VirLock Ransomware Removal Guide

Do you know what VirLock Ransomware is?

This guide gives an overview of a ransomware infection called VirLock Ransomware. This new infection is quite dangerous, and you have to remove it as soon as possible. However, it is configured to encrypt the files on your computer, so you might not be able to get them back after you have deleted the infection. To date, there is no third-party decryption tool that can crack this ransomware’s encryption. Also, from the outset, we want to warn you that its developers use scare tactics, such as claiming that you have downloaded pirated material and that you have to pay a fine or be prosecuted. In actuality, this program asks you to pay a ransom, which you should not pay under any circumstances because you might not get the promised decryption key for your files.

As is typical of ransomware, this particular program is disseminated around the web using malicious emails that contain attachments. In this case, the attachment carries VirLock Ransomware’s executables, three of them to be exact, and you have to erase all three to eliminate the threat completely. We have received information saying that the attachment can be disguised as an invoice or receipt from a legitimate global company. Typically, ransomware developers try to make the emails look as if they were sent from airlines, shipping companies and so on. So keep an eye on your inbox, because you might accidentally open a fake email and get your computer infected with ransomware.

The cyber criminals behind this ransomware have done an outstanding job when it comes to scare tactics. Even though their technique is not new, not many ransomware developers use it. In this case, the ransomware is set to impersonate US-based government agencies, such as the Department of Justice, the National Intellectual Property Rights Coordination Center, and Homeland Security. The ransomware locks the desktop and prevents you from accessing the Task Manager and the Start menu, and it also blocks Run.exe, which can be used to launch applications. Furthermore, it encrypts your personal files with a secure encryption algorithm. All of this is done on the grounds that you have downloaded pirated material. We want to assure you that this infection has nothing to do with the aforementioned government agencies.

Regardless, VirLock Ransomware wants you to pay a 0.652 BTC (438 USD) “fine”, which is nothing short of a ransom. The cyber criminals try to scare you by stating that copyright infringement is a federal crime which carries penalties of up to five years in prison or a 250,000 USD fine. They say that if you pay the smaller fine, then the ransomware will decrypt the files and unlock the screen, but you should not trust them. There is a way to bypass the lock screen: all you have to do is press Alt+Tab to close its interface and proceed with the removal.

Our malware researchers have tested VirLock Ransomware and found a way to delete it manually. In short, you have to boot your computer in Safe Mode (preferably Safe Mode with Networking if you want to download an antimalware program) and then go to the locations where this ransomware has dropped its files and delete them. You should also remove the registry keys in Windows Registry. However, we want to note that its three executables are named randomly using upper case and lower case characters. Therefore, if you cannot locate them, then download SpyHunter because it can find and eliminate those files.

VirLock Ransomware Removal

Windows XP

  1. Restart the computer.
  2. Press and hold the F8 key as your computer restarts.
  3. On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press Enter.
  4. Log on to your computer.

Windows 7 & Vista

  1. Click the Start button, click the arrow next to the Shut Down button, and then click Restart.
  2. Press and hold the F8 key as your computer restarts.
  3. On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press Enter.
  4. Log on to your computer with a user account that has administrator rights.

Windows 8 & 8.1

  1. Hold down the Windows+C keys, and then click Settings.
  2. Click Power, hold down Shift on your keyboard and click Restart.
  3. Click Troubleshoot.
  4. Select Advanced options, and select Startup Settings.
  5. Click Restart and press 5 on your keyboard to Enable Safe Mode with Networking.

Windows 10

  1. Press the Start button and then the Power button.
  2. Hold down the Shift key and select Restart.
  3. In the resulting, full-screen menu, select Troubleshoot.
  4. Select Advanced options and click Startup Settings.
  5. In the Startup Settings screen, press Restart.
  6. The PC will reboot and bring you to a Startup Settings screen.
  7. Select Enable Safe Mode with Networking.

Delete this ransomware’s executables

  1. Hold down the Windows+E keys.
  2. In the File Explorer’s address bar, enter the following locations.
    • %ALLUSERSPROFILE%\dekAoYQc\
    • %ALLUSERSPROFILE%\mcMUcIAk\
    • %USERPROFILE%\nWUwAokA\
  3. Find and delete this ransomware’s executables (e.g. tOEQMwww.exe, TOgggoow.exe, tEwkkIIo.exe)

Delete the registry keys

  1. Hold down the Windows+R keys.
  2. Type regedit in the box and click OK.
  3. Go to the following key, depending on your OS’s architecture.
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run (Win 32-bit)
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (Win 64-bit)
  4. Find the randomly named executable (e.g. tOEQMwww.exe)
  5. Right-click it and click Delete.
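
Because the folder and file names are random, a read-only listing of candidates can help you find them before you delete anything. The PowerShell script below is an added example, not part of the original guide; it assumes PowerShell is available in your Safe Mode session and that the names are eight mixed-case letters, as in the examples above. The function names are hypothetical.

```powershell
# Added example (read-only): lists candidates, deletes nothing.
# Assumption: folder and file names are 8 ASCII letters of mixed case,
# generalised from this page's examples (dekAoYQc, tOEQMwww.exe).
$roots   = @($env:ALLUSERSPROFILE, $env:USERPROFILE)
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')

function Test-RandomName {
    param([string]$Name)
    # -cmatch is case-sensitive: exactly 8 letters, at least one of each case
    ($Name -cmatch '^[A-Za-z]{8}$') -and ($Name -cmatch '[A-Z]') -and ($Name -cmatch '[a-z]')
}

function Test-SuspectExePath {
    param([string]$Data)
    # Pull the .exe path out of a Run value that may be quoted or carry arguments
    if ($Data -match '^\s*"?([A-Za-z]:\\[^"]*?\.exe)') { $exe = $Matches[1] } else { return $false }
    $folder = Split-Path -Path $exe -Parent
    $parent = Split-Path -Path $folder -Parent
    # Suspect = <profile root>\<random folder>\<random name>.exe
    ($roots -contains $parent) -and
        (Test-RandomName (Split-Path -Path $folder -Leaf)) -and
        (Test-RandomName ([IO.Path]::GetFileNameWithoutExtension($exe)))
}

function Get-SuspectRunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }   # Wow6432Node is absent on 32-bit Windows
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if (Test-SuspectExePath $data) {
                New-Object PSObject -Property @{ Key = $key; ValueName = $name; Data = $data }
            }
        }
    }
}

function Get-SuspectExecutable {
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and (Test-RandomName $_.Name) } |
            ForEach-Object { Get-ChildItem -Path $_.FullName -Filter *.exe -Force -ErrorAction SilentlyContinue } |
            Where-Object { Test-RandomName $_.BaseName } |
            Select-Object FullName, Length, LastWriteTime
    }
}

Get-SuspectRunEntry   | Format-List
Get-SuspectExecutable | Format-List
```

Treat the output as candidates to review, not a verdict: ordinary folder names such as Contacts or Pictures also fit the eight-letter pattern, so confirm each path before deleting it.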

In non-techie terms:

VirLock Ransomware is not your average ransomware-type infection because it is set to impersonate US federal law agencies and demand that you pay a “fine”, which is really a ransom payment for the decryption key needed to decrypt your files and get back control of your PC. This ransomware is easy to delete. Just follow the guide above, but if you have trouble locating its files, then use our recommended antimalware program.