Severity scale:  
  (99/100)

FBI virus. How to remove? (Uninstall guide)

removal by Linas Kiguolis - -   Also known as Screen Locker | Type: Ransomware

FBI virus is a screen-locking malware that tries to extort money out of victims for the alleged illegal activities

Versions of FBI viruses
FBI virus is a type of malware that demands payment for the release of the device which can reach 500USD

Questions about FBI virus

FBI virus is a cyber-threat which belongs to ransomware[1] category. However, it does not encrypt personal data as Locky or other malware does. Instead, it locks up the screen and displays a bogus message which explains, that the user has been violating the law in one way or another. Hackers threaten victims that the computer has been locked by the FBI or CIA, and the only way to recover the control of the machine is by paying between $100 and $500 using MoneyPak or similar service. There are several versions of this cyber threat, and the various AV engines recognize if under different names.

Summary
Name FBI virus
Type Ransomware / screen-locker
Versions
Systems affected Windows computers, Android devices, iOS devices
AVs detect under these names
  • Trojan/Win32.Reveton (Microsoft Windows)
  • Win32:LockScreen (Avast!)
  • Trojan:W32/Revton (F-Secure)
  • Trojan-Ransom.Win32.Urausy (Kaspersky)
  • Win/DHADVQFVFBIA (AVG)
  • Trojan.Winlock (Panda)
Demanded payment $100-$500
Distribution Spam emails, malicious websites, torrent sites, etc.
Symptoms Locked screen or browser, demands of paying “fine,” etc.
Elimination Download and install Reimage; check other instructions below

FBI Warning Virus was firstly noticed in 2012.[2] Six years later, it keeps spreading around and poses a serious danger to PC users as well as Android and iOS users.

Just like its first versions, this sneaky malware gets into the target computer with a help of Trojan.LockScreen. As soon as it gets inside, Screen Locker locks the desktop and presents a screen with the “FBI Federal Bureau Investigation”, “CIA Special Agent”, and similar badges.

This aggressively-designed alert claims that the computer was blocked due to the Copyright and Related Rights Law violation or other reason that seems convincing. Below you can see a list of crimes that victims of the FBI Warning virus are typically accused of:

  • Attempts to access prohibited pornographic content;
  • Neglectful use of personal computer;
  • Attempts to download MP3s, movies and software illegally;
  • Bulk-spamming.

Unfortunately, if you found yourself blocked by a program which claims that you have been illegally using or distributing copyrighted content, viewing or distributing pornographic content and spreading malware, you are infected with ransomware.

Beware that it can infect Windows, iOS and Android operating systems (this version is known as Android ransomware). No matter what was declared by FBI several years ago,[3], you must ignore the alert caused by FBI ransomware and do NOT even think about paying the fine.

Keep in mind that this program belongs to hackers who are seeking just to swindle your and other people's money. If infected, remove FBI virus immediately after detection! Otherwise, you can run into further problems. Since the virus actively rampages in Germany, we invite German-speaking users to check guidelines provided on Dieviren.de[4] page.

UPDATE: Beware of the new versions of FBI virus known as FBI Green Dot Moneypak virus, FBI Virus Black Screen and FBI Department of Defense virus! They are designed to extort money from computer users, so they are asking to pay a fine while accusing the PC user of illegal activities.

FBI virus on phones
Malware can also affect Android and iOS devices

If you became a victim, keep in mind that these malicious programs only seek to scare you and that they display the same text for every user who accidentally installs malware on their computers. 

Close the common infiltration paths to keep malware away

This infection has been using various methods to infiltrate target PC systems. As we have already mentioned, it spreads with the help of Trojan.LockScreen which can get into the system using various techniques. Of course, spam is considered one of the main methods used by this Trojan horse[5] for infiltrating computers.

However, it can also infect you after downloading the illegal program (illegal game, crack, etc.) or after clicking the infected popup. Beware that the most of such popups claim that the victim needs to update the Adobe Flash Player or similar program. Make sure you ignore such offers for your own good. Otherwise, you will be forced to think about FBI virus removal.

To avoid FBI virus infiltration, you need to take care of your computer's security. If you don't use any security software or if you fail to update such software, you can increase the chances of getting infected with this.[6] Of course, you must always think about safe browsing practices.[7]

The biggest issue, which is caused by this ransomware, is that it has an ability to block the system and locks down all your programs, including anti-virus software. In order to launch it, you should try rebooting your computer to Safe Mode with Networking or try System Restore feature that could help you disable FBI virus.

