FBI – Your PC is Blocked

Another addition to the list of ransom software is the one that mimics Federal Bureau of Investigation (FBI). AVG uncovers this malware and believes that it is distributed through Blackhole exploit kit. This malware can enter the computer through security breaches that attackers may discover on a target computer. Once inside the system, the malware will lock the desktop and display a message that purports to be from FBI. It will proclaim legal action against the user who violates Copyright laws for illegally using or distributing copyrighted contents.

This message will demand user to pay a $100 penalty for this offense through MoneyPak. This method is a payment system that allows user to buy credit from any partner convenience store and use the value to purchase online. This process obviously reveals that FBI is not in any way connected to this fraud activity. Most of the text that lies in this ransom page is copied from previous ransom malware that belong to the same group.

Part of the message that appears on this fake copyright violation page reads:

The FBI
Federal Bureau of Investigation
Location: United States
IPS: GTS Central Europe
Your PC is blocked due to at least one of the reasons specified below.
You have been violating Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyrighted content, thus infringing Article I, Section B, Clause 8, also known as the Copyright of the Criminal Code of United States of America.

It is believed that there are several variants of this FBI virus. Security experts from Symantec categorized this group as Trojan.Ransomlock.R. Thus, you may use Symantec’s removal procedure to stop FBI virus from blocking your PC.

Screenshot Image:

Image of FBI Your PC is Blocked Malware

There is a much recent version of the FBI PC Blocking virus. Its authors either added or replaced the payment method to Ultimate Game Card. Please see screenshot below.

Technical Details and Additional Information:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

How to Remove FBI – Your PC is Blocked

Option 1 : Manually deleting FBI – Your PC is Blocked files and data

Malware of this kind usually disables Internet access and prevent execution of installed programs. This is the reason why we recommend manual removal as the first option. You may however skip this step if you are worry of deleting files in the system. Accidental deletion of legitimate files may lead to Windows malfunction, so, please be very cautious with these steps.

Start Windows in Safe Mode

1. Remove all media such as floppy drive, cd, dvd, and USB devices. Then, restart the computer.

You must boot computer in Safe Mode. Please follow the guide base on your Windows version.

Boot in Safe Mode on Windows XP, Windows Vista, and Windows 7 system
a) Before Windows begins to load, press F8 on your keyboard.
b) It will display the Advanced Boot Options menu. Select Safe Mode.

Start computer in Safe Mode using Windows 8
a) Before Windows begins to load, press Shift and F8 on your keyboard.
b) On Recovery interface, click on 'See advanced repair options'.
c) Next, click on Troubleshoot option.
d) Then, select Advanced options from the list.
e) Lastly, please choose Windows Startup Settings and click on Restart. When Windows restarts, you will be send to a familiar Advanced Boot Options screen.
f) Select Safe Mode from the selections menu.

SafeMode

Delete files dropped by FBI – Your PC is Blocked

2. Go to Applications Data folder to delete files dropped by the virus. Depending on your installed operating system, follow the guide below.

Open Applications Data folder on Windows XP, Windows Vista, and Windows 7

a) Click on Start, then on 'Run' or Search 'Program and Files' field, type %appdata%.
b) Click OK or press Enter on the keyboard to open the corresponding folder.

appdata old

Access Applications Data folder on Windows 8

a) Move your mouse to the lower-right corner of the screen. Menu will slide-out.
b) Click on the Magnifying Glass icon to run search tool.
c) Under Search Apps field, type %appdata% and press Enter on your keyboard. This should open the desired folder.

search-appdata-win8

3. Next, proceed to the folder Roaming > Microsoft > Windows > Start Menu > to see the shortcut link that calls the ransom program each time you start Windows. Delete the said file.

Delete ctfmon

4. Using the same procedures above, go to User Profile folder by typing %userprofile% in the box.

userprofile

5. Proceed to folder AppData > Local > Temp . Find and delete the following files:

Delete Malware File

Remove FBI – Your PC is Blocked start-up entry with MSCONFIG of Windows

6. Using the same procedures above, please run msconfig to open System Configuration of Windows.

userprofile

7. Click on Startup tab. You will see a list of programs that runs when Windows starts. Disable the entry that belongs to the virus by removing the check mark beside the item. Click OK to save the setting. Refer to the image below.

