Hello, Team!
My Computer Specs:
iMac Intel Desktop OS X Lion. Home Edition. Latest updates. (Auto-Updated daily).
Two hard drives installed when purchased: Mac HD and HD 2.
HD 2 holds my backups:
2012-04-19 09:39:57 -0400 Threat: 'Mal/Iframe-F' detected in /Volumes/Macintosh HD 2/
I'm the Admin. I set my Mac to show all hidden files.
No Windows software is being used.
Problem:
Finder alerted me that the file cannot be removed via Finder because it's in a backup file in Time Machine.
I am only using Sophos (no other 3rd-party A/Vs, etc.), which I just installed a few days ago, after the news briefs.
I did as thorough a search in the community forum for the Mac home edition, including advanced searches, as possible, to the best of my knowledge.
I also read and absorbed this topic, but am holding off doing Andrew's "gutsy solution" :) in case it is not relevant to this issue:
Screenshot shows the issue, the custom scan, the instructions from Sophos and the threat itself.
I no longer have the account to which the cache files refer, so I cannot delete them that way. You'll see from the path.
I tried to find the exact cache file by copying the entire string, and got it to where I could create two custom scans. There are hundreds of cache files and I tried to find that single one, from within TIME MACHINE, but it became extremely difficult. Because of the difficulty of finding that one specific cache file, I created a custom scan that contains the direct folder that has these cache files (per other posts in this forum). Thank you!
Quarantine Manager reported finding the following:
Threat: Mal/Iframe-F
Clicking the threat brought me to the below page which says:
"Affected Operating Systems: Windows"
That suggests I install your free Virus Removal Tool which, of course, I clicked on the Free Mac A/V for OS X link which brought me to the installer for the same software I'm using.
I am not using Windows (in case this matters).
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Iframe-F.aspx
Threat: Mal/Iframe-F
Aliases: Trojan-Downloader.JS.Iframe.bxs
Notes: I entered the word "blank" for user names, IDs and account names in the full paths when posting this info in the forum.
Quarantine Manager thorough paths reported:
Threat: Mal/Iframe-F
Path and FN:
/Volumes/Macintosh HD 2/Backups.backupdb/Blank iMac/2011-11-29-131433/Macintosh HD/Users/blank/Library/Application Support/SecondLife/blank_resident/browser_profile/cache/http/cache_16a50254fb67a90aeabadc97f938534b767c87f1.cache
Action Available: The threat cannot be cleaned up. Please click the threat name above for manual cleanup instructions.
Followed Steps 11 through 15 from here:
KB: http://www.sophos.com/support/knowledgebase/article/112129.html
Ran the CUSTOM SCANS six times, including overnight. Time Machine just stays there until I get out of it with ESC.
The file does not get removed.
Log:
Sophos Anti-Virus
Product version: 8.0.2C
Detection engine version: 3.30.0
Detection data version: 4.76
Release date: 02 April 2012
Detects 3482976 threats
NSHumanReadableCopyright
Using IDE files: **deleted for brevity**
CREATED CUSTOM SCAN and selected two paths to scan:
Scan name: "manual threat removal"
Scan items:
Path: /Volumes/Macintosh HD 2/Backups.backupdb/blank iMac/2011-11-29-131433/Macintosh HD/Users/blank/Library/Application Support/SecondLife/browser_profile/cache/http enabled: yes
Path: /Volumes/Macintosh HD 2/Backups.backupdb/Blank iMac/2011-11-29-131433/Macintosh HD/Users/blank/Library/Application Support/SecondLife/blank_resident enabled: yes
Configuration:
Scan inside archives and compressed files: Yes
Automatically clean up threats: Yes
Action on infected files: Delete
Live Protection enabled: Yes
Immediate scan started at 2012-04-19 09:39:38 -0400
2012-04-19 09:39:57 -0400 Threat: 'Mal/Iframe-F' detected in /Volumes/Macintosh HD 2/Backups.backupdb/Blank iMac/2011-11-29-131433/Macintosh HD/Users/blank/Library/Application Support/SecondLife/blank_resident/browser_profile/cache/http/cache_16a50254fb67a90aeabadc97f938534b767c87f1.cache
Clean up not available for this threat
Issue deleting threat
Scan completed at 2012-04-19 09:40:08 -0400.
3250 items scanned, 1 threats detected, 1 issues
I hope I provided enough info. Thank you for your time and help!
Quandary