ClamTK/ClamAV Refuses To Remove Multiple Trojan Infections!

StarTreker · 9 November 2020 00:32

I was seeing some strange lagging activity with Steam recently, so I decided to run a system wide scan. And boy was I in for a shock, when over 1000 infections were found via the same exact trojan virus. I have been infected by this same virus before, I remember it, and removed it.

But at that time, there were only two infected files, and it wasn’t that big of a deal. After removing the said infection, I thought I was safe, clearly, I was wrong. Some of the files located in other wine directories, I was able to get the infections removed.

However, all these infected files that I am unable to remove, are all located in the OPT directory under Wine-Stable. I don’t understand why ClamTK refuses to let me delete those infected files, there are just over 800 of them! Thinking maybe the GUI was at fault, I Googled the code for executing a terminal based scan.

I specifically executed a system wide scan with auto remove as the option, and this was a sudo command, which means, it should have full permissions! Once the scan was over, it came back saying 800+ infections that couldn’t be removed.

So ya, saying that I am frustrated would be an understatement.

carmar · 9 November 2020 01:03

How about trying with pkexec?

zabadabadoo · 9 November 2020 10:33

@StarTreker. Within Clam, have you sent it for Analysis?

Also. Have you run Rkhunter as well as Clam?

StarTreker · 9 November 2020 13:23

I can’t do anything with the 800+ files, Clam just seems to well, clam up.

Because of this issue, is what got me to install RKhunter, didn’t know it was command only though. But I followed instructions and ran the scan code, and most of it came up clean as a whistle.

I did get many warnings however, but when I had looked up info on RKhunter before install, I learned that it can give a lot of false positives. Does RKhunter automatically remove stuff? I ask, because I get the impression that it does not, it left those warnings be, and gave me 0 options for removal.

I am sure if you ran RKhunter on your system, it would probably come up with a bunch of warnings too. There doesn’t seem to be a lot of good options for good anti-virus software for Linux. I thought about installing Comodo Antivirus, but the install is so convoluted and BS, that I just said screw it.

If they can’t bother getting their app in the Ubuntu repository, and keep it updated, its not worth my time. None of these anti-virus apps are even in the repository, the only one that is, is ClamAV, which Zorin comes with by default anyways.

I know that ESET is the best anti-virus software for any OS, but their software is a paid service, and not looking to spend more money on stuff right now. So, not really sure what to do about this, clearly its got to be a made for Windows trojan, and how it got in Wine’s folders and infected them, must have something to do with Windows software.

Either that, or I am getting attacked from Steam, however, its highly unlikely. When you do google searches, it is clear I am not the only one to receive trojans in the Wine folders.

zabadabadoo · 9 November 2020 18:24

@StarTreker.
When I run Clam (ClamTK GUI), I do get numerous warnings labelled as “PUA”. But after research in the past, I concluded Clam throws up false positives re PUA’s, particularly flagging Trojans in Firefox cache2 entries. But your case is different if actual infected files (not PUA’s) are listed.
There was some discusssion re antivirus for Linux/Ubuntu on the old forum which you have probably seen in the past. Conclusion was only ClamAV is available for Linux as many still think Linux desktop is unworthy of attracting viruses and malware and don’t even bother with Clam. Windows is thick with them and therefore Wine is a defence weakness you have to be wary of.

Rkhunter only warns me of minor things, no rootkits or malware.

StarTreker · 9 November 2020 20:33

This is really good to know Zaba! As RKhunter didn’t seem to flag any trojans that I can recall, just showed warnings for many files. Its ClamAV that is showing the same trojan attached to 800+ files. Could be that ClamAV is just as unreliable as I think it is.

Even I know that if I want real Antivirus, I need to purchase an ESET subscription, as they are the only quality paid service for Antivirus. So far, my computer isn’t being toasted by a virus, so I might be ok.

In the past when I used to be on Windows and got virus’s, it took powerful anti-virus software in, which was a paid service, in order to remove them. And 20-years ago, I got a boot sector virus, and that sucker destroyed a hard drive. That was the time when I was like, I need good anti virus, and back then it was AVG, before they sold their souls to the Cypris country devil.

Then I used Kespersky for time, until all the evidence came out about Russia’s hacking, then I got rid of it. But I switched to Linux shortly after so it didn’t matter. Heard how Linux was ultimately secure, figured I wouldn’t have to worry ever again. Of course, I was new to Linux then, didn’t understand how it worked fully.

But in understanding the Wine folders, its easy to understand how you can get a Windows virus, because it was tailored for the Windows program folder, which is found in the Wine folder. But since the virus was coded for Windows, more then likely its not doing anything on Linux. And Linux is a far more secure OS.

Literally, apps can’t do anything serious without our ROOT passwords, or SUDO commands. Its not so for Windows, on Windows, APPS have full control on Microsofts OS, to do anything and everything. Which is why firewall apps were so popular back in the day, to put a plug in them holes, to keep those nasty app fingers out of them!

StarTreker · 13 November 2020 21:12

OK, I have an update for everyone. The only solution was to remove Wine. At first I was reluctant to do so, because I thought Steam still required Wine. But after doing some research, I learned that Steam no longer required Wine, because it had its own version built in with Steam Play and Proton.

So the only reason I would need Wine, is to run a piece of Windows software, that I was no longer using anymore anyways. It took me awhile to remove Wine, I had to use Synaptic Package manager. There was a broken package situation I was dealing with that was halting my efforts in the beginning.

BTW, is it normal to have a Wine folder called Wine Devil? If you guys answer NO to that question, then that proves that Trojan has been messing around. Also, in the process of removing Wine, I discovered that there was a unsafe Launchpad PPA entry on my system, could have been my fault, I’ve added a few PPA’s in the past to install software.

Anyways, I removed the PPA that the system said was unsafe, and I was able to update the system after that. So just a headsup to anyone who might be thinking that Linux is impervious to virus’s, its not. If you have a Wine program folder on your Linux system, your chances of getting a virus goes up exponentially. Remember that.

My recommendation? DO NOT USE WINE!

And in the words of the Mandalorian, “This is the way”

carmar · 13 November 2020 22:42

Never seen “Wine Devil”.

From the little I gather about Proton, it includes Wine.