Laptop strange behaviour, suspected malware

Hello, today something very strange happened. I was reading something on a website I opened in Google Chrome and minimized Chrome. After 2 minutes I came back to my laptop and a .pdf file from my desktop opened in Chrome without me clicking anything. Similar things had happened before, for example a website opens in Chrome while I’m browsing another website, without me clicking anything.
I have the following specs:

    ~ inxi -F
System:
  Host: user-80vk Kernel: 5.15.76-1-MANJARO arch: x86_64 bits: 64
    Desktop: KDE Plasma v: 5.26.2 Distro: Manjaro Linux
Machine:
  Type: Laptop System: LENOVO product: 80VK v: Lenovo ideapad 110-17IKB
    serial: <superuser required>
  Mobo: LENOVO model: Nano 7C1 v: SDK0J40700 WIN
    serial: <superuser required> UEFI: LENOVO v: 3QCN20WW date: 05/17/2017
Battery:
  ID-1: BAT0 charge: 28.3 Wh (99.0%) condition: 28.6/30.1 Wh (95.0%)
CPU:
  Info: dual core model: Intel Core i3-7100U bits: 64 type: MT MCP cache:
    L2: 512 KiB
  Speed (MHz): avg: 695 min/max: 400/2400 cores: 1: 683 2: 700 3: 700 4: 700
Graphics:
  Device-1: Intel HD Graphics 620 driver: i915 v: kernel
  Device-2: AMD Sun XT [Radeon HD 8670A/8670M/8690M / R5 M330 M430 Radeon
    520 Mobile] driver: radeon v: kernel
  Device-3: Microdia USB 2.0 Camera type: USB driver: snd-usb-audio,uvcvideo
  Device-4: Syntek EasyCamera type: USB driver: uvcvideo
  Display: x11 server: X.Org v: 21.1.4 driver: X: loaded: modesetting,radeon
    dri: iris,radeonsi gpu: i915 resolution: 1600x900~60Hz
  API: OpenGL v: 4.6 Mesa 22.2.1 renderer: Mesa Intel HD Graphics 620 (KBL
    GT2)
Audio:
  Device-1: Intel Sunrise Point-LP HD Audio driver: snd_hda_intel
  Device-2: Microdia USB 2.0 Camera type: USB driver: snd-usb-audio,uvcvideo
  Sound API: ALSA v: k5.15.76-1-MANJARO running: yes
  Sound Server-1: PulseAudio v: 16.1 running: yes
  Sound Server-2: PipeWire v: 0.3.59 running: yes
Network:
  Device-1: Realtek RTL810xE PCI Express Fast Ethernet driver: r8169
  IF: enp1s0 state: down mac: 54:e1:ad:0b:af:b6
  Device-2: Intel Dual Band Wireless-AC 3165 Plus Bluetooth driver: iwlwifi
  IF: wlp2s0 state: up mac: 7c:67:a2:58:c0:7d
  IF-ID-1: wg-mullvad state: unknown speed: N/A duplex: N/A mac: N/A
Bluetooth:
  Device-1: Intel Bluetooth wireless interface type: USB driver: btusb
  Report: rfkill ID: hci0 state: up address: see --recommends
Drives:
  Local Storage: total: 931.51 GiB used: 57.98 GiB (6.2%)
  ID-1: /dev/sda vendor: Western Digital model: WD10JPCX-24UE4T0
    size: 931.51 GiB
Partition:
  ID-1: / size: 685.33 GiB used: 57.96 GiB (8.5%) fs: ext4 dev: /dev/sda2
  ID-2: /boot/efi size: 299.4 MiB used: 27.7 MiB (9.2%) fs: vfat
    dev: /dev/sda1
Swap:
  ID-1: swap-1 type: partition size: 8.8 GiB used: 0 KiB (0.0%) dev: /dev/sda3
Sensors:
  System Temperatures: cpu: 32.0 C pch: 34.0 C mobo: N/A gpu: radeon
    temp: 27.0 C
  Fan Speeds (RPM): N/A
Info:
  Processes: 208 Uptime: 9h 25m Memory: 7.66 GiB used: 2.66 GiB (34.7%)
  Shell: Zsh inxi: 3.3.23
    ~                                                                                                                               ✔  4s  


Dumb question: do you live alone?


This may come from a website opened in one of the tabs. Some websites have a predatory ad behavior, “stealthily” changing their tab or opening new ones in the background.
It can also come from a predatory extension. You should check those.

1 Like

I do not live alone. I have the following extensions: Adblock, Browsec VPN (disabled), Google Docs Offline, NoScript (disabled), Plasma integration, WebRTC Leak Prevent, Windscribe VPN.

In order for anyone to even try to understand, it would need to be able to be … replicated

and in order to do that, or not!

you would need to be … specific about the web site and link and .pdf

as it is, it’s all but speculation - with a certain spin attached :wink:

2 Likes

Do you recognize the PDF? Did you maybe download this hours ago and it now just finished?

1 Like

Yes, I recognize the PDF. I downloaded it 1 month ago, and it has been staying on my desktop.

What @Nachlese said.

1 Like

This was the website: https://www.anwalt.de/rechtstipps/mobbing
The .pdf was a receipt for an angle grinder which I ordered online. It has been staying on my desktop for over a month now.

replication …
can you replicate?

I can’t.

1 Like

This is an isolated problem. Other users were not affected. I was at the end of the page I had been reading, then I left the laptop for 2 minutes. When I came back, I maximized Google Chrome (which I had minimized before leaving the laptop), and then the .pdf opened in a new tab randomly.

Have you tried to reproduce the issue with all your extensions disabled?


What is your default application set for opening PDF files?

1 Like

I have not tried to reproduce the issue with all my extensions disabled. The default app is Okular.

I haven’t seen such behaviour from my system, not in 27 years of using Linux.

1 Like

I’ve seen similar behaviour, when I have accidentally moved my mouse across the wrong file or icon, and sat there wondering how ‘that’ happened before realising I did it.

Something strange happened today. A search bar appeared at the top of my desktop, full of question marks in a field. It was like this: ???. Could it be something I pressed? After that I unlocked the screen by entering my password, the screen moved down and Google Chrome closed by itself.

Unfortunately none of us were watching at the time, so it’s really hard to say what you did or didn’t do.

1 Like

And since then?

1 Like

Maybe that is opening your PDF from your online account :woman_shrugging:
I find it very amusing to read about this kind of strange stuff happening on a Linux system :kissing_closed_eyes:

1 Like

I liked maycne.sonahoz and TriMoon’s comments 1 hour ago and now I opened the thread and the likes were gone. If someone has access to my WiFi network, can they gain access to Manjaro, assuming I have a strong password set?

I still see them, so the problem is likely only on your end.
I think your web browser, and/or one of the installed addons, is blocking scripts and/or AJAX queries.

1 Like