Malware

How to Remove FBI Virus (Removal Guide)

By Sean Doyle · July 3, 2012 · 7 min read

The “FBI virus” is one of the most well known ransomware scams ever distributed in the United States. It first appeared in 2012 as a full-screen lock screen that falsely claimed to be issued by the Federal Bureau of Investigation and demanded payment through MoneyPak vouchers. Botcrawl was among the first publications to document this threat and publicly identify it as the “FBI virus” or “FBI MoneyPak virus.” As the campaign spread, it became one of the most widely searched ransomware infections in the country. While the original malware variants are no longer widespread, FBI-themed scams and lock screens continue to resurface in modern forms, including browser lockers, online extortion schemes, and mobile ransomware.

Although the original FBI MoneyPak ransomware relied on prepaid vouchers and basic screen-locking techniques, the core social engineering strategy behind it has remained largely unchanged. Modern versions of the FBI virus no longer need to fully lock a device to intimidate victims. Instead, they exploit fear through browser-based lock screens, fake law enforcement warnings, phishing emails, malicious advertisements, and scam websites designed to pressure users into paying fabricated fines, surrendering personal information, or installing additional malware. These newer schemes often appear more polished, use updated branding, and target both desktop and mobile users, allowing the threat to persist long after the original campaign faded.

This article traces the FBI virus from its earliest ransomware campaigns to the modern scams modeled after it. It explains how the original FBI MoneyPak malware operated, how its tactics evolved over time, and how to remove FBI-themed malware and lock screens using modern security tools. It also examines how early law enforcement impersonation schemes influenced today’s ransomware and extortion tactics, along with practical steps to protect devices from current file-encrypting attacks and fake authority warnings.

What is the FBI Virus?

The FBI virus was a type of ransomware that locked a user out of their computer and displayed a fake warning claiming to be from the Federal Bureau of Investigation. The message accused victims of viewing illegal content or violating federal law and demanded a fee to unlock the device. Payments were commonly requested through prepaid voucher systems such as MoneyPak, Ukash, Paysafecard, or Reloadit.

The FBI virus was one of the earliest widespread ransomware families in the United States. Instead of encrypting files like modern ransomware, it restricted access to the entire desktop and prevented the user from accessing Windows until a fake fine was paid. The goal was simple intimidation. Many victims complied out of fear, especially when the message displayed their location, IP address, or webcam feed.

Although the original FBI virus has faded, scammers still use FBI branding to scare users through browser pop ups, online extortion messages, and fraudulent phone calls. These threats use modern tactics but rely on the same psychological pressure as the original ransomware.

How the FBI Virus Spread

The original FBI virus spread through many of the same infection techniques used by malware today. These included:

Exploit kits that delivered ransomware when a victim visited an infected website
Malicious email attachments disguised as invoices or notices
Drive by downloads from compromised sites and ads
Fake software updates that installed ransomware instead of legitimate updates
Bundled installers combined with pirated software or fake media players

Exploit kits were particularly effective at the time because many users were still on outdated versions of Java, Flash Player, and Internet Explorer. A single visit to a compromised site could trigger an automatic ransomware installation.

Symptoms of the FBI Virus

Most victims of the FBI virus experienced obvious symptoms such as a full screen lockout. However, related scams can behave differently today. Common symptoms include:

A full screen window displaying an FBI message
Loss of access to the desktop
Keyboard shortcuts disabled
Webcam activates without permission
New browser tabs forcing an FBI warning
Pop ups claiming your device is under investigation
Unexpected redirects to law enforcement themed pages

If you encounter any of these symptoms, your device may be compromised by a lock screen Trojan, browser hijacker, or scam website script.

Modern Variants and Related Threats

Although the original ransomware family is obsolete, modern threats continue to use FBI branding. These include:

FBI browser lockers that freeze a browser tab with a fake FBI warning
FBI phone scams where scammers call victims pretending to be agents
FBI email scams that threaten legal action unless payment is made
Mobile ransomware on Android that locks the screen with FBI logos
Fake security alerts that redirect users to tech support scams

These threats do not function like the original ransomware, but they use the same pressure tactics and are often combined with phishing, payment fraud, and identity theft.

Remove the FBI Virus with Malwarebytes (Recommended)

The most effective way to remove an FBI virus infection is to scan your device with a trusted anti malware tool. We recommend using Malwarebytes because it specializes in removing ransomware, adware, browser hijackers, and potentially unwanted programs. Manual removal may not detect hidden files or startup entries, so using an automated scanner is the safest option.

Follow these steps to remove the FBI virus using Malwarebytes:

Download Malwarebytes and save the installer to your Downloads folder. Double click it to begin installation.

Follow the on screen instructions to install Malwarebytes on your Windows device.

Select whether you are installing Malwarebytes for personal or business use and click Next.

You may be offered Malwarebytes Browser Guard. You can add it or skip this step.

Once installation is complete, open Malwarebytes and click Get Started.

If using the free version, you will receive a trial of Malwarebytes Premium. After the trial ends, the program continues working as an on demand scanner.

From the dashboard, click Scan. Malwarebytes will check memory, startup items, registry entries, and files for ransomware and related threats.

Wait for the scan to complete. This may take several minutes.

When the scan finishes, review the detected threats and click Quarantine to remove them. You may be prompted to restart your computer.

After rebooting, Malwarebytes may run additional checks to confirm your system is clean.

Manual Removal for Windows

If you still have access to your desktop or are dealing with a browser based FBI scam, these manual steps can help you remove unwanted components. Manual removal should be followed by a Malwarebytes scan to ensure no hidden remnants remain.

Step 1. Uninstall suspicious programs

Right click Start and select Installed apps or Apps and Features.
Sort by install date to locate recent additions.
Uninstall programs you do not recognize or installed around the time the lock screen appeared.

Step 2. Remove browser notifications from fake FBI sites

Chrome: chrome://settings/content/notifications
Edge: Settings > Cookies and site permissions > Notifications
Firefox: Settings > Privacy and Security > Permissions

Step 3. Remove unwanted browser extensions

Chrome: chrome://extensions
Edge: Settings > Extensions
Firefox: about:addons

Step 4. Restore your default search engine

Restore Google, DuckDuckGo, or your preferred provider.

Step 5. Reset browser settings if symptoms continue

Chrome: chrome://settings/reset
Edge: Settings > Reset settings
Firefox: Help > More Troubleshooting Information > Refresh Firefox

Step 6. Clear cookies and site data

Remove cached FBI scam pages and redirects by clearing cookies and browsing data.

Step 7. Delete temporary files

Remove temporary files that may contain scripts or installers.

Advanced Checks for Persistent Issues

If you still see warnings or redirects, perform these advanced checks:

Check browser shortcuts

Right click your browser shortcut and ensure the Target field only contains the browser executable path.

Check Windows hosts file

Inspect C:\Windows\System32\drivers\etc\hosts for unwanted entries.

Check proxy and DNS settings

Ensure no unexpected proxies or DNS servers are configured.

Check Chrome policies

Visit chrome://policy to see if malware has enforced settings.

Review Task Scheduler

Look for tasks that launch unknown executables.

For more malware removal guides and cybersecurity alerts, visit our latest updates in the malware category.

Tags: Malware

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.

View all posts →