According to hackers, you should pay the fine through MoneyPak or other pre-payment systems. Of course, you should never do that if you don't want to support those scammers who are collecting these fines. Instead, you should try to eliminate the virus using the instructions added at the end of this article or using special malware removal software such as Reimage (for Windows) or Plumbytes Anti-MalwareMalwarebytes Malwarebytes (for Macs and Android devices).

Malicious software using FBI theme to frighten users

FBI Moneypak: This ransomware uses a huge alert filled with FBI and Moneypak logos, a webcam and a list of crimes victim is accused for. User is informed that he has been viewing/distributing pornographic or copyrighted content, spreading malware or doing other illegal activities. For that, he has to pay a $100 fine and enter a Moneypak code on the right side of the fake alert. This threat locks the system down completely.

FBI Green Dot Moneypak Virus: This ransomware locks the whole system down and displays a fake alert with FBI, Moneypak and McAfee logos. A misleading message, which belongs to this threat, claims that Federal Bureau of Investigation has blocked you for downloading illegal/copyrighted material and similar crimes. It requires to pay $200 fine and includes the steps explaining how you should do that.

FBI Virus Black Screen: This ransomware from the FBI group of viruses uses the same technique as its predecessors and seeks to make users pay a $200 fine. However, it also applies an audio warning, black screen and system's lock down. It will similarly claim that you have been caught for law violations and will accuse you for visiting pornographic websites, viewing files containing zoophilia, child pornography and similar.

FBI Online Agent: This ransomware also uses the name of the Federal Bureau of Investigation, but it has a newly-designed alert, which tends to accuse victim for committing various crimes and asks to pay $200 using MoneyPak. The new thing about FBI Online Agent is that it doesn't show your IP address or location but gives the name of the responsible agent, case number and other details that are clearly invented. Besides, scammers have included the promotion of the terrorism into the list of the crimes that are reported into this misleading warning.

FBI Cybercrime Division virus
FBI Cybercrime Division virus demands 300USD for file release

FBI Cybercrime Division virus: That's the dangerous ransomware, which pretends to belong to the FBI's Cybercrime Division. This virus uses identical scheme while trying to steal users' money. However, this time it asks to pay $300 using Moneypak prepayment system. Be sure that its alert is not legitimte and can be safely ignored. The new version applies a newly designed alert, which is filled with more than ten different logos.

FBI PayPal virus: This ransomware is not related in any way to Federal Bureau of Investigation . As soon as it gets inside the system, this ransomware blocks the entire desktop and disables Internet connection on its target PC.

In addition, it asks paying the fine of $100 for invented online crimes, such as the use of copyrighted content or distribution of malware. Differently from earlier parasites, that use identical scheme for stealing the money, FBI PayPal virus uses PayPal for its money transactions. Please, stay away from this threat.

FBI Department of Defense virus: This is a dangerous ransomware virus, which, similarly to its predecessors, seeks to swindle $300 by convincing its victims that they have violated several laws of USA. This virus has the same ability to lock down the PC and hide every file, which is kept on the computer.

The new thing about this version of FBI virus, is that it offers using MoneyGram prepayment system for paying the fine. Please, never follow its recommendations!

FBI department of Defense virus
This version asks to pay up using MoneyGram service

White Screen FBI virus: This is a cyber infection, which is categorized as ransomware and belongs to the same group of FBI virus. If you see a white screen and a mouse cursor on your computer's desktop, that means this virus failed to load properly.

However, you may also receive a huge warning from FBI, which reports about the illegal use of videos related to child pornography or other e-crimes. Please, ignore warning that belongs to White Screen FBI virus and never pay any money or provide any personal information.

FBI Computer Crime and Intellectual Property Section virus: This is a dangerous ransomware that occupies entire computer as soon as it infects it. Instead of the desktop, it shows a huge alert stating that 'computer is locked by Internet Service Provider' for several different reasons.

Just like previous versions, it claims that computer's owner was noticed watching and spreading copyrighted content and doing other activities that clearly violate some laws of USA. This FBI virus version asks to pay a fine of $200. Please, never follow this requirement.

