Simple Guy

join:2012-05-16

[Snow] Removing malware Troj/Java-FR in OS X

I need to manually remove a Trojan from my system. It was detected by my AV software, "Sophos Anti-Virus version 7.3.11C".

The Trojan that is currently in quarantine is "Troj/Java-FR", which is an MS or Windows Trojan.

The automatic removal option failed and the application informs me I must "manually" remove the critter.

I find the directions to do that incomprehensible, and either I'm not doing it right or for some other reason it won't remove the threat.

I checked the DSLR Security forum sub-forum for removing threats and found its directions for getting help incomprehensible; plus, all of the instructions I understand seem to apply to Windows.

Finally, although I would like to remove the "threat", it is identified as an MS or Windows threat, plus it is now in quarantine, so should I even care? (The Sophos AV program scans for both OS X and Windows threats.)

Any specific clear and simple instructional or educational help would be appreciated.

Thank you.



tmpchaos
Requiescat in pace
Co-Lead Mod
join:2000-04-28
Hoboken, NJ

Do you have the url where you got the instructions?


Simple Guy

join:2012-05-16

Here is the site:

»openforum.sophos.com/t5/Mac-tool···d-p/1779

The above site is one choice from this Google search results page which offers other choices:

»www.google.com/search?q=How+do+r···irefox-a

My problem is I have poor vision and am not the brightest bulb when it comes to following written directions.

I think I got as far as doing everything it told me to do, but I can't seem to find the location of the Trojan to run the special scan to manually remove it.

I've sure seen easier directions for an AV to clean, easier by a country mile.

Not to be redundant, but since the bug is an MS OS bug with Java, and it is on my Mac and in the Sophos quarantine, should I even bother with it?



lordpuffer
RIP lil
Premium
join:2004-09-19
Rio Rancho, NM
kudos:2

Since it is in Quarantine, have you tried to just open the "Quarantine Manager," and highlight the nasty and then click on "Clean Up Threat"?
--
"Panama Red Is Back In Town" - The New Riders of the Purple Sage


drhoward_t

join:2012-05-08
Saint Louis, MO
reply to Simple Guy

said by Simple Guy:

Not to be redundant, but since the bug is an MS OS bug with Java, and it is on my Mac and in the Sophos quarantine, should I even bother with it?

You are correct, almost all trojans/viruses are Windows-based and cannot run on Unix. (Mac OS X is Unix.) So it can't hurt you, but it's good to get rid of it at your leisure.

Simple Guy

join:2012-05-16
reply to lordpuffer

Yes, and it tries and is unable to do so and then gives the SOP that I must manually remove the threat and here I am in the OP!



norwegian
Premium
join:2005-02-15
Outback

First, understand that most, not all, but a big majority of Java exploits are cleaned up by deleting all temp files in their directories. There would have to be some form of cleaning tool you could source for free for this purpose, or a more experienced Linux user may list the simple cleanup points.

According to the link, though, you have to look at which component scanned the file and its particular needs for cleaning; it may have done the job already but the detection just needs removing from the Sophos A/V list. I'm gathering it was an active detection on visiting a site? Not a file scan done once a month?

This then becomes relevant:

quote:
- If you found the item through On-access scanning, choose 'Preferences' from the Sophos Anti-Virus menu. In the Logging pane, select 'View Log'.

Does it still show?

Also this is relevant:

quote:
• Open the Quarantine Manager.
• Click the Action Available column heading to sort the list of threats according to the action available.
• Select all the threats for which the action available is Clean up.
• Click Clean Up Threat.

Check 1 step at a time and see if anything is alerting.
If not, then this point seems very important:

quote:
Note:
• You must authenticate by clicking the lock icon at the bottom of the Quarantine Manager window.
• Any threats that are cleaned up are cleared from the list.


After these few steps, does any alert still show?
If so, where is the action alerting from, can you post an image of the detection screen?

Understand, if none of this works, please visit the security cleanup forum and discuss your needs, rather than back off before you let them talk to you about cleaning properly.

--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



buckingham
Buckingham Pa
Premium
join:2005-07-17
Buckingham, PA
reply to Simple Guy

I find when I get this warning, it's most often something attached to an email message in the Junk folder, and it could even have been relocated onto a Time Machine volume, depending on timing. If the former, deleting the Junk email fixes it. If the latter, I just remove it from the list since it would be difficult to actually locate it in the Time Machine volume.



tmpchaos
Requiescat in pace
Co-Lead Mod
join:2000-04-28
Hoboken, NJ
reply to Simple Guy

The quarantine manager should show you the path to the suspect file. You will want to post a screenshot of that, so that we can tell you where to do a custom scan via the main Sophos scan window.
--
***ATMFAQ***DIFAQ***Kitchen Sink***


Simple Guy

join:2012-05-16
reply to Simple Guy

Thanks for the input, but we are kind of spinning our wheels because of my incompetence, visual problems, and lack of in-depth Mac understanding having switched from Windows, plus some of the posters are not reading all the appropriate posts and are asking questions already answered or instructing me to do things I've already done. Not a complaint, just an FYI. I am guilty of doing the same thing at times. (Blushes.)

1. The threat was discovered by a scan that I ran.

2. The choice of clean up threat was used, and Sophos tried but said that the threat could not be cleaned up and I had to MANUALLY remove it. There the problem starts. I just can't seem to follow or understand the directions to successfully set up and run the special manual scan.

3. I have been to the Security clean up forum but found its directions and "instructions" muddled and confusing, not to mention very unfriendly, but it also seemed by its language to be geared to Windows. Hence my post here.

Here is what the screen shot would say if I could print one:

Threat: Troj/Java-FR
Date: May 27, 2012 2:30 AM

Path and Filename: /volumes/untitled/Users/John/AppData/Local…eployment/cache/6.0/33/7522c961-4b3891e7

Action Available: Cleanup of the threat not successful. You must clean up manually.

I've used Windows for over 15 years and switched to Mac recently. I think Windows 7 is great and I still have a nice PC. But I do really prefer the Mac. But I'm just not familiar with the more intricate parts of it; I have no instruction books or booklets, so I just wing it.

I will say that even though Sophos is free AND has a great reputation, I've never encountered an AV or anti-malware program that was so complicated to clean something. Maybe it's just the combo of Sophos and the Mac.


tmpchaos
Requiescat in pace
Co-Lead Mod
join:2000-04-28
Hoboken, NJ

What they say they want you to do next is to create and run a custom scan of only the location where the threat exists. To do this, open the main Sophos window and click the + in the bottom left.

That opens the scan window.

Clicking the + at the lower left of this box will open a window to navigate to the location you want to scan.
Assuming that your user is 'John', I would navigate to your user folder in the window, and if there's a folder named AppData, I would choose that. If there isn't, I would choose 'John'.
--
***ATMFAQ***DIFAQ***Kitchen Sink***

Simple Guy

join:2012-05-16

I was able to run the special scan, but all it says is no threat detected, even though it is shown that the Trojan is still in the quarantine manager.

One part that doesn't fit is it says in the directions that if the special scan asks about privileges, select scan all, but you will first be prompted for the administrator password. Nowhere does it ask for that.

However, I am the only user, so you would think by default I am the administrator.

So screw it, I've had enough. (I tried several places to scan, including user John, as there is no AppData.)

So I just uninstalled Sophos. I will reinstall and run a full scan with directions to delete any threats.

When it finishes I will either decide to live with it or get another free Mac AV/AntiMalware program. (I live on a low fixed income.)


Simple Guy

join:2012-05-16

I finally found the right location and set things up correctly. The "manual" procedure scan ran. It detected the "threat." But...the directions say that if I check my quarantine manager the threat should now be gone. It isn't.

Screw this. Damn MS Windows--they even manage to "infect" one's Mac.


Simple Guy

join:2012-05-16
reply to Simple Guy

Anyone know how I can view and delete hidden files on a Mac?

I know how on Windows but not a Mac. I am sure the file that is the infected file is a hidden file and if I can "view" it I can delete it. Right?



norwegian
Premium
join:2005-02-15
Outback
reply to Simple Guy

said by Simple Guy:

I finally found the right location and set things up correctly. The "manual" procedure scan ran. It detected the "threat." But...the directions say that if I check my quarantine manager the threat should now be gone. It isn't.

Do you understand this link:
»www.sophos.com/sophos/docs/helpf···ine.html

If you do in fact have a hard time reading it, it is quite small. Have you tried copying it to a Word document or something similar and then making the letters all bigger by modifying the font size?

Excuse us if we are going off track and seem like we are not listening, but some questions need asking and we all might have varying views; we are not looking at what you are looking at, that is, we are not at that computer.

Also, to upload an image here, use this link to see how Apple takes screenshots. Then I've added 2 screenshots to show how to start an upload of an image to this site, so we can see what exactly is happening there.

--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



lordpuffer
RIP lil
Premium
join:2004-09-19
Rio Rancho, NM
kudos:2
reply to Simple Guy

It's easy to take screenshots/windows shots/area shots with a Mac. See First Attachment.

Make sure that your preferences for "Scan Local Drives" for Sophos are set like in the Second Attachment.

Then, using the Scanner in the Third Attachment, run a FULL SCAN, by clicking on the arrow and by choosing FULL SCAN. It should ask for your Admin Password.

After that is done, let us know if it removed the Trojan, or just Quarantined it. Hopefully it will remove it.
--
"Panama Red Is Back In Town" - The New Riders of the Purple Sage

Simple Guy

join:2012-05-16

The screenshots and information posted are for the Windows version of Sophos. The interface for the Mac is entirely different. Not alike at all. Windows has all those choices; the Mac version does not. Most of the stuff shown in your screenshot doesn't even exist on the Mac version, such as the options when you right-click on the tray icon, and there are no choices for checking any hidden files anywhere through the Sophos Mac version.

I did everything correctly with the Mac scan. Everything. The special scan detected the threat. The information with the special scan said the threat should now be eliminated and that this can be confirmed by checking the quarantine manager, which would show the threat gone. But it is not gone. It is still there.

There are no options in the Mac Sophos to remove or select or deselect anything. At step one of the whole procedure you first run a full scan of all drives and it detects the threat. It shows the threat in the quarantine manager. You then tell it to clean up the threat, which is your only option at that point. It tries. It fails. It tells you it fails. It says you must manually remove it. That is your only option. It tells you how to set up and run a special scan. I successfully did that. It detects the threat and says the threat should now be eliminated from the quarantine manager. It's not.

I know where the file is. It is in a hidden file. I know the name of the file.

At this point all I need to know (please entirely forget about Sophos at this point) is how to use my Mac (Finder, I presume) to navigate to where I can search for or see hidden files. By doing that I can go to the location of the file and manually delete it.

Thank you.


Simple Guy

join:2012-05-16

reply to lordpuffer

said by lordpuffer:

It's easy to take screenshots/windows shots/area shots with a Mac. See First Attachment.

Make sure that your preferences for "Scan Local Drives" for Sophos are set like in the Second Attachment.

Then, using the Scanner in the Third Attachment, run a FULL SCAN, by clicking on the arrow and by choosing FULL SCAN. It should ask for your Admin Password.

After that is done, let us know if it removed the Trojan, or just Quarantined it. Hopefully it will remove it.

Simply to be clear, the screenshot you show of the interface does not exist for the Mac version as shown.

The screenshot one equivalent for the Mac is that you have a choice to run a full scan. Period. No other options or choices or selections.


tmpchaos
Requiescat in pace
Co-Lead Mod
join:2000-04-28
Hoboken, NJ

That's incorrect. The screenshots both I and lordpuffer posted are from the Mac version of Sophos. His middle screenshot, for instance, can be found by clicking Sophos Anti-Virus at the top of your screen, then choosing Preferences from the drop-down.
--
***ATMFAQ***DIFAQ***Kitchen Sink***



bjf123
We Want... A Shrubbery
Premium
join:2000-02-11
Hamilton, OH
reply to Simple Guy

If you want to try a different anti virus, Avast has a free mac version at »www.avast.com. Maybe give that a try?
--
Golf is a relatively simple game, played by reasonably intelligent people, stupidly.



Thinkdiff
Premium,MVM
join:2001-08-07
Bronx, NY
kudos:11
reply to Simple Guy

said by Simple Guy:

At this point all I need to know is (please entirely forget about Sophos at this point) is how to use my Mac, (finder I presume) to navigate to where I can search or see hidden files. By doing that I can go to the location of the file and manually delete it.

If you have the full path in /folder/folder/folder form, then from any Finder window, go to the "Go" menu at the top of the screen and select "Go to Folder". Put in the path (without the filename) and it'll take you to that folder even if it's hidden.

In general, Finder only hides files/folders that begin with a ".", but there are some special folders that are also hidden, such as /Users/you/Library and all of the system folders (/etc, /private, /var and so on).
--
University of Southern California - Fight On!
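As an added example (not from the thread, and not Sophos's tooling), the same hidden-path check done from Terminal instead of Finder: it lists the dot-prefixed components that make Finder hide a path, confirms the file exists and its parent directory is writable (a file on a read-only volume such as a Time Machine backup or a mounted Windows disk cannot be removed by any program, AV included), and only then deletes it. The function names and the scratch sample path are mine; the file is constructed inside a temporary directory so the script runs anywhere.

```shell
#!/bin/sh
# Added example: inspect and remove a quarantined file by the path the AV
# reports. Plain POSIX sh, so it runs on macOS and Linux alike.

# Print each path component that Finder hides by the dot convention.
# (macOS can also hide a folder with the "hidden" flag, which `ls -lO`
# shows; that check is not portable, so it is left out here.)
hidden_components() {
    printf '%s\n' "$1" | tr '/' '\n' | grep '^\.' || true
}

# Exit 0 only when the file exists and its parent directory is writable,
# i.e. a manual delete has a chance of succeeding. A read-only mount is
# the usual reason this fails, and then no "clean up" can succeed either.
can_delete() {
    f=$1
    [ -e "$f" ] || { echo "missing: $f"; return 1; }
    d=$(dirname "$f")
    [ -w "$d" ] || { echo "parent not writable: $d"; return 2; }
    return 0
}

# Delete only after the checks pass; otherwise pass can_delete's status up.
delete_quarantined() {
    can_delete "$1" || return $?
    rm -f -- "$1"
}

# Constructed sample: a cache entry under a dot-directory in a scratch
# directory, standing in for the path the quarantine manager shows.
SCRATCH=$(mktemp -d)
SAMPLE="$SCRATCH/.javacache/deployment/cache/6.0/33/constructed-entry"
mkdir -p "$(dirname "$SAMPLE")"
printf 'constructed sample\n' > "$SAMPLE"

hidden_components "$SAMPLE"
delete_quarantined "$SAMPLE" && echo "deleted: $SAMPLE"
rm -rf "$SCRATCH"
```

Run it with the real path substituted for SAMPLE; a "parent not writable" result means the volume itself, not Sophos, is what blocks the cleanup.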

Simple Guy

join:2012-05-16
reply to tmpchaos

said by tmpchaos:

That's incorrect. The screenshots both I and lordpuffer posted are from the Mac version of Sophos. His middle screenshot, for instance, can be found by clicking Sophos Anti-Virus at the top of your screen, then choosing Preferences from the drop-down.

Thank you. However, I've discovered that I have a more current or latest version and the GUI is different, but that doesn't matter. In the end the functions are the same.

I have followed the directions specifically. In the most recent scan a new additional MS OS malware was detected and it was cleaned normally. That just left the original which is the OP.

To be absolutely perfectly clear, I have followed the instructions to manually remove the Trojan, and I have correctly carried out all instructions and run the custom scan, but it does not delete the threat. There is no way to delete this threat for some reason with Sophos. Sophos AV confirms all my actions have been the correct actions in black and white terms. No gray areas.

I'm curious about how I got this, which was very recent, and then the second one was just today. Would I be correct in assuming that I am getting it via an email from a Windows computer, even if the email has no attachments of any kind?

Meanwhile I'm just going to switch to Avast, if it is a full anti-malware program vs. just a stand-alone pure AV.

Thanks for all of your help and for your patience too.

modelamac

join:2002-04-13
Waterford, MI
reply to Simple Guy

This should work without a lot of fuss, since you know the name of the file.

The app EasyFind (free) will search for that file name in your hard drive or your Home folder, or wherever you tell it to search. It will look in hidden files. It will list every file with that name and show its location. The best thing is it will allow you to select and delete it right in that same window. If it requires Admin privileges to delete, you can right-click on the file and select "Show in Finder". Do that and delete it from the Finder window, typing in your Admin password.

Get EasyFind here:

»www.macupdate.com/app/mac/11076/easyfind