Ransomware Removal

How to Remove Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

I crypted all your important data
I stored the crypted data in your hard disk.
If you want to become your date back, send me an email containing your ip adress.
Your ip adress: [your real IP address]
is an email address. It looks ordinary, but is far from it. Sure, the address itself is rather standard. But it’s what lurks behind it that should concern you. It renders the address one you’d never want to use. Ever. Yes, that sounds dramatic. But it’s true nonetheless. And here’s why. The email address is affiliated with a ransomware infection. One with a twist, which we’ll get into a bit later.

After you become the latest in a long line of victims of cyber extortion, the criminals provide you with said email. They demand you use it to contact them. Don’t. That’s the short, concise version. Just don’t. Do NOT contact these people using that address. If you reach out to these cyber kidnappers, you only bury yourself deeper in trouble. And you’re already pretty deep into the abyss of disaster.

Ransomware tools follow pretty specific programming. Invade. Encrypt. Extort. It’s as simple as that. The infection you’re stuck with follows the same rules. It infiltrated your system via slyness and finesse. It corrupted each of your files. And it is now in the process of extorting you for money. That’s the end game for all such programs.

But here’s the thing. It’s not just money they’re after. It’s also information. And not just the information they encrypted. We’re talking about your personal and financial details. Do you know how they manage to get it? Well, through you. Yes, the ransomware dupes you into handing it to them yourself. That happens after you choose to contact them and pay the ransom they request. That’s the wrong choice. Don’t make it. If you transfer the ransom payment, you allow these people into your private life. If you pay up, you have to put in your private information. And you place it right in the hands of cyber criminals. Do NOT exchange ANYTHING with the extortionists behind the ‘’ ransomware. You WILL regret it.

How did I get infected with?

Ransomware doesn’t appear on your PC as if by magic. And, neither did the one behind the nasty email. The fact of the matter is, you agreed to allow it into your system. Yes, you. The program asked whether you consent to install it, and you did. Such tools cannot enter a system without the user’s permission. So, how do you suppose that happened? Surely, if you saw a ransomware trying to sneak in, you would have stopped it? Right? Well, somewhat right. In actuality, you weren’t really looking, so you saw nothing. Confused? Let’s explain. The infection doesn’t just come out and seek access. That way, you’ll simply refuse it. So, to avoid rejection, it asks you in the most covert way possible. It still asks, and follows programming. It just does it in a way that if you’re not careful, it sneaks in undetected. It’s a loophole. And, quite the useful one, indeed. Such programs tend to use the old but gold means of infiltration to gain entry. That includes hitching a ride with freeware, corrupted links, fake updates, spam email attachments, and so on. There are plenty of ways to deceive you. Don’t allow that to happen! Infections prey on carelessness. So, don’t grant it!


Why is dangerous?

The LoveServer ransomware, as some users have dubbed it, is a peculiar case. It’s a pretty standard ransomware, except that it’s not quite a ransomware infection. It’s more of a Trojan with encrypting capabilities. The LoveServer tool doesn’t encrypt individual files. It doesn’t do what most ransomware does. It doesn’t follow the beaten path of encrypting each file separately. LoveServer doesn’t lock each one, individually, with an extension. Instead, the encrypting Trojan does something else. It takes all of your files and transfers them to an archive. As you’ve probably guessed by now, that archive is password-protected. It’s called ‘BACKUP DONT DELETE.’ And it lacks any sort of extension.

That vault has your data locked. The folders which used to contain it are still on your PC. But they are empty. The tool makes sure to give you just one place you can find your files. And it’s the vault. To get into it, you have to pay up. That’s where the email address comes into play. If you contact the kidnappers and follow their instructions, they promise you’ll have your data back. And why would malicious cyber criminals, who invade your PC and extort you, lie?

Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open Task Manager by pressing the CTRL+SHIFT+ESC keys simultaneously.
  • Locate the process of the ransomware. Keep in mind that this is usually a randomly generated file.
  • Before you kill the process, type its name in a text document for later reference.
  • Locate any suspicious processes associated with the encryption virus.
  • Right-click on the process.
  • Open File Location.
  • End Process.
  • Delete the directories with the suspicious files.
  • Keep in mind that the process can be hidden and very difficult to detect.

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate the encryption virus startup location

  • Once the operating system loads, press the Windows logo key and the R key simultaneously.


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or

  • and delete the display Name: [RANDOM]


  • Then open Explorer, navigate to your %appdata% folder and delete the executable.

Alternatively, you can use the Windows msconfig program to double-check the execution point of the virus. Keep in mind that the names on your machine might be different, as they might be generated randomly; that’s why you should run a professional scanner to identify malicious files.
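The manual review in STEP 1 and STEP 3 can be cross-checked with a read-only PowerShell listing of the two Run keys named above. This is an added example, not part of the original instructions; the list of user-writable folders and the way the executable is pulled out of each command line are assumptions made for illustration, and nothing is deleted or changed.

```powershell
# Added example: read-only review of the Run keys from STEP 3. Nothing is deleted.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Assumption: per-user locations a dropper can write to without admin rights.
$userDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }
# Executable paths of running processes, to tie an entry back to STEP 1.
$running = @(Get-Process -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Path } | Where-Object { $_ })

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = ([string]$regKey.GetValue($name)).Trim()
        if (-not $command) { continue }
        $command = [Environment]::ExpandEnvironmentVariables($command)

        # Pull the executable out of the command line: quoted path first,
        # then anything up to ".exe", then the first whitespace-separated token.
        if     ($command -match '^"([^"]+)"')    { $exe = $Matches[1] }
        elseif ($command -match '^(.+?\.exe)\b') { $exe = $Matches[1] }
        else                                     { $exe = ($command -split '\s+')[0] }

        $inUserDir = $false
        foreach ($dir in $userDirs) {
            if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $inUserDir = $true }
        }
        # -Force is needed to see files carrying the Hidden attribute (see STEP 2).
        $file = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Exe       = $exe
            InUserDir = $inUserDir
            Hidden    = [bool]($file -and ($file.Attributes -band [IO.FileAttributes]::Hidden))
            Signature = if ($file) { [string](Get-AuthenticodeSignature -LiteralPath $exe -ErrorAction SilentlyContinue).Status } else { 'FileMissing' }
            Running   = $running -contains $exe
        }
    }
}
# Entries in user-writable folders sort first; review those before deleting anything.
$findings | Sort-Object InUserDir -Descending | Format-Table -AutoSize -Wrap
```

An entry that sits in a user-writable folder, is hidden, is unsigned and is currently running matches the pattern the steps above describe; legitimate software can also match some of these columns, so treat the table as a shortlist for the scanner rather than a verdict.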

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.


  • Method 2: File Recovery Software – Usually, when the ransomware encrypts a file, it first makes a copy of it, encrypts the copy, and then deletes the original. Because of this, you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the drive you want to recover. Right-click on any file you want to restore and click Export on it.
