Severity scale: 96/100

XData ransomware virus. How to remove? (Uninstall guide)

removal by Gabriel E. Hall | Type: Ransomware

XData ransomware wreaks havoc in Ukraine, surpassing WannaCry’s extent

The XData virus is ransomware that encrypts files with the AES encryption algorithm[1]. The malicious program seems to be attacking mainly Ukraine, although there are victims in Russia, Estonia and Germany[2]. The virus has quite a plain design, as it does not launch its own GUI. Instead, it opens HOW_CAN_I_DECRYPT_MY_FILES.txt, which contains instructions on how to locate the ID and contact the hackers by email. Surprisingly, the perpetrators list as many as 6 addresses: beqins@colocasia.org, bilbo@colocasia.org, frodo@colocasia.org, trevor@thwonderfulday.com, bob@thwonderfulday.com, bil@thwonderfulday.com. The domain names suggest that the hacker was in a good mood when creating the malware; victims, however, experience a feeling far from joy. Not only are their files now marked with the .~xdata~ file extension, but they remain locked as well. Furthermore, it seems that the malware is based on a trojan which emerged several years ago, HEUR:Trojan.Win32.Generic. It also seems that the malware uses more than 20 IP addresses to cover its tracks. Until a decryption tool is created, we recommend that you proceed to XData removal. For that purpose, you may find Reimage or Malwarebytes Anti Malware useful.

The ransom note suggests that the malware employs an ordinary encryption method, specifically a public key, to encode users' data. As a rule, in order to decrypt the files, users need to obtain a unique private key. The cyber criminals seem to be using a Command and Control server to store the key. This feature also gives them more flexibility to manage several registered domains and, likewise, more anonymity. Furthermore, the perpetrators ask users to find their ID by locating the file with the .key.~xdata~ file extension and then to contact the hackers via the indicated email addresses. The ransom note left by XData ransomware does not state any specific ransom amount. This peculiarity might be explained in two ways: either the hackers forgot to provide it, or they are ready for negotiations. In any case, we do not recommend contacting the criminals. It is understandable if you decide to risk paying the money, but note that there is no guarantee that the hackers will return the files[3]. Thus, you might want to remove XData completely.

Updated on May 22, 2017. A few days after XData ransomware first emerged, researchers noticed that the virus mainly rampages in Ukraine[4]. Surprisingly, researchers report that in just one day the virus managed to infect four times more computers than the infamous WannaCry did in a whole week. What is shocking is that WannaCry was mainly acting on a global scale, while the new virus mainly targets only one country. It is no surprise that the XData virus jumped into second position among the most active ransomware families on May 19; the only virus that it failed to surpass was Cerber.

Illegal methods used to distribute ransomware

In order to multiply the number of infected computers, the developers might be using several distribution methods. The most popular of them is targeting users with spam emails. Note that emails which report undelivered packages or present invoices or other important documents might be fake and hide a highly troublesome virus. Thus, by opening such a file, you may allow XData ransomware or another ransomware[5] to infect your computer. The ransomware starts these processes on an infected host: msaddc.exe, mscomrpc.exe, msdcom.exe, msdns.exe, mssecsvc.exe, mssql.exe and msdcom.exe. To lower the risk of infection, a proper security application should be installed. If you already have one and it has just quarantined one of the following detections (Trojan.Heur.TP.E72C6B, Gen:Trojan.Heur.TP.eqW@baZ37zo or Ransom_XDATA.A), you should know that the XData virus just attempted to encrypt files on your system.
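The indicators this article names (the ransom note HOW_CAN_I_DECRYPT_MY_FILES.txt, the .~xdata~ and .key.~xdata~ extensions, and the listed process names) can be checked with a read-only PowerShell triage script. This is an added example, not part of the original guide; the function names and the default scan root are assumptions.

```powershell
# Added example: read-only triage for the XData indicators named in this guide.
# It only reports findings; it deletes and terminates nothing.
param(
    # Assumption: the user profile is the default scan root; pass other paths as needed.
    [string[]]$Roots = @($env:USERPROFILE)
)

# Indicators quoted from the article text
$NoteName     = 'HOW_CAN_I_DECRYPT_MY_FILES.txt'
$KeyFileExt   = '.key.~xdata~'
$EncryptedExt = '.~xdata~'
# Get-Process expects names without the .exe suffix
$ProcessNames = 'msaddc', 'mscomrpc', 'msdcom', 'msdns', 'mssecsvc', 'mssql'

function Find-XDataFiles {
    param([string[]]$Path)
    $notes = @(); $keys = @(); $encrypted = 0
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $name = $_.Name
            if ($name -ieq $NoteName) {
                $notes += $_.FullName
            } elseif ($name.EndsWith($KeyFileExt, [StringComparison]::OrdinalIgnoreCase)) {
                # Checked before the generic extension, which it also ends with
                $keys += $_.FullName
            } elseif ($name.EndsWith($EncryptedExt, [StringComparison]::OrdinalIgnoreCase)) {
                $encrypted++
            }
        }
    [pscustomobject]@{ RansomNotes = $notes; KeyFiles = $keys; EncryptedCount = $encrypted }
}

function Find-XDataProcesses {
    # A name match alone is not proof: report the image path so it can be reviewed.
    Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue |
        Select-Object Name, Id, Path
}

$files = Find-XDataFiles -Path $Roots
$procs = @(Find-XDataProcesses)

"Ransom notes found   : $($files.RansomNotes.Count)"
"Key files found      : $($files.KeyFiles.Count)"
"Encrypted file count : $($files.EncryptedCount)"
$files.RansomNotes + $files.KeyFiles | ForEach-Object { "  $_" }
if ($procs.Count) { $procs | Format-Table -AutoSize } else { 'No listed process names are running.' }
```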

Xdata ransomware removal

When it comes to ransomware, users should opt for the automatic XData removal method. Unless you are an IT security specialist yourself, it would be futile to track down all the malware files spread throughout the system. Only after you remove the XData virus may you proceed to the data recovery instructions. Some of them might be of use to you. Lastly, if you are about to enable new browser extensions or install new applications and a UAC message pops up asking you to allow the installation of new files, beware of the above-mentioned executable files. If a program downloaded from an entertainment website asks you to enable msaddc.exe or msdcom.exe, you should be on alert.

Alternate Software

  • Plumbytes Anti-Malware: We have tested Plumbytes Anti-Malware's efficiency in removing XData ransomware virus (2017-05-23)
  • Malwarebytes Anti Malware: We have tested Malwarebytes Anti Malware's efficiency in removing XData ransomware virus (2017-05-23)
  • Hitman Pro: We have tested Hitman Pro's efficiency in removing XData ransomware virus (2017-05-23)
  • Webroot SecureAnywhere AntiVirus: We have tested Webroot SecureAnywhere AntiVirus's efficiency in removing XData ransomware virus (2017-05-23)

Manual XData virus Removal Guide:

Remove XData using Safe Mode with Networking


This option should help you recover control of the device, in case the malware shuts down anti-virus tools and prevents you from terminating it any other way.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove XData

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete XData removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove XData using System Restore


  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point dated prior to the infiltration of XData. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it and make sure that XData removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove XData from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by XData, you can use several methods to restore them:

Data Recovery Pro option

It is promoted as a tool which is able to recover damaged files and even recover lost emails.

The benefits of ShadowExplorer

There is a fair chance that you will recover your files if you use this program. It uses shadow volume copies as patterns to recreate the wanted files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow the Shadow Explorer Setup Wizard and install the application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk containing your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Currently there are no known ways to decrypt files locked by XData ransomware.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from XData and other ransomware, use a reputable anti-spyware program, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

Gabriel E. Hall - Passionate web researcher
