-1

I don't know why `w64.exe` files are getting generated in various locations on my laptop. Quick Heal puts them in quarantine. Are these files generated by Microsoft? How can I be sure about this? Or are these some sort of virus? I have been deleting such files since morning, but they keep coming back in different locations.


Edit: After my conversation with @Gantendo, VirusTotal is showing no virus, but the paid Quick Heal application shows it as a virus file.

Saaransh Garg
  • Upload one of the files to https://www.virustotal.com/gui/home/upload – Gantendo Nov 23 '21 at 08:01
  • Last time, when I restarted the PC, it came back, but now that I have shut down my system and turned it on, that file hasn't come back yet. If it comes, I will upload it to the website. Thanks @Gantendo – Jitendra Singh Nov 23 '21 at 08:09
  • Shows [this](https://i.stack.imgur.com/eq9Kd.png) after scanning @Gantendo – Jitendra Singh Nov 23 '21 at 08:24
  • Though VirusTotal is showing no virus, Quick Heal is showing it as a virus [here](https://i.stack.imgur.com/Ao4Ua.jpg) (I just got to know we can see the virus name of quarantined files) – Jitendra Singh Nov 23 '21 at 08:26
  • I do not trust Quick Heal. I have never used it or even heard of it. Install Malwarebytes from https://www.malwarebytes.com/ and let that scan the computer. Quick Heal detects it as a generic malware file so it may be a false positive. In which other locations did the `w64.exe` file show up? You have shortcuts to w64 on your desktop and it seems to be some kinda Python thing. – Gantendo Nov 23 '21 at 12:19
  • “Are these files generated by Microsoft?” - Considering the file has absolutely no connection to Microsoft, neither Microsoft nor Windows is generating that file. You can tell this isn’t a system file based on its location – Ramhound Nov 23 '21 at 16:18
  • @Gantendo free version of Malwarebytes shows no threat – Jitendra Singh Nov 24 '21 at 02:16
  • @JitendraSingh Good news, Quick Heal was wrong. There is no virus. You should probably uninstall Quick Heal. – Gantendo Nov 24 '21 at 04:45

1 Answer

0

From Python's documentation for the `venv` module:

> The venv module provides support for creating lightweight “virtual environments” with their own site directories, optionally isolated from system site directories

Now, further on the same site:

```
usage: venv [-h] [--system-site-packages] [--symlinks | --copies] [--clear] [--upgrade] [--without-pip] [--prompt PROMPT] [--upgrade-deps] ENV_DIR [ENV_DIR ...]
```

Here, I wouldn't say I know exactly what's happening, but I see a certain pattern — Python's lib folder has been copied again and again to `C:\users\jatin\venv` and to folders having the names of the arguments, like `C:\users\jatin\[-h]` etc. (As a matter of fact, `\Lib\site-packages\pip\_vendor\distlib` does have a `w64.exe`, and this is the only `w64.exe` in the Python folder.)

Now, the possibilities in order of decreasing probability are:

  1. One of the OP's experiments with Python created these weird-looking directories instead of creating a virtualenv — the solution for this would be to simply delete those files created in `C:\users\jatin`.
  2. Python's programs got messed up — the solution for this would be to reinstall Python.
  3. Some weird malware is doing weird things for weird purposes: scan your computer thoroughly. (As already said, this is highly improbable.)

I would still suggest that you start with a fresh installation of Python and delete those directories, just to make sure everything works like it should.

As for QuickHeal marking it as malware: many antiviruses sometimes mark Python files as malware. Also, the copied versions are still signed by Microsoft. Long story short, there's no reason for you to worry.

Saaransh Garg
  • For your last paragraph: yes, the files are signed by Microsoft, but QuickHeal does show them as a virus even with their name, so do I need to worry? – Jitendra Singh Nov 24 '21 at 02:20
  • Nope. To me, QuickHeal isn't reliable anymore. Rather use Malwarebytes or Bitdefender. And, they are signed by Microsoft, which actually means that they are the exact unedited copies of files present in python. – Saaransh Garg Nov 24 '21 at 03:28
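
The claim in the answer and its last comment, that the stray `w64.exe` files are unedited copies of the launcher shipped in pip's vendored `distlib`, can be checked by comparing hashes. The following is an added example, not part of the original thread; the function names are hypothetical, `default_reference_dir()` assumes pip is installed in the running interpreter's site-packages, and the demo tree uses constructed placeholder bytes.

```python
import hashlib
import sysconfig
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    # The launcher stubs are small, so reading the whole file is fine.
    return hashlib.sha256(path.read_bytes()).hexdigest()


def default_reference_dir() -> Path:
    # Assumption: pip lives in this interpreter's site-packages, the
    # location the answer names (Lib\site-packages\pip\_vendor\distlib).
    return Path(sysconfig.get_paths()["purelib"]) / "pip" / "_vendor" / "distlib"


def classify_launchers(search_root, reference_dir, name="w64.exe"):
    """Label every copy of `name` under search_root against the reference."""
    reference = Path(reference_dir) / name
    if not reference.is_file():
        raise FileNotFoundError(f"no reference {name} in {reference_dir}")
    ref_hash = sha256_of(reference)
    results = {}
    for path in Path(search_root).rglob("*"):
        if not path.is_file() or path.name.lower() != name.lower():
            continue
        if path.resolve() == reference.resolve():
            continue  # skip the reference itself
        same = sha256_of(path) == ref_hash
        results[str(path.relative_to(search_root))] = "identical" if same else "DIFFERENT"
    return results


def demo():
    # Constructed sample tree: placeholder bytes, not real executables.
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        ref = Path(tmp) / "python" / "Lib" / "site-packages" / "pip" / "_vendor" / "distlib"
        stray = home / "[-h]" / "Lib" / "site-packages" / "pip" / "_vendor" / "distlib"
        other = home / "Downloads"
        for d in (ref, stray, other):
            d.mkdir(parents=True)
        (ref / "w64.exe").write_bytes(b"MZ constructed launcher bytes")
        (stray / "w64.exe").write_bytes(b"MZ constructed launcher bytes")
        (other / "W64.EXE").write_bytes(b"MZ something else entirely")
        return classify_launchers(home, ref)


if __name__ == "__main__":
    print(demo())
```

On a real machine, call `classify_launchers(Path.home(), default_reference_dir())`. An `identical` result only shows the file equals the local reference copy, while `DIFFERENT` means a file with that name is not the pip launcher and deserves a closer look.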