The “FBI virus” is one of the most well known ransomware scams ever distributed in the United States. It first appeared in 2012 as a full-screen lock screen that falsely claimed to be issued by the Federal Bureau of Investigation and demanded payment through MoneyPak vouchers. Botcrawl was among the first publications to document this threat and publicly identify it as the “FBI virus” or “FBI MoneyPak virus.” As the campaign spread, it became one of the most widely searched ransomware infections in the country. While the original malware variants are no longer widespread, FBI-themed scams and lock screens continue to resurface in modern forms, including browser lockers, online extortion schemes, and mobile ransomware.

Although the original FBI MoneyPak ransomware relied on prepaid vouchers and basic screen-locking techniques, the core social engineering strategy behind it has remained largely unchanged. Modern versions of the FBI virus no longer need to fully lock a device to intimidate victims. Instead, they exploit fear through browser-based lock screens, fake law enforcement warnings, phishing emails, malicious advertisements, and scam websites designed to pressure users into paying fabricated fines, surrendering personal information, or installing additional malware. These newer schemes often appear more polished, use updated branding, and target both desktop and mobile users, allowing the threat to persist long after the original campaign faded.

This article traces the FBI virus from its earliest ransomware campaigns to the modern scams modeled after it. It explains how the original FBI MoneyPak malware operated, how its tactics evolved over time, and how to remove FBI-themed malware and lock screens using modern security tools. It also examines how early law enforcement impersonation schemes influenced today’s ransomware and extortion tactics, along with practical steps to protect devices from current file-encrypting attacks and fake authority warnings.
What is the FBI Virus?
The FBI virus was a type of ransomware that locked a user out of their computer and displayed a fake warning claiming to be from the Federal Bureau of Investigation. The message accused victims of viewing illegal content or violating federal law and demanded a fee to unlock the device. Payments were commonly requested through prepaid voucher systems such as MoneyPak, Ukash, Paysafecard, or Reloadit.
The FBI virus was one of the earliest widespread ransomware families in the United States. Instead of encrypting files like modern ransomware, it restricted access to the entire desktop and prevented the user from accessing Windows until a fake fine was paid. The goal was simple intimidation. Many victims complied out of fear, especially when the message displayed their location, IP address, or webcam feed.
Although the original FBI virus has faded, scammers still use FBI branding to scare users through browser pop ups, online extortion messages, and fraudulent phone calls. These threats use modern tactics but rely on the same psychological pressure as the original ransomware.
How the FBI Virus Spread
The original FBI virus spread through many of the same infection techniques used by malware today. These included:
- Exploit kits that delivered ransomware when a victim visited an infected website
- Malicious email attachments disguised as invoices or notices
- Drive by downloads from compromised sites and ads
- Fake software updates that installed ransomware instead of legitimate updates
- Bundled installers combined with pirated software or fake media players
Exploit kits were particularly effective at the time because many users were still on outdated versions of Java, Flash Player, and Internet Explorer. A single visit to a compromised site could trigger an automatic ransomware installation.
Symptoms of the FBI Virus
Most victims of the FBI virus experienced obvious symptoms such as a full screen lockout. However, related scams can behave differently today. Common symptoms include:
- A full screen window displaying an FBI message
- Loss of access to the desktop
- Keyboard shortcuts disabled
- Webcam activates without permission
- New browser tabs forcing an FBI warning
- Pop ups claiming your device is under investigation
- Unexpected redirects to law enforcement themed pages
If you encounter any of these symptoms, your device may be compromised by a lock screen Trojan, browser hijacker, or scam website script.
Modern Variants and Related Threats
Although the original ransomware family is obsolete, modern threats continue to use FBI branding. These include:
- FBI browser lockers that freeze a browser tab with a fake FBI warning
- FBI phone scams where scammers call victims pretending to be agents
- FBI email scams that threaten legal action unless payment is made
- Mobile ransomware on Android that locks the screen with FBI logos
- Fake security alerts that redirect users to tech support scams
These threats do not function like the original ransomware, but they use the same pressure tactics and are often combined with phishing, payment fraud, and identity theft.
Remove the FBI Virus with Malwarebytes (Recommended)
The most effective way to remove an FBI virus infection is to scan your device with a trusted anti malware tool. We recommend using Malwarebytes because it specializes in removing ransomware, adware, browser hijackers, and potentially unwanted programs. Manual removal may not detect hidden files or startup entries, so using an automated scanner is the safest option.
Follow these steps to remove the FBI virus using Malwarebytes:

- Download Malwarebytes and save the installer to your Downloads folder. Double click it to begin installation.

