That is certainly spooky and, considering what I have been through in the past 24-48 hours, not exactly light reading.
Well, here's an in-depth look at what happened to me – you'll have to excuse the length. Unfortunately a lot of the info you need is unavailable to me:
I am an English teacher and scour the internet for resources to use while teaching – usually I do this inside a VirtualBox VM – but over the weekend, unfortunately, I did not. My usual torrent application 'Deluge' was not working and I used something called qBittorrent, I think, with its default settings in place. I only use the package manager from Manjaro to install apps. The things I download are pictures or videos which I cut, edit and paste into presentations – I delete what I don't need later. Now I also do this in Windows, as MS Teams in Windows allows me to share audio more easily than its Linux equivalent, so I have a shared download folder on a separate drive.
Both operating systems are on physically separate drives and are never in use at the same time – to be clear, on the top of my desktop case is a drive port – I don't use dual boot. I usually have Manjaro plugged in as I truly trust this OS compared to any others that I have used throughout my life.
Each OS drive has only got the applications installed that are relevant or needed for that OS. I refer to them as my system drives. So if something goes wrong with a system drive then I'm confident that I have not lost any essential data (most weekends I back up that data to my cloud storage – sometimes I do this straight away – depends on how busy I am).
My data is located on several hard disks; for example my mail will be on a separate drive to my desktop folder drive, or my download drive, or my teaching resources drive, etc., though I do have some drives partitioned, usually for Steam games or older backups, and other non-essential items.
Whenever I boot into Windows I don't allow it access to those other drives, except for the download drive and thus the shared drive that Manjaro accesses too.
I know MS Windows 10 leaves a fingerprint or something on my other drives, as once it had left me in read-only mode when I tried to access them from Manjaro (further reading revealed that was something to do with fastboot – consequently disabled). However, my Windows installation used the default antivirus software and was prevented – by me – from scanning the other drives.
Throughout the pandemic I have been forced to switch back to Windows to use MS Teams to share audio only for classes that needed this; otherwise I was able to use MS Teams in Manjaro for almost 90% of my classes. It's almost impossible to set up the audio for MS Teams in Manjaro – the sound quality from my end using simultaneous audio is just incoherent for my students to hear – I have read multiple threads on this but not enough information on how to fix this. Have tried and failed – but will continue looking for a solution.
I am usually very careful with passwords and do pay attention each time an update appears. My email passwords are complex and unique – but the one I had decided to use for Manjaro was a simple 4-digit PIN I made up just for Manjaro, as I often run updates.
As I said before, the night before the incident the last thing I noticed before I went to shut down my machine was that the mouse moved slowly off certain things while I was reading a guide to a game on a website – in this case it was an online Plarium game which had been loaded up as a web app through Chromium (we all need downtime, and playing games online is just a good way to unwind). I also did a lot of reading from a variety of websites – my Chromium browser is set to load a number of grouped tabs in the background, some personal social media, others for learning whatever aspect of whatever it is I am learning – usually IT stuff – all trusted sites.
Prior to that, I believe a video that I had downloaded from a torrent site was the culprit that had left a number of exe files in my download folder on my download drive. But that was on Saturday evening, and later on Saturday evening I had booted into Windows 10 – which may have triggered the virus to spread to other drives. I booted into Manjaro on Sunday to do my end-of-the-month accounts for my clients with the intention of sending out my invoices on Monday. On Sunday afternoon I also checked for updates from Manjaro, as nearly every Monday morning (for as long as I can remember) I have issues logging into MS Teams, usually sound issues where my students can't hear me or I can't hear them. So that's all the activity I can recall – at this very moment I am exhausted as since Monday I have had very little sleep.
So on Monday morning, being prompted to enter my password seemed unusual as there had been no updates on Sunday. The screen was my default password login screen with my username displayed; it was 7.15am and I had a class at 7.55am. On Sunday I had prepared some scans from a book to use and was just about to send them to my client, and at this point I was logging into my personal account through Chromium and this is when I noticed that the browser said that my internet connection was not secure – if I had not noticed that I would have logged into my business email. Luckily I noticed and just instantly shut down my computer, removed the Manjaro drive and booted into MS Windows 10, logged in and went straight to MS Teams. While I was logged in I realized my other drives were still plugged into the computer (I should say the side of my case is usually exposed and so pulling cables in an emergency is doable, but not when I am running an OS).
During breaks I initially reported the issue on the forum and proceeded to download the latest ISO to prep for a fresh install of Manjaro (KDE), and checked the signature using another app I downloaded from the internet (the first I could find) – the signature checked out fine. Later, I turned off my computer and unplugged all the drives, went into my old Manjaro – with no physical internet connection – and could see that I was no longer admin and that I could not run a terminal window or access the file manager. Pretty much nothing I could do – I was reading the forum advice from my phone (thanks by the way – really appreciated).
