How to remove Xdata (~xdata~) ransomware and restore information

The last month was marked by a huge wave of infections by the ransomware known as WannaCry. This virus passed through the world like a plague, infecting tens of thousands of computers of ordinary users and the networks of many large organizations. After the virus appeared, Microsoft released an update that closed the vulnerability through which the virus penetrated computers. News of this quickly spread across the Web, and many users who had not previously encountered ransomware decided that all such viruses were defeated with a single patch and that their computers had become completely protected from any ransomware. Unfortunately, this is not true, and a new virus called XData, which has just begun to gain strength in different countries of the world, serves as evidence.

The XData virus is a standard ransomware and uses standard methods of penetrating computers, such as spam, malicious e-mail attachments, bundled installation, Trojan viruses and so on. The virus has a description in English and is actively distributed around the world. If you see files from this list on your computer: msaddc.exe, mscomrpc.exe, msdcom.exe, msdns.exe, mssecsvc.exe, mssql.exe – it means that the virus is already in the system. The virus can encrypt files with all the most popular extensions. It encrypts text documents, Word documents, Excel spreadsheets, MS Office, OpenOffice and PDF files, as well as all kinds of images, video recordings and audio recordings. Literally all the files on your PC will be encrypted using the AES algorithm, and you cannot decrypt them yourself. There is no fixed ransom amount, so the amount will be calculated based on the number of files on the computer and their estimated value.
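As an added example (not part of the original article), the PowerShell below sweeps a drive for the file names listed above and records the hash and signature status of each hit, then checks running processes for the same names. The function name Find-XDataFileName is hypothetical; the hash and signature columns help confirm a hit before anything is deleted.

```powershell
# Added example: the file names are the ones listed in the article above.
$XDataNames = 'msaddc.exe', 'mscomrpc.exe', 'msdcom.exe',
              'msdns.exe', 'mssecsvc.exe', 'mssql.exe'

function Find-XDataFileName {
    param(
        # Folder(s) to sweep; defaults to the system drive (assumption).
        [string[]]$Root = @("$env:SystemDrive\"),
        [string[]]$Name = $XDataNames
    )
    # -Force includes hidden and system files; unreadable folders are skipped.
    Get-ChildItem -Path $Root -Include $Name -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                SHA256    = $hash.Hash          # empty if the file is locked
                Signature = $sig.Status         # e.g. Valid, NotSigned, HashMismatch
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

function Get-XDataProcess {
    param([string[]]$Name = $XDataNames)
    # Process names carry no extension, so append '.exe' before comparing.
    Get-Process |
        Where-Object { $Name -contains ($_.Name + '.exe') } |
        Select-Object Id, Name, Path, StartTime
}

# Run from an elevated prompt so protected folders can be read.
Find-XDataFileName | Format-List
Get-XDataProcess   | Format-Table -AutoSize
```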

Most of the methods that XData uses to penetrate computers aren’t based on software vulnerabilities but on the human factor. Now we will explain in detail the most popular ways in which viruses penetrate computers, and tell you how to protect yourself from them.

First of all, you should know that the only effective way to protect your data from a ransomware attack is to back it up regularly. The backup should be stored on an external storage device, disconnected from the computer or network, so that in case of infection you will be able to restore the undamaged data. Naturally, you need to completely remove the virus from your computer first, otherwise it can recover and encrypt the backups by infecting the external media itself.

So, the most common and effective way to infect the system is to send e-mail messages. Such messages are of different types, but all are built on the same principle. The first (text) part of the message should interest the user and show him that the contents of the message are important to him. If the virus is aimed at ordinary users, then in this part the potential victim is notified that he has received a lottery prize or a parcel. The letter is made using the logos of well-known companies, carriers or online stores, such as FedEx, DHL, Amazon and so on. All that is required from the user is to open the attached file and print it. If the virus is aimed at infecting entire networks, the letters are composed in such a way that any office worker can decide that the letter has come to the right address. Such letters are made in the form of bills, acts, sometimes court subpoenas or resumes of applicants for a vacancy. Naturally, such letters also have attachments that need to be opened in order to get acquainted with the details.

The second most popular way is bundled installation. This method is widely used to distribute adware. The essence of it is to create a package of programs, among which one is useful and all the others are viruses. During the installation, the user is offered two installation methods: one installs all programs from the bundle at once, and the other is a selective installation. If the user does not read what is written in the pop-up windows and quickly confirms them, then he will surely install all the viruses.

And, finally, the third most popular way is installation by a viral installer. This is a program that, having penetrated the system, automatically downloads and installs software on the computer. Such programs can install literally anything on your PC, from adware to the most dangerous viruses. Fortunately, if you use a decent antivirus program, such viruses will be detected and removed very quickly. At the moment, a program for decrypting files infected with the XData virus has not yet been created, which means that you need to remove the virus from the computer and wait. Of course, you can pay the scammers, but there is no guarantee that the files will be returned after the ransom is paid.

How to delete Xdata Virus

Removing XData is a very important task, and we do not recommend doing it manually. Any ransomware is very carefully protected from deletion, and some can even "punish" the user for attempting to remove them. If you cannot completely remove the virus from your computer, it will recover and encrypt the files again, and maybe even delete some of them. Under this paragraph you will find detailed instructions for removing XData, provided with all necessary hints, screenshots and video for maximum convenience.

Step 1. Boot into Safe mode

Start -> Msconfig.exe

On the Boot tab, select Safe boot

Step 2. Check Startup folder

Start -> Msconfig.exe -> Disable unknown programs in the Startup tab


Step 3. Check hosts file

Modify the hosts file, which is located in C:\Windows\System32\drivers\etc\ .

Open the file with Notepad and delete suspicious strings.

It has to look like this:

[Screenshot: hosts file, step 3]

Step 4. Scan the system with antiviral scanner


Why we recommend SpyHunter antimalware

Detects most kinds of threats: malicious files and even registry keys of malware will be found

Protects your system in the future

24/7 free support team

SpyHunter's scanner is only for malware detection. If the program detects infected elements on the computer, you will need to purchase the malware removal tool for $39,99 to delete threats. SpyHunter has a Free Trial for one remediation and removal, subject to a 48-hour waiting period. Uninstall steps and additional information: EULA, Privacy Policy and Threat Assessment Criteria.

Step 5. Disable Safe mode

Start -> Msconfig.exe -> Disable Safe boot in the Boot tab
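The checks in Steps 2 and 3 can also be done as a read-only audit from PowerShell; this is an added example, not part of the original instructions, and it changes nothing on the system. The function names Get-StartupEntry and Get-SuspiciousHostsEntry are hypothetical, and treating only loopback mappings for "localhost" as expected is an assumption to adjust if you maintain your own hosts entries.

```powershell
# Added example: read-only audit for Steps 2 and 3. Nothing is modified.

# Step 2: auto-start entries from the Run registry keys and Startup folders.
# Services and scheduled tasks are not covered by this class.
function Get-StartupEntry {
    Get-CimInstance -ClassName Win32_StartupCommand |
        Select-Object Name, Command, Location, User
}

# Step 3: active hosts lines other than a loopback mapping for 'localhost'.
function Get-SuspiciousHostsEntry {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")

    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++
        # Drop comments and surrounding whitespace; skip lines left empty.
        $active = ($line -replace '#.*$', '').Trim()
        if (-not $active) { continue }

        $fields    = $active -split '\s+'
        $address   = $fields[0]
        $hostNames = @($fields | Select-Object -Skip 1)

        $isLoopback    = $address -in '127.0.0.1', '::1'
        $onlyLocalhost = ($hostNames.Count -gt 0) -and
                         -not ($hostNames | Where-Object { $_ -ne 'localhost' })

        if (-not ($isLoopback -and $onlyLocalhost)) {
            [pscustomobject]@{
                Line    = $lineNo
                Address = $address
                Names   = $hostNames -join ' '
            }
        }
    }
}

Get-StartupEntry         | Format-Table -AutoSize -Wrap
Get-SuspiciousHostsEntry | Format-Table -AutoSize
# A recent LastWriteTime on the hosts file is itself worth noting.
Get-Item "$env:SystemRoot\System32\drivers\etc\hosts" -Force |
    Select-Object FullName, LastWriteTime, Attributes
```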
