[SOLVED] Clamav virus scan and false positive alerts (PUA)


Postby joeclem111 » May 12th, '13, 14:21

I have been using Mageia 2 since last December and, as a Mandriva user previously, I love Maggie. For the last few weeks I have been having some fun. Once or twice it has booted and not displayed the desktop icons. Last night it would not respond to the "turn off" instruction. The worst thing is that the USB mouse (I am on a laptop) does a double click when I only click once. I have reset the mouse in KDE to single click but this is no cure. It feels like there is a rogue program doing this. I do a recursive scan on the home directory maybe 4 times a day and can find a JavaScript threat (phishing) in the Firefox cache even when I have not used Firefox, and that suggests a trojan may be downloading the threat. A recursive scan of the whole system does not find any threat. Does anyone have any knowledge of this? Are there any known rogue programs that do this? Any constructive help welcome.

LATE NEWS: I have determined the mouse to be at fault; didn't expect it as it is only weeks old. The other questions still stand about unusual behaviour and a possible trojan.
Last edited by joeclem111 on Jun 3rd, '13, 20:09, edited 2 times in total.
joeclem111
 
Posts: 47
Joined: May 12th, '13, 14:14

Re: system security

Postby doktor5000 » May 12th, '13, 17:09

What tool do you use to scan your home, and which script java threat does it find exactly?
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 18066
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: system security

Postby joeclem111 » May 12th, '13, 17:25

Clamav is my scanner and the JavaScript is usually called "packed" with some other references. I have divided my 500 GB hard drive with an 8 GB swap, a 50 GB partition for the programs and a 200 GB partition which has /home on it. This is because, on a re-install, the old Mandriva did not overwrite the /home so all data is usually left intact.

Re: system security

Postby doktor5000 » May 12th, '13, 20:11

joeclem111 wrote: Clamav is my scanner and the JavaScript is usually called "packed" with some other references.

Which references exactly? Please provide some output from clamav.

Re: system security

Postby joeclem111 » May 12th, '13, 20:23

I have been clean today. Please be patient and I will copy the exact nasty when I next find one and post the name here. Thank you so far.

Re: system security

Postby joeclem111 » May 14th, '13, 01:32

I have just found the following threat in /home/user/.mozilla/firefox/qsh25xPUA.Script.Packed-2. Hope this tells you something.

Re: system security

Postby doktor5000 » May 14th, '13, 20:04

Well, PUA is a common acronym for Potentially Unwanted Application, which most virus scanners use for runtime compression algorithms or similar software. This doesn't tell you anything about the compressed script which is found by clamav, whether it's malicious or benign. What I'd worry about is that normally nothing writes directly in /home/user/.mozilla/firefox/
I'd expect something like that in /home/user/.mozilla/firefox/profileid.default/Cache ...
Could you please check that script via https://www.virustotal.com/en/ ?

Maybe you want to check http://endian-firewall.1086186.n5.nabbl ... d4445.html

Re: system security

Postby joeclem111 » May 14th, '13, 20:40

I have deleted the package so would have to wait for the next incidence before I could check the full package. I also have found this where you indicated, ie, in the Cache. Do you think I have a trojan in play?

Re: system security

Postby doktor5000 » May 14th, '13, 21:21

As mentioned, you should definitely check it again thoroughly if it reoccurs. From what you've written, I don't think it's a "trojan".
But better be safe than sorry.

Apart from that, why did you enable scanning for PUAs in the first place? It's disabled by default.
Please also check http://forums.clamwin.com/viewtopic.php?p=15576 and http://web.archive.org/web/200901092005 ... upport/pua

Re: system security

Postby joeclem111 » May 16th, '13, 02:17

I didn't enable it, it was like that from the install. I will be missing now till later on Friday as I am in hospital for an op. Will scan on my return and let you know I am back.

I am home and all is well with the op. I have scanned and as yet have not found any more threats. Will continue till I get one and will then have it checked by your link and will post the result.

Re: system security

Postby joeclem111 » Jun 3rd, '13, 16:42

Today I got a threat for the first time in a long time. I could not navigate via your virus link as it would not show me the hidden directories. I then went to the directory to move the file to an accessible directory but the file was not there, even though I was showing all hidden files. I had no choice but to delete it. It was in /home/user/.mozilla/firefox/qsh25x PUA.js.Xored. Hope this helps.

Re: system security

Postby doktor5000 » Jun 3rd, '13, 19:24

The file was not there, but you deleted it? Huh?
Also noticed that the "PUA.js.Xored" is only a classification by clamav, not part of the filename.

Re: Clamav virus scan and false positive alerts (PUA)

Postby joeclem111 » Jun 3rd, '13, 19:28

It was clamav that found it and offered the delete option after a recursive scan of /home. This delete was done from within the clamav package.

Re: Clamav virus scan and false positive alerts (PUA)

Postby doktor5000 » Jun 3rd, '13, 19:35

How did you search for the file manually?
Also please look again at my earlier comments. clamav basically only told you that the file was x-ored: https://en.wikipedia.org/wiki/Exclusive ... _operation
That's not what I'd call a "threat". Please disable PUA scanning as already mentioned above, it produces too many false positives and is generally not recommended.

Do you use clamtk as frontend?
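The distinction doktor5000 draws in the two posts above (the name clamav prints after the path is its classification, not part of the file name, and anything under PUA.* is a heuristic category such as "packed" or "xored" rather than a malware signature match) is easy to lose when reading scan output by hand. The following is an added example, not code from this thread or from the ClamAV project: a small Python triage script that parses the `<path>: <signature> FOUND` lines clamscan prints, splits PUA hits from real signature matches, and extracts the PUA category. The sample scan output embedded in it is constructed; the profile directory name, cache file names and the Downloads path are placeholders, not the poster's real files.

```python
"""Triage clamscan output: separate PUA heuristics from real signature hits.

Added example (not from the forum thread or the ClamAV project). It assumes
the per-file line formats clamscan prints:

    <path>: <signature> FOUND
    <path>: OK

PUA hits only appear when scanning with --detect-pua=yes (clamscan's default
is no). clamscan also accepts --exclude-pua=<category> to silence a single
PUA category while keeping the rest enabled.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    path: str
    signature: str
    is_pua: bool


# Greedy path, then the last ": <signature> FOUND" on the line, so a path
# that itself contains ": " is still split at the right place.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def parse_clamscan(output: str) -> List[Finding]:
    """Return one Finding per FOUND line; OK lines and the summary are skipped."""
    findings = []
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if not m:
            continue
        sig = m.group("sig")
        findings.append(Finding(m.group("path"), sig, sig.startswith("PUA.")))
    return findings


def pua_category(signature: str) -> Optional[str]:
    """'PUA.Script.Packed-2' -> 'Script'; None for non-PUA signatures."""
    parts = signature.split(".")
    if len(parts) < 2 or parts[0] != "PUA":
        return None
    return parts[1]


def triage(output: str) -> Dict[str, List[Finding]]:
    """Split findings into real signature matches and PUA heuristics."""
    findings = parse_clamscan(output)
    return {
        "malware": [f for f in findings if not f.is_pua],
        "pua": [f for f in findings if f.is_pua],
    }


# Constructed sample of "clamscan -r --detect-pua=yes /home/user" output.
# Profile directory, cache file names and the eicar path are placeholders.
SAMPLE_OUTPUT = """\
/home/user/.mozilla/firefox/xxxxxxxx.default/Cache/0A1B2C3Dd01: PUA.Script.Packed-2 FOUND
/home/user/.mozilla/firefox/xxxxxxxx.default/Cache/4E5F6A7Bd01: PUA.js.Xored FOUND
/home/user/Documents/notes.txt: OK
/home/user/Downloads/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
"""


def report(output: str) -> str:
    """Human-readable triage: signature matches first, then PUA hits by category."""
    result = triage(output)
    lines = ["Signature matches (investigate):"]
    lines += [f"  {f.path}  [{f.signature}]" for f in result["malware"]] or ["  none"]
    lines.append("PUA heuristics (usually benign packed/obfuscated scripts):")
    lines += [f"  {f.path}  [{f.signature}, category {pua_category(f.signature)}]"
              for f in result["pua"]] or ["  none"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

Run against a real scan with `clamscan -r --detect-pua=yes /home/user | python3 triage.py` (after changing the `__main__` block to read stdin); the PUA list is the part that doktor5000's advice says to switch off, the signature-match list is the part worth uploading to VirusTotal before deleting anything.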

Re: Clamav virus scan and false positive alerts (PUA)

Postby joeclem111 » Jun 3rd, '13, 19:52

I use clamTK but it is out of date (4.43). Last time I updated clamTK on the old laptop it disabled clamav altogether. I invoked clamTK and chose to scan home (recursive).

Re: Clamav virus scan and false positive alerts (PUA)

Postby doktor5000 » Jun 3rd, '13, 19:57

In clamtk you manually have to enable scanning for PUA, so either you're using old/migrated settings in your /home, or enabled it yourself.
It is definitely disabled by default - when I ran clamtk, I had to enable it explicitly [and got 3 "PUA" findings in my Firefox profile, which are no threats at all]

Please disable it, as already mentioned, it produces too many false positives.
And please mark the thread accordingly by editing the topic of the first post and prefix it by [SOLVED], thanks

Re: Clamav virus scan and false positive alerts (PUA)

Postby joeclem111 » Jun 3rd, '13, 20:07

Thanks so much for all you have done.