FBI System Failure virus: FBI System Failure virus is a serious ransomware threat, which blocks computers with its fake warning saying: 'All Activities of this computer has been recorded. All your files are encrypted. Don’t try to unlock your computer!'. Just like previous its versions, this virus seeks to make its victims pay an invented fine.

This version is used to swindle $300, for that it asks using REloadit prepayment system. If you see such warning, you must ignore it and use anti-malware software to remove malicious files from the system.

Fake Pornhub App ransomware virus. The malicious software was first discovered by a researcher Michael Gillespie. The screen-locking virus disguised itself as a fake Pornhub app, and as a consequence, people looking for erotic visual content were tricked into installing malware instead of the popular adult-content app. Once installed, this version of Android ransomware quickly locks the device, preventing the user from using it.

Considering that the victim just installed an app for adults, the message displayed on the screen might appear more scary and realistic than it actually is. The message states that “Federal Bureau of Investigation, Department of Justice” scanned the device and detected suspicious files as well as attempts to enter forbidden websites. As a consequence, the user has to pay $500 fine within three days.

Clearly, it is a scam. You should remove pornhub.apk as soon as possible. The researcher who discovered the virus suggests that the victim might have to reset the device entirely and restore it from a backup in order to continue using it.

Remove FBI virus from a compromised computer

In order to remove FBI virus from your computer, you should firstly unlock it. Depending on the type of your virus (you can be infected with Crypto-malware, ScreenLocker, ransomware, etc.), you should try methods that are provided below. Almost in all cases it is required to reboot the device into Safe Mode with Networking. Of course, the first step that you should make is trying to launch your security software. If you don't have such, we highly recommend installing Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes for FBI virus removal. 

If you want to remove FBI Warning virus without entering Safe Mode, you can use System Restore function instead (as explained below).

Remove FBI virus from Android, iPhone or iPad

FBI virus has been updated – several years ago it started blocking Android devices and has already attacked LG Smart TV.[8] It acts just like Windows version: FBI android virus locks the screen of the device and displays a fake warning message asking people to pay a fine for their illegal online activities. Please, do NOT pay this fine!

In addition, scammers started to release versions for iPhone users, so we have also prepared a guide on how to remove the virus from iOS devices.

If your Android phone was blocked, you should follow these steps. The following directions also explain how to get rid of FBI virus on tablet. 

Instructions on how to remove FBI virus from Android

1. Reboot your Android device into Safe Mode:

  1. Find the power button and press it for a couple of seconds until you see a menu. Tap the Power off.
  2. Once you see a dialog window that offers you to reboot your Android to Safe Mode, select this option and OK.

If this failed to work for you, just turn off your device and then turn it on. Once it becomes active, try pressing and holding Menu, Volume Down, Volume Up or Volume Down and Volume Up together to see Safe Mode.

2. Uninstall malicious app (FBI Android virus may hide under BaDoink, Video Player, Network Driver System, Video Render, ScarePakage and other suspicious names):

  1. When in Safe Mode, go to Settings. Once there, click on Apps or Application manager (this may differ depending on your device).
  2. Here, look for previously mentioned malicious app(s) and uninstall all of them.

If this failed, enter a random, 15 digit length, code of imaginary MoneyPak xpress Packed voucher that is asked by FBI android virus or follow these steps:

  1. Go to Settings -> Security. Here, select Device administrators.
  2. Here, look for previously mentioned malicious app(s) and uncheck it
  3. In order to finish the removal of FBI Android virus, select Deactivate and OK.

Remove FBI virus from iPhone or iPad

FBI virus on iPhone? Not a problem. If you encountered a fake police warning on iPhone, follow these instructions to clean your device:

  1. Go to Settings. Here, find Safari app and tap on it.
  2. Scroll to the bottom of Safari settings panel and tap Advanced.
  3. Select Website Data, then scroll to the bottom again and select Remove All Website Data.
  4. Tap again to confirm the removal of website data. Your iPhone or tablet should be FBI virus-free.

Offer
We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

Note: Manual assistance required means that one or all of removers were unable to remove parasite without some manual intervention, please read manual removal instructions below.

More information about this program can be found in Reimage review.

