How to Remove XData Virus and Restore .xdata Files

Xdata virus is a malware of unknown origin that exhibits typical ransomware features – it encrypts target user data and extorts the victims for a fee to restore their files. XData ransomware virus marks all affected data with the .xdata extension and it can make malicious changes to the affected computers. The victims can remove the XData Virus by using one of the following methods:

Manual Removal Guide
Recover .xdata Files
Skip all steps and download anti-malware tool that will safely scan and clean your PC.

DOWNLOAD XDATA Removal Tool

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

XData Virus – All Before and After This Event

The XData ransomware virus has been recently detected by the security analysts. The collected samples associated with it show that XData is not related to any of the famous malware families. The identity of the hacker (or hacker collective) is also unknown.

Upon infection the XData virus immediately starts its encryption engine. Like other similar threats it uses a predefined list of target file type extensions. Based on the predefined targets it can be configured to encrypt the most popular files: videos, archives, music, photos, databases, configuration files and etc.

All affected files are marked with the .xdata extension. The users are shown a ransomware note in a HOW_CAN_I_DECRYPT_MY_FILES.txt file. Its contents read the following:

Your important files were encrypted on this computer: documents, databases, photos, videos, etc.
Encryption was prodused using unique public key for this computer.
To decrypt files, you need to obtain private key and special tool.
To retrieve the private key and tool find your pc key file with ‘.key.~xdata~’ extension.
Depending on your operation system version and personal settings, you can find it in:
‘C:/’,
‘C:/ProgramData’,
‘C:/Documents and settings/All Users/Application Data’,
‘Your Desktop’
folders (eg. ‘C:/PC-TTT54M#45CD.key.~xdata~’).
Then send it to one of following email addresses:
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
Your ID: ******
Do not worry if you did not find key file, anyway contact for support.

XData virus ransomware note image

The XData ransomware virus uses the AES encryption cipher to process the compromised user data using a private decryption key. It is uploaded to the remote server operated by the criminals.

The ransomware note instructs the victims to locate the public key from their computer and send it to one of the designated email addresses, all of them use counterfeit names including characters from the Lord of the Rings.

As usual the Xdata ransomware virus engine assigns a unique infection ID to the compromised machines. Malware such as this one use harvested system information from the computers to calculate this. This means that the XData virus is able to download user data such as stored account credentials, sensitive files, passwords and settings, as well as transmit them to the hackers.

XData Virus Distribution Tactics

The XData virus masquerades as legitimate Microsoft Windows files and components. The captured malware samples include the following fake copies:

  • msdtc.exe – Part of the Microsoft Distributed Transaction Coordinator.
  • mscomrpc.exe – Poses as a legitimate Microsoft Windows file.
  • msdcom.exe – Fake Microsoft Windows component.
  • msdns.exe – Poses as a DNS utility.
  • mssecsvc.exe – A malicious application that delivers various malware to the infected hosts.
  • mssql.exe – Poses as a Microsoft SQL Server application.

The XData virus can be distributed using different infection methods. One of the most popular ones is the use of email spam campaigns. The hackers behind the Xdata virus use social engineering tricks to make the targets infect themselves with the virus. It is directly attached as a file or linked somewhere in the body contents. Infected documents that include malicious scripts can also lead to a Xdata virus infection.

Other methods of infection include the use of software installers that bundle the XData virus. The hackers modify the original binaries and distribute it on hacker-controlled sites and P2P networks.

Web scripts and criminal ad networks can also redirect to the download sites tat deliver the XData virus. Malicious web browser add-ons, also known as browser hijackers, are another popular source of infections. They not only change the default home page, new tabs and search engine settings to point to a hacker-controlled site. The browser hijackers can retrieve the stored passwords, stored account credentials, web history, bookmarks and settings.

Related: Thundercrypt Ransomware Virus

Remove XData Virus and Restore Encrypted Files

WARNING! Manual removal of the XData ransomware virus requires being familiar with system files and registries. Removing important data accidentally can lead to permanent system damage. If you don’t feel comfortable with manual instructions, download a powerful anti-malware tool that will scan your system for malware and clean it safely for you.

DOWNLOAD Anti-Malware Tool

 
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

XData Virus – Manual Removal Steps

Start the PC in Safe Mode with Network

This will isolate all files and objects created by the ransomware so they will be removed efficiently. The steps bellow are applicable to all Windows versions.

1. Hit the WIN Key + R

2. A Run window will appear. In it, write msconfig and then press Enter

3. A Configuration box shall appear. In it Choose the tab named Boot

4. Mark Safe Boot option and then go to Network under it to tick it too

5. Apply -> OK

Show Hidden Files

Some ransomware threats are designed to hide their malicious files in the Windows so all files stored on the system should be visible.

1. Open My Computer/This PC

2. Windows 7

    – Click on Organize button
    – Select Folder and search options
    – Select the View tab
    – Go under Hidden files and folders and mark Show hidden files and folders option

3. Windows 8/ 10

    – Open View tab
    – Mark Hidden items option

how to make hidden files visible in Windows 8 10 bestsecuritysearch instructions

4. Click Apply and then OK button

Enter Windows Task Manager and Stop Malicious Processes

1. Hit the following key combination: CTRL+SHIFT+ESC

2. Get over to Processes

3. When you find suspicious process right click on it and select Open File Location

4. Go back to Task Manager and end the malicious process. Right click on it again and choose End Process

5. Next, you should go folder where the malicious file is located and delete it

Repair Windows Registry

1. Again type simultaneously the WIN Key + R key combination

2. In the box, write regedit and hit Enter

3. Type the CTRL+ F and then write the malicious name in the search type field to locate the malicious executable

4. In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys

Click for more information about Windows Registry and further repair help

Recover .xdata Files

WARNING! All files and objects associated with XData file virus should be removed from the infected PC before any data recovery attempts. Otherwise the virus may encrypt restored files. Furthermore, a backup of all encrypted files stored on external media is highly recommendable.

1. Use present backups

2. Use professional data recovery software

Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos, and 300 more file types lost during various types of incidents and corruption.

3. Using System Restore Point

    – Hit WIN Key
    – Select “Open System Restore” and follow the steps

restore-files-using-windows-system-restore-point

4. Restore your personal files using File History

    – Hit WIN Key
    – Type restore your files in the search box
    – Select Restore your files with File History
    – Choose a folder or type the name of the file in the search bar
    – Hit the “Restore” button

Preventive Security Measures

  • Enable and properly configure your Firewall.
  • Install and maintain reliable anti-malware software.
  • Secure your web browser.
  • Check regularly for available software updates and apply them.
  • Disable macros in Office documents.
  • Use strong passwords.
  • Don’t open attachments or click on links unless you’re certain they’re safe.
  • Backup regularly your data.
  • Author : Martin Beltov

    Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


    Related Posts