Xash Virus


*Xash is a variant of Stop/DJVU. Source of claim SH can remove it.


Xash is a Ransomware virus for Windows that denies its victims access to their data. Xash uses a sophisticated encryption algorithm through which it locks the targeted files and keeps them unavailable until a ransom is paid by the victims.

The Xash ransomware will leave a _readme.txt file with instructions

This harmful computer threat has the potential to cause loss of many gigabytes of highly important data, especially if it attacks users who don’t regularly back up their most important files. Since Ransomware viruses as a whole are quite different from other, more conventional forms of malware, while at the same time being one of the most widespread forms of computer threats, being well acquainted with their abilities and characteristics is very important.

The first thing that many users may be confused about is the damage caused by this malware. The goal of infections like Xash or Gatz is to lock up the files of its victims and then force the users to pay money to the hackers in return for a unique decryption key that is different for each computer and that is supposedly the only thing that can set the files free. However, as far as the health and safety of the computer itself are concerned, most Ransomware infections do not possess the ability to damage the system. Because of this, users who don’t store sensitive or overly important files on their computers, or ones who regularly back up their data aren’t that threatened by potential Ransomware infections because they won’t have to be worried about the ransom payment.

The Xash virus

The Xash virus is a new and highly-problematic file-targeting form of malware that can block all data on your computer. The Xash virus belongs to the widespread Ransomware virus family and it typically spreads with the help of assisting Trojan horse viruses functioning as backdoors.

Xash will encrypt your files

The fact that this Ransomware could be distributed in this way is important because it means that if you have been infected by Xash, there could also be a second piece of malware on your computer (a backdoor Trojan). Unlike Ransomware, Trojan horse threats can be used in all sorts of ways and they oftentimes have system-damaging abilities. Therefore, if there is Ransomware on your computer, it is crucial that you scan it to see whether there are any additional hidden threats you don’t know about yet.

The Xash file encryption

The Xash file encryption is the method that this virus employs while locking up your files. The Xash file encryption cannot be removed from the locked files through regular means – a special key must be used to unlock the encrypted data.

Paying the hackers for this key, however, is not something we’d advise you to do because the hackers may still refuse to give you the key even after you pay them. Instead, we recommend that you complete the removal guide below and maybe use the tool linked there to remove the Ransomware and any other threats that may be hiding in your computer. Afterwards, you can go to the second part of the guide, where you will find some alternative suggestions on file recovery that may help you bring back at least some of your inaccessible files.



Remove Xash Ransomware


If you want to remove Xash effectively and without much hassle, we recommend that you first do a bit of preparation for the smooth completion of this guide. The preparation involves clicking on the bookmark button in your browser to save this page with Xash removal instructions, because you will need to get back to it several times during the removal process.

Next, once you have bookmarked the guide, follow the instructions from this link and restart your computer in Safe Mode. When the computer reboots in Safe Mode successfully, get back to this page and proceed to the actual removal of the ransomware infection with step 2.




It is typical for ransomware threats like Xash to run malicious processes in the background of the system. Therefore, the first thing that you need to do if you get infected is to open your Task Manager (CTRL + SHIFT + ESC) and check the Processes tab for suspicious-looking processes that consume a significant portion of your system’s resources for no apparent reason. To help determine whether a given process is dangerous, right-click on it and open its File Location folder.


Once in that folder, scan all files stored there with a trusted antivirus program. For your convenience, you can simply drag and drop them in our powerful free online virus scanner that is available here:

Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.

    Wait for the file scanning process to complete and if there are files that are detected as dangerous after the scan, you should immediately end the process they are linked to. To do that, go to the Processes tab, right-click on the related process and select End Process to stop it. Next, go back to the File Location folder and delete the dangerous files.


    Sometimes, the ransomware infection may make changes in the Hosts file that is stored on your computer. These changes may take place without your knowledge, but you definitely need to check if something has been altered or added there in order to deal with Xash successfully.

    To do that, press the Windows key and R on the keyboard together and paste the following line into the Run window that opens on the screen:

    notepad %windir%/system32/Drivers/etc/hosts

    Next, click the OK button.

    As soon as you do this, you should see the Hosts file open in Notepad.

    Scroll the text to find Localhost and check for any added IP addresses that look suspicious.

    If anything unusual grabs your attention, copy it and leave us a comment below this post. A member of our team will take a look at it and reply to you with suggestions on what to do. If you detect no changes, close the file and proceed to the next instruction.
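The Hosts file check described above can also be done as a read-only PowerShell audit. This is an added example, not part of the original guide; the function name `Get-HostsEntry`, the verdict labels and the sample entries are assumptions made for illustration.

```powershell
# Added example, not part of the original guide: read-only hosts file audit.
function Get-HostsEntry {
    param(
        # Lines of a hosts file; defaults to the live file on this machine.
        [string[]]$Line = (Get-Content -LiteralPath "$env:windir\System32\drivers\etc\hosts")
    )
    $lineNo = 0
    foreach ($raw in $Line) {
        $lineNo++
        # Strip comments and surrounding whitespace; skip what is left empty.
        $text = ($raw -replace '#.*$', '').Trim()
        if (-not $text) { continue }
        # Format: <address> <name> [<alias> ...], separated by spaces or tabs.
        # A line with an address but no name yields no entries.
        $parts   = $text -split '\s+'
        $address = $parts[0]
        $isLocal = $address -match '^(127\.\d+\.\d+\.\d+|0\.0\.0\.0|::1?)$'
        foreach ($name in ($parts | Select-Object -Skip 1)) {
            if ($isLocal -and $name -eq 'localhost') { $verdict = 'default' }
            elseif ($isLocal) { $verdict = 'blocks name' }    # name no longer reaches its real server
            else { $verdict = 'redirects name' }              # name is pointed at another machine
            [pscustomobject]@{ Line = $lineNo; Address = $address; Name = $name; Verdict = $verdict }
        }
    }
}

# Constructed sample: one default line plus two entries worth reviewing.
$sample = @'
# sample hosts content (constructed)
127.0.0.1      localhost
127.0.0.1      av-vendor.example
203.0.113.10   login.bank.example   # trailing comment
'@ -split '\r?\n'
Get-HostsEntry -Line $sample | Where-Object Verdict -ne 'default' | Format-Table -AutoSize

# Audit the real file instead:
# Get-HostsEntry | Where-Object Verdict -ne 'default'
```

A stock Windows Hosts file contains only comment lines, so every row this returns for the live file was added by something after installation and deserves a look.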

    Click on the Start menu button and type msconfig in the Windows search bar.

    Open the result and go to the Startup tab:


    In the Startup Items column, search for entries that might be related to the malicious activity of the ransomware and if you find such an entry you are sure about, remove its checkmark from the checkbox to disable it. In some cases, the ransomware may use a fake name for its startup process or simply have an Unknown Manufacturer, so keep this in mind and don’t hesitate to research online any entries that look suspicious.
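The startup review above, including the hint about fake names and an unknown manufacturer, can be reproduced from PowerShell. This is an added example, not part of the original guide; the function names, the `Review` column and the sample command line are assumptions, and nothing is disabled or deleted.

```powershell
# Added example, not part of the original guide: read-only startup inventory.
function Resolve-StartupExecutable {
    param([string]$Command)
    # Expand %VAR% references, then take the quoted path, the text up to the
    # first ".exe", or the first token, whichever matches first.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command)
    if ($cmd -match '^\s*"([^"]+)"' -or $cmd -match '^\s*(.+?\.exe)\b' -or $cmd -match '^\s*(\S+)') {
        return $Matches[1]
    }
}

function Get-StartupInventory {
    # Win32_StartupCommand reports entries from the Run keys and Startup folders.
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        $exe = Resolve-StartupExecutable -Command $_.Command
        $app = $null
        if ($exe) {
            $app = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1
        }
        $company = $null
        $sig     = 'FileNotFound'
        if ($app) {
            # CompanyName is the "manufacturer" shown for a startup item.
            $company = (Get-Item -LiteralPath $app.Path).VersionInfo.CompanyName
            $sig     = (Get-AuthenticodeSignature -LiteralPath $app.Path).Status
        }
        [pscustomobject]@{
            Name      = $_.Name
            Location  = $_.Location     # registry key or Startup folder holding the entry
            Command   = $_.Command
            Company   = $company
            Signature = $sig
            Review    = (-not $company) -or ($sig -ne 'Valid')
        }
    }
}

# Constructed command line showing how the executable path is extracted.
Resolve-StartupExecutable -Command '"C:\Users\Public\updater.exe" --silent'

# Entries with no company name or without a valid signature, for manual research.
Get-StartupInventory | Where-Object Review | Format-List
```

`Review` only marks entries to research further; unsigned or unlabelled software is not malicious by itself.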



    You may not be able to successfully remove Xash if the ransomware has added malicious entries in the Registry of your computer. That’s why, in this step, we will show you how to search the Registry for such entries and how to remove them. Since you will be dealing with important system files, we need to warn you that any wrong deletions may lead to a very serious corruption of the OS. That’s why you need to pay extra attention here or better use a professional removal tool to check the legitimacy of the entries that you detect before you decide to remove them.

    The easiest way to find ransomware-related entries in the Registry is to open the Registry Editor (type Regedit in the Windows search field and press Enter) and then open a Find box (CTRL and F) where you need to type the name of the ransomware.

    Start a search with a click on the Find Next button and delete the results that are found with that name.

    Again, if you are not sure what needs to be deleted, better use a powerful removal tool, like the one listed on this page to remove all entries that are linked to Xash from the Registry.

    Once you are sure there are no more ransomware entries in there, go to the Windows search bar in the Start menu and type each of the following:

    1. %AppData%
    2. %LocalAppData%
    3. %ProgramData%
    4. %WinDir%
    5. %Temp%

    Search each location for recently added files that could be linked to the infection.

    Once you open Temp, make sure you select everything there and delete it. This will remove any temporary files that the ransomware might have created.
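The search for recently added files in the five locations listed above can be scripted so the results are reviewed before anything is deleted. This is an added example, not part of the original guide; the function name `Get-RecentFile`, the 7-day window, the depth limit and the extension list are assumptions to adjust.

```powershell
# Added example, not part of the original guide: list recently created files
# in the five locations from the guide. Read-only; nothing is deleted.
function Get-RecentFile {
    param(
        [int]$Days  = 7,    # look-back window (assumption: set it to when the trouble started)
        [int]$Depth = 2,    # limits recursion so the sweep of %WinDir% stays bounded
        [string[]]$Root = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:windir, $env:TEMP)
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    # Extensions that can run code; used only to highlight rows, not to filter.
    $runnable = '.exe', '.dll', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js'

    $Root |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
        ForEach-Object {
            # -Force includes hidden files; unreadable folders are skipped quietly.
            Get-ChildItem -LiteralPath $_ -File -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.CreationTime -ge $cutoff } |
        Sort-Object FullName -Unique |          # roots overlap (Temp sits under LocalAppData)
        Sort-Object CreationTime -Descending |
        Select-Object CreationTime, Length, FullName,
            @{ Name = 'Runnable'; Expression = { $runnable -contains $_.Extension.ToLower() } }
}

# Newest files first; runnable file types are the first ones to examine.
Get-RecentFile -Days 7 | Format-Table -AutoSize
```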


    How to Decrypt Xash files

    The decryption of the files that Xash has encrypted is a separate process that requires a different set of steps and methods. Therefore, once you have removed the ransomware from the infected computer, we suggest you check the regularly updated file-decryption guide that can be found here. In it, you will learn more about the available file-recovery alternatives and the most effective methods that you can use to decrypt your files.

    New Djvu Ransomware

    STOP Djvu is a ransomware variant that is wreaking havoc by encrypting files and demanding a ransom from its victims. Attacks by this threat have been reported from all over the world, with victims reporting that the .Xash suffix is typically added to the files it encrypts. Those who have lost access to their data, however, should not give in to the ransom demands, because there are decryptors, like the one at the link below, that may be able to help you retrieve the encrypted data.


    Download the STOPDjvu executable file from the link, and ensure that you read the license agreement and any accompanying instructions before beginning the decryption process. Keep in mind, though, that this program may not be able to decode all types of encrypted data, especially those that were encrypted using unknown offline keys or online encryption algorithms.

    If you face any trouble during the removal of Xash, don’t hesitate to leave us a comment, and we will do our best to help you. If the ransomware is more persistent than expected, we recommend that you download the anti-virus program linked on this page or try our free online virus scanner to check the computer for any hidden malicious files that are preventing the threat from being removed.


    About the author


    Brandon Skies

    Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.
