Question

Looking for info on c:\fauxvirus\carny ride.exe

Asked by: lrygiel

During a recent virus scan, I saw Norton was scanning a file called c:\fauxvirus\carny ride.exe. It took no action that I could see, but I do not see that directory on my c: drive (even with hidden files on). A search of the Internet (via google and yahoo) and Experts Exchange returned nothing on "c:\fauxvirus\carny ride.exe" (or variations) in English, nor did a search of Symantec.

Does anyone know anything about "c:\fauxvirus\carny ride.exe"? Is it a danger? Is there a recommended utility I can use to see ALL directories?

Thanks


Asked On: 2007-10-23 at 05:45:14 (ID 22911590)
Tags: fauxvirus, carny
Topics: Anti-Virus, Windows Network Security, Networking Security Vulnerabilities
Participating Experts: 6
Points: 300
Comments: 20



Answers

 

by: IndiGenus, posted on 2007-10-23 at 05:50:21, ID: 20130487

Sounds like a LOP infection.

I suggest that you download, run, and post a HijackThis log from the link below.
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

NOTE: Do not fix anything with HJT at this point.
Upload the log at EE-Stuff.com please (or at any hosting site) and only post back the link.
Log in using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on the "Expert Area" tab.
Type or paste the link to your Question.
"Browse" your PC to the location of your HijackThis log and click "Upload".
Copy the resulting "url" and post it back here.

 

by: lrygiel, posted on 2007-10-23 at 06:20:28, ID: 20130695

IndiGenus,

Thanks for your help. The file was uploaded. Here is the ee-stuff info:

Your file has successfully been uploaded!
To download the file, you must be logged into EE-Stuff. Here are two pages that will display your file, if logged in:

View all files for Question ID: 22911590
http://www.ee-stuff.com/Expert/Upload/viewFilesQuestion.php?qid=22911590

Direct link to your file
http://www.ee-stuff.com/Expert/Upload/getFile.php?fid=5147

 

by: IndiGenus, posted on 2007-10-23 at 07:03:51, ID: 20131063

Interesting, nothing showing in your HJT log. And you say you cannot see that fauxvirus folder even after enabling hidden files and folders? Doesn't make sense...

I would recommend downloading and running the AVG Anti-Spyware trial version, free for 30 days. Looks like AVG cleaned this in one other log I saw when researching this.

http://www.ewido.net/en/download/

Make sure to update it before running and set anything it finds to quarantine. You can also produce a report with it. You can upload that for us to check too.

 

by: lrygiel, posted on 2007-10-23 at 07:22:32, ID: 20131239

I will try the AVG anti-virus. 2 quick questions though:

1) Did you find anything in English regarding either fauxvirus or "carny ride.exe"?
2) What does LOP stand for?

 

by: IndiGenus, posted on 2007-10-23 at 07:39:13, ID: 20131371

>"I will try the AVG anti-virus. 2 quick questions though:"<
Just to clarify it's AVG Anti-Spyware...but I think you know what I meant.

>"1) Did you find anything in english regarding either fauxvirus or "carny ride.exe"?"<
Not really, no... I had to have Google translate what I found for me, and that is sometimes hard to interpret because the languages don't always translate too well.

>"2) What does LOP stand for?"<
The original name comes from lop.com, I believe, who was the initial purveyor of this infection. It has since changed and is usually downloaded along with some other "sponsor" software. One of the more common was "Messenger Plus". And now I believe it is also present with another supposedly legit program... can't remember the name. It was some kind of a compression utility though. The purveyors of "LOP" pay the sponsor program to include it in the "package". It's not really too harmful, more of an annoyance than anything: pop-ups, etc. It's usually characterized by some strange looking name in a HJT log, like "CARNY RIDE" or some other strange group of words. Another one I saw was "HEAP ONCE WITH YOUR", I believe. That's what originally led me to believe it was LOP. But now I don't think it is.

Hope this helps. The other thing I thought of after is it could be Smitfraud, although this is a reach. Easy enough to run the check though.

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Just run option #1, the search, and upload the log to see if present. Don't run any other options at this time.

 

by: r-k, posted on 2007-10-23 at 08:21:40, ID: 20131707

Submit that suspect file to one or both of the following sites:

 http://www.virustotal.com/
 http://virusscan.jotti.org/

They do an online scan against a variety of engines and you can see the results within a minute or two.

 

by: lrygiel, posted on 2007-10-23 at 08:27:26, ID: 20131765

I can't see the directory. I just happened to see "c:\fauxvirus\carny ride.exe" when Norton AV was doing a scan. I can't even see the directory in Explorer, even with show hidden files enabled.

Any ideas on how to even get to it?

 

by: r-k, posted on 2007-10-23 at 08:50:36, ID: 20131968

(1) Make sure "Hide operating system files .." is unchecked.

(2) Do a search on the entire drive for any file that contains "carny" as part of its name, in case you got the path slightly wrong.

(3) If none of the above helps find it, do a scan with RootkitRevealer.

Download and run RootkitRevealer from: http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx and click on "Scan" to scan your drives. It takes a while, so be patient. Try not to use the system too much during that time to avoid false positives. If it produces anything interesting, use "File -> Save As.." to save the results to a text file (important: you may need this file later). Copy-and-paste the results here, but if the results are very long, then just copy-and-paste the first 30 lines or so.

 

by: johnb6767, posted on 2007-10-24 at 10:26:05, ID: 20141002

Sophos Anti-Rootkit
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

This one I personally like better than RKR. Plus, it has the ability to automatically remove selected items. See if that directory shows up as either "Hidden from MFT" or "Hidden from Windows API".

Please post back results...

 

by: lrygiel, posted on 2007-10-25 at 11:11:56, ID: 20149825

Sorry for the delay, I had some work to do and was away:

r-k:

1) Unchecked "hide Operating Files" - no luck.
2) Search for carny resulted in nothing found.
3) Here are the RootkitRevealer results. This is all there was, so I'll just paste the whole thing. Nothing looks wrong to my untrained eye, but maybe to you experts....

HKLM\SECURITY\Policy\Secrets\SAC*      10/27/2006 1:02 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*      10/27/2006 1:02 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}*      10/30/2006 11:01 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{C36729C6-65AB-4A6F-8B96-53FF94E3A8D2}*      10/31/2006 7:40 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{C4E0FA00-475D-11D4-85D6-00105AD8842F}*      5/14/2007 12:08 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{C5ED101A-0FC6-41FF-88E4-70CC81399B6B}*      5/14/2007 12:06 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{D0362CF9-9DAC-4898-8D1A-CC11034B1B68}*      10/31/2006 7:39 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{D1362CF9-9DAC-4898-8D1A-CC11034B1B68}*      10/31/2006 7:39 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Symantec\InstalledApps\NAVDefsInstallDir      10/24/2007 4:42 PM      102 bytes      Hidden from Windows API.
HKLM\SOFTWARE\Symantec\InstalledApps\NAVDefsBinInstallDir      10/24/2007 4:42 PM      102 bytes      Hidden from Windows API.
HKLM\SOFTWARE\Symantec\InstalledApps\VirusDefs-incr-InstallDir      10/24/2007 4:42 PM      102 bytes      Hidden from Windows API.
HKLM\SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PollManager\currentPollMinutes      10/24/2007 4:42 PM      4 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PollManager\lastGoodTime      10/24/2007 4:42 PM      32 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Symantec\SharedDefs\AVDEFMGR      10/23/2007 2:33 PM      104 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Symantec\SharedDefs\SRTSP      10/23/2007 2:33 PM      104 bytes      Data mismatch between Windows API and raw hive data.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20071024.017\vscanmsx.dat      10/24/2007 5:13 PM      2.02 KB      Hidden from Windows API.
C:\System Volume Information\_restore{468A18AC-588D-4280-9E2F-D82EA8421D0D}\RP551\A0127302.ini      10/24/2007 4:48 PM      1.96 KB      Hidden from Windows API.


------->

JohnB6767,

I'll try your software next.
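A RootkitRevealer listing like the one pasted above is tedious to read by eye, so here is an added example (not from the thread, and not Sysinternals code) of how to parse that output and sort the discrepancies before a human looks at them. It assumes the four-column line layout shown in the paste (path, timestamp, size, description) and an allow-list of path prefixes that this thread treated as expected: Symantec's own definition files and registry keys, and the LSA Secrets keys whose embedded nulls r-k later notes applications use for things like license keys. Adding the System Restore store to that allow-list, and the final made-up line in the sample input, are my own assumptions for illustration. Anything outside the allow-list lands in a "review" bucket, which means "look at this by hand", not a verdict.

```python
"""Parse and triage RootkitRevealer output (added example, not from the thread).

Each RootkitRevealer line has four whitespace-separated columns:
    <registry key or file path>  <timestamp>  <size>  <discrepancy description>
Paths may themselves contain spaces, so the timestamp is used as the anchor
that marks where the path column ends.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the first five lines are copied from the paste in
# the thread; the LAST line is a made-up path added here purely to show what
# lands in the review bucket.
SAMPLE_OUTPUT = r"""
HKLM\SECURITY\Policy\Secrets\SAC*      10/27/2006 1:02 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Symantec\InstalledApps\NAVDefsInstallDir      10/24/2007 4:42 PM      102 bytes      Hidden from Windows API.
HKLM\SOFTWARE\Symantec\SharedDefs\AVDEFMGR      10/23/2007 2:33 PM      104 bytes      Data mismatch between Windows API and raw hive data.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20071024.017\vscanmsx.dat      10/24/2007 5:13 PM      2.02 KB      Hidden from Windows API.
C:\System Volume Information\_restore{468A18AC-588D-4280-9E2F-D82EA8421D0D}\RP551\A0127302.ini      10/24/2007 4:48 PM      1.96 KB      Hidden from Windows API.
C:\Documents and Settings\user\example-unknown.dll      1/1/2008 9:00 AM      4.00 KB      Hidden from Windows API.
"""

# The timestamp column is distinctive enough to delimit a path that contains spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<timestamp>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M)\s+"
    r"(?P<size>[\d.]+\s+(?:bytes|KB|MB|GB))\s+"
    r"(?P<description>.+?)\s*$"
)

# Assumed allow-list of path prefixes whose discrepancies this thread treated as
# expected (the AV's own protected definitions, LSA secrets with embedded nulls)
# plus System Restore's store (my assumption).  Adjust it to the software on the box.
EXPECTED_PREFIXES = (
    "HKLM\\SECURITY\\Policy\\Secrets\\",
    "HKLM\\SOFTWARE\\Symantec\\",
    "C:\\Program Files\\Common Files\\Symantec Shared\\",
    "C:\\System Volume Information\\",
)


@dataclass(frozen=True)
class Discrepancy:
    path: str
    timestamp: str
    size: str
    description: str

    @property
    def kind(self) -> str:
        """Map RootkitRevealer's free-text description to a short category."""
        d = self.description.lower()
        if "embedded nulls" in d:
            return "embedded-nulls"
        if "hidden from windows api" in d:
            return "hidden"
        if "data mismatch" in d:
            return "mismatch"
        return "other"


def parse(output: str) -> List[Discrepancy]:
    """Turn raw RootkitRevealer text into records; reject any line it cannot read."""
    items = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised RootkitRevealer line: {line!r}")
        items.append(Discrepancy(**match.groupdict()))
    return items


def is_expected(item: Discrepancy) -> bool:
    """True if the path sits under one of the allow-listed prefixes (case-insensitive)."""
    path = item.path.lower()
    return any(path.startswith(prefix.lower()) for prefix in EXPECTED_PREFIXES)


def triage(output: str) -> Dict[str, object]:
    """Group discrepancies by kind and single out the ones the allow-list does not cover."""
    items = parse(output)
    by_kind: Dict[str, List[str]] = {}
    for item in items:
        by_kind.setdefault(item.kind, []).append(item.path)
    review = [item for item in items if not is_expected(item)]
    return {"total": len(items), "by_kind": by_kind, "review": review}


if __name__ == "__main__":
    result = triage(SAMPLE_OUTPUT)
    print(f"{result['total']} discrepancies")
    for kind, paths in result["by_kind"].items():
        print(f"  {kind}: {len(paths)}")
    print("needs a human look:")
    for item in result["review"]:
        print(f"  {item.path}  ({item.description})")
```

On the thread's real paste every entry falls under the allow-list, which matches r-k's reading of it; only the constructed last line is reported for review. Save the "File -> Save As.." text file r-k asks for and feed it to `triage()` in place of `SAMPLE_OUTPUT`.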



 

by: r-k, posted on 2007-10-25 at 11:50:53, ID: 20150195

Hmm... You're right, there is no rootkit, and no hidden files shown by RootkitRevealer.

It's possible that Norton removed that file automatically during the scan. You may want to view the Quarantine (from within Norton) and see which files are in quarantine.

 

by: johnb6767, posted on 2007-10-25 at 11:54:23, ID: 20150226

RegDelNull v1.1
http://www.microsoft.com/technet/sysinternals/Utilities/RegDelNull.mspx

Just an aside to deal with those embedded null values in the registry....

 

by: lrygiel, posted on 2007-10-25 at 12:17:41, ID: 20150455

Ok... Sophos' Anti-Rootkit found absolutely nothing at all either. I guess I'll chalk this up to some bad Chinese food that gave me hallucinations or maybe a bad dream.

However, I do believe in rewarding for effort and time served.... So I'm upping the points to 300 and splitting that among you all.

I appreciate all the thought and effort.

Lee

 

by: r-k, posted on 2007-10-25 at 12:27:34, ID: 20150551

Thanks.

On the question of deleting Registry entries with embedded nulls, it's only something you should do if you're quite sure you don't need that entry. Various applications use those entries to store important information like license keys etc., and deleting them could cause the application to fail.

 

by: lrygiel, posted on 2007-10-25 at 14:08:04, ID: 20151490

Thanks,

I'm not planning on deleting anything from the registry. Although I do appreciate the info, I don't have enough competency in that area to play with it. I count on utilities to do that.

Again thanks to all...

 

by: myrubi04, posted on 2007-11-03 at 14:33:33, ID: 20208163

lrygiel, you did not hallucinate the FAUXVIRUS\carny ride.exe. I was just running a scan with Norton also and I noticed the same file name. This is what brought me here. My Norton scan keeps freezing up at around 5600 items scanned, so I thought this might have something to do with it.

 

by: lrygiel, posted on 2007-11-05 at 05:13:00, ID: 20215569

Thanks for the Info. I still haven't found anything of substance on this issue.

 

by: netsettler, posted on 2008-05-04 at 09:46:03, ID: 21496188

I also got here because I saw C:\FAUXVIRUS\carny ride.exe in view when Norton Internet Security was doing a weekly scan.  It stopped for a LONG time on that file, but didn't make any visible note about it.  I listed C:\ and it's not visibly there.  I did a web search and this is the only forum discussing it.  I haven't run any rootkit stuff but the above info doesn't look like that's going to turn anything up.

How do I make sure that Norton has this on its list of things to have human beings investigating?

 

by: Gun_Ship, posted on 2008-10-23 at 00:21:52, ID: 22783736

Hi guys I have the same thing on my PC and I haven't been able to remove C:\FAUXVIRUS\carny ride.exe but I have found some interesting info on it.

Some of my observations.

1. It seems that most of the people with this problem are using some sort of Symantec Anti-virus product.

2. It does not seem to produce any symptoms of an infection apart from Norton Anti-Virus listing it as 3 potential unknown threats.

3. Norton AV shows no sign of having automatically removed this threat.

4. Rootkit revealers can't seem to find it, and viewing the drive containing the infection through Ubuntu Linux does not reveal the hidden directory.

5. Deleting the directory C:\FAUXVIRUS through the command prompt does not work either. CMD claims that this directory cannot be found.

Some information I found:

1. This could be the origin of the infection: www.geocities.com/brandsiq/funnyprograms.html, and this site also gets listed when Google searching "carny ride.exe".

2. The official word from Symantec is that the directory C:\FAUXVIRUS\carny ride.exe shows up during the scan because Norton AV is apparently looking for it by default, but I doubt that is the case. The url for this discussion is http://community.norton.com/norton/board/message?board.id=other&message.id=872

3. I found this page, containing information about carny ride.exe, written by Prevx: http://spywarefiles.prevx.com/spywarefiles.asp?FXC=HFCI10495894  I haven't tried their removal tool, for I don't know if it is safe to use.

4. Some Norton AV users believe that it may be a bug in the Anti-Virus program itself.

Also, do not use the mirror IndiGenus provided for SmitfraudFix.exe. This mirror actually contains spyware. I hope this helps!


 

 

by: IndiGenus, posted on 2008-10-23 at 03:34:17, ID: 22784645

@Gun_Ship

Why are you posting here? This thread is a year old. I am responding to your last comment that Smitfraudfix is spyware. This is absolutely incorrect. Smitfraudfix, like many of the specialized tools we advise, is picked up as malware by many of the Anti-Virus programs just by the nature of what it does. It is a false positive. You should do your research before posting something like that.

Regards,
Dave
