Microsoft security software detects and removes this threat.

This threat locks your PC and displays a full-screen message, commonly called a "lock screen".

It pretends to be from the FBI or a national police force and tries to scare you into paying a fine to unlock your PC.

Typically, this threat gets on your PC when you visit a hacked webpage.

You can read more about this type of malware at the Ransom:Win32/Reveton family description or on our ransomware page.

Find out ways that malware can get on your PC.

What to do now

Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

This threat is a .DLL file that displays the lock screen used by variants of the Ransom:Win32/Reveton family.

Ransom:Win32/Reveton variants arrive on your PC with a random file name. They download this .DLL file.

The .DLL file also has a random file name, with the extension .pad, and is saved in the folder %APPDATA% or %TEMP%. Because the file is stored locally, the threat can display the lock screen message with or without Internet access.

The lock screen message is tailored to your location, which is determined from your IP address. For example, if you're located in the US, the lock screen appears to be a message from the FBI.
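
A triage check for the file placement described above, as an added example that is not part of the original entry and is not Microsoft's detection logic: it looks for files with the .pad extension under %APPDATA% and %TEMP% whose header shows they are really DLLs. The function names are hypothetical, and searching subfolders is an assumption that goes beyond the two folders named above.

```python
import hashlib
import os
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLL images


def is_pe_dll(data):
    """True if the bytes start with a valid MZ/PE header that has the DLL flag."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    # Characteristics is the last 2 bytes of the 20-byte COFF header
    (flags,) = struct.unpack_from("<H", data, pe_off + 22)
    return bool(flags & IMAGE_FILE_DLL)


def find_pad_dlls(roots):
    """Return [(path, sha256)] for *.pad files under roots that are PE DLLs."""
    hits = []
    for root in roots:
        if not root or not os.path.isdir(root):
            continue  # unset variable or missing folder
        # Assumption: subfolders are searched too, as a precaution
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                if not name.lower().endswith(".pad"):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        data = fh.read()
                except OSError:
                    continue  # locked or unreadable file
                if is_pe_dll(data):
                    hits.append((path, hashlib.sha256(data).hexdigest()))
    return hits


if __name__ == "__main__":
    # The two locations named in the entry; either may be unset off Windows
    for path, digest in find_pad_dlls([os.environ.get("APPDATA"), os.environ.get("TEMP")]):
        print(f"{digest}  {path}")
```

A hit is a lead for further scanning rather than a verdict, since the check only confirms that a .pad file is a DLL.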

Analysis by Stefan Sellmer


Your PC might be locked with a warning pretending to be from the FBI or your national police force.


Alert level: Severe
First detected by definition: 1.155.1219.0
Latest detected by definition: 1.207.953.0 and higher
First detected on: Jul 31, 2013
This entry was first published on: Aug 13, 2013
This entry was updated on: Aug 25, 2014

This threat is also detected as:
No known aliases