The “FBI virus” is one of the best-known ransomware scams ever distributed in the United States. It first appeared in 2012 as a full-screen lock screen that falsely claimed to be issued by the Federal Bureau of Investigation and demanded payment through MoneyPak vouchers. Botcrawl was among the first publications to document this threat and publicly identify it as the “FBI virus” or “FBI MoneyPak virus.” As the campaign spread, it became one of the most widely searched ransomware infections in the country. While the original malware variants are no longer widespread, FBI-themed scams and lock screens continue to resurface in modern forms, including browser lockers, online extortion schemes, and mobile ransomware.

Although the original FBI MoneyPak ransomware relied on prepaid vouchers and basic screen-locking techniques, the core social engineering strategy behind it has remained largely unchanged. Modern versions of the FBI virus no longer need to fully lock a device to intimidate victims. Instead, they exploit fear through browser-based lock screens, fake law enforcement warnings, phishing emails, malicious advertisements, and scam websites designed to pressure users into paying fabricated fines, surrendering personal information, or installing additional malware. These newer schemes often appear more polished, use updated branding, and target both desktop and mobile users, allowing the threat to persist long after the original campaign faded.

This article traces the FBI virus from its earliest ransomware campaigns to the modern scams modeled after it. It explains how the original FBI MoneyPak malware operated, how its tactics evolved over time, and how to remove FBI-themed malware and lock screens using modern security tools. It also examines how early law enforcement impersonation schemes influenced today’s ransomware and extortion tactics, along with practical steps to protect devices from current file-encrypting attacks and fake authority warnings.
What is the FBI Virus?
The FBI virus was a type of ransomware that locked a user out of their computer and displayed a fake warning claiming to be from the Federal Bureau of Investigation. The message accused victims of viewing illegal content or violating federal law and demanded a fee to unlock the device. Payments were commonly requested through prepaid voucher systems such as MoneyPak, Ukash, Paysafecard, or Reloadit.
The FBI virus was one of the earliest widespread ransomware families in the United States. Instead of encrypting files like modern ransomware, it restricted access to the entire desktop and prevented the user from accessing Windows until a fake fine was paid. The goal was simple intimidation. Many victims complied out of fear, especially when the message displayed their location, IP address, or webcam feed.
Although the original FBI virus has faded, scammers still use FBI branding to scare users through browser pop-ups, online extortion messages, and fraudulent phone calls. These threats use modern tactics but rely on the same psychological pressure as the original ransomware.
How the FBI Virus Spread
The original FBI virus spread through many of the same infection techniques used by malware today. These included:
- Exploit kits that delivered ransomware when a victim visited an infected website
- Malicious email attachments disguised as invoices or notices
- Drive-by downloads from compromised sites and ads
- Fake software updates that installed ransomware instead of legitimate updates
- Bundled installers combined with pirated software or fake media players
Exploit kits were particularly effective at the time because many users were still on outdated versions of Java, Flash Player, and Internet Explorer. A single visit to a compromised site could trigger an automatic ransomware installation.
Symptoms of the FBI Virus
Most victims of the FBI virus experienced obvious symptoms such as a full-screen lockout. However, related scams can behave differently today. Common symptoms include:
- A full-screen window displaying an FBI message
- Loss of access to the desktop
- Keyboard shortcuts disabled
- Webcam activating without permission
- New browser tabs forcing an FBI warning
- Pop-ups claiming your device is under investigation
- Unexpected redirects to law enforcement themed pages
If you encounter any of these symptoms, your device may be compromised by a lock screen Trojan, browser hijacker, or scam website script.
Modern Variants and Related Threats
Although the original ransomware family is obsolete, modern threats continue to use FBI branding. These include:
- FBI browser lockers that freeze a browser tab with a fake FBI warning
- FBI phone scams where scammers call victims pretending to be agents
- FBI email scams that threaten legal action unless payment is made
- Mobile ransomware on Android that locks the screen with FBI logos
- Fake security alerts that redirect users to tech support scams
These threats do not function like the original ransomware, but they use the same pressure tactics and are often combined with phishing, payment fraud, and identity theft.
Remove the FBI Virus with Malwarebytes (Recommended)
The most effective way to remove an FBI virus infection is to scan your device with a trusted anti-malware tool. We recommend using Malwarebytes because it specializes in removing ransomware, adware, browser hijackers, and potentially unwanted programs. Manual removal may not detect hidden files or startup entries, so using an automated scanner is the safest option.
Follow these steps to remove the FBI virus using Malwarebytes:
- Download Malwarebytes and save the installer to your Downloads folder. Double-click it to begin installation.
- Follow the on-screen instructions to install Malwarebytes on your Windows device.
- Select whether you are installing Malwarebytes for personal or business use and click Next.
- You may be offered Malwarebytes Browser Guard. You can add it or skip this step.
- Once installation is complete, open Malwarebytes and click Get Started.
- If using the free version, you will receive a trial of Malwarebytes Premium. After the trial ends, the program continues working as an on-demand scanner.
- From the dashboard, click Scan. Malwarebytes will check memory, startup items, registry entries, and files for ransomware and related threats.
- Wait for the scan to complete. This may take several minutes.
- When the scan finishes, review the detected threats and click Quarantine to remove them. You may be prompted to restart your computer.
- After rebooting, Malwarebytes may run additional checks to confirm your system is clean.
Manual Removal for Windows
If you still have access to your desktop or are dealing with a browser-based FBI scam, these manual steps can help you remove unwanted components. Manual removal should be followed by a Malwarebytes scan to ensure no hidden remnants remain.
Step 1. Uninstall suspicious programs
- Right-click Start and select Installed apps or Apps and Features.
- Sort by install date to locate recent additions.
- Uninstall programs you do not recognize or installed around the time the lock screen appeared.
Step 2. Remove browser notifications from fake FBI sites
- Chrome: chrome://settings/content/notifications
- Edge: Settings > Cookies and site permissions > Notifications
- Firefox: Settings > Privacy and Security > Permissions
Step 3. Remove unwanted browser extensions
- Chrome: chrome://extensions
- Edge: Settings > Extensions
- Firefox: about:addons
Step 4. Restore your default search engine
Restore Google, DuckDuckGo, or your preferred provider.
Step 5. Reset browser settings if symptoms continue
- Chrome: chrome://settings/reset
- Edge: Settings > Reset settings
- Firefox: Help > More Troubleshooting Information > Refresh Firefox
Step 6. Clear cookies and site data
Remove cached FBI scam pages and redirects by clearing cookies and browsing data.
Step 7. Delete temporary files
Remove temporary files that may contain scripts or installers.
Advanced Checks for Persistent Issues
If you still see warnings or redirects, perform these advanced checks:
Check browser shortcuts
Right-click your browser shortcut and ensure the Target field only contains the browser executable path.
Check Windows hosts file
Inspect C:\Windows\System32\drivers\etc\hosts for unwanted entries.
Check proxy and DNS settings
Ensure no unexpected proxies or DNS servers are configured.
Check Chrome policies
Visit chrome://policy to see if malware has enforced settings.
Review Task Scheduler
Look for tasks that launch unknown executables.
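The checks in Manual Removal step 1 and in this Advanced Checks section can be gathered in one pass. The script below is an added example, not code from the original article or from Malwarebytes: it reads the recent-install entries, browser shortcut targets, hosts file, proxy and DNS settings, browser policy registry keys, and scheduled task actions, and reports anything that deviates from a stock home PC. It modifies nothing. The 30-day install window and the "user-writable path" patterns (AppData, Temp, ProgramData, Users\Public) are assumptions chosen for this example.

```powershell
# Added example, not code from the original article: a read-only audit of what
# Manual Removal step 1 and the Advanced Checks section tell you to inspect by
# hand. It changes nothing; review the findings, then remove only what you confirm
# is unwanted. Run from an elevated PowerShell 5.1+ prompt on Windows 10/11.
# The 30-day window and the "user-writable path" patterns are assumptions.

function Invoke-ScamArtifactAudit {
    $findings = New-Object System.Collections.Generic.List[string]

    # Step 1: programs installed recently (same data Installed apps shows; the
    # InstallDate value, when present, is a yyyyMMdd string, so string compare works)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $cutoff = (Get-Date).AddDays(-30).ToString('yyyyMMdd')
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.InstallDate -and $_.InstallDate -ge $cutoff } |
        Sort-Object InstallDate -Descending |
        ForEach-Object { $findings.Add("Recent install: $($_.InstallDate) $($_.DisplayName)") }

    # Browser shortcuts: a hijacked .lnk appends a URL or flags after the executable
    $wsh = New-Object -ComObject WScript.Shell
    $shortcutDirs = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('CommonDesktopDirectory'),
        [Environment]::GetFolderPath('StartMenu'),
        [Environment]::GetFolderPath('CommonStartMenu'),
        "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
    )
    Get-ChildItem -Path $shortcutDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'chrome|edge|firefox' } |
        ForEach-Object {
            $lnk = $wsh.CreateShortcut($_.FullName)
            if ($lnk.Arguments.Trim()) {
                $findings.Add("Shortcut has arguments: $($_.FullName) -> $($lnk.TargetPath) $($lnk.Arguments)")
            }
        }

    # hosts file: any active line other than the stock localhost mappings
    $hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
        ForEach-Object { $findings.Add("hosts entry: $($_.Trim())") }

    # Proxy settings (WinINet, per user) and the DNS servers each interface uses
    $inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer) { $findings.Add("Proxy enabled: $($inet.ProxyServer)") }
    if ($inet.AutoConfigURL) { $findings.Add("Proxy auto-config script: $($inet.AutoConfigURL)") }
    Get-DnsClientServerAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $findings.Add("DNS on $($_.InterfaceAlias): $($_.ServerAddresses -join ', ')") }

    # Browser policies: the registry source of what chrome://policy displays;
    # a home PC normally has none of these keys at all
    foreach ($policyKey in 'HKLM:\SOFTWARE\Policies\Google\Chrome',
                           'HKCU:\SOFTWARE\Policies\Google\Chrome',
                           'HKLM:\SOFTWARE\Policies\Microsoft\Edge') {
        if (-not (Test-Path $policyKey)) { continue }
        (Get-ItemProperty -Path $policyKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $findings.Add("Browser policy: $policyKey\$($_.Name) = $($_.Value)") }
        # subkeys such as forced extension lists are reported by name for manual review
        Get-ChildItem -Path $policyKey | ForEach-Object { $findings.Add("Browser policy subkey: $($_.PSPath -replace '^.*::')") }
    }

    # Scheduled tasks whose action runs from a user-writable location
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -and $action.Execute -match '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\') {
                $findings.Add("Task from user-writable path: $($task.TaskPath)$($task.TaskName) -> $($action.Execute) $($action.Arguments)")
            }
        }
    }

    return $findings
}

Invoke-ScamArtifactAudit | ForEach-Object { Write-Output $_ }
```

A clean machine typically prints only the DNS lines and a few legitimate recent installs; every other line deserves a look. The script reports rather than deletes because several of these locations (the hosts file, proxy settings, scheduled tasks) are also used legitimately, and the decision of what to remove belongs to the person reviewing the output, followed by the Malwarebytes scan the article recommends.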
For more malware removal guides and cybersecurity alerts, visit our latest updates in the malware category.


PS. Just wanted to say thanks Sean for the very informative and easy to follow step-by-step instructions you had. Your leave-a-comment area had some issues in the name and email area so I had to reply to my original post. Thanks again, scott g.
I got the FBI ransom trojan ($200 fine ver) while clicking on a video link about Justin Bieber and Selena Gomez breakup on or about 11:30am 11/10/12. It locked up my pc pretty hard. Good thing I have another laptop available to research the virus. Found your site and did a system restore from safe mode that brought back functionality to the infected pc. I am now running full scans with MS security essentials, spybot, and malwarebytes. It appears the virus is gone but I will keep an eye on things for a while just to be sure.
The ctfmon is saying it’s open in another file and I don’t know what to do, help
Type Ctrl+Shift+Esc and end the ctfmon process or any processing utilizing ctfmon before removing the file.
Thank you so much you guys are awesome saved me a huge hassle
Just had the pleasure of looking at this FBI virus, didn’t have a way to look it up online so I had to find it myself, Boot to safe mode + command prompt, open regedit, navigated to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\Winlogon
(I’ve had a fake antivirus do this to me before)
Found an entry that was modified:
Name: shell
Type: REG_SZ
Changed value: explorer.exe, C:\Users\****\AppData\Local\(Random).exe
I changed the value back to explorer.exe and rebooted…
For those who don’t know the registry much, this entry is the “On log on” program launcher, as soon as your user has been authenticated (either clicked or user/password is correct), windows runs what programs are specified in this entry.
If you try to manually remove the virus, don’t forget to check this location.
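The Winlogon Shell value described in the comment above is one of a handful of logon-time launch points; the Userinit value beside it, the Run/RunOnce keys, and the Startup folders (where other readers in this thread found the "ctfmon" file) are the others. The script below is an added example, not code from the commenter or from the article: it reads each location and flags deviations from a stock Windows install. The full key path is ...\Windows NT\CurrentVersion\Winlogon, and the expected default values (Shell = explorer.exe, Userinit = %SystemRoot%\system32\userinit.exe,) are those of a standard installation; the user-writable path patterns are an assumption of this example. Nothing is modified.

```powershell
# Added example, not code from the original post: a read-only check of the
# Winlogon "Shell" and "Userinit" values the comment above describes, plus the
# Run/RunOnce keys and Startup folders where other readers found the "ctfmon"
# launcher. Default values are those of a stock Windows install (HKCU normally
# carries no Shell or Userinit value at all). Nothing is modified.

function Get-LogonPersistence {
    $report = New-Object System.Collections.Generic.List[string]
    $expectedShell    = 'explorer.exe'
    $expectedUserinit = "$env:SystemRoot\system32\userinit.exe"
    # assumed "user-writable" locations a logon launcher should not point into
    $userWritable     = '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\'

    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "$($hive):\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        # the comment's infection looked like: explorer.exe, C:\Users\...\AppData\Local\<random>.exe
        if ($null -ne $p.Shell -and $p.Shell.Trim() -ine $expectedShell) {
            $report.Add("SUSPICIOUS $key\Shell = $($p.Shell)")
        }
        if ($null -ne $p.Userinit -and $p.Userinit.TrimEnd(',').Trim() -ine $expectedUserinit) {
            $report.Add("SUSPICIOUS $key\Userinit = $($p.Userinit)")
        }
    }

    # Run/RunOnce: every value is listed; those pointing into user-writable paths are tagged
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if (-not $p) { continue }
            $p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
                $tag = if ($_.Value -match $userWritable) { 'REVIEW' } else { 'info' }
                $report.Add("$tag $key\$($_.Name) = $($_.Value)")
            }
        }
    }

    # Startup folders for the current user and for all users
    foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { $report.Add("REVIEW Startup folder item: $($_.FullName)") }
    }
    return $report
}

Get-LogonPersistence | ForEach-Object { Write-Output $_ }
```

Run it from the uninfected account (or from Safe Mode with Command Prompt, as several readers did) and compare any SUSPICIOUS line against the defaults stated above before restoring the value in regedit; the HKCU key is the one the comment found modified, since a non-administrator infection can write there without elevation.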
Got this virus a day ago on my Windows 7 XP version…after much searching I ran Norton NPE Crimeware virus software in Safe Mode. The installation required a shutdown and restart. After restart I accepted the license and ran the software. The software noted that file: dtresfflsceez.exe was running in my startup menu and was considered a virus. Engaged the removal feature and clicked continue. The file was removed successfully. Restarted my machine and ran a Quick scan and located additional tracking cookies. Removed the cookies, shut down the machine and ran an additional full scan. All is working now…I hope this helps someone.
Thank you.
Thanks for taking the time to post this message. I followed your lead and was able to resolve my problem!
What if the ctfmon.exe file is not in the start up menu?
Hell yes this got my computer going again! Thanks a lot! I thought I was about to have to spend a lot of money on repairs! Thanks again!
http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/
is be careful out in Long Island my friend, also just spend over an hour removing this virus http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/
This stuff is out there, be careful out there.
http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/
You are amazing thank you!
This virus is getting me tons of business for my PC repair side job. Though it does seem to be dying down, now I’m seeing more of the File Recovery, File Restore, etc virus.
Something like this literally can take 2 minutes to remove if you have a way to get outside windows and see the files on your PC.
Program Data, and user > App Data > Local are the main folders I find these in.
I ended up backing up my photos/videos to another hard drive in safe mode and then reformatted my hard drive. I’m about to find this little pukehead who created this so called fbi virus where he’s living at.
I’m with u bro
Cut his fingers off!
Just got the virus – your web site very helpful. Used Safe Mode with Command Prompt to go back two days and restore computer. Thanks
Got it this morning. I rebooted and scandisk started. I deleted temp files and that seemed to take care of it. Also ran a virus scan afterwards. Nothing found
I just got hit with this virus 2 days ago. Locked up pretty bad. Older PC w/ Windows XP Pro. Could not enter safe mode of any kind so could not manually delete virus files. I have Malwarebytes(TM) but I could not get most recent updates. I did scan with older version but PC shut down before completion (MWBTS found infection but could not finish delete on restart). I disconnected router and sat there very pissed. Then I reconnected router, turned on PC normally and was able to click on MWBTS icon on desktop before FBI virus could take over. Updated MWBTS and started full scan (will take at least 2-3 hours) and as soon as scan was running, disconnected router and deleted virus after scan. Then ran quick scan and full scan again to be sure. 0 malicious items. All seems well. Think I will stop using IEX and use Firefox from now on. I’ve read that FF w/ NoScript addon is safer. Good luck fellow surfers!
I disabled this virus by using safe mode and then typing ‘regedit’ into the bar and hitting enter. Then, I was able to find an unknown program in the Startup programs. From there, I disabled it and it does not run anymore. However, it is still there. It just doesn’t appear anymore.
wait what if we are called??? i got this and my friend got this but he was called
It is still a fake. If you can get the number from caller id or something call them back and tell them you are from MI6 or Interpol or something and that they should stay in their house and wait for the police to arrive. Be as creative as the hackers. I was once called by some Idiots claiming to be the FBI who wanted a credit card. I gave them the real phone number of the local FBI office (and a fake credit card). I would love to have seen their faces if they called. Remember, remember, the FBI, no matter what you may have heard, does not collect fines. 2) This virus like many others is really a family of viruses (even if the screens look the same or similar) and like any virus it is constantly mutated. That’s why it’s so hard to stop. Get good anti virus software. Keep it up to date. Read up and learn how to cope with these bastards. Otherwise, relax, pour yourself a nice glass of scotch and get to work.
GOT THE FBI VIRUS? Let me know. I can help.
http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/
http://t.co/xYv6OXx9
Deleted CTFMON in set up file, worked
thanks soooooo much
@clintendo64 It’s most definitely a scam. Here’s a link to some removal instructions http://t.co/qs8Vkebg
Thank you so much!!!!! Purchased the full version of Malwarebytes so hopefully it doesn’t happen again….
@iSTEALBRAS 100% sure. http://t.co/t8inZdpN
Thank you so much. I promise to pray for you everyday. You honestly saved me!
thank you soooo much!
This is helpful :) When I first saw the FBI page I literally started crying because I really thought I had to pay $200 for my fine or I had to be sent to jail for 3 years. (I’m still a teen!) But till’ I went on google and searched how to Remove FBI moneypak and found results, you wouldn’t believe how happy and glad I was for google and this page! :’) tears of JOY
Thanks for the manual clean up instructions. I was able to find and remove the ctfmon file easily in safe mode with networking enabled. However, after a lot of trial and error with Vista, I finally found the appdata/local/temp file folder but could not find the listed files to remove in this location. I then started into a really protracted effort to do a system restart using accessories/system tools/system restart. I probably initiated restart at least a half dozen times and it always stopped with a disk error message that I assumed was caused by one of the malware files. I also was able to start and run McAfee virus scan after removing the ctfmon file. After the virus scan was complete (it indicated no virus present) I was able to do a disk recovery operation which took overnight to complete. In the morning, I was finally able to do a system recovery going back to a date I knew for certain I did not have this malware. I hope the rotten a-holes that invented this virus do many years in jail and are banned for life from owning any further computer equipment.
This is my second experience with malware and both times it was immediately obvious the page that popped up was bogus. The FBI would never be involved with this type of shake down regardless of what people believe about the US Government and its actions. The previous experience was with the MS Security malware. Both have been a real pain to remove.
This site is the absolute best of the sites I looked through on removal. It had easy to follow instructions and did not require buying more conflicting software to resolve the problem. Wish the site was listed first when browsing. It would have saved a fair amount of time as other sites were selling malware software without assurance of success.
This was the best, thanks!
Thank You Guys for all You Have Done to Help Me and other Panicked People Out There!
Thank you for the tip it was really helpful
Thanks for the detailed analysis.
GONE in 30 seconds! I had only 1 user account with Norton360 and the FBI bug apparently got by that. I went with option 4 . . . removed the “ctfmon” file then restarted normally. Everything appears back to normal. Couldn’t have been easier. To be safe, I started a 2nd ADMIN log-on and downloaded and ran malwarebytes from that profile. It found 2 infected files which were removed. After mandatory restart, I switched back to normal account and ran malwarebytes again . . . all clean. Thanks, saved me a $150 geek squad fee!!!
I got the virus on 2 computers within minutes of each other, all I was doing was deleting junk mail. I simply restored the Dell laptop to its birthdate and the Sony simply restored it to a few months ago. I did not have to use safe mode, just had to turn off my wireless router. Both are back to normal now. In both cases, my expired Norton anti virus pop up popped up wanting me to renew, hmmm.
Thanks for the help on this great work!
So, I got hit with this piece of crap virus. BEST WAY to get rid of it…TRUST ME…First, hopefully you have a second user on your PC. Always set up a back door sign in as ADMIN. Don’t use it unless you really need to….LIKE NOW !!!! Go to the web and bring down MALWARE BYTES. It’s free but it is a TRIAL VERSION. Activate it through your alternate sign on, not the user that you contracted the virus under – you won’t be able to anyway because of the “FBI LOCKOUT”. Run the clean up twice. I bought the ultimate for $39.00 and boy was it worth it. Once you have run the complete application you can sign on as you normally do. THEN RUN IT UNDER THE USER THAT ORIGINALLY GOT STUCK UP THE BUT WITH THE VIRUS. It will clean the files that are not shared as the user that was infected. Total time to fix this once you download Malwarebytes is about 30 minutes. SO….SCREW FBI-$200.00 By the way, I didn’t mention that I have Norton 360 and Windows invader running. This virus has an awfully long and thin needle
Thank you very much. This page loads fast for all the content on it btw. =)
Thank you sooooo much!!! I freaked out when I got the FBI warning but with these instructions it was easy to remove! I didn’t have access to safe mode but to the safe mode with command prompt! Then it took me 5 minutes and the virus was gone! It seemed so easy, I hope everything is gone! But not to take any risks I guess I will reinstall windows again! Should I? Thank you again sooo much this was soooo helpful and easy!
Thank YOU!!! I don’t even know how to download illegal stuff. I’ve been paying for everything like a sap, so I FREAKED when this message came up. I was right in the middle of writing a 25 page paper for my Masters classes and hadn’t backed up to Dropbox. Safe mode with Command Prompt, Explorer, system restore. end of story. Awesome!!!
Thank you! Flash drive option wouldn’t work, but safe mode did. I was ready to chuck the whole laptop if it wasn’t for this help :O)
Thanks for the solutions. I tried all the manual steps but didn’t find the files as specified. Then installed Malwarebytes and it removed the virus. Thanks again for this information.