A Trojan in Firefox that I don't use?!

Hi, a few days ago I had a funny thing where I found a software I mistakenly assumed I uninstalled was back again Non Existent App Showing in Tool Bar and Running!
I discovered and from the discussion that I did not really uninstall it.
As per the discussions I installed clamav.

Today, scanning my home directory and subdirectories with clamav. surprisingly I found:

$ clamscan -ri /home/limo/ | pv
LibClamAV Warning: PNG: Unexpected early end-of-file.                                                                               ]
/home/limo/.cache/mozilla/firefox/f86s9wb2.default-release/cache2/entries/0F71D29C8CFF7B9F2D4B8899E32DFB0271519D59: BC.Legacy.Exploit.CVE_2013_0030-2 FOUND
/home/limo/.cache/mozilla/firefox/f86s9wb2.default-release/cache2/entries/82748EEEE356AD0B49B9B85BB60C77FBC6FCC82F: BC.Legacy.Exploit.CVE_2013_0030-2 FOUND

I don’t understand how is that possible!
I do not use Firefox for browsing I mainly use Chromium (unless a link somewhere opened using the “default” browser that was firefox!)
Any way, I deleted completely fire fox and the cache and even uninstalled firefox!

I wonder how can this happen!
Can these pose any risk? Where did they get the root password? I am sure I never did! Or they are just there somehow but they can’t install, run or do anything?

Could it be a false positive!

Any Ideas highly appreciated.
Would you recommend I do a fresh install?
Thank you.

1 Like

That is the cache so those are files you downloaded using firefox.

From the above, it isn’t even clear if it is a real issue or a false positive. False positives are pretty common with trojans. That being said, it could very well be real.

If it is real, that particular vulnerability only impacts:

The Vector Markup Language (VML) implementation in Microsoft Internet Explorer 6 through 10 does not properly allocate buffers, which allows remote attackers to execute arbitrary code via a crafted web site, aka “VML Memory Corruption Vulnerability.”

So unless you are using an old version of Internet Explorer you should be fine.

This has nothing to do with the root password.


Keep in mind that most of what clamav reports on are Windows signatures. Before panicking, investigate the specific thing that was found and see if it even impacts you.

Be more careful about the links you click on.


I honestly don’t have a great experience with ClamAV.
I installed it on my NAS, it was eating up bandwidth when transferring stuff, and giving me a lot of false positive for ISO’s that had their checksum checked, and from the official websites.

1 Like

Dammit, i’ve clicked the link to enlarge my :clown_face: nose!

1 Like

I do not think I did download anything. Even if it was a link somewhere that opened firefox as default I would copy the link and download in chromium. So, maybe just links that opened whatever page.

Sure not! What Internet Explorer I’m only on EndeavourOS

Nothing other than the app that appeared somehow I gues as a result of either playing with python or something else. It just disappeared after I really removed it as in the other post.

I have no problems with my laptop or system, everything is working perfectly (other than this app that I thought I uninstalled)

So, I can comfortably believe it is just a false positive as I don’t use or download anything with Firefox.

Latest scan results:

Known viruses: 8667828
Engine version: 1.0.1
Scanned directories: 49322
Scanned files: 438409
Infected files: 0
Data scanned: 39928.14 MB
Data read: 122862.06 MB (ratio 0.32:1)
Time: 7081.450 sec (118 m 1 s)
Start Date: 2023:05:31 16:30:37
End Date:   2023:05:31 18:28:38
 310 B 1:58:01 [44.8miB/s] [  <=>                                                                                                   ]
[limo@asus ~]$ 

0 infected files!

So, I guess it was a false positive!
Thank you very much guys!

I will appreciate it if you send me a link to make my nose smaller!

The evidence disagrees. Whenever you any web content things are downloaded. It isn’t only when you click the download button.

No, it could absolutely be real but if it is real or false shouldn’t really matter in this case.

1 Like

I understand if it is false (false positive) it shouldn’t matter.
But how is it shouldn’t matter if it is true! You mean that I already deleted everything and have 0 files infected?

Because according to the CVE, it only works on certain versions of Microsoft Internet Explorer. If you weren’t using that, then it doesn’t matter.

I wonder could it work in wine’s placeholder IE though :laughing:


Who! Me!? No way even if I ended up living in the stone age! How would I make my OS itself viruses, trojans and spyware and use them as my operating system! They even don’t run smoothly!

I just remembered now 2 times 2 brand new computers different years and Windoze, just out of the box I got a crash while booting them first time out of the box!

Even if I am using wine, I will use Chromium, Chrome, Firefox, but definitely not that!

There are a lot of possibilities to get a virus with not much user input, it doesn’t really matter how exactly it gets there if it’s an actual virus :wink:

Again and as usual I am learning something new. I was under impression a malware is a malware on its own!

It matters with me because I’m on Linux, I should only “read” about viruses or even have them copied to my Linux machine, but they shouldn’t work (well, to be precise I should say in “almost” 100% of the cases!)

My girlfriend is just asking me if this is available for other parts of the body.

I’m sure for the right price you can get some e-mail in your spambox :rofl:

Just to update you guys.
This is the result of:

clamscan -ri / | pv
----------- SCAN SUMMARY -----------
Known viruses: 8667828
Engine version: 1.0.1
Scanned directories: 97577
Scanned files: 791623
Infected files: 0
Total errors: 12895
Data scanned: 63990.95 MB
Data read: 147796.70 MB (ratio 0.43:1)
Time: 11585.376 sec (193 m 5 s)
Start Date: 2023:05:31 18:53:06
End Date:   2023:05:31 22:06:11
 331 B 3:13:05 [29.3miB/s] [  <=>                                                                                                   ]
[limo@asus ~]$ 
So everything is perfect as expected from Linux!



I noticed it was saying something about png files ending before expected!
Some errors were related to files being larger than it is configure to scan!

I wonder what is that, or how to fix!