Author Topic: all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp (Read 7634 times)

priyam · « **on:** August 31, 2013, 09:46:03 PM »

some virus has infected all of my files...and avast isn't detecting any virus...pls help

Secondmineboy · « **Reply #1 on:** August 31, 2013, 09:49:06 PM »

Please do what is shown in this topic and ATTACH logs: http://forum.avast.com/index.php?topic=53253.0

Run in order listed. When done malware removers will be notified.

Seems to be an file infector or something like that, really nasty will be hard to remove. Good luck.

priyam · « **Reply #2 on:** September 01, 2013, 05:46:01 PM »

adware cleaner report

# AdwCleaner v3.001 - Report created 01/09/2013 at 21:12:49
# Updated 24/08/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : vayam - VAYAM-DDFD36A9F
# Running from : C:\Documents and Settings\vayam\My Documents\Downloads\adwcleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\DOCUME~1\vayam\LOCALS~1\Temp\Uninstall.exe
File Found : C:\Documents and Settings\vayam\Application Data\Mozilla\Firefox\Profiles\zczrtre4.default\\invalidprefs.js
File Found : C:\Documents and Settings\vayam\Application Data\Mozilla\Firefox\Profiles\zczrtre4.default\searchplugins\Babylon.xml
File Found : C:\Documents and Settings\vayam\Application Data\Mozilla\Firefox\Profiles\zczrtre4.default\searchplugins\delta.xml
File Found : C:\Documents and Settings\vayam\Application Data\Mozilla\Firefox\Profiles\zczrtre4.default\user.js
Folder Found : C:\Documents and Settings\vayam\Application Data\Mozilla\Firefox\Profiles\zczrtre4.default\Extensions\{97A78363-B868-4B48-AC91-A783A31215AF}
Folder Found C:\Documents and Settings\All Users\Application Data\Babylon
Folder Found C:\Documents and Settings\All Users\Application Data\DealPlyLive
Folder Found C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Found C:\Documents and Settings\NetworkService\Application Data\Minibar
Folder Found C:\Documents and Settings\vayam\Application Data\Babylon
Folder Found C:\Documents and Settings\vayam\Application Data\DealPly
Folder Found C:\Documents and Settings\vayam\Application Data\DSite
Folder Found C:\Documents and Settings\vayam\Application Data\Minibar
Folder Found C:\Documents and Settings\vayam\IECompatCache
Folder Found C:\Documents and Settings\vayam\Local Settings\Application Data\Bundled software uninstaller
Folder Found C:\Documents and Settings\vayam\Local Settings\Application Data\DealPlyLive
Folder Found C:\Documents and Settings\vayam\Local Settings\Application Data\Minibar
Folder Found C:\Program Files\DealPly
Folder Found C:\Program Files\DealPlyLive
Folder Found C:\Program Files\Minibar
Folder Found C:\Program Files\optimizer pro

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\BabSolution
Key Found : HKCU\Software\BI
Key Found : HKCU\Software\DataMngr
Key Found : HKCU\Software\dealplylive
Key Found : HKCU\Software\dsiteproducts
Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AA74D58F-ACD0-450D-A85E-6C04B171C044}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AAA38851-3CFF-475F-B5E0-720D3645E4A5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{539F76FD-084E-4858-86D5-62F02F54AE86}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AA74D58F-ACD0-450D-A85E-6C04B171C044}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AAA38851-3CFF-475F-B5E0-720D3645E4A5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AF6B0594-6008-4327-93E5-608AD710A6FA}
Key Found : HKCU\Software\Softonic
Key Found : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Found : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{539F76FD-084E-4858-86D5-62F02F54AE86}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AA74D58F-ACD0-450D-A85E-6C04B171C044}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AAA38851-3CFF-475F-B5E0-720D3645E4A5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{26E7211D-0650-43CF-8498-4C81E83AEAAA}
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{F13D3582-1359-4F8F-9A48-EF3AE9F5701C}
Key Found : HKLM\Software\DataMngr
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AAA38851-3CFF-475F-B5E0-720D3645E4A5}
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dealplylive.exe
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA74D58F-ACD0-450D-A85E-6C04B171C044}
Key Found : HKLM\Software\Minibar
Key Found : HKLM\Software\Tarma Installer
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{539F76FD-084E-4858-86D5-62F02F54AE86}]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [bProtectTabs] - hxxp://www1.delta-search.com/?babsrc=NT_ss&mntrId=805A005345000000&affID=119357&tsp=4953

-\\ Mozilla Firefox v21.0 (en-US)

