
Sophos Anti-Virus for Mac: Mal/EncPk-FX --- having trouble cleaning manually

I recently downloaded Sophos Anti-Virus for Mac. After a few missteps, I discovered some great help in this forum on how to create a custom scan to remove a threat. (You can find it here at 01-02-2011 12:25 AM by the way.) Using that help, I quickly managed to delete 8 of 9 threats.

However, I have one threat that I'm having trouble finding, let alone deleting. It's the Mal/EncPk-FX. In the threat details box, the path and file name lists 18 separate Time Machine backups as well as the "Original Locations," which included one location on my hard drive and one Time Machine backup on the same external drive as the other Time Machine backups just mentioned.

I have run custom scans on the "Original Locations" and on the last of the 18 backups listed (or at least I think they are the ones listed). That leaves 17 more to go. I have yet to detect and remove the Malware just mentioned.

One final bit of information: I have a Windows virtual machine on my Mac, using Fusion. Because Sophos' information on Mal/EncPk-FX indicates that two of its aliases refer to Win32, I ran AVG on my virtual Windows machine and found nothing.

So with all of that, can anyone help me figure out how to clean up this virus/Malware manually? I'm having no luck at all.

Thanks,

gtaggart

:1002289


  • If you know the path to the file (you can find it in the scan logs if you don't already know it), go into Time Machine, navigate to the file, right/control click it and remove all instances of the file.  This should clean up most of your detections.

    As for this specific detection, due to the complex nature of how the detection rule works (it's partially looking for code designed to hide from AntiVirus software), it is not too surprising that AVG misses it.  Try sending a sample to VirusTotal to see what other AV products detect.

    :1002309
  • Thanks, but that's not working for me. 

    Here's the path from "Threat Details" in Sophos:   /Volumes/BackUp/Backups.backupdb/…/Users/myusername/Downloads/Inst_295.exe

    When I follow the thread in an attempt to find Inst_295.exe , there is no such file. In other words, Sophos says it's there and that there is some Malware located there, but I can't find it.

    Any suggestions? Am I missing something? 

    I'll give the AVG suggestion a try and report back, but if you or anyone else has a suggestion as to how to find this file, I'm all ears.

    :1002317
  • In the Finder, navigate to /Users/yourusername/Downloads/

    Then, enter Time Machine, and start scrolling back through your backups until the file shows up.  Once you find a copy, select it and delete all backups.

    If there are no instances of that file in the backup of your Downloads folder (for ANY backup date), then your Time Machine backupdb is possibly corrupted.  I'd suggest starting a new backup archive for your current backups in this case.

    :1002319
  • Thanks. I'll try that.

    To be clear, the threat - Mal/EncPk-FX - is supposed to be in the thread I posted, a thread that ends with /Downloads/Inst_295.exe.  However, I can't even find /Inst_295.exe.  Let's see if what you suggest works.

    Thanks again.

    :1002321