Google search asking for captchas

Couple of weeks ago Google started giving me that “we’ve detected suspicios activity” message whenever I tried to search for anything. Had to do the captcha or whatever to get past it. Didn’t matter which of my machines I was using. Finally I ran Norton on all of the Windows boxes and some form of Clam on the Linux boxes.

KlamAV could not quarrantine. Most likely because I ran it as a mere mortal. I deleted the files from the command line and rebooted.

Google has not been complaining now.

1 Like

There are many possible reasons why the Google search asks for CAPTCHAs.
E.g. your IP is dynamic, or you are behind CGNAT, or you are using IPv6, or VPN, or Tor, etc.
It’s very unlikely related to malware, especially since you are running Linux.

Looks like false positives.

That’s a bad idea, verify the RPM database integrity:

sudo rpm -V -a | sort -t / -k 2

Those files are provided by linux-firmware package:

$ sudo dnf provides /usr/lib/firmware/vxge/X3fw.ncf
Last metadata expiration check: 2:10:43 ago on Fri 26 Feb 2021 06:31:31 PM +03.
linux-firmware-20210208-117.fc33.noarch : Firmware files used by the Linux kernel
Repo        : updates
Matched from:
Filename    : /usr/lib/firmware/vxge/X3fw.ncf

$ sudo dnf provides /usr/lib/firmware/vxge/X3fw-pxe.ncf
Last metadata expiration check: 2:11:36 ago on Fri 26 Feb 2021 06:31:31 PM +03.
linux-firmware-20210208-117.fc33.noarch : Firmware files used by the Linux kernel
Repo        : updates
Matched from:
Filename    : /usr/lib/firmware/vxge/X3fw-pxe.ncf

I don’t think they are viruses; but to be sure, here is the checksums of them on my system if you want to compare them with yours:

$ sha256sum /usr/lib/firmware/vxge/*
9018db660d4df4be1a2dd89f0de41eeb0e0891aeca0a5cfaf3f2a86c8f7d139d  /usr/lib/firmware/vxge/X3fw.ncf
31d335b83af4a51b415a86c8a77515543fab085e3bdd4343882ac9f41cdf5694  /usr/lib/firmware/vxge/X3fw-pxe.ncf

I agree with @vgaetera, it can be coincidence and false-positive.



I deleted the files so nothing to compare to.

Linux is not immune to viruses. It is less prone this is true. I just wanted to give a heads up. Most recently there has been a virus infecting Mozilla Firefox users who use one of the add blocker plug-ins. It is supposedly some kind of crypto currency miner virus. I think this is the plug-in most prone

Don’t remember. I removed Firefox from all my machines after finding it.

Mostly just posted this for a heads up.

The Google message specifically stated one or more infected machines. Had been coming up for weeks. I deleted those files and rebooted that machine. Hasn’t come up once since.

6 viruses/problems found
Name of Problem Found: Heuristics.Encrypted.Zip

So, it seems that ClamAV found this file and detected it as an encrypted zip file. Since the zip file is protected by a password, ClamAV can’t open it in order to scan the content.

However I don’t know how these Linux firmware files works. Btw these firmware files are the notorious Linux binary blobs, that are closed sources drivers included in the Linux kernel. And they are mandatory to run some hardware despite the fact that they are not open source. (There is still a long ongoing debate about that in the FLOSS communities).


You are claiming that a potentially dangerous action such as removing system files can solve some issues which are most likely coincidental and unrelated.
At the same time, you are ignoring the advice to check the integrity of the RPM database and checksums.
That sounds like trolling.


You are right that browser extensions could contain malwares (that are pretty different from viruses btw) and it is up to the user to verify the author’s trust and extension’s reliability. However I’m not aware of any recent Firefox extensions issue.
Some time ago, I read articles about a fake AdBlock Plus extension that was in the Google Chrome store.


Not trolling dude.

I had deleted the files and verified the problem went away before posting. I came here to post a heads up, not get advice.

Not coincidental problem since Google got to the point of each and every time I needed to search giving me that message and making me do a Captcha. I put up with this ever increasing problem for a couple of weeks until it got that bad. I have now went more than a day without ever being prompted. When I’m writing I have to do a lot of research.