- Follow the on screen instructions to install Malwarebytes on your Windows device.

- Select whether you are installing Malwarebytes for personal or business use and click Next.

- You may be offered Malwarebytes Browser Guard. You can add it or skip this step.

- Once installation is complete, open Malwarebytes and click Get Started.

- If using the free version, you will receive a trial of Malwarebytes Premium. After the trial ends, the program continues working as an on demand scanner.

- From the dashboard, click Scan. Malwarebytes will check memory, startup items, registry entries, and files for ransomware and related threats.

- Wait for the scan to complete. This may take several minutes.

- When the scan finishes, review the detected threats and click Quarantine to remove them. You may be prompted to restart your computer.

- After rebooting, Malwarebytes may run additional checks to confirm your system is clean.
Manual Removal for Windows
If you still have access to your desktop or are dealing with a browser based FBI scam, these manual steps can help you remove unwanted components. Manual removal should be followed by a Malwarebytes scan to ensure no hidden remnants remain.
Step 1. Uninstall suspicious programs
- Right click Start and select Installed apps or Apps and Features.
- Sort by install date to locate recent additions.
- Uninstall programs you do not recognize or installed around the time the lock screen appeared.
Step 2. Remove browser notifications from fake FBI sites
- Chrome: chrome://settings/content/notifications
- Edge: Settings > Cookies and site permissions > Notifications
- Firefox: Settings > Privacy and Security > Permissions
Step 3. Remove unwanted browser extensions
- Chrome: chrome://extensions
- Edge: Settings > Extensions
- Firefox: about:addons
Step 4. Restore your default search engine
Restore Google, DuckDuckGo, or your preferred provider.
Step 5. Reset browser settings if symptoms continue
- Chrome: chrome://settings/reset
- Edge: Settings > Reset settings
- Firefox: Help > More Troubleshooting Information > Refresh Firefox
Step 6. Clear cookies and site data
Remove cached FBI scam pages and redirects by clearing cookies and browsing data.
Step 7. Delete temporary files
Remove temporary files that may contain scripts or installers.
Advanced Checks for Persistent Issues
If you still see warnings or redirects, perform these advanced checks:
Check browser shortcuts
Right click your browser shortcut and ensure the Target field only contains the browser executable path.
Check Windows hosts file
Inspect C:\Windows\System32\drivers\etc\hosts for unwanted entries.
Check proxy and DNS settings
Ensure no unexpected proxies or DNS servers are configured.
Check Chrome policies
Visit chrome://policy to see if malware has enforced settings.
Review Task Scheduler
Look for tasks that launch unknown executables.
For more malware removal guides and cybersecurity alerts, visit our latest updates in the malware category.
540 Comments
Leave a Reply
You must be logged in to post a comment.
Thanks for this guide. I’m glad I’m not alone in having “child porn” on my computer. My heart almost stopped when I first saw this on my laptop. Luckily I figured the Sytem Restore option out on my own. I’m also fastidious in backing up my data.
I’ve since found a program that images my entire hard drive so now when i have a problem like this blasted malware I have another weapon in my arsenal to fix it.
Yes you can use safe mode. Most ransomware infections have essentially the same removal steps.
Would you mind sending me a screenshot of the infection? And more information please. Sean@botcrawl.com
The weird thing is that mine did not say FBI mine said united states cyber security and immediately i knew it was a virus because it had the wrong ip address. I did the safe mode restart and knew about it because this has happened before to other computers in our house. Once performed i went back on youtube and continued watching my videos!
Glad to hear you were able to remove it: http://botcrawl.com/how-to-remove-the-united-states-cyber-security-ransomare-virus/
Thank you so much! this is the best article to ever happen to me.
Husband got this on his computer this morning … when he finally let me sit in his chair I restarted in safe mode and did a system restore. That allowed me to get back on his login where I have downloaded malwarebytes and am currently scanning with the free version. Thank you all for your comments and help. He is happy again.
Thank you so much!
Got the FBI virus just this morning. The virus also disabled my ability to restore my PC to an earlier date. In Safe Mode with Networking, I was able to update my MalwareByte software to the latest version. When running MalwareBytes, you have to run a FULL SCAN. Quick Scan will not find or get rid of the virus.
So, spend the time to run a full scan, restart, and you should be up and running again.
