
Threat (Troj/Invo-Zip) comes back after manually deleting it from Time Machine backup. What now!?

I've been having an issue with this detected threat:

[screenshot: threat.png]

Every time I open the Quarantine Manager I see this threat in the list, but after a few seconds it disappears by itself before I have the chance to do anything about it.

I suspect the reason is that it only exists in my Time Machine backup, so I followed the steps from a thread in this forum about how to manually remove threats from TM backups.


In my case I have found out that the location for my threat seems to be in my mail 'Junk folder'. Through the Sophos Anti-Virus.log I found the pathway to where this threat is to be found:

(please note that I've replaced my e-mail account information with XXXXXXX)

V2/POP-XXXXXXX@XXXXXXXX.XX@mail.XXXXXXXX.XX/Junk.mbox/12A0ABC9-74E3-4CAB-ADBD-31C5B00D9360/Data/3/Attachments/3612/2/invoice.zip

I used Finder to locate the exact place for this threat, entered TM and removed it from all TM backups.


I then believed that the issue was solved, until the threat started to pop up again a couple of days later.

What to do now? I would really appreciate some help with this so I can get rid of this nasty thing once and for all.



  • From the log extract posted I can't see if it was in a TM backup or not.  If it was and you successfully deleted it from in there...does the file remain outside of the backup?

    Do you use a local mail application and does that still have the email/attachment?  And is the mail account a web mail account?  If so you will want to log into the mail account with a web browser and also delete the mail from there (so it doesn't download again).

    Watch/listen to this video.  It may help explain what to do.


     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi.

    I'm a 54 year-old Mac user who has been using Macs for over 20 years now. I prefer Macs to PCs because I found that if I ever had a problem with the Mac  I could generally solve it even though I don't know that much about the inner workings of computers. 

    I recently downloaded Sophos for Mac OSX and did a complete scan which reported issues but no threats. At the time my Mac wasn't connected to my external hard drive. Upon connecting it to the hard drive in question Sophos identified two threats, one of which it successfully cleaned up. The other  - 'Troj/Invo-Zip' - I couldn't get rid of. Attempts to clean it up either returned a 'failed' message or ran for hours. On digging around the web and this site in particular, I realise I'm not the only one who has had this problem. I tried the various possible solutions suggested but nothing worked. In frustration, I eventually instructed the Quarantine Manager to 'clear from list' - my intention being to run another complete scan of my system AND external hard drive. Imagine my surprise then when the subsequent scan found nothing. Since I cleared it from the list I'm assuming it's hidden in my system somewhere and will resurface again at some point. If so, and I encounter the same problem in trying to clean it up what can I do? A manual clean up wasn't even an option first time around because there was no information on it - no path and filename or original location. Without this information, searching for it would be the computer equivalent of searching for a needle in a haystack. Any help would be much welcomed. Thanks.

  • You can dig into the logs and see if the path of the original threat was recorded.  The thread below should help explain how to access the logs - the exact log you need to check depends on the type of scan that detected it (on-access, on-demand, Finder right-click).

    http://openforum.sophos.com/t5/Mac-tools-help/Where-are-the-logs-for-SAV-for-Mac/td-p/16091


  • Thanks, ruckus. I'll have a go at that. The scan that detected it was an on-access, incidentally.

  • Hi, ruckus.

    I did another scan and it found five threats (see screenshot). This time I have paths and filenames for all five. As I feared, the auto cleanup failed and I'm being instructed to clean up manually. Despite having watched the video you recommended, I'm afraid it's all about as clear as mud to me. I consider myself a fairly articulate and intelligent person but when it comes to this kind of thing my head starts to swim. Of course, the fact that the path is incomplete doesn't help but is there something obvious I'm overlooking?

    [screenshot: Screen Shot 2014-07-29 at 21.03.04.png]

  • I know that I am intelligent, because I know that I know nothing. - Socrates :)

    Screenshot is too small to make out what the quarantine is showing you, however I don't really need to see it.  I assume the path will be something SAV cannot delete from ('write access' required) or the item was saved there temporarily and is now gone (I'm saying that so you're not confused if you get to the end folder and it's empty).

    I'd suggest the way forward is to go back to the log (in Console) for the scan type that detected the items and getting the full path from there.  Use that to guide you.  Of course the 'reveal in Finder' button may also allow you to jump straight to the location - can't see in the screenshot if that's available after you click the padlock and select one of the items(?).

    Note:  If you encounter a hidden folder use the thread below to reveal it in Finder - I'm not saying this is necessary but just adding it in case you need to check a path that doesn't seem to be shown in Finder.

    http://openforum.sophos.com/t5/Mac-tools-help/How-to-show-all-hidden-files-in-Finder/td-p/18485


  • Okay, just noticed that the previous screenshot is too small to read and can't be enlarged except by me so here it is again, full sized. I had a go at following the video above but, since all the viruses appear to be located on my external HD, it wasn't as simple as the guy who posted the video made it look. Managed to locate the second one down on my external drive by following the path indicated by the log. It led me to a Pkg installer which, when I tried to delete it said I couldn't because it was backed up in Time Machine. Found it in Time Machine and deleted it only to see it return shortly after. As for the others, I would get so far down the path indicated in the log and then I'd hit a brick wall - it would lead me to the folder in my name within the users folder and then instruct me to follow 'containers/library'. At this point the trail disappears - there is no containers/library sub-folder. 

    Another confusion is that the path name for some of the viruses indicates an infection date in 2012 but when I go into the scan log to try and track it down there is nothing listed before 2013. I may just be thick but is there any way I can rid my Mac of these things before I eventually lose patience and throw it out of my upstairs window. Have these viruses become so sophisticated since the days when I used Norton that they can no longer be deleted by AV software? If anyone can help me out with an idiot-proof solution I'll be eternally grateful. Thanks in anticipation.

    [screenshot: Screen Shot 2014-07-29 at 21.03.04.png]

  • Containers is usually a sub-folder inside an installer or app - you can get into it via Terminal. Depends how comfortable you are with Terminal and drilling down into the full path via that application. I would say that if they are all in the back ups I wouldn't worry - on previous posts I've recommended that you can exclude the back ups folder and basically ignore it as nothing can run from in there. But for some, getting that entire set up clean is the goal.

    If so can you post or email (if you prefer not to post online) your scan logs? Example: http://openforum.sophos.com/t5/Mac-tools-help/How-to-collect-scan-log-files-so-you-can-email-or-post-them-for/td-p/16949

    Email address if you prefer to email is sophossupport@icloud.com - let me know if you chose to email.

  • Hi, ruckus.

    Thanks for your continued support (and patience). 

    To answer your question, I'm relatively comfortable using Terminal if I'm shown what to do. I know nothing about code, however, so wouldn't even know where to begin if I had to tackle it unaided. I'm heartened by the fact that with the viruses being in my back up files they pose no real threat. However, the Troj/Invo-Zip virus I cleared from the list in frustration earlier was originally unearthed on my Mac before I reconnected my external drive to it. If the best I can manage is to get rid of it off the Mac itself I will consider it a small victory.

    I thought it would be easier for both of us to email the scan log to you. The original file name was too long and so I had to rename it Iomega EDD.log.zip. I'm just going to email it over to you right now. I've been at this all night now though so I'm going to call it a night and get some sleep so it'll be some time tomorrow before I can get back to you if there's anything you need from me.

    Thanks once again for all your efforts to help me. They are very much appreciated.

  • Right, so, the logs show five threats detected in, what I see as six separate files.  The detection and locations are:

    Detection        Path
    Troj/Invo-Zip /Volumes/IOMEGA_HDD/Backups.backupdb/your iMac/2012-11-07-200847/Macintosh HD/Users/[***username***]/Library/Containers/com.apple.gamecenter/Data/Library/Mail/V2/IMAP-[***email address***]@imap.mail.yahoo.com/Bulk Mail.mbox/7AFB3378-FB30-4FCC-A7DA-049DA902169E/Data/Attachments/275/2/pdf-report-B31F1BDF77.pdf.zip
    Mal/BredoZp-B /Volumes/IOMEGA_HDD/Backups.backupdb/your iMac/2014-02-12-094645/Macintosh HD/Users/[***username***]/Library/Containers/com.apple.iPhoto/Data/Library/Mail/V2/IMAP-[***email address***]@imap.mail.yahoo.com/Deleted Messages.mbox/E4A4079E-2BF6-4C0B-8290-33B50DE20943/Data/0/2/Attachments/20695/2/report.zip
    Troj/BredoZp-S /Volumes/IOMEGA_HDD/Backups.backupdb/your iMac/2012-11-07-200847/Macintosh HD/Users/[***username***]/Library/Containers/com.apple.gamecenter/Data/Library/Mail/V2/IMAP-[***email address***]@imap.mail.yahoo.com/Sent.mbox/7AFB3378-FB30-4FCC-A7DA-049DA902169E/Data/Attachments/155/2/DHL_Label_8e248.zip
    Mal/DrodZp-A /Volumes/IOMEGA_HDD/Backups.backupdb/your iMac/2012-11-22-111528/Macintosh HD/Users/[***username***]/Library/Containers/com.apple.FaceTime/Data/Library/Mail/V2/IMAP-[***email address***]@imap.mail.yahoo.com/Deleted Messages.mbox/E4A4079E-2BF6-4C0B-8290-33B50DE20943/Data/1/Attachments/1433/2/WU-488429C6262.pdf.zip
    OSX/Geonei-A /Volumes/IOMEGA_HDD/Backups.backupdb/your iMac/2014-02-12-094645/Macintosh HD/Users/[***username***]/Downloads/Mac_Installer-1.app/Contents/Resources/InstallGenieo.app
    /Volumes/IOMEGA_HDD/Backups.backupdb/your iMac/2014-02-12-094645/Macintosh HD/Users/[***username***]/Downloads/Mac_Installer.app

    Since they are all in backups you're safe from them.  Options you could choose are:

    • Clear the items from the list, exclude the backup drive from future scans, and ignore them being in there.  Over time the backups will be deleted as space is required on the drive and the older back ups will be purged.
    • Keep scanning as you are doing but always ignore the ones that come up in the quarantine for the back up location and clear from list.
    • As the files are inside a Time Machine, go into Time Machine, and hunt down and delete the files.

    Several users have opted for option one as it speeds up the scan time - no point scanning something in a backup (that would be detected by the on-access scanner if it was ever restored).  Some perhaps select option two, or maybe fall into that one when they run a new scan and forget to exclude the drive.  Basically when there is a problem cleaning up: dig into the log and when you see part of the path mention '....Backups.backupdb/...' stop right there, head back to the quarantine and clear those from the list - repeat as required.  If you configure a scan right and always use that the detections won't come back and you'll fall into option one.

    However some decide to go with option three.  Since the files are inside a TM backup (a rather complex and encrypted file - hence why SAV can't delete from outside of the program) it's not recommended to do anything outside of Time Machine.  Therefore to follow option three I'd suggest:

    1. Switch hidden files on first (http://openforum.sophos.com/t5/Mac-tools-help/How-to-show-all-hidden-files-in-Finder/td-p/18485)
    2. Note the date and path of the detections (see your original logs as I redacted info. in the table above).
    3. Enter Time Machine.  You will be able to see all files if you followed point one and hence won't be hindered by hidden files/folders.
    4. Use the noted dates and paths to delete all copies of a particular threat (file) from inside Time Machine (there is a handy option to do this in TM).
    5. Leave Time Machine.
    6. For the post under point one above switch the hidden files filter back on so Finder is less cluttered for daily use.

    Of course steps 3-5 are a bit vague so watch this video:

    Hope that helps move you forward.  Post back if you need anything/say how you got on.

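The moderator's triage rule (stop at '....Backups.backupdb/...') and step 2 of option three (note the date and path of each detection) as an added shell example; this is not code from the thread or from Sophos. It assumes the Time Machine folder layout visible in the table above and takes "Detection<TAB>Path" lines as input; USER and the mail hosts in the sample are placeholders.

```sh
# Added example (not Sophos code): apply the moderator's rule to a detection
# list. Paths under ".../Backups.backupdb/..." are Time Machine copies (clear
# from the list or delete from inside TM); anything else is a live file that
# still needs cleaning. Input lines are "Detection<TAB>Path".
# Assumed TM layout, as in the table above:
#   .../Backups.backupdb/<machine>/<YYYY-MM-DD-HHMMSS>/<volume>/<original path>
# Prints "backup|<name>|<YYYY-MM-DD HH:MM:SS>|<volume>|/<original path>"
# or "live|<name>|<path>".
classify_detection() {
  name=$1; path=$2
  case $path in
    */Backups.backupdb/*)
      rest=${path#*/Backups.backupdb/}   # machine/snapshot/volume/original...
      rest=${rest#*/}                    # drop the machine name
      snap=${rest%%/*}; rest=${rest#*/}  # snapshot folder name
      vol=${rest%%/*};  rest=${rest#*/}  # backed-up volume name
      day=${snap%-*}; hms=${snap##*-}    # e.g. 2012-11-07 and 200847
      hh=${hms%????}; ss=${hms#????}; mm=${hms#??}; mm=${mm%??}
      printf 'backup|%s|%s %s:%s:%s|%s|/%s\n' \
        "$name" "$day" "$hh" "$mm" "$ss" "$vol" "$rest" ;;
    *)
      printf 'live|%s|%s\n' "$name" "$path" ;;
  esac
}
# Classify every "Detection<TAB>Path" line read on stdin.
triage_report() {
  while IFS="$(printf '\t')" read -r name path; do
    [ -z "$path" ] || classify_detection "$name" "$path"
  done
}
# Detections outside any backup store: the ones that still need cleaning up.
count_live() { triage_report | grep -c '^live|'; }
# Unique original paths held in backups: what to hunt down inside Time Machine
# (one entry per file, however many snapshots still hold a copy of it).
backup_hunt_list() {
  triage_report | awk -F'|' '$1 == "backup" { print $2 " " $5 }' | sort -u
}
# Constructed sample input; USER and the mail hosts are placeholders.
sample_detections() {
  printf '%s\t%s\n' \
    'Troj/Invo-Zip' '/Volumes/IOMEGA_HDD/Backups.backupdb/your iMac/2012-11-07-200847/Macintosh HD/Users/USER/Library/Mail/V2/IMAP-USER@imap.example.test/Bulk Mail.mbox/Data/Attachments/275/2/pdf-report.pdf.zip' \
    'Troj/Invo-Zip' '/Volumes/IOMEGA_HDD/Backups.backupdb/your iMac/2012-11-22-111528/Macintosh HD/Users/USER/Library/Mail/V2/IMAP-USER@imap.example.test/Bulk Mail.mbox/Data/Attachments/275/2/pdf-report.pdf.zip' \
    'OSX/Geonei-A' '/Volumes/IOMEGA_HDD/Backups.backupdb/your iMac/2014-02-12-094645/Macintosh HD/Users/USER/Downloads/Mac_Installer.app' \
    'Troj/Invo-Zip' '/Users/USER/Library/Mail/V2/POP-USER@mail.example.test/Junk.mbox/Data/3/Attachments/3612/2/invoice.zip'
}
sample_detections | triage_report
```

Pipe a real detection list through `triage_report` in Terminal; the `live` lines are the ones still worth a clean-up, and `backup_hunt_list` gives the per-file list to delete from inside Time Machine.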
