Cannot escape hijacker/intruder/virus/malware

csann
Level 1
Posts: 2
Joined: Sat Oct 01, 2022 8:18 pm
Location: Fort Smith, Arkansas

Cannot escape hijacker/intruder/virus/malware

Post by csann »

I ran GParted Live, from Memory, last night and utilized nwipe for my main/only HDD. It took about 12-13 hours and was finished this afternoon. Then, I installed Linux Mint, with all new passwords that I created in a notepad, on paper, and rebooted to what seemed like a normal Linux Mint (fresh) desktop.

When I first ran RKhunter, it said it found a possible 3 rootkits...so I removed those files, then I ran the command "sudo rkhunter -c" again and it found a possible 7 rootkits! After doing a full update, as I was on a fresh install, I tried again and got this error message:

Code:

ksann@ksann-HP:~$ sudo rkhunter -c
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/ldd
So I removed rkhunter altogether, ran sudo apt update, reinstalled rkhunter, and I still get the same message as above.
But, to make a long story short, I did not escape the malware/virus/possible intruder. It seems to have something to do with pipewire...here is my output from running the command "inxi -Fxz":

--BEGIN PASTED OUTPUT--

Code:

ksann@ksann-HP:~$ inxi -Fxz
System:
  Kernel: 5.15.0-41-generic x86_64 bits: 64 compiler: gcc v: 11.2.0
    Desktop: Cinnamon 5.4.12 Distro: Linux Mint 21 Vanessa
    base: Ubuntu 22.04 jammy
Machine:
  Type: Laptop System: HP product: HP Laptop 15-db0xxx
    v: Type1ProductConfigId serial: <superuser required>
  Mobo: HP model: 84AE v: 86.32 serial: <superuser required> UEFI: Insyde
    v: F.38 date: 03/10/2022
Battery:
  ID-1: BAT1 charge: 31.7 Wh (100.0%) condition: 31.7/42.1 Wh (75.4%)
    volts: 12.8 min: 11.6 model: Hewlett-Packard PABAS0241231 status: Full
CPU:
  Info: dual core model: AMD Ryzen 3 2200U with Radeon Vega Mobile Gfx
    bits: 64 type: MT MCP arch: Zen rev: 0 cache: L1: 192 KiB L2: 1024 KiB
    L3: 4 MiB
  Speed (MHz): avg: 1366 high: 1416 min/max: 1600/2500 boost: enabled
    cores: 1: 1365 2: 1402 3: 1281 4: 1416 bogomips: 19962
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
Graphics:
  Device-1: AMD Raven Ridge [Radeon Vega Series / Radeon Mobile Series]
    vendor: Hewlett-Packard driver: amdgpu v: kernel bus-ID: 03:00.0
  Display: x11 server: X.Org v: 1.21.1.3 driver: X: loaded: amdgpu,ati
    unloaded: fbdev,modesetting,vesa gpu: amdgpu resolution: 1366x768~60Hz
  OpenGL: renderer: AMD RAVEN (LLVM 13.0.1 DRM 3.42 5.15.0-41-generic)
    v: 4.6 Mesa 22.0.5 direct render: Yes
Audio:
  Device-1: AMD Raven/Raven2/Fenghuang HDMI/DP Audio vendor: Hewlett-Packard
    driver: snd_hda_intel v: kernel bus-ID: 03:00.1
  Device-2: AMD Raven/Raven2/FireFlight/Renoir Audio Processor
    vendor: Hewlett-Packard driver: snd_pci_acp3x v: kernel bus-ID: 03:00.5
  Device-3: AMD Family 17h HD Audio vendor: Hewlett-Packard
    driver: snd_hda_intel v: kernel bus-ID: 03:00.6
  Sound Server-1: ALSA v: k5.15.0-41-generic running: yes
  Sound Server-2: PulseAudio v: 15.99.1 running: yes
  Sound Server-3: PipeWire v: 0.3.48 running: yes
Network:
  Device-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet
    vendor: Hewlett-Packard driver: r8169 v: kernel port: 2000 bus-ID: 02:00.0
  IF: eno1 state: up speed: 100 Mbps duplex: full mac: <filter>
Drives:
  Local Storage: total: 931.51 GiB used: 44.43 GiB (4.8%)
  ID-1: /dev/sda vendor: HGST (Hitachi) model: HTS541010B7E610
    size: 931.51 GiB
Partition:
  ID-1: / size: 915.32 GiB used: 22.21 GiB (2.4%) fs: ext4 dev: /dev/sda2
  ID-2: /boot/efi size: 511 MiB used: 5.2 MiB (1.0%) fs: vfat
    dev: /dev/sda1
Swap:
  ID-1: swap-1 type: file size: 2 GiB used: 564.3 MiB (27.6%) file: /swapfile
Sensors:
  System Temperatures: cpu: 44.0 C mobo: 20.0 C gpu: amdgpu temp: 44.0 C
  Fan Speeds (RPM): N/A
Info:
  Processes: 268 Uptime: 3h 15m Memory: 3.25 GiB used: 1.63 GiB (50.3%)
  Init: systemd Compilers: gcc: 11.2.0 Packages: 2137 Shell: Bash v: 5.1.16
  inxi: 3.3.13
I haven't been able to keep a Linux OS/Windows OS running for more than a couple hours for about 3 months now. Finally, though, last night I was able to get GParted and run nwipe (just using the default preset-configuration) on my main/only HDD. It took around 12-13 hours and it did seem to help as before, when I'd attempt to load into a Live ISO via USB, I'd either get the first-splash screen of said Linux OS looping, (when I'd select "Install/Try or similar" it would just refresh the screen after a couple of seconds) and other times, when I COULD install a Linux distro like Mint, ElemOS, Manjaro, etc, I would get the system installed, (by the way, this current Linux Mint OS I'm running was installed without any networking being configured...at least configured by ME) and after the installation process I'd boot, login, and either find that my password isn't working or it works but I have absolutely no eno1/ethernet adapter showing in ifconfig/systemd/etc and therefore I am unable to connect to the internet/update/anything.

When I've run sudo systemctl stop/disable ModemManager today, it doesn't actually do either. I can run sudo systemctl stop ModemManager over and over and over and each time it doesn't prompt me, alerting that it has already been stopped/disabled/or just isn't running but say I run the same commands on NetworkManager, once I run stop NetworkManager and then do it again, it tells me like "Hey it's not running" or if I've disabled it then it's like "Hey can't find NetworkManager" or whatnot.

I'm sorry if this is difficult/not very comprehensive, as I'm trying to type and post it ASAP before my internet crashes or something else super weird happens that disables my ability to ask for help like this. Please, if anyone can help me get to the bottom of this, I would appreciate it with all my heart...I could even donate a few bucks for the support/help, too!

Oh, also, after installing clamtk, etc, I can run via Terminal the clamscan --remove --infected command but it comes back saying it's scanned one file. So I tried pointing it to root by using "clamscan --remove --infected /" and again...scanned one file. I tried other directories like "clamscan.... /usr, clamscan..... /usr/" and it found 2 whole files that it scanned...am I not using this command correctly? I finally noticed that in the file manager, after right-clicking, I have the option to scan for threats but it found no threats in a matter of seconds when using it on the root directory. So I tried to update freshclam by stopping it with systemctl, then sudo freshclam, and the update process went from a couple of minutes to 288 hours, at 500-600kbps...so that didn't seem remotely right and I cancelled/purged/removed the program, for now.

Again, anyone that can help...it would be epic, any advice at all...I would be so forever grateful! Thank you for your time!

(Just in case it's helpful, I'm also including OUTPUT from running "ps aux" in terminal. It's very LONG, just a heads-up, and if it's only making my issue more complicated then please just feel free to ignore this...but I thought the more info I can provide, that I see people telling others to do in situations similar to mine, the better...hopefully.) Thank you!

**Just to give some helpful facts, I removed my WiFi/Bluetooth card physically when this nonsense started so I only have one LAN port, Realtek. My system is AMD Ryzen and I'm not using any sort of fancy multimedia or dedicated peripherals at all as this is an HP laptop, 15 series, about 5 years old.**
Last edited by SMG on Sat Oct 01, 2022 9:00 pm, edited 1 time in total.
Reason: Placed code output in code tags to retain its formatting and place it in neat, scrollable boxes. Made long paragraphs into smaller ones so they are easier to read.
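Two small helpers for the two problems in the post above, added here as an example (not csann's code and not from the thread). rkhunter stops when a SCRIPTWHITELIST entry in /etc/rkhunter.conf names a file that is not present on the system, so the first helper writes a copy of the config with such entries commented out for review; the second runs clamscan with -r, without which clamscan does not descend into subdirectories, which is why scanning / reported a single file. The output path /tmp/rkhunter.conf.new and the --scan / --fix-rkhunter switches are my own choices.

```shell
#!/bin/sh
# Added example for the symptoms in the post: an rkhunter config that names a
# missing file, and a clamscan run that looked at one file because -r was absent.
set -eu

# Comment out every SCRIPTWHITELIST=<path> line in $1 whose path does not exist
# and write the result to $2, leaving the live config untouched. Each disabled
# path is printed on stdout so the change can be reviewed. A whitelist entry for
# a file that is not there has no effect on rkhunter's checks, so nothing is lost.
disable_missing_scriptwhitelist() {
  conf="$1"; out="$2"
  : > "$out"
  awk -v out="$out" '
    /^[[:space:]]*SCRIPTWHITELIST[[:space:]]*=/ {
      path = $0
      sub(/^[[:space:]]*SCRIPTWHITELIST[[:space:]]*=[[:space:]]*/, "", path)
      sub(/[[:space:]]+$/, "", path)
      if (system("test -e \"" path "\"") != 0) {   # non-zero: nothing at that path
        print path                                   # report the disabled entry
        print "#" $0 "   # disabled: file not present on this system" > out
        next
      }
    }
    { print > out }
  ' "$conf"
}

# Whole-disk scan the way the post intended: -r recurses into subdirectories,
# -i prints only infected files, and the pseudo-filesystems are skipped because
# they hold no files on disk and reading them can stall the scan.
scan_filesystem() {
  clamscan -r -i \
    --exclude-dir='^/proc' --exclude-dir='^/sys' \
    --exclude-dir='^/dev' --exclude-dir='^/run' /
}

if [ "${1:-}" = "--scan" ]; then
  scan_filesystem
elif [ "${1:-}" = "--fix-rkhunter" ]; then
  disable_missing_scriptwhitelist /etc/rkhunter.conf /tmp/rkhunter.conf.new
  echo "Review /tmp/rkhunter.conf.new, then install it with:"
  echo "  sudo cp /tmp/rkhunter.conf.new /etc/rkhunter.conf && sudo rkhunter -C"
fi
```

rkhunter -C (config check) confirms the edited file parses before the next sudo rkhunter -c.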
MikeNovember
Level 6
Posts: 1121
Joined: Fri Feb 28, 2020 7:37 am
Location: Nice, Paris, France

Re: Cannot escape hijacker/intruder/virus/malware

Post by MikeNovember »

Hi,

- 1st download an ISO of Linux Mint, the one you want to install; check that its checksum is the same as the one indicated on the website for this ISO: this will guarantee that the ISO has not been damaged during download.

- Make a DVD or live USB with this ISO.

- Boot on this DVD or USB and install Linux Mint (my advice: install "/" and "/home" in different partitions, and a swap one); when the partitions are created, any trace of previous malware (and other files) is deleted.

- Once installed, update your installation (this will be done from Linux Mint and Ubuntu trusted sources, no malware risk). Copy your home files (documents, videos, images etc.).

- Now, improve the security of your installed Linux Mint:

1) Launch Uncomplicated Firewall from the control center and block all incoming connections; this will prevent connection attempts to your system.

2) Use sandboxed versions of internet connecting applications (browser, mail client, ftp client etc.); this will reduce the risk of privilege escalation. You can use flatpaks, snaps, or firejail (my advice is for flatpaks; you have a tutorial here viewtopic.php?f=42&t=368501);

3) Add a system-level IP address filter; the '/etc/hosts' file can be used as an IP address filter. For that:
* Copy your '/etc/hosts' file to your home '/home/$USERNAME' where $USERNAME is your username.
* Rename the copied file to "hosts_base.txt".
* Launch a text editor, for example xed, and copy the following code into it:

Code:

#!/bin/bash
# anti malware, anti spam and anti cryptominers hosts file
# system wide connections
# Run it from the folder that holds hosts_base.txt (your copy of the original /etc/hosts).
set -euo pipefail
cd "$(dirname "$0")"
[ -f hosts_base.txt ] || { echo "hosts_base.txt is missing: copy /etc/hosts here first" >&2; exit 1; }

# downloads go to a temporary folder that is deleted on exit, even if a step fails
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

urls=(
  # malware lists
  "https://raw.githubusercontent.com/davidonzo/Threat-Intel/master/lists/latestdomains.piHole.txt"
  "https://urlhaus.abuse.ch/downloads/hostfile/"
  "https://curben.gitlab.io/malware-filter/urlhaus-filter-hosts.txt"
  # spam list
  "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts"
  # no coin lists
  "https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt"
  "https://raw.githubusercontent.com/greatis/Anti-WebMiner/master/hosts"
)

# the original entries go first so localhost and this machine's own name keep resolving
cp hosts_base.txt "$tmp/hosts"
i=0
for url in "${urls[@]}"; do
  i=$((i + 1))
  wget -q "$url" -O "$tmp/list$i.txt"   # a failed download aborts the script (set -e)
  # normalise each list: drop CR, comments and blank lines; bare domains (pi-hole style)
  # get the 0.0.0.0 sinkhole address; lines that map a name to any address other than
  # 0.0.0.0/127.0.0.1 are dropped, so a list cannot redirect a site to a server of its choosing
  tr -d '\r' < "$tmp/list$i.txt" \
    | awk '$1 ~ /^#/ || NF == 0 {next}
           NF == 1 {print "0.0.0.0", $1; next}
           $1 == "0.0.0.0" || $1 == "127.0.0.1" {print "0.0.0.0", $2}' \
    >> "$tmp/hosts"
done

# only now touch the live file: backup and replacement happen after every download succeeded
sudo cp /etc/hosts /etc/hosts.bak
sudo install -m 644 -o root -g root "$tmp/hosts" /etc/hosts
# DNS cache flush (resolvectl is the current name; systemd-resolve is the older one)
sudo resolvectl flush-caches 2>/dev/null || sudo systemd-resolve --flush-caches
read -r -s -n1 -p "Press any key to continue..."; echo
* Save the file in your '/home/$USERNAME' and name it "update_hosts.sh".
* With your file manager, select the file, right click, properties, permissions and make it executable.
=> When you run this file, it will update your '/etc/hosts' file.

4) Use browser extensions to improve your security / anonymity; here is a list for the Chrome family (Google Chrome, Chromium, Ungoogled-Chromium, Edge etc.):
* Block Ads for Social Networks, Block Facebook™ ads in your Chrome,
* Decentraleyes, Protects from tracking linked to "free", centralized content distributors,
* HTTPS everywhere, Encrypt the Web! Automatically use HTTPS security with many sites,
* Privacy Badger, Privacy Badger automatically learns to block invisible trackers,
* NoScript, Allows the use of javascript only on web sites you choose,
* uBlock Origin, malware, advertisements and anti-tracking filter. Configure it the following way:
Parameters page, select the following: "Hide space reserved to blocked elements"; "Use contextual menu if possible"; "Activate advanced functionalities"; "Inactivate actions prediction on the network"; "Inactivate hyperlink audit"; "Block CSP reports".
Filter Lists page: select the following:
* "Update the lists of filters selected automatically",
* "In addition, use the aesthetic rules",
* in "Integrated" check the 5 lists,
* in "Advertising" check "AdGuard base", "EasyList"
* in "Confidentiality" check the 4 lists,
* in "Malicious domains" check "Phishing URL Blocklist" and "PUP Domains Blocklist"
* in "Nuisances" check "Fanboy's Annoyances"
* in "Regions, languages" check the list corresponding to your language / country
* add the following two specific lists:
. "Fanboy's Enhanced Tracking List", https://secure.fanboy.co.nz/enhancedstats.txt
. "StevenBlack / hosts", https://raw.githubusercontent.com/Steve ... ster/hosts
. "No Coin Adblock List", https://raw.githubusercontent.com/hoshs ... nocoin.txt
. "Spam 404 List", https://github.com/Spam404/lists/blob/m ... k-list.txt
NB: The lists defined above are complementary to those in the hosts file.

5) If you want to install extra software programs, be careful in the choice of your sources:
* PPAs are "untrusted" by default, except some "official ones" (mentioned on the developer website) or "semi-official ones" (maintained by software developers).
* Download software from the official website (Mozilla, LibreOffice, FreeFileSync, XnView etc.) and NOT from another website.

6) If you have some doubts about a web page or downloaded file or mail attachment, use VirusTotal (free).

7) If you are afraid of physical intrusions on your computer:
* Use physical protection: with a laptop, put it in a safe after use; with a desktop, use removable caddies for your disks and put caddies and keyboard in a safe after use.
* Use software protection: password protect your boot; password protect your GRUB menu (see https://fostips.com/password-protect-gr ... enu-linux/); use Veracrypt to encrypt your most sensitive files.

8) Keep your system updated (kernel, GNU, applications).

9) Use some intrusion detection and prevention; the 1st (and minimal) step is to use Tripwire, an intrusion detection application, see a tutorial here viewtopic.php?f=42&t=374056

10) Be prepared for the worst with safeguard measures:
* Prepare tools (use Ventoy to create a live USB key that lets you choose at boot which ISO to launch; once the key is created, copy the ISOs of Linux Mint, Foxclone and System Rescue onto it).
* Have an external USB disk for backups and system snapshots.
* Make system backups (your "/" partition) with Foxclone, every two weeks.
* Make system snapshots with Timeshift, on a daily basis or every two days.
* Make home files backups with FreeFileSync (install it), on a daily basis or every two days; it is a differential backup software: the 1st time it will back up all your home files, next times it will back up only the changes.

=> this will allow you to restore your system: from a full backup with Foxclone, from a snapshot with Timeshift (launched from a functioning system, or launched from the Linux Mint ISO); to repair your system (with System Rescue); to restore your home files (with FreeFileSync or a file manager).

You know now what to do! Do it.

Regards,

MN
Last edited by MikeNovember on Sun Oct 02, 2022 5:42 am, edited 1 time in total.
_____________________________
Linux Mint 20.3 Mate host with 5.4 kernel, Windows 10 Pro guest, ASUS G74SX (i7-2670QM, 16 GB RAM, GTX560M with 3GB RAM, 1TB SSD)
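A follow-up to step 3 of the post above, added here as an example; it is not part of MikeNovember's post or script. The lists that script downloads do not necessarily share one layout (hosts-format feeds publish "address host" lines, Pi-hole style feeds one bare domain per line), and concatenating them straight into /etc/hosts also carries over each feed's own comments and localhost entries. The script below normalises every list to one "0.0.0.0 host" line per entry, drops comments, localhost-style names and anything that is not a plausible hostname, de-duplicates across lists, and never writes to /etc/hosts itself. The three sample list files are constructed for the dry run; nothing is fetched from the network, and only awk, sort, cat and mktemp are assumed.

```shell
#!/bin/bash
# Added example (not MikeNovember's script): normalise blocklists of mixed
# layouts into "0.0.0.0 <host>" lines before they are appended to /etc/hosts.
# Assumes only awk, sort, cat and mktemp, all present on Linux Mint.

# normalize_hosts FILE
# Accepts hosts-format lines ("0.0.0.0 host", "127.0.0.1 host", "::1 host") or
# one bare domain per line. Comments, blank lines, localhost-style entries and
# anything that is not a plausible hostname are dropped; names are lowercased.
normalize_hosts() {
    awk '
        { sub(/#.*/, "") }                 # strip full-line and inline comments
        NF == 0 { next }                   # nothing left after stripping
        NF == 1 { host = $1 }              # domain-per-line layout
        NF >= 2 {                          # hosts layout: sink address, then name
            if ($1 !~ /^(0\.0\.0\.0|127\.0\.0\.1|::1)$/) next
            host = $2
        }
        host ~ /^(localhost|localhost\.localdomain|local|broadcasthost|ip6-[a-z]+)$/ { next }
        host !~ /^[A-Za-z0-9][A-Za-z0-9._-]*$/ { next }   # not a hostname, skip
        { print "0.0.0.0 " tolower(host) }
    ' "$1"
}

# build_hosts BASE LIST...
# Prints BASE (the saved copy of the original /etc/hosts) untouched, then the
# de-duplicated union of all normalised lists. Output goes to stdout only; the
# caller decides whether to install it, e.g.
#   build_hosts hosts_base.txt hosts1.txt hosts2.txt > hosts &&
#   sudo install -m 644 -o root -g root hosts /etc/hosts
build_hosts() {
    local base="$1"
    shift
    cat "$base"
    echo "# --- blocklist entries (generated by build_hosts) ---"
    for f in "$@"; do
        normalize_hosts "$f"
    done | sort -u
}

# count_blocked BASE LIST...: how many block entries build_hosts would add
count_blocked() {
    build_hosts "$@" | grep -c '^0\.0\.0\.0 '
}

# Constructed sample inputs for a dry run (not the contents of any real feed).
demo_dir=$(mktemp -d)
cat > "$demo_dir/hosts_base.txt" <<'EOF'
127.0.0.1 localhost
127.0.1.1 mint-laptop
EOF
cat > "$demo_dir/list_hostsfmt.txt" <<'EOF'
# hosts-layout feed: address then name
127.0.0.1 localhost
0.0.0.0 Evil.Example   # inline comment
0.0.0.0 tracker.example
EOF
cat > "$demo_dir/list_domains.txt" <<'EOF'
# domain-per-line feed
evil.example
miner.example
not a hostname
EOF

# Dry run: base entries first, then 3 merged block entries (evil.example once).
build_hosts "$demo_dir/hosts_base.txt" "$demo_dir/list_hostsfmt.txt" "$demo_dir/list_domains.txt"
```

Used together with the update script, the downloaded hosts1.txt to hosts6.txt are passed to build_hosts after hosts_base.txt and the result is installed with sudo install -m 644 -o root -g root, so the system file stays root-owned and is only replaced once every download has succeeded.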
Pjotr
Level 23
Posts: 18104
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland) 🇳🇱

Re: Cannot escape hijacker/intruder/virus/malware

Post by Pjotr »

Good God. There's absolutely no need to be paranoid about security in Linux. :shock:

Snake oil like AV and anti-rootkit junk won't help you one bit. In fact, such digital trash can even ruin a fine system. I recommend to read this article that I've written about security in Linux Mint:
https://easylinuxtipsproject.blogspot.c ... urity.html
Tip: 10 things to do after installing Linux Mint 21 Vanessa
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Cosmo.
Level 24
Posts: 22064
Joined: Sat Dec 06, 2014 7:34 am

Re: Cannot escape hijacker/intruder/virus/malware

Post by Cosmo. »

The starting post leaves one question open: Why do you trust in such stuff?
Gotcha!
cliffcoggin
Level 8
Posts: 2238
Joined: Sat Sep 17, 2016 6:40 pm
Location: England

Re: Cannot escape hijacker/intruder/virus/malware

Post by cliffcoggin »

csann wrote:
Sat Oct 01, 2022 8:49 pm

Again, anyone that can help...it would be epic, any advice at all...I would be so forever grateful! Thank you for your time!
Wipe the computer and install a fresh verified copy of Mint. Do not install rootkit hunters, ClamAV, or similar so-called anti-virus software. Do not install any PPAs. Do not install any extraneous software. Install only the basic operating system then immediately make a Timeshift snapshot. Test your computer and let the forum know of any problems before making changes.
Last edited by SMG on Sun Oct 02, 2022 2:54 pm, edited 1 time in total.
Reason: Edited to comply with forum rules.
Cliff Coggin
Hoser Rob
Level 19
Posts: 9398
Joined: Sat Dec 15, 2012 8:57 am

Re: Cannot escape hijacker/intruder/virus/malware

Post by Hoser Rob »

Linux rootkit hunters are tools made for pros, and are almost guaranteed to generate false positives and befuddle newbies.
SMG
Level 23
Posts: 18698
Joined: Sun Jul 26, 2020 6:15 pm
Location: USA

Re: Cannot escape hijacker/intruder/virus/malware

Post by SMG »

Moderator note: Post removed for violating forum rules.
csann
Level 1
Posts: 2
Joined: Sat Oct 01, 2022 8:18 pm
Location: Fort Smith, Arkansas

Re: Cannot escape hijacker/intruder/virus/malware

Post by csann »

I apologize. I'm not being sarcastic but very genuine; what rule did I break? I received a couple of smart replies but alas, a couple of replies with very helpful information, most notably the first. I did not mean to break any rules and I apologize in advance...I am only asking what I did so that, should I choose to make any sort of post in the future, I do not make the mistake again. :)

Thank you,
Clint
SMG
Level 23
Posts: 18698
Joined: Sun Jul 26, 2020 6:15 pm
Location: USA

Re: Cannot escape hijacker/intruder/virus/malware

Post by SMG »

csann wrote:
Mon Oct 03, 2022 7:57 pm
what rule did I break?
You did not break any rules. The person whose post I removed broke a rule (which is why the post was removed).

Glad to hear you are finding the advice here helpful. :)
Schultz
Level 9
Posts: 2685
Joined: Thu Feb 25, 2016 8:57 pm

Re: Cannot escape hijacker/intruder/virus/malware

Post by Schultz »

csann wrote:
Mon Oct 03, 2022 7:57 pm
I received a couple of smart replies but alas, a couple of replies with very helpful information, most notably the first.
Yeah, no. You need to listen to Cosmo., Pjotr, and Hoser Rob. They know what they're talking about. You probably broke your system yourself deleting false positives.