How to remove (uninstall) DeriaLock ScreenLocker

DeriaLock ScreenLocker was discovered a few days ago, in the run-up to Christmas. This virus belongs to the ransomware category, screen locker subtype, and demands a ransom of $30 to unlock the screen.

Ransomware is the most dangerous type of virus distributed over the Internet. It can be divided into two types: encrypting viruses and screen lockers. Encrypting viruses inflict the most damage by encrypting all data on the computer and demanding a ransom. The ransom amounts vary, and in some cases the sum demanded from an average user can exceed $1,000 (as, for example, in the case of Cerber and Locky). These viruses do not harm the computer itself, but deny the user access to their own files. Screen lockers, by contrast, do not touch the files on your computer and simply do not allow you to use it. Usually a screen locker puts a full-screen banner on the user's desktop, covering all the shortcuts, the Start menu and the Taskbar. DeriaLock belongs to the second type.

DeriaLock’s behavior, for the most part, is no different from that of other similar programs. The virus enters the user's computer and installs itself at this path:

C:\users\appdata\roaming\microsoft\windows\start menu\programs\startup\SystemLock.exe

Once this file runs, it displays a banner on the user's screen with a message saying that the system is locked and explaining how to pay. Here is the message:

Your System has Locked!
If you try to restart you PC ALL data will delete.
If you want your data back, pay 30 USD.


Is give no other way to get you computer/data back exdcept to pay a special Key.
You can buy the Key at the following Skype account: "arizonacode".
If you contact the bellow named Skype account send him you HWID the bottom left is to be seen.
If you Spamming the skype account, you can't get you data back
After you buy the key, paste him into the textbox.

Obviously, this is a kind of inside joke among ransomware developers: to make as many misspellings as possible in the ransom messages. Whatever the case, the creators of DeriaLock clearly won this competition, as their text contains a few errors in each line. In addition to the errors, the banner has two buttons which, according to the original idea, were meant to show a translation of the text into Spanish and German. Unfortunately, only the German button works.

Among hackers, as among counterfeiters, it is customary to mark their product so as not to fall victim to it themselves. In this case, before infecting a computer, DeriaLock reads its MachineName identifier and compares it with a value hard-coded in the malware. The virus is triggered only if the values do not match. This value, obviously, belongs to the creator of the virus.

DeriaLock, like other viruses of this type, can be easily disabled and removed by starting the computer in Safe mode. If you try to close the banner with the Alt+F4 keys, you will see a box that says "Nice try mate =) I think this is a bad decision". The exact distribution method is still unknown, as is the method of payment preferred by the fraudsters. We can say that contacting victims via Skype is pretty risky and may result in the capture of the criminal, but so far there is no evidence of this. Until that happens, you can remove DeriaLock using this method:

Step 1. Boot into Safe mode

Start -> Msconfig.exe

On the Boot tab, select Safe boot

Step 2. Check Startup folder

Start -> Msconfig.exe -> Disable unknown programs in the Startup tab


Step 3. Check hosts file

Edit the hosts file, which is located in C:\Windows\System32\drivers\etc\ .

Open the file with Notepad and delete any suspicious lines.

It has to look like this:

Step 4. Scan the system with an antivirus scanner


Why we recommend SpyHunter antimalware as a removal tool

Removes virus fully: all files and even registry keys of malware will be deleted

Protects your system in the future

24/7 free support team

Step 5. Disable Safe mode

Start -> Msconfig.exe -> Disable Safe boot in the Boot tab
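
One way to script the checks from Steps 2 and 3 while the machine is still in Safe mode, as an added example that is not part of the original guide: a read-only PowerShell audit that lists what sits in the Startup folders and which hosts entries are active. The function names Get-StartupItem and Get-HostsEntry are hypothetical; the SystemLock.exe file name comes from the install path given above.

```powershell
# Added example: read-only audit for Steps 2 and 3. Nothing is deleted or changed.

# Per-user and all-users Startup folders, as resolved by Windows itself.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup')
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Get-StartupItem {
    param([string[]]$Path)
    if (-not $Path) { return }                      # no Startup folder found
    Get-ChildItem -LiteralPath $Path -File -Force |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                # File name taken from the install path quoted in the article.
                NameMatch = $_.Name -eq 'SystemLock.exe'
                Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Get-HostsEntry {
    param([string[]]$Line)
    foreach ($l in $Line) {
        $text = ($l -replace '#.*$', '').Trim()     # strip comments
        if (-not $text) { continue }                # blank or comment-only line
        $address, $names = $text -split '\s+'       # first token is the IP
        foreach ($name in $names) {
            [pscustomobject]@{ Address = $address; HostName = $name }
        }
    }
}

Write-Host '--- Startup folder items ---'
Get-StartupItem -Path $startupDirs | Format-List

Write-Host '--- Active (uncommented) hosts entries ---'
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-HostsEntry -Line (Get-Content -LiteralPath $hostsFile) | Format-Table -AutoSize
```

On current Windows versions the default hosts file contains only comment lines, so every row in the second listing deserves a look. The SHA256 value lets you check an unknown Startup item against a scanner or reputation service before deleting it.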

While running on the user's computer, DeriaLock periodically polls its main C&C server for updates and checks for a particular file called "unlock-everybody.txt". Judging by the file name, you can assume that if the scammer wants to terminate the virus, he only needs to change the contents of this file.

The DeriaLock screen locker was discovered by malware analyst Karsten Hahn on 24 December, and two days later he reported that he had found samples of the virus which encrypt files, giving them the .deria extension. If you are a victim of this virus, we have good news for you: one of the members of the BleepingComputer community, Michael Gillespie, found a file decryption method. If your encrypted files have the .deria extension, you can decode them by contacting Michael via his Twitter account or BleepingComputer profile.