Had to log back into MS Windows 10 to continue teaching. After that class finished I installed something called ESET antivirus for Windows 10 and after rebooting it couldn't find anything wrong with my Windows installation. Then I downloaded the ESET sysdisk rescue tool with the intent to boot off it and scan my other drives. I downloaded it but was not able to burn it onto a USB key – this was odd: no matter what spare USB key, Windows would bleep but not show it as attached. There was a setting in ESET for devices that had not been check-marked; when I checked it I was instructed to reboot. So I rebooted Windows 10 only to find that I no longer had access to my keyboard or mouse! I tried various ports but with no luck – read forums too. So at the moment I have no Windows 10 OS disk (well, I haven't fixed it yet); I will leave that for tomorrow.
Monday evening I eventually booted into the latest ISO for Manjaro (KDE) – mentioned before (signature checked) – remember I did this in a potentially infected Windows 10 installation, or so I believe.
I managed to download the ESET tool and burn it onto a USB key. At this time there were no drives connected. After that I rebooted into the ESET tool with only the infected Manjaro drive installed. The tool allowed me the opportunity to examine the drive to some degree – I could see that most directories existed but their contents were not visible. I could see the grub and examine its contents, but not knowing what to look for, i.e. changes, was a hopeless task. It seemed too that most files were encrypted and that the owner was definitely not me. I ran the ESET tool to scan it – not an easy tool at all to use – and it failed to identify anything seriously wrong – except that many files were inaccessible – permission denied or corrupt – it found 4 Windows viruses and deleted them. I then rebooted (without the infected Manjaro disk in place), reconnected my other drives and let the ESET tool scan them in depth – it took over 4.5 hours to do this but found 55 viruses scattered over my disks. I looked at the files and most of them had a number like 3248.exe or something and they resided in my shared download drive.
I also used the ESET tool to extract some data that I needed and copied it safely to a USB key (after scanning it twice).
While ESET was doing its thing on Monday night I decided that my router (Compal) needed to be reset to its manufacturer's settings. I connected this physically to another Linux distro – the name of which I can never recall – it seems that the netbook that it runs on can handle it as it is a really old device – still 64-bit but running a dual-core Atom processor. Connecting to my router was however problematic. I was not able to reset it following the manufacturer's advice. And even after it was reset it still accepted my old password – which led me to believe the instructions I was given are either incorrect or something else – I knew I was tired and agitated already – so I reset it online and gave it a new password and then had no luck for ages trying to disable its wi-fi connectivity. (Another thing I found too late was that I had left a USB wi-fi dongle – a tiny thing – stuck in the back of my desktop, buried under some cables, which would explain why the ESET tool said updates were available and flashed up at some point to connect to the internet – but I ignored that and so I believe I was not connected. The router was not physically connected earlier but may still have had wi-fi access.) Eventually I turned off the router around 3.30am and went to bed.
During the course of the day my phone (Huawei) also updated; it usually updates with Android patches every month or every second month – I let it install even though I was hesitant at first, as I knew I had a KDE app on my phone that I once played with to communicate with my desktop. Needless to say, I uninstalled the KDE app.
I had used my phone throughout the day – mostly the authenticator app from Microsoft, as I need this to verify myself when logging into Skype or sometimes MS Teams. I logged into my Microsoft account and disconnected/deleted all my virtual machines that I knew or believed might have been accessible from my Manjaro installation – all the essential work was on OneDrive or backed up in my other cloud storage accounts. A lot of my work is also on a physically separate device. With the authenticator app I can review activity related to my Microsoft account, and it seems that the account is constantly being logged into unsuccessfully every few hours from around the world. I don't think changing my account would make any difference and have accepted that as the norm today: no matter what account you have, hackers will keep trying to get to you – so 2FA (with some other methods) is the best way to protect yourself. (Even logging into this forum I use 2FA – now how do I do that with my Linux login – that I want to know!)
Tuesday morning I woke up at 7am and started the router – reset it, as this time it wanted the initial PIN password. Again set up some complex passwords (written down in a little black book), not stored anywhere digitally.
Had to use MS Teams through Android for my morning classes. Later I managed to install Manjaro KDE again and set up a completely new username and complex password. Managed to get some normal work done. Installed the MS Teams snap – it wasn't that way before. Have tweaked the interface to my liking, but still have doubts about this setup – like, is it normal to have ~ after my username? As that's how it appears in the terminal at the moment. The other drives are not connected at the moment, nor will they be for quite some time. Besides, I need to save up some cash to buy some new drives. Last night I finally got some sleep – but I have a day ahead of me to fix my Windows 10 installation. And I might also shred my current drive and try out another flavour of Manjaro – KDE has been fun and is so pleasant to just look at! I might just stick with it for a while.
I'm not a Windows fan but I need it for 10% of my classes where MS Teams allows me to share audio without issue.
I really wish I could share more here – and I hope others will read this and spot my mistakes – all I can say is don't download anything you don't entirely trust unless you are in a virtual environment that has no shared access to your current setup. Doing so, absentmindedly, might lead you down the same rabbit hole I have only just crawled out of.
I still have questions concerning my current installation – but will scour the internet and forums here to resolve them if I can.