There was nothing dangerous about deleting those files. That machine just runs BOINC. I rotate Linux distros on the BOINC rack machines rather often.

Every Linux user needs to be installing and running ClamAV.

This way of solving problems without concrete evidence is generally harmful.
You should at least verify that the result is reproducible and not just a coincidence.
Otherwise this thread can be considered misleading, misinformation, harmful advice, etc.
I have the same files but I have no issues, so it looks like your method is invalid.


Have you run Clam?
Did it flag them with the exact same message?

If you did not do that up front and verify the exact same output, then your assessment is completely invalid.

Everyone running Fedora had the same files when they finished the installation. Viruses tend to infect system files. Not everyone will get the same virus. The only way for that to happen is for the virus to come directly from the distro.

For your statement to be valid you would need to

  1. run ClamAv

  2. Have it flag those files in the exact same way

  3. Be connecting to in America.

The last statement has to do with different laws in different countries restricting what Google can/cannot do. If you are connecting from a location where GDPR is enforced they probably can’t even monitor a system like they do in America. I’m not a lawyer so that is just a guess.

You aren’t immune from a virus just because you are running Linux. ClamAV exists for a reason. Every person should be running it.

A good summary of this thread, and the answer to the title question.


Wait. As I said before, I think that it is pretty normal that an antivirus report a problem on any kind of password protected/encrypted tar/zip archive, since it can’t inspect its content.

Look here:

$ clamscan -h 
    --alert-encrypted[=yes/no(*)]        Alert on encrypted archives and documents
    --alert-encrypted-archive[=yes/no(*)] Alert on encrypted archives

Please note the asterisk: by default clamscan doesn’t raise an alert if it find an encrypted/password protected file.

So, if I run clamscan on the files worrying you, without any option (default don’t mind about encrypted files):

$ clamscan /usr/lib/firmware/vxge/
/usr/lib/firmware/vxge/X3fw-pxe.ncf: OK
/usr/lib/firmware/vxge/X3fw.ncf: OK

If I enable the mentioned options:

$ clamscan --alert-encrypted-archive  /usr/lib/firmware/vxge/
/usr/lib/firmware/vxge/X3fw-pxe.ncf: Heuristics.Encrypted.Zip FOUND
/usr/lib/firmware/vxge/X3fw.ncf: Heuristics.Encrypted.Zip FOUND

So they don’t contain a virus! They are simply files that the antivirus can’t inspect.

If you still have doubts, try to create a password protected zip file, i.e.

$ zip -e somefile

Where somefile is a picture, a document, whatever file you want.
Then try to scan this zip file with KlamAV.


Most recently there has been a virus infecting Mozilla Firefox users … I removed Firefox from all my machines after finding it.

I presume you switched to Chromium or Google Chrome, and are probably logged on your Google account in Chrome. This is the real reason you don’t get captchas anymore. When you were using Firefox with Adblock, you had poor tracking and very good ad blocking. Google’s business model is tracking (aka spyware) and ads. Chrome offers protection only from tracking by other companies and only allows very poor adblocking in its addon store.

See for example Google's Captcha in Firefox vs. in Chrome | Hacker News

BTW the “we’ve detected suspicious activity” is just the standard text, it doesn’t really mean anything, and unless your computer is literally being used to try to interfere with Google (Really unlikely), there’s zero way for Google to find out if you have a virus on your computer. You can trigger it by going to Google Search and doing F5 enough times in a row.


@alciregi explained Heuristics.Encrypted.Zip well. Beside that ClamTK can check files on, you can do it manually too (and force a rescan if the file has already been checked). To feel safer, compare checksums with upstream files (maybe you can still do it if you find them in clamav's logs), if they match, it’s most probably not an attack on you :wink:
vxge - kernel/git/firmware/linux-firmware.git - Repository of firmware blobs for use with the Linux kernel BTW this is a firmware for the Exar X3100 10Gbps adapters, you probably don’t need it, but it’ll appear again after next linux-firmware update.

