LowLevel04 ransomware / virus (Improved Guide)

LowLevel04 virus Removal Guide

What is LowLevel04 ransomware virus?

What can we expect from the LowLevel04 revival?

LowLevel04 virus is a relatively old cyber infection which has been first spotted over a year ago — back in October 2015. According to the user reports, it then targeted computers located in Bulgaria and Greece but didn’t seem to have grown into anything bigger. However, recently, after months of silence, the virus distribution began picking up speed again, and new reports about LowLevel04 attacks are now becoming increasingly more frequent. Interestingly enough, the virus does not seem to have undergone any improvements or modifications during the silent period. It still targets Remote Desktop or Terminal Services and brute forces its way to the device by cracking their weak passwords. It has also been reported that apart from attacking individual computers, LowLevel04 also aims at servers. This makes the virus a great risk not only to the private users but to some larger companies as well. Thus, you should always let professional antivirus software like, for instance, FortectIntego keep an eye on your PC for you.

Image of the LowLevel04 ransomware virus

So, how does LowLevel04 actually work? Well, first of all, it is a ransomware-type virus, so its main purpose is to encrypt the files located on the infected computer and demand their owners to buy them out. The files are usually encrypted with a complex AES algorithm which is virtually impossible to decrypt, so the regular users are simply forced to follow the extortionists’ demands if they ever want to access their files again. Besides, the virus also leaves no choice of recovering these files from backup or Dropbox since it encrypts files on these platforms as well. The only way that is still valid and can be used for the data recovery is Shadow Volume Copies. The virus does not delete them. You can learn how to recover your important documents from these backup files in the tutorial just below the LowLevel04 removal instructions.

In other aspects, LowLevel04 ransomware does not seem to differ from other programs of the same category. Once it encrypts the predetermined files on the infected computer, it renames them by adding a oorr. at the beginning of every file title. The virus also drops a ransom note called Help recover files.txt in which the hackers explain what happened to victim’s computer and introduce conditions which have to be met in order to receive the file decryption key. They begin the note with the mocking “Good day, isn’t it?” and continue by demanding 4 Bitcoin for the data decryption. The note also contains two email addresses entry122717@gmail.com and entry123488@india.com for the victims to contact the criminals directly. Unfortunately, users report that this “support” email is only active until you pay the ransom. As soon as the money is transferred, the criminals simply disappear without a trace. Thus, we strongly recommend not to follow the criminals demands if you ever get infected either and hurry to remove LowLevel04 from the computer instead.

How does this virus access computers?

As we have mentioned, LowLevel04 usually gets installed on the computers directly by the criminals who exploit Remote Desktop or Terminal Services access. When they manage to crack the targeted computer’s password, the hackers can then download the malicious payload to the system undetected. To prevent such an intrusion, you should make sure your network is protected with a powerful password, and that is protection is backed-up by a reputable antivirus utility. Also, keep in mind that direct installation is the least effective and most risky way to spread ransomware around, so it is possible that LowLevel04 creators also employ other system infiltrations techniques, for instance, malicious spam campaigns or corrupt software update notifications.

LowLevel04 removal strategies:

As a disclaimer, we want to emphasize that LowLevel04 removal instructions which we provide below should only be used if the virus is blocking your antivirus from scanning the system. These steps only help decontaminate the LowLevel04 virus, but they do not eliminate the infection. To remove the virus, you should use reputable and professional antivirus tools. It is also recommended that you remove LowLevel04 using Windows Safe Mode without networking, because the virus is mostly controlled via the web, so, blocking this access you have significantly greater virus elimination chances.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of LowLevel04 virus. Follow these steps

Manual removal using Safe Mode

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove LowLevel04 using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of LowLevel04. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that LowLevel04 removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove LowLevel04 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by LowLevel04, you can use several methods to restore them:

Data Recovery Pro method

Data Recovery Pro is an automatic data recovery software that can be used by professionals and by less experienced users alike. To learn how to use this tool, please read the instructions below.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by LowLevel04 ransomware;
  • Restore them.

Windows Previous Versions feature method

Using this method, you will not recover your whole system, but you might be able to retrieve individual files. If you have a couple of documents that you desperately need to get back, follow the guidelines below.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer method

This technique is probably your best option with the LowLevel04 virus, since it does not destroy Volume Shadow Copies which are needed for the data recovery. To learn how use Shadow Explorer properly, follow the steps indicated below.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from LowLevel04 and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions