
Threat (Troj/Invo-Zip) comes back after manually deleting it from Time Machine backup. What now!?

I've been having an issue with this detected threat:

[screenshot: threat.png]

Every time I open the Quarantine Manager I see this threat in the list, but after a few seconds it disappears by itself before I have the chance to do anything about it.

I suspect the reason is that it only exists in my Time Machine backup, so I followed the steps from a thread in this forum about how to manually remove threats from TM backups.


In my case I have found out that the location for my threat seems to be in my mail 'Junk folder'. Through the Sophos Anti-Virus.log I found the pathway to where this threat is to be found:

(please note that I've replaced my e-mail account information with XXXXXXX)

V2/POP-XXXXXXX@XXXXXXXX.XX@mail.XXXXXXXX.XX/Junk.mbox/12A0ABC9-74E3-4CAB-ADBD-31C5B00D9360/Data/3/Attachments/3612/2/invoice.zip

I used Finder to locate the exact place for this threat, entered TM and removed it from all TM backups.


I then believed that the issue was solved, until the threat started to pop up again a couple of days later.

What to do now? I would really appreciate some help with this so I can get rid of this nasty thing once and for all.

  • Right, so, the logs show five threats detected in what I see as six separate files.  The detections and locations are:

    Detection: Troj/Invo-Zip
    Path: /Volumes/IOMEGA_HDD/Backups.backupdb/your iMac/2012-11-07-200847/Macintosh HD/Users/[***username***]/Library/Containers/com.apple.gamecenter/Data/Library/Mail/V2/IMAP-[***email address***]@imap.mail.yahoo.com/Bulk Mail.mbox/7AFB3378-FB30-4FCC-A7DA-049DA902169E/Data/Attachments/275/2/pdf-report-B31F1BDF77.pdf.zip

    Detection: Mal/BredoZp-B
    Path: /Volumes/IOMEGA_HDD/Backups.backupdb/your iMac/2014-02-12-094645/Macintosh HD/Users/[***username***]/Library/Containers/com.apple.iPhoto/Data/Library/Mail/V2/IMAP-[***email address***]@imap.mail.yahoo.com/Deleted Messages.mbox/E4A4079E-2BF6-4C0B-8290-33B50DE20943/Data/0/2/Attachments/20695/2/report.zip

    Detection: Troj/BredoZp-S
    Path: /Volumes/IOMEGA_HDD/Backups.backupdb/your iMac/2012-11-07-200847/Macintosh HD/Users/[***username***]/Library/Containers/com.apple.gamecenter/Data/Library/Mail/V2/IMAP-[***email address***]@imap.mail.yahoo.com/Sent.mbox/7AFB3378-FB30-4FCC-A7DA-049DA902169E/Data/Attachments/155/2/DHL_Label_8e248.zip

    Detection: Mal/DrodZp-A
    Path: /Volumes/IOMEGA_HDD/Backups.backupdb/your iMac/2012-11-22-111528/Macintosh HD/Users/[***username***]/Library/Containers/com.apple.FaceTime/Data/Library/Mail/V2/IMAP-[***email address***]@imap.mail.yahoo.com/Deleted Messages.mbox/E4A4079E-2BF6-4C0B-8290-33B50DE20943/Data/1/Attachments/1433/2/WU-488429C6262.pdf.zip

    Detection: OSX/Geonei-A
    Path: /Volumes/IOMEGA_HDD/Backups.backupdb/your iMac/2014-02-12-094645/Macintosh HD/Users/[***username***]/Downloads/Mac_Installer-1.app/Contents/Resources/InstallGenieo.app

    Detection: (none listed)
    Path: /Volumes/IOMEGA_HDD/Backups.backupdb/your iMac/2014-02-12-094645/Macintosh HD/Users/[***username***]/Downloads/Mac_Installer.app

    Since they are all in backups you're safe from them.  Options you could choose are:

    • Clear the items from the list, exclude the backup drive from future scans, and ignore them being in there.  Over time the backups will be deleted as space is required on the drive and the older backups will be purged.
    • Keep scanning as you are doing but always ignore the ones that come up in the quarantine for the backup location and clear them from the list.
    • As the files are inside a Time Machine, go into Time Machine, and hunt down and delete the files.

    Several users have opted for option one as it speeds up the scan time - no point scanning something in a backup (that would be detected by the on-access scanner if it was ever restored).  Some perhaps select option two, or maybe fall into that one when they run a new scan and forget to exclude the drive.  Basically, when there is a problem cleaning up: dig into the log and when you see part of the path mention '....Backups.backupdb/...' stop right there, head back to the quarantine and clear those from the list - repeat as required.  If you configure a scan right and always use that, the detections won't come back and you'll fall into option one.

    However some decide to go with option three.  Since the files are inside a TM backup (a rather complex and encrypted file - hence why SAV can't delete from outside of the program) it's not recommended to do anything outside of Time Machine.  Therefore to follow option three I'd suggest:

    1. Switch hidden files on first (http://openforum.sophos.com/t5/Mac-tools-help/How-to-show-all-hidden-files-in-Finder/td-p/18485)
    2. Note the date and path of the detections (see your original logs as I redacted info. in the table above).
    3. Enter Time Machine.  You will be able to see all files if you followed point one and hence won't be hindered by hidden files/folders.
    4. Use the noted dates and paths to delete all copies of a particular threat (file) from inside Time Machine (there is a handy option to do this in TM).
    5. Leave Time Machine.
    6. Following the post under point one above, switch the hidden files filter back on so Finder is less cluttered for daily use.

    Of course steps 3-5 are a bit vague so watch this video:

    Hope that helps move you forward.  Post back if you need anything/say how you got on.


    Communities Moderator, SOPHOS
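The triage rule in the moderator's post (look at the detection path, and if it contains "Backups.backupdb" it is a backup copy to clear from the list rather than a live infection) is easy to automate when the log lists many hits. The script below is an added example, not code from the thread or from Sophos: it takes (detection, path) pairs as they appear in the post, splits them into backup hits and live hits, and lists which Time Machine snapshot dates hold each threat, which is exactly the "noted dates and paths" step three needs. The log format is not shown on the page, so the input is a constructed list; the single live-filesystem entry is the original poster's Junk.mbox path with an assumed ~/Library/Mail prefix, included only to exercise the other branch.

```python
import re
from collections import defaultdict

# Time Machine snapshot folders are named YYYY-MM-DD-HHMMSS and sit under
# Backups.backupdb/<machine name>/ on the backup volume.
SNAPSHOT_RE = re.compile(r"/Backups\.backupdb/[^/]+/(\d{4}-\d{2}-\d{2}-\d{6})/")
# Apple Mail stores each mailbox as a <name>.mbox directory.
MBOX_RE = re.compile(r"/([^/]+\.mbox)/")

# Constructed sample: the six paths quoted in the moderator's post, plus the
# original poster's Junk.mbox path with an assumed live-mail prefix (not from
# the page) so that the "live" branch is exercised too.
BACKUP_ROOT = "/Volumes/IOMEGA_HDD/Backups.backupdb/your iMac"
MAIL = "Library/Containers/{app}/Data/Library/Mail/V2/IMAP-[***email address***]@imap.mail.yahoo.com"
SAMPLE_DETECTIONS = [
    ("Troj/Invo-Zip", f"{BACKUP_ROOT}/2012-11-07-200847/Macintosh HD/Users/[***username***]/"
     f"{MAIL.format(app='com.apple.gamecenter')}/Bulk Mail.mbox/7AFB3378-FB30-4FCC-A7DA-049DA902169E/Data/Attachments/275/2/pdf-report-B31F1BDF77.pdf.zip"),
    ("Mal/BredoZp-B", f"{BACKUP_ROOT}/2014-02-12-094645/Macintosh HD/Users/[***username***]/"
     f"{MAIL.format(app='com.apple.iPhoto')}/Deleted Messages.mbox/E4A4079E-2BF6-4C0B-8290-33B50DE20943/Data/0/2/Attachments/20695/2/report.zip"),
    ("Troj/BredoZp-S", f"{BACKUP_ROOT}/2012-11-07-200847/Macintosh HD/Users/[***username***]/"
     f"{MAIL.format(app='com.apple.gamecenter')}/Sent.mbox/7AFB3378-FB30-4FCC-A7DA-049DA902169E/Data/Attachments/155/2/DHL_Label_8e248.zip"),
    ("Mal/DrodZp-A", f"{BACKUP_ROOT}/2012-11-22-111528/Macintosh HD/Users/[***username***]/"
     f"{MAIL.format(app='com.apple.FaceTime')}/Deleted Messages.mbox/E4A4079E-2BF6-4C0B-8290-33B50DE20943/Data/1/Attachments/1433/2/WU-488429C6262.pdf.zip"),
    ("OSX/Geonei-A", f"{BACKUP_ROOT}/2014-02-12-094645/Macintosh HD/Users/[***username***]/Downloads/Mac_Installer-1.app/Contents/Resources/InstallGenieo.app"),
    ("", f"{BACKUP_ROOT}/2014-02-12-094645/Macintosh HD/Users/[***username***]/Downloads/Mac_Installer.app"),
    # Hypothetical live hit: the OP's Junk.mbox path under an assumed prefix.
    ("Troj/Invo-Zip", "/Users/[***username***]/Library/Mail/V2/POP-XXXXXXX@XXXXXXXX.XX@mail.XXXXXXXX.XX/"
     "Junk.mbox/12A0ABC9-74E3-4CAB-ADBD-31C5B00D9360/Data/3/Attachments/3612/2/invoice.zip"),
]


def classify(threat, path):
    """Describe one detection: whether it sits inside a Time Machine backup,
    which snapshot and mailbox (if any) it belongs to, and the file name."""
    snap = SNAPSHOT_RE.search(path)
    mbox = MBOX_RE.search(path)
    return {
        "threat": threat or "(unnamed)",
        "path": path,
        "in_backup": snap is not None,
        "snapshot": snap.group(1) if snap else None,
        "mailbox": mbox.group(1) if mbox else None,
        "filename": path.rsplit("/", 1)[-1],
    }


def triage(detections):
    """Split (threat, path) pairs into backup hits (clear from the quarantine
    list or exclude the drive) and live hits (need actual clean-up)."""
    buckets = {"backup": [], "live": []}
    for threat, path in detections:
        item = classify(threat, path)
        buckets["backup" if item["in_backup"] else "live"].append(item)
    return buckets


def snapshots_by_threat(detections):
    """Map each threat found in backups to the sorted snapshot dates holding
    it: the dates and paths to note before deleting inside Time Machine."""
    found = defaultdict(set)
    for item in triage(detections)["backup"]:
        found[item["threat"]].add(item["snapshot"])
    return {threat: sorted(snaps) for threat, snaps in found.items()}


if __name__ == "__main__":
    result = triage(SAMPLE_DETECTIONS)
    print("Live hits (deal with these first):")
    for item in result["live"]:
        print(f"  {item['threat']}  {item['mailbox'] or '-'}  {item['filename']}")
    print("Backup hits by threat and snapshot:")
    for threat, snaps in snapshots_by_threat(SAMPLE_DETECTIONS).items():
        print(f"  {threat}: {', '.join(snaps)}")
```

Run it as a script to see the split; in practice you would feed it pairs pulled from Sophos Anti-Virus.log. The snapshot regex is what makes the grouping reliable: matching on the dated folder directly under Backups.backupdb/<machine>/ avoids being fooled by date-like strings elsewhere in a path.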

