This discussion has been locked.

Is a Trojan stopping Sophos running full scan?

Hi guys

I recently was presented with a whole bunch of Trojans that had been sent to my Google Mail account in iMail. Apple had quarantined some of them to the Spam folder, though not all, but Sophos identified all of the Trojans and I clicked 'clean up'. The issue kept appearing however and I am not sure whether this is because the Trojan is self-replicating or because there were a lot of them.

I decided to run a full scan but something keeps holding that up: checking my log there are several messages of this type:

  • com.sophos.intercheck: Issue: Could not scan /private/tmp/68f01de2.$$$
    com.sophos.intercheck: An unexpected error occurred

    And similar. This seems to be what is stopping the scan

    Can anyone advise

I am wondering whether it is linked to the Trojans themselves, all of which appear to be of this type:

  • com.sophos.intercheck: 2012-01-03 14:30:58 +0000 Threat: 'Troj/JSRedir-EK' detected in /Users/benamponsah68/Library/Mail/V2/Mailboxes/Junk (Gmail).mbox/C49321ED-C846-415A-BC11-115D7CA05705/Data/1/3/1/Attachments/131557/2/kizjfxyvpun.html

Any help appreciated as I am stumped

com.sophos.intercheck: Access to the file denied

:1004921


  • To enter Time Machine, you need to go to the right hand side of your menu bar, near the timestamp and the Sophos shield icon.  Select that menu icon, and select the text "Enter Time Machine."

    You should never attempt to manually edit your actual Time Machine volume -- this can cause backup corruption in certain conditions.

    :1005007
  • Ok thanks Andrew-I worked that out

    Ok I used this as one of the errant file paths and got this file up in Finder:

    file://localhost/Volumes/Ben's%20Time%20Machine%20Back-up/Backups.backupdb/Ben%20Amponsah’’’’s%20iMac/2012-01-11-091551/Macintosh%20HD/Users/benamponsah68/Library/Mail/V2/IMAP-benamponsah68@imap.gmail.com/%5BGmail%5D.mbox/Spam.mbox/C49321ED-C846-415A-BC11-115D7CA05705/Data/3/3/1/Attachments/133799/2/ocelotem.html
    Presume it's one of the family
    I highlight the file and enter TM but then the file disappears and I am presented with all of the main folders again?
    Please bear with me: I feel we are almost there
    :1005009
  • The path you want is: "Ben%20Amponsah’’’’s%20iMac/2012-01-11-091551/Macintosh%20HD/Users/benamponsah68/Library/Mail/V2/IMAP-benamponsah68@imap.gmail.com/%5BGmail%5D.mbox/Spam.mbox/C49321ED-C846-415A-BC11-115D7CA05705/Data/3/3/1/Attachments/133799/2/" in the Finder.  Time Machine should have this folder too.  If you can't get to it in the Finder because it's already deleted, just navigate to there in Time Machine.
    :1005011
  • Ok I have followed your instructions to the letter: even went so far as to hand type that address path into the Finder box as for some reason it was not copying the whole thing from your forum post

    And here's what I got:

     http://img696.imageshack.us/img696/866/screenshot20120111at193.png

    ??????

    :1005013
  • Andrew, a question:

    Can I not just delete the whole of my Time Machine and remove the virus like that? I know it's a bit drastic but everything on there is just backing up what's on my Mac anyway

    :1005015
  • You could do that.. it seems a bit extreme to me though.

    You could also try navigating the path by hand -- I think the "%20" for spaces is part of what's throwing off the Go To string.

    :1005017
  • Ok I tried navigating by hand but could not find the 'Library' sub-folder in benamponsah68-see link:

    http://img97.imageshack.us/img97/4753/screenshot20120111at222.png

    That folder just isn't there so very frustrated....

    :1005019
  • ah yes... you may have more luck with replacing all instances of %20 with spaces.  I'll try quoting a copy/pastable string in here.

    The reason for that is that Apple, in their infinite wisdom, made the Library folder invisible in the Finder starting with OS X 10.7.  It's still there, it just doesn't show up by default in Finder navigation.  One second and I'll get you the path you need....

    :1005021
  • "/Users/benamponsah68/Library/Mail/V2/IMAP-benamponsah68@imap.gmail.com/[Gmail].mbox/Spam.mbox/C49321ED-C846-415A-BC11-115D7CA05705/Data/3/3/1/Attachments/133799/2/"

    You may need to strip out a newline character in there, depending on how your browser presents it.

    The plus side is that it appears Mail.app detected the mail as spam as well :)

    :1005023
  • Ok thanks Andrew: I will give that a try

    :1005025
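
The following is an added example, not part of the thread and not Sophos tooling: it sorts `com.sophos.intercheck` log lines into detections and files that could not be scanned, then percent-decodes a `file://` URL and splits a Time Machine backup path into its snapshot and the matching path on the live volume. The regular expressions assume the line shapes and the `Backups.backupdb` layout quoted in the posts above; the sample user, disk and file names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# Patterns follow the two com.sophos.intercheck line shapes quoted in the thread.
THREAT_RE = re.compile(
    r"com\.sophos\.intercheck: (?:\S+ \S+ \S+ )?Threat: '([^']+)' detected in (.+)$")
ISSUE_RE = re.compile(r"com\.sophos\.intercheck: Issue: Could not scan (.+)$")
# Layout seen in the thread: /Volumes/<disk>/Backups.backupdb/<machine>/<snapshot>/<volume>/...
BACKUP_RE = re.compile(r"^/Volumes/[^/]+/Backups\.backupdb/[^/]+/([^/]+)/[^/]+(/.*)$")

def parse_log(lines):
    """Return (detections, unscanned): [(threat, path)] and [paths that failed to scan]."""
    detections, unscanned = [], []
    for line in lines:
        m = THREAT_RE.search(line.strip())
        if m:
            detections.append((m.group(1), m.group(2)))
            continue
        m = ISSUE_RE.search(line.strip())
        if m:
            unscanned.append(m.group(1))
    return detections, unscanned

def file_url_to_path(url):
    """Percent-decode a file:// URL into a plain path that can be typed or pasted."""
    parts = urlsplit(url)
    if parts.scheme != "file":
        raise ValueError("not a file:// URL: " + url)
    return unquote(parts.path)

def split_backup_path(path):
    """Split a Time Machine path into (snapshot, live path); snapshot is None if no match."""
    m = BACKUP_RE.match(path)
    return (m.group(1), m.group(2)) if m else (None, path)

# Constructed sample input (user, disk and file names are placeholders).
SAMPLE_LOG = [
    "com.sophos.intercheck: 2012-01-03 14:30:58 +0000 Threat: 'Troj/JSRedir-EK' "
    "detected in /Users/alice/Library/Mail/V2/Mailboxes/Junk (Gmail).mbox/1/2/sample.html",
    "com.sophos.intercheck: Issue: Could not scan /private/tmp/68f01de2.$$$",
    "com.sophos.intercheck: An unexpected error occurred",
]
SAMPLE_URL = ("file://localhost/Volumes/TM%20Disk/Backups.backupdb/Example%20iMac/"
              "2012-01-11-091551/Macintosh%20HD/Users/alice/Library/Mail/V2/"
              "%5BGmail%5D.mbox/Spam.mbox/1/2/sample.html")

if __name__ == "__main__":
    print(parse_log(SAMPLE_LOG))
    print(split_backup_path(file_url_to_path(SAMPLE_URL)))
```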