c:\FAUXVIRUS\carney_ride.exe

Discussion in 'malware problems & news' started by Oswald2, Jan 9, 2008.

Thread Status:
Not open for further replies.
  1. Oswald2

    Oswald2 Registered Member

    Joined:
    Oct 3, 2006
    Posts:
    63
    I was watching my wife's laptop (Windows XP SP2) run through Norton's scan a couple of days ago, I saw it take a long time to scan a file c:\FAUXVIRUS\carney_ride.exe, and I thought that it was a peculiar path and file name. Norton's finished and reported that it found nothing. I tried to do research on this file, but only found this and this. I had a copy of Prevx on the network share, so I ran it, and Prevx didn't find anything. So I came here and started with the "General Cleaning Instructions." Everything goes fine until I get to step 18 (running AdAware under safe mode), and I get the following message "Exception EAccessViolation in module Ad-Aware2007.exe at 001c852c. Access violation at address 005c852c in module 'Ad-Aware2007.exe'. Read of address 00000414."

    What's up with that?
     
  2. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    According to the 2nd link you posted this file is a rootkit. This means that this infection is hard to detect and remove because it may be hidden from anti-virus software. It is unlikely Ad-Aware will remove it so you can skip that step.

    I suggest:

    Scan the file using Jotti or Virus Total.

    Now find a virus scanner on the list that detects it properly. It should say something like rootkit.haxdoor. You need to temporarily remove Norton and install a different anti-virus that will detect the infection successfully.

    Go to the website of that antivirus company and download a free trial of their software. Install, Update and run a full system scan. The infection should be removed.

    Let me know how you go!

    This is a good way to remove a malware because anti-virus companies often have specialized cleaning methods to remove a specific type of malware.

    EDITED: Further Information
     
  3. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
  4. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    Here you will find a discussion of the different Haxdoor-Variants. All discussed Variants can be fixed with the HaxFix-tool. You can download this tool from this website.


    Chato
     
  5. Oswald2

    Oswald2 Registered Member

    Joined:
    Oct 3, 2006
    Posts:
    63
    Thanks for the heads up there regarding that software. How can I determine exactly what variant I have based on that post you referenced? Are those O20 lines from HijackThis? Do I have to confirm that this is an actual Haxdoor infection before using the tool referenced in that post?
     
  6. Oswald2

    Oswald2 Registered Member

    Joined:
    Oct 3, 2006
    Posts:
    63
    Thanks for the tips. I ran both with no detections.
     
  7. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    To verify if carney_ride.exe is really malicious, email it to Kaspersky Labs for analysis. Put the file in a password-protected zip and email it to:

    newvirus@kaspersky.com

    Please include the password in the email body. In the mean time do not delete carney_ride.exe.

    thanatos
     
  8. Oswald2

    Oswald2 Registered Member

    Joined:
    Oct 3, 2006
    Posts:
    63
    I'm sorry, I guess I didn't mention the fact that, much like the people in the links I posted, I too cannot see the file when I look for it. I only see the path and file name come by it when I watch Norton's scan. If I try to find it myself, I cannot find the directory or file.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Use IceSword,s file explorer to find the file.

    Also u can boot from a linux CD to make sure that the file really exists.
     
  10. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Boot up a live CD and get the file onto a usb stick.
     
  11. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Since scanning Oswald, have you checked for the file in quarantine?
    Advice; Go get help from the expert's - http://z13.invisionfree.com/BFC_Computer_Help/index.php?showtopic=323

    Should you choose to omit any of the suggested step's prior to post, let the folk's there know. ;)

    *PS - System restore enabled? Disable, reboot, re-enable. Re-scan before proceeding.


    GF
     
    Last edited: Jan 11, 2008
  12. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Maybe the folder FAUXVIRUS containing carney_ride.exe is hidden. Do this.

    thanatos
     
  13. Oswald2

    Oswald2 Registered Member

    Joined:
    Oct 3, 2006
    Posts:
    63
    Thanks for the idea. Booted in Knoppix and it's not there. So, does that mean it's not there?
     
