Windows virus still does SOME damage in Linux

Post by vintagepen »

Anyone know how to get rid of the ActiveDiscount virus please? ClamAV doesn't seem to remove it and my experience is that none of the half dozen Windows AV programs [except Zoek] can find it. I don't suppose there is a way of effectively running Zoek in Linux, is there?

I got it by following a 2012 link on xda-developers to Android File Host.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.

Post by kc1di »

Hi,
ActiveDiscount does not attack Linux per se, but attaches itself to a browser or email client. Since you did not say which browser or client is affected, here is a web page that tells you how to clean it out of the browser.
https://malwaretips.com/blogs/ads-by-ac ... l/#browser
Follow step #5.
The example is for Google Chrome; of course Firefox would be different, but the procedure would be the same: reset your personal data.
Easy tips : https://easylinuxtipsproject.blogspot.com/ Pjotr's Great Linux projects page.
Linux Mint Installation Guide: http://linuxmint-installation-guide.rea ... en/latest/
Registered Linux User #462608

Post by phd21 »

Hi "vintagepen",

I just read your post and the good replies to it. Here are my thoughts on this as well.

You could create a bootable CD/DVD or USB flash drive stick of one of the reliable Anti-virus rescue discs and boot to that and run it on your whole system and any attached drives (ie: USB sticks)... Kaspersky (cd/dvd), Avira, Dr.Web, etc... It will take a while to run.


Hope this helps ...
Phd21: Mint 20 Cinnamon & KDE Neon 64-bit Awesome OS's, Dell Inspiron I5 7000 (7573, quad core i5-8250U ) 2 in 1 touch screen

Post by Pjotr »

Don't install any antivirus for this; that's unnecessary and even decreases the security of your system. It suffices to reset Firefox to its defaults:

- Launch a terminal window (this is how to launch a terminal window);

- copy/paste this command into the terminal:

Code:

rm -v -R ~/.mozilla
Press Enter.

Close Firefox and relaunch it. Done. :mrgreen:

Same procedure for Google Chrome:

Code:

rm -v -R ~/.config/google-chrome
Close & relaunch.

For Chromium:

Code:

rm -v -R ~/.config/chromium
Close & relaunch.
Last edited by Pjotr on Wed Nov 08, 2017 11:05 am, edited 2 times in total.
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Post by karlchen »

Hi, vintagepen.

Although the incorrect label virus is used in the article as well, it is still incorrect. It is a normal piece of Windows software, which has been designed and developed to do things which you may not like. Apart from the Windows executable file, which should not work on Linux Mint at all, there is a browser extension.
Browser extensions might well be able to run on Linux Firefox versions as well.
Hence you should definitely get rid of the ActiveDiscount browser extension.
I would look for it inside my browser profile, subfolder extensions, and remove it.
No idea whether the ActiveDiscount browser extension is able to pull in any further browser extensions or plugins - might be. So it is definitely worth checking.
Maybe the only really safe way, is, as has been suggested already, by renaming your $HOME/.mozilla subfolder tree (Firefox profile), and start all over with a fresh Firefox profile. In this case it would make sense, deleting the stuff inside $HOME/.cache/mozilla as well (would have to look up the exact pathname on a Linux system)

Regards,
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 792 days now.
Lifeline

Post by Pjotr »

karlchen wrote:In this case it would make sense, deleting the stuff inside $HOME/.cache/mozilla as well (would have to look up the exact pathname on a Linux system)
Karl
This should do the trick for the Firefox cache:

Code:

rm -v -R ~/.cache/mozilla/*
For the cache of Google Chrome:

Code:

rm -v -R ~/.cache/google-chrome/*
For the cache of Chromium:

Code:

rm -v -R ~/.cache/chromium/*

Post by vintagepen »

Pjotr wrote:

Code:

rm -v -R ~/.mozilla
Press Enter.

Well that was absolutely catastrophic! Though it may have got rid of the malware, - as has been pointed out to me, IF I had it.

But this is my fault because I am not sure why I followed the destructive instructions after I had refreshed firefox and that SEEMED to get rid of the problem and the (possibly hidden) extension.

The chromium and firefox instructions lost me all my passwords, configurations and over a month's worth of work, all my 20-30 carefully preserved tabs that I was working on and changed all my internet search settings to an almost completely useless search engine called yahoo, which specialises in keeping users on their site (AOL-like) and never returning any relevant results if you aren't shopping [and doing so with their preferred retailers]. Curiously I have read articles that describe this business of switching search settings to Yahoo without knowledge or consent as malware in itself!

I should have had a bit more faith in Linux's ability to resist viruses & malware.

Post by Moem »

Well, that's what it means to reset Firefox to its defaults. I do feel that Pjotr could have given a clearer warning than that... :?

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

Post by Flemur »

vintagepen wrote:
Pjotr wrote:

Code:

rm -v -R ~/.mozilla
Press Enter.
Well that was absolutely catastrophic!
Without a big "YOU'LL LOSE ALL YOUR BOOKMARKS AND ADDONS ETC" it was terrible advice.
I should have had a bit more faith in Linux's ability to resist viruses & malware.
It's actually a browser problem.
You might want to find the URL that supplies this bogus addon (or whatever it is) and add it to your /etc/hosts file so it can't be accessed again.

But! You DO BACKUPS, RIGHT?!?!?

So you can restore your ~/.mozilla directory from it....right?
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?

Post by Pjotr »

vintagepen wrote:Well that was absolutely catastrophic! Though it may have got rid of the malware, - as has been pointed out to me, IF I had it.

But this is my fault because I am not sure why I followed the destructive instructions after I had refreshed firefox and that SEEMED to get rid of the problem and the (possibly hidden) extension.

The chromium and firefox instructions lost me all my passwords, configurations and over a month's worth of work, all my 20-30 carefully preserved tabs that I was working on
It *is* your fault. I clearly stated that it would reset Firefox (and Chromium) to its defaults. Missed that line?

Sometimes I'm a bit surprised by the amount of hand-holding that some people apparently expect.... :shock:

Post by vintagepen »

Yes, it does appear to be necessary to explain that resetting firefox to defaults includes losing all work, tabs, passwords, configurations and introducing Yahoo malware into my computer: Heck, even gmail now has a screwed up, completely alien and totally non-intuitive look which seems to have been designed by Yahoo to stop users using gmail!

Especially where 'refreshing firefox' may have cured the problem (though not curing activediscount abusing memory/processing power by trying constantly to infect the non-existent registry?) yet doesn't do any of this.

Post by Pjotr »

vintagepen wrote:Yes, it does appear to be necessary to explain that resetting firefox to defaults includes losing all work, tabs, passwords, configurations and introducing Yahoo malware into my computer: Heck, even gmail now has a screwed up, completely alien and totally non-intuitive look which seems to have been designed by Yahoo to stop users using gmail!

Especially where 'refreshing firefox' may have cured the problem (though not curing activediscount abusing memory/processing power by trying constantly to infect the non-existent registry?) yet doesn't do any of this.
Don't shout. And assume responsibility for your own clear mistake. I'm not a babysitter.

Post by vintagepen »

Pjotr wrote:Don't shout.
Sorry for that, - and I do acknowledge that your advice was correct

Post by karlchen »

Hello, vintagepen.

Others have already stated that a warning might have been appropriate, emphasizing that removing the Firefox profile folder would of course remove all your bookmarks, your saved login credentials, your Firefox settings, your addons and a few things more. On the one hand.
On the other hand, I admit that if I had given the advice of removing the Firefox profile, I might also have made the mistake of assuming that a forum user, who joined more than 5.5 years ago, might be aware of what removing the Firefox profile will do.

This very likely is the reason why user Cosmo. had made it a habit to instruct users to rename the Firefox profile folder instead.

Code:

mv "$HOME/.mozilla" "$HOME/.mozilla.bak"
And only if all problems had been sorted out, he told them to remove the renamed folder.
This gave users the chance of reverting or selectively restoring particular files from the renamed profile folder to the new profile folder.

Also, please, keep in mind, that not giving the warning would have had no ill side effects, provided you did regular backups of your data. Apparently you do not do so. And this is something which you cannot blame Pjotr for.

This story once again illustrates that it always takes more than one mistake to make a catastrophe.

Best regards,
Karl
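
The rename-then-selectively-restore approach described in the post above, as an added example that is not part of the original thread or any poster's own code. The function names, the process-name check and the list of files worth restoring (places.sqlite for bookmarks and history, logins.json plus key4.db for saved logins) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: set a profile tree aside, then copy
# back only chosen data files. Function names are hypothetical.

# Move DIR (e.g. ~/.mozilla) to DIR.bak.<timestamp> and print the new path.
# Optional second argument: browser process name to check for (assumption:
# "firefox"; some builds use firefox-esr or firefox-bin).
set_aside_profile() {
    local dir="$1" proc="${2:-}" backup
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # A running browser keeps writing to the profile, so refuse to move it.
    if [ -n "$proc" ] && pgrep -x "$proc" >/dev/null 2>&1; then
        echo "$proc is still running; close it first" >&2; return 2
    fi
    backup="${dir}.bak.$(date +%Y%m%d-%H%M%S)"
    [ ! -e "$backup" ] || { echo "backup exists: $backup" >&2; return 3; }
    mv -- "$dir" "$backup" && printf '%s\n' "$backup"
}

# Copy the named files from OLD profile directory into NEW.
# Extensions and preference files are skipped on purpose (this example's
# choice): they are where an unwanted add-on and its settings would live.
restore_files() {
    local old="$1" new="$2" f
    shift 2
    for f in "$@"; do
        case "$f" in
            */*|extensions*|prefs.js|user.js)
                echo "skipped: $f" >&2; continue ;;
        esac
        if [ -f "$old/$f" ]; then
            cp -p -- "$old/$f" "$new/$f" && echo "restored: $f"
        fi
    done
    return 0
}

# Typical use (profile directory names are placeholders):
#   bak=$(set_aside_profile "$HOME/.mozilla" firefox)
#   ...start Firefox once so it creates a fresh profile, then close it...
#   restore_files "$bak/firefox/OLD.default" "$HOME/.mozilla/firefox/NEW.default" \
#       places.sqlite logins.json key4.db
```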

Post by Penn »

Pjotr wrote:Don't shout. And assume responsibility for your own clear mistake. I'm not a babysitter.
This seems out of character for you. What makes your site so good is you include detailed step by step instructions on how to do things coupled with easy to understand but informative explanations of why take those steps and what they mean in the eyes of those who don't understand such terminology as "reset your browser".

The in this thread went so far as to "correct" karlchen who I feel gave the better advice. The only thing he didn't do that I have seen others do is explain that after a fresh profile was established you could use the renamed folder to get back some of your old profile.

However, maybe the way it happened can be a learning experience for the OP. Back up your bookmarks and other personal data you may want. Personally, I say DON'T let the browser remember your passwords. Over time such security measures as encryption and salting have gotten better but I do remember a time when people could steal all your saved passwords when you connected to their site (or false ad). It wouldn't surprise me if some hackers figured out how to do that again, present or future, though currently I haven't heard about that type of exploit existing.

Post by Pjotr »

Penn wrote:
Pjotr wrote:Don't shout. And assume responsibility for your own clear mistake. I'm not a babysitter.
This seems out of character for you. What makes your site so good is you include detailed step by step instructions on how to do things coupled with easy to understand but informative explanations of why take those steps and what they mean in the eyes of those who don't understand such terminology as "reset your browser".
Thanks for your compliment. :)

There's a difference though, between my website and my advice on this forum.... I can afford the one-time investment of time and effort in creating elaborate step-by-step how-to's on my website, but not so for my forum advice.

Because the latter is repetitive and would require more time and effort than I have to spare (at least when I can't give a link to a how-to on my website). So my forum advice is usually not so elaborate. :wink:
Last edited by Pjotr on Fri Nov 10, 2017 6:19 pm, edited 2 times in total.

Post by Pjotr »

vintagepen wrote:
Pjotr wrote:Don't shout.
Sorry for that, - and I do acknowledge that your advice was correct
Apology accepted. Good luck with getting things running again. :)

I've noticed that in the meantime, a mod (karlchen?) has undone the shouting.