All my files are renamed with suffix .exe/.txt/.mp4 on my Windows XP

Some virus has infected all of my files… and Avast isn't detecting any virus… please help.

Please do what is shown in this topic and ATTACH logs: http://forum.avast.com/index.php?topic=53253.0

Run in the order listed. When done, malware removers will be notified.

Seems to be a file infector or something like that; really nasty, it will be hard to remove. Good luck. :wink:

AdwCleaner report

AdwCleaner v3.001 - Report created 01/09/2013 at 21:12:49

Updated 24/08/2013 by Xplode

Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

Username : vayam - VAYAM-DDFD36A9F

Running from : C:\Documents and Settings\vayam\My Documents\Downloads\adwcleaner.exe

Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\DOCUME~1\vayam\LOCALS~1\Temp\Uninstall.exe
File Found : C:\Documents and Settings\vayam\Application Data\Mozilla\Firefox\Profiles\zczrtre4.default\invalidprefs.js
File Found : C:\Documents and Settings\vayam\Application Data\Mozilla\Firefox\Profiles\zczrtre4.default\searchplugins\Babylon.xml
File Found : C:\Documents and Settings\vayam\Application Data\Mozilla\Firefox\Profiles\zczrtre4.default\searchplugins\delta.xml
File Found : C:\Documents and Settings\vayam\Application Data\Mozilla\Firefox\Profiles\zczrtre4.default\user.js
Folder Found : C:\Documents and Settings\vayam\Application Data\Mozilla\Firefox\Profiles\zczrtre4.default\Extensions{97A78363-B868-4B48-AC91-A783A31215AF}
Folder Found C:\Documents and Settings\All Users\Application Data\Babylon
Folder Found C:\Documents and Settings\All Users\Application Data\DealPlyLive
Folder Found C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Found C:\Documents and Settings\NetworkService\Application Data\Minibar
Folder Found C:\Documents and Settings\vayam\Application Data\Babylon
Folder Found C:\Documents and Settings\vayam\Application Data\DealPly
Folder Found C:\Documents and Settings\vayam\Application Data\DSite
Folder Found C:\Documents and Settings\vayam\Application Data\Minibar
Folder Found C:\Documents and Settings\vayam\IECompatCache
Folder Found C:\Documents and Settings\vayam\Local Settings\Application Data\Bundled software uninstaller
Folder Found C:\Documents and Settings\vayam\Local Settings\Application Data\DealPlyLive
Folder Found C:\Documents and Settings\vayam\Local Settings\Application Data\Minibar
Folder Found C:\Program Files\DealPly
Folder Found C:\Program Files\DealPlyLive
Folder Found C:\Program Files\Minibar
Folder Found C:\Program Files\optimizer pro

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\BabSolution
Key Found : HKCU\Software\BI
Key Found : HKCU\Software\DataMngr
Key Found : HKCU\Software\dealplylive
Key Found : HKCU\Software\dsiteproducts
Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings{AA74D58F-ACD0-450D-A85E-6C04B171C044}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings{AAA38851-3CFF-475F-B5E0-720D3645E4A5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{539F76FD-084E-4858-86D5-62F02F54AE86}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{AA74D58F-ACD0-450D-A85E-6C04B171C044}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{AAA38851-3CFF-475F-B5E0-720D3645E4A5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{AF6B0594-6008-4327-93E5-608AD710A6FA}
Key Found : HKCU\Software\Softonic
Key Found : HKLM\SOFTWARE\Classes\AppID{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Found : HKLM\SOFTWARE\Classes\AppID{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Found : HKLM\SOFTWARE\Classes\CLSID{539F76FD-084E-4858-86D5-62F02F54AE86}
Key Found : HKLM\SOFTWARE\Classes\CLSID{AA74D58F-ACD0-450D-A85E-6C04B171C044}
Key Found : HKLM\SOFTWARE\Classes\CLSID{AAA38851-3CFF-475F-B5E0-720D3645E4A5}
Key Found : HKLM\SOFTWARE\Classes\CLSID{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Key Found : HKLM\SOFTWARE\Classes\Interface{26E7211D-0650-43CF-8498-4C81E83AEAAA}
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\SOFTWARE\Classes\TypeLib{F13D3582-1359-4F8F-9A48-EF3AE9F5701C}
Key Found : HKLM\Software\DataMngr
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions{AAA38851-3CFF-475F-B5E0-720D3645E4A5}
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dealplylive.exe
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{AA74D58F-ACD0-450D-A85E-6C04B171C044}
Key Found : HKLM\Software\Minibar
Key Found : HKLM\Software\Tarma Installer
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{539F76FD-084E-4858-86D5-62F02F54AE86}]

