Solved

Problems with c:\fauxvirus\carny ride.exe

Posted on 2008-10-08
1,150 Views
Last Modified: 2013-11-22
My computer is infected with c:\fauxvirus\carny ride.exe and I don't know how to get rid of it.
Question by:TonyRosa

Accepted Solution

by:
hewittg earned 250 total points
ID: 22674997
Tony,

Seems this is an issue.  Below is the website to look for malware/spyware



http://community.norton.com/norton/board/message?board.id=Announcements&thread.id=9&jump=true

How to troubleshoot a suspected Malware infection
 
 Tony_Weiss
Administrator
Please follow the below steps if you suspect that you may be infected with a threat which your Symantec product isn't detecting:

-    Ensure you have the latest virus definitions by running LiveUpdate.
-    Run a full system scan, removing any malicious files which are detected.

If, after following the above steps, no threat is found, check for any recently created or suspicious files in the following locations:

-  C:\Documents and Settings\All Users\Start Menu\Programs\Startup
-  C:\Documents and Settings\[user name]\Start Menu\Programs\Startup
-  C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
-  C:\Documents and Settings\Default User\Start Menu\Programs\Startup
-  C:\WinNT\Profiles\All Users\Start Menu\Programs\Startup
-  C:\WinNT\Profiles\[user name]\Start Menu\Programs\Startup
-  C:\WinNT\Profiles\Administrator\Start Menu\Programs\Startup
-  C:\WinNT\Profiles\Default User\Start Menu\Programs\Startup
-  C:\Windows\Start Menu\Programs\Startup
-  C:\Windows\All Users\Start Menu\Programs\Startup

Check the common loading points for any suspicious files using the msconfig utility:

For Windows 98/Me
-  Click Start, and click Run. The Run window appears.
-  In the Open box, type msconfig and click OK. The System Configuration Utility appears.
-  Click the Startup tab.
-  Scroll through the list of files.
-  If you see a suspicious file, then note the name.
-  Click the Win.ini tab and then clear the checkbox in front of [windows]. Look for any entries in the Load= or Run= lines. Note any files that you see.
-  Click the System.ini tab and then clear the checkbox in front of [boot]. You should see an entry Shell=Explorer.exe. Check to see if there is another file name to the right of Explorer.exe. If there is, then note the file name.
-  Click Cancel to close the System Configuration Utility.

For Windows XP
-  Click Start, and click Run. The Run window appears.
-  In the Open box, type msconfig and then click OK. The System Configuration Utility appears.
-  Click the General tab.
-  Click Selective Startup.
-  Click the Startup tab.
-  Scroll through the list of files.
-  If you see a suspicious file, then note the name.
-  When you are finished, click Cancel to close the System Configuration Utility.

Check registry load points:

-  Click Start, and click Run. The Run window appears.
-  In the Open box, type regedit and then click OK. The Registry Editor appears.
-  Browse to the following registry keys and note any suspicious file names in the right hand pane.

HKEY_CURRENT_USER\Software\Microsoft\Windows\currentversion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\currentversion\runonce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\currentversion\runservices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\currentversion\runservicesonce

HKEY_CURRENT_USER\Software\Microsoft\Windows\currentversion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\windowsnt\currentversion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentversion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentversion\runonce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\runonceex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentversion\runservices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentversion\runservicesonce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windowsnt\currentversion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windowsnt\currentversion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\windowsnt\currentversion\Windows\appinit_dlls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentversion\Explorer\sharedtaskscheduler
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\Software\Microsoft\SharedTools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\Software\Microsoft\SharedTools\MSConfig\startupreg

Check for any suspicious processes running in task manager:

-  Press Ctrl+Shift+Esc to open the Task Manager.
-  Click the Process tab.
-  Click "Image Name" twice to sort the processes.
-  Look through the list for possible threats and take a note of the file name.

Submit suspicious files for analysis:

Any suspicious files identified in the above steps should be submitted to Symantec Security Response for analysis:

-  Go to https://submit.symantec.com/retail
-  Locate the files identified above and submit for analysis following the instructions provided
-  An email with a tracking number will be sent once the submission has been received.
-  A closing email will be sent once submissions have been processed with the results of the analysis
-  For files which are determined to be malicious, details of the definition versions which provide detection will be included in the email.
Message Edited by Tony_Weiss on 09-05-2008 12:45 PM

 
Tony Weiss
Norton Forums Administrator
Symantec Corporation
 
 
06-27-2008 05:49 PM    
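
The registry and Startup-folder checks from the steps quoted in this answer can be collected in one read-only pass. This is an added example, not part of the original posts or of Symantec's instructions; it assumes PowerShell 3 or later on the machine being checked, writes the key names with the `Windows NT` spelling the registry itself uses, and the function names are hypothetical.

```powershell
# Added example: read-only inventory of the load points listed above. Nothing is modified.

# Keys in which every value is a command launched at startup or logon.
$runKeys = @(
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Keys in which only specific named values act as load points.
$namedValues = @{
    'HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows'   = @('Load', 'Run')
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'  = @('AppInit_DLLs')
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' = @('Shell', 'Userinit')
}

function Get-LoadPointEntry {
    foreach ($key in ($runKeys + @($namedValues.Keys))) {
        $item = Get-Item -LiteralPath "Registry::$key" -ErrorAction SilentlyContinue
        if (-not $item) { continue }   # key is absent on this Windows version
        $names = if ($namedValues.ContainsKey($key)) { $namedValues[$key] }
                 else { $item.GetValueNames() }
        foreach ($name in $names) {
            $data = $item.GetValue($name)
            if ($data) {               # skip values that are missing or empty
                [pscustomobject]@{ Location = $key; Name = $name; Command = "$data" }
            }
        }
    }
}

function Get-StartupFolderEntry {
    # Resolves the per-user and all-users Startup folders for the running
    # Windows version instead of hard-coding the XP/NT/9x paths.
    foreach ($id in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($id)
        if ($dir -and (Test-Path -LiteralPath $dir)) {
            Get-ChildItem -LiteralPath $dir -Force |
                Select-Object FullName, CreationTime, LastWriteTime
        }
    }
}

Get-LoadPointEntry | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
Get-StartupFolderEntry | Sort-Object CreationTime -Descending | Format-Table -AutoSize
```

On a clean system `Shell` normally reads `explorer.exe` alone and `AppInit_DLLs` is empty, so any extra file name in either is worth noting for submission.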

Expert Comment

by:phototropic
ID: 22676393
This has been looked at before:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_22911590.html#a20131371
http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/Q_23162035.html#a20891942

After some digging on the net, there appear to be two schools of thought:

1) It is a false positive from Norton:

http://www.wilderssecurity.com/showthread.php?t=197064&page=3

http://norton.lithium.com/norton/board/message?board.id=other&thread.id=803&view=by_date_ascending&page=2

Are you using Norton 360, or some other Norton product?

2) It is a haxdoor variant:

http://spywarefiles.prevx.com/spywarefiles.asp?FXC=HFCI10495894

I usually use Unhackme to get rid of rootkits:

http://www.greatis.com/unhackme/download.htm

Specific instructions:

http://www.greatis.com/unhackme/haxdoor_removal.htm

What makes you believe you are infected?  What av/symptoms?



Expert Comment

by:phototropic
ID: 22696708
TonyRosa,

Glad to hear your problem is resolved.
Please could you briefly outline what steps you took to resolve this issue, so that others can refer to this solution if they are similarly affected.

Thanks.