The “FBI virus” is one of the most well known ransomware scams ever distributed in the United States. It first appeared in 2012 as a full-screen lock screen that falsely claimed to be issued by the Federal Bureau of Investigation and demanded payment through MoneyPak vouchers. Botcrawl was among the first publications to document this threat and publicly identify it as the “FBI virus” or “FBI MoneyPak virus.” As the campaign spread, it became one of the most widely searched ransomware infections in the country. While the original malware variants are no longer widespread, FBI-themed scams and lock screens continue to resurface in modern forms, including browser lockers, online extortion schemes, and mobile ransomware.

Although the original FBI MoneyPak ransomware relied on prepaid vouchers and basic screen-locking techniques, the core social engineering strategy behind it has remained largely unchanged. Modern versions of the FBI virus no longer need to fully lock a device to intimidate victims. Instead, they exploit fear through browser-based lock screens, fake law enforcement warnings, phishing emails, malicious advertisements, and scam websites designed to pressure users into paying fabricated fines, surrendering personal information, or installing additional malware. These newer schemes often appear more polished, use updated branding, and target both desktop and mobile users, allowing the threat to persist long after the original campaign faded.

This article traces the FBI virus from its earliest ransomware campaigns to the modern scams modeled after it. It explains how the original FBI MoneyPak malware operated, how its tactics evolved over time, and how to remove FBI-themed malware and lock screens using modern security tools. It also examines how early law enforcement impersonation schemes influenced today’s ransomware and extortion tactics, along with practical steps to protect devices from current file-encrypting attacks and fake authority warnings.
What is the FBI Virus?
The FBI virus was a type of ransomware that locked a user out of their computer and displayed a fake warning claiming to be from the Federal Bureau of Investigation. The message accused victims of viewing illegal content or violating federal law and demanded a fee to unlock the device. Payments were commonly requested through prepaid voucher systems such as MoneyPak, Ukash, Paysafecard, or Reloadit.
The FBI virus was one of the earliest widespread ransomware families in the United States. Instead of encrypting files like modern ransomware, it restricted access to the entire desktop and prevented the user from accessing Windows until a fake fine was paid. The goal was simple intimidation. Many victims complied out of fear, especially when the message displayed their location, IP address, or webcam feed.
Although the original FBI virus has faded, scammers still use FBI branding to scare users through browser pop-ups, online extortion messages, and fraudulent phone calls. These threats use modern tactics but rely on the same psychological pressure as the original ransomware.
How the FBI Virus Spread
The original FBI virus spread through many of the same infection techniques used by malware today. These included:
- Exploit kits that delivered ransomware when a victim visited an infected website
- Malicious email attachments disguised as invoices or notices
- Drive-by downloads from compromised sites and ads
- Fake software updates that installed ransomware instead of legitimate updates
- Bundled installers combined with pirated software or fake media players
Exploit kits were particularly effective at the time because many users were still on outdated versions of Java, Flash Player, and Internet Explorer. A single visit to a compromised site could trigger an automatic ransomware installation.
Symptoms of the FBI Virus
Most victims of the FBI virus experienced obvious symptoms such as a full screen lockout. However, related scams can behave differently today. Common symptoms include:
- A full screen window displaying an FBI message
- Loss of access to the desktop
- Keyboard shortcuts disabled
- Webcam activates without permission
- New browser tabs forcing an FBI warning
- Pop-ups claiming your device is under investigation
- Unexpected redirects to law enforcement themed pages
If you encounter any of these symptoms, your device may be compromised by a lock screen Trojan, browser hijacker, or scam website script.
Modern Variants and Related Threats
Although the original ransomware family is obsolete, modern threats continue to use FBI branding. These include:
- FBI browser lockers that freeze a browser tab with a fake FBI warning
- FBI phone scams where scammers call victims pretending to be agents
- FBI email scams that threaten legal action unless payment is made
- Mobile ransomware on Android that locks the screen with FBI logos
- Fake security alerts that redirect users to tech support scams
These threats do not function like the original ransomware, but they use the same pressure tactics and are often combined with phishing, payment fraud, and identity theft.
Remove the FBI Virus with Malwarebytes (Recommended)
The most effective way to remove an FBI virus infection is to scan your device with a trusted anti-malware tool. We recommend using Malwarebytes because it specializes in removing ransomware, adware, browser hijackers, and potentially unwanted programs. Manual removal may not detect hidden files or startup entries, so using an automated scanner is the safest option.
Follow these steps to remove the FBI virus using Malwarebytes:

- Download Malwarebytes and save the installer to your Downloads folder. Double click it to begin installation.

- Follow the on screen instructions to install Malwarebytes on your Windows device.

- Select whether you are installing Malwarebytes for personal or business use and click Next.

- You may be offered Malwarebytes Browser Guard. You can add it or skip this step.

- Once installation is complete, open Malwarebytes and click Get Started.

- If using the free version, you will receive a trial of Malwarebytes Premium. After the trial ends, the program continues working as an on demand scanner.

- From the dashboard, click Scan. Malwarebytes will check memory, startup items, registry entries, and files for ransomware and related threats.

- Wait for the scan to complete. This may take several minutes.

- When the scan finishes, review the detected threats and click Quarantine to remove them. You may be prompted to restart your computer.

- After rebooting, Malwarebytes may run additional checks to confirm your system is clean.
Manual Removal for Windows
If you still have access to your desktop or are dealing with a browser based FBI scam, these manual steps can help you remove unwanted components. Manual removal should be followed by a Malwarebytes scan to ensure no hidden remnants remain.
Step 1. Uninstall suspicious programs
- Right click Start and select Installed apps or Apps and Features.
- Sort by install date to locate recent additions.
- Uninstall programs that you do not recognize or that were installed around the time the lock screen appeared.
Step 2. Remove browser notifications from fake FBI sites
- Chrome: chrome://settings/content/notifications
- Edge: Settings > Cookies and site permissions > Notifications
- Firefox: Settings > Privacy and Security > Permissions
Step 3. Remove unwanted browser extensions
- Chrome: chrome://extensions
- Edge: Settings > Extensions
- Firefox: about:addons
Step 4. Restore your default search engine
Restore Google, DuckDuckGo, or your preferred provider.
Step 5. Reset browser settings if symptoms continue
- Chrome: chrome://settings/reset
- Edge: Settings > Reset settings
- Firefox: Help > More Troubleshooting Information > Refresh Firefox
Step 6. Clear cookies and site data
Remove cached FBI scam pages and redirects by clearing cookies and browsing data.
Step 7. Delete temporary files
Remove temporary files that may contain scripts or installers.
Advanced Checks for Persistent Issues
If you still see warnings or redirects, perform these advanced checks:
Check browser shortcuts
Right click your browser shortcut and ensure the Target field only contains the browser executable path.
Check Windows hosts file
Inspect C:\Windows\System32\drivers\etc\hosts for unwanted entries.
Check proxy and DNS settings
Ensure no unexpected proxies or DNS servers are configured.
Check Chrome policies
Visit chrome://policy to see if malware has enforced settings.
Review Task Scheduler
Look for tasks that launch unknown executables.
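The five checks above can be run read-only from PowerShell, as in this added example (not part of the original guide). The shortcut folders, browser executable names, and registry paths it inspects are assumptions chosen for a typical Windows 10 or 11 install.

```powershell
# Added example: read-only audit of the five locations above. Nothing is changed.
# Folder lists, browser names and registry paths are assumptions; adjust as needed.

# 1. Browser shortcuts: report any browser shortcut whose Target carries arguments.
#    Some are legitimate (profile switches); an appended URL is not.
$shell = New-Object -ComObject WScript.Shell
$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)
Get-ChildItem -Path $shortcutDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.TargetPath -match '\\(chrome|msedge|firefox)\.exe$' -and $lnk.Arguments) {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
        }
    } | Format-List

# 2. Hosts file: a default Windows hosts file contains only comments,
#    so every active line printed here deserves a look.
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '^\s*[^#\s]' }

# 3. Proxy and DNS: per-user proxy, system-wide WinHTTP proxy, DNS servers per adapter.
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Format-List ProxyEnable, ProxyServer, AutoConfigURL
netsh winhttp show proxy
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 4. Chrome policies: registry keys Chrome reads machine and user policies from.
foreach ($key in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome') {
    if (Test-Path $key) {
        Get-Item $key
        Get-ChildItem $key -Recurse
    } else {
        "No policies under $key"
    }
}

# 5. Task Scheduler: tasks outside \Microsoft\ and what each one launches.
#    First pass only; review \Microsoft\ tasks too if symptoms persist.
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    } | Format-List
```

The script only reports settings; deciding which entries are unwanted still requires reviewing the output by hand.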

540 Comments
Thank you, it fixed my issue. Although the method that ONLY worked for me was the command line. Easy just install Malwarebytes on the flash, type explorer and you are good to go.
Thanks again for resource.
Bart
Thank you so much! I used the safe mode with networking and ran the malwarebytes scan and it located two bot files and I removed them, restarted and whalahhhh! It worked! You are awesome. Thanks for putting this information out there for us!
This afternoon, 7 June, I got the FBI Trojan. I managed to remove it using the SAFE MODE RESTORE instructions you provided. Thanks for your Help. I noticed a restore point got established about the time I got the trojan. When I clicked SHOW WHAT IS REMOVED AND ADDED there were no files in either action. It did say it was a windows update but I wonder if this was the path on how the trojan got access to my computer.
Thank you… This worked!!!!!!!!!!!!
I have been hit twice now with FBI virus and am using malwarebytes this time. I used an old Kaspersky disk first time to remove the virus, but got it again after the 30 day trial. The only way I could get the computer to clear the white screen was to tap the power button quickly then x out the close program prompt. This doesn’t remove the virus but frees up the computer till you restart or it pops up again after leaving on. System restore did not work on this version either time. I am confident this software will work but don’t want to wait at the computer for full scan to finish. I hope the “Button Tap” will help someone else. I stumbled onto the idea out of sheer frustration.
Just had this FBI Moneypak Virus pop up on me tonight… Logged on to my computer, and then all of a sudden I was smacked with an incredibly startling notice. I was trying to figure out what I had done wrong haha. After finding this post, I was able to start safe mode and download the Malwarebytes Anti-Malware software. It’s scanning now, and has already found 32 infected objects! I have a Lenovo Thinkpad (Windows 7), and I want to make sure this dilemma gets resolved. Is there anything else I may need to do to clear this up?
Thanks for the assistance!
Just finished the Malwarebytes scan and deleted all the infected files… Thanks for your help and assistance botcrawl.com!! You guys are awesome!!!
I have Windows Vista and rebooted in safe mode with networking. Then did a system restore. Worked like a charm! Thanks botcrawl!
I had to hook my hdd up to my dad’s computer and had it scanned with Malwarebytes. My computer worked normally after that, but I did a second scan with AVG just to be sure and it caught a few more trojans. One file was named wij1b.bat and now on startup I get a RUNDLL error saying that wij1b.bat could not be found. I found a file in my documents and settings\all users\application data folder (where it said the .bat file should be) and found another file called b1jiw.pad. Are these part of the virus and how would I make RUNDLL stop trying to load it?
Finally got rid of this thing tonight. The newest version of this was tough. Been working on removing it for 4 days. Finally the latest update of HitManPro did the trick. I think had to fix some file extension settings after the virus was gone. I couldn’t open ANY .exe file. That was the easiest part thanks to Microsoft’s FIX-IT. I’ll be more careful next time. Learned a good lesson.
I almost fell for this!…I thought I had unknowingly stumbled on an illegal site….I about cried thinking I had to come up with 300 dollar in three days!…..
Why didn’t my firewall and McAfee antivirus stop this?
Amazing!!!! So glad I didn’t have to punish my brother in law…and he was too. You guys are wonderful and saved us a lot of money.
Thank you soo much for your help with this virus. This thing attacked my 13-year-old son’s computer. Scared the crap out of him, he thought he had done something wrong. I got his computer back by using the safe mode with command prompt restore option and am now running malware bytes and a full virus scan on it.
how can you remove it using remote control? I remote in to my customer’s PC but i’m unable to do anything, like CTRL ALT DEL etc. Customer does not know how to press F8 upon bootup. =/
Used the safe mode restore….worked perfectly…thank you.
Thanks for this great article! I used safe mode and restored my system and used malwarebyte to scan it through and it was OK today. Best regards!
i did something idk if its listed here but this was my second run-in with the virus so since I have windows8 I used some sort of reset? anyways I wiped my whole computer clean. EAT THAT YA —-ing VIRUS
Thank you, the refresh/reset options are a great solution for Windows 8 Operating Systems: http://botcrawl.com/how-to-refresh-and-reset-windows-8-operating-systems/
That’s what I’m in the process of doing right now. This blows. I had like 4000 songs on there too:(
A system restore and refresh will not delete your songs. A system recovery and reset will. =)
When I first saw this I was stunned. I wasn’t looking at anything wrong, but it locked the computer up pretty good.
I luckily logged off, and then on to my wife’s user and did the system restore just hoping. I have done this for the 4th time today, so either it is getting spread a lot or I still have it – but my point is to have everyone set-up at least one additional user account, for at least this purpose.
“Safe Mode” Worked perfectly! Ty
Thank you a lot! This happened to my child’s computer, and she was crying and scared! On her computer it had a different picture, but she thought it was real.
Stupid mugu trick. These Nigerian idiots will try anything to con you.. They figure the 419 is not working anymore. The dating scams are getting clobbered so some stupid hack came up with this. Remember no law enforcement official will ever block your computer and demand a ransom (you’re entitled to due process of law). If there is a real problem they will visit you personally and have to present a search warrant. (a judge will not issue that unless there is hard evidence that a crime may have been committed)
I don’t know if the malicious info or whatever is actually gone from my computer BUT it indeed worked! My laptop is back to normal and the FBI fake thing is now gone from my eyes.. or sight or something. I am not too sure if it’s fully gone though. I used a scan thing like for to scan for affected programs.. and then yeah.. I thought Norton still could be a little helpful, even though I had to renewal my uh membership? Anyways, thank you so much for saving my life. I could’ve done suicide.. yeah, weird but I have been teased and tortured enough. (Not like hurting others kind of torturing)
I MUST TELL EVERYONE I KNOW WHO HAS THIS TROJAN THING ABOUT THIS SITE NOW!
Your life will get better if you keep working at it.
No need to suicide.
Your guys team was the first to investigate and publish removal instructions about this ransomware and you guys are still the best. Thanks for the hard work!
Awesome guys. Thank you. Did the safe mode command prompt, thanks so much.
Thank you! So helpful!
I know very little about computers…but this might help others. I have 2 HD with 2 OS. After infected C: drive boot, I booted with secondary F: and installed malwarebytes with thumb drive. I scanned the C drive and could not locate the virus…BUT…I did not realize when I booted with my old F: drive it reshuffled drive identifiers….so I did locate virus when I scanned the new F: drive which was the C: drive from my infected boot…….DUMB on my part…wasted several hours
I got hit with the FBI Moneypak virus this afternoon. I was able to do a system restore by tapping F11 on my HP Computer when the computer started up. After the system restore was done, my computer was back to normal, and I also scanned my hard drive with Norton to make sure I was OK. I was really worried that the virus was real, and the FBI were going to arrest me within 72 hours! Glad it wasn’t real after all.
right!? Jegus it was frightening!!! I was trying to get on my grandma’s computer for a health project and all of a sudden: YOUR COMPUTER IS BLOCKED >_>
Thanks…this worked!!!
My laptop has been hit with what I assume is another update of this virus, it claims to be from the US Dept. of Justice, it demands $450 on a moneypak within 48 hours. It’s really frightening, especially when you have no idea what you did to incur this type of intrusion
[…] Also, here is another great resource on some additional things to try: http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/#option… […]
Wow thank you for helping me remove the virus. I think you guys did a great job explaining.
Thank you so much. You are a life saver
ILOVE YOU !!!
Can they access all my information in my computer? if so, what should I do? I really don’t know anything about computer. Thanks
I have this virus infected my computer too. I have many important information (like bank acct and SSN on some documents) saved in my document folder. Wonder if the hacker really take all information?
[…] any event that happens outside of our governments direct control. For example, did you know that a virus has been spreading constantly on many computers throughout the world that is nearly irremovable? […]
Thank you so much guys. I really appreciate this information. If it wasn’t for this I would have taken a zero on an important assignment for school. Seriously thank you so much
Great solution,
Got stuck with FBI virus and didn’t know what to do. This helped so much and worked like a charm the first time. I used the safe mode with command prompt. I have a windows 7 computer and used the browser C:\windows\system32\rstrui.exe. They aren’t kidding about typing in explorer as soon as it appears. May want to pay attention to see when this comes up because after 3 seconds you have to restart. To get my computer into safe mode I had to force shut down by taking the battery out of the laptop. Great trick and it is simple.
I had opened up my “Task Manager” and started ending processes until it went away. I started with processes that looked out of place and left the others alone (of course).
I came upon one labeled as “euhzwbbp.exe” and when I ended that process, it disappeared.
Hope this helps!
Thank you so very much for this information. I’m currently on bed rest and need my computer to stay connected to the outside world. This article saved my sanity.
You’re very welcome. Glad we could be of help!
[…] http://botcrawl.com/how-to-remove-th…lware-removal/ and my computers. What a blow to the gut. this thing is a severe severe virus. gonna have to spend coin to get this one taken care of. anyone ever been hit by one of these and if so what did you do to get your computer out of the hostage situation. that happened, and an hour later our landlord and I had a misunderstanding regarding the utilities being included in our rent, and now i am being stuck with 7 months of utilities. what a stupid day/week/year i am having. just doesnt stop. Gas was turned off so i have no heat til monday. cause i needed that as well. had to pay a ton to get them to turn it back on, and they cant get here til then. garbage garbage day. […]
Thank you so much with your help I fixed my computer:-)
If you can get to Safe Mode on your windows 7; system restore fixed it in about 10 minutes. Thanks to whomever posted all those tips, I finally got it to work after unplugging my pc for 30 mins.
Big thanks to the authors. Everything seems to be back to normal. Very much appreciated!
[…] have a clue on the tapping. There is an FBI Virus around that I just heard about. http://botcrawl.com/how-to-remove-th…lware-removal/ Link will explain what it is and how to remove […]
Coolest website in the world. Thank you so much guys!
I just ran into this program and boy was it a pain in the @ss. First off, it looks like the hacker has now adapted. If I go into safe mode, the computer will restart by itself soon after. Not to be defeated, I ran “windows in safe mode while opening command prompt” instead. I then went to “C:\Users\[your name]\AppData\Roaming” where I found 2 files, skype.dat and skype.ini. So, I deleted them both. I’m glad I don’t use skype since it would have blown right past me. To be on the safe side, I also went to “C:\Users\Ross Chan\AppData\Local\Temp” and did a del * there before restarting.
Voila! Virus gone. I then proceeded to do a system restore and scan. Hope this helps for anyone else having this problem, and don’t let the hackers win!
Thanks a lot!! It works!! Go to “windows in safe mode while opening command prompt” and type “cd C:\Users\[your name]\AppData\Roaming”, then type “dir”, I found those 2 files, skype.dat and skype.ini. Type “del filename” and ENTER!! Restart the computer and run AVG. Everything back to normal!
Thank you! There should be an award for people like you
Thank you so much !!! The Safe Mode With Command Prompt Restore worked for me !! THANK YOU
Worked for me as well. Thank you everyone!
[…] to lock it up. The easy fix is to restore your computer to an earlier version. How you do it: http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/ __________________ When in doubt, buy Mil-spec since they try to dummy-proof […]
Thank You! I did the system restore and my computer is now working, am gonna scan the whole computer with AVG just to make sure everything is fine. Thanks again for all your help.
You all deserve a medal! Worked first time! Using avg now to make sure everything is good!
Thanks Guys!!!!
thank u for all ur help, i followed ur instructions and got rid of the fbi ransomware. i would love to find out who is putting this virus out and punish them. thank u again u saved me from having to reinstall windows 7