymous
    Great solution, Got stuck with FBI virus and didn’t know what to do. This helped so much and worked like a charm the first time. I used the safe mode with command prompt. I have a windows 7 computer and used the browser C:\windows\system32\rstrui.exe. They aren’t kidding about typing in explorer as soon as it appears. May want to pay attention to see when this comes up because after 3 seconds you have to restart. To get my computer into safe mode I had to force shut down by taking the battery out of the laptop. Great trick and it is simple.
  38. Douglas Adkins
    I had opened up my "Task Manager" and started ending processes until it went away. I started with processes that looked out of place and left the others alone (of course). I came upon one labeled as "euhzwbbp.exe" and when I ended that process, it disappeared. Hope this helps!
  39. Anonymous
    Thank you so very much for this information. I'm currently on bed rest and need my computer to stay connected to the outside world. This article saved my sanity.
    • Sean Doyle (Author)
      You're very welcome. Glad we could be of help!
  40. FBI Moneypak Ransomware Virus - wrecked my day. anyone have this?get it fixed?
    [...] http://botcrawl.com/how-to-remove-th...lware-removal/ and my computers. What a blow to the gut. this thing is a severe severe virus. gonna have to spend coin to get this one taken care of. anyone ever been hit by one of these and if so what did you do to get your computer out of the hostage situation. that happened, and an hour later our landlord and I had a misunderstanding regarding the utilities being included in our rent, and now i am being stuck with 7 months of utilities. what a stupid day/week/year i am having. just doesnt stop. Gas was turned off so i have no heat til monday. cause i needed that as well. had to pay a ton to get them to turn it back on, and they cant get here til then. garbage garbage day.   [...]
  41. melissa
    Thank you so much with your help I fixed my computer:-)
  42. GPaige
    If you can get to Safe Mode on your windows 7; system restore fixed it in about 10 minutes. Thanks to whomever posted all those tips, I finally got it to work after unplugging my pc for 30 mins.
  43. Anonymous
    Big thanks to the authors. Everything seems to be back to normal. Very much appreciated!
  44. Strange tapping - Homesteading Today
    [...] have a clue on the tapping. There is an FBI Virus around that I just heard about. http://botcrawl.com/how-to-remove-th...lware-removal/ Link will explain what it is and how to remove [...]
  45. Anonymous
    Coolest website in the world. Thank you so much guys!
  46. Anonymous
    I just ran into this program and boy was it a pain in the @ss. First off, it looks like the hacker has now adapted. If I go into safe mode, the computer will restart by itself soon after. Not to be defeated, I ran "windows in safe mode while opening command prompt" instead. I then went to "C:\Users\[your name]\AppData\Roaming" where I found 2 files, skype.dat and skype.ini. So, I deleted them both. I'm glad I don't use skype since it would have blown right past me. To be on the safe side, I also went to "C:\Users\Ross Chan\AppData\Local\Temp" and did a del * there before restarting. Voila! Virus gone. I them proceeded to do a system restore and scan. Hope this helps for anyone else having this problem, and don't let the hackers win!
    • Anonymous
      Thanks a lot!! It works!! Go to "windows in safe mode while opening command prompt” and type "cd C:\Users\[your name]\AppData\Roaming”, then type "dir", I found those 2 files, skype.dat and skype.ini. Type "del filename" and ENTER!! Restart the computer and run AVG. Everything back to normal!
  47. Timothy Kent
    Thank you! There should be an award for people like you
  48. Anonymous
    Thank you so much !!! The Safe Mode With Command Prompt Restore worked for me !! THANK YOU
    • Anon
      Worked for me as well. Thank you everyone!
  49. got a "notice" from the FBI
    [...] to lock it up. The easy fix is to restore your computer to an earlier version. How you do it: http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/ __________________ When in doubt, buy Mil-spec since they try to dummy-proof [...]
  50. Just passing by
    Thank You! I did the system restore and my computer is now working, am gonna scan the whole computer with AVG just to make sure everything is fine. Thanks again for all your help.
    • randy
      You all deserve a medal! Worked first time! Using avg now to make sure everything is good! Thanks Guys!!!!
      • richard
        thank u for all ur help, i followed ur instuctions and got rid of the fbi ransomware. i would love to find out who is putting this virus out and punish them. thasnk u again u saved me from having to reinstall windows 7