Remove Latest FBI MoneyPak Virus Despite Safe Mode Forced Restart

Posted February 14, 2013 by Aaron St. Clair in Windows spyware

FBI MoneyPak Virus

The FBI MoneyPak virus has been around for a while now and has had one of the highest infection rates to date. When it originally hit computers around the world, removal of the virus was very simple through safe mode. Although the latest version of FBI MoneyPak forces reboot when in safe mode, following these steps will clear your system of the malware.

The FBI MoneyPak virus is famous for scaring users into believing they have been accused of watching illegal content online.

Attention: Your computer has been locked. Your PC is blocked due to at least one of the reasons specified below…

The original virus would infect the ctfmon.exe system file which is often executed as a startup program. The original fix was to simply boot the computer into safe mode and remove ctfmon from the startup programs, then the computer could be booted and scanned for viruses. FBI MoneyPak 2.0 (as I call it) has hit the streets and now forces your computer to restart upon booting into safe mode. Originally I thought the only fix would be to hook the hard drive up to a different machine to perform the removal. However, I have managed to trick the virus once again and through these directions you can remove the virus safely.


This technique has worked for many users. I have not personally come across a version of this virus that kicks me out of all 3 safe modes. However, for some mutations of the virus, a few users are still having issues.

If this process does not work for you, do not fret! There is an alternative method that will work, but it’s more complicated. “Remove the FBI MoneyPak Virus Using Hiren’s BootCD” is an alternative that works even if this article does not. So try the steps below. If they are unsuccessful, then move on to using the BootCD.

Steps for virus removal

1. Though the new FBI MoneyPak virus shuts down safe mode, it cannot shut down “Safe Mode with Command Prompt” as no programs can be started on startup with this option. Booting into “Safe Mode with Command Prompt” can be different per system, but the most common method is to tap the F8 key repeatedly as soon as you power your computer on. You may hear beeping or see “Keyboard Failure” displayed on the screen, but pay no mind to these warnings. Your computer should never make it to the boot screen for Windows, but should display a screen with options including “Safe Mode”, “Safe Mode with Networking”, “Safe Mode with Command Prompt”, “Repair your Computer”, etc. You need to select the “Safe Mode with Command Prompt” option and then hit the Enter key. This will boot the computer with minimal drivers, and no startup programs will run except cmd.exe.

2. In order to run the appropriate files needed, you may first need to know how to navigate around the command prompt. (NOTE: Many systems default to the appropriate WINDOWS\System32 directory, but I have seen a few that do not. I’ve yet to determine what causes this default directory not to be loaded, so if yours isn’t in the directory, read on.) The directory you need to browse to is C:\WINDOWS\System32. If you do not see this file path displayed in the command prompt then you will need to manually change to that directory. To do so, type “cd ..” until you only see “C:\>” displayed as the current file path. The “cd” command is “Change Directory” and the “..” means go up one directory. Once you’re at “C:\>” you need to change directory down, into Windows, and then into System32. To do so, type “cd WINDOWS”, and then “cd System32”. You should now see “C:\WINDOWS\System32>” displayed as your current directory.

3. The file you need to run is “control.exe” which will launch the Control Panel. To do so, simply type “control.exe” and hit enter. It may take a few seconds to initiate the Control Panel, as GUI based applications generally are not started from this Command Prompt view. Once the Control Panel is open, navigate to User Accounts.

4. The overall objective is to create a new temporary user account to perform the virus removal. In the User Accounts window, click Manage Another User or Create New User. One of these two should give you an option to set up a new user account. The new user MUST be set to an Administrator. Once you have created the user account, ensure that it shows up in User Accounts before closing the window. Once you’ve done all this and verified that the account showed up in User Accounts, you can restart your computer. This time do not tap F8; instead, let the computer boot as it normally would.

5. If your computer boots directly into your user account by default, you may find yourself stuck again at the FBI MoneyPak screen. The objective is to log into the other user account, and the virus allows this, but it can be tricky to do. If you are presented with a window where you can select the new user account that you made then skip to step 6. There are two ways to get back to the login screen while at the MoneyPak screen. On all Windows platforms the key combination winkey+L will send you to the login screen. The Winkey button is the one between Ctrl and Alt keys. If you’re running Windows Vista/7/8 then you have an alternate path. Pressing Ctrl+Alt+Delete should present you with the Windows Lock Screen with the option to Switch User. Clicking Switch User should bring you to the Login screen.

6. Log into the new user account that you created in Safe Mode. You will probably see a couple of screens helping you set up your new user account. After that you will be presented with a clean desktop and be able to browse around and use the computer as a new user. This account is just temporary, so do not worry if it does not appear as your normal desktop. Open a web browser and download Malwarebytes Anti-Malware. The software is excellent and you should consider purchasing it. The free version, however, will remove the virus. Download and install the program. Once it has finished installing it may need to restart the PC. After the restart you may have to repeat step 5 again to get back to your new temporary user account.

7. After you enter your temporary account after the reboot, run Malwarebytes and allow it to check for updates. If it does not do so automatically, click the Update tab in the user interface and then the Check for Updates button. Now, go back to the Scanner tab and click Perform Full Scan. Quick Scan usually removes the current version of the MoneyPak virus, but it is always better to be safe than sorry with the full scan. The scan can take anywhere from 10 minutes to 5 hours depending on the speed of your system’s hardware. Once the scan is complete, you must click the Show Results button in the lower right-hand corner of Malwarebytes. This will bring you to a new screen with a list of all infections found. Check the check box to the left of every item in the list, then click Remove Selected. You will be prompted to restart your computer. The infected files will not be removed until you restart.

8. Once the computer boots back up, your regular user account should be in proper working order. You can now go back to Control Panel then User Accounts and remove the temporary user account created.


About Aaron St. Clair

Aaron St. Clair is a tech guru studying Computer Science at Appalachian State University in Boone, North Carolina. When he's not tinkering with new gadgets, modding systems, or slaving away at the mercy of the Tech-Recipe overlords, you can find him exploring the high country.

The Conversation


  • franciscovj

    A few notes to add:

    1. On step 6 you want to log in as Safe Mode With Networking, not just Safe Mode. Something obvious for people in IT but not for the average user.

    2. Installing programs in Safe Mode does not work by default so you either enable it on below link or save the file and restart in regular mode and install it:

    • Safe Mode and Safe Mode with Networking are both forced to shut down with the latest MoneyPak, so neither work. That’s why I’m using the Command Prompt version. Also, the instructions say to install the program after a normal boot into the new user account, so installing in safe mode shouldn’t be an issue! Thanks for the input! I’ve learned something new too. Did not know there was a way to keep installations in safe mode.

      • Ftg

        My computer is shutting down in every type of safe mode. Is there another way of removing the virus?

      • Tye McLoche

        > The MoneyPak virus that I have will not even allow me to start it in Safe Mode with Command Prompt. As soon as it gets to the Command Prompt, it is shutting down my computer and restarting. What is the next step? Boot from disk in MS Dos?

        • Keegan

          We at my tech company have just run into two clients’ computers that have this variant on them. No safe mode at all.

        • Jason

          My friend’s computer also will not even allow you to use Safe Mode Command prompt.

          • Lisa

            > thank you… thank you… thank you… thank you… thank you…

        • Chris

          > The same is happening to my computer. Is there any way to fix it or do I need to bring it in some where?

      • Norma

        Thank you so much Aaron! None of the other safe mode instructions worked until I found your instructions with the command prompt. You are a genius! Thanks again!

      • Brian Barnes

        Hi Aaron, been fighting Spyware, Malware, Greyware, & Adware from the beginning of its inception. I have always been able to fight back and beat the bad guys. Although there are several new FBI Warning Variants in the wild now that has mutated into new FBI Warning Strains. Safe Mode does not work at all and if you even try any of the Safe Mode methods the computer will “BLUE SCREEN” of Death on you which forces you back into Normal Mode.

        I am currently working on one of my new tools that will Boot into Linux off a Flash Drive where I will then run my virus fighting attack tools to take out & kill the FBI Virus. A new thing I have noticed the virus doing is creating common program executable files under the main User Account Profile, like googleupdate.exe or skype.exe, or chrome.exe. Some type of common program .exe file that you might otherwise overlook but it doesn’t belong there in the first place. So these are just a few things I have noticed and picked up about the new FBI Warning Virus strain.
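
The observation in the comment above (executables named googleupdate.exe, skype.exe or chrome.exe appearing under the user profile) can be turned into a quick offline triage check, for instance against a drive attached to another machine. This is an added example, not code from the article or the commenter; the expected vendor folders, the inclusion of ctfmon.exe (the startup program the article names) and the sample tree are assumptions.

```python
"""Offline triage for a Windows user profile, e.g. on a drive mounted from
another machine or a live CD. Flags well-known program names in odd places."""
import os
import sys
import tempfile

# Names quoted in the comment above, plus ctfmon.exe, the startup program the
# article names for the original variant.
WATCHLIST = {"googleupdate.exe", "skype.exe", "chrome.exe", "ctfmon.exe"}

# ASSUMPTION: folder runs under which a per-user install of these programs
# normally sits. A hit outside them is a lead to inspect, not proof.
EXPECTED_PARENTS = {
    "chrome.exe": ("google", "chrome", "application"),
    "googleupdate.exe": ("google", "update"),
}


def _contains_run(parts, run):
    """True if the sequence `run` appears contiguously inside `parts`."""
    n = len(run)
    return any(tuple(parts[i:i + n]) == run for i in range(len(parts) - n + 1))


def find_misplaced(profile_root):
    """Return sorted (relative_path, in_startup_folder) for watchlisted names
    found outside their expected vendor folder."""
    findings = []
    for dirpath, _dirs, files in os.walk(profile_root):
        rel_dir = os.path.relpath(dirpath, profile_root)
        rel_parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        lowered = [p.lower() for p in rel_parts]
        for fname in files:
            name = fname.lower()  # NTFS names are case-insensitive
            if name not in WATCHLIST:
                continue
            expected = EXPECTED_PARENTS.get(name)
            if expected and _contains_run(lowered, expected):
                continue  # sits where a per-user install would put it
            in_startup = bool(lowered) and lowered[-1] == "startup"
            findings.append(("/".join(rel_parts + [fname]), in_startup))
    return sorted(findings)


def build_sample_profile(root):
    """Create a CONSTRUCTED profile tree with placeholder files for the demo."""
    sample = [
        "chrome.exe",
        "AppData/Local/Google/Chrome/Application/chrome.exe",
        "AppData/Local/Google/Update/GoogleUpdate.exe",
        "AppData/Roaming/skype.exe",
        "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/ctfmon.exe",
        "Documents/notes.txt",
    ]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python triage.py /path/to/mounted/Users/<name>
        hits = find_misplaced(sys.argv[1])
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_profile(tmp)
            hits = find_misplaced(tmp)
    for rel, in_startup in hits:
        print(("AUTOSTART " if in_startup else "          ") + rel)
```

Anything it lists still needs a proper scan; a file in an expected folder is not thereby proven clean.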

      • Fred

        > After creating the new user, and deleting the virus, I went back to the original user prompt and was directed back to the command prompt page (C:/windows/system 32). I exited that page, and am now on a completely blank black page where nothing happens. The cursor doesn’t appear, and nothing can be done.
        If I use win-l, I am directed back to the login page where both account logos appear, and I am able to use the new login identity. If I use the original identity, I get the black page.
        Any ideas?

        • Marvin

          I had/have the same problem after virus removal, my new account works but I get the black screen in my original account. To get around it I now have to manually run explorer by typing explorer.exe into the command prompt window every time I restart my computer.
          Hope the same works for you,

    • Scottie

      > I just restarted my computer and it went away. Is it really gone?

  • Brent Marvich

    You can skip all the way to step 6 if you have already created a “back door” account. Something I do on all my system builds, among other things…

    I can not count the times I needed to log into a computer and the administrator account/ user account was corrupt/disabled or password was changed.

    This can be done with a simple batch file to save even more time…


    ECHO This will create the user backdoor with password backdoor!


    NET LOCALGROUP "Administrators" backdoor /ADD

    NET LOCALGROUP "Users" backdoor /DELETE

    WMIC USERACCOUNT WHERE "Name='backdoor'" SET PasswordExpires=FALSE


    Rename the text file as a .bat file instead of .txt and run it from the command prompt.

    Now this virus is nasty and I have seen a few different versions of it with varying complexities. Most of them have a rootkit associated with them which if not removed completely will come back. After running MalwareBytes Anti-malware and then logging in as your normal account, you should run MalwareBytes Anti-rootkit just to be safe.

    • Hung Tran

      > Your instruction works fine. Thank you

    • Wendy

      > I can not work in safe mode neither can I create another account. What options do I have?

    • Rick


      I think, it is safer to create an ISO boot Disk; then add any “boot.bat” commands

      Then, download and create an ISO image on a SAFE COMPUTER is more likely a REAL ANSWER…

      to many simple minds, including mine

      Thank you!

    • the truth

      another way that works log on admin account Ctrl alt del log on user account Ctrl alt del log off screen may pop up wait while programs close the virus screen will go away cancel log off run hitman pro and malwarebytes virus gone and easily so good luck

  • xanjabu

    Or in the case of Vista/7 (not sure about 8 as not used it yet) you don’t need to create a new account, just enable the disabled Administrator account.

    At command prompt type net user administrator /active:yes

    Reboot and login.

    Once removed, go back to your ordinary account and bring up command prompt and shut down the administrator account (until next time…)

    net user administrator /active:no

    Thanks for the article 🙂

  • Ray

    Thank you so much!!!

    • Kevin

      > Ditto that. Thanks!

  • natalie

    I just wanted to say THANK YOU so much!!! These instructions got the virus off my computer and saved me a lot of money! I appreciate it!!!

  • Jacob

    THANK YOU SO MUCH!!! I cant thank you enough!!! You have saved my computer…

  • frank

    Such a great help!
    Easy to follow and execute!!
    Virus is gone!!!

  • andraz

    thank you for the solution with command prompt, it works great with new versions of the scam

    when you start control.exe, you can also activate a restore point.

  • Thanks, I followed your great instructions and got back up & running! GREAT WORK!

    • I’m glad everyone has been able to remove this virus successfully! It took me a little while to dig through the CMD and different safe modes until I found a solution… Didn’t see the need for others to endure the same torment! Hopefully this has saved somebody from falling for the scam!

      • Beth

        I’m having the same problem, but when I try to open the control it tells me I don’t have permission. Any other way around it?

  • Justin W

    Thank you for being a saint, this virus is disturbing. Scanning with Malware Bytes, hasn’t found it yet and it’s been through 50000 files. What if it doesn’t find it?

    • Ensure that you told it to do a Full Scan and not just a Quick Scan or Flash Scan. I’ve seen MBAM scan 600,000+ files before finding anything infected… Had to leave a customer’s house and return the next day to finish! The amount of files it scans really just depends on the programs you’re running on your computer and the amount of data you have as well. If you do work with taxes, AutoCAD, Adobe, etc. then you’ll be in the upwards of 200k before it finishes its scan. The /winsxs directory has about 50k files MBAM scans in that folder alone… So just sit tight and wait it out!

      Also, did you allow MBAM to Update before starting the scan? To make sure, click the Update tab at the top if the scan fails to find anything. Let it download the newest virus definitions then run the scan again.

      If you do manage to get through the virus scan and MBAM doesn’t find the infection, try running Trend Micro’s Housecall, Kaspersky’s TDSSKiller and your regular anti-virus scanner. All of those scans should find the FBI virus, but MBAM is my ole’ reliable when it comes to virus removal.

  • Happy user

    Thank you so much for helping me I was so scared I thought I did something wrong man you rock

  • Shannon

    Thank you very much for the detailed step by step instructions to remove that nasty FBI green dot virus.
    Furthermore your instructions for removal were very simple to understand. Most of all it worked!!!!

    THANK YOU!!!!

  • wes

    Article helped me to solve problem. Thank you very much! Nice work!

  • Karl Drumm

    Hello Aaron,
    I read your instruction on how to remove a virus from my computer but I am NOT sure if it will take care of the problem I have. See I don’t really know if my machine is really infested by a virus since I do not have any problems with reading and writing e-mails. However I do have a problem with downloading adobe flash, adobe player and other programs like running Spydoctor, malwarebytes even with AVG removed.
    You see every time I try to download I will receive a security warning message and cannot get any further which means I have to cancel or if I try to go ahead another window will open and ask me if I am really sure to continue.
    If I move the first window out of the way there is another window behind it where it shows a file moving from one folder to the next. There is no information on the page where the files are changing folders.
    One other problem is occurring that after it says that download was completed that I will not receive the “INSTALL” prompt therefore I cannot install and run any programs at all.
    Some icon which I click on on my desktop will open and I can do my work others will not work. All other symptoms which would indicate a virus like slow computer, pop-up, screen changes etc are not happening.
    I tried to run this in SAFE MODE and the machine acts the same way. I really don’t know what to do except clean the hard drive and start all over. I am completely lost in the world of computerspace. Can you please help me by answering my letter.
    I would appreciate if you would be so kind. This way I could learn something from you.

    Thanks Karl

    • The fact that some programs function normally, but others do not, definitely sounds like a virus. What exactly happens when you try to run MalwareBytes? I think your first step to cleaning your computer will be to download and run rkill from Bleeping Computer. If you’re not able to download it from your computer, try doing it from work or a friend’s computer. Rkill should stop any malicious processes that are running and preventing you from running programs. After running Rkill, reattempt to run Malwarebytes. Make sure you update the virus definitions before performing a full scan.

  • Lithus

    It’s great to see that despite the bad people and losers who prey on ppl
    It’s great to see someone posting helpful stuff like this to fight back.
    Hackers are the lowest form of life, a cancer diagnosis would be too good for them…

    • Heh, the moneypack virus isn’t really from hackers. It’s simply a social engineering scam.

  • Needhelp

    I tried to get into safe mode with command prompt but then it froze… maybe I was impatient but I held the power button for a hard shut down… now, I am unable to enter any safe mode… the only options available are startup repair and start windows normally… the safe mode options have not returned… help

    • Hard resetting your PC while it’s booting can cause this looping cycle to occur. You need to tell it to start normally and let it boot up as if it isn’t infected. Then, once you have the moneypack virus on the screen after a full boot, push the power button once. Don’t long-press until it shuts down. Pressing it once makes Windows go through its regular shut down sequence and should keep you from getting the startup repair screen. As for no safe mode options, are you sure you’re pressing the correct Function key (usually F8)? The Safe Mode bootscreen should take priority over the startup repair screen you’re getting if you’re pressing the correct function key.


        Hi, Aaron!

        The FBI virus is in my laptop; a Pavillion HP, Windows XP. The F8 key works but when whatever I choose it makes a cycle ending again to the same screen. Any suggestions?

        Thanks in advance,


  • CAC1031

    Thank you! I looked at various methods posted on the internet to remove this thing without being able to get into safe mode and yours was the simplest, clearest method. At first I thought it wasn’t going to work as it never gave me a command prompt and eventually skipped to the login screen. But it worked on the second try. Thanks again.

  • Dave

    Thank you!! I spent hours on other forums with their “solutions”…Your solution was quick and easy. Great instructions.

  • Arjun

    Thank you so much. Your instruction worked wonders. Did not take me more than 20 mins to get rid of the malware. Keep up the good work and thank you soooooooooooooooooooooooooooooooooooo very much.

  • tascha

    You rock and saved my computer. Your directions were so easy to follow. Thank you thank you

  • Thank you very much for these straightforward and easy instructions. I was able to remove this virus without losing any of my documents.

  • Jeff McKeever

    I hope this works!

    • So far it has worked for everyone! I just removed another case of this virus yesterday following these instructions to the T and all went smoothly!

  • Jeff McKeever

    When I followed your instructions and got to safe mode and typed in the control.exe command I got the following window: “Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access them.” The only option is “OK”. Not sure it’s important but at the top of the window there was this: “{26EE0668-A00A-44D7-9371-BEB064C98683}”. Any thoughts on how I should proceed?

  • George Miller

    Thank you very much, it worked

  • thanks

    THANK YOU!!!!!

  • Rocky

    Well, I think it has become bigger and better yet again. I have tried all of the suggestions to get into safe mode with Command Prompt… But no matter what I do, the FBI screen is there telling me to get out of safe mode and log onto the Internet. I saw the post about not hard booting and let the computer shutdown properly and then try safe mode with command prompt but it still won’t let me. I have tried all of the safe modes, I get the virus and won’t let me do anything. Please help! I see you were able to work your magic a few days ago… So I’m hoping there is still hope for me!

    • If you can’t get past it in any of the safe-modes, then you may can try using your system restore disk, and instead of telling it to install windows, choose Repair. There’s a repair option to run a Command Prompt. I’m not sure how functional that command prompt will be though… but you’re still not out of luck if that doesn’t work. The virus CAN be removed! But, if you cannot bypass it somehow on the actual machine it’s on, the hard drive will need to be removed and simply scanned using MalwareBytes on another computer.

      • Rocky

        Thanks for the quick response! To give you more info, I do not have administrator privileges on this laptop myself, so when it comes to doing a recovery or system restore, I don’t have a disk. So it looks like I’m down to removing the HD from this laptop and connecting it as a slave to another computer…. Or sending it in to my IT team except then all my files will be gone!

        • If you have an IT team then I’m sure somebody there knows how to copy files from one drive to another. If you put the drive from the computer in an external enclosure it really just functions like a flash drive. But, there really isn’t a need to lose any files to remove the virus. Simply plug the drive in and point MalwareBytes to the removal disk directory instead of C.

  • Matt

    I got a version of this virus and removed it simply by holding f8 during startup, selecting “repair your computer” and selecting a restore point. Don’t know how many versions of the virus this works on, but I would recommend trying this first before going through all the steps the article describes (unless reverting to a restore point would uninstall a program you for whatever reason cannot easily re-install). Using a restore point does not delete any of your personal data (e.g. documents)- at least on Windows 7.

    • This is a viable solution to get past the screen popping up, but, as you stated, System Restore only restores system files and settings. The System Restore will remove the virus from the startup procedures, but it does not remove the malicious files from the machine. MalwareBytes would still be necessary to ensure you don’t become re-infected. This procedure is quicker than a system restore for many systems, especially older machines.

  • jack

    thank you for this; i was at my wit’s end but this worked like a charm!

  • al

    my computer got infected yesterday! 1st time was about six months ago. I fixed that using safe mode then scanned w/malwarebytes. this time: safe mode, safe mode w/networking and /command prompt all got error messages and have option to start windows regularly. It will reboot normally, i can have access for a lil bit while it’s loading then the moneypak screen lock kicks in. I do not have access to ‘admin’ login. Waiting for my lil brother… any suggestion…im not up to date w/all the computer stuffs…was pretty good at it 25 yrs ago! thanks

    • Sorry for the delayed response. The only time I’ve ever personally seen all 3 versions of safe mode not work is when the Operating System had actually been corrupted and system files were not working properly. Yes, this can be caused by a virus, but the FBI MoneyPack, to my knowledge, does not alter any system files other than the startup procedures. Your issue may be deeper than the FBI MoneyPack virus. In lieu of having to totally wipe/reload, try using the Hiren’s BootCD method that’s been added to the article.

  • GSH

    This did not work. I went into Safe Mode with command prompt and the regular desktop with the icons for each user came up. I entered into the administrator user and the computer logged off, shut down and restarted again. I’m using Windows 7

    • Did you enter into the user labeled “Administrator”? Or a user that has Administrator privileges? In any case, try using the Hiren’s BootCD method that’s been added to the article.

  • GSH

    When I go into Command Prompt, everything starts with “X:\” instead of “C:\” Tried the cd .. and it wouldn’t change that part. It started with X:\windows\system32> and I was able to change the directory, but only down to “X:\>” and then it could not find the “control.exe” when I typed it in. Said it is not recognized as an internal or external command operable program or batch file.

    • It seems like your primary hard drive is the X:/ drive instead of the C:/ drive. You should be able to follow the tutorial exactly, just replace every instance of C:/ with X:/. You said your default starting point was X:/WINDOWS/System32, which is where you need to be. So, as soon as your command prompt comes up you should be able to type control.exe without getting that error message!

  • mike

    Vista laptop, moneypak virus. ALL safe modes are dead, including command prompt. What do I need to try? Thanks.

  • Hmm. It seems like there is a newer version than when I published this. Multiple people have had an issue of all 3 safe mode’s being disabled. If all of your safe modes do not work, then you’re still not completely out of luck. There are two possible solutions from here:

    1. You can remove your hard drive from the computer and scan it with another computer… I understand this is a scary topic for many and it should only be done if you’re comfortable with your computer’s guts.

    2. For the less tech-savvy, the hard drive in your computer isn’t the only drive that your computer can “boot” into (i.e. load up Windows when you turn your computer on). Your computer can boot to a disk in the disk drive, it can boot to a flash drive, and there are other possibilities as well. This fix will involve booting to your disk drive. Download and burn Hiren’s BootCD from a work or friend’s computer. Hiren is downloaded as a .zip file and must be extracted to find the file to burn. Turn your computer on and put Hiren’s in the disk drive. Power your computer off, then back on. This time, look for something that says “F10 Boot Menu” or “Boot Menu F12”. The Boot Menu hotkey is different on many systems. If you cannot find anything telling you what key it is, you can try tapping F2, F8, F10, F12, or Del when you start your computer. One of these hotkeys should bring you to the Boot Menu when you tap it repeatedly as the computer starts. From here you can select your Disk Drive as the boot drive. This will load you into the Linux distro on Hiren’s. From here, you can update and run MalwareBytes on your C:/ drive.

    I plan to update the main tutorial soon with more detail instructions with screenshots, but finals week has me bogged down at the moment.

  • Trish

    I am so happy I found this article…you saved me from this virus!! Thank you!!

  • liam parker

    Luckily i had already made another account because this white screener keeps telling im using special characters when trying to create a new account! so they must have updated it yet again, this time to stop you creating a new account.

    • I haven’t seen the virus stop anyone else from creating a new account. You may be having other issues such as a faulty keyboard. Try using your on-screen keyboard. In XP, it’s located in All Programs > Accessories > Accessibility > On-Screen Keyboard. In anything newer, you should be able to type “keyboard” into the start menu and Windows will pop it up for you.

  • Ram

    Thanks a lot. It was enormously helpful. However, I went to restore by typing in command prompt and my system was restored without any problem. Worked perfect.

  • Steve

    I lucked out on this I opened task manager which still worked and for some reason my computer opened. Started malwarebytes. I searched through program data and found something called display switch exe which malwarebytes found shortly after and deleted

  • vernon m.

    This guy knows what he is talking about…..i had the moneypak virus a few times before and I was able to get rid of it….i am a technology guy and I didn’t know what to do this time after all of my procedures failed….i tried this procedure….pretty slick by using the cmd line to create another user acct!

  • Phil

    Thaaaaaank you soooooo much!

  • Michael

    I did all the above steps and after full scan there were three files that shows infected my computer and it was removed and I restarted the computer. when I log in back to my account the FBI virus is still there. what is going on

    • Is the user account that is infected an Administrator account? Standard Users may have issues removing files from Program Data and Application Data. Make sure the user account you created is an administrator.

  • Randy

    My friend got this virus and asked me for help the problem is it used a password to block access to the boot menu is there a way to get around this?

    • I’m pretty sure this virus has not magically modified your BIOS. The password screen you are being presented with is most likely a BIOS password put on by some network administrator. Is this PC a school PC or work laptop?

  • Nick St.Clair

    Control panel won’t come up to make a new user (step 3) it puts up the moneypak screen and won’t let me do anything. Any suggestions?

    • This may be a rhetorical question, but are you sure you’ve booted into Safe Mode? Instead of running “control.exe” try running “explorer.exe”. You may be prompted with a warning saying the Safe Mode with CMD is not meant to use GUI interface like explorer.exe, but ignore that. You should then be able to use your Start menu and access the Control Panel through it.

  • Z

    I got all the way to step 6, but when I log in as the newly created user, I get a blank screen, when I do it in safe mode I get the moneypak screen….any suggestions???

    • Are you sure you created the new user account as an administrator?

  • Freda

    I tried so many tutorials. I was told to pay big $$$ to fix this. I was so bummed out. Thank you!!!
    You are brilliant, seriously

  • Ted Falkowski

    control.exe not recognized in directory using Windows 8.

    Please send me instructions using a Dell laptop Windows 8 operating system.

    Thank you.

  • Marek

    When I try to use cmd prompt, my regular user account password does not work. When I use safe mode with networking it does, but the FBI screen blocks everything… stuck

  • Rick

    On an XP x64 machine, I have picked up a variant of this virus that does not allow any of the Safe Modes to run, including Safe Mode with Command Prompt.

  • Robert Klein

    I tried all safe mode choices and none of them will launch. I also tried to use Hitman Pro Kickstart and it will start but will not connect to the internet. I have removed FBI MoneyPak on several computers, but this one is different. Unless there is something corrupt with safe mode features on this machine. The new MoneyPak will not allow this computer to boot to safe mode with command prompt. So there is no way to create a second user account to log into. Any other ideas?

  • cjmshadow89

    The moneypak has evolved. I use Windows Vista Business. When I start in safe mode with cmd it takes me to the login screen. I log in as administrator and it restarts. Are there any new updates to this fix? Thank you.

  • Dennis

    Thanks very much! ! !

  • Jesse

    Aaron – I wish I could buy you a beer. This just saved me as well.

  • mw27630

    I have this virus and tried the command prompt, but it still took me to the virus screen. There’s an error box that appears and says ‘please come out of safe mode and connect to the internet’. I’ve tried almost everything, and nothing seems to work.

  • Devin

    when i go on safe mode it just says please wait. i tried all of them but it just says please wait, i really want to get this fixed please help

  • Devin

    my safe mode wont finish loading please help me

  • Alex

    This is a Godsend! Thanks for sharing your tech savvy!

  • Sid Frasier

    Unfortunately, the process you described has now been blocked by the process that shuts down Windows on error even in Boot to Command Prompt. You cannot disable this feature within the BIOS. The only workaround I’ve found is a secondary boot that is clean or installing the drive in a second computer!

  • Help

    I selected Safe mode with command prompt and it still forced a reboot on me! Please help

    • Try using the Hiren’s BootCD method that’s been added to the article.

  • Dana

    None of this is working for me. Whenever I try safe mode, it just reboots all over again. Please help

  • gino

    You are the best man !!!!!!!!!!!!!!!
    I tried everything and your guidelines helped me!

  • bl

    The latest FBI virus can auto shut down “safe mode”, “safe mode with network” and “safe mode with command prompt” as of 5/14/2013. How can I do that?

  • need help!!!!

    I tried everything from rebooting my computer and tapping the F8 button, which wouldn’t allow me to get to the safe mode screen, and also trying to go through the steps from your article. I already have another account that doesn’t have the virus on that side but it still won’t allow me to get rid of the virus for the other account even when I use malwareantivirus and pc tuneup. The live advisors tell me that I need to get a Microsoft tech to clean up the computer but it is kind of pricey. Any suggestions?

    • You do not need a Microsoft tech. Any technician should be able to clean this for you if you are not able to yourself. The ideal way to remove it is just pull the HDD and hook it up to a clean PC, and scan it from the clean PC. But, for you, try using the Hiren’s BootCD method that’s been added to the article.

  • Pat

    I was infected last night and as of 5/14 it blocks all safe mode choices; any ideas on how to get past that?

  • Norm

    After probably 8 hours of trying to get rid of this thing, your directions provided the cure.
    I was not able to boot into safe mode or safe mode with networking. Only safe mode with
    command prompt. Numerous attempts to run AVG antivirus and Malwarebytes scans did not work.
    I was just about ready to re-install Windows 7 when I found your instructions.
    Thanks a lot and may the people who contrived this pos burn in hell.

  • Shequette Thompson

    1. “Safe Mode with Command Prompt” option and then hit the Enter key.
    After I get to this step my laptop loads WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
    WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
    WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
    WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
    WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
    WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
    WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
    WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx
    WINDOWS/System32/ directoryxxxxxxxxxxxxxxxxxxx

    All down the page and then it tells me to please wait and then it restarts Windows.
    Let me add that the virus (or scum bags) have changed my user name so I can not do any of the steps you told me to do. Please help, I have class and do not need to fall behind.

    • I’ve never seen this virus change a username. The WINDOWS/System32/directoryxxxxxxxxxxxxxxxxxxx text that floods the screen is normal. It’s showing you the system files that are actually being loaded. If you’re being forced to restart still, try using the Hiren’s BootCD method that’s been added to the article.

  • james

    Hi, my computer has been infected and even when I tried to run under safe mode with command prompt, once I was in the safe mode and typed in the user password, the computer automatically went into auto shutdown. It seems like the virus creator has outsmarted the system. I am stuck now =(

  • Attaboy

    Thank you so much sir. You are a gentleman and a scholar

  • Nanar

    there is a newer version of the virus, which shuts down even safe mode with command prompt, which is my case

  • Cynthia

    I thank you so much!!!! My safemode took me right into the virus and I did not know what to do. I had a back door account already and did not know I could use it until I read your article. This was so helpful. God bless you!

  • Cynthia

    Thanks so much!!! You really helped me a great deal. I tried safe mode but it took me directly in instead of a prompt. I already had a back door account thank goodness and was able to use it and do a scan. Even a quick scan worked. I was able to go back and get into my original account finally. Thanks again you smart person you!!!

  • cristo

    this method no longer works. i have windows 7 and it would not go into safe with command prompt.
    i took a rescue disk and restarted, f8, repair, chose system restore option and picked the last restore date.
    it said “an unspecified error occured during system restore. (0x8000ffff)”
    even if i somehow get back onto my computer, i’ll still reformat it.
    i’m having a hard time believing we don’t know where this virus comes from and where the payments go.
    wouldn’t it just be easier to take out the hackers with a few 50 cent bullets from a few hundred yards than for them to subject the world to this crap? all we need to know is who and where they are

  • cristo

    after the botched restore with error using the disk, i was then able to access safe mode with command prompt and carry out the rest. when i logged on, i got a message that restore was successful and my documents were not affected. my wallpaper is different and desktop icons from the other account are different under the other admin account and forgot whether that was normal. when i log back in under the other account i’ll see. you just need to update this article to reflect that safe with command prompt no longer is possible with the newest version of the virus.

  • mark

    I have managed to get rid of the malware by doing as you said and setting up a new user, but I still can’t log in using my usual login, it’s just a black screen with the prompt c:\windows\system32)

    Can you help.

    • I

      > I got the virus yesterday. Somehow pressing F8, F10 or F12 wouldn’t get me anywhere but the Windows Boot Manager giving me a choice of Windows 7 (I have Windows XP) or Diagnostics. Selecting Windows 7 starts XP and doesn’t go anywhere. I’ve tried everything including Ctl Alt Del as well as hard powering off while XP is starting. I have the XP disk…should I try rebooting from it? Then what? Please help as I need my computer badly and Microsoft Support charges money I don’t have.

      • What is your computer model number? I would need to look up your motherboard to determine what your Function key would be.

    • It sounds like you’re still booting into safe mode. Make sure you do a normal boot.

  • Ronald Norman

    I have tried what you said to do and I was able to get into the control panel and change the user. Every time I go into safe mode I still cannot get into the new user I created. I tried it in safe mode and safe mode with networking, same thing.

    I have the FBI Ransom Virus and running Windows 7. I know only some of the command lines and only did one or two patch file years ago. Could you please get me some better options?

    I am not sure when you wrote this article but today is May 19, 2013 and I need some help.

    Ronald Norman

    • So you have already created a new user in Safe Mode? Once you have created the new user, you are done with safe mode. You should do a normal boot and then select the newly created user once you’re presented with the User screen at startup.

  • vinnie prado

    Dude, that was awesome, the only problem I found was that after I did all that you said, every time I logged in I would see the command prompt and no desktop at all. So logged in with my temp. account I deleted the user profile of my real account and I was golden. Thanks a lot!

  • Jeb

    My windows 7 laptop will not start up even in safe mode with command prompt, it still just shuts down. I don’t know all this technical talk, how do I remove the virus?

    • Try using the Hiren’s BootCD method that’s been added to the article.

  • Jerry W

    It might be good to note to use “shutdown/r” for a safe shutdown from cmd. Also, as a side note, this virus is stored in your temp files so if you delete all the temp files to remove the virus (and check the start up to disable or remove unwanted items that are related to this program). You can do all this from the cmd or along the same way as shown above. I use a free program called Ccleaner and keep it loaded on all my computers. It was how I removed the virus. It is also good to check under the uninstall programs for any programs installed during the time your computer got the virus.

  • TinaJ

    Thank YOU!!! Your time and help is much appreciated by me and my family!!! God Bless!!

  • Marvin

    Thanks, this worked great! Malwarebytes did not find the Trojan but AVG did and seems to have removed it; however explorer.exe still does not run on my usual account (no “FBI” screen though) so I have to run it manually 🙁 any suggestions to fix this?

  • shamuboo

    In the below list I am not seeing a response as to how to proceed when all safe modes are locked out. Each one is just restarting my computer each time. I only have 1 user account as well. Is there anything I can do to fix that?

  • Charlie Brasher

    This worked for me:
    1. Boot in safe mode with command prompt
    2. Navigate to windows/system32
    3. Type control.exe to open control panel
    4. Insert flash drive, with the latest Malwarebytes
    5. Install and do a full scan.

    Thank you very much for all your help!!

    • Roger

      I have done this, ran MWBytes, and my pc shuts down? Any thoughts? Thanks

  • Lance

    Thanks very much, Aaron. Your solution to ridding my computer of the FBI MoneyPack virus did the trick. This was after trying several other methods that failed. Thanks again!

  • Steve EZ

    One of the computers in my house got this virus somehow, and despite many other forum/website advice to kill the virus, this article was the only one that was proved effective at my knowledge of computers (which is above the average person, but still limited). I recommend following these instructions if this “FBI” virus happens to you.

    Thanks to the author(s)

  • Vpb12345

    Thank you so much, I got worried after it scanned for 5 hours, but it finally ended and I’m virus-free

    • Heh, I’ve had MBAM scan for 12 hours 43 minutes on a customer’s computer. Granted, I scanned 3 drives, but programs such as AutoCAD or SolidWorks have bookoos of files to scan through.

  • Bob

    Hi Aaron, thanks for the help in getting around the ‘reboot’ in safe mode and normal mode. Curing this problem enabled me to get to safe mode, and then I used the ‘old standby’, the ‘emsisoft Emergency Kit’, to do the scanning and removing. After that I loaded Malwarebytes Anti-Malware and did another scan just to be sure the problem was gone and CURED. Thanks for the help

  • christina

    I have this awful police virus. My computer will not let me do anything. I can’t get into any mode and it will not allow me to type. It just goes to the welcome screen and then shuts itself down. Not a computer genius at all but if I have some simple instructions I may be able to sort it out. I have a normal desktop computer that’s ok but not sure how to make discs etc. Hope you can help? Many thanks, Christina

    • Manpreet Singh

      Hi Christina. First thing to do, if it’s Windows 7 or Windows Vista, is manually turn off the computer 2-3 times. After that, when you turn on the computer it will automatically give you the option of Startup Repair. Select that option and see if that works or not. If it does not work, then in Startup Repair there is an option of System Restore. Select that option and restore the computer back to an earlier date and see if that works or not. If it works do let me know, otherwise I can provide you multiple options.

      • System Restore will not remove temporary files, as they are not system files. This virus hides within these files so that System Restore can only hide the virus and not remove the malicious files. After performing a System Restore, you will still have to scan to remove the virus.

  • Manpreet Singh

    The best thing to do is start the computer by tapping the F8 and select safe mode with command prompt if you are not able to go to normal safe mode or safe mode with networking. Once the computer is started in safe mode with command prompt type the command rstrui.exe by typing this command system restore would open up. Restore the system back to earlier date when the FBI Virus was not coming up. Once the system restore is completed download and install REMOVED DUE TO SPAM it will completely remove the virus.

    • Do NOT download “Spy Hunter”. Spy Hunter by Enigma Software offers a free *scan* (no fix) with exaggerated results to scare the user into buying it. There are several better FREE programs which remove the *real* infections which they find for free. Hence the use of Malwarebytes’ Anti-Malware.

      Not only that, but if you buy SpyHunter from any link posted in an answer here, the poster will get paid a commission from Enigma for tricking users into the software.

  • Roger

    So I recently got the Virus, got all the way to Step 6, loaded and ran Malwarebytes, but the PC shuts down after 3-5 minutes? Any thoughts?

    • Is this a laptop or a desktop? Does it go through the entire “Windows is Shutting Down, Please Wait” process or does it just go black and die? Are you running MBAM in Safe Mode or regular mode? Try having MBAM do a quick scan.

      • Roger

        Aaron, Thank you. It is an HP laptop w/ Windows 7 Home. The screen goes black and does not restart. I created another user id via safe mode with command prompt, restarted into safe mode with networking, loaded up and started to run MWBytes and it goes black screen several minutes into the full scan.

        • Aaron St. Clair

          Don’t boot back into safe mode in the new account, boot as you normally would, but select the new user account when prompted. If it goes directly to your regular account, quickly hit the Windows key + L. This will bring you to the login screen

          • Roger

            I will give it a shot. To clarify, I should run the MWBytes software in the new userid in regular startup?

  • Daniel N

    Thank you for your article. Using a temp account seems to work well. One thing I would modify is to use Hitman Pro instead of Malware bytes Full scan although I love malwarebytes software. hitman pro will get the job done much quicker.. Just my 2cents.

  • twiztedmannix

    I’ve used Hitman Pro to remove it first time around, once going through the process it’ll reboot and find back all the lost files it claimed it encrypted it and it’ll start up like normal. It keeps coming back, it uses Java and internet Explorer (the white screen is a window of IE, so i disabled it). I raised up the security on Java but kept coming back, disabled IE and so far seems quiet. It’s really annoying imma have to set up more logins if it ever comes back, it bypass the blocking windows/Java does on programs (allow/deny.)

  • Elise

    I have to say, I love the way you’ve explained everything, really made me save my pc. THANK YOU SO MUCH!!! You’re a PC God. Keep up the good work. I love you!

  • Pete Mekesa

    Aaron, thanks!!!! Your information was spot on.

  • Aleksandra Ward

    Hi. I was able to remove the virus, but every time I go online, open Firefox or Internet Explorer it comes back. How can I fix it?

  • daren

    i got hit really hard this time with the fbi 2013 one. the only way was your way ………ps i LOVE you p

  • daren

    could you please find a way to backfire the scam back at them, i have 2 pc willing to use 1 for bait and once again thank you so much

  • daren

    forgot to say the create new user account worked for me

  • Mike B

    Thanks, Aaron! I’m not a computer dummy, but sometimes, this electronic monster gets the best of me. I reviewed a number of sites and solutions, but yours made the most sense. Malwarebytes has fixed problems before for me, but this is the first time that I’ve been totally locked out by a virus. I’m scanning now and will let it run through the night if necessary. Just wanted you to know that I appreciate you taking the time to help the ‘little guy’. Keep up the good work!!

  • Mike

    Thank you, Aaron. You da man!

  • R. Tyrone

    Thanks Aaron, worked like a charm. Took 2hrs running XP pro. But…got er done!

  • Matt

    I went to safe mode command prompt and it loaded the Windows files and says please wait… it’s been there for 30 minutes.. is it supposed to take that long?…

  • Izaha

    You truly helped me out the most. I didn’t know what to do when I didn’t have another user account to log into. You’re a life saver and a real Technomancer. lol. Thank you, so much.

  • Tammy

    You are AWESOME!! I followed your instructions to the word and this worked perfectly. Thank you so much!!

  • Jose Martins

    I got a similar virus and followed these instructions – the best I found!

    strange problem: Malwarebytes says “no malware found” after the deep scan!

    any clues?

    • What is the virus that you have? Are you sure you created an administrator account? You can use archive scan to just scan the user folder of your regular account located at C:\Users

      • Jose Martins

        > My virus is a portuguese version of FBI named “PSP”. I had the problems described by you and could only login in safe mode with command prompt. The virus would otherwise shut down the pc after login.

        I created a new administrator account, loaded Malwarebytes, updated and ran it – no restart was requested…
        I was surprised to see a zero malware count after a deep scan, but that’s what I got!
        I restarted and open the normal account: no problem!
        Downloaded Malwarebytes and ran it again: zero malware!

        could the virus somehow “hide and duck” in the presence of Malwarebytes?!?!?

      • Jose Martins

        > correction: in the normal account I didn’t download Malwarebytes, it was already available.

        • Aaron St. Clair

          Hmm, that’s odd. Download and run CCleaner on your regular account. CCleaner should remove the virus as well since it hides within Application Data as a temporary file. This is just a safety precaution to ensure the virus is actually removed and not hiding.

      • Jose Martins

        > more details: I also performed on the new account, after running Malwarebytes, an on-line scan using it found some adware that I chose to eliminate, but nothing else…

      • Jose Martins

        > I used CCleaner: very nice software! Cleaned 936MB of temporary files spread around the PC. I also cleaned some startup files like Skype and then the empty space. There is a file in the “Schedule tasks” using the brand name of Microsoft with a long name with numbers and letters (looks like a software password): this is the strangest thing. I read somewhere about these viruses using these long names with numbers and letters… Shall I kill it?
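
Several comments above place this malware's files in Temp, Application Data and Program Data, and suggest scanning the drive from a clean PC. The following read-only triage script is an added example, not part of the original thread or of any tool it mentions; the folder list, the `looks_random` heuristic and the sample file names are assumptions made for illustration.

```python
# Read-only triage of a Windows volume mounted on a clean machine: lists
# executables in the data folders named in the thread. Nothing is deleted.
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Assumed folder list: Vista/7 layout first, then the XP layout.
WATCHED_GLOBS = [
    "Users/*/AppData/Local/Temp",
    "Users/*/AppData/Local",
    "Users/*/AppData/Roaming",
    "ProgramData",
    "Documents and Settings/*/Application Data",
    "Documents and Settings/*/Local Settings/Temp",
]
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
SAMPLE_CONTENT = b"constructed sample file, not malware"


def looks_random(stem):
    """Heuristic (assumption) for a 'long name with numbers and letters'."""
    s = re.sub(r"[{}\-_]", "", stem)
    if len(s) < 8 or not s.isalnum():
        return False
    # Count letter<->digit switches; ordinary product names have few.
    switches = sum(1 for a, b in zip(s, s[1:]) if a.isdigit() != b.isdigit())
    return switches >= 3


def sha256_of(path):
    """Hash a file in chunks; return None if it cannot be read."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def scan_volume(root, max_depth=1):
    """Report executables at most max_depth levels below a watched folder."""
    root = Path(root)
    seen, findings = set(), []
    for pattern in WATCHED_GLOBS:
        for folder in root.glob(pattern):
            if not folder.is_dir():
                continue
            for dirpath, dirnames, filenames in os.walk(folder):
                here = Path(dirpath)
                if len(here.relative_to(folder).parts) >= max_depth:
                    dirnames[:] = []  # skip deeper vendor install trees
                for name in filenames:
                    path = here / name
                    if path.suffix.lower() not in EXEC_EXT or path in seen:
                        continue
                    seen.add(path)
                    rel = path.relative_to(root)
                    reasons = ["executable in a data folder"]
                    if any(p.lower() == "temp" for p in rel.parts[:-1]):
                        reasons.append("under Temp")
                    if looks_random(path.stem):
                        reasons.append("random-looking name")
                    findings.append({"path": rel.as_posix(),
                                     "sha256": sha256_of(path),
                                     "reasons": reasons})
    # Most reasons first, then by path for stable output.
    return sorted(findings, key=lambda f: (-len(f["reasons"]), f["path"]))


def build_sample_volume(base):
    """Create a small constructed tree standing in for a mounted drive."""
    files = [
        "Users/alice/AppData/Local/Temp/k3j9x2m7q1.exe",        # three reasons
        "Users/alice/AppData/Local/Temp/readme.txt",            # not executable
        "Users/alice/AppData/Roaming/Vendor/App/bin/tool.exe",  # too deep
        "Users/alice/Documents/report.exe",                     # not watched
        "ProgramData/sample_app.exe",                           # one reason
    ]
    for rel in files:
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(SAMPLE_CONTENT)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_volume(base)
        for f in scan_volume(base):
            print(f["path"], f["sha256"][:16], "; ".join(f["reasons"]))
```

On a real drive, pass the mount point of the attached volume to `scan_volume` and review the list before removing anything; a hit is a lead for a scanner, not a verdict.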

  • Kingpablo

    I am just finishing up battling a Windows 7 64 machine right now that has this no safe mode variant at all. Command prompt was even rebooting. I thought for sure I’d have to pull the drive.

    Watching it reboot a few times, I saw the shutdown screen for just a fraction of a second and saw a lag in the timing.

    I was able to get safe mode to “Stick” by hitting CTRL+ALT+Delete immediately after entering the password. I just hit it like a fiend once I hit enter. After a few tries, I nailed it. It finally hung the system.

    Once I had that I was able to pop open task manager. Once in Task Manager, I was able to open a command prompt. I then was able to install Malwarebytes from a USB stick.

    I would guess that the new user method works great.

  • Jennifer

    Thanks so much !!!! Worked perfect. You are a rock star!!

  • Scott Silva

    You should never recommend using illegal software on a public website… Hiren’s is full of software that is supposed to be paid for… There are many Linux based boot CD’s that are free and legal.

  • Ali Najem

    I had my office computer infected by CTFMON.exe, and friend of mine told me to remove the hard disk and plug it to a computer with Malwarebytes Pro. and scan it and it will remove it!
    I have McAfee on my computer should I remove and install the Malwarebytes Pro. or it won’t conflict.

    Sure the Malwarebytes Pro. will remove the CTFMON.exe..

    Please I need your help..


    • Malwarebytes is not an antivirus suite, simply a removal tool. The pro version is comparable to an AV but it’s still not the same. Thus said, there’s no need to remove McAfee. Also, the only time you may have to pull out the hard drive is if you can’t get this tutorial to work with safe mode.

  • manpreet singh

    if you can go in safe mode with command prompt try system restore instead new a/c by rstrui.exe and then restart the computer will be in your a/c then use emsisoft emergency kit free software

  • Valerie

    Thank you!!!! I tried so many other ways and until i found yours it helped. Thank you times a million!!!!!

    • joe

      The problem I keep running into is my computer will not connect to the internet after all steps so I cannot update malwarebytes. Any suggestion?

  • mp

    Thank you!!!!

  • Paula Andrese

    Thank you! Yours was the ONLY page that provided the info needed to download the fix.

  • Mary

    THANK YOU…Thank you. I have tried every site out there to fix the FBI malware but nothing worked….UNTIL
    I found tech-recipes and followed your directions. It worked beautifully

  • Michelle

    Thank you sooooooooooooooo much!! You helped me be a hero for my Dad whose computer was recently seized by the FBI MoneyPak Virus……I really appreciate it!! You’re the BEST!!

  • Samantha Lee

    RE: ICE Virus. I followed all of the instructions, except I have one problem. Windows is loading the cmd.exe prompt box, I have to type explorer.exe to run my xp. Can you help?


    • Until today I’d never seen this happen, but I’ve run across the problem myself, and I’ve yet to fix it. It’s for a customer, so I’ll be working on it shortly and should be able to give you an answer soon!

  • santosh

    My computer is shutting down in every type of safe mode. Is there another way of removing the virus?

  • Ken King

    This worked great for me

  • DA

    Hi, when I gave control.exe in command prompt it didn’t work.. still goes to the moneypak page

    • Are you sure you’re in “Safe Mode with Command Prompt” ? I’ve never seen the virus pop up in that version of safe mode.

  • Barb

    After many, many attempts I was able to get through #5 (creating an admin account in safe mode), but unfortunately logging into that account brought the virus page. The command prompt version, on the other hand, brings up a list of C:/WINDOWS/System32 (partitions) with no cursor/arrow keys control. I’m not sure what to try next. Any ideas?

    • I’m not entirely sure what you mean… You said you made it through step 5, so you’ve created a new administrator account using the CMD method in the tutorial? Are you logging back into “Safe Mode with Command Prompt” as the new administrator? The virus should not infect a newly created account… Did you name the new account “Administrator” ? If so, name it “Susie” or “BillyBob”, or whatever. There is already a default account on the machine named “Administrator” that can be enabled/disabled. I think you may have just enabled that account?

  • Nicole

    I love you so much right now Aaron. I’ve been fighting with my laptop for weeks with this virus, and following your steps I was able to remove it. You’re the best! Thank you!

  • Jessica

    So I have Windows Vista and I got the ICE infection earlier today. I have tried the safe mode options… all of them, but each time it takes me to login and then my computer restarts. There is no option for “repair your computer” and I’m at a dead end. What should I do?

    • I’ve recently run into the ICE version too. I was at a customer’s house, so I didn’t have all of the tools in my normal repertoire, so I had to hook up their HDD to my laptop to remove the virus. Only problem is that method broke their startup. I’ve yet to have a chance to follow up on the machine to figure out a fix, but I will soon.

  • adrian geter

    This Sam Virus Has Brought A Blue Screen To My Computer and Denies My System From Restoring.. But I’ve Snuck My Way To Command Prompt By Letting It Fail Restore Then Clicking One Of Two Sentences That Lets You Explore 10 Other Ways To Fix Ur Cpu.. start up repair, system restore, etc

  • Dan

    You are my hero! Worked perfectly!

  • ed dormer

    followed your instructions , purchased Malware Bytes Pro, restarted, ran full scan and found 1 item, not sure what it was but deleted. restarted normally and signed into my user account. However my user account is still the black screen with the command prompt c windows system 32 that i used to get to the control panel.
    what next- how do i get back to my account

    also, how to remove “conduit” virus from another pc, malware bytes pro and hitman pro do nothing
    your help is really appreciated – i’m novice level

    • Your computer may have got caught in a system resume loop. I’ve seen it happen a few times before. Try holding down the power button for 15+ seconds until the machine fully turns off. Then, unplug it from power, and remove the battery for 15 seconds. Then hook everything back up. What this did is ensure the computer is completely dead so you can get a clean boot. Now, turn it back on, and you may get prompted to run startup repair. If you do, go ahead and run it.

      As for Conduit, it’s not really a virus. It’s more of a toolbar. You should be able to remove Conduit via Add/Remove programs

  • Walt McNally

    This was amazing. Thank you for all your hard work. I followed the instructions exactly and now I can finally use my computer. Thank you once again

  • mike

    WORKED LIKE A CHARM!!!! T H A N K Y O U ! ! !
    Getting in to SAFE MODE took a couple attempts. But after getting in to SAFE MODE, everything flowed exactly as described above. Great stuff. Thanks.

  • Kaylee

    Thank you so much.! This is the only site that actually helped me.! You are a life saver.! Thank you so much idk what i would’ve done without this site.!

  • M. Caulfield

    Instructions worked great, Thank You, Thank you, Thank You!!!

  • Steve

    None of the below options work for me. I am unable to open my pc in any Safe Mode and now I cannot get it to start at all without receiving a blue screen. I have tried to download the anti-virus files to a stick drive, but I cannot get the infected pc to boot to the external drive. I do not have a CD burner option.

    Any other thoughts.

  • Steve

    I do have a SATA drive to put the infected hard drive into, but the drive will not completely load, it stops at about 95-98% and then just sits there.

  • kevin s

    Thank you for the command prompt method. It would not boot into safe mode with networking. Thanks so much for your work and for sharing with the less knowledgeable! You’re awesome

  • Jared

    Thank you so much. I was losing hope and getting ready to take it somewhere to get fixed.

  • dan

    I can’t thank you enough. your solution worked perfectly.

  • dnl

    I can’t thank you enough, your solution worked perfectly.

  • Dan

    Top shelf instructions. Wife’s ‘puter is back up and running. This is the second time in two months. First time I was able to just boot to safe mode…not this time.

  • Anonymous

    Thank you so much! It worked perfectly

  • greg

    Thanks so much for this!

  • bellamrao

    Very useful. I suggest a small change to start with.
    using Ctrl+Alt+Delete, first log out from your current account.
    In case there is already one more Admin account in the computer, simply switch the user (Admin).
    Thanks for the advice

  • Marty

    Thank you SOOOOO much. Your instructions were clear, easy to follow and spot on. I did get hit with the earlier version, years ago, and agree this one was a challenge I needed help with.

  • Josh

    Thank you so much, but I wanted to know if I could still get into my last user account??

  • Fletcher

    I don’t know if this help for the one that evolved to block command prompt safe mode but before i found this I managed to get to my desktop by logging off and onto my only user account till it lags and asks if you want to wait for the program to respond or log off now i hit cancel and the fbi virus doesnt restart till i log off or reboot, able to use internet explorer although slowly. I have vista by the way and i fix most things by hitting it with a rock but if this info helps at all awesome

  • Darren

    Seems like i just ran system restore in my guest account, and everything works instead. Though i didn’t go through any of the steps but actually went to system repair mode but ended up canceling it cause it was too long.

  • Beth

    Thank you for this information. I was not able to get into my safe modes but through safe mode with command prompt only and making a new account user. I am now running my Malwarebytes and it has picked up 9 viruses so far. Very informative info. Again thank you. 🙂

  • Dennis

    Followed your steps and cleared my computer. Thought it wasn’t possible as nothing was working in safe mode. I could get to command prompt but had no idea what to do once there. I’m old…(not old school, just old) and lost around these things. Say hello to fellow Appalachian State hero Eustace Conway if you see him…and thanks again. Don’t know how virus creators can sleep at night.

  • Laura

    Does this work for Windows7?

  • Seank97

    I had a variation of this theme to remove on a corporate pc this week, the fix for me was to make a Bootable Jump-Drive with Kaspersky, I was unsuccessful removing it manually on a Win-7 Pro machine on our network even though Safe-Mode/Command Prompt did work. I suspect it could also be removed with the most recent version of Hirens Boot CD and removing it from “outside” of windows itself.

  • Bill

    Thank you very much for taking the time to help us all out. I followed your instructions and I am now up and running again. Thank YOU!

  • Sean

    Thanks Aaron worked perfect for me good stuff

  • Scottie

    So I got it too. But I just restarted my computer and it went away. Is it gone? Reply please. Thanks.

    • If all you did was restart, and not a restore or scan then I advise running Malwarebytes to make sure.

  • Richi

    Another way to do this is after you type in “control.exe” is to go over and click on Recovery and then just do a system recovery to a later date before you got the virus. Bam no virus.

    I used this method with the first version and it worked several different times on several different computers.

    Though you will lose pretty much everything that you have worked on since the system saved a recovery point. But if you keep back ups of everything on a separate drive, such as myself, then this is not an issue or if you just don’t have anything of importance saved in the past few days.

    This way is much easier for those who aren’t amazing with computers…such as myself.

    • Again, a System Restore can sometimes move the virus out of your way from starting when your PC starts, but it does not remove the infection from the machine. You must remove the files that are infected. System Restore only restores system files and those files that were modified by a System service process during the time frame chosen. This virus is not one of those files. So, even if you perform a system restore, you still need to scan for the virus.

  • Hannah

    My gawd the best help I’ve gotten anywhere- you know how many times I’ve googled?!?! Great work, Aaron- it’s the ONLY help I’ve found. And it’s EASY~ wonderful, just wonderful. Thank you a million times over!!!¡

  • Hannah

    :O the best and ONLY help I’ve really gotten- it’s amazing and thank you so much~ not only was it quick but it was easy and painless!¡!¡ lots of help for someone not so tech savvy.

    Wonderful, thank you a million times over

  • Red

    Hi Aaron,
    First of all, tnx a lot for the explanation and the help to all of us that got that horrible virus.
    I wish to share my related problem with you (if it is ok) and ask for your experience and help, and hopefully it will help others in the same situation:

    My desktop at home is being used only by my kids (Win 7, 64 BIT).
    I got one of the versions of that FBI Virus a month ago and Googled it and found another site that gave kind of the same solution you gave (mainly, using Malwarebytes). A week afterward I got it again, and was able to fix it again the same way (in these versions I was not able to go to the safe mode b/c it kept restarting and coming back to that malware screen, so I had to do system restore, and once I got my desktop back, run the software).

    Today, my son came to me crying and said it came back again. At first I did not understand why he cried, but when I came to the desktop I understood why: this time it was blocked by a different version, that showed pictures of nude KIDS!!!! I was shocked!!!

    I spoke with my son and he admitted searching for nude pics, but he did that through regular search on Google (as probably millions around the world do every day….)

    Could it be that whenever I am cleaning the computer I am kind of leaving that virus core and it wakes up every time again?

    Is there anything I can do to stop it from happening?
    I even thought of reinstalling the operating system, if I will have no other choice, but do not know if it will help.

    I am very sorry for the long letter, but hope you will understand my frustration and can help me (and I believe I am not the only one that encountered this problem).

    Tnx a lot in advance


    • Reinstalling the OS would definitely fix the infection, as long as you did a clean install and not an upgrade or overlay install. That said, reinstalling the OS may not solve your problem. I’ve had 4-5 repeat infections at my day job (service technician), including one customer who got the virus 5 times in the course of 3 months. Your timeframe of the infections matches his. I pretty much narrowed him down to getting the infection through email. I asked him to check his email for me, and lo and behold he literally clicked every link in every email, even the ones that he was unsure of the sender. I put a stop to that real quick. Opening emails to read them cannot infect your machine. An attachment or link has to be clicked to give the network permission to receive the file, which hides and runs in the background. Email isn’t the only way this virus spreads though.

      Every boy has done exactly what he did. When you’re in the mindset of looking up nude pictures, you aren’t going to be paying much attention to what seems legitimate and what should be passed off as sketchy. Porn sites make a lot of their money through linking services, which means you click a link on their website, it redirects you through other websites, gives you popups, etc.

      My advice to you is to look into the built-in parental controls that Windows 7 has to offer. Microsoft has a small article about how to activate parental controls here, but it’s not very instructional. A simple google search can lead you to blocking websites, blocking meta-data of websites (i.e. pornographic websites in general), setting time limits and even logging activity. Granted, parental controls can’t stop all access to pornographic material, as googling “pen island” can give you results you did not intend.

      What solved the issue of the infection returning for my customer was to purchase the full version of MalwareBytes Pro. It acts somewhat as an anti-virus, and is a real-time scanner of files going in and out of your system. I cannot guarantee that purchasing the software will stop the infections, but I’ve seen it work before.

  • aPoorGamer

    I don’t need to go on Safe Mode to use my PC. Although when I go on Safe Mode it does shut down, so here’s what I do: When I start the PC I just wait normally and when I get the FBI virus screen I press Ctrl + ALT + Del and start up Windows Task Manager, after that I know there’s a program running on the background, so I press Ctrl + ALT + Del and click on Logoff, after that I see my background normally and usually it will say “Wait for programs to shut down” I take advantage of that and click on ‘Cancel’ as fast as possible, 90% of the times it works for me. I still have the virus and I have no way of removing it. Is there a program (fast way) of removing this annoying virus? It’s making my ping higher and higher in games, pff.

    • aPoorGamer

      Oops, I was too lazy to read all those 8 steps, I just considered reading it and I found out about this antivirus thingy. Trying it right now, I hope it works, although I’m just gonna install it on the normal user and when it asks for reboot I’ll do my trick and hopefully it’ll get solved. ;)>

  • Khosro

    I had this virus and I couldn’t go to any of the safe mode options. After a few tries to start the computer, suddenly it started and I could run different antivirus and spy hunters to try to clean the computer. But still after 2 months cmd is not starting. I mean it starts and ends at the same time. I have been trying to fix this problem with no success. I replaced the cmd.exe file with a new one through winsrx and even copied the file from another computer with system 7. I have scanned the computer with spyhunter4 and tried with Norton antivirus and avg and windows essential to find what is wrong with no success. None of these programs is finding any virus. Help will be appreciated.


  • Paul Flores

    Hi…this was almost working- I created a new admin user name…but didn’t see how to create a password for it, so I didn’t- THIS WAS MY FATAL MOVE. Then when I had a chance to sign on with the new name- it didn’t work (no password)(this should be clarified- You have to click on the newly created Icon to create a password)
    SOO..I saw an opening to hit “system restore to an earlier date” – and unfortunately I tried it (even though I have the new bad fbi virus and I’m all locked up).. and so the system restore seemed like it wasn’t going to work… lots of time passed… SO I got out/ shut down etc.. AND NOW – I cannot get into a windows screen- I CAN get into a bootup/ DOS screen….but that’s it…I’m screwed….. System repair disc will not work/ and system recovery discs…IF they worked would wipe out my trapped 18,000 songs that I need as a DJ…and TONS of pictures and documents…..AGH…..
    So does anybody have a “workaround” for this prob? like how to get the system repair disc to work?
    This is a toshiba L655 satellite laptop.. Disaster scene, Paul in Bend, Or

  • Paul Flores

    Part 2….the thing is…We have a really nice PAID FOR Webroot anti virus that has been 100 effective… but this FBI son of a thing got past it…
    and lastly— If this fix worked I was going to praise “Aaron St. Clair” to anyone who would listen…but for now…I’m screwed-ish.. P

  • Emily

    Thank you for saving my computer!

  • Todd

    FBI virus. I get to the c:\windows\system32> point, type control.exe and I get a window that pops up and says the file doesn’t have a program associated with it for performing this action. Error 26ee0668-a00a-44d7-9371-beb064c98683

  • Steve

    Aaron, Thank YOU! This was by far the easiest solution to the problem I’ve found on the Internet and my problem with this damn virus is now solved!

    You made a really difficult problem easy and I commend you for posting this solution.

    Thanks Again, S

  • Sean

    I feel the easiest method is downloading a tool called autoruns. Have it on a flash drive.
    Boot into safe mode with command prompt, and then CTRL + shift + escape to bring up task manager and go to file new task run… select autoruns… Locate the virus on the startup list, and uncheck any bad keys. Reboot into safe mode with networking… update antivirus and remove… 2 scans that have never failed is FULL SCAN malwarebytes (update definitions) and then follow up with a hitman pro second opinion scan (also in safe mode with networking). These have given me a 100% success rate thus far. Also doing some manual work in autoruns to be sure.

  • Gene

    Thank you SOOOOOOO much. This was a tough one. Couldn’t have done it without you.

  • cb

    Thank you so much!!!!!

  • Joseph

    Here is the easiest way. While restarting the computer press F8. Then when you see safe mode with command prompt, type “control.exe”, go find where you can back up your computer to an earlier date and do it. Then you will be free of all your worries. When it is completed, when you get back to normal, download your Malwarebytes Anti-Malware. Free version will do it, or pay for it.
    This worked for me.

  • pj an jane

    THANK YOU! 🙂 :*

  • Jerry

    So I got this virus earlier today. I’ve had experience on the whole “safe mode with networking” technique. But the virus made the whole screen blank. I was able to trick the virus by pressing Alt+Ctrl+Del then press restart, but then cancel the restart right when it asks you to “force restart”. I ran Malwarebytes for over an hour, got 100+ viruses and was able to delete them. At this point I read this article so I went and made another user just in case. Restarted the computer and FBI virus came back. I changed to the new user and was able to run Malwarebytes again and found 2 more threats. Erased them, restarted the computer. Crossing my fingers. But the virus still came back. I need help.

  • Jake

    Thank you so much!

  • Cindy

    Got to the point of creating a new user, downloaded Malwarebytes. Had just started running this download and virus took over this user. I seem to have only so much time before it “finds” me because previously I was trying fixes using the Guest account, but then that became unusable.

  • David

    Hi Aaron;

    Thanks for the article. It got my foot in the door. I followed the steps and left Malwarebytes scanning while I stepped away for a few minutes. When I returned, the virus screen was up on my new account! When I went to shut down, though, Malwarebytes reported it was still scanning? So I am letting it run for awhile and in the meantime I am updating AV on all my other computers. I’ll let you know how it turns out.

  • frank

    I’m running vista and I don’t get a blank screen in all 3 system modes and when I clicked on change user it would only let me pick owner, there wasn’t any other options. Any ideas?

  • Jim

    You are a lifesaver and an excellent communicator of IT to those of us hobbled by a liberal arts degree. Thanks a million!

  • colin

    Thank you so much! This thing really freaked me out!

  • Jeff

    Thanks for the article. I had two machines with this. One would also not allow Safe Mode w/ Command Prompt either. Machine was very flaky in booting to Safe Mode. I removed HDD and scanned it with another machine removing a Sirefef Trojan. Once I replaced the HDD, I was able to follow the instructions you posted. Maybe on Line 6 you could state to reboot into Safe Mode, great instructions regardless.

  • Peter Daniels

    My son dl this virus off an infected program he borrowed from a friend…!! Thanks for the procedure, will try it as soon as I get my laptop back home (I’m out of town and it’s a spare computer..)

    Thank You for all the others out there who don’t bother saying it.

  • Bo

    F8 does not work for me. If I select safe mode with command prompt I get a screen to enter my password. However, the laptop does not recognize the correct password and does nothing. Suggestions?

  • Cameron

    I’m not sure if it was just by sheer luck or not, but I created a new admin account and it didn’t work long enough to get the download. However, I hit ctrl alt del and just switched to my main admin account. I’m not sure how or why but upon doing that I can navigate my usual admin account with no problem. I just finished downloading Malwarebytes and am praying it works. This is the second time I’ve been hit by this virus and this one has definitely been harder to kill.

  • Jack

    I am trying to remove the FBI MoneyPak. Using the command line I have created 2 different user accounts with admin but before I can get a scan started the virus appears. Any additional advice? Thx

  • Frank

    Thanks for the tips. Command prompt booted properly, and got into control panel okay. The only thing I noticed was the new account I created did not appear under “User Accounts” which freaked me out a bit. Also, I could not give these new accounts administrator privileges until I made my original login user account a standard account – only then did it allow me to make the new temporary account with admin rights, but the account still did not appear under “under accounts.” So I restarted the computer, held my breath and thankfully, I was able to boot up normally to run Malwarebytes and remove every trace of this SOB virus.

    Thanks young fella!

  • Patrick

    What do you do if when I restart my computer in safe mode with command prompt my screen is only black and Windows does not open, then open task manager and start a new task for command prompt, and it tells me that it is not working. So I cannot access any windows or the command prompt. What do I do without sending it to a tech and spending $300 on my old 2005 HP?

  • Andrew Myers

    I just read this blog and went to my desktop, but when I got on my PC and logged in the virus didn’t start up! Right away I did a system restart and now it is in progress! (Before I logged on, I started my computer and forced shutdown about 10 times :p) STILL, I am thankful for seeing this website. I was really convinced I did something bad -_-. So thanks!!!

  • Jarod

    Hey guys, I have been trying to fix a friend’s PC which has a virus hidden as an Antivirus program. You can’t access Task Manager, Cmd, Safe Mode, Safe Mode with Networking and Safe Mode with cmd. I can’t remove it because it blocks every .exe. Any help would be appreciated. It came with Antivirus Security Pro.

  • Bob

    For those who can’t get in regardless of which safe mode you use, here’s how I got around it:

    Download the Kaspersky Rescue 10 iso image (google it).

    Burn it onto a DVD using something like CDBurnerXP.

    Pop it into the infected machine (must have a network cable plugged in)

    Start it and go into the Boot menu (normally F12 or F2), choose to boot off CD/DVD.

    Kaspersky will start, select your language and enter graphics mode if possible.

    Once it’s fully loaded you must click the “Update” button, allow it to update. This can take quite awhile

    Run a scan

    This should pick up the virus and ask you what you want to do, I just click “delete” to all virus infected files

    After that reboot and you should be able to get into your machine

    Run malwarebytes to double check it.

  • Rich

    Cheers Aaron! Quality advice, this sorted my Moneypak problems out in 5 minutes after I’ve been looking for days for a resolution. Something as simple as creating a new user account, by way of the command prompt, is not so easy to find out if ur as PC illiterate as me.

    Thanks again!

  • Eddie

    THANK YOU THANK YOU THANK YOU!!! Just performed this on my computer which I thought was gone. Saved me tons of money and my files!! Awesome, and easy to follow for those of us who really don’t know anything about computers.

  • jhn tokay

    Yes it worked! I have windows 7, no idea where this virus came from, but your step by step worked. Thank you!

  • Dave

    This looks like it’s working. Thanks, Dude.

  • N Philips

    This article fix was spot on and even works with the UK equivalent virus (says the met police ilo fbi)

    Uk based user

    Many thanks

  • Dave

    Dude you’re the man! Worked like a charm.

  • Neil

    Spot on. Many, many thanks

  • Sam

    U are a computer Guru. Thanx so much!!!

  • Jacques

    I have a different version of this problem. My virus was introduced by a pseudo Microsoft helpdesk that offered my brother to fix his computer! Right!
    Now the problem is a fake login window that appears in every mode, safe mode and regular mode. This is not the Windows logon but a fake that asks for password only. So creating a backdoor user does not help in this case.
    The pseudo helpdesk was asking 200$ to unlock the computer.

    The virus even prevents loading from the DVD. I tried Windows Defender and Kavensky Hitman. It always pops the fake login window.

    This is a Vista version and of course we do not have recovery or original Windows DVD and we need to recover some data on the disk.

    I have tried every trick in my bag and am running out of ideas. Any suggestion?

    Thanks in advance

    • I have not run across the particular virus you are describing, but I can imagine it.

      Does this password screen show up when you try to boot into “Safe Mode with Command Prompt”? If not, download rkill from bleepingcomputer onto a USB Flash Drive, plug the drive in, and boot your PC to Safe Mode with Command Prompt. Then use the cd command as described earlier to change to the flash drive. I would recommend trying “cd e:/”, “cd f:/”, or “cd g:/” as these are the common default directories for flash drives.

      If it blocks you in command prompt, there are still ways to remove it. One would be trying to use Hiren’s BootCD as described here:

      This method may not work, as your network drivers must be natively recognized in MiniXP, and many aren’t.

      Another option would be to remove the HDD from your machine, hook it up via USB to another machine (you can get these adapters pretty cheap, or if you have access to a PC with e-sata you can get a hard drive dock), and use MalwareBytes to scan the drive. Just point MalwareBytes to the USB drive when you select Full Scan.

      Finally, if you are unable to remove the virus yourself, a local PC repair shop should be able to remove the virus for much less than the $200 the rogue helpdesk requested. They will pull your HDD and scan it the way I described (via USB), but if you’re wary about taking parts out of your PC I would recommend taking it to the professionals.

      If, somehow, they are not able to remove the virus without wiping the drive and reloading the operating system, they will at least be able to recover whatever data you need.

      • Jacques

        > Thanks for your reply. And Ideas Not I can’t get to command line I have that login window popping all the time
        I’m trying Hirens boot but for some reason it does NOT load on the machine. Works on other PC but when I try on this machine it always goes to the loading menu (safe mode and other) but it never asks to load from DVD. I have checked BIOS and it’s fine. Strange, it detects my Microsoft Windows 7.

        I think my last resort is to get a Sata cable and try to connect that drive to another PC 🙂

        Thanks again will get you posted

  • Garrisn J

    You da man Aaron!!!

  • ivan

    I recently had the exact same virus, but did not allow to boot into safe mode or safe mode with cmd… my solution was creating a live disc. I used Kaspersky rescue disc iso and burned the image disc. Booted from the disc updated the latest definitions and ran a full scan fixed the problem for me.
    Live discs are/Will be your best friend if you cannot start safe mode.

  • donna ellison

    love you, love you, love you….2 days of numerous failed attempts at getting into safe mode after getting the FBI virus, I found this site and fixed it. first try….thank you

  • Conrad

    Hi, I followed these steps and it worked BUT, when I reloaded my account I was getting small error messages of corrupt files not loading one from windows, one from chrome… So I went into system restore to the closest date (3 days before infection) , restored it and then on the reboot I got the white FBI screen again. So the malwarebytes didn’t completely remove it, and now trying these steps again, using the second account in safe mode with networking, malwarebytes won’t find any infections. I even tried malwarebytes rootkit and it also didn’t find anything, but my main account still loads the FBI page. Any recommendations?

  • Jourdan

    THANK YOU SOOOOO MUCH!! The problem was it kept shutting my computer down whenever I’d enter safe mode. You helped me get my computer back and I am soo grateful. Thank You Thank You Thank You!!!

  • O.Cinelli

    Your safe mode with command advice worked, needless to say I am very grateful for your help. Thank-you Sir.

  • RG

    I just got the FBI money pak , but was able to restart to a clean screen. Is my computer OK? I’m running anti-malware and it doesn’t seem to be finding anything. I was running Chrome in incognito mode, not sure that is relevant, but maybe it is.

  • Linda

    My computer (running windows Vista home pro) will not run in any safe mode, including command prompt. I tried “repair my computer” but since the computer is several years old, I cannot remember my admin password, or even if I ever had one. What do I do now???

  • rick

    I was able to run malware and remove everything but every time I run malware again, 2 files still pop up as Trojan infected. I’ve removed them twice but they still keep coming back. What do I do?

  • Victor Flange

    Latest versions block ALL safe modes, need to boot from CD or USB with AV removal software on it.

  • John Yuda

    Where do I get AV removal and how does it work?