I think I may have downloaded a virus (SOLVED)

[Jim Dandy]

rm -Rf ~/.wine


Thank you. Since I don't plan to ever have windows on this I guess that would be a good solution.
Even after deleting wine (I think I did anyway) it keeps coming back. And the funny thing, if any of it is funny, is that each one is a different size than the one I just sent to the trash and deleted.

[µT6]

Jim, if you said that you didn't installed wine, why this command worked for you?

i think you said you didn't installed wine but the install already had it installed

you could at least verify that you had such folder before ignoring my first reply, remember that all we want to do is help but if you don't follow the steps we post, it is wasted time

remember to stop the wine service, so the virus stops working on the ram, you can do that by killing the wine service as i mentioned or stopping wine in the configure your computer/system/manage system services and stop wine

of course this wont work if you don't have wine installed but it seems you have it so to discard open synaptic and search for wine, if installed remove it

[zorlac]

This

is way more effective than any antivirus program. 

[Jim Dandy]

Jim, if you said that you didn't installed wine, why this command worked for you?

i think you said you didn't installed wine but the install already had it installed

you could at least verify that you had such folder before ignoring my first reply, remember that all we want to do is help but if you don't follow the steps we post, it is wasted time

remember to stop the wine service, so the virus stops working on the ram, you can do that by killing the wine service as i mentioned or stopping wine in the configure your computer/system/manage system services and stop wine

of course this wont work if you don't have wine installed but it seems you have it so to discard open synaptic and search for wine, if installed remove it

I promise you I am NOT ignoring anything anyone has posted to me. I don't always understand what they said and sometimes what they said didn't work for me* but that doesn't mean I didn't read it or that I am not trying to follow directions. I appreciate any help that anyone offers.

*Many times when I try to do something on the command line the instructions I get either weren't clear or maybe just weren't clear to me where they might be to someone who is a longtime user but I get things like "command not found." It gets frustrating but I always try to be nice about it and thank people for trying to help. I think this may be the first time I have been accused of wasting the time of those who tried to help. But no one should concern themselves with it any further. And again, thanks to those who tried to help.

[joechimp]

Seems some things never change.

EDIT: That wasn't to you JimDandy or anyone. Just a personal observation about something.

[µT6]

i haven't mentioned any console command

i suggested to uninstall wine, delete .wine folder and stop wine service to get rid of the annoying file you downloaded

[Jim Dandy]

i haven't mentioned any console command

i suggested to uninstall wine, delete .wine folder and stop wine service to get rid of the annoying file you downloaded

I wasn't just talking about you. I tried to delete wine and I guess it is gone but I don't know for sure. What I do know for sure is the file keeps coming back. But, once again, thanks for the help you offered and thanks to everyone. I don't have a lot of stuff downloaded so maybe the best thing to do would be a fresh install (and no more downloads from PB).

[AndrzejL]

Jim.

Run these commands in terminal:

Code: [Select]

su
give it a root's password

Code: [Select]

touch /forcefsck
and then reboot Your machine... I am guessing that there is something funny going on with Your file system. Boot time may take slightly longer then usual as the hard drive will be checked for errors.

Interesting thing... File that keeps coming back...

Regards.

Andrzej

[Jim Dandy]

Jim.

Run these commands in terminal:

Code: [Select]

su
give it a root's password

Code: [Select]

touch /forcefsck
and then reboot Your machine... I am guessing that there is something funny going on with Your file system. Boot time may take slightly longer then usual as the hard drive will be checked for errors.

Interesting thing... File that keeps coming back...

Regards.

Andrzej

Thank you. If it found something funny it didn't let me know. I am assuming you meant to restart? I didn't shut it completely down and then turn the power on again--if that is what you meant I can do it again.

[AndrzejL]

No - restart is just fine Dude.

Is the file back now again?

Regards.

Andrzej

[µT6]

"What I do know for sure is the file keeps coming back. But, once again, thanks for the help you offered and thanks to everyone. I don't have a lot of stuff downloaded so maybe the best thing to do would be a fresh install (and no more downloads from PB)."

that might be a possible solution but doesn't offer a real solution

if this happens again, would you just reinstall again?

first try to wipe the file and then if all the suggestions doesn't work the last option should be reinstall but i still think that you have a windows virus running thanks to wine residing in ram and that is why i mentioned the disable wine service and uninstall wine

[Cris70]

mmm I have never seen a Linux virus.
You MAY have a rootkit, but I think this has to have a simpler solution.

You say you downloaded it from PB. Are you sure you don't have a torrent downloader that's set to autostart at boot? It may have cached the URL and now it starts downloading again every time you delete the file. I use FatRat and it has this kind of behavior. Maybe you're using a command-line torrent downloader that runs in background, so you don't notice it. Do you see the file growing if you let it alone?

You could try to use the "lsof" command to see which process (if any) is writing to that file. Run it as root from a shell and grep the output looking for the name of the "immortal" file.

You could also look into the first bytes of the AVI file to see if it really is a win32 executable file. If the first two bytes are "MZ" (hexadecimal 4D 5A) then it probably is a win32 executable binary. You need a hex editor/viewer for this.

Hope this helps...
Bye
Cris

[Rudge]

Until the process is identified and stopped, the file is just going to keep getting re-created by whatever that process is.

[AndrzejL]

Until the process is identified and stopped, the file is just going to keep getting re-created by whatever that process is.

I am suspecting that Jim's torrent client is re-downloading the file... Could be wrong... Would not be a first time and will not be the last time...

Like Cris70 mentioned - Torrent client autostarting after reboot and trying to download (leech) the file or even upload (peer) the file for others could cause this behaviour...

I don't believe in the virus / rootkit... but I gave Jim the link to Avast installation howto just in case I am wrong...

Regards.

Andrzej

[Jim Dandy]

No - restart is just fine Dude.

Is the file back now again?

Regards.

Andrzej

Yes, it is back again. It is like Dracula. And now when I try to send it to the trash I get this notice that my trash is full and I have to empty the trash manually. But there is nothing in the trash, at least it doesn't show anything when I click on it. It is all very confusing.