Worked for me too.. Thanks… I loved not having to downloand more stuff!
This was a big help. Thank you for the info w/o trying to get me to buy something or download a useless program. That is a definate plus and welcome relief. Thank you again it was a very pleasant experience.
These were amazingly easy instructions! Thank you so much for your help!
[…] http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/ […]
thank you so much for the help.:)
Thank you so much, the webcam was on my computer this am and i knew something didn’t make sense, like why couldn’t i have just used my credit card? so luckily i had my son’s laptop and googled this to find out it was a scam. I followed your instructions and my virus is gone. I cannot thank you enough for your help… coming from a person who is computer illiterate. You made it very easy.
Thanks so much, I woke up this morning and my computer webcam was on and I knew something was wrong! I tried to click away from the ransom page and it had me lock out of the rest of the computer. I knew that it was a virus or something but I was running late for work, so it had to wait until I got back. After following the instruction here I was back in business in just a few minutes. Great page and easy to follow instructions.
Thanks for the help!! The directions were simple to follow and I had my computer fixed in no time 🙂
Thank you for posting this info. What goes around comes around and you have some very good things coming your way. Thanks again.
Why isn’t the REAL FBI doing anything about this? I see it on my customer’s computers weekly. Oh, they’re too busy going after 12-year-olds downloading bootleg copies of Ironman because of pressure from the media companies. Darn. Good ole’ America. Follow the money!
If McAfee can’t prevent this, then what good is it?
[…] FBI message? There are multiple guides online for removing this virus. Here is one of them. How To Remove The FBI Moneypak Ransomware Virus – Fake FBI Malware Removal | To find more guides search something along the lines of "FBI Moneypak virus removal" AVG […]
I caught the Virus and was amazed at how authentic it looked. By the way…if you are foolish enough to send money to the “fake FBI”, don’t count on them removing the virus for you.
BUT…I removed it quite easily by using the FREE version of Malwarebytes Anti Malware. One quick swipe and bye bye Virus. I’m sad to say that Microsoft Security Essentials (which I like) failed me this time.
First off thanks a bunch I was gonna pay 200$ and just make it worse. When I saw this I wanted to jump off a high cliff. Now, What if when you do the manual removal and try to find the ctfmon file it’s in;C:\Users\[USERNAME]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, but there isn’t an .lnk at the end of ctfmon and when I tried to delete it it just popped up again. I went through The rest of step 2. and for now the virus seems to have gone away. But the ctfmon worries me. Does it mean that the virus is laying dormant until it has a chance to pop up again?
[…] has worked for me so far (this link details these instructions as well as other options in case this fails): put the computer into safe […]
if this is in you/r hard drive will it also delete or will you lose all your pictures and software that was saved in your computer
My cousin got this from an email. He was stupid enough to click on a link, nothing else on it. Heheh, so later this window popped up. We were both like “Wtf?” then we read it and we were freaking out. We were on my dad’s computer and he wasn’t home. We were FREAKIN OUT!!!! I decided to do some research. I felt like an elephant got off my shoulders after I learned it was just a virus. But then the feeling came back when I saw what it could do. I was like, “We have to get rid of this. Now!” I kept researching in safe mode. I came to this page and saw that facebook post where the person used system restore. I was telling myself I was so stupid… Hahaha, after trying to delete all those system files I forgot about system restore! Well I ran system restore. That day was not my lucky day… There was 1 restore point. And guess what… IT WAS EARLIER THAT DAY!!!!! And It was a windows update finished after rebooting. The reboot is because my cousin tried to get me off by shutting the computer down. Oh my god, it was just at the right time, too. It was about an hour before he read the email. For once, him trying to prove me wrong saved our lives as we know them. NO HAXORS 4 US!!!! YESHHHHHHH!!!!!
Thank you so much for your help man, this virus had got me nervous thinkin i was having to pay 200$. I would had never known about malwarebytes but thanks to you my computer is safe!
Incredible! I love you thank you!
Thanks for your help. I did a system restore and it looks like I’m in good shape. Also ran malware bytes.
Thank you, this virus was nasty but easy to remove with your help.