[ File : C:\Documents and Settings\vayam\Application Data\Mozilla\Firefox\Profiles\zczrtre4.default\prefs.js ]

Line Found : user_pref("extensions.delta.admin", false);
Line Found : user_pref("extensions.delta.aflt", "babsst");
Line Found : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
Line Found : user_pref("extensions.delta.autoRvrt", "false");
Line Found : user_pref("extensions.delta.dfltLng", "en");
Line Found : user_pref("extensions.delta.excTlbr", false);
Line Found : user_pref("extensions.delta.ffxUnstlRst", true);
Line Found : user_pref("extensions.delta.id", "805a8653000000000000005345000000");
Line Found : user_pref("extensions.delta.instlDay", "15910");
Line Found : user_pref("extensions.delta.instlRef", "sst");
Line Found : user_pref("extensions.delta.newTab", false);
Line Found : user_pref("extensions.delta.prdct", "delta");
Line Found : user_pref("extensions.delta.prtnrId", "delta");
Line Found : user_pref("extensions.delta.rvrt", "false");
Line Found : user_pref("extensions.delta.smplGrp", "none");
Line Found : user_pref("extensions.delta.tlbrId", "base");
Line Found : user_pref("extensions.delta.tlbrSrchUrl", "");
Line Found : user_pref("extensions.delta.vrsn", "1.8.21.5");
Line Found : user_pref("extensions.delta.vrsnTs", "1.8.21.514:50:31");
Line Found : user_pref("extensions.delta.vrsni", "1.8.21.5");
Line Found : user_pref("extensions.delta_i.babExt", "");
Line Found : user_pref("extensions.delta_i.babTrack", "affID=119357&tsp=4953");
Line Found : user_pref("extensions.delta_i.srcExt", "ss");
Line Found : user_pref("extensions.kango.storage.m2_k1", "0");
Line Found : user_pref("extensions.kango.storage.m2_k2", "0");
Line Found : user_pref("extensions.kango.storage.m2_k3", "0");
Line Found : user_pref("extensions.kango.storage.m2_k4", "1378120838147");
Line Found : user_pref("extensions.kango.storage.m2_k5", "1377976857220");
Line Found : user_pref("extensions.kango.storage.minibar.config", "{\"name\":\"AppsHat\",\"description\":\"AppsHat\",\"button\":{\"tooltip\":\"Visit AppsHat.com\",\"icon\":\"hxxp://www.bigspeedpro.com/button/%affi[...]
Line Found : user_pref("extensions.kango.storage.nero_options", "\"{\\\"m1\\\":{\\\"ads\\\":{\\\"n1\\\":{\\\"url\\\":\\\"//ulayout.com/nero/hatter/google_post_results_728x90.html?aff_slug=appshat\\\",\\\"width\\\"[...]
Line Found : user_pref("extensions.kango.storage.ui.button.iconCache", "\"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABMAAAATCAYAAAByUDbMAAADlElEQVQ4jb3S3U9adxwG8F/BuooQAQscXj0cOIC8nANUPYjoHDClvqAoZ04gpqsZKmrUV[...]

-\\ Google Chrome v

[ File : C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Documents and Settings\vayam\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [7850 octets] - [01/09/2013 21:12:49]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [7910 octets] ##########

priyam · « **Reply #3 on:** September 01, 2013, 06:03:53 PM »

malware anti malware report

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.01.04

Windows XP Service Pack 3 x86 FAT32
Internet Explorer 8.0.6001.18702
vayam :: VAYAM-DDFD36A9F [administrator]

Protection: Enabled

9/1/2013 9:26:39 PM
mbam-log-2013-09-01 (21-26-39).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 225393
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 10
HKCR\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3} (PUP.Optional.Delta.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517} (PUP.WebCake) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517} (PUP.WebCake) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AF6B0594-6008-4327-93E5-608AD710A6FA} (PUP.Optional.WebCake.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C} (PUP.Optional.OptimzerPro.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\DealPlyLive (PUP.Optional.DealPly.A) -> Quarantined and deleted successfully.
HKCU\Software\DataMngr (PUP.Optional.DataMngr) -> Quarantined and deleted successfully.
HKCU\Software\BabSolution\Updater (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\INSTALLCORE (PUP.Optional.InstallCore.A) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) -> Data: 0H1K1F1Q1E1I1N2W0T0S0RtCtA -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 13
C:\Documents and Settings\vayam\Application Data\Babylon (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\DealPlyLive (PUP.Optional.DealPly.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\DealPlyLive\Update (PUP.Optional.DealPly.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\DealPlyLive\Update\Log (PUP.Optional.DealPly.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Application Data\Dealply (PUP.Optional.DealPly.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Application Data\Dealply\UpdateProc (PUP.Optional.DealPly.A) -> Quarantined and deleted successfully.
C:\Program Files\DealPlyLive (PUP.Optional.DealPly.A) -> Quarantined and deleted successfully.
C:\Program Files\DealPlyLive\CrashReports (PUP.Optional.DealPly.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Tarma Installer (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504} (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Cache (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Application Data\DealPlyLive (PUP.Optional.DealPly.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Application Data\DealPlyLive\CrashReports (PUP.Optional.DealPly.A) -> Quarantined and deleted successfully.

