The “FBI virus” is one of the most well known ransomware scams ever distributed in the United States. It first appeared in 2012 as a full-screen lock screen that falsely claimed to be issued by the Federal Bureau of Investigation and demanded payment through MoneyPak vouchers. Botcrawl was among the first publications to document this threat and publicly identify it as the “FBI virus” or “FBI MoneyPak virus.” As the campaign spread, it became one of the most widely searched ransomware infections in the country. While the original malware variants are no longer widespread, FBI-themed scams and lock screens continue to resurface in modern forms, including browser lockers, online extortion schemes, and mobile ransomware.

Although the original FBI MoneyPak ransomware relied on prepaid vouchers and basic screen-locking techniques, the core social engineering strategy behind it has remained largely unchanged. Modern versions of the FBI virus no longer need to fully lock a device to intimidate victims. Instead, they exploit fear through browser-based lock screens, fake law enforcement warnings, phishing emails, malicious advertisements, and scam websites designed to pressure users into paying fabricated fines, surrendering personal information, or installing additional malware. These newer schemes often appear more polished, use updated branding, and target both desktop and mobile users, allowing the threat to persist long after the original campaign faded.

This article traces the FBI virus from its earliest ransomware campaigns to the modern scams modeled after it. It explains how the original FBI MoneyPak malware operated, how its tactics evolved over time, and how to remove FBI-themed malware and lock screens using modern security tools. It also examines how early law enforcement impersonation schemes influenced today’s ransomware and extortion tactics, along with practical steps to protect devices from current file-encrypting attacks and fake authority warnings.
What is the FBI Virus?
The FBI virus was a type of ransomware that locked a user out of their computer and displayed a fake warning claiming to be from the Federal Bureau of Investigation. The message accused victims of viewing illegal content or violating federal law and demanded a fee to unlock the device. Payments were commonly requested through prepaid voucher systems such as MoneyPak, Ukash, Paysafecard, or Reloadit.
The FBI virus was one of the earliest widespread ransomware families in the United States. Instead of encrypting files like modern ransomware, it restricted access to the entire desktop and prevented the user from accessing Windows until a fake fine was paid. The goal was simple intimidation. Many victims complied out of fear, especially when the message displayed their location, IP address, or webcam feed.
Although the original FBI virus has faded, scammers still use FBI branding to scare users through browser pop-ups, online extortion messages, and fraudulent phone calls. These threats use modern tactics but rely on the same psychological pressure as the original ransomware.
How the FBI Virus Spread
The original FBI virus spread through many of the same infection techniques used by malware today. These included:
- Exploit kits that delivered ransomware when a victim visited an infected website
- Malicious email attachments disguised as invoices or notices
- Drive-by downloads from compromised sites and ads
- Fake software updates that installed ransomware instead of legitimate updates
- Bundled installers combined with pirated software or fake media players
Exploit kits were particularly effective at the time because many users were still on outdated versions of Java, Flash Player, and Internet Explorer. A single visit to a compromised site could trigger an automatic ransomware installation.
Symptoms of the FBI Virus
Most victims of the FBI virus experienced obvious symptoms such as a full screen lockout. However, related scams can behave differently today. Common symptoms include:
- A full screen window displaying an FBI message
- Loss of access to the desktop
- Keyboard shortcuts disabled
- Webcam activates without permission
- New browser tabs forcing an FBI warning
- Pop-ups claiming your device is under investigation
- Unexpected redirects to law enforcement themed pages
If you encounter any of these symptoms, your device may be compromised by a lock screen Trojan, browser hijacker, or scam website script.
Modern Variants and Related Threats
Although the original ransomware family is obsolete, modern threats continue to use FBI branding. These include:
- FBI browser lockers that freeze a browser tab with a fake FBI warning
- FBI phone scams where scammers call victims pretending to be agents
- FBI email scams that threaten legal action unless payment is made
- Mobile ransomware on Android that locks the screen with FBI logos
- Fake security alerts that redirect users to tech support scams
These threats do not function like the original ransomware, but they use the same pressure tactics and are often combined with phishing, payment fraud, and identity theft.
Remove the FBI Virus with Malwarebytes (Recommended)
The most effective way to remove an FBI virus infection is to scan your device with a trusted anti-malware tool. We recommend using Malwarebytes because it specializes in removing ransomware, adware, browser hijackers, and potentially unwanted programs. Manual removal may not detect hidden files or startup entries, so using an automated scanner is the safest option.
Follow these steps to remove the FBI virus using Malwarebytes:

- Download Malwarebytes and save the installer to your Downloads folder. Double click it to begin installation.

- Follow the on screen instructions to install Malwarebytes on your Windows device.

- Select whether you are installing Malwarebytes for personal or business use and click Next.

- You may be offered Malwarebytes Browser Guard. You can add it or skip this step.

- Once installation is complete, open Malwarebytes and click Get Started.

- If using the free version, you will receive a trial of Malwarebytes Premium. After the trial ends, the program continues working as an on demand scanner.

- From the dashboard, click Scan. Malwarebytes will check memory, startup items, registry entries, and files for ransomware and related threats.

- Wait for the scan to complete. This may take several minutes.

- When the scan finishes, review the detected threats and click Quarantine to remove them. You may be prompted to restart your computer.

- After rebooting, Malwarebytes may run additional checks to confirm your system is clean.
Manual Removal for Windows
If you still have access to your desktop or are dealing with a browser-based FBI scam, these manual steps can help you remove unwanted components. Manual removal should be followed by a Malwarebytes scan to ensure no hidden remnants remain.
Step 1. Uninstall suspicious programs
- Right click Start and select Installed apps or Apps and Features.
- Sort by install date to locate recent additions.
- Uninstall programs you do not recognize or installed around the time the lock screen appeared.
Step 2. Remove browser notifications from fake FBI sites
- Chrome: chrome://settings/content/notifications
- Edge: Settings > Cookies and site permissions > Notifications
- Firefox: Settings > Privacy and Security > Permissions
Step 3. Remove unwanted browser extensions
- Chrome: chrome://extensions
- Edge: Settings > Extensions
- Firefox: about:addons
Step 4. Restore your default search engine
Restore Google, DuckDuckGo, or your preferred provider.
Step 5. Reset browser settings if symptoms continue
- Chrome: chrome://settings/reset
- Edge: Settings > Reset settings
- Firefox: Help > More Troubleshooting Information > Refresh Firefox
Step 6. Clear cookies and site data
Remove cached FBI scam pages and redirects by clearing cookies and browsing data.
Step 7. Delete temporary files
Remove temporary files that may contain scripts or installers.
Advanced Checks for Persistent Issues
If you still see warnings or redirects, perform these advanced checks:
Check browser shortcuts
Right click your browser shortcut and ensure the Target field only contains the browser executable path.
Check Windows hosts file
Inspect C:\Windows\System32\drivers\etc\hosts for unwanted entries.
Check proxy and DNS settings
Ensure no unexpected proxies or DNS servers are configured.
Check Chrome policies
Visit chrome://policy to see if malware has enforced settings.
Review Task Scheduler
Look for tasks that launch unknown executables.
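The advanced checks above can be gathered into one read-only PowerShell pass. This is an added example, not part of the original guide or of any vendor tool; it only reads and prints. The folders searched for shortcuts (Desktop and the two Startup folders) are an assumption about where a tampered shortcut would sit.

```powershell
# Added example: read-only triage for the advanced checks. Nothing is modified.

# Hosts file: show active entries other than the loopback localhost lines.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsEntries = Get-Content -Path $hostsPath |
    ForEach-Object { ($_ -replace '#.*$', '').Trim() } |
    Where-Object { $_ -and $_ -notmatch '^(127\.0\.0\.1|::1)\s+localhost$' }

# Proxy: per-user Internet Settings values that redirect browser traffic.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inetKey |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL

# DNS: servers configured on each interface, to compare with what you expect.
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# Chrome policies: the registry keys behind chrome://policy, if present.
$chromePolicies = 'HKLM:\SOFTWARE\Policies\Google\Chrome',
                  'HKCU:\SOFTWARE\Policies\Google\Chrome' |
    Where-Object { Test-Path -Path $_ } |
    ForEach-Object { Get-ItemProperty -Path $_ | Select-Object * -ExcludeProperty PS* }

# Scheduled tasks outside \Microsoft\ and the command line each one runs.
$tasks = Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $name = $_.TaskPath + $_.TaskName
        $_.Actions | Where-Object { $_.Execute } | ForEach-Object {
            [pscustomobject]@{ Task = $name; Runs = "$($_.Execute) $($_.Arguments)" }
        }
    }

# Shortcuts: a browser shortcut should carry no arguments (such as a URL) after
# the executable path. The folder list is an assumption; add others as needed.
$shell = New-Object -ComObject WScript.Shell
$folders = 'Desktop', 'Startup', 'CommonStartup' |
    ForEach-Object { [Environment]::GetFolderPath($_) }
$shortcuts = Get-ChildItem -Path $folders -Filter *.lnk -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        [pscustomobject]@{ Shortcut = $_.Name; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
    } | Where-Object { $_.Arguments }

'== Active hosts entries ==';          $hostsEntries
'== Proxy settings ==';                $proxy | Format-List | Out-String
'== DNS servers ==';                   $dns | Format-Table -AutoSize | Out-String
'== Chrome policies ==';               $chromePolicies | Format-List | Out-String
'== Non-Microsoft scheduled tasks =='; $tasks | Format-Table -AutoSize -Wrap | Out-String
'== Shortcuts with arguments ==';      $shortcuts | Format-List | Out-String
```

An empty section means nothing stood out for that check. Anything listed still needs a human decision, since legitimate software also sets proxies, policies and scheduled tasks.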


Thank you very much that was easy to remove. It's rare to find this type of information without feeling like there’s a hidden agenda, so thank you for being one of the good guys.
I have got this…..but I am not able to delete
C:\Users\Ritesh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ctfmon…when I delete it comes up again……the target process for this is
%systemroot%\system32\rundll32.exe wgsdgsdgdsgsd.exe,FQ10
I also checked other files/folders but nothing is there except few reg keys which I deleted.
I am running MB now…..
I called the money pack people a few minutes after loading the card number into the scam site and was able to get my money refunded. They will send you a check for full amount in 7-10 days. I was able to act before the card was acted upon.
Thank you thank you thank you..very easy instructions..booted in safemode and downloaded malwarebytes and i think im good to go!! nice to see people go out of their way to help you for free sometimes
thanks steven
Oops, meant that it disabled the task manager and MB.
Caught the virus, it Task Manager, Malwarebytes, etc. Started in Safe Mode and restored to a point 6 days ago. Does performing a system restore get rid of the virus or merely allow me to get running again and it’s still embedded. Running updated MB scan to see if it’s picked up.
Should I have uninstalled MB and downloaded a fresh version? This thing is getting nasty!
@devon0 here is the site. do #4!! Pay attention and don’t give up!! http://t.co/62mbzlQB
Do you have to remove the virus before the 72 hour time limit?
No, but you should remove it as soon as possible.
Thank you. Will it change names after 72 hours?
Also, will it somehow get reported to the FBI as a fake message?
I have been infected with this a couple of times. The first time was a more rudimentary form, and Task Mgr worked and was able to locate and stop program. But later versions “stronger” and safe-mode followed by “FULL scan” on MB worked. Having alternate user login to work from also helps.
thanks so much!
So what if I purchased a MoneyPak card and used the number to “unlock” my PC? Is the card still good or did I get scammed and lose $200
Unfortunately, you lost $200.
so awesome, I love you. I too had Malwarebytes free version already on my comp, followed your safe mode instructions, and BOOOM. Thanks man! Planning on buying AVG or Malwarebytes full version since you recommend it. Would Norton or McAfee be any better?
thank you very much. I followed the directions to enter in safe mode and ran AVG and it worked. Again thanks.
Thank you very much. I used Malwarebytes to get rid of it, thank goodness it was already installed on my cpu~
Thank you!
Guys be careful of this… http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/
http://t.co/HuiMnyFK New virus: Fake FBI warning
Sean, your suggestions for removing this nasty annoying virus worked for me! You saved me countless hours re-building my PC, thank you so much!!!
Then you must reformat the hdd
How nice (and rare) is it to do a google search about a computer problem, go to a top recommended site (that’s not trying to bait-and-switch you into buying something) and actually find information that is discernible AND WORKS?!?!? It’s freakin’ SUPER AWESOME is what it is!!! Thank you Sean! You’ve been a big help to a lot of people, including me. Your Karma account is over flowing. Well Done!
Got the Department of Justice version today. Booted in Safemode and put rkill.com in the start up. rebooted and it fought with the Malware and gave me access to my desktop and Virus Scan software, finally found the .exe in c:\documents and settings\username\local settings\temp , deleted it and ran a find in the registry for that filename and deleted the keys. rescanned w/ malwarebytes, so far so good filename gfhy22.exe
RT @boltyboy: Check your Firefox plugins here now http://t.co/CUCAhgsD old java plugin lets in a NASTY hijack virus http://t.co/OwBAh94E
Thank you very much for the information!!!
can Microsoft essentials get rid of this … i have used it in safe mode *without networking* and it seems to have gotten rid of it…
FBI MoneyPak working removal steps -> http://t.co/k1L52Why
How To Remove The FBI Moneypak Ransomware Virus – Fake FBI Malware Removal | http://t.co/KHXw7i4I
Thanks a lot, i was about to cry when this popped up, but a little research led me to this site and was able to fix the problem. Thanks again 😀
Thank you very much that was easier than i thought
Props! this would have been the hardest to remove yet for me but with this detailed help it was the easiest! thanks a ton
Thanx A Million.!.!.!
I called the local police and FBI to make sure it was a scam. Then on my own I did exactly as indicated above. Performed a System Restore in safe mode and used Malwarebytes to remove the malware. No problems. I also checked with my bank for my transaction history.
Dude You are the man…. I don’t think I have ever come so close to soiling myself… I’m mr do the right thing…. and though I may bend the rules here and there I try not to break any….. I got the scam and about died… my wife and I are going on vacation in a week…. I did not want to tell her I need to pay 200 dollars or go to jail…. I would have died tonight…. lol thank you thank you thank you…. never been so glad to find out I got scammed…… breathing again…. and in your debt
The Safe Mode With Networking worked great for me. It was very easy. Thanks.
Thank you Malwarebytes full scan did it for us
Thank you very much
thank you so much when i got this message i was almost ready to cry , being 100% honest i didn’t know what i was going to do and i got this message when i downloaded ilivid and in a way i had committed a crime and i was generally afraid id get in some serious law trouble. this article made my day and made me feel at peace
Does this work with windows vista?
so does it steals your picture by webcam??? (It was a little vague on WEBCAM Control)
It can, yes. You may notice a power light on your webcam, or in some cases your webcam stream is displayed live on the screen.
can this infect external hard drives? please answer.
Any virus or trojan can eventually. There’s no straight answer for that. Unplug your external hard drive if you’re worried.
had the cyber security virus. i removed the ctfmon link from startup so i could navigate around the computer and then downloaded the malwarebytes program…removed 2 trojans and all seems good now…good luck to anyone else unfortunate enough to experience this
Thank you soo much! I got home and my husband said he had this FBI thing show up I was like we’re not paying $200….Thank you soo much for helping us remove it!!
Thank you thank you thank you!!!!!
I would like to thank this website for giving me the tools I needed to fix this myself. It was all very clear, concise info and saved me a reformat and hours of work as well as a TON of updates! As with the people before me, I’d also like to thank you for not forcing people to buy software to fix this problem, if only there were more white-hats like you out there.
Thank you sooo much!
I really can’t answer that for certain out of thin air, sorry. It should be though, yes.
But… I can never say something is ever completely removed from a system, from erased images to documents, etc.
A System Restore affects Windows system files, programs, and registry settings. A restore can also make changes to scripts, batch files, and other types of executable files which may have been placed on the system or changed by a third party without user consent.
http://botcrawl.com/how-to-restore-microsoft-windows-vista-microsoft-windows-xp-and-microsoft-windows-7/
I recommend installing the free version of Malwarebytes if you need validation for this particular infection. You can remove Malwarebytes afterwards or continue to use it.
Glad to hear and thank you! Restoring your system will not remove document files (just in case others are uncertain), but it’s good to worry about it.
Thank you! I agree with others thanks for not forcing software down our throats like everyone else. Booked this site for future references because of it
thank you so much!!! i was freaking because this is my school PC and i thought all of my work had been lost. thanks for not being a typical company/person looking to make a buck preying on the naivety of people who have never seen something like this before. society as a whole can learn something from you, you restored some of my faith in people. if you’re ever in CO, i’ll buy you a round…
Thank you!!!