Delete System Configuration Entry

Run Anti-malware scan to check and delete other threats

8. Download the Removal Tool and save it on your Desktop or any location on your PC.

Download Tool

9. When finished downloading, locate and double-click on the file to install the application. Windows' User Account Control will prompt at this point, please click Yes to continue installing the program.
10. Follow the prompts and install with default configuration.
11. Before the installation completes, check prompts that software will run and update on itself.
12. Click Finish. Program will run automatically and you will be prompted to update the program before doing a scan. Please download needed update.
13. When finished updating, the tool will run. Select Perform full scan on main screen to check your computer thoroughly.
14. Scanning may take a while. When done, click on Show Results.
15. Make sure that all detected threats are checked, click on Remove Selected. This will delete all files and registry entries that belongs to FBI – Your PC is Blocked.
16. Finally, restart your computer.

Note :You may skip Option 2 if you have successfully removed the virus using the procedures above. We highly suggest you to proceed to Additional Scans below.

Option 2 : Remove FBI – Your PC is Blocked instantly with this Rescue Disk

This procedure requires a tool from Kasperky. Thus, it requires Internet access to download the files. If the virus blocks your Internet access, you have no other choice but to execute this guide from another computer.

Download Kaspersky Rescue Disk

1. Download the ISO image of Kaspersky Rescue Disk 10 (kav_rescue_10.iso) from this link.
2. Download the Kaspersky Rescue Disk Maker (rescue2usb.exe) from this link.

Create A Bootable USB Drive

3. Insert a clean USB flash drive to available slot. To record the ISO file and create a bootable USB drive, double-click on rescue2usb.exe. It will extract the files and create a folder called Kaspersky Rescue2Usb.
4. Kaspersky USB Rescue Disk Maker should run after the extraction. If not browse the Kaspersky Rescue2Usb folder and run the rescue2usb file.
5. From Kaspersky USB Rescue Disk Maker console, click on Browse and locate the file kav_rescue_10.iso.

Kaspersky Rescue Disk Maker

6. On USB Medium, select the USB drive you wanted to make as bootable Kaspersky USB Rescue Disk. This will become a bootable virus scanner.
7. Click in Start to begin the process.
8. When the process is complete, it will display a notification message. Your tool to remove FBI – Your PC is Blocked is now ready.

Rescue Disk Created

Boot The Computer From The USB Kaspersky Rescue Disk 10

9. Since FBI – Your PC is Blocked uses a rootkit Trojan that controls Windows boot functions, we need to reboot the computer and select the newly created Kaspersky USB Rescue Disk as first boot option. On most computers, it will allow you to enter the boot menu and select which device or drives you wanted to start the PC. Refer to your computer manual.
10. If you successfully enters the boot menu, choose the USB flash drive. This will boot the system on Kaspersky Rescue Disk. Press any key to enter the menu.

11. If it prompts for desired language, use arrow keys to select and then press Enter on your keyboard.
12. It will display
End User License Agreement . You need to accept this term to be able to use Kaspersky Rescue Disk 10. Press 1 to accept.
13. The tool will prompt for various start-up methods. We highly encourage you to choose Kaspersky Rescue Disk Graphic Mode.

Remove FBI – Your PC is Blocked Using Windows Unlocker

14. Once the tool is running, you need to run WindowsUnlocker in order to delete registry that belongs to FBI – Your PC is Blocked. On start menu located at bottom left corner of your screen, select the K icon or select WindowsUnlocker if it is present on the Menu.
15. Select Terminal from the list. A command prompt will open.

Run Terminal on Rescue Disc

16. Type windowsunlocker and press Enter on your keyboard.

Command for Windows Unlocker

17. From the selection, choose 1 - Unlock Windows to remove FBI – Your PC is Blocked. Use up/down arrow on keyboard to select and press Enter.

