How to Remove FBI Virus (Removal Guide)

The “FBI virus” is one of the most well-known ransomware scams ever distributed in the United States. It first appeared in 2012 as a full-screen lock screen that falsely claimed to be issued by the Federal Bureau of Investigation and demanded payment through MoneyPak vouchers. Botcrawl was among the first publications to document this threat and publicly identify it as the “FBI virus” or “FBI MoneyPak virus.” As the campaign spread, it became one of the most widely searched ransomware infections in the country. While the original malware variants are no longer widespread, FBI-themed scams and lock screens continue to resurface in modern forms, including browser lockers, online extortion schemes, and mobile ransomware.

Although the original FBI MoneyPak ransomware relied on prepaid vouchers and basic screen-locking techniques, the core social engineering strategy behind it has remained largely unchanged. Modern versions of the FBI virus no longer need to fully lock a device to intimidate victims. Instead, they exploit fear through browser-based lock screens, fake law enforcement warnings, phishing emails, malicious advertisements, and scam websites designed to pressure users into paying fabricated fines, surrendering personal information, or installing additional malware. These newer schemes often appear more polished, use updated branding, and target both desktop and mobile users, allowing the threat to persist long after the original campaign faded.

This article traces the FBI virus from its earliest ransomware campaigns to the modern scams modeled after it. It explains how the original FBI MoneyPak malware operated, how its tactics evolved over time, and how to remove FBI-themed malware and lock screens using modern security tools. It also examines how early law enforcement impersonation schemes influenced today’s ransomware and extortion tactics, along with practical steps to protect devices from current file-encrypting attacks and fake authority warnings.

What is the FBI Virus?

The FBI virus was a type of ransomware that locked a user out of their computer and displayed a fake warning claiming to be from the Federal Bureau of Investigation. The message accused victims of viewing illegal content or violating federal law and demanded a fee to unlock the device. Payments were commonly requested through prepaid voucher systems such as MoneyPak, Ukash, Paysafecard, or Reloadit.

The FBI virus was one of the earliest widespread ransomware families in the United States. Instead of encrypting files like modern ransomware, it restricted access to the entire desktop and prevented the user from accessing Windows until a fake fine was paid. The goal was simple intimidation. Many victims complied out of fear, especially when the message displayed their location, IP address, or webcam feed.

Although the original FBI virus has faded, scammers still use FBI branding to scare users through browser pop-ups, online extortion messages, and fraudulent phone calls. These threats use modern tactics but rely on the same psychological pressure as the original ransomware.

How the FBI Virus Spread

The original FBI virus spread through many of the same infection techniques used by malware today. These included:

  • Exploit kits that delivered ransomware when a victim visited an infected website
  • Malicious email attachments disguised as invoices or notices
  • Drive-by downloads from compromised sites and ads
  • Fake software updates that installed ransomware instead of legitimate updates
  • Bundled installers combined with pirated software or fake media players

Exploit kits were particularly effective at the time because many users were still on outdated versions of Java, Flash Player, and Internet Explorer. A single visit to a compromised site could trigger an automatic ransomware installation.

Symptoms of the FBI Virus

Most victims of the FBI virus experienced obvious symptoms such as a full screen lockout. However, related scams can behave differently today. Common symptoms include:

  • A full screen window displaying an FBI message
  • Loss of access to the desktop
  • Keyboard shortcuts disabled
  • Webcam activates without permission
  • New browser tabs forcing an FBI warning
  • Pop-ups claiming your device is under investigation
  • Unexpected redirects to law enforcement themed pages

If you encounter any of these symptoms, your device may be compromised by a lock screen Trojan, browser hijacker, or scam website script.

Modern Variants and Related Threats

Although the original ransomware family is obsolete, modern threats continue to use FBI branding. These include:

  • FBI browser lockers that freeze a browser tab with a fake FBI warning
  • FBI phone scams where scammers call victims pretending to be agents
  • FBI email scams that threaten legal action unless payment is made
  • Mobile ransomware on Android that locks the screen with FBI logos
  • Fake security alerts that redirect users to tech support scams

These threats do not function like the original ransomware, but they use the same pressure tactics and are often combined with phishing, payment fraud, and identity theft.

Remove the FBI Virus with Malwarebytes (Recommended)

The most effective way to remove an FBI virus infection is to scan your device with a trusted anti-malware tool. We recommend using Malwarebytes because it specializes in removing ransomware, adware, browser hijackers, and potentially unwanted programs. Manual removal may not detect hidden files or startup entries, so using an automated scanner is the safest option.

Follow these steps to remove the FBI virus using Malwarebytes:

  1. Download Malwarebytes and save the installer to your Downloads folder. Double-click it to begin installation.
  2. Follow the on-screen instructions to install Malwarebytes on your Windows device.
  3. Select whether you are installing Malwarebytes for personal or business use and click Next.
  4. You may be offered Malwarebytes Browser Guard. You can add it or skip this step.
  5. Once installation is complete, open Malwarebytes and click Get Started.
  6. If using the free version, you will receive a trial of Malwarebytes Premium. After the trial ends, the program continues working as an on-demand scanner.
  7. From the dashboard, click Scan. Malwarebytes will check memory, startup items, registry entries, and files for ransomware and related threats.
  8. Wait for the scan to complete. This may take several minutes.
  9. When the scan finishes, review the detected threats and click Quarantine to remove them. You may be prompted to restart your computer.
  10. After rebooting, Malwarebytes may run additional checks to confirm your system is clean.

Manual Removal for Windows

If you still have access to your desktop or are dealing with a browser-based FBI scam, these manual steps can help you remove unwanted components. Manual removal should be followed by a Malwarebytes scan to ensure no hidden remnants remain.

Step 1. Uninstall suspicious programs

  1. Right click Start and select Installed apps or Apps and Features.
  2. Sort by install date to locate recent additions.
  3. Uninstall programs you do not recognize or installed around the time the lock screen appeared.

Step 2. Remove browser notifications from fake FBI sites

  • Chrome: chrome://settings/content/notifications
  • Edge: Settings > Cookies and site permissions > Notifications
  • Firefox: Settings > Privacy and Security > Permissions

Step 3. Remove unwanted browser extensions

  • Chrome: chrome://extensions
  • Edge: Settings > Extensions
  • Firefox: about:addons

Step 4. Restore your default search engine

Restore Google, DuckDuckGo, or your preferred provider.

Step 5. Reset browser settings if symptoms continue

  • Chrome: chrome://settings/reset
  • Edge: Settings > Reset settings
  • Firefox: Help > More Troubleshooting Information > Refresh Firefox

Step 6. Clear cookies and site data

Remove cached FBI scam pages and redirects by clearing cookies and browsing data.

Step 7. Delete temporary files

Remove temporary files that may contain scripts or installers.

Advanced Checks for Persistent Issues

If you still see warnings or redirects, perform these advanced checks:

Check browser shortcuts

Right click your browser shortcut and ensure the Target field only contains the browser executable path.

Check Windows hosts file

Inspect C:\Windows\System32\drivers\etc\hosts for unwanted entries.

Check proxy and DNS settings

Ensure no unexpected proxies or DNS servers are configured.

Check Chrome policies

Visit chrome://policy to see if malware has enforced settings.

Review Task Scheduler

Look for tasks that launch unknown executables.
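The five advanced checks above can be run in one pass from an elevated PowerShell window. The script below is an added example written for this guide, not a Botcrawl or Malwarebytes tool: it reads the browser shortcut targets, the hosts file, the WinINET proxy values, the registry-backed Chrome policies, the Run keys, and non-Microsoft scheduled tasks, and prints anything worth a look. It deletes nothing. The "suspicious path" pattern (executables under Temp, AppData, Users\Public, or loose in the Windows folder) and the shortcut folders it scans are assumptions chosen for this example; Chrome policies are read from the top-level policy keys only.

```powershell
# Added example for this guide (not Botcrawl's own tooling): a read-only audit of the
# locations the "Advanced Checks" section lists. It reports, it never deletes.
# Run from an elevated PowerShell window.
$findings = New-Object System.Collections.Generic.List[string]
# Assumed heuristic: executables launched from temp/profile folders or directly in
# the Windows root (where this infection dropped random-named .exe files) get flagged.
$suspiciousPath = '\\(Temp|AppData|Users\\Public|Windows)\\[^\\]+\.exe'

# 1. Browser shortcuts: the Target should be only the browser executable. Extra
#    arguments such as a URL are how a hijacker forces a scam page on every launch.
$wsh = New-Object -ComObject WScript.Shell
$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)
foreach ($dir in $shortcutDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $wsh.CreateShortcut($_.FullName)
        if ($lnk.TargetPath -match '(chrome|msedge|firefox)\.exe$' -and $lnk.Arguments.Trim() -ne '') {
            $findings.Add("Shortcut '$($_.FullName)' adds arguments: $($lnk.Arguments)")
        }
    }
}

# 2. hosts file: anything beyond comments and the default localhost lines deserves a look.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($raw in (Get-Content -LiteralPath $hostsPath)) {
    $line = $raw.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { continue }
    if ($line -notmatch '^(127\.0\.0\.1|::1)\s+localhost$') {
        $findings.Add("hosts entry: $line")
    }
}

# 3. Proxy settings (per-user WinINET values): a rogue proxy or PAC URL can redirect every page.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $findings.Add("Proxy enabled: $($inet.ProxyServer)") }
if ($inet.AutoConfigURL)     { $findings.Add("Proxy auto-config URL: $($inet.AutoConfigURL)") }

# Helper: registry value names minus PowerShell's own PS* metadata properties.
function Get-RegValues([string]$key) {
    if (-not (Test-Path -LiteralPath $key)) { return @() }
    (Get-ItemProperty -LiteralPath $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
}

# 4. Chrome policies set through the registry (these appear in chrome://policy as enforced).
foreach ($polKey in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome') {
    foreach ($v in Get-RegValues $polKey) {
        $findings.Add("Chrome policy $($v.Name) = $($v.Value) [$polKey]")
    }
}

# 5. Run keys: flag entries that launch from a suspicious path.
foreach ($runKey in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    foreach ($v in Get-RegValues $runKey) {
        if ("$($v.Value)" -match $suspiciousPath) {
            $findings.Add("Run entry $($v.Name) -> $($v.Value) [$runKey]")
        }
    }
}

# 6. Scheduled tasks outside Microsoft's own folder whose action runs from a flagged path.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        foreach ($action in $_.Actions) {
            if ("$($action.Execute) $($action.Arguments)" -match $suspiciousPath) {
                $findings.Add("Task $($_.TaskPath)$($_.TaskName) runs: $($action.Execute) $($action.Arguments)")
            }
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No findings in shortcuts, hosts, proxy, Chrome policy, Run keys, or scheduled tasks.'
} else {
    Write-Output "Review these $($findings.Count) item(s); remove only what you can confirm is unwanted:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Treat the output as a review list rather than a verdict: legitimate software also installs from AppData and registers Run entries, so confirm each item before removing it, and follow any cleanup with the Malwarebytes scan described earlier.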

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.

  • Thanks for the good work, very clear instructions. Got the virus this morning, McAfee didn’t fix it, restoring the system to a previous point didn’t work – tried it many times. Malwarebytes could see the virus and trojans but couldn’t remove it from the system, same happened with AVG. Finally MICROSOFT SECURITY ESSENTIALS did all the job. Now my PC works very smooth. Thanks

  • I did not get a screen like you’ve been showing but instead an audio file that kept saying “warning, FBI blah, blah, blah” over and over. So far system restore seems to have worked. Thanks for the easy instructions.

  • Ugh, what a freakin’ pain. I’m on a laptop now while my computer is running Malwarebytes. It hasn’t found anything yet..

    This FBI deal blocked Safe Mode (all forms), and it was a race against time doing the ‘ol Start Menu / Run / explorer / Computer / C / Windows / System32 / Rstrui deal. What a PAIN. I finally got it to click (on like the 30th attempt. I’m sure that’s great for your computer), picked the Restore Point that was made yesterday afternoon, and I should note that I also unplugged my internet before that final successful one. It is STILL unplugged.

    Now, I should be good to go with the Restore Point? There won’t be any residual stuff? Very helpful here, though the range of ways to defeat it (since some won’t work) is infuriating. I like questions that are like “Hungry?” and the answer is “eat food.” Which is what I’m going to go do now.

    Thanks a bunch, and a confirmation to put my worried mind at ease would be great.

  • Thank you very much.
    I got the virus, tried to restore the sys., it worked but when I turned on the internet, the malware overtook my laptop again. Tried rebooting the laptop by F8, it didn’t work. I had to scratch the comp. to get safe mode with networking, downloaded Malwarebytes, ran the program and it worked perfect. Many Thanks

  • This site (Sean) was instrumental in helping me (seemingly) defeat this. Thank You sir!

    Just as a note to others: I used a hybrid solution wherein I downloaded MalWareBytes in safe mode and ran it. It detected a trojan. I then restarted in normal mode. I then ran XXXX to be sure. Both services are free and bless them for that.

    Furthermore, before you fellow Norton subscribers decide to contact them, realize they haven’t a clue on this yet. They overtook my computer remotely for 1&1/2 hours before giving up. It took me an additional 3 hours of experimentation to (again, seemingly) beat it.

    Thanks again.

  • Does removing using a system restore still leave some trace of the malware on your system? I checked this out with the FBI and they said even if you are able to remove it yourself there could be some lingering thing there that might record keystrokes or download personal information, credit cards etc?

  • I got this virus last night and was going to pay bucks to get someone to take it off. (By the way, companies want between $70-160 to get rid of this virus.) I found this website and saved some money. I got into Safe Mode on my computer and went to System Restore in my Accessories folder and restored my computer to a point from last week. It seems to have worked. I can get on the internet with no problems. I don’t have any anti virus software so maybe it’s hiding somewhere but for now I’m happy.

  • Booted in Safe Mode and did a System Restore and that removed it. After the restart Norton Security was disabled. Clicked to restart it. Doing a full system scan now.

    Had file ‘dxdgztzl.exe’ in ‘C:\Windows\’; looks like this is a random file name.
    Also had a startup entry for ‘dxdgztzl.exe’ showing in MSConfig Startup and the Registry at

    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dxdgztzl.exe

  • Hello and thx for the info.
    I did the system restore before finding this site, which reaffirmed what I did will work. However, one side effect is that it disabled my Norton. I still have the icons, but when I click on them, nothing happens. Also, the Norton icon is gone from my system tray. I’ll try re-installing Norton and see if I can get it back that way. But why did Norton let it get by in the first damn place???? I’m pretty pissed off at Symantec right about now!!!!

  • I succeeded in fixing my laptop, which has Windows XP Professional Service Pack 3. I use Microsoft Security Essentials for my antivirus, antispyware, antimalware. When I booted up Windows, I got my desktop display minus all icons and taskbar. Since there was no Start button and putting my mouse cursor in the lower left corner did nothing, I decided to use Safe Mode with Command Prompt. In my case, a black screen opened with the words Safe Mode in the four corners and a title showing my version of Windows. By waiting about 20 seconds, a command prompt window opened in the upper left corner. I typed in explorer and pressed Enter. By waiting a minute or two, the Windows Explorer window opened up. I browsed to c:\windows\system32\Restore. I clicked on the file rstrui and pressed Enter. Be patient and wait. The Restore window opened up and I restored to a system checkpoint about a month ago. Restore then restarted my laptop and opened Windows successfully. A pop-up window displayed to state Restore finished and stated that some files were renamed. I clicked on a link to see the names of the renamed files: url.dll, urlmon.dll, and winnet.dll in the Windows/system32 folder. Since I have Microsoft Security Essentials installed and it normally runs at Windows startup, I got an error pop-up which stated it failed with error code 0x80070715. In other words, the virus corrupted Security Essentials so that I could not do a scan of my computer. I tried to do Control Panel->Add/Remove Programs to uninstall Security Essentials. A mostly blank window opened up with two blank buttons. I guessed the left button was Yes to do the uninstall which then ran. I had a copy of the install exec for Security Essentials which I ran to install Security Essentials successfully. I then ran it to do a full computer scan. It took two hours to complete and found five suspicious items: four of them were Trojans (Win32/Ransom.KF) and the fifth was labelled Exploit (Java/blacole.GD). The first two Trojans had container file in the Local Settings/Temp folder wpbt0.dll and the file was [INJECTOR_CL]->(UPX). The next two Trojans had container file in the c:\System Volume Information folder as A0121748.exe and the file was A0121748.exe->[INJECTOR_CL]->(UPX). The Java container file was in my userid folder as \.jpil_cache\jar\1.0\Pre.jar-7562F662-223071cc.zip and the file was this zip->bkwa\bkwa.class. My laptop is now running normally as far as I can tell. Also, I had Security Essentials run another Full Scan, which detected no new threats.

  • malwarebytes saved my life! (so did the fact that i had multiple accounts) I restored to previous version before an update, and then used malwarebytes to do a full scan (around 2 hours) however once you see that the number of malicious objects has not increased in the past hour, feel free to abort scan and delete those files. then, run a quick scan (or a full scan) to make sure you’ve removed all.

  • Ok so right now I’m typing this on an iPad so I’m not sure if it will work. Right now my laptop is in safe mode with networking and norton 360 is running a full system scan.

    You Guys have helped me a lot. I wanted to cry I was so mad. THANK YOU <3

  • I just about had a heart attack!! Thanks for saving me from pulling my hair out. I had to restore my computer after going through the safe mode since the first option didn’t work.

  • Thanks for getting me through this nasty malware virus. I used the instructions for safemode with networking, then reset my computer to a few days prior. It looks like the virus is gone. Thanks for the help!

  • Sean, many thanks for your very informative blog.

    It just happened to me and yes it’s quite annoying. It actually takes about 10 minutes to fix the problem and can be done with the Malwarebytes Anti-Malware software in “Safe Mode with Networking,” as mentioned above.

    Some articles claim that these guys have been extorting about $50,000 per day on average. I’m shocked that the FBI (or foreign equivalent) hasn’t yet apprehended the culprits.

    • Thanks!
      The free version of Malwarebytes is just a malware scan and removal tool that will remove this infection.
      The paid version of Malwarebytes gives you real time protection against intrusions.
      So yes, the paid version does block this particular virus out in real time. But new variants and similar infections that have not been sampled yet can be left undetected. If that’s the case Malwarebytes offers support for such issues and will add the new variant to their next update.

  • I hadn’t heard of this virus before today, when my employer sent me to recover a client’s computer. When I left the client, 4 hours later, his computer seemed to be functional, but I had the uncomfortable feeling the virus might just be waiting a while before reappearing. After looking over these instructions, I can see things I needed to have done.

    BitDefender 2010 CD found the Trojan and removed it, but the Trojan came back. I deleted the file that kept getting infected, then deleted the entire folder (“Pepper Flash” for Google Chrome).

    System Restore to a week earlier did not stop the virus. I then set the system back 6 weeks.

    Norton AV was pre-installed on the computer. When I double-clicked on the Norton icon after cleaning the infection, the virus popped up its extortion window. I tried to uninstall Norton, but nothing happened when I gave the system the command to continue removal. So, I manually deleted as much of Norton as I could find, including in the Registry. I could not remove the Norton icon from the Add/Remove Programs list, but I did get it off the toolbar. All that remains are a few references in Registry that I didn’t have time to delete.

    I installed and scanned the system with avast! and SUPERAntiSpyware, removing 300+ cookies. Then, I uninstalled those programs.

    I installed MS Security Essentials.

    In the end, the user was able to back up his files from his computer, and the computer appeared to be functioning normally, though set back 6 weeks and without Google Chrome or Norton working.

  • Thank you very much for different solutions since they are all important. I installed AVG and after scanning for 3 hours it found 56 corrupted files. After removing it, the virus didn’t stop. I am not sure why. So I had to get Malwarebytes and after only 5 min of scanning it found 3 files. Removed, and the problem is gone. Thank you for providing this information and thanks to Malwarebytes.

  • I was able to get rid of this only after disabling my internet. I could not use Safe Mode (it would bluescreen) and it was too quick to do any of the system restores. Once I disconnected my router, I was able to come up and do a system restore. Thanks for the info. This one scared the hell out of my 18 yo son.

  • I did a traceback hack and sent 11,001 links to do root inline script that should keep them entertained lol.
    I also sent script to homeland security ” maybe they will shut down ill got funds end for company funds procured should keep them busy.
    Hack back targeting got to love it. JUST remember Hacker/s there are just as smart and Smarter other/s on this planet -_N-^e_o^

  • thanks a thousand lots am not from the usa am from dubai i dont know how or why i got an FBI stuff but at least i searched for it and ur the only one who helped me

    thank you <3!!!

  • damn…definitely scared at first when i saw this

    safe mode command prompt instructions worked for me

    tried the safe mode with networking, but as soon as i logged in, the fbi moneypak ransomware tried loading up (a white screen with something to the effect of this page will take 30 seconds to load)

    after doing system restore from safe mode command prompt, my pc is back to normal. thanks.

  • Thanks Sean, you rock. I was unable to even access my desktop in safe mode, or safe mode with networking. Your instructions on restoring from the safe mode with command prompt is what worked, and easy to follow!
