FBI virus is a sneaky piece of malware which mostly gets onto its target computer undetected with the help of Trojan.LockScreen. As soon as it gets inside, this scam presents itself to the victim as 'The FBI Federal Bureau Investigation' and shows an aggressively designed alert claiming that the computer has been blocked because of a violation of the Copyright and Related Rights Law or some other reason. If you find yourself blocked by a program which tells you that you have been illegally using or distributing copyrighted content, viewing or distributing pornographic content, or spreading malware to other computers, ignore the alert and remove FBI virus immediately! This program is distributed by scammers to swindle money out of victims. Be aware that security experts expect this group of ransomware to grow and improve.
HOW CAN I GET INFECTED WITH FBI VIRUS?
This infection gets inside the system through security vulnerabilities that are exploited when the user visits infected websites or downloads infected files. These security holes appear as soon as you stop taking care of your computer's security and don't use security software or don't update it. Of course, you must always keep safe browsing in mind and avoid the suspicious downloads that are being actively pushed on the Internet right now. The biggest issue caused by this ransomware is that, like its earlier versions, it completely blocks its victim's computer, 'locks' it and disables all the programs found there. In order to 'unlock' the system, FBI virus shows its warning and demands that the fine be paid through MoneyPak. However, you should already understand that you must never pay this $100 fine if you don't want to help the scammers who are collecting these fines.
FBI VIRUS VERSIONS:
FBI Moneypak: This ransomware uses a huge alert filled with FBI and Moneypak logos, a webcam view and a list of crimes the victim is accused of. The user is informed that he has been viewing/distributing pornographic or copyrighted content, spreading malware or doing other illegal activities. For that, he has to pay a $100 fine and enter a Moneypak code on the right side of the fake alert. This threat locks the system down completely.
FBI Green Dot Moneypak Virus: This ransomware locks the whole system down and displays a fake alert with FBI, Moneypak and McAfee logos. A misleading message belonging to this threat claims that the Federal Bureau of Investigation has blocked you for downloading illegal/copyrighted material and similar crimes. It demands a $200 fine and includes steps explaining how you should pay it.
FBI Virus Black Screen: This ransomware from the FBI group of viruses uses the same technique as its predecessors and seeks to make users pay a $200 fine. However, it also adds an audio warning, a black screen and a system lockdown. It will similarly claim that you have been caught violating the law and will accuse you of visiting pornographic websites, viewing files containing zoophilia, child pornography and similar.
FBI Online Agent: This ransomware also uses the name of the Federal Bureau of Investigation, but it has a newly designed alert which accuses the victim of committing various crimes and asks for $200 via MoneyPak. The new thing about FBI Online Agent is that it doesn't show your IP address or location but gives the name of the responsible agent, a case number and other details that are clearly invented. Besides, scammers have added the promotion of terrorism to the list of crimes reported in this misleading warning.
FBI Cybercrime Division virus: This dangerous ransomware pretends to belong to the FBI's Cybercrime Division. It uses an identical scheme while trying to steal users' money, but this time it asks for $300 via the Moneypak prepayment system. Be sure that its alert is not legitimate and can be safely ignored. The new version applies a newly designed alert filled with more than ten different logos.
FBI PayPal virus: This is the latest ransomware using the name of the Federal Bureau of Investigation. As soon as it gets inside the system, it blocks the entire desktop and disables the Internet connection on its target PC. In addition, it asks for a $100 fine for invented online crimes, such as the use of copyrighted content or distribution of malware. Unlike earlier parasites that use an identical scheme for stealing money, FBI PayPal virus uses PayPal for its money transactions. Please stay away from this threat.
HOW CAN I REMOVE FBI VIRUS?
In order to remove this virus, you should unlock your computer first of all. For that, we recommend using another PC that has an Internet connection and following the steps listed below:
1. Take another machine and use it to download SpyHunter or another reputable anti-malware program. You can also try downloading Defender Pro Ultimate Security Suite or Malwarebytes Anti Malware.
2. Update the program and copy it to a USB drive or a plain CD.
3. Meanwhile, reboot your infected machine into Safe Mode with Command Prompt and plug the USB drive into it.
4. Reboot the infected computer once more and run a full system scan.
UPDATE: Be aware of the new versions of FBI virus, which are called FBI Green Dot Moneypak virus, FBI Virus Black Screen and FBI Online Agent. They have clearly been designed to get more money from their victims, so they show a warning asking for $200, not $100, to be paid through the MoneyPak prepayment system. To remove these versions completely, run a full system scan with an updated anti-virus/anti-malware program. In order to unlock your PC, use the steps given above and follow this additional information:
* Users infected with the FBI group of viruses can still access other accounts on their Windows systems. If one of these accounts has administrator rights, you should be able to launch an anti-malware program from it.
* Try denying Flash to stop the ransomware functioning as intended. To disable Flash, go to the Macromedia support page and select 'Deny': http://www.macromedia.com/support/documentation/en/flashplayer/help/help09.html. After doing that, run a full system scan with an anti-malware program.
* Manual FBI virus removal:
- Reboot your infected PC into 'Safe Mode with Command Prompt' to disable FBI virus (this should work with all versions of this threat)
- Run Regedit
- Search for the WinLogon entries and write down all the files that are not explorer.exe or blank. Replace them with explorer.exe.
- Search the registry for the files you have written down and delete the registry keys referencing them.
- Reboot and run a full system scan with updated SpyHunter to remove the remaining files.
This video guide shows how to remove FBI virus. However, there might be some differences in its removal because of different systems and versions of the parasite. Use the auto-removal process to remove the infection easily.
FBI virus manual removal:
Kill processes:
tpl_0_c.exe
ch810.exe
0_0u_l.exe
[random].exe
jork_0_typ_col.exe
vsdsrv32.exe
Protector-[rnd].exe
Inspector-[rnd].exe
Delete registry values:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random].exe
HKEY_LOCAL_MACHINE\SOFTWARE\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\FBI Moneypak Virus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 'Inspector' = %AppData%\Protector-[rnd].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 'DisableRegistryTools' = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 'DisableRegedit' = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 'DisableTaskMgr' = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings 'WarnOnHTTPSToHTTPRedirect' = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system 'EnableLUA' = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system 'ConsentPromptBehaviorAdmin' = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system 'ConsentPromptBehaviorUser' = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe 'Debugger' = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe 'Debugger' = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE 'Debugger' = svchost.exe
Unregister DLLs:
wpbt0.dll
Delete files:
%Program Files%\FBI Moneypak Virus
%AppData%\Protector-[rnd].exe
%AppData%\Inspector-[rnd].exe
%AppData%\vsdsrv32.exe
%AppData%\result.db
%AppData%\jork_0_typ_col.exe
%appdata%\[random].exe
%Windows%\system32\[random].exe
%Documents and Settings%\[UserName]\Application Data\[random].exe
%Documents and Settings%\[UserName]\Desktop\[random].lnk
%Documents and Settings%\All Users\Application Data\FBI Moneypak Virus
%CommonStartMenu%\Programs\FBI Moneypak Virus.lnk
%Temp%\0_0u_l.exe
%Temp%\[random].exe
%StartupFolder%\wpbt0.dll
%StartupFolder%\ctfmon.lnk
%StartupFolder%\ch810.exe
%UserProfile%\Desktop\FBI Moneypak Virus.lnk
WARNING.txt
V.class
cconf.txt.enc
tpl_0_c.exe
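As an added example that is not from the original article or from any product it names, here is a read-only PowerShell audit of the registry locations the manual removal steps and the list above walk through: the Winlogon Shell/Userinit entries, the Run keys, the policy values (DisableTaskMgr, DisableRegistryTools, DisableRegedit, EnableLUA, ConsentPromptBehavior*, WarnOnHTTPSToHTTPRedirect) and Image File Execution Options 'Debugger' hijacks. The function name Find-LockScreenTraces and the path heuristics for Run entries (%AppData%, %Temp%, a profile root, taken from the file list above) are this example's own assumptions; it reports what it finds and changes nothing.

```powershell
# Added example (not the article's or any vendor's code): read-only audit of the
# registry locations the manual removal steps cover. It reports; it deletes nothing.
# Run from an elevated prompt, e.g. in "Safe Mode with Command Prompt":
#   powershell -ExecutionPolicy Bypass -File .\Find-LockScreenTraces.ps1

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Find-LockScreenTraces {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Winlogon: the article says any Shell other than explorer.exe (or a blank
    #    one) is the lock screen loader; Userinit should be the system copy.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = Get-RegValue $wl 'Shell'
    if ([string]::IsNullOrWhiteSpace($shell) -or $shell.Trim() -ine 'explorer.exe') {
        $findings.Add("HKLM Winlogon\Shell = '$shell' (expected 'explorer.exe')")
    }
    $userinit = Get-RegValue $wl 'Userinit'
    if ($userinit -notmatch '^[a-z]:\\windows\\system32\\userinit\.exe,?\s*$') {
        $findings.Add("HKLM Winlogon\Userinit = '$userinit' (expected system userinit.exe)")
    }
    # A per-user Shell override is absent on a clean system; lock screens add one.
    $userShell = Get-RegValue 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
    if ($null -ne $userShell) { $findings.Add("HKCU Winlogon\Shell = '$userShell' (should not exist)") }

    # 2. Run keys: flag autostarts in %AppData%, %Temp% or a profile root (where the
    #    file list puts the droppers) and the 'Inspector' value name. Some legitimate
    #    software also autostarts from AppData, so treat this as a review list.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $where = '%AppData%|%Temp%|\\AppData\\Roaming\\|\\Temp\\|\\Users\\[^\\]+\\[^\\]+\.exe'
    foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # provider metadata, not values
            $cmd = [string]$p.Value
            if ($p.Name -ieq 'Inspector' -or $cmd -match $where) {
                $findings.Add("Run entry $run\$($p.Name) = '$cmd'")
            }
        }
    }

    # 3. Policy values from the list. Healthy: Disable* absent or 0, EnableLUA 1,
    #    both ConsentPromptBehavior values non-zero, WarnOnHTTPSToHTTPRedirect 1.
    $hkcuPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($n in 'DisableTaskMgr', 'DisableRegistryTools', 'DisableRegedit') {
        $v = Get-RegValue $hkcuPol $n
        if ($null -ne $v -and $v -ne 0) { $findings.Add("$hkcuPol\$n = $v (tool disabled by policy)") }
    }
    $hklmPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($n in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser') {
        $v = Get-RegValue $hklmPol $n
        if ($null -ne $v -and $v -eq 0) { $findings.Add("$hklmPol\$n = 0 (UAC weakened)") }
    }
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ((Get-RegValue $inet 'WarnOnHTTPSToHTTPRedirect') -eq 0) {
        $findings.Add("$inet\WarnOnHTTPSToHTTPRedirect = 0")
    }

    # 4. IFEO 'Debugger' hijacks: the list shows svchost.exe registered as the
    #    debugger for security tools, so launching them runs svchost.exe instead.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
        $dbg = Get-RegValue $sub.PSPath 'Debugger'
        if ($null -ne $dbg) { $findings.Add("IFEO $($sub.PSChildName) Debugger = '$dbg'") }
    }
    return $findings
}

$results = @(Find-LockScreenTraces)
if ($results.Count -eq 0) { 'No lock-screen traces found in the audited keys.' }
else { $results | ForEach-Object { "SUSPECT: $_" } }
```

Every SUSPECT line is a candidate for the manual steps above (restore explorer.exe, delete the Run value, remove the Debugger value), not a verdict; confirm each one before deleting.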
Modern viruses are really hard to remove. They have random file names and random registry entries, and they can imitate legitimate products and files.
Removal instructions sometimes can't help to remove an infection manually. Please take a look at our discussion where users like you share their experience in fighting the parasite:
1. I shut down the computer
2. disconnected the internet connection
3. downloaded Malwarebytes on another CPU to a thumb drive
4. Re-booted the infected CPU
5. downloaded Malwarebytes from thumb drive (warning voice was still playing in the background)
6. install Malwarebytes
7. run Malwarebytes (quick scan)
8. prompted by Malwarebytes to re-boot
9. virus gone.
Hope this helps someone.
I did the same thing, but I did NOT buy the software, and guess what? It's back. I will be buying the program this time, you can bet.
1) When you try to access the computer, DO NOT CONNECT TO THE INTERNET.
2) If you are connected, do a control-alt-delete to bring up the option menu. You cannot start Task Manager, so hit the logout key.
3) When you get back to a non-connected computer, do a search for all files with the date that you think the system was infected, i.e. 10/01/2012
4) On my computer, it brought up 2 items
programs: ctfmon
files: 12986228.dll
5) Right click and open properties----go to security settings and click on the edit key--- change "allow" to "deny" for all boxes. Then press "Apply"
There should also be a file that comes up when you search for the date in step 4---- repeat step 5 for this file also. If you go to details on the dll, the language is Russian and the A*Holes actually show a copyright.
Then restart your computer and reconnect to the web.
For me, this gave me access and now I'm going to run the malware programs that are listed above.
Point of information- I was running 2012 TrendMicro Titanium and it failed. It even said it stopped an attack on 10/01/2012 (which is how I knew the date to search for)
Last time I use TrendMicro
Use the free version of Malwarebytes, update the virus definitions and do a full scan.
Also make sure you run the scan while the computer is in safe mode.
Hope this helps.
Try a system restore or run the Norton Power Eraser tool in safe mode with networking. Also please try to disable unknown start-up items from msconfig.
If you don't have Malwarebytes, try what you have. Just make sure you are off the internet, or you won't be able to get to it.
You might be able to download Malwarebytes to a disc, then use it on your computer offline, but I don't know for sure. Good luck.
It's worked.. thanks a lot..
Of course you would need to have Malwarebytes installed already so I'm sorry for the piss poor solution. I just hope my time spent here leaving this comment can help someone in the future. For good measure I'd always keep Malwarebytes on any computer I owned or worked with just for when the day comes you need it to save your ass. It has served me greatly many times and I'd recommend it 100 times over.
The dates on several directories are also using current dates: . .. Config ... Tasks
I downloaded Malwarebytes onto a flash drive but cannot access the USB port. It has disabled DOS commands to change directories.
What now?
Malwarebytes pro trial version is your best bet or combofix. Use either one in safe mode.
Upon clicking , an error message appears.
The following is lost or damaged, cannot start Windows:
WINDOWS\SYSTEM32\CONFIG\SYSTEM
It also prompted me to "reload" the original OS CD.
please help since I lost the original OS CD. Thanks
1. do a system restore from safe mode.
2. use spy hunter in safe mode.
3. use malwarebyte in safe mode.
4. reboot your system in normal mode.
you will never get this fbi virus back again.....
1. Go to HKLU\Software\Microsoft\Windows\CurrentVersion\Run and look for the [random].exe
2. Delete value in key
3. Go to the location that the [random].exe was pointing to (mine was in the root of C:\Users\InfectedProfile)
4. Delete File(s)
5. Reboot
After logging back in, I ran CrapCleaner and MalwareBytes and found the usual suspects of Malware, but the FBI virus has disappeared.
Sharing with you my successful removal of the FBI virus.
While out of town my daughter informed me that while playing fairies her computer went to a blank screen with sound.
It turned out to be the FBI virus.
Her computer is a Dell Windows 7 laptop running Norton Antivirus 360.
To my surprise Norton did not catch it.
This is one nasty virus.
I tried all the techniques related to navigating and deleting files in the roaming or local folders.
Also, tried the restore method several times, but the virus was preventing the restore to complete successfully.
Next, I downloaded the Norton.com/NPE. It found two infections. I thought I was done but it did not work, the virus figured how to survive without those files.
Next, I downloaded Malware bytes. It found another two infections. But then again, the virus found a way to survive without those files.
I called Norton, GeekSquad etc. they wanted $100 to $200 to guide me over the phone on how to remove the virus.
At this point, I had spent more than 8 hours loading and rebooting and wondering what else to do.
A long time ago, I downloaded Avira Antivirus. It detected viruses Norton and McAfee could not detect.
Currently paying for Norton. We use it at work and I use it at home.
On another computer, I downloaded the Avira bootable rescue product for FREE.
http://www.avira.com/en/download/product/avira-antivir-rescue-system/product/avira-antivir-rescue-system/product/avira-antivir-rescue-system
In addition, I downloaded UNetbootin.
http://unetbootin.sourceforge.net/
UNetbootin is used to "burn" a USB memory stick as a DVD bootable drive.
You download the ISO image onto your desktop and use UNetbootin to select the Avira ISO file and the location where you inserted a USB memory stick.
It will format the USB memory stick with the Avira ISO bootable image.
I inserted the memory stick into the infected laptop and restarted it. The laptop already had the boot sequence checking the USB drive first.
It loads Linux and runs the antivirus. I clicked update to get the latest signatures and clicked on configuration to select delete file when unable to repair.
After over two hours, the Avira rescue system found 14 infected files! Ranging from java, gif, exe. Just wondering why the other antivirus could not detect them!
It could not delete some of the files. Indicating “archive scan abort”.
I restarted my laptop in Safe mode and deleted those files manually (3 of them).
Then I restarted the laptop normally.
It worked!
I am switching to Avira. Those German guys make some good stuff.
once on desktop, right click and install and run a full scan of the machine. Malwarebytes will find 3 files, one file shuts down automatic updates, the 2 other files run the FBI screen block. once malwarebytes is done, delete the 3 trojan viruses and restart the computer. upon restart connect the internet and get a full update of malwarebytes and run full scan again. this should eliminate the virus. has worked for me on a XP machine and have used to maintain many other computers. Once a computer has malware you have to disconnect the internet connection and download malwarebytes to flash drive from a different computer and run on disconnected PC to get rid of all malware, then determine if there is registry damage. If registry is damaged you will need to reload the operating system. Best of luck to all, Best Regards, The PC Guru
John
go into device manager and disable your web cam .. you can always enable it later if you want to use it . and in the future his little program won't work will it .
I fixed it by force shutting down my laptop (held the power button); then when it prompted me to either load Windows normally or open in safe mode, I clicked safe mode and let my computer load. The virus did not pop up and so I went into the start menu and in the bar that says "Search Programs and Files" I typed in "System Restore" and pressed enter. It then opened up the system restore and after I clicked the initial "Next" I had 4 backup dates. I picked the one from the 27th and let the system restore do its job. I am now virus free and I double checked to make sure all files were removed and none could be found or located.
Step One (1) -- UNPLUG YOUR NETWORK CABLE FROM YOUR PC (or temporarily disable your wireless connection) after powering down your PC. THIS IS THE KEY STEP, since the FBI popup window the virus uses to lock up your PC cannot activate without an online connection.
Step Two (2) -- Power up your PC with the network still disabled, and boot to Windows as usual. Ignore any warnings about loss of internet/network connection.
Step Three (3) -- Go to the "System Restore" utility that comes with every Windows PC (In my Win XP system, it was under "Start", then "Programs", then "Accessories", then "System Tools", then "System Restore").
Step Four (4) -- In the "System Restore" utility, select "Restore My Computer To An Earlier Time", then click "Next". On the next screen, select the "System Checkpoint" for the day before the virus showed up on your PC. If you are not sure when the virus first showed up, select a date that is several days before you first noticed the virus. (NOTE: The PC automatically creates at least one "System Checkpoint" per calendar day.) Click Next, then click next again to confirm your selected "Restore Point". This will delete anything that was added or altered on your PC after the selected "Restore Point", INCLUDING ANY TRACE OF THE VIRUS!!
Step Five (5) -- As the System Restore utility reboots your PC, plug your network cable back into your PC (or restore your wireless connection). Your PC should then reboot and begin functioning as usual.
Hope this helps.
Please help :(
Easy way to remove FBI or any malware (when you haven't done anything stupid)
1. Shutdown the PC
2. F8 - Advanced Windows Options - Choose Safe mode with networking
3. Ignore anything that pops up... launch IE or go to ftp to download Mozilla Firefox (ftp.mozilla.org)
4. Download Malwarebytes, Super antispyware, trojan remover, hitman pro
5. Install and run the scans
6. Launch msconfig, look for an alphanumeric entry or anything which looks weird, then launch the registry editor (regedit) to get to the entry, right click on the entry and delete it.
7. By now all the applications downloaded and installed should have detected the infections, delete.
8. Boot your PC to normal mode.
9. Above all the rest.... It may happen that the integrity and attributes of the Windows files are changed.
10. You may try to perform a repair install by getting into the recovery console if you have the OS disc, or you may contact your respective manufacturer.
It's foolish to pay the scammers... innocent people, open your eyes.
Switch user to other account (if you have one, needs to be admin) and system restore.
I always wonder if people are actually stupid enough to pay people on these scams though….
1. First, copy these instructions into a Word document and print them out, or make sure you stay on this page and don't leave until finished.
2. Disconnect your internet connection. Very important.
3. Turn off infected computer and boot up. While booting up, continue hitting F8 key to get to Safe mode. Choose Repair Computer option.
4. You are then going to do a System Restore to a previous point. Go back to a previous point that you feel the computer was fine. I had to do this a couple of times to earlier dates, because it said it wasn't able to do it. IMPORTANT: It said that it wasn't able to do it, but continue on. It will still work.
5. Re-start computer and you should be in Safe Mode. Remember, you are still not connected to the internet.
6. VERY IMPORTANT!!! Now go to My Computer and open up System Properties, and then Remote Settings, and then un-check Remote Assistance, hit Apply, OK. This is why you are unable to get online, because this box is checked.
7. Now plug your internet connection back in after you unchecked the Remote Assistance from the previous step.
8. Reboot and you should now be able to get online. You are not done yet because the Trojan virus is still on your computer.
9. Go to Control Panel, Uninstall programs, highlight Java if you have it and uninstall. Get Java off your computer. This can be a problem.
10. I used to use AVG Security but that started giving me problems. I went online and installed the free version of Microsoft Security Essentials (free download). Make sure you uninstall any prior virus protection before installing new virus protection.
11. Whatever virus protection you are using, run a quick scan. There is a good chance it will pick up the virus. Get rid of any quarantined viruses that your scan picks up.
12. This is also VERY IMPORTANT! Next, go to Malwarebytes.org and download the free version of this. This picked up one more of the Trojan virus that was left on my computer. I did some research before I downloaded Malwarebytes software and felt comfortable with doing this. I am not trying to have anyone download anything bad or any viruses. I am unemployed and could not afford to pay someone like Geek Squad to fix this. This worked for me and I hope it will help others. This took me about an hour and a half doing the downloads and figuring how to get to Safe mode. My computer is now fixed and running well. I will now be using Malwarebytes to help prevent this form of bad viruses from infecting my computer in the future. Good luck!
Has anyone else had this happen to them and, if so, were you able to get a fix?
Thanks
A HUGE thanks for your solution. I could not enter Safe Mode until I read your post.
After system restore ran the computer rebooted itself and Windows started properly. I was then able to run Malwarebytes which detected and removed the remaining virus.
Thanks again!
When confronted with the FBI locked screen press Ctrl, Alt, and Delete simultaneously and hold until the screen turns blue with a short list.
Click on the little red button in the corner and select restart
Keep pressing F8 button repeatedly until you see the windows advanced option menu
Click on repair computer
Choose your preferred language
Choose your administrator account and password and press "ok" to continue
For Windows Vista or 7 click on system restore option
At the next screen click next
At the next screen choose a restore point before your computer was infected and choose next
At the next screen confirm, then click finish
Wait for system restore process to finish
Click restart computer
Update antivirus and run a FULL scan immediately
Done