Files Detected: 18
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.exe (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\vayam\My Documents\Downloads\DTLite4471-0337.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Temp\OptimizerPro.exe (PUP.Optional.OptimizePro.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Temp\Setup-D2502DD2B71B5.exe.0 (PUP.Optional.Yontoo) -> Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Temp\is1218200230\DeltaTB.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Temp\is1218200230\dp.exe (PUP.DealPly.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Temp\AD12E0FB-BAB0-7891-8C25-1853FD475D09\Latest\Setup.exe (PUP.Babylon.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Temp\AD12E0FB-BAB0-7891-8C25-1853FD475D09\Latest\BabMaint.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Temp\AD12E0FB-BAB0-7891-8C25-1853FD475D09\Latest\ccp.exe (PUP.Babylon.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Temp\AD12E0FB-BAB0-7891-8C25-1853FD475D09\Latest\MyDeltaTB.exe (PUP.Optional.Delta) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Optimizer_Pro.exe (PUP.Optional.PCOptimizerPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Application Data\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\DealPlyLive\Update\Log\DealPlyLive.log (PUP.Optional.DealPly.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Application Data\Dealply\UpdateProc\config.dat (PUP.Optional.DealPly.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setup.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.ico (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setupx.dll (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.dat (PUP.Optional.Tarma.A) -> Quarantined and deleted successfully.

(end)

essexboy · « **Reply #4 on:** September 01, 2013, 06:05:24 PM »

What are the files renamed to ?

priyam · « **Reply #5 on:** September 01, 2013, 06:17:05 PM »

the files are renamed having their extension
like a executable file named "file" is renamed as "file.exe"

essexboy · « **Reply #6 on:** September 01, 2013, 06:22:32 PM »

Are you sure you just haven't changed windows to show the extension ?

priyam · « **Reply #7 on:** September 01, 2013, 06:27:01 PM »

ya i m quite sure i haven't .........when i start up my window in safe mode,
then none of the files show their extension name....

priyam · « **Reply #8 on:** September 01, 2013, 06:38:39 PM »

otl log

essexboy · « **Reply #9 on:** September 01, 2013, 06:39:18 PM »

Follow the steps here http://www.wikihow.com/Disable-Hidden-File-Extensions-in-Windows-XP and let me know if there is a tick in the "Hide extensions for known file types". box

essexboy · « **Reply #10 on:** September 01, 2013, 06:42:25 PM »

Not a great deal showing

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code: [Select]

:Commands
[CREATERESTOREPOINT]

:Files
C:\WINDOWS\tasks\At*.job

:Commands
[resethosts]
[emptytemp]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

priyam · « **Reply #11 on:** September 01, 2013, 06:54:29 PM »

ya "Hide extensions for known file types" box is ticked

essexboy · « **Reply #12 on:** September 01, 2013, 06:56:51 PM »

OK let me know if there is any change after the OTL run please

priyam · « **Reply #13 on:** September 01, 2013, 07:42:17 PM »

whenever i am trying to run fix on OTL, my system freezes....
it says"killing processes , do not interrupt"
and after some time OTL is not responding.....

priyam · « **Reply #14 on:** September 01, 2013, 08:02:22 PM »

I am using OTL 3.2.69.0

Author Topic: all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp (Read 7634 times)

priyam

all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp

Secondmineboy

Re: all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp

priyam

Re: all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp

priyam

Re: all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp

essexboy

Re: all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp

priyam

Re: all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp

essexboy

Re: all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp

priyam

Re: all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp

priyam

Re: all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp

essexboy

Re: all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp

essexboy

Re: all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp

priyam

Re: all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp

essexboy

Re: all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp

priyam

Re: all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp

priyam

Re: all my files are renamed with suffix .exe/.txt/.mp4 on my windows xp