
Troj/DocDl-DGO How to manually remove with Free MAC version 9.4.2?

Got this malware yesterday. The Sophos site says they have protection for this as of yesterday, May 24, but it didn't work for me.

My quarantine manager says to manually remove. There are no instructions on how to do this, and tech support will not address it. How do I do this with the Free Mac Edition 9.4.2?

I need help because I keep getting more emails with this zip file attached and the list is growing.



  • Hi Douglas,

    The Troj/DocDl* detection is for a Document Downloader (DocDl); it will most likely be a Microsoft Word or Excel file that contains a macro. If you opened this (on a Windows machine) and ran the macros, it would attempt to connect to a malicious server and download the malware payload.

    Are you able to show any screenshots or error messages you are seeing?

    Does it give you the location of where this file is? If it is in an email, I suggest deleting the email right away.

  • I deleted the emails I could find. The Sophos Quarantine Manager has 3 file locations listed but will not clean up. It says manual clean-up required. There is no picture of a lock on my Quarantine Manager as all the Sophos screenshots suggest, and there is no instruction on how to manually clean up with the Free Mac Home Edition 9.4.2.

    I am afraid to clear the list in the manager because I do not know if the files still exist. I did not open them.

  • Hi Douglas,

    Clearing the list is fine as all this does is remove the alert from your quarantine, it isn't what actually stops the files from being run. If they still exist on the machine they would be detected again if they attempted to do anything.

    I suggest you reboot your machine and see if they get cleaned during the reboot. I would be surprised if they did, to be honest, as I suspect they might have already been removed, which is why the cleanup is failing.

    If they are still listed in the quarantine after a reboot, clear them from the list and do a full scan, and see if they are detected again. If not, then they are gone. If they are detected again, please let me know.

  • Hi Peter, I too have the identical problem with Troj/DocDI-DBF.

    I do the manual clean but it remains from the file path scanned for manual removal.

    I then followed your suggestion, deleted and rescanned the entire MAC.

    It came back again, though I have to say that originally there were 3 Troj/ somethings and 2 of them were cleared by your method. This one remains.

    Any ideas please?

    Thank you

  • Hi Rod,

    Can you collect the Sophos Diagnostic Utility logs using the instructions at the bottom of this article: https://www.sophos.com/support/knowledgebase/33533.aspx#macgeneral

    If you send them into support@sophos.com and let me know the case number I will take a look for you.

  • Thanks Peter, could you please check the http://sophtrac/Default.aspx?articleid=33533#macgeneral as the link doesn't seem to work.

    Thanks

    Rod

  • Sorry I have corrected the above link now and made myself a coffee :-)

  • Many thanks Peter, I have run the tool and attached the SDU.tgx to an email to support@sophos.com, but I have no case number unless I am sent one later.

    Hope this will find you!

    Thanks again

    Rod

  • Cracked it, with PeterM's significant help, thank you.

    Follow the instructions thus far. The items needing manual clean must then be deleted as follows, then reboot the Mac, re-run Sophos and make sure they do not reappear. If they do reappear, go ahead with a custom scan of Time Machine, where mine had 34 of the same malware attachments, which I again manually cleared, rebooted and re-ran Sophos. I am now clear! Here's how:

    The secret for me was seeing the full file path in Sophos and then tracking back to that point and deleting the actual offending file (then re-running, etc.). To do this you need to read the entire location by copying and pasting from Quarantine Manager onto the clipboard or into Word or Pages or anywhere that you can read the entire path.

    Then open 'Finder' and click on 'Go' at the top and hold down 'ALT' to show the hidden menu item 'Library'. From Library I was able to follow to the end to find the offending attachment (by reading the path from the clipboard, which I mentioned earlier). For some of mine the path stopped before the end point; there was nothing at all after some of the path, but for others I was able to get to the end where the malware was hiding. I think that when I got to a dead end it shows that the malware is no longer in existence, but for other malware needing manual clean-up I was able to get to the actual end point of the path.

    Clearly the secret is in knowing how to show the hidden start to the path, which in my case was always in 'Library'.

    Then reboot the Mac, then re-run Sophos, and do it again as a custom scan if necessary on Time Machine.

    Thanks PeterM, mine are now all cleared, including Time Machine.

    To do a Custom Scan on Time Machine is simple. Click Custom Scan, hit the + and click on Time Machine and run.

    Many thanks to PeterM

  • Hi All


    I too have this problem and am frustrated by the lack of help and instructions Sophos provides.

    I have followed the above PeterM steps, although I am already familiar with the show/hide of hidden files and re-booting Finder. My problem is that the path Sophos shows STILL doesn't appear once the hidden folders are shown. This is an example of the path shown:

    /Volumes/BitTorrent-42516/BitTorrent.app/Contents/MacOS/BitTorrent

    Any suggestions on what to do next appreciated.
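Rod's procedure above (copy the full path out of Quarantine Manager, follow it to the file, delete it, reboot, rescan) and the /Volumes path in the last post can both be checked from a Terminal instead of Finder. The script below is an added example, not Sophos's code or anything posted in the thread; it assumes a POSIX shell on the Mac and takes the quarantine paths as arguments.

```shell
#!/bin/sh
# Added example, not from the thread: checks paths copied out of Sophos
# Quarantine Manager. An entry whose file is already gone dead-ends
# part-way along its path (Rod's observation); this shows how far the
# path can still be followed. Finder hides ~/Library, but a shell sees
# the full path without the Go + ALT trick.

# Print the deepest component of $1 that still exists on disk.
deepest_existing_prefix() (
  set -f     # no globbing of components such as '*'
  IFS=/      # split on slashes; subshell body keeps the change local
  found=/
  prefix=""
  for part in $1; do
    if [ -n "$part" ]; then
      prefix="$prefix/$part"
      if [ -e "$prefix" ]; then
        found=$prefix
      else
        break
      fi
    fi
  done
  printf '%s\n' "$found"
)

# Classify one quarantine path: 0 if the file is present (delete it by
# hand, then reboot and rescan), 1 if the quarantine entry is stale.
check_quarantine_path() {
  qpath=$1
  if [ -e "$qpath" ]; then
    printf 'present: %s\n' "$qpath"
    return 0
  fi
  stop=$(deepest_existing_prefix "$qpath")
  # macOS mounts external disks and disk images under /Volumes; a path
  # that dies right there belongs to a volume that is not mounted now.
  if [ "$stop" = "/Volumes" ]; then
    printf 'stale (volume not mounted): %s\n' "$qpath"
  else
    printf 'stale (dead end at %s): %s\n' "$stop" "$qpath"
  fi
  return 1
}

# Usage: pass each path copied from Quarantine Manager as an argument.
for p in "$@"; do
  check_quarantine_path "$p" || true
done
```

A path reported as present is the one to delete by hand before rebooting and rescanning; a stale entry can simply be cleared from the Quarantine Manager list.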