
How do I remove a PWS-Zbot from my Mac?

I ran MacHomeAV yesterday and it found four items, three of which it removed. The one it didn't is a "PWS-Zbot!zip" Trojan that is located in what appears to be a gmail mail file stored on my Macbook. There didn't seem to be a way for the Sophos software to disable and remove it (or I couldn't figure it out). I was able to find the file and moved it to the Trash, but haven't deleted it because a couple of other bulletin boards suggested that this kind of malware may have pieces that are located elsewhere on my hard drive, and if I delete the mail file I may not eliminate the problem. My question is whether I can simply empty the trash, or is there a way to have the Sophos software take care of this? At the moment, there is a VirusScan window open on the Mac showing the result of the last scan (with the PWS-Zbot displayed). This window won't let me do anything else on the computer. However, I'm reluctant to close it, in case there's a way to get the Sophos software to operate from there. If I close it, the Sophos software no longer shows the PWS-Zbot file, and I have to run a scan again, which takes about two hours. Any help would be greatly appreciated.



This thread was automatically locked due to age.
  • The label 'PWS-Zbot' doesn't seem to be a complete name for a detection.  For example Sophos tend to have the type of threat forward slash family name dash strain.  For example:

    Troj/PWSZbot-G

     ...which is a Trojan ('Troj/').  After the name the '-G' is the seventh strain detected (working A-Z and thereafter AA, AB, and so on).

    Sounds like this is a Windows Trojan and hence can't infect your Mac.  I'm not sure what other forums suggest, but if they are talking about the malware actually being allowed to run on a Windows computer then there could be other parts of the malware dotted around the computer - it runs and will drop other files around the system.  As we're talking about a Mac and OS X the detection is presumably just for the initial payload file - it hasn't run and there are no other dropped files.

    Short answer: delete it.  It's safe in the Trash if you prefer to leave it there for a bit - maybe reboot and check your mail opens OK etc. just to be safe.

  • Thanks very much for the feedback. I believe I deleted the original file that Sophos would/could not deal with. When I run a virus scan now the software typically finds and deletes up to three threats that are described by messages like "/private/tmp/78681dc2.$$$ detected and deleted." Should I be worried about these? Should I erase my drive and reinstall everything from a Time Machine backup, or will that just recopy whatever the problematic files are?