If you decided to select another anti-spyware, uninstall Reimage from your computer.
Press mentions on Reimage
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Malwarebytes.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

FBI virus manual removal:

Kill processes:
tpl_0_c.exe

ch810.exe

0_0u_l.exe

[random].exe

jork_0_typ_col.exe

vsdsrv32.exe

Protector-[rnd].exe

Inspector-[rnd].exe

Delete registry values:
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun[random].exe

HKEY_LOCAL_MACHINESOFTWAREFBI Moneypak Virus

HKEY_CURRENT_USER SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem ‘DisableRegistryTools’ = 0

HKEY_LOCAL_MACHINE SOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem ‘EnableLUA’ = 0

HKEY_CURRENT_USER SoftwareMicrosoftWindowsCurrentVersionInternet Settings ‘WarnOnHTTPSToHTTPRedirect’ = 0

HKEY_CURRENT_USER SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem ‘DisableRegedit’= 0

HKEY_CURRENT_USERSoftwareFBI Moneypak Virus

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun ‘Inspector’

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallFBI Moneypak Virus

HKEY_CURRENT_USER SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem ‘DisableTaskMgr’ = 0

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsprotector.exe

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunInspector %AppData%Protector-[rnd].exe

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsWarnOnHTTPSToHTTPRedirect 0

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionSettingsID 4

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionSettingsUID [rnd]

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionSettingsnet [date of installation]

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciessystemConsentPromptBehaviorAdmin 0

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciessystemConsentPromptBehaviorUser 0

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciessystemEnableLUA 0

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAAWTray.exe

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAAWTray.exeDebugger svchost.exe

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAVCare.exe

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAVCare.exeDebugger svchost.exe

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAVENGINE.EXE

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsAVENGINE.EXEDebugger svchost.exe

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem “DisableRegistryTools” = 0

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem “DisableTaskMgr” = 0

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem “ConsentPromptBehaviorAdmin” = 0

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem “ConsentPromptBehaviorUser” = 0

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem “EnableLUA” = 0

Unregister DLLs:
wpbt0.dll

Delete files:
%Program Files%FBI Moneypak Virus

%AppData%Protector-[rnd].exe

%AppData%Inspector-[rnd].exe

%AppData%vsdsrv32.exe

%AppData%result.db

%AppData%jork_0_typ_col.exe

%appdata%[random].exe

%Windows%system32[random].exe

%Documents and Settings%[UserName]Application Data[random].exe

%Documents and Settings%[UserName]Desktop[random].lnk

%Documents and Settings%All UsersApplication DataFBI Moneypak Virus

%CommonStartMenu%ProgramsFBI Moneypak Virus.lnk

%Temp%_0u_l.exe

%Temp%[random].exe

%StartupFolder%wpbt0.dll

%StartupFolder%ctfmon.lnk

%StartupFolder%ch810.exe

%UserProfile%DesktopFBI Moneypak Virus.lnk

WARNING.txt

V.class

cconf.txt.enc

tpl_0_c.exe

To remove FBI virus, follow these steps:

Remove FBI using Safe Mode with Networking

If FBI virus infected your Windows OS, you can unlock your computer with the help of methods that are given below. If they do not help you, try rebooting your PC to Safe Mode with Networking (see instructions with explanatory screenshots below).

  • Users infected with FBI virus are allowed to access other accounts on their Windows systems. If one of such accounts has administrator rights, you should be capable of launching anti-malware program.
  • Try to deny the Flash to make your ransomware stop. In order to disable the Flash, go to Macromedia support page and select “Deny”: See how to do it here. After doing that, run a full system scan with anti-malware program.

Manual FBI virus removal:

  1. Reboot your infected PC to “Safe mode with command prompt” to disable FBI virus (this should be working with all versions of this threat);
  2. Run Regedit;
  3. Search for WinLogon Entries and write down all the files that are not explorer.exe or blank. Replace them with explorer.exe;
  4. Search the registry for these files you have written down and delete the registry keys referencing the files;
  5. Reboot and run a full system scan with updated Reimage to remove remaining files.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove FBI

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete FBI removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove FBI using System Restore

To disable FBI virus, you can use System Restore method as well. For that, you need to follow these steps:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of FBI. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that FBI removal is performed successfully.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from FBI and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes

About the author

Linas Kiguolis
Linas Kiguolis - Expert in social media

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Linas Kiguolis
About the company Esolutions

References

Removal guides in other languages