The “FBI virus” is one of the most well-known ransomware scams ever distributed in the United States. It first appeared in 2012 as a full-screen lock screen that falsely claimed to be issued by the Federal Bureau of Investigation and demanded payment through MoneyPak vouchers. Botcrawl was among the first publications to document this threat and publicly identify it as the “FBI virus” or “FBI MoneyPak virus.” As the campaign spread, it became one of the most widely searched ransomware infections in the country. While the original malware variants are no longer widespread, FBI-themed scams and lock screens continue to resurface in modern forms, including browser lockers, online extortion schemes, and mobile ransomware.

Although the original FBI MoneyPak ransomware relied on prepaid vouchers and basic screen-locking techniques, the core social engineering strategy behind it has remained largely unchanged. Modern versions of the FBI virus no longer need to fully lock a device to intimidate victims. Instead, they exploit fear through browser-based lock screens, fake law enforcement warnings, phishing emails, malicious advertisements, and scam websites designed to pressure users into paying fabricated fines, surrendering personal information, or installing additional malware. These newer schemes often appear more polished, use updated branding, and target both desktop and mobile users, allowing the threat to persist long after the original campaign faded.

This article traces the FBI virus from its earliest ransomware campaigns to the modern scams modeled after it. It explains how the original FBI MoneyPak malware operated, how its tactics evolved over time, and how to remove FBI-themed malware and lock screens using modern security tools. It also examines how early law enforcement impersonation schemes influenced today’s ransomware and extortion tactics, along with practical steps to protect devices from current file-encrypting attacks and fake authority warnings.
What is the FBI Virus?
The FBI virus was a type of ransomware that locked a user out of their computer and displayed a fake warning claiming to be from the Federal Bureau of Investigation. The message accused victims of viewing illegal content or violating federal law and demanded a fee to unlock the device. Payments were commonly requested through prepaid voucher systems such as MoneyPak, Ukash, Paysafecard, or Reloadit.
The FBI virus was one of the earliest widespread ransomware families in the United States. Instead of encrypting files like modern ransomware, it restricted access to the entire desktop and prevented the user from accessing Windows until a fake fine was paid. The goal was simple intimidation. Many victims complied out of fear, especially when the message displayed their location, IP address, or webcam feed.
Although the original FBI virus has faded, scammers still use FBI branding to scare users through browser pop-ups, online extortion messages, and fraudulent phone calls. These threats use modern tactics but rely on the same psychological pressure as the original ransomware.
How the FBI Virus Spread
The original FBI virus spread through many of the same infection techniques used by malware today. These included:
- Exploit kits that delivered ransomware when a victim visited an infected website
- Malicious email attachments disguised as invoices or notices
- Drive-by downloads from compromised sites and ads
- Fake software updates that installed ransomware instead of legitimate updates
- Bundled installers combined with pirated software or fake media players
Exploit kits were particularly effective at the time because many users were still on outdated versions of Java, Flash Player, and Internet Explorer. A single visit to a compromised site could trigger an automatic ransomware installation.
Symptoms of the FBI Virus
Most victims of the FBI virus experienced obvious symptoms such as a full-screen lockout. However, related scams can behave differently today. Common symptoms include:
- A full-screen window displaying an FBI message
- Loss of access to the desktop
- Keyboard shortcuts disabled
- Webcam activates without permission
- New browser tabs forcing an FBI warning
- Pop-ups claiming your device is under investigation
- Unexpected redirects to law enforcement-themed pages
If you encounter any of these symptoms, your device may be compromised by a lock-screen Trojan, browser hijacker, or scam website script.
Modern Variants and Related Threats
Although the original ransomware family is obsolete, modern threats continue to use FBI branding. These include:
- FBI browser lockers that freeze a browser tab with a fake FBI warning
- FBI phone scams where scammers call victims pretending to be agents
- FBI email scams that threaten legal action unless payment is made
- Mobile ransomware on Android that locks the screen with FBI logos
- Fake security alerts that redirect users to tech support scams
These threats do not function like the original ransomware, but they use the same pressure tactics and are often combined with phishing, payment fraud, and identity theft.
Remove the FBI Virus with Malwarebytes (Recommended)
The most effective way to remove an FBI virus infection is to scan your device with a trusted anti-malware tool. We recommend using Malwarebytes because it specializes in removing ransomware, adware, browser hijackers, and potentially unwanted programs. Manual removal may not detect hidden files or startup entries, so using an automated scanner is the safest option.
Follow these steps to remove the FBI virus using Malwarebytes:

- Download Malwarebytes and save the installer to your Downloads folder. Double-click it to begin installation.
- Follow the on-screen instructions to install Malwarebytes on your Windows device.
- Select whether you are installing Malwarebytes for personal or business use and click Next.
- You may be offered Malwarebytes Browser Guard. You can add it or skip this step.
- Once installation is complete, open Malwarebytes and click Get Started.
- If using the free version, you will receive a trial of Malwarebytes Premium. After the trial ends, the program continues working as an on-demand scanner.
- From the dashboard, click Scan. Malwarebytes will check memory, startup items, registry entries, and files for ransomware and related threats.
- Wait for the scan to complete. This may take several minutes.
- When the scan finishes, review the detected threats and click Quarantine to remove them. You may be prompted to restart your computer.
- After rebooting, Malwarebytes may run additional checks to confirm your system is clean.
Manual Removal for Windows
If you still have access to your desktop or are dealing with a browser-based FBI scam, these manual steps can help you remove unwanted components. Manual removal should be followed by a Malwarebytes scan to ensure no hidden remnants remain.
Step 1. Uninstall suspicious programs
- Right-click Start and select Installed apps or Apps and Features.
- Sort by install date to locate recent additions.
- Uninstall programs that you do not recognize or that were installed around the time the lock screen appeared.
Step 2. Remove browser notifications from fake FBI sites
- Chrome: chrome://settings/content/notifications
- Edge: Settings > Cookies and site permissions > Notifications
- Firefox: Settings > Privacy and Security > Permissions
Step 3. Remove unwanted browser extensions
- Chrome: chrome://extensions
- Edge: Settings > Extensions
- Firefox: about:addons
Step 4. Restore your default search engine
Restore Google, DuckDuckGo, or your preferred provider.
Step 5. Reset browser settings if symptoms continue
- Chrome: chrome://settings/reset
- Edge: Settings > Reset settings
- Firefox: Help > More Troubleshooting Information > Refresh Firefox
Step 6. Clear cookies and site data
Remove cached FBI scam pages and redirects by clearing cookies and browsing data.
Step 7. Delete temporary files
Remove temporary files that may contain scripts or installers.
Advanced Checks for Persistent Issues
If you still see warnings or redirects, perform these advanced checks:
Check browser shortcuts
Right-click your browser shortcut and ensure the Target field only contains the browser executable path.
Check Windows hosts file
Inspect C:\Windows\System32\drivers\etc\hosts for unwanted entries.
Check proxy and DNS settings
Ensure no unexpected proxies or DNS servers are configured.
Check Chrome policies
Visit chrome://policy to see if malware has enforced settings.
Review Task Scheduler
Look for tasks that launch unknown executables.
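The five advanced checks above can be gathered in one pass. The following PowerShell script is an added example, not part of the original article: it is read-only and only reports what it finds for manual review. It assumes Windows 8 or later; the list of shortcut folders and the `\Microsoft\` task filter are choices made for this illustration.

```powershell
# Added example: read-only audit of the five "advanced checks". Changes nothing.
# Output is for manual review; the filters are heuristics, not malware verdicts.

# 1. Browser shortcuts: report any that pass extra arguments to the browser.
$shell    = New-Object -ComObject WScript.Shell
$browsers = 'chrome.exe', 'msedge.exe', 'firefox.exe'
$dirs = @(
    [Environment]::GetFolderPath('Desktop')
    [Environment]::GetFolderPath('CommonDesktopDirectory')
    [Environment]::GetFolderPath('StartMenu')
    [Environment]::GetFolderPath('CommonStartMenu')
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
) | Where-Object { $_ -and (Test-Path $_) }
$shortcuts = Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $isBrowser = $lnk.TargetPath -and ($browsers -contains (Split-Path $lnk.TargetPath -Leaf))
        if ($isBrowser -and $lnk.Arguments) {
            [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
        }
    }

# 2. Hosts file: list every active (non-comment) entry. A default file has none.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$hostsEntries = Get-Content $hostsPath -ErrorAction SilentlyContinue |
    ForEach-Object { ($_ -replace '#.*$', '').Trim() } |
    Where-Object { $_ } |
    ForEach-Object {
        $f = $_ -split '\s+'
        [pscustomobject]@{ Address = $f[0]; Names = ($f | Select-Object -Skip 1) -join ' ' }
    }

# 3. Proxy and DNS: per-user proxy settings and the DNS servers on each adapter.
$inet  = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = $inet | Select-Object ProxyEnable, ProxyServer, AutoConfigURL
$dns   = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 4. Chrome policies: the registry values that chrome://policy reports on Windows.
$roots = 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome'
$chromePolicies = Get-Item $roots -ErrorAction SilentlyContinue |
    ForEach-Object { $_; Get-ChildItem $_.PSPath -Recurse } |
    ForEach-Object { $k = $_; $k.GetValueNames() | ForEach-Object {
        [pscustomobject]@{ Key = $k.Name; Policy = $_; Value = $k.GetValue($_) } } }

# 5. Scheduled tasks outside \Microsoft\, with the program each one launches.
#    Heuristic only: an unwanted task can also be registered under \Microsoft\.
$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $t = $_
        $t.Actions | ForEach-Object {
            [pscustomobject]@{ Task = $t.TaskPath + $t.TaskName; Execute = $_.Execute; Arguments = $_.Arguments } }
    }

function Show-Section($Title, $Data) {
    "`n=== $Title ==="
    if ($Data) { $Data | Format-List | Out-String } else { '(nothing found)' }
}
Show-Section 'Browser shortcuts with extra arguments' $shortcuts
Show-Section 'Active hosts file entries' $hostsEntries
Show-Section 'Proxy settings (current user)' $proxy
Show-Section 'DNS servers per adapter' $dns
Show-Section 'Chrome policy values' $chromePolicies
Show-Section 'Scheduled tasks outside \Microsoft\' $tasks
```

Some legitimate shortcuts carry arguments (for example, a browser profile shortcut), so treat each reported item as something to verify rather than something to delete.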
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.








540 Comments
I knew it was a virus. It was weird I was able to use the internet for like a few minutes each time I unplugged it. So I bought Malware Bytes instead of using the free one just so I could contact their support if that's how it went but it found the fbi virus right away. I didn’t even press scan.
Thank you! 🙂
I was literally about to drown myself in my own tears!
As you can tell I have been a victim of this awful scam and I want to thank you so much for being incredibly helpful with your multiple step-by-step instructions! It definitely took me many attempts to successfully remove the scam but nevertheless, I did it, all thanks to you! Thank you!!!
Remember, you can sue FBI if they did web-policing to violate your privacy.
My simple way to fix it:
enter safe-mode with networking.
Pull-up “Start” menu and “All Programs” “StartUp” folder.
Remove “ctfmon” link (or similar).
Thanks!
Thank you, thank you, thank you! I turned on my computer this morning and my computer was blocked, and I was freaking out that I was going to have to pay $200. Thanks for the help.
In my case it didn’t let me enter safe mode, it just froze when all the list of drivers appear loading. But I found that if I opened a program like Advanced System Care or CCleaner (that asks you if you let them make changes in the computer) fast enough the blocking page didn’t appear. So I opened them and avast at the same time and programmed a virus scan when rebooting. The first time after the scan the blocking page showed again, but after a second reboot it said deo0_sar.exe couldn’t start because it was a virus. I think it's over now.
Malwarebytes worked like a champ!
how far back should i restore my pc …i did it for yesterday…is that good enough
Restore your computer to a date and time before it was affected with malware.
First of all, thanks for caring so much! I can’t believe you take the time to respond to individual troubles. Humanity exists! Haha. That being said, can you explain the registry editor process? I’m trying to enter the data in safe prompt mode, but not sure how to go about it. Do I create new values (string, binary, etc?) This is all Mandarin to me. I’m just proud I made it this far!
my sister has this virus and she rebooted her computer before she called me. Her keyboard is not being recognized now. Any ideas on this?
She should still be able to enter safe mode by tapping F8 during boot up.
Well that can be a few things, but should be easily or even randomly fixed (or configured). If she is using a wireless keyboard the FBI Moneypak virus is known to interrupt recognition. If this is the case plug in a USB keyboard and check your “devices” for configuration settings.
Sometimes, if you restart your computer but do have your keyboard plugged in it may cause your keyboard to malfunction as well.
Hope this helps. If not and you seek more assistance please send me an email with more information sean@botcrawl.com and I’ll provide you with proper details.
PLEASE READ!!
The FBI Moneypak Ransomware Virus… I just got this virus on my laptop. It holds your computer hostage insisting that you pay a fine to the FBI via a MoneyPack order. This virus is very smart.. totally disables your Anti-Virus/spyware programs. This is a scam, please do not pay money to these jerks. Here’s a link to a website that helped me get rid of it on my PC (only trouble is, you will have to use a different pc/netbook or whatever to get this info because your pc will no longer work). It also resulted in me having to do a complete system restore.
Here’s the link…. http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/
Seems to have worked… thanks… awesome info
Thank you for this useful information. Manual worked fine. Great to see someone combating these pirates. Please keep up the good work and know it is appreciated.
Was running scared for a minute there….digital hug man.
Freakin awesome !!!!!
This is the best, thank you. Google needs to make this the top result not second because other articles were just terrible.
Omg…I am so glad I found this page. Stupid virus wouldn’t let me do anything. I unplugged my Internet and went into safe mode. Restored my comp to an earlier date. It seems to have worked. Hopefully it’ll stay that way. Thanks for the info 🙂
“@Nocside: Check this shit out. Scared the fuck out of me. http://t.co/q1oKUg3U” is it real, cuz I just got it on m
Wow that was easy Thank youu!
Had the same virus mine was real tough to get rid of. Glad I found the information here. Mine would not let me open anything in safe mode. I had to keep hitting F8 and click on top and lower safe mode corners to get explorer up. Then when the explorer box came up you have only a few seconds to type explorer in the box. Remember even in safe mode you don’t have a lot of time because the virus starts back up and safe mode shuts down and goes to the virus screen. Malware did not get rid of it because after the scan I started my computer up and the virus was back. I had to start all over trying to explorer back up it took some time again so you have to have some patience not like me. I had to walk away and I got my wife to try and guess what she got to the explore screen with the restore system up. I don’t know if this is a new and harder version to get rid of. So I had to restore first then ran malware 2nd and last I ran my avira anti virus scan. So far the computer seems ok. The information on this site was great lucky I had a lap top so I could access the info. Thanks Again
Beware phones at Houting Computer are starting to ring with more, and more reports of the “FBI Moneypak Ransom virus” this one is very bad news. It can take control of both your camera and your microphone. And that's only the fun part. Read this link to learn more. But.. be warned, if infected, you are very unlikely to remove this one yourself, regardless of the instructions listed below.
http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/
This info was great, I can't believe it was so easy to remove. Could someone tell me when and where this virus originated, I read something about Europe but this scam is just beyond anything I have ever seen…
Also can they actually see you? I did not notice the camera at the beginning… Or is simply your own stream?
Also unplugging your internet completely stops the virus from working.
Thanks for the help
I got rid of the virus using AVG 2012 Anti-Virus software, and by doing a system restore afterwards. I highly recommend AVG because it is very thorough when scanning and it is so easy to configure and use.
Thank you so much for this information it worked first try! I have been at it all day with no luck found this site and your answer tried it and it's gone thank you again!
Malwarebytes took care of this problem..
Malwarebytes actually got it for me
Thank you SO much for posting this, it was a great help in manually removing this POS
Thank you soooo much for these instructions, I removed it in Safe Mode. It was easy to follow all the steps and I removed everything that has virus installation date and time in temp files. It installed on my work computer and I was freaking out … You saved my day!!!
Many many many many thanks to you! This was the freakiest virus every, with the webcam and all! Too obvious for any individual with a brain to fall for but a pain in the neck to get rid of. We are so grateful for the instructions, could have not gotten to a point to navigate to system restore without, you have saved the day!!!
Thank you so much you saved me money wish I could donate or somethin.
Whenever I go to delete/open the temp folder it says I cannot do so because it is open in another program 🙁
The manual removal in safe mode with networking is what worked for me. The removal of the second part was named differently, so I simply deleted everything from that day/time. Thanks a lot for this!
This was a great help. So far so good, seems to have gotten rid of it.
just had to deal with this stupid virus made IE crash (thank you microsoft for easy IE crashing) to get out of that window, (i pressed control alt tab when ie crashed,) i started to restart so i could enter safe mode, had the popup of are you sure you want to lose the work on these programs with the options restart anyway or cancel, realized my webcam had turned off and hunted down and destroyed the files with a prejudice…….
Booting into Safe Mode (Continually tap the F8 on boot up) will give you the option to “Restore your computer to an earlier time” as soon as Windows loads. I just did this and selected a date prior to the infection and the machine booted up after the restore without issue. Then, scanned with MalwareBytes and found nothing. Infection gone. I’m either upgrading MalwareBytes to the pay version or installing Microsoft Security Essentials.
Sorry i meant in all four corners.
Another way to remove the FBI MoneyPak virus is to use Malwarebytes Anti-Malware software. You can find it here Malwarebytes.org. Just make sure you do a “Full” system scan. It will take longer than a quick scan, but it will detect, and allow you to remove the trojan.ransom virus (FBI MoneyPak) virus.
I've got the virus now, and for me if I disable or disconnect the internet the virus doesn't run. This may help others who are having issues with the virus to at least let you get access to your computer's settings. So far I have tried multiple virus scanners and malware scanners all have said they have deleted it, but as soon as I reboot and reconnect the internet the screen locks again. Good luck everyone, this one is mean. I hope this little bit of info helps you to at least access your system to try and get rid of it. So again DISABLE YOUR INTERNET and you should (as I did) gain access to your systems the virus seems to require an active connection to lock you out.
Randy
Safe Mode With Networking is an excellent solution for such issues.
System restore in safe mode did the trick, thanks lots.
Guys I was freaking out…almost paid but I calmed down and looked it up luckily haha this worked for me. The system restore I mean.
Thanks so much I’ve been through 4 days of hell trying to get rid of this thing
TROLLOLOLOLOL #how2 remove FBI moneypack virus http://t.co/PqKNMIYE #extortion #virus #fbi #moneypack #citadel#malware
http://t.co/O0qU6hiY
I was able to just simply restore my computer to a time earlier in the same day that I got this ransomware. Thanks. I was glad that I didn’t need to follow the instructions above, as I am not the most computer savvy, though it doesn’t seem too painful. Thanks again.
Free version of malwarebytes worked for me.
You are a life saver. Thank you so much for this write up!!!!!!