Skip to content
Monitor live humans, bots, and datacenters Botcrawl Edge Try Edge Free
Malware

How to Remove FBI Virus (Removal Guide)

The “FBI virus” is one of the most well known ransomware scams ever distributed in the United States. It first appeared in 2012 as a full-screen lock screen that falsely claimed to be issued by the Federal Bureau of Investigation and demanded payment through MoneyPak vouchers. Botcrawl was among the first publications to document this threat and publicly identify it as the “FBI virus” or “FBI MoneyPak virus.” As the campaign spread, it became one of the most widely searched ransomware infections in the country. While the original malware variants are no longer widespread, FBI-themed scams and lock screens continue to resurface in modern forms, including browser lockers, online extortion schemes, and mobile ransomware.

FBI Virus

Although the original FBI MoneyPak ransomware relied on prepaid vouchers and basic screen-locking techniques, the core social engineering strategy behind it has remained largely unchanged. Modern versions of the FBI virus no longer need to fully lock a device to intimidate victims. Instead, they exploit fear through browser-based lock screens, fake law enforcement warnings, phishing emails, malicious advertisements, and scam websites designed to pressure users into paying fabricated fines, surrendering personal information, or installing additional malware. These newer schemes often appear more polished, use updated branding, and target both desktop and mobile users, allowing the threat to persist long after the original campaign faded.

FBI Moneypak virus

This article traces the FBI virus from its earliest ransomware campaigns to the modern scams modeled after it. It explains how the original FBI MoneyPak malware operated, how its tactics evolved over time, and how to remove FBI-themed malware and lock screens using modern security tools. It also examines how early law enforcement impersonation schemes influenced today’s ransomware and extortion tactics, along with practical steps to protect devices from current file-encrypting attacks and fake authority warnings.

What is the FBI Virus?

The FBI virus was a type of ransomware that locked a user out of their computer and displayed a fake warning claiming to be from the Federal Bureau of Investigation. The message accused victims of viewing illegal content or violating federal law and demanded a fee to unlock the device. Payments were commonly requested through prepaid voucher systems such as MoneyPak, Ukash, Paysafecard, or Reloadit.

The FBI virus was one of the earliest widespread ransomware families in the United States. Instead of encrypting files like modern ransomware, it restricted access to the entire desktop and prevented the user from accessing Windows until a fake fine was paid. The goal was simple intimidation. Many victims complied out of fear, especially when the message displayed their location, IP address, or webcam feed.

Although the original FBI virus has faded, scammers still use FBI branding to scare users through browser pop ups, online extortion messages, and fraudulent phone calls. These threats use modern tactics but rely on the same psychological pressure as the original ransomware.

How the FBI Virus Spread

The original FBI virus spread through many of the same infection techniques used by malware today. These included:

  • Exploit kits that delivered ransomware when a victim visited an infected website
  • Malicious email attachments disguised as invoices or notices
  • Drive by downloads from compromised sites and ads
  • Fake software updates that installed ransomware instead of legitimate updates
  • Bundled installers combined with pirated software or fake media players

Exploit kits were particularly effective at the time because many users were still on outdated versions of Java, Flash Player, and Internet Explorer. A single visit to a compromised site could trigger an automatic ransomware installation.

Symptoms of the FBI Virus

Most victims of the FBI virus experienced obvious symptoms such as a full screen lockout. However, related scams can behave differently today. Common symptoms include:

  • A full screen window displaying an FBI message
  • Loss of access to the desktop
  • Keyboard shortcuts disabled
  • Webcam activates without permission
  • New browser tabs forcing an FBI warning
  • Pop ups claiming your device is under investigation
  • Unexpected redirects to law enforcement themed pages

If you encounter any of these symptoms, your device may be compromised by a lock screen Trojan, browser hijacker, or scam website script.

Modern Variants and Related Threats

Although the original ransomware family is obsolete, modern threats continue to use FBI branding. These include:

  • FBI browser lockers that freeze a browser tab with a fake FBI warning
  • FBI phone scams where scammers call victims pretending to be agents
  • FBI email scams that threaten legal action unless payment is made
  • Mobile ransomware on Android that locks the screen with FBI logos
  • Fake security alerts that redirect users to tech support scams

These threats do not function like the original ransomware, but they use the same pressure tactics and are often combined with phishing, payment fraud, and identity theft.