***** [ Browsers ] *****

-\ Internet Explorer v8.0.6001.18702

Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [bProtectTabs] - hxxp://www1.delta-search.com/?babsrc=NT_ss&mntrId=805A005345000000&affID=119357&tsp=4953

-\ Mozilla Firefox v21.0 (en-US)

[ File : C:\Documents and Settings\vayam\Application Data\Mozilla\Firefox\Profiles\zczrtre4.default\prefs.js ]

Line Found : user_pref("extensions.delta.admin", false);
Line Found : user_pref("extensions.delta.aflt", "babsst");
Line Found : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
Line Found : user_pref("extensions.delta.autoRvrt", "false");
Line Found : user_pref("extensions.delta.dfltLng", "en");
Line Found : user_pref("extensions.delta.excTlbr", false);
Line Found : user_pref("extensions.delta.ffxUnstlRst", true);
Line Found : user_pref("extensions.delta.id", "805a8653000000000000005345000000");
Line Found : user_pref("extensions.delta.instlDay", "15910");
Line Found : user_pref("extensions.delta.instlRef", "sst");
Line Found : user_pref("extensions.delta.newTab", false);
Line Found : user_pref("extensions.delta.prdct", "delta");
Line Found : user_pref("extensions.delta.prtnrId", "delta");
Line Found : user_pref("extensions.delta.rvrt", "false");
Line Found : user_pref("extensions.delta.smplGrp", "none");
Line Found : user_pref("extensions.delta.tlbrId", "base");
Line Found : user_pref("extensions.delta.tlbrSrchUrl", "");
Line Found : user_pref("extensions.delta.vrsn", "1.8.21.5");
Line Found : user_pref("extensions.delta.vrsnTs", "1.8.21.514:50:31");
Line Found : user_pref("extensions.delta.vrsni", "1.8.21.5");
Line Found : user_pref("extensions.delta_i.babExt", "");
Line Found : user_pref("extensions.delta_i.babTrack", "affID=119357&tsp=4953");
Line Found : user_pref("extensions.delta_i.srcExt", "ss");
Line Found : user_pref("extensions.kango.storage.m2_k1", "0");
Line Found : user_pref("extensions.kango.storage.m2_k2", "0");
Line Found : user_pref("extensions.kango.storage.m2_k3", "0");
Line Found : user_pref("extensions.kango.storage.m2_k4", "1378120838147");
Line Found : user_pref("extensions.kango.storage.m2_k5", "1377976857220");
Line Found : user_pref("extensions.kango.storage.minibar.config", "{"name":"AppsHat","description":"AppsHat","button":{"tooltip":"Visit AppsHat.com","icon":"hxxp://www.bigspeedpro.com/button/%affi[…]
Line Found : user_pref("extensions.kango.storage.nero_options", ""{\"m1\":{\"ads\":{\"n1\":{\"url\":\"//ulayout.com/nero/hatter/google_post_results_728x90.html?aff_slug=appshat\",\"width\"[…]
Line Found : user_pref("extensions.kango.storage.ui.button.iconCache", ""data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABMAAAATCAYAAAByUDbMAAADlElEQVQ4jb3S3U9adxwG8F/BuooQAQscXj0cOIC8nANUPYjoHDClvqAoZ04gpqsZKmrUV[…]

-\ Google Chrome v

[ File : C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Documents and Settings\vayam\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


AdwCleaner[R0].txt - [7850 octets] - [01/09/2013 21:12:49]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [7910 octets] ##########

Malwarebytes Anti-Malware report

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.01.04

Windows XP Service Pack 3 x86 FAT32
Internet Explorer 8.0.6001.18702
vayam :: VAYAM-DDFD36A9F [administrator]

