04-19-2012 08:55 AM
My Computer Specs:
iMac Intel Desktop OS X Lion. Home Edition. Latest updates. (Auto-Updated daily).
Two hard drives installed when purchased: Mac HD and HD 2.
HD 2 holds my backups:
2012-04-19 09:39:57 -0400 Threat: 'Mal/Iframe-F' detected in /Volumes/Macintosh HD 2/
I'm the Admin. I set my mac to show all hidden files.
No Windows software is being used.
Finder alerted me that the file cannot be removed via Finder because it's in a backup file in Time Machine.
I am only using Sophos, (no other 3rd party A/V's, etc) which I just installed a few days ago, after the news briefs.
I did as thorough a search in the community forum for the Mac home edition, including advanced searches, as possible, to the best of my knowledge.
I also read and absorbed this topic, but am holding off doing Andrew's "gutsy solution" in case it is not relevant to this issue:
Screenshot shows the issue, the custom scan, the instructions from Sophos and the threat itself.
I no longer have the account to which the cache files refer, so I cannot delete them that way. You'll see from the path.
I tried to find the exact cache file by copying the entire string and got it to where I could create two custom scans. There are hundreds of cache files and I tried to find that single one from within TIME MACHINE, but it became extremely difficult. Because of the difficulty of finding that one specific cache file, I created a custom scan that contains the direct folder that has these cache files (per other posts in this forum). Thank you!
Quarantine Manager reported finding the following:
Clicking the threat brought me to the below page which says:
"Affected Operating Systems: Windows"
That page suggests I install your free Virus Removal Tool; of course, I clicked on the Free Mac A/V for OS X link, which brought me to the installer for the same software I'm using.
I am not using Windows (in case this matters).
Note: I entered the word "blank" for user names, IDs and account names in the full paths when posting this info in the forum.
Quarantine Manager reported the following full paths:
Path and FN:
/Volumes/Macintosh HD 2/Backups.backupdb/Blank iMac/2011-11-29-131433/Macintosh HD/Users/blank/Library/Application Support/SecondLife/blank_resident/browser_profile/
Action Available: The threat cannot be cleaned up. Please click the threat name above for manual cleanup instructions.
Followed Steps 11 through 15 from here:
Ran the CUSTOM SCANS six times, including overnight. Time Machine just stays there until I get out of it with ESC.
The file does not get removed.
Product version: 8.0.2C
Detection engine version: 3.30.0
Detection data version: 4.76
Release date: 02 April 2012
Detects 3482976 threats
Using IDE files: **deleted for brevity**
CREATED CUSTOM SCAN and selected two paths to scan:
Scan name: "manual threat removal"
Path: /Volumes/Macintosh HD 2/Backups.backupdb/blank iMac/2011-11-29-131433/Macintosh HD/Users/blank/Library/Application Support/SecondLife/browser_profile/cache/http enabled: yes
Path: /Volumes/Macintosh HD 2/Backups.backupdb/Blank iMac/2011-11-29-131433/Macintosh HD/Users/blank/Library/Application Support/SecondLife/blank_resident enabled: yes
Scan inside archives and compressed files: Yes
Automatically clean up threats: Yes
Action on infected files: Delete
Live Protection enabled: Yes
Immediate scan started at 2012-04-19 09:39:38 -0400
2012-04-19 09:39:57 -0400 Threat: 'Mal/Iframe-F' detected in /Volumes/Macintosh HD 2/Backups.backupdb/Blank iMac/2011-11-29-131433/Macintosh HD/Users/blank/Library/Application Support/SecondLife/blank_resident/browser_profile/
Clean up not available for this threat
Issue deleting threat
Scan completed at 2012-04-19 09:40:08 -0400.
3250 items scanned, 1 threats detected, 1 issues
I hope I provided enough info. Thank you for your time and help!
04-20-2012 05:06 AM
Did I give too much information? I hope someone - maybe an admin - can help me with this. I ran another full scan and it found the threat again.
04-20-2012 09:50 AM
Since the malicious iFrame was detected in a web cache, you can actually delete ALL the contents of the web cache folder (they aren't needed in backups; I'm actually surprised Time Machine backs them up). To prevent this from happening in the future, you could add the path to the cache folder to your on-access exclusion list if you wanted to. Or, you could go one step further and add it to your Time Machine exclusion list, which would also save space and speed up backups.
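As an added illustration (not code from the thread or from Sophos), the Python below maps a detection path inside a Time Machine backup set back to the live path and picks out the outermost browser cache directory, which is the folder the reply above suggests clearing and excluding. The log lines are constructed from the scan output quoted earlier in this thread, and the assumption that the backed-up "Macintosh HD" volume is the boot volume mounted at / is mine.

```python
import re
from pathlib import PurePosixPath

# Constructed sample, modelled on the Sophos scan output quoted in this thread
# (the file name under cache/http/ is made up for the example).
SCAN_LOG = """\
Immediate scan started at 2012-04-19 09:39:38 -0400
2012-04-19 09:39:57 -0400 Threat: 'Mal/Iframe-F' detected in /Volumes/Macintosh HD 2/Backups.backupdb/Blank iMac/2011-11-29-131433/Macintosh HD/Users/blank/Library/Application Support/SecondLife/blank_resident/browser_profile/cache/http/example.html
Clean up not available for this threat
Scan completed at 2012-04-19 09:40:08 -0400.
"""

# date, time, tz offset, then the threat name and the (space-containing) path
THREAT_RE = re.compile(r"^\S+ \S+ \S+ Threat: '(?P<name>[^']+)' detected in (?P<path>.+)$")

# Directory names treated as regenerable browser cache (assumption for this example).
CACHE_DIR_NAMES = {"cache", "Cache", "Caches"}

def parse_detections(log):
    """Return (threat_name, path) for every 'Threat:' line in a Sophos-style scan log."""
    return [(m.group("name"), m.group("path"))
            for line in log.splitlines() if (m := THREAT_RE.match(line))]

def backup_to_live_path(path):
    """Map .../Backups.backupdb/<machine>/<snapshot>/<volume>/<rest> to the live path.
    Returns None when the path is not inside a Time Machine backup set."""
    parts = PurePosixPath(path).parts
    if "Backups.backupdb" not in parts:
        return None
    i = parts.index("Backups.backupdb")
    if len(parts) < i + 5:          # need machine, snapshot, volume and at least one item
        return None
    volume, rest = parts[i + 3], parts[i + 4:]
    # Assumption: "Macintosh HD" is the boot volume; others mount under /Volumes/<name>.
    root = "/" if volume == "Macintosh HD" else "/Volumes/" + volume
    return str(PurePosixPath(root, *rest))

def cache_dir_to_exclude(live_path):
    """Outermost ancestor whose name is a cache directory, or None if there is none."""
    for parent in reversed(list(PurePosixPath(live_path).parents)):  # walk from / downward
        if parent.name in CACHE_DIR_NAMES:
            return str(parent)
    return None

def triage(log):
    """For each detection: the backup path, its live counterpart, and the cache dir to exclude."""
    rows = []
    for name, path in parse_detections(log):
        live = backup_to_live_path(path)
        rows.append({"threat": name, "backup_path": path, "live_path": live,
                     "exclude_dir": cache_dir_to_exclude(live or path)})
    return rows
```

The `exclude_dir` value is the folder to clear and to add to the on-access and Time Machine exclusion lists; the `live_path` is where to check that the live copy is not still present.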
04-20-2012 10:37 AM - edited 04-20-2012 12:12 PM
I'll follow your tips for excluding those cache files from being backed up. Please see the next message for the results that resolved this problem and got rid of the threat.
Thanks so much for the replies!
04-20-2012 12:10 PM
Fixed. Thank you very much, Andrew! Big Kudos to you! (I hope others will give credit to the people who help us. Maybe they don't understand how to rate the support answers)
I attempted to delete one cache file from the backups folder on my HD, to see if that would work. It didn't: The trash can indicated: "The operation can't be completed because backup items can't be modified."
Next, I rebooted, ran Time Machine and was able to delete the cache folder that held the threat.
I closed Time Machine and then right-clicked some more cache folders on my backup HD and was able to delete them (as you suggested) after entering my password. (I'm not sure why it wouldn't let me delete those the first time).
I then ran the manual scan and the threat was gone. I'm currently rescanning both local drives.
Less of a Quandary now!
04-23-2012 10:55 AM
Full scan completed. No threats found. The Sophos T.S. is great! Thank you for it!
Per Andrew's suggestion, I also excluded the cache files folder that Time Machine was unnecessarily backing up.
I'll try to contribute here, if I happen to know an answer, but being a new user, I prefer to leave it to the experts.