Windows Unlocker

18. This utility will start removing any components that blocking you from accessing the computer. It will display a log file containing actions performed on the infected computer like deleted infected file and removed registry entries.
19. After removing components of FBI – Your PC is Blocked. You need to scan the system using the same tool. On start menu, select Kaspersky Rescue Disk.

Kaspersky Rescue Disk Scanner

20. Be sure to update the program by going to My Update Center tab. Click on Start update.
21. After the update, go to Object Scan tab and thoroughly scan the computer to locate other files that belong to FBI – Your PC is Blocked.
22. Restart the computer normally when done.

Additional anti-virus and anti-rootkit scans

Ensure that no more files of FBI – Your PC is Blocked are left inside the computer

1. Click on the button below to download Norton Power Eraser from official web site. Save it to your desktop or any location of your choice.

NPE Download

4. Once the file is downloaded, navigate its location and double-click on the icon (NPE.exe) to launch the program.
5. Norton Power Eraser will run. If it prompts for End User License Agreement, please click on Accept.
6. On NPE main window, click on Advanced. We will attempt to remove FBI – Your PC is Blocked components without restarting the computer.

Advance Scan

9. On next window, select System Scan and click on Scan now to perform standard scan on your computer.

Scan the System

10. NPE will proceed with the scan. It will search for Trojans, viruses, and malware like FBI – Your PC is Blocked. This may take some time, depending on the number of files currently stored on the computer.

11. When scan is complete. All detected risks are listed. Remove them and restart Windows if necessary.

Remove the Rootkit Trojan that installs FBI – Your PC is Blocked

For automatic removal of rootkit Trojan using a free tool, you can refer to this guide. Download the tool and carefully follow the instruction.

1. Click on the button below to download the file FixZeroAccess.exe from official web site. A new window or tab will open containing the download link.

ZeroAccess Fix Tool

2. Close all running programs and remove any disc drives and USB devices on the computer.
3. Temporarily Disable System Restore if you are running on Windows XP). [how to]
4. Browse for the location of the file FixZeroAccess.exe.
5. Double-click on the file to run it. If User Account Control prompts for a security warning and ask if you want to run the file, please choose Run.
6. It will open a Zero Access Fix Tool End User License Agreement (EULA). You must accept this license agreement in order to proceed with rootkit removal. Please click I Accept.

7. It will display a message and prepares the computer to restart. Please click on Proceed.

FixTool

8. When it shows a message about 'Restarting System' please click on OK button.
9. After restarting the computer, the tool will display information about the identified threats. Please continue running the tool by following the prompts.
10. When it reaches the final step, the tool will show the scan result containing deleted components of FBI – Your PC is Blocked and other identified virus.

Alternative Removal Procedures for FBI – Your PC is Blocked

Option 1 : Use Windows System Restore to return Windows to previous state

During an infection, FBI – Your PC is Blocked drops various files and registry entries. The threat intentionally hides system files by setting options in the registry. With these rigid changes, the best solution is to return Windows to previous working state is through System Restore.

To verify if System Restore is active on your computer, please follow the instructions below to access this feature.

Access System Restore on Windows XP, Windows Vista, and Windows 7

a) Go to Start Menu, then under 'Run' or 'Search Program and Files' field, type rstrui.
b) Then, press Enter on the keyboard to open System Restore Settings.

rstrui-win7

Open System Restore on Windows 8

a) Hover your mouse cursor to the lower left corner of the screen and wait for the Start icon to appear.
b) Right-click on the icon and select Run from the list. This will open a Run dialog box.
c) Type rstrui on the 'Open' field and click on OK to initiate the command.

rstrui-win8

If previous restore point is saved, you may proceed with Windows System Restore. Click here to see the full procedure.

Troubleshooting Guides

Did FBI – Your PC is Blocked blocks your Internet access?