Remove the FBI Virus with Malwarebytes (Recommended)

The most effective way to remove an FBI virus infection is to scan your device with a trusted anti malware tool. We recommend using Malwarebytes because it specializes in removing ransomware, adware, browser hijackers, and potentially unwanted programs. Manual removal may not detect hidden files or startup entries, so using an automated scanner is the safest option.

Follow these steps to remove the FBI virus using Malwarebytes:

mbsetup

  1. Download Malwarebytes and save the installer to your Downloads folder. Double click it to begin installation.

install malwarebytes

  1. Follow the on screen instructions to install Malwarebytes on your Windows device.

choose your protection type

  1. Select whether you are installing Malwarebytes for personal or business use and click Next.

malwarebytes browser guard

  1. You may be offered Malwarebytes Browser Guard. You can add it or skip this step.

malwarebytes get started

  1. Once installation is complete, open Malwarebytes and click Get Started.

malwarebytes all in one protection

  1. If using the free version, you will receive a trial of Malwarebytes Premium. After the trial ends, the program continues working as an on demand scanner.

malwarebytes scan

  1. From the dashboard, click Scan. Malwarebytes will check memory, startup items, registry entries, and files for ransomware and related threats.

scanning for threats

  1. Wait for the scan to complete. This may take several minutes.

threats detected

  1. When the scan finishes, review the detected threats and click Quarantine to remove them. You may be prompted to restart your computer.

malwarebytes trusted advisor

  1. After rebooting, Malwarebytes may run additional checks to confirm your system is clean.

Manual Removal for Windows

If you still have access to your desktop or are dealing with a browser based FBI scam, these manual steps can help you remove unwanted components. Manual removal should be followed by a Malwarebytes scan to ensure no hidden remnants remain.

Step 1. Uninstall suspicious programs

  1. Right click Start and select Installed apps or Apps and Features.
  2. Sort by install date to locate recent additions.
  3. Uninstall programs you do not recognize or installed around the time the lock screen appeared.

Step 2. Remove browser notifications from fake FBI sites

  • Chrome: chrome://settings/content/notifications
  • Edge: Settings > Cookies and site permissions > Notifications
  • Firefox: Settings > Privacy and Security > Permissions

Step 3. Remove unwanted browser extensions

  • Chrome: chrome://extensions
  • Edge: Settings > Extensions
  • Firefox: about:addons

Step 4. Restore your default search engine

Restore Google, DuckDuckGo, or your preferred provider.

Step 5. Reset browser settings if symptoms continue

  • Chrome: chrome://settings/reset
  • Edge: Settings > Reset settings
  • Firefox: Help > More Troubleshooting Information > Refresh Firefox

Step 6. Clear cookies and site data

Remove cached FBI scam pages and redirects by clearing cookies and browsing data.

Step 7. Delete temporary files

Remove temporary files that may contain scripts or installers.

Advanced Checks for Persistent Issues

If you still see warnings or redirects, perform these advanced checks:

Check browser shortcuts

Right click your browser shortcut and ensure the Target field only contains the browser executable path.

Check Windows hosts file

Inspect C:\Windows\System32\drivers\etc\hosts for unwanted entries.

Check proxy and DNS settings

Ensure no unexpected proxies or DNS servers are configured.

Check Chrome policies

Visit chrome://policy to see if malware has enforced settings.

Review Task Scheduler

Look for tasks that launch unknown executables.

For more malware removal guides and cybersecurity alerts, visit our latest updates in the malware category.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.

540 Comments

  1. Thank you very much that was easy to remove. Its rare to find this type of information without feeling like there’s a hidden agenda, so thank you for being one of the good guys.

  2. I have got this…..but I am not able to delete
    C:\Users\Ritesh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ctfmon…when I delete it comes up again……the target process for this is
    %systemroot%\system32\rundll32.exe wgsdgsdgdsgsd.exe,FQ10

    I also checked other files/folders but nothing is there except few reg keys which I deleted.

    I am running MB now…..

  3. I called the money pack people a few minutes after loading the card number into the scam site and was able to get my money refunded. They will send you a check for full amount in 7-10 days. I was able to act before the card was acted upon.

  4. Thank you thank you thank you..very easy instuctions..booted in safemode and downloaded malwarebytes and i think im good to go!! nice to see people go out of there way to help you for free sometimes

    thanks steven

  5. Caught the virus, it Task Manager, Malwarebytes, etc. Started in Safe Mode and restored to a point 6 days ago. Does performing a system restore get rid of the virus or merely allow me to get running again and it’s still embedded. Running updated MB scan to see of it’s picked up.

