finding .exe files on each drive in each folder

emann · Feb 2, 2014

Hi,

My first post here....system is win7 ultimate 64 bit.

As described, I m having malwarebytes (bought and activated) finding a number of .exe files in all drives and folders at any random time. I would like to ask what type of virus, worm, Trojan is this and steps to clear my computer once and for all....should I try the steps of the malware removal guide or any other ideas please.

Let me know if you require other details.

tks
emann

TwinHeadedEagle · Feb 2, 2014

Hi,

Follow this topic and attach reports so we can see what is it about.

emann · Feb 2, 2014

hi there...what reports should I attach pls?

TwinHeadedEagle · Feb 2, 2014

Sorry, this one

http://malwaretips.com/threads/malware-removal-assistance-how-to-get-help.20334/

emann · Feb 3, 2014

Hi...ran the programs and attaching the files as requested.

I will wait for your further instructions.

tks for now.

TwinHeadedEagle · Feb 3, 2014

1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guidehttp://www.bleepingcomputer.com/combofix/how-to-use-combofix carefully.
Note: ComboFix must be downloaded to your Desktop.

--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program.
If you are unsure how to do this please read http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.htmlthis or this Instruction.

Note: Do not forget to turn on this option after the cleaning.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.

emann · Feb 4, 2014

Dear Sir,

following your help, ran ComboFix and attached is report.

Will wait for the next step.

tks

TwinHeadedEagle · Feb 4, 2014

PC seems clean, how is the situation now?

emann · Feb 4, 2014

Dear Sir,

will have to check later on at home. Shall i just browse in the folders to see if there are any exe files and how can i confirm that this will not reoccur.....I left the computer on at home in case I would have to do other reports considering that this Combofix seemed quite a delicate scanner....can i switch it off now, start it again and check for these files....please advise

thank you for your help

TwinHeadedEagle · Feb 4, 2014

You said that you performed scan with various scanners and that they found malware. Can you see what is the name of detections?

From my point of view, PC is clean, there is no active malware.

emann · Feb 4, 2014

ok..i will check later on...will turn on malware bytes again (turned it off following combofix instructions), switch off computer and on again and then check for any new exe files and report if any. A question; the combofix has scanned all drives of my computer or just the C: drive of the operating system?

tks

TwinHeadedEagle · Feb 4, 2014

ComboFix scans only system partition and vital places that malware could hide...

emann · Feb 4, 2014

Hi, just checked now and as at the moment cannot find any .exe files...will continue monitoring and advise you back when i start using the pc normally again.

in the meantime, i am noting that when i came now to switch off pc after the combo scan, the computer is not switching off...i mean i go to start-switch off...the computer is restarting instead...i tried this over 5 times now and it just restarts...i have to switch off the power supply unit to avoid it restarting...any help on this please.

tks

emann · Feb 4, 2014

hi there,

just finished a full scan with malware bytes and unfortunately, I got over 13000 detections

it is too long to list all files found but please note some of them in the different drives:

C:\Qoobox\Quarantine\C\Users\user\Documents\new folder.exe.vir (Spyware.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\Users\user\Videos\My Videos.exe.vir (Spyware.Agent) -> No action taken.
C:\Qoobox\Quarantine\E\New Folder.exe.vir (Spyware.Agent) -> No action taken.
C:\Users\user\AppData\Local\AivlaSoft\New Folder.exe (Spyware.Agent) -> No action taken.
C:\Users\user\AppData\Local\AivlaSoft\SCVHOST.exe (Spyware.Agent) -> No action taken.
C:\Users\user\AppData\Local\AivlaSoft\EFB\EFB.exe (Spyware.Agent) -> No action taken.
C:\Users\user\AppData\Local\AivlaSoft\EFB\AivlaSoft.Efb.DataProvider\AivlaSoft.Efb.DataProvider.exe (Spyware.Agent) -> No action taken.
C:\Users\user\AppData\Local\AivlaSoft\EFB\AivlaSoft.Efb.DisplayUnit\AivlaSoft.Efb.DisplayUnit.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Airbus_321\Checklists\Arrival\Arrival.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Airbus_321\Checklists\Departure\Departure.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Airbus_321\Checklists\Enroute\Enroute.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Boeing_737_800\FSX_Boeing_737_800.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Boeing_737_800\Checklists\Checklists.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Boeing_737_800\Checklists\Abnormals\Abnormals.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Boeing_737_800\Checklists\Arrival\Arrival.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Boeing_737_800\Checklists\Departure\Departure.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Boeing_737_800\Checklists\Enroute\Enroute.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Cessna_172\FSX_Cessna_172.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Cessna_172\Checklists\Checklists.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Cessna_172\Checklists\Abnormals\Abnormals.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Cessna_172\Checklists\Arrival\Arrival.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Cessna_172\Checklists\Departure\Departure.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Cessna_172\Checklists\Enroute\Enroute.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Mooney_Bravo\FSX_Mooney_Bravo.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Mooney_Bravo\Checklists\Checklists.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\AivlaSoft\EFB\UserData\Aircrafts\FSX_Mooney_Bravo\Checklists\Abnormals\Abnormals.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\My Received Files\My Received Files.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\My Scans\My Scans.exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\My Scans\2010-04 (Apr)\2010-04 (Apr).exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\My Scans\2010-08 (Aug)\2010-08 (Aug).exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\My Scans\2010-12 (Dec)\2010-12 (Dec).exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\My Scans\2011-02 (Feb)\2011-02 (Feb).exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\My Scans\2011-05 (May)\2011-05 (May).exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\My Scans\2011-06 (Jun)\2011-06 (Jun).exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\My Scans\2011-10 (Oct)\2011-10 (Oct).exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\My Scans\2011-12 (Dec)\2011-12 (Dec).exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\My Scans\2012-04 (Apr)\2012-04 (Apr).exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\My Scans\2012-09 (Sep)\2012-09 (Sep).exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\My Scans\2012-10 (Oct)\2012-10 (Oct).exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\My Scans\2012-12 (Dec)\2012-12 (Dec).exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\My Scans\2013-01 (Jan)\2013-01 (Jan).exe (Spyware.Agent) -> No action taken.
C:\Users\user\Documents\My Scans\2013-05 (May)\2013-05 (May).exe (Spyware.Agent) -> No action taken.

