How to remove XData virus and restore encrypted files

Xdata is a new ransomware that appeared a few days ago, and in Ukraine it has already infected more computers than the WannaCry ransomware. This is very strange, because WannaCry used a breach in the Windows OS and spread automatically. We still don't know how Xdata spreads. In fact, very little is known about Xdata, but we will try to give you the full picture of the situation.


XData ransomware virus


Xdata was discovered by security researcher MalwareHunter. The virus sample was submitted to his resource for ransomware victims, called ID-ransomware. We know that the virus uses the AES encryption algorithm to encrypt the victim's files, and we know the names of the processes it runs while performing the encryption: mssql.exe, msdns.exe, msdcom.exe, mscomrpc.exe. If you see these processes in your Task Manager, you should immediately shut down the PC and boot it in safe mode to clean it of the virus. There is no information about the amount of the ransom, so we can suppose that the scammers determine the sum separately for each victim. This also tells us that the virus somehow interacts with the hackers' C&C server, to transmit information about the quantity of files on the user's PC and their estimated cost. The encrypted files have new extensions: ~xdata~ or new.~xdata~.




For now, most Xdata victims are from Ukraine, but there are reports from Russia, Germany and other countries around the world. There are no 100% effective ways to recover your files, and no reports of successful recovery after paying the ransom, so an Xdata victim does not have many options. We advise you to remove the virus from the system, so that you can work freely and download new files without losing them. After that, you should wait until a decent decryptor is developed. Of course, you can pay the ransom, but you should realize that you might be tricked again: the scammers may be unable to decrypt the files, or may refuse to and ask for more money. Here are the instructions to remove Xdata from the system, and below them you'll find a few tips about possible ways of data recovery.

How to remove XData Virus



Removal instructions




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel
  • Select Appearance and Personalization
  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives
  • Press Ok


Step 3. Remove virus files


Check the following folders for suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder
  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot
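
The checks from Steps 3 to 5, plus the process names listed earlier, can be collected in one read-only pass. This is an added example, not part of the original instructions; it assumes Windows PowerShell 3.0 or later, and the list of file extensions treated as worth reviewing is an assumption.

```powershell
# Added example: read-only triage of the indicators named on this page.
# Nothing is deleted or changed; review the output before removing anything.

Write-Host '== Processes the page associates with encryption =='
# Get-Process matches on the name without the .exe suffix.
Get-Process -Name mssql, msdns, msdcom, mscomrpc -ErrorAction SilentlyContinue |
    Format-Table Name, Id, Path -AutoSize | Out-Host

Write-Host '== Step 3: newest executables and scripts in %TEMP% and %ProgramData% =='
# Assumption: these extensions are the ones worth a manual look.
$exts = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1'
foreach ($dir in $env:TEMP, $env:ProgramData) {
    Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $exts -contains $_.Extension.ToLower() } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 25 |
        Format-Table LastWriteTime, Length, FullName -AutoSize | Out-Host
}

Write-Host '== Step 4: active (non-comment) hosts entries =='
# On Windows 7 and later the default hosts file has only comment lines,
# so every line printed here was added later, by software or by hand.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -LiteralPath $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' }

Write-Host '== Step 5: autostart values =='
$subKeys = 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce'
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in $subKeys) {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            '{0}  [{1}] = {2}' -f $key, $name, $item.GetValue($name)
        }
    }
}
# Userinit normally points at userinit.exe in System32, followed by a comma.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
'Userinit = ' + (Get-ItemProperty -LiteralPath $winlogon).Userinit
```

Run it from safe mode before deleting anything, and keep the output so you can compare it with a second run after cleanup.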

How to restore files encrypted by XData

As we said earlier, there is no way to decrypt files encrypted by Xdata, but you can restore them in a few ways. The first and most reliable way is to load the backups. If you have no backups, it becomes more complicated, because the other ways might not work, and their efficiency depends on your system settings and personal attentiveness.

The first method is to recover the data from shadow copies. The Shadow Copies Service is a built-in Windows feature that allows you to recover deleted or changed data. All modern ransomware viruses can delete shadow copies, but this action requires administrator rights. When the virus tries to do this, you see a dialogue window with a simple question: “Do you allow this program to apply changes to the system?”. If you answered “yes” and confirmed the changes, you won't be able to recover the files in this way. There are also other ways of recovery, with the help of the Recuva or ShadowExplorer recovery tools. You can find all the needed instructions and download these programs on the official websites of their developers.

  • Click Start
  • Click Control Panel
  • Click System and Security
  • Select Backup and Restore
  • Select Restore files from backup
  • Select checkpoint to restore
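
Whether the shadow-copy route described above is still open can be checked before any recovery tool is installed. The following is an added example, not from the original article; it assumes Windows PowerShell 3.0 or later and an elevated prompt, `$Root` is a placeholder for the folder you want to survey, and using file write times to estimate when encryption began is a heuristic.

```powershell
# Added example: read-only survey of encrypted files and surviving shadow copies.
# Run from an elevated prompt; querying Win32_ShadowCopy usually fails otherwise.
$Root = $env:USERPROFILE   # assumption: folder to survey, change as needed

# Files whose names end in the extension the page reports (~xdata~).
$encrypted = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*~xdata~' })
Write-Host ('{0} encrypted file(s) under {1}' -f $encrypted.Count, $Root)

# Folders with the most encrypted files show where a restore matters most.
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 | Format-Table Count, Name -AutoSize | Out-Host

# Heuristic (assumption): the oldest write time on an encrypted file
# approximates when encryption started.
$firstHit = $null
if ($encrypted.Count -gt 0) {
    $firstHit = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    Write-Host "Earliest encrypted file written: $firstHit"
}

# Shadow copies that still exist on this machine, oldest first.
try {
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop |
        Sort-Object InstallDate)
} catch {
    Write-Warning "Shadow copy query failed (prompt not elevated?): $_"
    $shadows = $null
}

if ($null -eq $shadows) {
    Write-Host 'Shadow copy state unknown.'
} elseif ($shadows.Count -eq 0) {
    Write-Host 'No shadow copies found: they were deleted or never enabled.'
} else {
    $shadows | ForEach-Object {
        [pscustomobject]@{
            Created            = $_.InstallDate
            PredatesEncryption = ($null -ne $firstHit -and $_.InstallDate -lt $firstHit)
            Volume             = $_.VolumeName
            Device             = $_.DeviceObject
        }
    } | Format-List | Out-Host
}
```

A shadow copy marked `PredatesEncryption : True` is the one worth opening in ShadowExplorer; if none is listed, restoring from backups is the remaining route.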