Regarding Adblock Plus, it’s been known for some unwanted actions (force-whitelisting those who pay them IIRC), use uBlock Origin instead.
That leads us to Google CAPTCHA issue, if your adblocker axes Google’s scripts and browser removes cookies, you may be blocked more often for so called ‘detected suspicious activity’.

But that’s not all, Google isn’t neutral, like Facebook and the rest of too big players, they’re more likely to block what’s not in line with their corporate culture/ideology. I verified it multiple times with fresh systems on new computers with fresh IPs (dynamic IP, not through VPN): if I open a few facebook profiles of currently elected non-mainstream politicians or popular groups that are not in line with FB (just to be clear, there’s no unlawful content), I can no longer browse FB pages without logging in. Some direct links to posts work, but sooner or later scrolling or watching video gets me redirected to login page. I can’t even access ‘neutral’ content without a fresh IP (with cookies clean-up or different browser). No such issues it I test with dumb stuff, funny cat videos, etc. :wink:

Orwell made mistake about the year.


That would be a false presumption. I installed Epiphany, Falkon, and Opera. Opera does use Google libraries, but I don’t use it that much.

unless your computer is literally being used to try to interfere with Google (Really unlikely), there’s zero way for Google to find out if you have a virus on your computer.

Not every virus, no. A boot sector virus intent on destroying your machine they cannot find. Viruses that are mostly bots being used to probe various Google properties (veeeeeerrrrryyyy likely) and those engaged in certain other online activities they (and cloudflare and many others) can isolate/track/identify can be.


I don’t remember the names of the tools but there are some common tools used to trace back participants in DDoS attacks, etc. It’s how they were able to identify one huge DDoS attack a few years ago was almost all IoT devices.

Falkon is a Qt based browser. Epiphany uses Mozilla libraries.

Oh, forgot to mention.

I log into Google about 3 times per year. When I have to go look at that GMail account because I used it as the registration email address for something. Some years never. Other than that, I don’t log into Google. I used to have to log into it quite a bit to use UseNet groups but I haven’t been posting much.

One last Oh. Sorry for multiple responses, but I keep getting interrupted.

The Mozilla Firefox uninstall was quite a while back. Had nothing to do with this virus issue.

Big Brother is watching you!

Recently i got a message from Google that i should check my saved passwords. When i logged in they showed me which online account i should check, because passwords where hacked.

As i saw the account i had to smile, then it was an Demo-users account from an CMS who everyone could use (stupid who works with a demo user and pw).

Beside smiling it made me also thinking of my privacy. I use generally Firefox but I’m logged in with google. So, I might have to change my attitudes.

BTW “we’ve detected suspicious activity” might be also marketing. They want you to sell their Products beside gathering your data and earn a lot with it making advertisement tailored for you.

So i guess, the conclusion we can make is, that “A Fedora 33 virus” was a bit exaggerated and we can change the topic to something like “Detected suspicious activity in /usr/lib/firmware/vxge/X3fw.ncf”.

What means that Firmware update, where is closed source and was file was the reason for the alarm, and not really Fedora 33 who opts for Opensource Software.

Been two full days. No suspicious activity captcha screen. I’ve had to look a lot of stuff up today and yesterday.

I changed the topic that it is visible what the problem is. I did let your “fedora 33 virus” on it that people can find it … also with google search :wink:.

Blocked captcha screen causes hick-up with google-search, not a fedora 33 virus!

This is your personal opinion and i do respect it. I was long a Windows user and i saw how a default installation of windows was in the last 15 years (til windows7 i used it). Every default installation had the admin user as default and it was even possible to set no PW.

This is really a optimal environment for Malaware Viruses and other malicious staff who writes to system files.

In the other hand in a Linux environment it is usual that you get a closed system and that you have to open it up when you need it. For example per default you cant login in a desktop environment with root if you not change the config.

So this “give root alias admin rights” for everyone that things work, is a invention of MSW and not really from Linux/Unix.

About Computer-Viruses people need in first case to change their attitudes and just after that if it is still necessary install ClamAV on their WorkStations.

Are you using google’s DNS?
If you feel threatened, on router (e.g. OpenWRT, RouterOS) capture DNS queries and IPs that your computer connects to and check it with some known blacklist.