E:\FSX\Addon Scenery\FlyTampa-Vienna\Doc\Doc.exe (Spyware.Agent) -> No action taken.
E:\FSX\Addon Scenery\FlyTampa-Vienna\scenery\scenery.exe (Spyware.Agent) -> No action taken.
E:\FSX\Addon Scenery\FlyTampa-Vienna\texture\texture.exe (Spyware.Agent) -> No action taken.
E:\FSX\Addon Scenery\KJFK_Photo_Real\KJFK_Photo_Real.exe (Spyware.Agent) -> No action taken.
E:\FSX\Addon Scenery\KJFK_Photo_Real\SCENERY\SCENERY.exe (Spyware.Agent) -> No action taken.
E:\FSX\Addon Scenery\KJFK_Photo_Real\Texture\Texture.exe (Spyware.Agent) -> No action taken.
E:\FSX\Addon Scenery\LatinVFR\LatinVFR.exe (Spyware.Agent) -> No action taken.
E:\FSX\Addon Scenery\LatinVFR\Miami_KMIA\Miami_KMIA.exe (Spyware.Agent) -> No action taken.
E:\FSX\AivlaSoft\SIDSTARS\SIDSTARS.exe (Spyware.Agent) -> No action taken.
E:\FSX\Autogen\Autogen.exe (Spyware.Agent) -> No action taken.
E:\FSX\Categories\Categories.exe (Spyware.Agent) -> No action taken.
E:\FSX\charts\charts.exe (Spyware.Agent) -> No action taken.
E:\FSX\charts\Lessons\Lessons.exe (Spyware.Agent) -> No action taken.
E:\FSX\Flight One Software\Super80Pro\NavData\Proc\Proc.exe (Spyware.Agent) -> No action taken.
E:\FSX\FSWeb\LearningCenter\advancedflyingskills\images\images.exe (Spyware.Agent) -> No action taken.
E:\FSX\FSWeb\LearningCenter\Aircraft\images\images.exe (Spyware.Agent) -> No action taken.
E:\FSX\FSWeb\LearningCenter\Aircraft\images\icons\icons.exe (Spyware.Agent) -> No action taken.
E:\FSX\FSWeb\LearningCenter\Aircraft\images\large\large.exe (Spyware.Agent) -> No action taken.
E:\FSX\FSWeb\LearningCenter\AirTrafficControl\images\images.exe (Spyware.Agent) -> No action taken.
E:\FSX\FSWeb\LearningCenter\AirTrafficControl\images\icons\icons.exe (Spyware.Agent) -> No action taken.
E:\FSX\FSWeb\LearningCenter\AirTrafficControl\images\large\large.exe (Spyware.Agent) -> No action taken.
E:\FSX\FSWeb\LearningCenter\Flights\images\images.exe (Spyware.Agent) -> No action taken.
E:\FSX\FSWeb\LearningCenter\FlightSimExtreme\images\images.exe (Spyware.Agent) -> No action taken.
E:\FSX\FSWeb\LearningCenter\images\highlights\highlights.exe (Spyware.Agent) -> No action taken.
E:\FSX\FSWeb\LearningCenter\Options\images\icons\icons.exe (Spyware.Agent) -> No action taken.
E:\FSX\FSWeb\LearningCenter\partners\images\images.exe (Spyware.Agent) -> No action taken.
E:\FSX\FSWeb\LearningCenter\partners\images\cesna\cesna.exe (Spyware.Agent) -> No action taken.
E:\FSX\messages\student\student.exe (Spyware.Agent) -> No action taken.
E:\FSX\Missions\Airline Pilot\Amsterdam\images\images.exe (Spyware.Agent) -> No action taken.
E:\FSX\Missions\Airline Pilot\Amsterdam\Sound\Sound.exe (Spyware.Agent) -> No action taken.
E:\FSX\Missions\Airline Pilot\Caribbean\images\images.exe (Spyware.Agent) -> No action taken.
E:\FSX\Missions\Airline Pilot\Caribbean\Sound\Sound.exe (Spyware.Agent) -> No action taken.
E:\FSX\Missions\Airline Pilot\Monsoon\images\images.exe (Spyware.Agent) -> No action taken.
E:\FSX\Missions\Airline Pilot\Monsoon\Sound\Sound.exe (Spyware.Agent) -> No action taken.
E:\FSX\Missions\Airline Pilot\Quito\images\images.exe (Spyware.Agent) -> No action taken.
E:\FSX\Missions\Airline Pilot\Quito\Sound\Sound.exe (Spyware.Agent) -> No action taken.
E:\FSX\Missions\Airline Pilot\RomeNaples\images\images.exe (Spyware.Agent) -> No action taken.
E:\FSX\ORBX\Scripts\Lights\11\11.exe (Spyware.Agent) -> No action taken.
E:\FSX\ORBX\Scripts\Lights\12\12.exe (Spyware.Agent) -> No action taken.
E:\FSX\ORBX\Scripts\Lights\Halo.1\Halo.1.exe (Spyware.Agent) -> No action taken.
E:\FSX\ORBX\Scripts\Lights\Halo.2\Halo.2.exe (Spyware.Agent) -> No action taken.
E:\FSX\ORBX\Scripts\Lights\Halo.3\Halo.3.exe (Spyware.Agent) -> No action taken.
E:\FSX\ORBX\Scripts\Lights\Halo.4\Halo.4.exe (Spyware.Agent) -> No action taken.
E:\FSX\ORBX\Scripts\Lights\Halo.5\Halo.5.exe (Spyware.Agent) -> No action taken.
E:\FSX\ORBX\Scripts\Lights\Halo.6\Halo.6.exe (Spyware.Agent) -> No action taken.

