New to Sophos - what is actually running?

Hi,

I need to install AV software on to a Mac running Snow Leopard that is used for audio recording with Pro Tools.  How do I configure Sophos so that it is not constantly running (using up CPU), as PT needs as much CPU as possible?  I only need to manually scan external drives when they are connected, so the system itself does not need constant monitoring.  I read on one forum post here that Sophos is constantly checking the system and its folders - is there a way to turn all of this off?

Thanks!

  • Hello iwisa,

    on-access scanning can be turned off if necessary by opening Preferences -> On-access scanning.

    Christian
  • Thanks Christian,

    If on access is turned off, does that mean that there are no processing resources being consumed or files being checked until I manually scan a drive?

    Cheers.
  • The processes are still running and use a certain amount of (virtual) memory. CPU consumption should be near zero though. You might want to disable automatic updates too so that they don't occur at a "bad" time.

    Christian
  • Great, thanks for the info Christian!
  • Sophos detected 1 threat (troj PDFj's - WM). The prescribed action was clean up, which I started, but the action just continues and won't stop or complete. How can I force quit the clean up?   I apologize for asking this question as part of a reply, but I cannot find the message board with the message button to send my own message. I have read the help section on posting messages but it isn't helpful enough. Thanks
  • How long has the cleanup been going for?  Sometimes cleanup can take a long time -- especially on PDFs, where it can dig way down into the PDF before deciding what sort of cleaning action to take (fix the PDF by removing the malicious bit, or just delete it).  If it's been going for a few hours, there's probably something wrong -- possibly that the PDF was deleted somehow during cleanup.  If it is truly stuck, the only thing I've done in the past to fix it is temporarily disable on-access scanning and reboot the computer.  Then just throw the PDF in the trash when your computer is back up and running.  There are likely more elegant methods someone more familiar with the QM system could suggest, but this way should work.

    Don't forget to turn on-access back on afterward.

    Regarding the board: click the "new message" button while in http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/bd-p/FTT_MAC_MAGNET to start a new thread.
  • Thanks Andrew: I did as you said, and when the computer came back on the threat message was highlighted in the QM. I clicked on the clean up button and in 3 seconds the threat was removed.
  • Hi Andrew,

    I have the same issue as RayB, though I have no clue where or what the threat is; but I think it's not a PDF...

    QM gave me the name of the threat being: OSX/Flshplyr-D

    The cleanup has now been running for 4 hours... prob not normal, right?

    Your advice or assistance would be much appreciated.

    As well as anyone else's who reads this post.

    thx
  • OSX/Flshplyr-D is the new FlashBack variant -- it injects itself into Firefox and Safari, and steals private data you send through those web browsers, as well as containing the ability to download and install other malware.  If you are infected and the cleanup is not finishing in a timely manner, you will have to remove the malware manually, using Terminal.app.  Note that in most cases, SAV should be able to perform these steps safely by itself. 

    If detection occurs when you've already had SAV installed and on-access scanning enabled, and you have difficulties uninstalling, try rebooting your computer, logging in as an administrator (if you only have one account, you're already doing this), and attempt to clean up again.

    PLEASE DO NOT FOLLOW THE NEXT STEPS UNLESS SAV CLEANUP HAS FAILED AND YOU ARE COMFORTABLE USING THE TERMINAL

    Sophos is not responsible for anything you may do to the stability of your Mac while attempting the following.  This is for informational purposes only.  If you don't understand what the instructions say when reading them now, don't follow them at all, and leave it to someone else who fully understands to perform the cleanup.

    Open /Applications/Utilities/Terminal.app and paste in the following command:

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    If you get the message "The domain/default pair of (<path>, DYLD_INSERT_LIBRARIES) does not exist" then there's no malware there, go on to the next step.

    If you get one or more actual paths listed, copy those to somewhere, we'll need them in a moment.

    Next, enter the following command:

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    If you get a similar "does not exist" message, you likely aren't infected, and can just throw the file in the trash that the QM has detected (after temporarily disabling SAV on-access scans to unlock the file).

    If you get one or more actual paths listed (every one that doesn't say "does not exist"), copy them to the same place you copied the lines above (if you did).

    Next, if you've got Firefox installed, enter:

    defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

    Do the same thing you did above for Safari.app.

    Next we'll drill down to the actual malware and remove it.  To do this, you'll need to be logged in with an Administrator account.  If you didn't set up limited user accounts on your Mac, you are likely already using an administrator account.  If you're using a limited user account, type

    "su <administrator account username>" without quotes, where the bracketed bit is your actual short version of your username (no spaces).

    Enter your password, and you're ready for the next step:

    For each path you saved from the above commands, run the following command from the terminal, with <path> being the actual path (e.g. '/Applications/Automator.app/Contents/Resources/mdworker'):

    grep -a -o '__ldpath__[ -~]*' <path>

    Type 'sudo rm ' (note the space) on the command line, and then copy/paste the file path from the previous command.  Press return, and enter your administrator password.

    Repeat the previous "grep" and "sudo rm" commands for each file path you found.

    Copy/paste the following command (just in case you've installed an older variant of Flashback):

    sudo rm ~/../Shared/.*.so

    Next, enter the following commands:

    sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment

    sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

    If you have Firefox installed, also do the following commands:
    sudo defaults delete /Applications/Firefox.app/Contents/Info LSEnvironment

    sudo chmod 644 /Applications/Firefox.app/Contents/Info.plist

    Next, if you needed to log into your administrator account above, type 'exit' to log back out, and press return.  Do not do this if you were already logged into your administrator account.

    Type the following commands:

    defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    launchctl unsetenv DYLD_INSERT_LIBRARIES

    Next, copy/paste:

    cd ~/Library/LaunchAgents/; ls|grep 'com.*.plist$'|sed 's/plist/update/'

    A single file name should appear, ending with ".update". 

    Enter the following command, with <file> being the name of the file:

    defaults read ~/Library/LaunchAgents/<file> ProgramArguments

    As above, copy the file path it returns, and then type:

    rm <file path>

    If you get an error, use "sudo rm" instead of "rm".  You will have to log back into your administrator account first, if you needed to above.  If logging back in, use 'exit' to get back to the limited account you were previously in.

    Next, type:

    ls|grep 'com.*.plist$'

    then type:

    rm <file>

    where <file> is the name of the file that was displayed.

    Congratulations!  All traces of the Flashback malware should now be removed from your system.

    REMINDER: the default cleanup SAV provides should do this for you in most circumstances.  This is to be done ONLY if for some reason the default cleanup is failing.
  • Good morning,

    I got a warning message about a threat, OSX/Flshplyr-E, in a file name and original location that I can't find when I try to search for it.

    The "Action Available" is to clean up manually, but I have no idea how to do it.

    Can somebody guide me, please?

    Thanks a lot in advance
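Andrew's manual cleanup above, which the last post is also asking about, boils down to checking two persistence points (a DYLD_INSERT_LIBRARIES entry in ~/.MacOSX/environment.plist and an LSEnvironment entry in a browser's Info.plist) and pulling the injected library's path out of the dropped file with `grep -a -o '__ldpath__[ -~]*'`. The POSIX shell script below is an added example, not code from the thread or from Sophos: it reproduces those checks offline against constructed sample files, grepping XML plists directly instead of calling the macOS-only `defaults` tool, and only reports what it finds so the paths can be reviewed before any `rm` step is taken. All file names and paths in it are constructed.

```shell
#!/bin/sh
# Added example (not from the Sophos thread). Offline versions of the two
# indicator checks and the __ldpath__ extraction described in the manual
# Flashback cleanup post. Sample inputs are constructed below; no real
# malware or real system files are touched.

# Return 0 if an XML plist contains a DYLD_INSERT_LIBRARIES key, else 1.
# (Equivalent to the post's `defaults read ... DYLD_INSERT_LIBRARIES`
# / `LSEnvironment` checks, which print "does not exist" when absent.)
plist_has_dyld_insert() {
    grep -q '<key>DYLD_INSERT_LIBRARIES</key>' "$1"
}

# Print each library path stored under DYLD_INSERT_LIBRARIES, one per line
# (the value may hold several paths separated by colons).
plist_dyld_paths() {
    awk '/<key>DYLD_INSERT_LIBRARIES<\/key>/ { want = 1; next }
         want && /<string>/ {
             sub(/.*<string>/, ""); sub(/<\/string>.*/, "")
             n = split($0, p, ":")
             for (i = 1; i <= n; i++) print p[i]
             want = 0
         }' "$1"
}

# Same grep the post runs against each saved path, with the marker stripped
# so only the library path remains. LC_ALL=C keeps the [ -~] range byte-based.
extract_ldpath() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" | sed 's/^__ldpath__//'
}

# Run the plist check over any number of files. Prints findings and
# returns 1 if any file carries the indicator, 0 if all are clean.
audit_plists() {
    found=0
    for f in "$@"; do
        if plist_has_dyld_insert "$f"; then
            echo "INDICATOR: $f sets DYLD_INSERT_LIBRARIES to:"
            plist_dyld_paths "$f" | sed 's/^/    /'
            found=1
        else
            echo "clean: $f"
        fi
    done
    return $found
}

# --- constructed samples (not real files from any system) ---
SAMPLES=$(mktemp -d)

# An environment.plist the way an infected account would carry it.
cat > "$SAMPLES/environment.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.constructed_sample.so</string>
</dict>
</plist>
EOF

# A browser Info.plist with no LSEnvironment / DYLD_INSERT_LIBRARIES entry.
cat > "$SAMPLES/clean-Info.plist" <<'EOF'
<plist version="1.0"><dict><key>CFBundleName</key><string>Safari</string></dict></plist>
EOF

# A stand-in for the dropped binary: NUL bytes around the __ldpath__ marker,
# which is why the post's grep needs -a.
printf 'junk\0__ldpath__/Users/Shared/.constructed_sample.so\0more' > "$SAMPLES/dropper.bin"

# Demo run: report, never remove.
audit_plists "$SAMPLES/environment.plist" "$SAMPLES/clean-Info.plist" \
    || echo "Review the paths above before removing anything."
echo "dropper.bin __ldpath__: $(extract_ldpath "$SAMPLES/dropper.bin")"
```

On a real Mac the same functions can be pointed at ~/.MacOSX/environment.plist and /Applications/Safari.app/Contents/Info.plist (binary plists must be converted with `plutil -convert xml1` first); the script deliberately stops at reporting so that the `sudo rm` and `defaults delete` steps in the post remain a separate, reviewed decision.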