  14. Oswald2

    Oswald2 Registered Member

    Joined:
    Oct 3, 2006
    Posts:
    63
    Does anyone know if Knoppix Linux pays attention to any hidden Windows file attributes?

    As an aside: Last year I had a particularly nasty piece of malware on a computer at work. The user had clicked on something they shouldn't and there was something Symantec Antivirus Corporate Edition would detect but not remove or quarantine. I could see it when booted in XP, but it wouldn't let me delete it. When booted in safe mode or from a live Linux CD, the file and directory were gone. I finally deleted the file using some utility (FileAssassin?) and that did it. For that file, I could see it but not delete it. For the current situation, I can't even see it. I wouldn't even have known it was there except Norton's spent several minutes scanning it and I could see it in the progress screen where Norton's lists the current item being scanned.
     
  15. Oswald2

    Oswald2 Registered Member

    Joined:
    Oct 3, 2006
    Posts:
    63
    I just did. I don't see it in there, but there does seem to be a Haxdoor infection from May of 2007. Perhaps what I'm seeing are the remnants of an old infection that wasn't completely removed by Norton's?

    How are they exactly experts? I've gotten pretty good response here at Wilders in the past and also at CastleCops.

    Yes, I disabled System Restore at the start of the process. It was step 11 of the General Cleaning Instructions. I only posted here when I got stuck when AdAware 2007 will not run while in Safe Mode.
     
  16. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    What I'm saying is if you're unsure as to the result's you've received running these various scanner's, my suggestion is to post an hjt if you haven't already done so. BFC? Just another site accepting logfile's, perhap's not as busy as CC's. Should you feel someone here can help you out with those error's, I wish you the best of luck.

    GF
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Now I am not sure.o_O Do u have NTFS or FAT32. Some linux distros might not read NTFS. I have Ubuntu that has NTFS support. I am no expert but I think if live CD can read NTFS, it will never miss windows files.

    Let,s ask Mrkvonic!
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Can u do one thing more? Download latest gmer beta from here.

    http://www2.gmer.net/beta/

    Download IceSword and RootKit UnHooker( RKU).

    Use file explorer of gmer and IceSword to see if there is FAUXVIRUS\carney_ride.exe in C:\. Also run a hidden file scan with RKU.

    Do u still see this file in symantec scan BTW?

    If u find the file by any of these utilities, don,t forget to grab a copy of it brfore deleting!

    16.56.38- 76.jpg
    16.45.26- 74.jpg
    16.52.10- 75.jpg
     
  19. Oswald2

    Oswald2 Registered Member

    Joined:
    Oct 3, 2006
    Posts:
    63
    Hmmm. As a test, I ran gmer.exe on my own computer just to see what it would do and when I clicked on 'scan,' I got "The exception uknown software exception (0xc0000409) occurred in the application at location 0x72013668." :eek:

    Should I try the non-beta?
     
  20. Oswald2

    Oswald2 Registered Member

    Joined:
    Oct 3, 2006
    Posts:
    63
    Now that's a problem, too. It takes many minutes to scan the drive, and I don't know when it will pop up among all those files that are listed. :mad: So at this point, I don't know if Norton's still finds it when it scans.
     
  21. Oswald2

    Oswald2 Registered Member

    Joined:
    Oct 3, 2006
    Posts:
    63
    gmer beta crashes when I run it.

    gmer 1.0.13 does not have a files tab.

    Rootkit Unhooker does not reveal the file or path, and neither does IceSword.
     
  22. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Use this application. Move carney_ride.exe to a different folder (Eg: C:\New Folder) then zip that folder. Using your archiver view the contents of the zip. I am not sure if this will work though.

    thanatos
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    If it can,t see the file, it can,t move!
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Oswald2! Seems the file is not there. But U can never be sure.

    I will suggest u to post at sysinternals forums.
     
  25. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    He will type the path of the file (C:\FAUXVIRUS\carney_ride.exe) to be moved, not browse it. There is no harm in trying.

    thanatos
     
Thread Status:
Not open for further replies.