It is usual that rogue program prevents user from downloading removal tools from the Internet. Thus, infected computer may be denied to access the Internet by making changes to computer's proxy, DNS, and Hosts file. To fix Internet connection problem, follow these steps:

1. Download the free program called MiniToolBox. Click the button below to begin. Save the file on your hard drive or preferably in your Desktop.

MiniToolBox

2. Close all running Internet browser and double-click on the file to run. It opens a window showing a list of features.
3. Make sure that you have a check mark on the following items : Flush DNS, Reset IE Proxy Settings, and Reset FF Proxy Settings.

MiniToolBox

4. Click on the GO button to start the process. The program automatically closes and displays a text file for your reference.

5. If the above solution does not work, you may try other method like fixing a virus-blocked Internet access. Make sure that your hosts file is free from any malicious entries. View steps in cleaning Windows host file.

Ways to Prevent FBI – Your PC is Blocked Infection

Here are some guidelines to help defend your computer from virus attack and malware activities. Being fully protected does not have to be expensive.

Install protection software to block FBI – Your PC is Blocked and other threats

Having an effective anti-malware program is the best way to guard your computer against malware and threats. Although full version of anti-malware will cost some penny to obtain, it is still worthy to buy one. With real-time scan, it will be safer for you to browse the web, download files, and do more things online.

Get Protection Software

Keep all programs up to date

It is important to download critical update for installed programs. Software updates includes patches for security flaw that may utilize by an attacker to enter the computer. This flaw may be taken advantage by FBI – Your PC is Blocked, viruses, and malware to attack the computer. Crucial programs to watch for updates are MS Windows, MS Office, Adobe Flash, Adobe Acrobat, and Java Runtime.

Activate security features of your Internet browser

SmartScreen Filter, Phishing and Malware Protection, and Block Attack Sites are the respective security features of Internet Explorer, Google Chrome, and Mozilla Firefox. Although, it may not fully guard your computer from online attack, at least it can lessen the risk. Enabling these features also helps to secure your private data and avoid identity theft.


Be a responsible Internet user

Antivirus programs and security features of Internet browser facilitates real-time protection and monitors harmful activities online. However, it tends to malfunction for some reasons. Thus, you do not have to be fully dependent on these tools. It is always best to practice safety measures when using the Internet.

Comments and Suggestions

On this area you can find Visitor's personal suggestions. We cannot control and evaluate each recommended procedure from visitors so please use it at your own risks. If your inquiry pertains to FBI – Your PC is Blocked payment refund or lost serial key, kindly check the FAQ for rogue program first.

31 Comments

  1. DC
    Jun 15, 2012 @ 01:56:30

    Hello,
    My computer got infected today, couple hours ago. I followed everything you’ve listed and was able to delete some Trojan viruses but still have the FBI page pop up. Is there something I missed? If you could help me out that would be great.

  2. Jack
    Jun 15, 2012 @ 02:24:56

    DC, have you run the windowsunlocker tool? What happened, did it detect some virus?

    My computer got something like this virus few weeks back. I just update my antivirus program and restart my computer is Safe Mode. I run a scan there and it found some Trojans. I remove them and restart the computer again. Next, I use System Restore and set the computer to load my latest restore points. That solved the problem.

  3. DC
    Jun 15, 2012 @ 02:49:53

    I did do the windowsunlocker but it didn’t seem to do much. I don’t think it really deleted anything.

    I did everything regarding the kaspersky program and was able to remove some Trojan viruses but still having a problem. Basically my windows still seems to be locked and the FBI Moneypak page keeps popping up every time I restart the computer normally. Perhaps I should try restoring my computer to a previous restart point.

  4. DC
    Jun 15, 2012 @ 03:29:11

    So my computer seems to be fine now! I actually followed what you did. I scanned for viruses in safe mode and it found something and I removed it. Restarted my computer and no pop ups or anything. So thank you for that. :) though I want to make sure everything is fine. Are there any antivirus programs you could recommend me? I’d really appreciate that.

  5. ron
    Jun 15, 2012 @ 14:43:25

    everyimte i try to run the program to run this virus blocker and it says the iso is corrupt . what am i doing wrong?

