During a recent virus scan, I saw Norton was scanning a file called c:\fauxvirus\carny ride.exe. It took no action that I could see, but I do not see that directory on my c: drive (even with hidden files on). A search of the Internet (via google and yahoo) and Experts Exchange returned nothing on "c:\fauxvirus\carny ride.exe" (or variations) in English, nor did a search of Symantec.
Does anyone know anything about "c:\fauxvirus\carny ride.exe"? Is it a danger? Is there a recommended utility I can use to see ALL directories?
Thanks
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
IndiGenus,
Thanks for your help. THe file was uploaded. Here is the ee-stuff info:
Your file has successfully been uploaded!
To download the file, you must be logged into EE-Stuff. Here are two pages that will display your file, if logged in:
View all files for Question ID: 22911590
http://www.ee-stuff.com/Ex
Direct link to your file
http://www.ee-stuff.com/Ex
Interesting, nothing showing in your HJT log. And you say you cannot see that fauxvirus folder even after enabling hidden files and folders? Doesn't make sense...
I would recommend downloading and running the AVG Anti-Spyware trial version, free for 30 days. Looks like AVG cleaned this in one other log I saw when researching this.
http://www.ewido.net/en/do
Make sure to update it before running and set anything it finds to quarantine. You can also produce a report with it. You can upload that for us to check too.
>"I will try the AVG anti-virus. 2 quick questions though:"<
Just to clarify it's AVG Anti-Spyware...but I think you know what I meant.
>"1) Did you find anything in english regarding either fauxvirus or "carny ride.exe"?"<
Not really no...had to have google translate what I found for me, and that is sometimes hard to interpret because the languages don't always translate too well.
>"2) What does LOP stand for?"<
The original name comes from lop.com I believe who was the initial purveyor of this infection. It has since changed and is usually downloaded along with some other "sponsor" software. One of the more common was "Messenger Plus". And now I believe is present also with another supposedly legit program...can't remember the name. It was some kind of a compression utility though. The purveyors of "LOP" pay the sponsor program to include it in the "package". It's not really to harmful, more of an annoyance than anything, pop-ups, ect... It's usually characterized by some strange looking name in a HJT log. Like "CARNY RIDE" or some other strange group of words. Another one I saw was "HEAP ONCE WITH YOUR", I believe. That's what originally led me to believe it was LOP. But now I don't think it is.
Hope this helps. The other thing I thought of after is it could be Smitfraud, although this is a reach. Easy enough to run the check though.
http://siri.urz.free.fr/Fi
Just run option #1, the search, and upload the log to see if present. Don't run any other options at this time.
Submit that suspect file to one or both of the following sites:
http://www.virustotal.com/
http://virusscan.jotti.org
They do an online scan against a variety of engines and you can see the results within a minute or two.
(1) Make sure "Hide operating system files .." is un-checked.
(2) Do a Search on the entire drive for any file that contains "carny" as part of its name, in case you got the path slightly wrong e.g.
(3) If none of the above helps find it, do a scan with RootkitRevealer.
Download and run RootkitRevealer from: http://www.microsoft.com/t
and click on "Scan" to scan your drives.
It takes a while, so be patient.
Try not to use the system too much during that time to avoid false positives.
If it produces anything interesting, use "File -> Save As.." to save the
results to a text file (Important -> you may need this file later)
Copy-and-paste the results here, but if the results are very long, then just copy-and-paste the
first 30 lines or so.
Sophos Anti-Rootkit
http://www.sophos.com/prod
This one I personally like better that RKR. Plus, it has the ability to automatically remove selected items. See if that directory shows up as either "Hidden from MFT" or "Hidden from Windows API".
Please post back results...
Sorry for the delay, I had some work to do and was away:
r-k:
1) Un checked "hide Operating Files" - No Luck
2) Search for carny, resulted in noting found.
3) Here is the RootKitRevealer results. This is all there was so I'll just paste the whole thing. Nothing looks wrong to my untrained eye, but maybe to you experts....