Protection: Enabled

9/1/2013 9:26:39 PM
mbam-log-2013-09-01 (21-26-39).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 225393
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 10
HKCR\AppID{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3} (PUP.Optional.Delta.A) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{2A5A2A90-3B30-4E6E-A955-2F232C6EF517} (PUP.WebCake) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{2A5A2A90-3B30-4E6E-A955-2F232C6EF517} (PUP.WebCake) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{AF6B0594-6008-4327-93E5-608AD710A6FA} (PUP.Optional.WebCake.A) → Quarantined and deleted successfully.
HKLM\SOFTWARE{6791A2F3-FC80-475C-A002-C014AF797E9C} (PUP.Optional.OptimzerPro.A) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.Optional.Tarma.A) → Quarantined and deleted successfully.
HKCU\SOFTWARE\DealPlyLive (PUP.Optional.DealPly.A) → Quarantined and deleted successfully.
HKCU\Software\DataMngr (PUP.Optional.DataMngr) → Quarantined and deleted successfully.
HKCU\Software\BabSolution\Updater (PUP.Optional.Babylon.A) → Quarantined and deleted successfully.
HKCU\SOFTWARE\INSTALLCORE (PUP.Optional.InstallCore.A) → Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) → Data: 0H1K1F1Q1E1I1N2W0T0S0RtCtA → Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 13
C:\Documents and Settings\vayam\Application Data\Babylon (PUP.Optional.Babylon.A) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\DealPlyLive (PUP.Optional.DealPly.A) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\DealPlyLive\Update (PUP.Optional.DealPly.A) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\DealPlyLive\Update\Log (PUP.Optional.DealPly.A) → Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Application Data\Dealply (PUP.Optional.DealPly.A) → Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Application Data\Dealply\UpdateProc (PUP.Optional.DealPly.A) → Quarantined and deleted successfully.
C:\Program Files\DealPlyLive (PUP.Optional.DealPly.A) → Quarantined and deleted successfully.
C:\Program Files\DealPlyLive\CrashReports (PUP.Optional.DealPly.A) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Tarma Installer (PUP.Optional.Tarma.A) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Tarma Installer{361E80BE-388B-4270-BF54-A10C2B756504} (PUP.Optional.Tarma.A) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Tarma Installer{361E80BE-388B-4270-BF54-A10C2B756504}\Cache (PUP.Optional.Tarma.A) → Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Application Data\DealPlyLive (PUP.Optional.DealPly.A) → Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Application Data\DealPlyLive\CrashReports (PUP.Optional.DealPly.A) → Quarantined and deleted successfully.

Files Detected: 18
C:\Documents and Settings\All Users\Application Data\Tarma Installer{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.exe (PUP.Optional.Tarma.A) → Quarantined and deleted successfully.
C:\Documents and Settings\vayam\My Documents\Downloads\DTLite4471-0337.exe (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Temp\OptimizerPro.exe (PUP.Optional.OptimizePro.A) → Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Temp\Setup-D2502DD2B71B5.exe.0 (PUP.Optional.Yontoo) → Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Temp\is1218200230\DeltaTB.exe (PUP.Optional.Babylon.A) → Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Temp\is1218200230\dp.exe (PUP.DealPly.A) → Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Temp\AD12E0FB-BAB0-7891-8C25-1853FD475D09\Latest\Setup.exe (PUP.Babylon.A) → Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Temp\AD12E0FB-BAB0-7891-8C25-1853FD475D09\Latest\BabMaint.exe (PUP.Optional.Babylon.A) → Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Temp\AD12E0FB-BAB0-7891-8C25-1853FD475D09\Latest\ccp.exe (PUP.Babylon.A) → Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Local Settings\Temp\AD12E0FB-BAB0-7891-8C25-1853FD475D09\Latest\MyDeltaTB.exe (PUP.Optional.Delta) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\Optimizer_Pro.exe (PUP.Optional.PCOptimizerPro) → Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Application Data\Babylon\log_file.txt (PUP.Optional.Babylon.A) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\DealPlyLive\Update\Log\DealPlyLive.log (PUP.Optional.DealPly.A) → Quarantined and deleted successfully.
C:\Documents and Settings\vayam\Application Data\Dealply\UpdateProc\config.dat (PUP.Optional.DealPly.A) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Tarma Installer{361E80BE-388B-4270-BF54-A10C2B756504}_Setup.dll (PUP.Optional.Tarma.A) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Tarma Installer{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.ico (PUP.Optional.Tarma.A) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Tarma Installer{361E80BE-388B-4270-BF54-A10C2B756504}_Setupx.dll (PUP.Optional.Tarma.A) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Tarma Installer{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.dat (PUP.Optional.Tarma.A) → Quarantined and deleted successfully.

(end)

What are the files renamed to?

The files are renamed having their extension,
like an executable file named "file" is renamed as "file.exe".

Are you sure you just haven't changed Windows to show the extension?

Yeah, I'm quite sure I haven't… when I start up my Windows in safe mode,
then none of the files show their extension name…

OTL log

Follow the steps here http://www.wikihow.com/Disable-Hidden-File-Extensions-in-Windows-XP and let me know if there is a tick in the "Hide extensions for known file types" box.

Not a great deal showing

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:Files
C:\WINDOWS\tasks\At*.job

:Commands
[resethosts]
[emptytemp]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Yeah, the "Hide extensions for known file types" box is ticked.

OK, let me know if there is any change after the OTL run, please.

Whenever I am trying to run the fix on OTL, my system freezes…
It says "killing processes, do not interrupt"
and after some time OTL is not responding…

I am using OTL 3.2.69.0

aswMBR log

MBAM is causing OTL to freeze; could you temporarily uninstall MBAM and run the fix, please?

Should I click the "Clean up" button in OTL?

OTL log

NO… the Clean up button will uninstall OTL. :wink:

You should follow the instructions Essexboy gave you in reply #10.