    Should I have uninstalled MB and downloaded a fresh version? This thing is getting nasty!

  6. I have been infected with this a couple of times. The first time was a more rudimentary form, and Task Mgr worked and was able to locate and stop program. But later versions “stronger” and safe-mode followed by “FULL scan” on MB worked. Having alternate user login to work from also helps.

  7. so awesome, I love you. I too had Malwarebytes free version already on my comp, followed your safe mode instructions, and BOOOM. Thanks man! Planning on buying AVG or Malwarebytes full version since you recommend it. Would Norton or Mcaffee be any better?

  8. […] If you are dealing with the FBI Moneypak and want to attempt resolving the issue yourself, look at this page by Botcrawl. […]

  9. How nice (and rare) is it to do a google search about a computer problem, go to a top recommended site (that’s not trying to bait-and-switch you into buying something) and actually find information that is discernible AND WORKS?!?!? It’s freakin’ SUPER AWESOME is what it is!!! Thank you Sean! You’ve been a big help to a lot of people, including me. Your Karma account is over flowing. Well Done!

  10. Got the Department of Justice version today. Booted in Safemode and put rkill.com in the start up. rebooted and it fought with the Malware and gave me access to my desktop and Virus Scan software, finally found the .exe in c:\documents and settings\username\local settings\temp , deleted it and ran a find in the registry for that filename and deleted the keys. rescanned w/ malwarebytes, so far so good filename gfhy22.exe

  11. […] first doing an investigation. If you, or someone you know, gets the malware and sees the pop up, follow these instructions to remove it properly. If the instructions don’t work, you’ll have to hire a professional to […]

  12. I called the local police and FBI to make sure it was a scam. Then on my own I did exactly as indicated above. Performed a System Restore in safe mode and used Malwarebytes to remove the malware. No problems. I also checked with my bank for my transaction history.

    • Dude You are the man…. I don’t think I have ever come so close to soiling myself… I’m mr do the right thing…. and though I may bend the rules here and there I try not to break any….. I got the scam and about died… my wife and I are going on vacation in a week…. I did not want to tell her I need to pay 200 dollars or go to jail…. I would have died tonight…. lol thank you thank you thank you…. never been so glad to find out I got scammed…… breathing again…. and in you debt

  13. thank you so much when i got this message i was almost ready to cry , being 100% honest i didn’t know what i was going to do and i got this message when i downloaded ilivid and in a way i had committed a crime and i was generally afraid id get in some serious law trouble. this article made my day and made me feel at peace

  14. had the cyber security virus. i removed the ctfmon link from startup so i could navigate around the computer and then downloaded the malwarebytes program…removed 2 trojans and all seems good now…good luck to anyone else unfortunate enough to experience this

  15. Thank you soo much! I got home and my husband said he had this FBI thing show up I was like we’re not paying $200….Thank you soo much for helping us remove it!!

  16. I would like to thank this website for giving me the tools I needed to fix this myself. It was all very clear, concise info and saved me a reformat and hours of work as well as a TON of updates! As with the people before me, I’d also like to thank you for not forcing people to buy software to fix this problem, if only there were more white-hats like you out there.

  17. I really can’t answer that for certain out of thin air, sorry. It should be though, yes.

    But… I can never say something is ever completely removed from a system, from erased images to documents, etc.

    A System Restore affects Windows system files, programs, and registry settings. A restore can also make changes to scripts, batch files, and other types of executable files which may have been placed on the system or changed by a third party without user consent.
    http://botcrawl.com/how-to-restore-microsoft-windows-vista-microsoft-windows-xp-and-microsoft-windows-7/

    I recommend installing the free version of Malwarebytes if you need validation for this particular infection. You can remove Malwarebytes afterwards or continue to use it.

  18. […] os the The FBI Moneypak Ransomware Virus? The FBI Moneypak Ransomware Virus? How To Remove The FBI Moneypak Ransomware Virus – Fake FBI Malware Removal | FBI Moneypak (FBI virus, Citadel Reveton) is ransomware that locks computer systems, alleges […]

  19. Thank you! I agree with others thanks for not forcing software down our throats like everyone else. Booked this site for future references because of it

  20. thank you so much!!! i was freaking because this is my school PC and i thought all of my work had been lost. thanks for not being a typical company/person looking to make a buck preying on the naivety of people who have never seen something like this before. society as a whole can learn something from you, you restored some of my faith in people. if you’re ever in CO, i’ll buy you a round…

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.