Makdonalds@india.com Virus Remove and Restore .Xtbl Files

A ransomware threat that is one of the many .XTBL variants has appeared and has begun infecting users worldwide. It uses a strong encryption algorithm to encipher the files of its victims on system startup. The aim of this virus is to get users to contact the e-mail address Makdonalds@india.com to negotiate the payoff sum for getting back the files it has scrambled. In case your important documents are affected by this malware, researchers strongly advise against paying the ransom. Instead, read this article to learn how to remove Makdonalds@india.com ransomware and about alternative methods to restore the files encrypted by it.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encrypted by the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. Work on copies of the encrypted files and check the decryptor's output before deleting anything. The instructions can be found at the link below:
Decrypt Files Encrypted by Shade Ransomware

Threat Summary

Name: Makdonalds@india.com
Type: Ransomware
Short Description: A variant of the .XTBL ransomware viruses. Encrypts files with strong encryption and drops a ransom note containing payment instructions for decryption.
Symptoms: After encryption the ransomware may steal information; every encrypted file gets the .xtbl extension appended to its name.
Distribution Method: Spam e-mails, e-mail attachments, file-sharing networks.

Makdonalds@india.com Ransomware – Distribution Methods

The creators of the Makdonalds@india.com virus do not mess about when it comes to spreading it and infecting computers. They have realized that distribution is the most important part if they are going to profit from your important data, and the files dropped on your computer by the malicious executables are heavily obfuscated to evade antivirus programs. Such executables are typically sent as attachments in so-called phishing e-mails, which imitate a legitimate company or person and use convincing text to get users to open the attachment.

Not only this, but the attachment is not always an .exe: it may be a .js (JavaScript) downloader pretending to be a legitimate Adobe .PDF document or a Microsoft Office document, or any other file type that fools the inexperienced user into downloading and opening it, and the infection may also come from an exploit kit. Keep in mind that Windows hides known file extensions by default, so a file named invoice.pdf.js is displayed simply as invoice.pdf.

Makdonalds@india.com Ransomware – In-Depth View

When the user opens the attachment (or lands on the exploit kit), the dropper may immediately connect to a remote domain and download the payload of the Makdonalds@india.com virus. Like other .XTBL ransomware viruses, it may create its malicious files in the following Windows folders:

  • %AppData% (the Roaming part of the user profile)
  • %LocalAppData%
  • %Temp%

The Makdonalds@india.com virus also drops copies of its ransom note (as .HTML and .hta files, and as the .jpg and .txt files listed below) together with the malicious executable that encrypts the files of the compromised computer. Researchers report these files being dropped in the Startup folder of the user profile and in System32:

C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.jpg
C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.txt
C:\Users\{User's profile}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{malicious payload file}.exe
C:\Windows\System32\{malicious payload file}.exe

Placing them in the Startup folder makes these files run every time you turn on or restart your Windows computer, which is also why the ransom note reappears at every logon.
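A quick triage of the Startup folder is the first check a responder wants after reading the list above. The script below is an added example and not code from the original article: it lists every file in a Startup folder, tags the ransom-note names the article reports and any file type Windows would execute from there, and hashes the executables so they can be submitted to an antivirus vendor without being run. On Windows it reads the real per-user and all-users Startup folders from the environment; elsewhere it falls back to a constructed sample folder so it runs anywhere.

```python
"""Triage the Windows Startup folders for dropped ransomware artefacts.

Added example, not from the original article. The file names used in the
constructed sample folder (Decryption instructions.*, payload.exe) follow the
drop described in the article; the folder itself is built in a temp dir.
"""
import hashlib
import os
import tempfile

# Extensions Windows will execute when it processes the Startup folder.
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".hta", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".bat", ".cmd", ".ps1"}
# Ransom-note file stem reported by the article (matched case-insensitively).
NOTE_STEM = "decryption instructions"


def default_startup_dirs():
    """Per-user and all-users Startup folders, taken from the environment (Windows only)."""
    dirs = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(os.path.join(appdata, "Microsoft", "Windows",
                                 "Start Menu", "Programs", "Startup"))
    programdata = os.environ.get("ProgramData")
    if programdata:
        dirs.append(os.path.join(programdata, "Microsoft", "Windows",
                                 "Start Menu", "Programs", "StartUp"))
    return dirs


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large droppers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name):
    """ransom_note / executable / other, by file name only (never opens the file)."""
    stem, ext = os.path.splitext(name)
    if stem.lower() == NOTE_STEM:
        return "ransom_note"
    if ext.lower() in EXEC_EXTS:
        return "executable"
    return "other"


def triage_startup(startup_dir):
    """One record per file in startup_dir; executables are hashed, not run."""
    records = []
    if not os.path.isdir(startup_dir):
        return records
    for name in sorted(os.listdir(startup_dir)):
        path = os.path.join(startup_dir, name)
        if not os.path.isfile(path):
            continue
        category = classify(name)
        rec = {"name": name, "path": path, "category": category,
               "size": os.path.getsize(path), "sha256": None}
        if category == "executable":
            rec["sha256"] = sha256_of(path)  # hash for AV / sandbox lookup
        records.append(rec)
    return records


def make_sample_startup_dir():
    """Constructed sample Startup folder mirroring the drop described in the article."""
    d = tempfile.mkdtemp(prefix="startup_")
    samples = (("Decryption instructions.txt", b"All your files are encrypted\n"),
               ("Decryption instructions.jpg", b"\xff\xd8\xff"),
               ("payload.exe", b""),                 # empty stand-in for the dropper
               ("desktop.ini", b"[.ShellClassInfo]\n"))
    for name, data in samples:
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    targets = default_startup_dirs() or [make_sample_startup_dir()]
    for d in targets:
        print(f"== {d}")
        for rec in triage_startup(d):
            print(f'{rec["category"]:<12} {rec["size"]:>8} {rec["sha256"] or "-":<64} {rec["name"]}')
```

Anything tagged executable in a Startup folder that you did not put there deserves a hash lookup before the next reboot; the script deliberately never opens those files for anything but hashing.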

Regarding file encryption, the Makdonalds@india.com ransomware may also attack the Shadow Volume Copies and other backups and delete them with the vssadmin command (typically vssadmin delete shadows /all /quiet). The /quiet switch suppresses the confirmation prompt so that the victim does not notice; the command only succeeds from an elevated (administrative) process.
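That vssadmin invocation is one of the most reliable detection points for this family, because ordinary users almost never delete shadow copies by hand. The following is an added example, not code from the original article: it runs two detection rules over constructed process-creation events (the one-line "ts host= pid= image= cmd=" layout is an assumption made for the demo, not any product's real schema) and goes one step beyond the article by also catching the wmic shadowcopy delete form, which is the common equivalent.

```python
"""Flag shadow-copy deletion in process-creation logs.

Added example, not code from the original article. The sample events below
are constructed to look like a Sysmon Event ID 1 / Windows 4688 record
flattened to one line; the field layout is an assumption for this demo.
"""
import re

# Constructed sample events: a dropper from %AppData%, two shadow-copy
# deletions on WS01, then a benign vssadmin query and a cmd-wrapped
# deletion on WS02.
SAMPLE_LOG = r"""
2016-08-01T09:12:03Z host=WS01 pid=4120 image=C:\Windows\explorer.exe cmd="C:\Windows\explorer.exe"
2016-08-01T09:12:07Z host=WS01 pid=4388 image=C:\Users\bob\AppData\Roaming\svchost.exe cmd="C:\Users\bob\AppData\Roaming\svchost.exe"
2016-08-01T09:12:08Z host=WS01 pid=4412 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"
2016-08-01T09:12:09Z host=WS01 pid=4420 image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"
2016-08-01T10:00:00Z host=WS02 pid=1200 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"
2016-08-01T10:05:00Z host=WS02 pid=1300 image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c vssadmin delete shadows /all /quiet"
""".strip()

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)

# Command lines that destroy Volume Shadow Copies. The article names the
# vssadmin form; the wmic form is added here as the usual equivalent.
RULES = (
    ("vssadmin_delete_shadows",
     re.compile(r'\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b', re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r'\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b', re.I)),
)


def parse_line(line):
    """Split one flattened event into its fields; None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def detect_shadow_deletion(log_text):
    """Return one hit per event whose command line matches a shadow-deletion rule."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["cmd"]):
                # /quiet is the tell-tale the article describes: no prompt for the victim.
                quiet = re.search(r'/quiet\b', rec["cmd"], re.I) is not None
                hits.append({**rec, "rule": name, "quiet": quiet})
                break
    return hits


if __name__ == "__main__":
    for h in detect_shadow_deletion(SAMPLE_LOG):
        flag = " (quiet)" if h["quiet"] else ""
        print(f'{h["ts"]} {h["host"]} pid={h["pid"]} {h["rule"]}{flag}: {h["cmd"]}')
```

Note that the benign "vssadmin list shadows" is not flagged, and that the rule keys on the command line rather than the image path, so a copy wrapped in cmd.exe /c is still caught.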

Once it has started encoding the user's files, Makdonalds@india.com ransomware scans for and encrypts widely used file types, for example:

→ ".PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV; CAD files: .DWG .DXF; GIS files: .GPX .KML .KMZ; .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF; encoded files: .HQX .MIM .UUE; .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML; audio files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA; video files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV; 3D: .3DM .3DS .MAX .OBJ; .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG" Source: fileinfo.com

After scrambling a file, the virus appends a very specific extension to it, made up of the e-mail address, a unique victim identification number and the .xtbl file extension. Files encrypted by this malware look like the following:

[Image: example of a file encrypted by Makdonalds@india.com, carrying the .xtbl extension]
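Because the appended extension carries the attacker's e-mail, a victim ID and .xtbl, the file names alone tell you what was hit, which ID to quote to the decryptor, and what each file used to be called. The script below is an added example and not code from the original article: it parses that marker and inventories a constructed directory listing. The article only says the extension contains those three parts; the exact layout "<original>.id-<ID>.<email>.xtbl" assumed here, and the sample paths, are constructed for the demo.

```python
"""Inventory files renamed by the Makdonalds@india.com (.xtbl) ransomware.

Added example, not code from the original article. The article states the
appended extension holds the e-mail address, a victim ID and .xtbl; the
layout "<original>.id-<ID>.<email>.xtbl" used here is an assumption, and the
file paths are constructed sample data.
"""
import ntpath
import re
from collections import Counter

# Assumed encrypted-name layout: "<original name>.id-<victim id>.<e-mail>.xtbl".
XTBL_RE = re.compile(
    r'^(?P<original>.+)\.id-(?P<vid>[A-Za-z0-9]+)\.(?P<email>[^@\\/]+@[^@\\/]+?)\.xtbl$',
    re.IGNORECASE,
)

# Constructed sample listing of a victim's profile after infection.
SAMPLE_PATHS = [
    r"C:\Users\bob\Documents\report.docx.id-A1B2C3D4.Makdonalds@india.com.xtbl",
    r"C:\Users\bob\Pictures\holiday.jpg.id-A1B2C3D4.Makdonalds@india.com.xtbl",
    r"C:\Users\bob\Desktop\archive.tar.gz.id-A1B2C3D4.Makdonalds@india.com.xtbl",
    r"C:\Users\bob\Documents\notes.txt",
    r"C:\Users\bob\Desktop\Decryption instructions.txt",
]


def parse_xtbl_name(name):
    """Split an encrypted file name into original name, victim ID and e-mail; None if not marked."""
    m = XTBL_RE.match(name)
    if not m:
        return None
    return {"original": m.group("original"),
            "victim_id": m.group("vid"),
            "email": m.group("email")}


def original_path(path):
    """Path the file had before encryption, or None if the name carries no marker."""
    info = parse_xtbl_name(ntpath.basename(path))
    if info is None:
        return None
    return ntpath.join(ntpath.dirname(path), info["original"])


def inventory(paths):
    """Count encrypted vs untouched files; summarise e-mails, victim IDs and original types."""
    summary = {"encrypted": 0, "untouched": 0, "emails": Counter(),
               "victim_ids": set(), "original_exts": Counter(), "restorable_names": []}
    for p in paths:
        info = parse_xtbl_name(ntpath.basename(p))
        if info is None:
            summary["untouched"] += 1          # untouched data or a ransom note
            continue
        summary["encrypted"] += 1
        summary["emails"][info["email"].lower()] += 1
        summary["victim_ids"].add(info["victim_id"])
        summary["original_exts"][ntpath.splitext(info["original"])[1].lower()] += 1
        summary["restorable_names"].append((p, original_path(p)))
    return summary


if __name__ == "__main__":
    s = inventory(SAMPLE_PATHS)
    print(f'encrypted={s["encrypted"]} untouched={s["untouched"]}')
    print("attacker e-mail(s):", dict(s["emails"]))
    print("victim ID(s):", sorted(s["victim_ids"]))
    print("original types:", dict(s["original_exts"]))
    for enc, orig in s["restorable_names"]:
        print(f"  {enc}\n    -> {orig}")
```

The inventory is what you hand to whoever runs the decryptor: the victim ID and e-mail identify the campaign, and the list of original names lets you verify afterwards that every encrypted file came back under its old name. More than one victim ID or e-mail in one profile usually means more than one infection.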

Makdonalds@india.com Ransomware – Conclusion, Removal, and Restoring .XTBL Files

To erase it fully from your computer, we advise following the instructions below instead of taking your computer to an expert who may overcharge you. They are arranged methodically to assist with proper deletion. However, if you believe that not all files associated with Makdonalds@india.com ransomware have been removed from your computer, malware researchers recommend using advanced anti-malware software that will take care of this threat surely and swiftly.

If you want to get your files back, it is advisable to avoid attempting direct decryption with an unverified tool, since this may damage your files, and Makdonalds@india.com may have defensive mechanisms. Instead, try the methods in step "3. Restore files encrypted by Makdonalds@india.com Ransomware" to recover your data. They may not be 100% effective, but with luck you may restore a portion of your missing data. Whatever you try, work on copies of the encrypted files and keep the originals until you have verified the result.

Manually delete Makdonalds@india.com from your computer

Note! Important information about the Makdonalds@india.com threat: manual removal requires interfering with system files and the registry, so it can damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove Makdonalds@india.com files and objects
2. Find malicious files created by Makdonalds@india.com on your PC
3. Fix registry entries created by Makdonalds@india.com on your PC

Automatically remove Makdonalds@india.com by downloading an advanced anti-malware program

1. Remove Makdonalds@india.com with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Makdonalds@india.com in the future
3. Restore files encrypted by Makdonalds@india.com
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