  6. ron
    Jun 15, 2012 @ 18:24:10

    I get to the part where you accept the agreement and then my computer just shuts off. What am I doing wrong?

  7. ron
    Jun 15, 2012 @ 19:10:30

    After i get this done do i still need too keep booting up from this flash drive or do i go back to normal boot up.

  8. DC
    Jun 15, 2012 @ 20:19:29

    Well after you’ve done all that we’re you able to remove any viruses? If so, you should still try booting into safe mode with networking and use an antivirus program to scan for any other viruses that we’re missed. After that try restarting your computer normally.

  9. DC
    Jun 15, 2012 @ 20:20:49

    You should still scan for viruses in safe mode even if you weren’t able to remove anything before.

  10. mary
    Jun 25, 2012 @ 23:16:38

    my moms Laptop got this today ! && all i did was restore her Computer & it took it off(:! So just restore it it should take it off !

  11. antjuanroy
    Jul 03, 2012 @ 18:45:35

    I followed these directions to a key and it worked perfectly. That stupid FBI thing is no longer on my computer. Thanks a lot. The only suggestion I have is to change Step 1 into- “put infected computer into safe mode in order to download the kaspersky files”. I’m not very computer savvy so it took me a while to figure this out. As a newbie I was wondering how to download the files when the FBI thing wouldn’t allow me to access the internet. But after that it was smooth sail very easy to follow. Thanks a lot for the post.

  12. Ronald
    Jul 04, 2012 @ 20:50:21

    I simply did a system restore, and everything seems fine.

  13. Von
    Jul 14, 2012 @ 00:43:31

    Malwarebytes worked for me. Boot into safe mode with networking, DL the free version + install it and run a quick scan option. Was back up & running in 30 minutes. Malwarebytes.org is the site.

    A Lot of sites want you to buy a service to remove this or go through these complicated steps. this seemed like the simplest route to go & it worked.

  14. Ricardo
    Jul 28, 2012 @ 23:35:08

    I got hit yesterday, went out and bought moneypak for $200 dollars. After all I was guilty of everything, and they said I’d get 12 years in prison for. But then I went to another computer because mine was blocked, and read all about the ransomware FBI scam. Luckily I didn’t use my moneypak card knowing I was guilty. That was yesterday, today I booted up and I wasn’t blocked and haven’t done anything to clean my pc yet. But from what I read yesterday, it’s only a matter of time before it surfaces. Do you think I should still clean it? I have Charter Security Suite protection, but it didn’t help me yesterday. The suite is an Fsecure anti everything product supposedly. That FBI thing scared me to death. Cured me from looking at stuff I shouldn’t. I plan on being an angel from here on out, Amen.

  15. Merbil
    Jul 30, 2012 @ 14:29:45

    Ricardo,
    Definitely, you should run a scan with Malwarebytes and other antivirus program. I heard that this virus can contact a home server and download other threats onto the computer. It may surface any time with much destructive effect.

  16. Dwayne Penning
    Jul 31, 2012 @ 00:00:47

    unable to boot from usb no os message..any feedback

  17. Cesar
    Jul 31, 2012 @ 08:37:26

    I got mines 1 hour ago and I’m scared to death mines just pops Out every time but whats weird mines doesn’t look like other snapshots of this scam idk I really need heelp A.S.A.P!

  18. Guntis
    Aug 02, 2012 @ 03:09:31

    Looks like this does not work with Windows 7, 64 bit

  19. findu
    Sep 01, 2012 @ 00:53:59

    Ook…mine said video recording has been activated and there was a window with pics from my webcam….crazy scary, then said IP adress has been blocked, I wasnt downloading anything…just surfing the Web!…has anyone else seen that page with a video message, nuts…I didnt read it….just closed it as fast as I could, I do have a teenage boy, but I doubt he did anything to cause that…im always in the room when he is online….

  20. Ruby
    Dec 05, 2012 @ 01:17:43

    @FINDU Yes, I saw that message one time and my web cam was turned on and not by me – I immediately did a hard shut down on PC – not sure If I should do more…..

