
Removing malware from backups

Hi there everyone.

I'm completely new to this, so please be gentle.

In the last couple of days I have upgraded my Mac hard drive. When it came back I backed up my files to my external hard drive, ran Sophos Home Edition for Mac, and it found around 31 threats, including Mal/DrodZp-A and many others beginning with Troj/DocDi...

I followed the instructions on how to remove these from my mail... and found various unopened email attachments in old mail and junk files. I have been deleting these as and when they arrive, but on the odd occasion they arrive with a subject from, for example, My Hermes or another delivery company JUST as I am expecting a parcel from that company. Highly annoying; now obviously I don't open them.

So I have deleted all emails and attachments, but when I use Sophos it still detects these threats in my backups. When I follow the path to delete, I can't find it, or if I do, it says 'the operation can't be completed because backup items can't be modified'.

When I go to time machine, there are no back ups for the dates the malware seems to have been contracted (if that's the right word).

Pretty much daily Sophos is finding malware on my laptop, and every time I clean up it says 'Automatic cleanup was not successful, manual clean up is required'.

I'm concerned that all my devices are becoming infected... Or that I've caused some irreparable damage.

Your help would be amazing, before I go and spend some hard earned cash on taking it to an expensive shop to be poked and probed!!!

Thank you!

GC.

  • Hi Georgina,

    I will start by alleviating some of your concerns: both Mal/DrodZp and Troj/DocDl are Windows malware, so you aren't 'infected', you just have malicious files on your machine. The DrodZp detections will be for zipped files, and the DocDl ones will be for Office documents, most likely Word or Excel files. If you were on an (unprotected) Windows machine and ran these, they would connect to a malicious server and download a malware payload, which would then be run on the machine. Most commonly it would be ransomware.

    As you indicated, you will be receiving these files as attachments on emails. Ideally you want some anti-spam software to help filter these before they get into your inbox. Sophos has several products that can help with this if you are interested.

    Regarding the removal of the malicious files in Time Machine, this requires a couple of extra steps (similar to the equivalent Shadow Copies on Windows). Have a read of this article and it should help you remove them: https://community.sophos.com/kb/en-us/118117
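
Editor's note, as an added example that is not part of the thread or of the linked Sophos article: the reply above explains that the detections are attachments sitting inside dated Time Machine snapshots, which is why the same file is reported again and again. Time Machine keeps unchanged files hard-linked between snapshots, so one attachment received once can appear in every backup taken since. The POSIX shell function below walks a Backups.backupdb directory and reports every snapshot that still holds a given file, printing the inode so you can see which reports are the same hard-linked copy. It only reads; actual deletion should still go through Time Machine itself or the steps in the linked article. The `Machine/YYYY-MM-DD-HHMMSS/Volume/...` layout is taken from the path quoted later in this thread; the function and helper names, and the sample directory tree used to try it, are this example's own assumptions.

```shell
#!/bin/sh
# find_in_snapshots ROOT RELPATH
#   ROOT    : the Backups.backupdb directory of a Time Machine disk
#   RELPATH : path to the file relative to the backed-up volume root, e.g.
#             "Users/me/Library/Mail/V3/.../Attachments/1375409/invoice.zip"
# Prints one line per snapshot that contains RELPATH: "<inode> <full path>".
# Lines that share an inode are one hard-linked file, not separate copies;
# a scanner still reports each snapshot path separately.
# (Function names and the sample tree in the usage below are assumptions
# made for this example, not anything from the thread or Sophos.)
find_in_snapshots() {
    root=$1
    rel=$2
    for machine in "$root"/*/; do
        [ -d "$machine" ] || continue
        for snap in "$machine"*/; do
            # Snapshot directories are named YYYY-MM-DD-HHMMSS; this skips
            # the "Latest" symlink and anything else that is not a snapshot.
            case "$(basename "$snap")" in
                [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9]*) ;;
                *) continue ;;
            esac
            # Each snapshot holds one directory per backed-up volume.
            for vol in "$snap"*/; do
                f="$vol$rel"
                if [ -f "$f" ]; then
                    # ls -i prints the inode number before the name (POSIX).
                    ino=$(ls -i "$f" | awk '{print $1}')
                    printf '%s %s\n' "$ino" "$f"
                fi
            done
        done
    done
}

# count_snapshots ROOT RELPATH: how many snapshots still hold the file,
# i.e. how many separate detections a scanner would raise for it.
count_snapshots() {
    find_in_snapshots "$1" "$2" | wc -l | tr -d ' '
}

# distinct_copies ROOT RELPATH: how many distinct inodes those paths map to,
# i.e. how many real copies occupy space on the backup disk.
distinct_copies() {
    find_in_snapshots "$1" "$2" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Usage (paths assumed for illustration):
#   find_in_snapshots "/Volumes/Work and Adverts/Backups.backupdb" \
#       "Users/georginacullen/Library/Mail/V3/INBOX.mbox/Data/Attachments/1375409/invoice.zip"
```

Run it against the real backup disk with the Backups.backupdb path and the part of the Sophos-reported path that follows the volume name (everything after "Macintosh HD/"). If several snapshots print the same inode, clearing the file from one snapshot will not change the others; each snapshot that lists it has to be dealt with, which is what the extra steps in the article are for.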

  • Hi Peter,

    Thank you so much for the reply - I read that article and went through all the steps before posting on this forum.

    The problem I am having is that I get stuck when I reach a certain part of the path. This is where I am being told to go:

    /Volumes/Work and Adverts/Backups.backupdb/Georgina Cullen’s MacBook/2016-04-17-105209/Macintosh HD/Users/georginacullen/Library/Mail/V3/POP-myemail@mail3.gridhost.co.uk/INBOX.mbox/7194668E-FA83-41E9-BA4C-7E7D77E91D7C/Data/5/7/3/1/Attachments/1375409

    And this is how far I get:

    /Volumes/Work and Adverts/Backups.backupdb/Georgina Cullen’s MacBook/2016-04-17-105209/Macintosh HD/Users/georginacullen/Library

    I can't seem to find any part of my library which contains a folder for mail, and I've pretty much opened and looked in all of the folders individually (well, nearly).

    Also when I go back to time machine to see if they are there, I can't find any folder which contains my attachments - the path again stops at 'library'.

    I have however just found that I may be able to delete all backups of Mail via the Applications folder in Time Machine - would this be a possible solution?

    I'll defo get the anti-spam software just to stop me from throwing my laptop out of the window!!

    Thanks for your help so far.

    GC :)

  • Hi Georgina,

    Have a look at this post: https://community.sophos.com/malware/f/147/t/77421 the last comment from Rod explains how he solved the same situation you are having.