unable to delete malware

Again I ask how to I get rid of this virus as the app cannot I have it showing in finder in a download folder for which it says I have no access. I have to gain access via get info but cannot get at the suspect file.  Help requested.

GH

---

sandy wrote:

Hello gjh,

if you read the full message you will see that it clearly states "Automatic cleanup was not successfu. Manual cleanup required".  (My red)

For a description of how to do this, please follow this article exactly  https://www.sophos.com/en-us/support/knowledgebase/118117.aspx

You can also do a search on this forum for 'manual cleanup' which will provide lots of information.

---

Hi gjh,

just taking a quick look at the screenshot you sent over shows me that the file in question (/Users/gjheth/Downloads/download.dmg) has been backed up onto a time machine backup that is stored on a removeable hard drive (I see reference to both a Goflex as well as a My Passport). In order to clean the threat, you'll need to make sure those drive(s) are available. Can you confirm this?

You are correct and they are available; they are two backup drives that I have used with time capsule.   I have tried to find the file via time capsule but cannot.  It doesn't appear to have a file name to reference.

Thanks for your help.

GJH

Ok, cool. Now you can follow the steps below, and let me know how you get on?  (taken from this KB article) 

1. Make a note of the complete file path. E.g., /Volumes/<Time Machine Volume Name>/Backups.backupdb/<Computer Name>/YYYY-MM-DD-NNNNNN/<User Name>/Library/Caches/Java/cache/6.0/8/123456-123456 
2. From the Sophos Preferences window,temporarily disable on-access scanning. 
3. In the Finder, navigate as close to this location as you can, starting from the <user name> portion. When the next level down no longer exists (or when you've found the file indicated), select 'Enter Time Machine' from the Time Machine menu item (a clock face with an arrow around the outside). 
4. Navigate to the date and time indicated by YYYY-MM-DD in the file path, and then follow the path to the detected file within Time Machine. 
5. Control or right-click the file, and select 'Delete All Backups of <detected filename>'. 
6. Click OK. From the Sophos Preferences window, re-enable on-access scanning.

Thanks,

Great, good luck!

Not all the path is available in the quaratine window and when I go to 'reveal in finder' I am taken to a download folder in the backup hard drive (in this case goflex) but it says I do not have permissions to open the folder.   I went to "get info" it says I have no access, even though I have selected "everyone read and write".  Please see attachment.

Thanks for your continued interest,

gjh

The place I was led to "Downloads" no permission was dated 2012, before I started backing up with the present two hard drives..

gjh

It looks like you tried to acces the file from withih Finder, but you won't be able to access the backup files from Finder because Time Machine manages the permissiosn so users can't accidentally mess with their backups. You have to go into Time Machine to remove the file.

Please take a look at steps 3-6 in my last message - essentually what you're going to do is:

1. Open finder and navigate to /users/gjheth/downloads

2. Click the time machine icon (small circle with a clock icon in the top right corner) and choose Enter time machine

3. From within time machine, alt click download.dmg and select Delete all backups of download.dmg

Note: If download.dmg is not available under "Now", you may need to go back in the time machine until you find a copy of the file. Then proceed to Delete all backups of download.dmg

4. When prompted click ok, and enter your password

5. When complete you can cancel out of Time Machine

6. Make sure you re-enable on-access scanning once you're done

AAhh  That makes sense now and I have as you suggested.  I have now started a scan to see if all is well and will get back to you.

Thanks again,

gjh