Hi, I ran clamscan on the windows partition of my laptop. I got this:
/media/pedro/52144CA3144C8C43/ProgramData/alipay/TaobaoProtect.exe: Win.Worm.Chir-858 FOUND
/media/pedro/52144CA3144C8C43/ProgramData/alipay/tmp/miser_rule/miser_rule.zip: Win.Worm.Chir-858 FOUND
/media/pedro/52144CA3144C8C43/ProgramData/alipay/tmp/miser_rule/TaobaoProtect.exe: Win.Worm.Chir-858 FOUND
/media/pedro/52144CA3144C8C43/Users/Administrator/AppData/Roaming/360se6/Application/7.1.1.326/appsbin/se/ExtBank/bankhelper.exe: Win.Worm.Chir-865 FOUND
/media/pedro/52144CA3144C8C43/Users/Administrator/AppData/Roaming/TaobaoProtect/TaobaoProtect.exe: Win.Worm.Chir-858 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 3687410
Engine version: 0.98.1
Scanned directories: 20431
Scanned files: 126953
Infected files: 5
Data scanned: 16720.81 MB
Data read: 24503.85 MB (ratio 0.68:1)
Time: 7800.612 sec (130 m 0 s)
Alipay is a kind of Chinese Paypal, a big company, soon to go public on the American stock market I believe.
Taobao is a big online shopping mall, you can buy anything.
Even more worrying was this, my online bank, ICBC
/media/pedro/52144CA3144C8C43/Program Files/ICBCEbankTools/netting/Uninstall000.exe: Trojan.Spy.Banker-5405 FOUND
/media/pedro/52144CA3144C8C43/Program Files/ICBCEbankTools/netting/Uninstall000.exe: Removed.
Is there any way that these worms or trojans could actually be from the companies concerned?
I don't use Win much, but my online bank only works with IE and Win, so when I want to pay online, I have to use Win.
I have a program called 360, a Chinese antivirus. But it didn't get the above bugs, or it deliberately ignored them.
If your AV is catching these, it's highly unlikely they are legit. As an aside, which AV are you using?
Have you checked your AV company's site? The larger antivirus providers maintain encyclopedias describing the various viruses and other malware they know about.
The AV is a Chinese one called 360. That's the problem, the AV did not find these. clamscan did, operating from Ubuntu, with the Win partition mounted. I started checking after I got repeated problems with my usb stick when using the office win computer. But these bugs were on my computer!
Is there any way that these worms or trojans could actually be from the companies concerned?
You might download and unpack (without installation) that company's installation bundle (setup or whatever) and test it.
I didn't use 360 AV, but I'd suggest Kaspersky Virus Removal Tool. It is free, doesn't require installation and there is English version.
I downloaded AVG Antivirus and ran it on my Win partition. Then I started Ubuntu and ran clamscan on the same Win partition. I got this, which is worrying. Why is AVG loading Win trojans onto my computer? Why didn't it find the other bugs??
/media/pedro/52144CA3144C8C43/Program Files/AVG/AVG2015/Tuneup/RegistryCleaner.dll: Win.Trojan.Agent-769359 FOUND
/media/pedro/52144CA3144C8C43/Program Files/AVG/AVG2015/Tuneup/RegistryCleaner.dll: Removed.
/media/pedro/52144CA3144C8C43/Program Files/Microsoft Games/FreeCell/FreeCell.exe: Win.Worm.Chir-1277 FOUND
/media/pedro/52144CA3144C8C43/Program Files/Microsoft Games/FreeCell/FreeCell.exe: Removed.
/media/pedro/52144CA3144C8C43/ProgramData/alipay/TaobaoProtect.exe: Win.Worm.Chir-858 FOUND
/media/pedro/52144CA3144C8C43/ProgramData/alipay/TaobaoProtect.exe: Removed.
/media/pedro/52144CA3144C8C43/ProgramData/alipay/tmp/miser_rule/miser_rule.zip: Win.Worm.Chir-858 FOUND
/media/pedro/52144CA3144C8C43/ProgramData/alipay/tmp/miser_rule/miser_rule.zip: Removed.
/media/pedro/52144CA3144C8C43/ProgramData/alipay/tmp/miser_rule/TaobaoProtect.exe: Win.Worm.Chir-858 FOUND
/media/pedro/52144CA3144C8C43/ProgramData/alipay/tmp/miser_rule/TaobaoProtect.exe: Removed.
/media/pedro/52144CA3144C8C43/ProgramData/AVG2015/SetupBackup/TuneUpx.cab: Win.Trojan.Agent-769359 FOUND
/media/pedro/52144CA3144C8C43/ProgramData/AVG2015/SetupBackup/TuneUpx.cab: Removed.
/media/pedro/52144CA3144C8C43/Users/Administrator/AppData/Roaming/TaobaoProtect/TaobaoProtect.exe: Win.Worm.Chir-858 FOUND
/media/pedro/52144CA3144C8C43/Users/Administrator/AppData/Roaming/TaobaoProtect/TaobaoProtect.exe: Removed.
/media/pedro/52144CA3144C8C43/Windows/winsxs/x86_microsoft-windows-s..inboxgames-freecell_31bf3856ad364e35_6.1.7600.16385_none_58481bbdfe2e6164/FreeCell.exe: Win.Worm.Chir-1277 FOUND
/media/pedro/52144CA3144C8C43/Windows/winsxs/x86_microsoft-windows-s..inboxgames-freecell_31bf3856ad364e35_6.1.7600.16385_none_58481bbdfe2e6164/FreeCell.exe: Removed.
----------- SCAN SUMMARY -----------
Known viruses: 3696503
Engine version: 0.98.5
Scanned directories: 20467
Scanned files: 102639
Infected files: 8
Data scanned: 15840.88 MB
Data read: 29594.67 MB (ratio 0.54:1)
Time: 7251.428 sec (120 m 51 s)
If you have a compromised Win box and download an anti-virus to it, those viruses could attach themselves to (and infect) legit programs or your anti-virus. I believe they do it to compromise the anti-virus so it doesn't recognize and can't remove the infection. If I were you I would upload the viruses to virustotal.com to see if other anti-virus programs find an infection.
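The scan output quoted in this thread has a fixed shape (one `<path>: <signature> FOUND` line per hit, followed by `<path>: Removed.` when clamscan deleted the file), so it is easy to post-process before deciding what to do next. The script below is an added example, not code from anyone in the thread or from the ClamAV project: it parses that output, counts hits per signature family, and computes SHA-256 hashes of flagged files that still exist on disk, which is what you would need for a VirusTotal lookup or a vendor-encyclopedia search. Files already marked `Removed.` cannot be hashed, which is the situation the original poster describes. The sample scan text and the `/mnt/win` mount point are constructed for the example.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter

# Constructed sample in clamscan's report format (not real scan output).
SAMPLE = """\
/mnt/win/ProgramData/alipay/TaobaoProtect.exe: Win.Worm.Chir-858 FOUND
/mnt/win/ProgramData/alipay/TaobaoProtect.exe: Removed.
/mnt/win/Program Files/Microsoft Games/FreeCell/FreeCell.exe: Win.Worm.Chir-1277 FOUND
/mnt/win/Program Files/ICBCEbankTools/netting/Uninstall000.exe: Trojan.Spy.Banker-5405 FOUND
/mnt/win/Windows/notepad.exe: OK
----------- SCAN SUMMARY -----------
Infected files: 3
"""

# One hit per line; with --remove clamscan prints a second "Removed." line.
HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
REMOVED_RE = re.compile(r"^(?P<path>.+?): Removed\.$")


def parse_clamscan(text):
    """Return {path: {"signature": sig, "removed": bool}} from clamscan stdout."""
    hits = {}
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits[m.group("path")] = {"signature": m.group("sig"), "removed": False}
            continue
        m = REMOVED_RE.match(line)
        if m and m.group("path") in hits:
            hits[m.group("path")]["removed"] = True
    return hits


def summarize(hits):
    """Count hits per signature family (name without the numeric variant suffix).

    One family spread across unrelated programs (a payment tool, a bundled game,
    an AV component) is the pattern of a file infector attaching itself to
    executables on the host, rather than each vendor shipping its own malware.
    """
    families = Counter()
    for info in hits.values():
        families[info["signature"].rsplit("-", 1)[0]] += 1
    return families


def sha256_of(path):
    """Stream a file through SHA-256 so large executables don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hashes_for_crosscheck(hits):
    """SHA-256 of every flagged file still on disk; removed files can't be hashed."""
    return {
        path: sha256_of(path)
        for path, info in hits.items()
        if not info["removed"] and os.path.isfile(path)
    }


def demo_hash_roundtrip():
    """Write a constructed file, report it as a hit, and hash it (exercises the pipeline)."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.exe")
        with open(p, "wb") as f:
            f.write(b"abc")  # constructed content, SHA-256 test vector
        hits = parse_clamscan(f"{p}: Win.Test.Constructed-1 FOUND\n")
        return hashes_for_crosscheck(hits)[p]


if __name__ == "__main__":
    hits = parse_clamscan(SAMPLE)
    for path, info in hits.items():
        state = "removed" if info["removed"] else "still on disk"
        print(f"{info['signature']:28} {state:13} {path}")
    print("families:", dict(summarize(hits)))
```

Run it against a saved scan log with `parse_clamscan(open("scan.log").read())`; the hashes it returns can then be looked up by hash alone, without uploading the file, which also avoids the problem of files that clamscan has already deleted.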
Malware, viruses and worms are getting more difficult these days to remove completely as they can disguise themselves as legitimate programs, recreate themselves, and/or spawn off newer threats. It's even more difficult trying to remove them while windows is running.
Even if you ran an antivirus program, it's hard to know for sure if it got everything as some of these threats can avoid detection or recreate themselves.
If I were security conscious, I would backup my personal files, run an AV on my backup and then do a reinstall.
This is China! I think all Win computers here are infected. I ran clamscan from a USB stick on our office computer. It found lots of things that AVG did not find.
Can't upload the file now, clamscan has /dev/zeroed it!
Don't trust Win or Antivirus programs.
Would the result above worry you? What do these things do?
I would still recommend antivirus I have mentioned above.
It is the best tool with only one disadvantage: it isn't supposed to be used for permanent monitoring, just to perform scanning "on demand". Its databases are always up to date, and it cannot be infected like AVG can. I think you'll find another few viruses that were overlooked by clamscan.
Sure. The idea of not knowing what these viruses, worms are doing behind the scenes would worry anyone. They could be keyloggers, botnets, backdoors, etc.
You can be proactive all you want and run any anti-whatever program, but if you visit a bad site, it can run malicious code or download stuff to your computer even without your knowledge.
In your case, your clamscan reports worms. Worms are different from viruses. Viruses require human interaction to infect a system or files, by running an infected exe file.
A worm can be initiated and replicated without human interaction. Somewhere and some how a worm has reached your system.
I use NoScript, which is a Firefox addon. NoScript prevents malicious code or scripts from executing. It's not an end-all, be-all security tool, but it's good to have in case a site is compromised or is designed to infect visitors.
Install Malwarebytes free, update it, disconnect that machine from the network, and run a full scan.
Note that there are such things as false alerts. Different AV programs do not coexist nicely on the same system. Have only one active at a time; there is a potential that they will misidentify some of each other's components as malicious when, in fact, they are not.
Thanks for the replies, I'll do that!
I really don't use Win much, but crazily enough, my online bank only works with Win and IE! Sometimes I need Win when I want to pay for things online!
The only other thing I use is Abbyy Fine Reader to scan pages of books when I need a page or two! Best OCR program ever, shame it doesn't work in Linux!