.XTBL Ransomware Removal Guide

Do you know what .XTBL Ransomware is?

.XTBL Ransomware refers to a number of programs that enter computers surreptitiously and encrypt users’ files. To put it simply, .xtbl is the name of the extension that the malicious programs add to the affected files. Therefore, to remove .XTBL Ransomware from your computer, you need to target the actual program that makes use of the extension. There is an entire list of ransomware applications that employ the same extension, so you may need to identify the program first, and then look for methods to remove it. If you need any help with it, you can always contact us by leaving a comment below.

The programs known to use this extension are Vegclass@aol.com Ransomware, JohnyCryptor Ransomware, and GreenRay Ransomware. Computer security experts suggest that these programs were created by Indian hackers, but it should be pointed out that the infection area is not limited to India alone.

As far as Vegclass@aol.com Ransomware is concerned, this application does not lock your screen. It uses the RSA-2048 encryption key to lock your files, and changes your desktop’s background. The program drops a file called “How to decrypt your files.txt”, and this file contains instructions on what the user is supposed to do to restore access to their files.

It is obvious that ransomware programs enter your computer to rip you off. The programs that use the .xtbl extension are no different. The previously mentioned infection is not the only one that drops a file with instructions. All programs will tell you how to transfer the ransom payment in one way or another.

There tend to be two types of ransomware programs. One of them will display the ransom note on your desktop, providing a lot of information about how you are supposed to pay the ransom fee, how big the fee is, and where you should transfer it. The .XTBL Ransomware applications are not so explicit. They only display a notification that shows an email address, and if you want to find out more, you need to send your infection’s ID to the given email address. The infection ID allows the criminals to identify your computer, and you can find the ID on any encrypted file because it is part of the extension, for example, Google Chrome.lnk.id-B4500913.Vegclass@aol.com.xtbl.
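The naming pattern described above can be taken apart mechanically to recover the original file name, the infection ID and the contact address. The following PowerShell is an added example, not code from the original guide; it assumes the ID is alphanumeric, as in the one name quoted above, and every sample name except the first is constructed.

```powershell
# Added example: split encrypted names of the form
#   <original name>.id-<ID>.<contact email>.xtbl
# Assumption: the ID is alphanumeric, as in the single example quoted in the text.
function Get-XtblInfo {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Name)
    process {
        $rx = '^(?<Original>.+)\.id-(?<Id>[0-9A-Za-z]+)\.(?<Contact>[^\\/]+@[^\\/]+)\.xtbl$'
        if ($Name -match $rx) {
            [pscustomobject]@{
                Encrypted = $Name
                Original  = $Matches.Original
                Id        = $Matches.Id
                Contact   = $Matches.Contact
            }
        } else {
            # Untouched files and names in some other scheme end up here.
            Write-Warning "Not in the expected pattern: $Name"
        }
    }
}

# The first name is the example from the text; the others are constructed.
$sample = @(
    'Google Chrome.lnk.id-B4500913.Vegclass@aol.com.xtbl',
    'report.final.docx.id-B4500913.Vegclass@aol.com.xtbl',
    'photo.jpg.id-B4500913.contact@example.invalid.xtbl',
    'notes.txt'
)
$info = $sample | Get-XtblInfo

# One row per (ID, contact) pair, with the number of files carrying it.
$info | Group-Object Id, Contact |
    Select-Object Count,
        @{ n = 'Id';      e = { $_.Group[0].Id } },
        @{ n = 'Contact'; e = { $_.Group[0].Contact } }

# On a live system, feed real file names instead of $sample:
# Get-ChildItem C:\Users -Recurse -File -Filter *.xtbl -ErrorAction SilentlyContinue |
#     Select-Object -ExpandProperty Name | Get-XtblInfo
```

The Original column gives the name each file should have once it is restored from backup.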

Computer security experts unanimously agree that users should never pay for the decryption key that is offered by the ransomware infections. For one, giving your money away is not an option. Second, there is no guarantee that the cyber criminals would issue the decryption key. Ransomware programs tend to have shaky connections with their command and control centers (and that is also the reason .XTBL Ransomware programs issue at least two different email addresses), so it would not be surprising if, after having transferred the money, you did not get anything in return. Therefore, rather than following the ransomware’s orders, you should take measures to remove it.

What to do with the files affected by .XTBL Ransomware? Unfortunately, ransomware applications usually delete the Shadow Copies that would allow you to restore your data with professional help. Therefore, the best way to get your files back is to restore them from a backup. A backup can be your external hard drive, or a set of files saved on a cloud drive. If you do not keep a backup, check your email inbox and drafts because users tend to save a lot of important files in their inboxes without even realizing it.

We would like to point out that you should remove the .XTBL Ransomware program before transferring your files back. The problem with the removal is that there are at least three programs that could use this alias, and all three programs have different manual removal instructions.

To remove each and every program, please check out the appropriate instructions, given together with the name of the program. If you are not sure which infection is terrorizing you, check your desktop; this ransomware family is usually very explicit about notifying you of its presence. Thus, you should find the name of the infection in the ransom note. For any other questions about ransomware and computer security, please contact us.

How to Remove .XTBL Ransomware

Vegclass@aol.com Ransomware

  1. Press Win+R and type %ALLUSERSPROFILE% into the Open box.
  2. Click OK and open the Microsoft folder.
  3. Go to Windows\Start Menu\Programs and delete a random-name .exe file.
  4. Press Win+R and type %AppData% into the Open box.
  5. Click OK and go to Microsoft\Windows\Start Menu\Programs.
  6. Locate and remove a random-name .exe file.
  7. Use the Run command (Win+R) to delete random-name .exe files in these directories:
    %APPDATA%
    %WINDIR%\SysWOW64\
    %WINDIR%\system32\
  8. Press Win+R and type in regedit. Click OK.
  9. Navigate to HKEY_CURRENT_USER\Control Panel\Desktop.
  10. Right-click the Wallpaper string value and select Modify.
  11. Delete the value data and click OK.
  12. Go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers.
  13. Right-click the BackgroundHistoryPath0 string value on the right.
  14. Delete the value data and click OK.
  15. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  16. Right-click the random-name string value with the value data C:\Windows\System32\*.exe.
  17. Delete it and look for a string value with the value data C:\Users\user\AppData\Roaming\*.exe.
  18. Right-click the value and delete it. Exit the Registry Editor and scan your computer.

JohnyCryptor Ransomware

  1. Press Win+R.
  2. Type %APPDATA% and click OK.
  3. Go to Microsoft\Windows\Start Menu\Programs\Startup.
  4. Remove the main executable file with the random name, "How to decrypt your files.jpg", and "How to decrypt your files.txt".
  5. Press Win+R and type %WINDIR%. Click OK.
  6. Go to the SysWOW64 folder (64-bit) and delete the malicious .exe file.
  7. Empty your Recycle Bin.
  8. Restart your computer.
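
As an added example (not part of the original guide), this read-only PowerShell script lists what the two procedures above tell you to look at: stray .exe files and ransom notes in the named folders, matching Run values, and the two wallpaper values. The signature column is an extra triage aid that the guide does not mention.

```powershell
# Added example, read-only: nothing is deleted or modified.
# Review every hit before removing it by hand as the steps describe.
$programs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs"
$folders = @(
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs",  # Vegclass steps 1-3
    $programs,                                                     # Vegclass steps 4-6
    "$programs\Startup",                                           # JohnyCryptor steps 1-4
    $env:APPDATA                                                   # Vegclass step 7
)

# Executables and ransom notes sitting directly in those folders (no recursion).
$found = foreach ($dir in $folders) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.exe' -or $_.BaseName -eq 'How to decrypt your files' }
}

# Vegclass steps 15-18: Run values whose data points at an .exe directly under
# System32, SysWOW64 or AppData\Roaming. Legitimate entries can match as well.
# System32 and SysWOW64 are not listed wholesale: they hold many legitimate executables.
$runKey  = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
$runHits = @()
if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $data = [string]$runKey.GetValue($name)
        if ($data -match '(?<Exe>[A-Za-z]:\\[^"]*\\(System32|SysWOW64|AppData\\Roaming)\\[^\\"]+?\.exe)') {
            $runHits += [pscustomobject]@{ Value = $name; Data = $data; Exe = $Matches.Exe }
        }
    }
}

# Signature status for every file found above (extra triage aid, not in the guide).
$paths  = @($found.FullName) + @($runHits.Exe) | Where-Object { $_ } | Sort-Object -Unique
$report = foreach ($p in $paths) {
    $sig = Get-AuthenticodeSignature -LiteralPath $p -ErrorAction SilentlyContinue
    [pscustomobject]@{ Path = $p; Signature = $sig.Status; Signer = $sig.SignerCertificate.Subject }
}

# Vegclass steps 9-14: the two wallpaper values the ransomware changes.
$desktop = Get-ItemProperty -LiteralPath 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$history = Get-ItemProperty -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers' -ErrorAction SilentlyContinue

$report  | Format-Table -AutoSize -Wrap
$runHits | Format-List Value, Data
"Wallpaper: $($desktop.Wallpaper)"
"BackgroundHistoryPath0: $($history.BackgroundHistoryPath0)"
```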

In non-techie terms:

.XTBL Ransomware is not a genuine malware infection. It is an alias that is used by security specialists for a number of ransomware programs. To remove the ransomware program, you need to refer to the individual article on the program that resides in your computer.

Finally, you should invest in a security product that would protect you from similar intruders in the future. Also, employing safe web browsing skills would decrease the possibility of malware infection.

  • Cihan Erdem

    Hi to all, I can help with your xtbl encrypted files, pls send me a few of your encrypted files (pdf, doc, xls files are preferable) to my email address, mcerdem82@yahoo.com, ...