c:\FAUXVIRUS\carney_ride.exe

Discussion in 'malware problems & news' started by Oswald2, Jan 9, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Still I am sure, it will not work! I even think that there is no such file.
    But as you said, no harm in trying.

    BTW I will do a reformat in this case.
     
  2. Montpellier

    Montpellier Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    20
    Did you try Prevx2.0 or Prevx CSI?

    If you haven't already, I'd give CSI a go - as I heard recently that it now has rootkit detection enabled. The scan literally takes about 2 mins on my PC so may well be worth trying if it helps locate the offending file. :thumb:
     
  3. DevilFrank

    DevilFrank Registered Member

    Joined:
    Jul 20, 2003
    Posts:
    108
    I would start the machine with Knoppix and look for the file.
     
  4. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Here's what's up with this, your "initial" reason for posting.

    GF
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You missed a post. :)

     
  6. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Wondering: when you did the initial scan the 1st time and found the file, was the computer actively online to the net?
     
  7. DevilFrank

    DevilFrank Registered Member

    Joined:
    Jul 20, 2003
    Posts:
    108
    Oops, sorry.
    :oops:
     
  8. Oswald2

    Oswald2 Registered Member

    Joined:
    Oct 3, 2006
    Posts:
    63
    You mean when I saw the file the first time? Yes, it was a normally scheduled scan for Norton's. It was on the side table, and while I was watching TV, when I looked over at it, it was scanning the file c:\FAUXVIRUS\carney_ride.exe for a long time, and that's what caught my eye. Yes, it was connected to the Internet.
     
  9. Oswald2

    Oswald2 Registered Member

    Joined:
    Oct 3, 2006
    Posts:
    63
    It was PrevxCSIFree.exe, and it didn't find it.
     
  10. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hi,

    Sorry for me posting so late...

    The easiest way is to remove the infected hard disk from the PC and install it as a secondary disk in another (clean and secured) PC, and perform the scans from outside the infected OS.

    Preferably use an external USB hard disk device to load the hard disk into the clean OS, and scan it from there (much easier that way). Rootkits or any other infections need to load at boot-up via registry entries or other boot loaders, or they are simply passive executables waiting to be called or activated...

    As a precaution, do not boot the system with the USB disk hooked up and turned on. Wait for the host OS to be fully loaded and secured, then turn on the USB device and do your thing: being a secondary disk that did not activate during initial boot-up will exclude your rootkit from loading, thus rendering it harmless...

    Then you will find all you seek!

    P.S. Do not activate the rootkit when you find it or you will infect your clean pc as well...

    I know this is a bit of a hassle but it will save you a lot of time and streamline your investigation... Not to mention substantially increase your chance of success...
     
    Last edited: Jan 23, 2008
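
Added example, not part of any post in this thread: one way to look for the path from a clean host once the suspect disk is attached as a secondary volume, reading files only and never running them. It matches both spellings reported in this thread case-insensitively; the function names and the constructed sample tree are assumptions for illustration.

```python
import hashlib
import os
import tempfile

# Names reported in this thread (both spellings), compared case-insensitively
# because the clean host may treat names on the mounted volume as case-sensitive.
TARGET_DIRS = {"fauxvirus"}
TARGET_FILES = {"carney_ride.exe", "carny_ride.exe"}

def sha256_of(path, chunk=1 << 20):
    """Hash a file by reading it only; nothing on the suspect disk is executed."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def find_suspects(mount_root):
    """Walk the offline volume; return (kind, path, sha256-or-None), sorted by path."""
    hits = []
    for current, dirs, files in os.walk(mount_root, followlinks=False):
        for name in dirs:
            if name.lower() in TARGET_DIRS:
                hits.append(("dir", os.path.join(current, name), None))
        for name in files:
            if name.lower() in TARGET_FILES:
                full = os.path.join(current, name)
                try:
                    hits.append(("file", full, sha256_of(full)))
                except OSError:
                    hits.append(("file", full, None))  # unreadable: still report it
    return sorted(hits, key=lambda hit: hit[1])

def demo():
    """Constructed sample tree standing in for the mounted suspect disk."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "FauxVirus"))
        os.makedirs(os.path.join(root, "WINDOWS", "system32"))
        with open(os.path.join(root, "FauxVirus", "Carny_Ride.EXE"), "wb") as f:
            f.write(b"constructed sample bytes")
        with open(os.path.join(root, "WINDOWS", "system32", "notepad.exe"), "wb") as f:
            f.write(b"benign")
        return [(kind, os.path.relpath(path, root), digest)
                for kind, path, digest in find_suspects(root)]

if __name__ == "__main__":
    for kind, path, digest in demo():
        print(kind, path, digest or "")
```

An empty result from `find_suspects` on the real mount point means no file or folder with either name exists on that volume as seen from the clean host.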
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    He tried a Linux live CD to locate the file; it's almost the same, as he already knew the file/folder name and location!
     
  12. netgroover

    netgroover Registered Member

    Joined:
    Feb 12, 2008
    Posts:
    1
    Ok. I have the same issue.

    Only a handful of Google articles on this thing. I had exact same experience, saw the name of the file flash at the end of a Norton scan. Norton seems to mis-identify it as adware; and attempts to clean it, but on every successive reboot there are another 40 infected files or so. I too cannot locate the file displayed by Norton: c:\FAUXVIRUS\carney_ride.exe.

    This infection is on an XP Pro machine at work. Seems an employee defeated the Antivirus software to download Torrent or something.

    Did the first poster ever successfully remove this malware?
     
  13. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    netgroover, you can ask help at one of the forums listed here (with the approval of your IT administrator since we are talking about a work/office PC).

    thanatos
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Did you try to find the file via IceSword, gmer, RKU or from a Linux boot CD?
     
  15. GREGORIUS VII

    GREGORIUS VII Registered Member

    Joined:
    Feb 19, 2008
    Posts:
    5
    Hi everybody!
    I have the same problem with:
    c:\FAUXVIRUS\carny_ride.exe (and not c:\FAUXVIRUS\carnEy_ride.exe; that's why my Google research did not give much...)
    I can confirm that neither GMER nor IceSword saw anything. I have also tried several "easy to use rootkit detectors", like AVG Anti-Rootkit, McAfee - Rootkit Detective, Sophos... but they did not see anything either. In fact the only visible thing comes during a Norton scan, as mentioned at the beginning of the topic.
    I am not specialised in this kind of thing (and not a specialist in English either!) but I am very interested in any new ideas…
    I find this forum very instructive! Thanks.
     
  16. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Welcome Gregorius,

    My question: If you disable system restore (xp), reboot, then re-scan, are the results identical?


    GF
     
  17. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    818
    Have you lot considered contacting Norton Support?
    I know they're not the quickest replying, but if their product is detecting it, you should consult them about it... they'll advise you further. It may also be a problem with the product and nothing may even be there.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It might be a bug in Norton. I wish someone could write to their support.
     
  19. GREGORIUS VII

    GREGORIUS VII Registered Member

    Joined:
    Feb 19, 2008
    Posts:
    5
    I don't use system restore. Some other things I forgot to say: I have run all the software I mentioned in safe mode, when it was possible (plus Super Antispyware).
    I have just sent the following message to Symantec:
    "Is c:\FAUXVIRUS\carny_ride.exe a false positive or a real rootkit?
    Please see the Wilder Security forum at:
    http://www.wilderssecurity.com/showthread.php?t=197064&page=2"
    Wait and see…
     
  20. GREGORIUS VII

    GREGORIUS VII Registered Member

    Joined:
    Feb 19, 2008
    Posts:
    5
    This is the answer of Symantec: it does not help much...

    ~Private communication removed per the Terms Of Service - Ron~
     
    Last edited by a moderator: Feb 20, 2008
  21. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Thanks for the get back and bringing us up to speed on Symantec's stance, Gregorius. No direct explanation noted.
    PS - It's ok to "in your own words" summarize, not post, such private correspondence as may be contained in email. ;)

    GF
     
    Last edited: Feb 20, 2008
  22. GREGORIUS VII

    GREGORIUS VII Registered Member

    Joined:
    Feb 19, 2008
    Posts:
    5
    Ron - Sorry for having misunderstood all of the Terms of Service.
     
  23. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    It's cool. You've done better than most to have acknowledged it. ;)

    GF
     
  24. markymoo

    markymoo Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    1,212
    Location:
    England
    Your system has been compromised - if you are up to the job, it is best you back up your important data files and then wipe it. It will probably be less hassle in the end. Rootkits are really nasty, and a lot more worse things can be on your PC as well as the rootkit, as the rootkit is an open door to your PC and a lot of default security settings could have been turned off. So better to wipe it, especially if you are unsure of what you are doing. You can't 100% trust rootkit detection software, as some rootkits are undetected.
     
  25. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    So is this a haxdoor variant or SpySheriff?

    GregoriusVII, care to distill the core of the Symantec reply or give a link to their analysis?

    Interesting that Symantec detected this above others :eek: :eek:
    Kudos to them.
     