Question asked by lrygiel:
Looking for info on c:\fauxvirus\carny ride.exe

During a recent virus scan, I saw Norton was scanning a file called c:\fauxvirus\carny ride.exe. It took no action that I could see, but I do not see that directory on my c: drive (even with hidden files on). A search of the Internet (via google and yahoo) and Experts Exchange returned nothing on "c:\fauxvirus\carny ride.exe" (or variations) in English, nor did a search of Symantec.

Does anyone know anything about "c:\fauxvirus\carny ride.exe"? Is it a danger? Is there a recommended utility I can use to see ALL directories?

Thanks
IndiGenus:

Sounds like a LOP infection.

I suggest that you download, run, and post a HijackThis log from the link below.
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

NOTE: Do not fix anything with HJT at this point.
Upload the log at EE-Stuff.com (or at any hosting site) and only post back the link.
Log in using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.
lrygiel (asker):

IndiGenus,

Thanks for your help. The file was uploaded. Here is the ee-stuff info:

Your file has successfully been uploaded!
To download the file, you must be logged into EE-Stuff. Here are two pages that will display your file, if logged in:

View all files for Question ID: 22911590
https://filedb.experts-exchange.com/incoming/ee-stuff/5147-hijackthis.log.txt 

Direct link to your file
https://filedb.experts-exchange.com/incoming/ee-stuff/5147-hijackthis.log.txt 
IndiGenus:

Interesting, nothing showing in your HJT log. And you say you cannot see that fauxvirus folder even after enabling hidden files and folders? Doesn't make sense...

I would recommend downloading and running the AVG Anti-Spyware trial version, free for 30 days. Looks like AVG cleaned this in one other log I saw when researching this.

http://www.ewido.net/en/download/

Make sure to update it before running and set anything it finds to quarantine. You can also produce a report with it. You can upload that for us to check too.
lrygiel (asker):

I will try the AVG anti-virus. 2 quick questions though:

1) Did you find anything in english regarding either fauxvirus or "carny ride.exe"?
2) What does LOP stand for?

ASKER CERTIFIED SOLUTION by IndiGenus (members-only; not shown on this page)
r-k:

Submit that suspect file to one or both of the following sites:

 http://www.virustotal.com/
 http://virusscan.jotti.org/

They do an online scan against a variety of engines and you can see the results within a minute or two.
lrygiel (asker):

I can't see the directory. I just happen to see the "c:\fauxvirus\carny ride.exe" when Norton AV was doing a scan. I can't even see the directory in explorer.  Even with show hidden files enabled.

Any ideas on how to even get to it?
r-k:

(1) Make sure "Hide operating system files ..." is unchecked.

(2) Do a search on the entire drive for any file that contains "carny" as part of its name, in case you got the path slightly wrong.

(3) If none of the above helps find it, do a scan with RootkitRevealer.

Download and run RootkitRevealer from: http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
and click on "Scan" to scan your drives.
It takes a while, so be patient.
Try not to use the system too much during that time to avoid false positives.
If it produces anything interesting, use "File -> Save As..." to save the results to a text file (important: you may need this file later).
Copy and paste the results here, but if the results are very long, then just copy and paste the first 30 lines or so.
johnb6767:
Sophos Anti-Rootkit
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

This one I personally like better than RKR. Plus, it has the ability to automatically remove selected items. See if that directory shows up as either "Hidden from MFT" or "Hidden from Windows API".

Please post back results...
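The tools recommended in the two posts above (RootkitRevealer, Sophos Anti-Rootkit) all work the same way: they enumerate the file system and registry once through the normal Windows API and once by reading the raw on-disk structures, then report whatever appears in only one view. The following is an added example, not code from this thread or from either tool, that shows that cross-view diff in miniature. The two listings are constructed for the demo; the function and variable names are the example's own; and the exact semantics of Sophos's "Hidden from MFT" label are not assumed, only the general idea that an entry missing from the API view but present on disk is the classic rootkit signature. It also folds in r-k's step 2 (search for any name containing "carny"), since a Windows path search has to be case-insensitive to be meaningful: C:\FAUXVIRUS and c:\fauxvirus are the same directory.

```python
"""Cross-view comparison of two directory listings.

Added example; not code from this thread, from RootkitRevealer or from
Sophos Anti-Rootkit. It shows the mechanism behind labels such as
"Hidden from Windows API": enumerate the same paths through two independent
views and report whatever appears in only one of them. The two listings
here are constructed for the demo. A real tool takes the API view from
FindFirstFile/FindNextFile and the raw view from parsing the NTFS MFT (or,
as one poster later did, from mounting the disk under Linux).
"""
import ntpath


def normalize(path: str) -> str:
    """Canonical form for comparing Windows paths.

    NTFS lookups are case-insensitive and accept either separator, so
    c:/FAUXVIRUS/carny ride.exe and C:\\fauxvirus\\CARNY RIDE.EXE name the
    same object. Comparing raw strings would report a bogus discrepancy.
    """
    return ntpath.normcase(ntpath.normpath(path))


def cross_view_diff(api_view, raw_view):
    """Return (hidden_from_api, hidden_from_raw), each a sorted list.

    hidden_from_api: on disk in the raw view but not returned by the API;
        this is what a file-hiding rootkit produces.
    hidden_from_raw: returned by the API but absent from the raw view, e.g.
        a file created or deleted between the two passes (RootkitRevealer
        warns about this, hence "don't use the system during the scan").
    """
    api = {normalize(p): p for p in api_view}
    raw = {normalize(p): p for p in raw_view}
    hidden_from_api = sorted(raw[k] for k in raw.keys() - api.keys())
    hidden_from_raw = sorted(api[k] for k in api.keys() - raw.keys())
    return hidden_from_api, hidden_from_raw


def find_fragment(paths, fragment: str):
    """Case-insensitive search for a name fragment anywhere in the path
    (r-k's step 2, run against whichever view you have)."""
    frag = fragment.lower()
    return sorted(p for p in paths if frag in p.lower())


# Constructed listings for the demo; not taken from the poster's machine.
API_VIEW = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\Documents and Settings\user\My Documents\notes.txt",
    r"C:\temp\scan-in-progress.log",      # written after the raw pass started
]
RAW_VIEW = [
    r"c:\windows\EXPLORER.EXE",           # same object as above, different case
    r"C:\Documents and Settings\user\My Documents\notes.txt",
    r"C:\FAUXVIRUS\carny ride.exe",       # present on disk, filtered from the API
]

if __name__ == "__main__":
    hidden_api, hidden_raw = cross_view_diff(API_VIEW, RAW_VIEW)
    for p in hidden_api:
        print("Hidden from Windows API:", p)
    for p in hidden_raw:
        print("Absent from raw view:   ", p)
    print("Name search:", find_fragment(RAW_VIEW, "carny"))
```

Two practical points fall out of this: a discrepancy is only meaningful after case and separator normalisation (otherwise every file is "hidden"), and activity during the scan shows up as noise in the second list, which is why RootkitRevealer asks you to leave the machine alone while it runs.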
lrygiel (asker):

Sorry for the delay, I had some work to do and was away:

r-k:

1) Unchecked "Hide operating system files" - No luck.
2) Search for carny resulted in nothing found.
3) Here is the RootKitRevealer results. This is all there was so I'll just paste the whole thing. Nothing looks wrong to my untrained eye, but maybe to you experts....

HKLM\SECURITY\Policy\Secrets\SAC*      10/27/2006 1:02 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*      10/27/2006 1:02 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}*      10/30/2006 11:01 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{C36729C6-65AB-4A6F-8B96-53FF94E3A8D2}*      10/31/2006 7:40 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{C4E0FA00-475D-11D4-85D6-00105AD8842F}*      5/14/2007 12:08 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{C5ED101A-0FC6-41FF-88E4-70CC81399B6B}*      5/14/2007 12:06 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{D0362CF9-9DAC-4898-8D1A-CC11034B1B68}*      10/31/2006 7:39 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{D1362CF9-9DAC-4898-8D1A-CC11034B1B68}*      10/31/2006 7:39 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Symantec\InstalledApps\NAVDefsInstallDir      10/24/2007 4:42 PM      102 bytes      Hidden from Windows API.
HKLM\SOFTWARE\Symantec\InstalledApps\NAVDefsBinInstallDir      10/24/2007 4:42 PM      102 bytes      Hidden from Windows API.
HKLM\SOFTWARE\Symantec\InstalledApps\VirusDefs-incr-InstallDir      10/24/2007 4:42 PM      102 bytes      Hidden from Windows API.
HKLM\SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PollManager\currentPollMinutes      10/24/2007 4:42 PM      4 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PollManager\lastGoodTime      10/24/2007 4:42 PM      32 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Symantec\SharedDefs\AVDEFMGR      10/23/2007 2:33 PM      104 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Symantec\SharedDefs\SRTSP      10/23/2007 2:33 PM      104 bytes      Data mismatch between Windows API and raw hive data.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20071024.017\vscanmsx.dat      10/24/2007 5:13 PM      2.02 KB      Hidden from Windows API.
C:\System Volume Information\_restore{468A18AC-588D-4280-9E2F-D82EA8421D0D}\RP551\A0127302.ini      10/24/2007 4:48 PM      1.96 KB      Hidden from Windows API.


------->

JohnB6767,

I'll try your software next.
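The RootkitRevealer report pasted above is typical of a clean Windows XP machine with Symantec AV installed: LSA secrets under HKLM\SECURITY\Policy\Secrets legitimately have embedded nulls in their key names, Symantec's definition and self-protection keys routinely show as hidden or mismatched, and a System Restore file that changed during the scan shows as hidden. The following is an added example, not code from this thread or from Sysinternals, that parses that report layout and sorts each line into a bucket so that anything unexplained stands out. The allowlist of benign patterns is an assumption (a starting point, not a verdict), every line of the poster's actual report lands in one of the three benign buckets, and the FAUXVIRUS line in the constructed sample is hypothetical, included only to show what a real hit would look like.

```python
"""Triage of a RootkitRevealer report.

Added example; not code from this thread or from Sysinternals. It parses the
report layout pasted above (path, timestamp, size, description, separated by
runs of whitespace) and sorts each discrepancy into a bucket so the lines that
need a human stand out. The three "benign" patterns are assumptions drawn
from what RootkitRevealer routinely reports on a healthy XP machine running
Symantec AV; treat them as a starting allowlist, not a verdict.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s{2,}"                                      # path; may contain single spaces
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s{2,}"  # e.g. 10/27/2006 1:02 PM
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB))\s{2,}"                 # e.g. 0 bytes, 2.02 KB
    r"(?P<desc>.+?)\s*$"                                         # RKR's discrepancy text
)

BENIGN_LSA = "benign: LSA secrets under HKLM\\SECURITY store key names with embedded nulls"
LIKELY_AV = "likely benign: Symantec definitions / self-protection"
LIKELY_SVI = "likely benign: System Restore churn during the scan"
REVIEW = "REVIEW: unexplained discrepancy"


def parse_report(text):
    """Parse report lines into dicts. A non-blank line that does not fit the
    layout raises rather than being silently dropped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        entries.append(m.groupdict())
    return entries


def classify(entry):
    """Assign one bucket label to a parsed entry (the allowlist is an assumption)."""
    low = entry["path"].lower()
    if entry["desc"].startswith("Key name contains embedded nulls") and \
            low.startswith("hklm\\security\\policy\\secrets"):
        return BENIGN_LSA
    if low.startswith("hklm\\software\\symantec") or "\\symantec shared\\virusdefs\\" in low:
        return LIKELY_AV
    if low.startswith("c:\\system volume information\\"):
        return LIKELY_SVI
    return REVIEW


def triage(text):
    """Return (Counter of bucket labels, list of paths needing review)."""
    counts = Counter()
    review = []
    for e in parse_report(text):
        bucket = classify(e)
        counts[bucket] += 1
        if bucket == REVIEW:
            review.append(e["path"])
    return counts, review


def mentions(entries, fragment):
    """Paths in the report containing a name fragment, case-insensitively."""
    frag = fragment.lower()
    return [e["path"] for e in entries if frag in e["path"].lower()]


# Constructed sample: four lines modelled on the report above plus one
# hypothetical hit. The poster's real report contained no such FAUXVIRUS line.
SAMPLE_REPORT = r"""
HKLM\SECURITY\Policy\Secrets\SAC*      10/27/2006 1:02 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Symantec\InstalledApps\NAVDefsInstallDir      10/24/2007 4:42 PM      102 bytes      Hidden from Windows API.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20071024.017\vscanmsx.dat      10/24/2007 5:13 PM      2.02 KB      Hidden from Windows API.
C:\System Volume Information\_restore{468A18AC-588D-4280-9E2F-D82EA8421D0D}\RP551\A0127302.ini      10/24/2007 4:48 PM      1.96 KB      Hidden from Windows API.
C:\FAUXVIRUS\carny ride.exe      10/24/2007 4:50 PM      41.00 KB      Hidden from Windows API.
"""

if __name__ == "__main__":
    counts, review = triage(SAMPLE_REPORT)
    for bucket, n in counts.most_common():
        print(f"{n:3d}  {bucket}")
    for path in review:
        print("needs a look:", path)
```

Run against the poster's pasted output, the REVIEW bucket is empty and nothing matches "fauxvirus" or "carny", which is the same conclusion the experts reached by eye: RootkitRevealer saw no hidden directory. If a line like the constructed one had appeared, the next step would be saving that report (as r-k said) and pulling the file out from the raw view for submission to the online scanners mentioned earlier.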



Two further solutions (members-only; not shown on this page)
lrygiel (asker):

Ok... Sophos Anti-Rootkit found absolutely nothing at all either. I guess I'll chalk this up to some bad Chinese food that gave me hallucinations or maybe a bad dream.

However, I do believe in rewarding for effort and time served.... So I'm upping the points to 300 and splitting that among you all.

I appreciate all the thought and effort.

Lee
Thanks.

On the question of deleting Registry entries with embedded nulls, it's only something you should do if you're quite sure you don't need that entry. Various applications use those entries to store important information like license keys etc., and deleting them could cause the application to fail.
lrygiel (asker):

Thanks,

I'm not planning on deleting anything from the registry. Although I do appreciate the info, I don't have enough competency in that area to play with it. I count on utilities to do that.

Again thanks to all...

lrygiel, you did not hallucinate the FAUXVIRUS\carny ride.exe. I was just running a scan with Norton and I noticed the same file name. This is what brought me here. My Norton scan keeps freezing up at around 5600 items scanned so I thought this might have something to do with it.
lrygiel (asker):

Thanks for the Info. I still haven't found anything of substance on this issue.
I also got here because I saw C:\FAUXVIRUS\carny ride.exe in view when Norton Internet Security was doing a weekly scan.  It stopped for a LONG time on that file, but didn't make any visible note about it.  I listed C:\ and it's not visibly there.  I did a web search and this is the only forum discussing it.  I haven't run any rootkit stuff but the above info doesn't look like that's going to turn anything up.

How do I make sure that Norton has this on its list of things to have human beings investigating?
Gun_Ship:

Hi guys, I have the same thing on my PC and I haven't been able to remove C:\FAUXVIRUS\carny ride.exe, but I have found some interesting info on it.

Some of my observations.

1. It seems that most of the people with this problem are using some sort of Symantec anti-virus product.

2. It does not seem to produce any symptoms of an infection apart from Norton Anti-Virus listing it as 3 potential unknown threats.

3. Norton AV shows no sign of having automatically removed this threat.

4. Rootkit revealers can't seem to find it, and viewing the drive containing the infection through Ubuntu Linux does not reveal the hidden directory.

5. Deleting the directory C:\FAUXVIRUS through the command prompt does not work either. CMD claims that this directory cannot be found.

Some information I found:

1. This could be the origin of the infection: www.geocities.com/brandsiq/funnyprograms.html. This site also gets listed when Google searching carny ride.exe.

2. The official word from Symantec is that the directory C:\FAUXVIRUS\carny ride.exe shows up during the scan because Norton AV is apparently looking for it by default, but I doubt that is the case. The URL for this discussion is http://community.norton.com/norton/board/message?board.id=other&message.id=872

3. I found this page, containing information about carny ride.exe written by Prevx: http://spywarefiles.prevx.com/spywarefiles.asp?FXC=HFCI10495894 I haven't tried their removal tool, for I don't know if it is safe to use.

4. Some Norton AV users believe that it may be a bug in the anti-virus program itself.

Also do not use the mirror IndiGenus provided for the SmitfraudFix.exe.  This mirror actually contains spyware.  I hope this helps!

@Gun_Ship

Why are you posting here? This thread is a year old. I am responding to your last comment that Smitfraudfix is spyware. This is absolutely incorrect. Smitfraudfix, like many of the specialized tools we advise, is picked up as malware by many of the Anti-Virus programs just by the nature of what it does. It is a false positive. You should do your research before posting something like that.

Regards,
Dave