lrygiel asked:
Looking for info on c:\fauxvirus\carny ride.exe
During a recent virus scan, I saw Norton was scanning a file called c:\fauxvirus\carny ride.exe. It took no action that I could see, but I do not see that directory on my c: drive (even with hidden files on). A search of the Internet (via google and yahoo) and Experts Exchange returned nothing on "c:\fauxvirus\carny ride.exe" (or variations) in English, nor did a search of Symantec.
Does anyone know anything about "c:\fauxvirus\carny ride.exe"? Is it a danger? Is there a recommended utility I can use to see ALL directories?
Thanks
ASKER
IndiGenus,
Thanks for your help. The file was uploaded. Here is the ee-stuff info:
Your file has successfully been uploaded!
To download the file, you must be logged into EE-Stuff. Here are two pages that will display your file, if logged in:
View all files for Question ID: 22911590
https://filedb.experts-exchange.com/incoming/ee-stuff/5147-hijackthis.log.txt
Direct link to your file
https://filedb.experts-exchange.com/incoming/ee-stuff/5147-hijackthis.log.txt
Interesting, nothing showing in your HJT log. And you say you cannot see that fauxvirus folder even after enabling hidden files and folders? Doesn't make sense...
I would recommend downloading and running the AVG Anti-Spyware trial version, free for 30 days. Looks like AVG cleaned this in one other log I saw when researching this.
http://www.ewido.net/en/download/
Make sure to update it before running and set anything it finds to quarantine. You can also produce a report with it. You can upload that for us to check too.
ASKER
I will try the AVG anti-virus. 2 quick questions though:
1) Did you find anything in english regarding either fauxvirus or "carny ride.exe"?
2) What does LOP stand for?
ASKER CERTIFIED SOLUTION
Submit that suspect file to one or both of the following sites:
http://www.virustotal.com/
http://virusscan.jotti.org/
They do an online scan against a variety of engines and you can see the results within a minute or two.
ASKER
I can't see the directory. I just happen to see the "c:\fauxvirus\carny ride.exe" when Norton AV was doing a scan. I can't even see the directory in explorer. Even with show hidden files enabled.
Any ideas on how to even get to it?
(1) Make sure "Hide operating system files .." is un-checked.
(2) Do a Search on the entire drive for any file that contains "carny" as part of its name, in case you got the path slightly wrong e.g.
(3) If none of the above helps find it, do a scan with RootkitRevealer.
Download and run RootkitRevealer from: http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
and click on "Scan" to scan your drives.
It takes a while, so be patient.
Try not to use the system too much during that time to avoid false positives.
If it produces anything interesting, use "File -> Save As.." to save the results to a text file (Important -> you may need this file later).
Copy-and-paste the results here, but if the results are very long, then just copy-and-paste the first 30 lines or so.
Sophos Anti-Rootkit
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
This one I personally like better than RKR. Plus, it has the ability to automatically remove selected items. See if that directory shows up as either "Hidden from MFT" or "Hidden from Windows API".
Please post back results...
ASKER
Sorry for the delay, I had some work to do and was away:
r-k:
1) Unchecked "hide Operating Files" - No Luck
2) Search for carny resulted in nothing found.
3) Here is the RootKitRevealer results. This is all there was so I'll just paste the whole thing. Nothing looks wrong to my untrained eye, but maybe to you experts....
HKLM\SECURITY\Policy\Secrets\SAC* 10/27/2006 1:02 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 10/27/2006 1:02 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}* 10/30/2006 11:01 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{C36729C6-65AB-4A6F-8B96-53FF94E3A8D2}* 10/31/2006 7:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{C4E0FA00-475D-11D4-85D6-00105AD8842F}* 5/14/2007 12:08 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{C5ED101A-0FC6-41FF-88E4-70CC81399B6B}* 5/14/2007 12:06 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{D0362CF9-9DAC-4898-8D1A-CC11034B1B68}* 10/31/2006 7:39 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{D1362CF9-9DAC-4898-8D1A-CC11034B1B68}* 10/31/2006 7:39 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Symantec\InstalledApps\NAVDefsInstallDir 10/24/2007 4:42 PM 102 bytes Hidden from Windows API.
HKLM\SOFTWARE\Symantec\InstalledApps\NAVDefsBinInstallDir 10/24/2007 4:42 PM 102 bytes Hidden from Windows API.
HKLM\SOFTWARE\Symantec\InstalledApps\VirusDefs-incr-InstallDir 10/24/2007 4:42 PM 102 bytes Hidden from Windows API.
HKLM\SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PollManager\currentPollMinutes 10/24/2007 4:42 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PollManager\lastGoodTime 10/24/2007 4:42 PM 32 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Symantec\SharedDefs\AVDEFMGR 10/23/2007 2:33 PM 104 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Symantec\SharedDefs\SRTSP 10/23/2007 2:33 PM 104 bytes Data mismatch between Windows API and raw hive data.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20071024.017\vscanmsx.dat 10/24/2007 5:13 PM 2.02 KB Hidden from Windows API.
C:\System Volume Information\_restore{468A18AC-588D-4280-9E2F-D82EA8421D0D}\RP551\A0127302.ini 10/24/2007 4:48 PM 1.96 KB Hidden from Windows API.
------->
JohnB6767,
I'll try your software next.
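The RootkitRevealer output above is the raw material for r-k's step (3); what a practitioner does with it is sort the lines by the kind of discrepancy reported and set aside the classes that clean machines produce anyway. The script below is an added example written for this page, not code from the thread, from Sysinternals or from Symantec. It parses lines in the format RootkitRevealer prints (path, date, time, size, description), groups them into the three discrepancy classes that appear in the log, and applies a small allow-list of prefixes that is a constructed heuristic for this example (LSA stores its secrets under embedded-null key names by design, and antivirus definition and System Restore data change while a scan is running). The sample input is the asker's 17 lines plus one constructed line so that the "still unexplained" bucket is not empty.

```python
"""Triage of RootkitRevealer discrepancy output (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# One RootkitRevealer line: <path> <M/D/YYYY> <H:MM AM|PM> <size> <bytes|KB|MB> <description>
# The path may contain spaces, so it is matched non-greedily up to the date.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)?)\s+(?P<unit>bytes|KB|MB)\s+"
    r"(?P<desc>.+?)\s*$"
)
UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 * 1024}

# Discrepancy classes RootkitRevealer reports.
EMBEDDED_NULL = "embedded-null key name"   # Win32 registry API cannot name the key
HIDDEN = "hidden from Windows API"         # raw hive / NTFS view shows it, API view does not
MISMATCH = "API / raw hive data mismatch"  # same value, different contents in the two views

# Constructed allow-list for this example (not a vendor list): prefixes that
# commonly appear on clean systems for the given class.
BENIGN_PREFIXES = {
    EMBEDDED_NULL: ("HKLM\\SECURITY\\Policy\\Secrets\\",),
    HIDDEN: ("HKLM\\SOFTWARE\\Symantec\\",
             "C:\\Program Files\\Common Files\\Symantec Shared\\",
             "C:\\System Volume Information\\"),
    MISMATCH: ("HKLM\\SOFTWARE\\Symantec\\",),
}


@dataclass(frozen=True)
class Entry:
    path: str
    timestamp: str
    size_bytes: int
    desc: str
    klass: str
    likely_benign: bool


def classify(desc: str) -> str:
    """Map RootkitRevealer's description text onto one of the classes above."""
    d = desc.lower()
    if "embedded nulls" in d:
        return EMBEDDED_NULL
    if "hidden from windows api" in d:
        return HIDDEN
    if "data mismatch" in d:
        return MISMATCH
    return "other"


def parse_line(line: str):
    """Parse one report line; return an Entry, or None if the line is not a report line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    klass = classify(m["desc"])
    prefixes = tuple(p.lower() for p in BENIGN_PREFIXES.get(klass, ()))
    benign = m["path"].lower().startswith(prefixes) if prefixes else False
    size = int(float(m["size"]) * UNIT[m["unit"]])
    return Entry(m["path"], f'{m["date"]} {m["time"]}', size, m["desc"].rstrip("."), klass, benign)


def parse_report(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def triage(entries: list):
    """Return (count per class, entries the allow-list does not explain)."""
    counts = Counter(e.klass for e in entries)
    unexplained = [e for e in entries if not e.likely_benign]
    return counts, unexplained


# Sample input: the lines posted in the thread, plus one constructed line
# (clearly named) so the unexplained bucket has something in it.
SAMPLE = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 10/27/2006 1:02 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 10/27/2006 1:02 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}* 10/30/2006 11:01 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{C36729C6-65AB-4A6F-8B96-53FF94E3A8D2}* 10/31/2006 7:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{C4E0FA00-475D-11D4-85D6-00105AD8842F}* 5/14/2007 12:08 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{C5ED101A-0FC6-41FF-88E4-70CC81399B6B}* 5/14/2007 12:06 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{D0362CF9-9DAC-4898-8D1A-CC11034B1B68}* 10/31/2006 7:39 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{D1362CF9-9DAC-4898-8D1A-CC11034B1B68}* 10/31/2006 7:39 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Symantec\InstalledApps\NAVDefsInstallDir 10/24/2007 4:42 PM 102 bytes Hidden from Windows API.
HKLM\SOFTWARE\Symantec\InstalledApps\NAVDefsBinInstallDir 10/24/2007 4:42 PM 102 bytes Hidden from Windows API.
HKLM\SOFTWARE\Symantec\InstalledApps\VirusDefs-incr-InstallDir 10/24/2007 4:42 PM 102 bytes Hidden from Windows API.
HKLM\SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PollManager\currentPollMinutes 10/24/2007 4:42 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PollManager\lastGoodTime 10/24/2007 4:42 PM 32 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Symantec\SharedDefs\AVDEFMGR 10/23/2007 2:33 PM 104 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Symantec\SharedDefs\SRTSP 10/23/2007 2:33 PM 104 bytes Data mismatch between Windows API and raw hive data.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20071024.017\vscanmsx.dat 10/24/2007 5:13 PM 2.02 KB Hidden from Windows API.
C:\System Volume Information\_restore{468A18AC-588D-4280-9E2F-D82EA8421D0D}\RP551\A0127302.ini 10/24/2007 4:48 PM 1.96 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\example-constructed.sys 1/1/2007 1:00 PM 12.00 KB Hidden from Windows API.
"""

if __name__ == "__main__":
    counts, unexplained = triage(parse_report(SAMPLE))
    for klass, n in counts.items():
        print(f"{n:3d}  {klass}")
    print("needs a closer look:")
    for e in unexplained:
        print(f"  {e.path}  ({e.klass}, {e.size_bytes} bytes, {e.timestamp})")
```

Run against the asker's lines, everything lands in the three known classes and all of it matches the allow-list, which is consistent with r-k's reading that nothing there looks wrong; only the constructed driver line is left for follow-up. The allow-list is deliberately narrow and prefix-based: an entry under an unfamiliar path, or an embedded-null key outside the LSA secrets tree, should stay in the unexplained bucket until someone has looked at it.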
ASKER
Ok... Sophos Anti-Rootkit found absolutely nothing at all either. I guess I'll chalk this up to some bad Chinese food that gave me hallucinations or maybe a bad dream.
However, I do believe in rewarding for effort and time served.... So I'm upping the points to 300 and splitting that among you all.
I appreciate all the thought and effort.
Lee
Thanks.
On the question of deleting Registry entries with embedded nulls, it's only something you should do if you're quite sure you don't need that entry. Various applications use those entries to store important information like license keys etc., and deleting them could cause the application to fail.
ASKER
Thanks,
I'm not planning on deleting anything from the registry. Although I do appreciate the info, I don't have enough competency in that area to play with it. I count on utilities to do that.
Again thanks to all...
lrygiel, you did not hallucinate the FAUXVIRUS\carny ride.exe. I was just running a scan with Norton also and I noticed the same file name. This is what brought me here. My Norton scan keeps freezing up at around 5600 items scanned so I thought this might have something to do with it.
ASKER
Thanks for the Info. I still haven't found anything of substance on this issue.
I also got here because I saw C:\FAUXVIRUS\carny ride.exe in view when Norton Internet Security was doing a weekly scan. It stopped for a LONG time on that file, but didn't make any visible note about it. I listed C:\ and it's not visibly there. I did a web search and this is the only forum discussing it. I haven't run any rootkit stuff but the above info doesn't look like that's going to turn anything up.
How do I make sure that Norton has this on its list of things to have human beings investigating?
Hi guys I have the same thing on my PC and I haven't been able to remove C:\FAUXVIRUS\carny ride.exe but I have found some interesting info on it.
Some of my observations.
1. It seems that most of the people with this problem are using some sort of Symantec Anti-virus product.
2. It does not seem to produce any symptoms of an infection apart from Norton Anti-Virus listing it as 3 potential unknown threats.
3. Norton AV shows no sign of having automatically removed this threat.
4. Rootkit revealers can't seem to find it and viewing the drive containing the infection through Ubuntu Linux does not reveal the hidden directory.
5. Deleting the directory C:\FAUXVIRUS through the command prompt does not work either. CMD claims that this directory can not be found.
Some information I found:
1. This could be the origin of the infection www.geocities.com/brandsiq/funnyprograms.html and this site also gets listed when Google searching carny ride.exe
2. The official word from Symantec is that the directory C:\FAUXVIRUS\carny ride.exe shows up during the scan because Norton AV is apparently looking for it by default but I doubt that is the case. The url for this discussion is http://community.norton.com/norton/board/message?board.id=other&message.id=872
3. I found this page, containing information about carny ride.exe written by Prevx http://spywarefiles.prevx.com/spywarefiles.asp?FXC=HFCI10495894 I haven't tried their removal tool for I don't know if it is safe to use.
4. Some Norton AV users believe that it may be a bug in the Anti-Virus program itself.
Also do not use the mirror IndiGenus provided for the SmitfraudFix.exe. This mirror actually contains spyware. I hope this helps!
@Gun_Ship
Why are you posting here? This thread is a year old. I am responding to your last comment that Smitfraudfix is spyware. This is absolutely incorrect. Smitfraudfix, like many of the specialized tools we advise, is picked up as malware by many of the Anti-Virus programs just by the nature of what it does. It is a false positive. You should do your research before posting something like that.
Regards,
Dave
I suggest that you download, run, and post a HijackThis log from the link below.
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php
NOTE: Do not fix anything with HJT at this point.
Upload the log at EE-Stuff.com please (or at any hosting site) and only post back the link.
Log in using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.