HKLM\SECURITY\Policy\Secre
HKLM\SECURITY\Policy\Secre
HKLM\SECURITY\Policy\Secre
HKLM\SECURITY\Policy\Secre
HKLM\SECURITY\Policy\Secre
HKLM\SECURITY\Policy\Secre
HKLM\SECURITY\Policy\Secre
HKLM\SECURITY\Policy\Secre
HKLM\SOFTWARE\Symantec\Ins
HKLM\SOFTWARE\Symantec\Ins
HKLM\SOFTWARE\Symantec\Ins
HKLM\SOFTWARE\Symantec\PIF
HKLM\SOFTWARE\Symantec\PIF
HKLM\SOFTWARE\Symantec\Sha
HKLM\SOFTWARE\Symantec\Sha
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20071024.
C:\System Volume Information\_restore{468A1
------->
JohnB6767,
I'll try your software next.
RegDelNull v1.1
http://www.microsoft.com/t
Just an aside to deal with those embedded null values in the registry....
Ok... Sophi's Anti-Root kit found absolutely nothing at all either. I guess I'll chalk this up to some bad Chinese food that gave me hallucinations or maybe a bad dream.
How ever I do believe in rewarding for effort and time served.... So I'm upping the points to 300 and splitting that among you all.
I appreciate all the thought and effort.
Lee
Thanks.
On the question of deleting Registry entries with embedded nulls, it's only something you should do if you're quite sure you don't need that entry. Various applications use those entries to store important information like license keys etc., and deleting them could cause the application to fail.
I also got here because I saw C:\FAUXVIRUS\carny ride.exe in view when Norton Internet Security was doing a weekly scan. It stopped for a LONG time on that file, but didn't make any visible note about it. I listed C:\ and it's not visibly there. I did a web search and this is the only forum discussing it. I haven't run any rootkit stuff but the above info doesn't look like that's going to turn anything up.
How do I make sure that Norton has this on its list of things to have human beings investigating?
Hi guys I have the same thing on my PC and I haven't been able to remove C:\FAUXVIRUS\carny ride.exe but I have found some interesting info on it.
Some of my observations.
1. It seems that most of the people with this problem are using some sought of Symantec Anti-virus product.
2. It does not seem to produce any symptoms of an infection apart from Norton Anti-Virus listing it as 3 potential unknown threats.
3. Norton AV shows no sign of having automatically removed this threat.
4.Rootkit revelers can't seem to find it and viewing the drive containing the infection through Ubuntu Linux does not reveal the hidden directory.
5. Deleting the directory C:\FAUXVIRUS through the command prompt does not work either. CMD claims that this directory can not be found.
Some information I found:
1. This could be the origin of the infection www.geocities.com/brandsiq
2. The official word form Symantec is that the directory C:\FAUXVIRUS\carny ride.exe shows up during the scan because Norton AV is apparently looking for it by default but I doubt that is the case. The url for this discussion is http://community.norton.co
3. I found this page, containing information about canry ride.exe written by Prevx http://spywarefiles.prevx.
4. Some Norton AV users believe that it may be a bug in the Anti-Virus program its self.
Also do not use the mirror IndiGenus provided for the SmitfraudFix.exe. This mirror actually contains spyware. I hope this helps!
@Gun_Ship
Why are you posting here? This thread is a year old. I am responding to your last comment that Smitfraudfix is spyware. This is absolutely incorrect. Smitfraudfix, like many of the specialized tools we advise, is picked up as malware by many of the Anti-Virus programs just by the nature of what it does. It is a false positive. You should do your research before posting something like that.
Regards,
Dave
Business Accounts
Answer for Membership
by: IndiGenusPosted on 2007-10-23 at 05:50:21ID: 20130487
Sounds like a LOP infection.
I suggest that you download, run, and post a HijackThis log from the link below.
http://www.trendsecure.com
NOTE: Do not fix anything with HJT at this point,
Upload the log at EE-Stuff.com please(or at any hosting sites) and only post back the link.
login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.