
Unable to cleanup Troj/EncProc-U on iMac

Sophos was unable to cleanup the above mentioned malware contained in a file named upd.DAT. It was first detected over a year ago but I have never been able to clean it up. Whenever I scan, it shows up again. Is there any action I can take to eliminate it?

:1020171


  • Hello unfit4duty,

    simply remove upd.DAT like any other unneeded file.

    Christian

    :1020174
  • I tried that but get the message:

    The item “upd.DAT” can’t be moved to the Trash because it can’t be deleted.

    :1020177
  • Hello unfit4duty,

    sorry, I forgot that the GUI (finder) does not delete but move to Trash. Please run a custom scan with the Delete option - if this also fails follow the instructions in Removing malware from a computer running Mac OS X item 18 (be careful when you turn off on-access scanning temporarily).

    Christian

    :1020178
  • Thanks for the additional input. It appears the file may be related to an entry from a journal I'm using (Day One). I've sent an email to support to see what they say before proceeding.

    :1020179
  • Hey Christian.

    I'm still stuck. The file is not found via Finder. Sophos shows it as being in the /Volumes/Bootcamp/users/....... location. I do have Windows running on a partition on my iMac (seldom used, but there if I need it). Some documentation I saw (Sophos?) suggested it was a Windows issue. I opened Windows and searched for the file on the Windows side but it was not found. Sophos says it can't be deleted. So does the Mac if I try to drag it to the trash. It appears the default program to open it is a media player called VLC. I deleted VLC but the file is still there. I don't get the responses illustrated in the forum post you provided, so I'm not sure what my next steps might be. I'm not that technically savvy, so I'm in a bit over my head. As far as I can tell, I am not impacted. I think Sophos has quarantined it but I can't eliminate it. Any suggestions?

    :1020188
  • Hello unfit4duty,

    if the Boot Camp volume is formatted as NTFS then OS X can't write a file to (and thus delete from) it. Can't say how Finder behaves with NTFS volumes and why it won't display the file in question (but it's moot as you can't delete it from the Mac side anyway). It might be hidden on the Windows side (similar to files/folders starting with a dot which Finder doesn't display by default) - using Organize->Folder and Search options->tab View you can tell Explorer on Windows to display all files.

    Or you could try the free Virus Removal Tool for Windows.

    Christian

    :1020190
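The point made above about NTFS is easy to confirm from a Terminal on the Mac: OS X mounts a Boot Camp NTFS volume read-only, so any delete from the Mac side (Finder, the scanner's Delete option) is bound to fail. The following sh snippet is an added example and not part of this thread or of any Sophos tool; it parses mount(8)-style output and reports whether a given mount point is writable. The mount lines embedded in it are constructed for illustration; on a real machine you would pipe the output of `mount` into `classify_mount` instead.

```shell
#!/bin/sh
# Added example (not from the thread): tell from `mount` output whether a
# volume is mounted read-only, which is why deleting a file on a Boot Camp
# NTFS partition from the Mac side fails. Sample lines are constructed.

# classify_mount MOUNTPOINT
# Reads mount(8)-style lines from stdin and prints one word:
#   readonly  - the mount point is present and has the read-only flag
#   writable  - the mount point is present and writable
#   not-found - no line for that mount point
# Field 3 of each line is the mount point ("/dev/diskX on /Volumes/Y (...)").
classify_mount() {
    mp="$1"
    awk -v mp="$mp" '
        $3 == mp {
            found = 1
            if ($0 ~ /read-only/) print "readonly"; else print "writable"
        }
        END { if (!found) print "not-found" }
    '
}

# Constructed sample of what `mount` prints on a Mac with a Boot Camp partition
# (assumed volume names; the real names on your machine will differ).
SAMPLE_MOUNT_OUTPUT='/dev/disk1s1 on / (apfs, local, journaled)
/dev/disk1s3 on /Volumes/BOOTCAMP (ntfs, local, read-only, noowners)
/dev/disk2s2 on /Volumes/USB (msdos, local, nodev, nosuid, noowners)'

# check_volume MOUNTPOINT - runs the classifier over the constructed sample.
check_volume() {
    printf '%s\n' "$SAMPLE_MOUNT_OUTPUT" | classify_mount "$1"
}

# Stand-alone usage against the constructed sample; on a live system use:
#   mount | classify_mount /Volumes/BOOTCAMP
check_volume /Volumes/BOOTCAMP
```

If the result is `readonly`, no Mac-side tool can remove the file and the cleanup has to happen from Windows, as the reply above says; the scanner will keep reporting the detection on every scan until then.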
  • Christian,

    BTW, I have Norton (free suite if you subscribe to Comcast) running on the Windows side and it seems to be a happy camper. Does that influence your thoughts about my issue?

    :1020196
  • Hello unfit4duty,

    normally you can run SVRT no matter what AV you have installed. 

    The name upd.dat is known to be used by malware as well as legitimate applications. Anyway, if you want to remove it (it should be more or less safe to do so, if it's really some part of a legitimate application the name implies it's not needed for regular execution) you have to do it from the Windows side.

    Christian 

    :1020217
  • Here's the latest Christian,

    Still no luck getting rid of it. Sophos, on the Mac side, still shows it in quarantine.

    I downloaded the PC version of Sophos on the Windows side, scanned, and found nothing. I searched on the Windows side and asked that it include "hidden" files. Still nothing. Norton sees nothing on the Windows side either.

    So, I can't find the folder or file by searching on either side. I only see it via Sophos on the Mac side. I have been unable to delete it. It's in an interesting looking folder/directory named ish4435888 (if I search for that folder, I can't find it...only visible via Sophos). In addition to the dat folder, there is a css folder with just a couple of .css files, an image folder with a few PNG files (mostly buttons and colors), a locale folder with several UNIX executables in it, and a GIMP file. Many of these date to 2013/14 when I was taking a html class.

    Since I can't seem to touch it, as long as it's in quarantine am I likely OK? Thanks again for your advice.

    :1020219
  • Hello unfit4duty,

    I can't find the folder or file by searching on either side

    if you did search for all kinds of hidden files/folders (note that you also have to uncheck Hide protected operating system files (Recommended)) then maybe it's really gone. The ish4435888 folder suggests that these files and folders belong to an "InstallCore enhanced" download of an otherwise freely available software (e.g. GIMP). It's classified as Adware and PUA (i.e. installed with the user's consent, subsequently a nuisance perhaps but not outright malicious) and thus AFAIK won't be detected by SVRT (but Troj/EncProc-U should be). 

    Perhaps Norton took care of it somewhen. Dunno how QM is supposed to behave here, usually it checks whether a threat is still present when you open it but I don't know the details of the logic. If you open QM, Clear the item from the list and run a custom scan on /Volumes/Bootcamp/users/ - does it recur? If not then it's no longer there.

    as it's in quarantine am I likely OK

    The quarantine is not more than a list of reported and not-yet-dealt-with detections, nothing is moved, or renamed, or otherwise made inaccessible. Only the enabled on-access scanner would provide protection.  

    Christian

    :1020227