I don’t know anything about computers and I fixed it in 3 seconds thanks to this website. Thanks a lot!
Going into safe mode and removing ctfmon did the trick. Thanks to everyone for all the comments and info.
Thanks Sean Doyle, youre the man! I ended up using the safe mode system restore and it took me back quickly to better times. Follwed up with your suggested Malwarebytes and the scan indicated ‘0’ files, so if you can restore without losing too much previous downloaded info, I recommend.
this website literally saved my @ss. thank you so much! i got this on my laptop, thought it was a fake popup then realized i couldnt “x” out of it. i got worried then shut down my computer and it was still there. i played around with safe mode for a while then found this website on a different computer. within 10 minutes i had restored my laptop and it runs fine now. cant thank u enough
Ended up having to restore the system… but doing a malwarebytes scan just to be safe. Thanks for the help…
[…] it took my very computer savvy husband …. PC back to normal. Here’s a link to the directions in case anybody’s curious. And in that time, I had an epiphany. The […]
I got this nasty virus yesterday at 12:35pm. took me till now, 2:04am Early Saturday morning 14 hours later to finally have my machine back up and running. Thanks for all the great info and encouragement. I wish I could return the favor so all I can do is spread your link around to other people in need. Thanks for saving my butt!
Thanks the Mister got it, he was gonna pay til he ask me……….. FYI>>>>>>>>>>>>> The FBI will not nor has ever ask you to pay money for fines that you have been on an illegal website . Anyone who thinks this is crazy, these folks will knock your door down before telling you something like that, if its illegal you will know when the FBI is involved. We done the restore thanks, and once again the woman has solved the problem at my house lol
Got it this morning at home, many thanks for the analysis and removal instructions and all the commenters’ inputs – lots of good suggestions. Question: has anyone checked to see if the (real) FBI cares about their name being used this way? I suppose the charge would be something like “fraud committed under color of law”? …they do have resources, probably good enough, if they were to choose to get serious about going after this.
Ok So if anyone gets this particularly nasty FBI Money Pak Ransomware- Have this link handy. It is the only way I was able to remove it without charging a buttload of money… The kids said they were using FB and Pandora.. So it may have come from a link they clicked on. Just be cautious!
http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/
This very helpful site and info saved my netbook from being tossed from a thirty-story window! Thank you so much! I used the “Safe Mode” start option and deleted the pirate from the Start Menu in All Programs. I had to start using my usual username, whereas the first attempt I made was with the Admin account. Thanks again!
System restore to a previous date was the easiest for sure! Thanks for all the great options!!
Well it happened to me, Got scared and sent a money pak fo $200.00.
Had a good friend that solved the situation but still lost the doe.
Good lession
just got it this morning
Thanks to this good man who wrote all this information about of this bad gus,who extorsioning to the people whose we use the computer,just for good things,no for durty activities like them,this stupid people make me have a hard time they bloked my laptop and know I dont know if will work again laike before,I am following up the instruction that this friend is giving to remove this dirty virus I hope that maybe I get it.
I want to tell you again my friend thanks for makeme fill free of preocupation please leave this information accecible for more people like me who need orientation about of this donkey guys!! God Bless you!!
How To Remove The FBI Moneypak Ransomware Virus – Fake FBI Malware Removal | – http://t.co/dzOTaq3n
How To Remove The FBI Moneypak Ransomware Virus – Fake FBI Malware Removal http://t.co/uoUaylCd via @Botcrawl
Infected by FBI Moneypak ransomware today. Eeek! The feds were after me, not http://t.co/fk5KNORt
Brilliant thank you, I did safe mode and installed free avg and did a scan which removed some stuff and then downloaded free malwarebytes which removed other stuff but i didnt pay attention to any names it removed. Anyway it seemed to work so thanks a lot!
Thank God for these directions. What Sam’s comment says does work. It’s in the removal directions in this article so you don’t have to read the comment below though.
Do what Sam says it works
This morning i experienced the same ransomware from the metropolitian police e-crime unit. After following the above suggestion it worked. So please that there a fix to this. Thank you
Ah thank you! that was easy