  21. ed55
    Dec 27, 2012 @ 23:43:19

    Thanks for the suggestions. tried the manual method but could not find the virus files. I then did a restore and that worked. Happy now!!!

  22. ec55
    Jan 01, 2013 @ 15:06:58

    I got this thing a few months ago. Mine turned out to be “User” specific. Luckily, when I set up my computer I included a “Guest” access. I just signed on to it and ran my Norton. It took care of the problem and I haven’t been bothered since.

  23. jessejay
    Feb 05, 2013 @ 02:22:58

    This FBI ransom virus blocked my PC yesterday. I was able to remove it by following the instructions above. Right after the first scan, I see that my computer is unlocked from the FBI virus. To remove entire traces, I also run virus scan, which are not covered in the removal procedure from this page. Here’ what I have to share.

    Download and run Microsoft Safety Scanner. It found a bunch or threat after the test. It may or may not be relevant to FBI blocking virus, at least, it has removed hidden threats. You can download MS Safety Scanner here: http://www.microsoft.com/security/scanner/en-us/default.aspx

    Aside from Kaspersky, I also scan for rootkits using McAfee’s tool. This stand-alone utility manages to remove rootkits as well as complex Trojan. It did not find any virus, but some components are identified and removed from my computer. Get RootkitRemover from McAfee’s web site: http://www.mcafee.com/us/downloads/free-tools/rootkitremover.aspx

    Lastly, I did online virus scan using Avast free interface. I used it to scan some files under my UserProfile folder. It turns out that these files are harmful. Start scanning your PC with Avast Online Scanner here: http://onlinescan.avast.com/

  24. Joe M.
    Feb 14, 2013 @ 21:49:40

    My compter was blocked with the FBI logo, I powered down the computer, powered up press the F1 key, slected F8 in SAFE MODE, slected Logon with network, went to START typed system restore, ran restore with last check point. System restored to last picture. Restarted windows, after windows came up OK , restarted system again in SAFE MODE. ran Microsoft Essentials full scan runs faster in this mode. Cleaned up any virus found. Restrated Windows in normal mode.
    Created a new check point with system clean.

  25. Rocket Scientist
    Apr 28, 2013 @ 15:34:03

    I got hit with this Virus last night I opened a SPAM email with a porn sight attached I clicked the link and the FBI money pack blocked my system. I have Panda anti virus it does not work. What should I do before my wife comes home from vacation. I have Windows 7

  26. mat
    May 12, 2013 @ 22:33:20

    .I received the FBI message and I tried to restart my computer and when I do safe mode it seems like it’s starting up but then I get a white screen and after a couple of minutes I get the FBI symbol againwhat can I do to get this FBI message of my computer

  27. Kolby
    Jul 09, 2013 @ 23:03:14

    So this popped up on my computer earlier today and I went through your steps and restarted my computer in safe mode, however this stupid virus still pops up in safe mode? What am I doing wrong???

  28. antitroj
    Jul 11, 2013 @ 00:00:36

    @Kolby, in that case you should make the Kaspersky Rescue Disc from another computer. Boot from the USB to bypass the virus actions on Windows. Rescue Disc runs on Linux so there’s no way that FBI virus can interfere with. Once you boot the computer using the USB, run a full scan.

  29. Lucas
    Aug 29, 2013 @ 12:16:09

    My computer just got infected last night. I got to the safe mode part, but then the pop up came up in safe mode! I don’t know what to do, because i cant do anything with my computer now. I’m having to use another to get to this web page. Can someone please help me?

  30. morfo
    Aug 31, 2013 @ 19:36:58

    hi i the same problem but block ask me i need to respond 3 survey to unlock it but i bypass this with task manager and then apper a small window saying IE7 clone fail and thats all but everytime i start the laptop appears again

  31. greasemonkey
    Jan 26, 2014 @ 11:52:22

    i did the system restore and it worked thank you so much this was a big help

Leave a Reply

*

Disclaimer:
Read our article disclaimer about FBI – Your PC is Blocked.

privacy policy