Well...it goes on like this...I hope you now have a clear picture of the type of object that is running in my system....and finally the computer is now also just restarting whenever I try to switch off and I am switching it off from the power supply...

Please help me out with this.

tks

TwinHeadedEagle · Feb 4, 2014

Did you updated MalwareBytes before scanning? This looks like one giant False Positive detection...

emann · Feb 4, 2014

yes sir...malware has automatic updates and the last one was just on the restart of the pc before doing the scan...

what does false positive mean please and also any idea what type of thing is this that is creating all these exe files?

any other options I might have pls..

tks

TwinHeadedEagle · Feb 4, 2014

I wrote that malwarebytes had a false positive (wrong) detection over this software.

Microsoft Flight Simulator is legit software, so this is False Positive detection.

I think you should scan your PC with ESET Online scanner

http://www.eset.com/us/online-scanner/

And see is everything ok.

But before that let's remove used software.

Please download DelFix by "Xplode" to your Desktop.

Run the tool and check the following boxes below;

Remove disinfection tools
Create registry backup
Purge System Restore

Now click on "Run" button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt

> I don't need DelFix log report.

emann · Feb 4, 2014

Just to be 100% sure first I run DelFix....can you please advise which programs does this software remove?

after this is complete I should then run ESET?

pls confirm
tks

TwinHeadedEagle · Feb 4, 2014

Delfix removes software we used here...

emann · Feb 5, 2014

Dear Sir,

this one seems to start nailing down the situation....found 13 threats out of which 9 are deleted. It seems that the autorun worm has been deleted however there still seems to be this susplibload that remains on the computer... now it is asking me if i shall delete the quarantined files...pls advise...also what can I use to clear the computer from this susplibload that ESET says could not clean....

finally the computer is still restarting only and does not want to shut down as yet!!

look forward for your further instructions.

tks

finding .exe files on each drive in each folder

New Member

Level 41

New Member

Level 41

New Member

Attachments

Level 41

New Member

Attachments

Level 41

New Member

Level 41

New Member

Level 41

New Member

New Member

Level 41

New Member

Level 41

New Member

Level 41

New Member

Attachments

Similar threads