My system has picked up a virus and I need help to eradicate it

I was using Ardour and copied a warning phrase to paste into the Ardour online manual to learn about the Ardour warning. My browser (Firefox) gave me a warning about the Ardour online manual as possibly corrupt so I did not proceed. After closing out Ardour, I opened a document from Libre Office and when I cut and paste within that program, the clipboard from the Ardour program got pasted throughout the Libre Office document.
Can anyone give me ideas on how to proceed?

If you have clamav and freshclam installed and running you can scan to remove the virus.

If not here is how as root: (add sudo if you don’t run as root)

zypper in clamav
systemctl enable freshclam
systemctl enable clamd
systemctl start clamd
freshclam
clamscan -r /

@jdcart15:

Or, Ardour simply messed about with the GUI’s paste buffers.

  • Which GUI are you using?
  • Is there a Clipboard Manager associated with your GUI?
  • Are you using Wayland or X11?

Is that a promise?

KDE
Not using X11 or Wayland

That is impossible. You are either using X11, or Wayland.

And why do you categorize what you experience as a "virus"?

It is a start - not a promise. There are pay for (and expensive) Linux Anti-Virus tools that might work - ClamAV is available in openSUSE and free.

If that does not work I would then try (if he has one) mounting / (root) in a Windows virtual machine and running MalwareBytes. Since there is no Linux version of MalwareBytes, it might not be able to remove and delete the virus, but it will say which ones are infected and where.

A BartPE would be useless as Windows does not support ext4 and btrfs partitions.

Are you really convinced there is a Linux virus on that system?
Until now I have seen no proof of that.
And I also have not seen proof of any Linux virus (if such a thing exists) being detected by programs like clamav.
I would be very reluctant to advise others to install and run such, probably bloatware.

OK – you’re using KDE Plasma.

Open “KInfoCenter” – in the “Basic Information” section, on the “About this system” page, you’ll notice under “Software” an entry named “Graphics Platform” –

  • With either “X11” or “Wayland” as the value.

On your Plasma Desktop, in the System Tray, there’s a “Clipboard” widget –

  • Check the contents and then, empty it.

Operating System: openSUSE Leap 15.5
KDE Plasma Version: 5.27.4
KDE Frameworks Version: 5.103.0
Qt Version: 5.15.8
Kernel Version: 5.14.21-150500.55.31-default (64-bit)
Graphics Platform: X11
Processors: 4 × AMD Phenom™ II X4 965 Processor
Memory: 11.4 GiB of RAM
Graphics Processor: AMD RS880

Ya, I wouldn’t say the reported behavior shows signs of malware.

However …

Linux malware absolutely exists. And yes, clamav, and others, can detect it.

I am almost certain that I have a virus. What’s more is that when I run clamscan, it appears to be non-ending. The scan does not resolve. It simply keeps going. It should take no more than a minute when scanning the home directory. It appears that it’s designed to make clamscan ineffective.

I don’t know if this will be of any help in helping me rid myself of this virus, but when running clamscan, it gets stuck here. Non-stop generation of the following type of message.

/home/john/.cache/mozilla/firefox/0gu28jss.default-release/cache2/entries/50E44A73EDEB82AAD36DD868E9539DB83148E41E: OK

Well, clear the cache if it troubles you.

Some places to do some housekeeping – I doubt that Ardour has introduced a virus into your system but, it may well have been something else …

  1. Log out from your GUI desktop environment.
  2. Log into a VT (tty1 … tty6) [Ctrl-Alt-F1] … [Ctrl-Alt-F6].

Begin with the cache located in your Home directory – ‘~/.cache/’ –

  • You can safely remove everything there.
    DO NOT remove anything in ‘~/.mozilla/’ – your settings and bookmark backups are stored there …

Next, move over to ‘/tmp/’ –

  • Remove everything there which is owned by you except for –
/tmp/.esd-[your UID]
/tmp/hsperfdata_[your Username]
/tmp/runtime-[your Username]

Next, move over to ‘/var/tmp/’ –

  • Remove everything there which is owned by you.

Log back into your GUI Desktop Environment.


Consider installing “rkhunter” to check for any rootkit which has possibly crept into your system.

  • Install “chkrootkit” only if, you have a rescue system available …

How are you so certain, because you have given no evidence.

As for clamscan not ending or taking forever, that seems to be pretty normal and the suggestion is to use clamd/clamdscan instead as it’s much more efficient.

Are you using Firefox while running the scan? It’s not surprising it gets hung up on active cache files.

But honestly, you’re not going to get a lot of help because you have given no evidence of a problem but are dead set on treating it like it is. When your scan finishes and it doesn’t report anything, you’re just going to blame clam for being crap or something.

If you really think you have malware, the only way to really fix it is to wipe the system and reinstall from scratch. It will never be trustworthy; you can never reliably clean a system. So if you really think that, you might as well just ‘solve’ the problem.


OK. Maybe I have evidence that malware is on my machine. I cleared the firefox cache and reran clamscan. Again it goes into a loop. It doesn’t stop but I managed to capture a message while it is cycling.

/home/john/.local/share/akonadi/file_db_data/33/3833_r0: OK
/home/john/.local/share/akonadi/file_db_data/33/3933_r0: OK
LibClamAV info: Suspicious link found!
LibClamAV info:   Real URL:    https://l.info16.citi.com
LibClamAV info:   Display URL: citibank.com
/home/john/.local/share/akonadi/file_db_data/33/4033_r0: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/john/.local/share/akonadi/file_db_data/33/4333_r0: OK
/home/john/.local/share/akonadi/file_db_data/33/4433_r0: OK
/home/j

If I can get the machine clean without having to reload everything that would help me. I am not a Linux expert just a long time user. Thanks for any help.

Part of previous message was truncated. After Phishing . . .email. SpoofDomain found. should be added.

First off, you can’t; wipe is the only way.
Second, it shows, you have decided you have a problem you have no evidence for.
Third, still not evidence, that’s a false positive. A simple whois shows citi.com is indeed owned by Citibank.

Look. You most likely do not have any malware. The most common Linux malware is crypto miners followed by spam bots. Both are horrible at hiding themselves and bring a box to its knees by running the CPU at 100% with a lot of weird processes. All you have is text pasting into a box you didn’t realize had been put in your clipboard.

But if you really don’t want to listen, just go ahead and wipe the box.

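Added example, not from any poster in this thread and not part of ClamAV: a small Python parser for clamscan output, fed constructed lines modelled on the ones quoted above, that separates ClamAV's own Heuristics.* alerts (such as the SpoofedDomain hit on the cached Citi mail) from matches against named signatures and counts each kind, so a summary can be reported even when the terminal scrollback cannot be copied.

```python
import re
from collections import Counter

# Constructed sample of clamscan output, modelled on the lines quoted in the
# thread; the FOUND paths and signature names are illustrative, not real hits.
# To get such output into a file, clamscan's own options -i (infected only)
# and --log=FILE can be used, e.g. clamscan -r -i --log=/tmp/scan.log ~
SAMPLE_OUTPUT = """\
/home/john/.local/share/akonadi/file_db_data/33/3833_r0: OK
LibClamAV info: Suspicious link found!
LibClamAV info:   Real URL:    https://l.info16.citi.com
LibClamAV info:   Display URL: citibank.com
/home/john/.local/share/akonadi/file_db_data/33/4033_r0: Heuristics.Phishing.Email.SpoofedDomain FOUND
/home/john/.local/share/akonadi/file_db_data/33/4333_r0: OK
/home/john/Downloads/eicar.com: Eicar-Test-Signature FOUND
"""

FOUND_RE = re.compile(r"^(?P<path>/.*): (?P<sig>\S+) FOUND$")
INFO_RE = re.compile(r"^LibClamAV info:\s+(Real URL|Display URL):\s+(\S+)$")


def parse_findings(output):
    """Return one dict per FOUND line: path, signature, kind and URL context.

    kind is 'heuristic' for Heuristics.* names (ClamAV's own judgement, e.g. a
    mail whose link text does not match the link target) and 'signature' for
    a match against a named entry in the signature database."""
    findings, context = [], {}
    for line in output.splitlines():
        info = INFO_RE.match(line)
        if info:                      # URL details precede their FOUND line
            context[info.group(1)] = info.group(2)
            continue
        hit = FOUND_RE.match(line)
        if hit:
            sig = hit.group("sig")
            kind = "heuristic" if sig.startswith("Heuristics.") else "signature"
            findings.append({"path": hit.group("path"), "signature": sig,
                             "kind": kind, "context": context})
        context = {}                  # context applies only to the next result
    return findings


def summarize(findings):
    """Count findings per kind; this is the summary worth reporting."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    hits = parse_findings(SAMPLE_OUTPUT)
    for f in hits:
        print(f"{f['kind']:9} {f['signature']:42} {f['path']}")
        if f["context"]:
            print("          link text vs. real target:", f["context"])
    print(summarize(hits))
```

A heuristic phishing alert on a cached mail means the mail itself looks like phishing to ClamAV; it does not mean the machine is infected, which is why the domain check in the reply above matters.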

OK. I completed a clamscan in a non-graphical terminal. I don’t have the skill to copy the output summary and report it. The scan reported 12 infected files. So are you still telling me there is no malware on my machine? Thanks.