The FBI Online Agent ransomware is a computer infection that locks your screen so that you are unable to access your Windows desktop, programs, or documents until you pay a ransom. This ransomware pretends to be a program from the FBI that states that unauthorized cybercrime was being committed from your computer. It then requires you to submit a $200 MoneyPak voucher code in order to unlock the screen. It also threatens that if you do not send the payment within 48 hours your computer will be permanently locked and legal action will be taken against you. Please remember that this is a computer infection and that the FBI is not locking your computer, so please do not be worried about the messages in the lock screen. This infection is detected by a variety of anti-virus vendors using the Trojan-Ransom.Win32.Dapato, Trojan:Win32/LockScreen.CO,
FBI Online Agent v.2.2 screen shot
For more screen shots of this infection click on the image above.
There are a total of 1 images you can view.
When you are infected with the FBI Online Agent infection when you login to Windows you will be shown a large screen that is supposedly from the FBI instead of your normal Windows desktop. The screen will state that:
FBI Online Agent has blocked your computer for security reasons.
The work of your computer has been suspended on the grounds of unauthorized cyberactivity.
To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $200.
Exchange your cash for a MoneyPak voucher and use your voucher code in the form below.
There will then be a form where you can submit the MoneyPak voucher code in order to unlock your screen.
As this is an infection and you are not actually in trouble with the FBI, please do not send them any MoneyPak payments. Instead, please you use the removal guide below to remove the FBI Online Agent from your computer.
View FBI Online Agent files.
View FBI Online Agent Registry Information.
Tools Needed for this fix:
Symptoms that may be in a HijackThis Log:
O4 - HKCU\..\Run: [dllexp] rundll32.exe "%AppData%\dllexp.dll",exp
12/17/12 - Initial guide creation
Automated Removal Instructions for FBI Online Agent using the Emsisoft Emergency Kit:
- Print out these instructions as we will need to reboot your computer into Safe mode with Networking and you may not have access to your web browser for part of this process.
- As this infection makes it so you are unable to launch any application or access your Windows desktop, we first need to reboot your computer into Safe Mode with Networking. To
do this, turn your computer off and then back on and when you
see anything on the screen, immediately start tapping the F8 key on your
keyboard. Eventually you will be brought to a menu similar to the one below:
Using the arrow keys on your keyboard, select Safe Mode with Networking
and press Enter on your keyboard. If you are having trouble
entering safe mode, then please use the following tutorial: How
to start Windows in Safe Mode
Windows will now boot into safe mode with networking and prompt you to login
as a user.
- Please login as the user that is infected with
FBI Online Agent.
- When your Windows desktop appears, start Internet Explorer or other web browser, and download and save the Emsisoft Emergency Kit to your desktop from the link below:
Once you are at the above page, please click on the Download Now button. Please note that this is a large downloaded, so please be patient while it downloads.
- Once the file has been copied, double-click on the EmsisoftEmergencyKit.exe and click on the the Accept & Extract button to install the emergency kit to the C:\EEK folder. When the program has finished extracting, the program will automatically start as shown below.
Please click on the Emergency Kit Scanner option. When you click on this option, if you see a Windows message asking if you would like EmergencyScanner.bat to run, please allow it to do so by clicking on the Run or Yes buttons.
- You will now be shown an update screen prompting you to check for an update.
Please click on the Yes button to check for any available updates. The Emergency Kit will now download and apply any available updates. When it is done, click on the Back to Security Status link.
- You will now be at the main screen for the Emsisoft Emergency Kit as shown below.
Now click on the Scan PC option in the left hand navigation menu.
- You will now be at the Scan PC screen as shown below.
Select the Deep Scan option if it is not selected and then click on the Scan button to start scanning your computer.
- When the Emsisoft Emergency Kit is finished scanning your computer, you may be presented with an alert box stating that you have a high-risk infection. If you see this alert, please click on the Close button and you should now be at the scan results screen as shown in the image below.
Click on the Quarantine Selected Objects button, which will remove the infections and place them in the program's quarantine. You can now close the Emsisoft Emergency Kit program.
- Please reboot your computer into the normal Windows mode and when you are back at your normal Windows desktop please continue with the next step.
- As this infection is known to exploit vulnerabilities in out-dated and insecure programs, it is strongly suggested that you use
Secunia PSI to scan for vulnerable programs on your computer. A tutorial on
how to use Secunia PSI to scan for vulnerable programs can be found here:
detect vulnerable and out-dated programs using Secunia Personal Software Inspector
Your computer should now be free of the
FBI Online Agent v.2.2
infection. If your current anti-virus solution let this infection through,
you may want to consider purchasing the
full version of Emsisoft Anti-malware to protect your computer against these types
of threats in the future.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help
Associated FBI Online Agent Files:
File Location Notes:
%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.
Associated FBI Online Agent Windows Registry Information:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ "dllexp" = 'rundll32.exe "%AppData%\dllexp.dll",exp'
HKCU\Software\Microsoft\Internet Explorer\Toolbar "Locked" = 1
This is a self-help guide. Use at your own risk.
BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.
If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.