OFFICIAL SECURITY BLOG


How to remove infected files

Published October 27th, 2013 at 9:42 PM EST , modified October 27th, 2013 at 9:42 PM EST

I get questions all the time asking how to remove infected files. Anti-virus software can turn up many different kinds of detections, some worth worrying about and many not. They show up in many different locations, some of which should never be touched by the user, much less by anti-virus software. How is a person supposed to know how to handle such things, or whether to handle them at all?

First and foremost, follow one primary rule when your anti-virus software detects malware on a Mac: do nothing! At least, not right away. Far too many people have knee-jerk reactions: letting the anti-virus software remove malware that should have been handled differently, taking bad advice from a forum somewhere, ignoring the detection, or uninstalling the anti-virus software altogether. Any of these can have disastrous consequences. Take a more cautious and researched approach to avoid them.

One important piece of information that must be obtained before proceeding is the name of the malware that was found. Such names vary wildly, and even the same piece of malware may have a dozen different names, depending on what anti-virus software you’re using. Names will generally look something like OSX/Icefog.A, OSX_CLAPZOK.A, MacOS:Tored-A, Win32/Spy.Agent.NYU or Trojan.PWS.Multi.1145. As you may notice from those examples, names often (but not always) indicate the system that is affected (OSX or MacOS for Mac malware, Win32 for Windows).

If the name indicates that the malware is for Windows systems, disposing of it is a good idea to avoid passing it on to a Windows machine accidentally, but it is not particularly vital for your Mac’s safety. If the name doesn’t indicate the system, some research will be necessary to find out more about it. Often, searching Google for the exact malware name will get you that information. Putting that name in quotes (e.g., “OSX/Icefog.A”), to force Google to search for that exact text, can help narrow the results to only the most relevant.

If the name contains something like “OSX” or “MacOS”, or if researching a more generic-sounding name turns up the fact that it is actually Mac malware, more care needs to be taken. Unfortunately, once a computer is infected, there may not be a non-drastic way to completely purge the infection. In certain cases, where the malware has very well-known behaviors, removal isn’t too difficult, but the proper procedures will need to be followed, and those procedures will vary depending on the malware. However, a lot of the malware out there these days includes some kind of back door, giving the hackers remote access to your computer and making it possible for additional malicious payloads to be installed later. Even if you remove all known components of the malware, you could still have other unknown (and potentially undetectable) malicious processes that were installed through the back door.

For these reasons, I don’t advise trying to remove Mac malware without professional assistance. In many cases, unfortunately, removal may require completely erasing your hard drive and reinstalling everything from scratch.

VirusBarrier Express scan

To remove Windows malware, you first need to determine where the infected files are. How this is done varies wildly depending on the anti-virus software, so you may need to consult the user manual for your software if it’s not immediately obvious. Shown here is an example, from VirusBarrier Express, in which the path to the file is shown at the bottom of the list when a particular malicious file is selected. In many cases, you will instead be given a Unix-style file path (one that starts with a slash and separates folder names with slashes). In some cases, you may not be given a file path at all, but can reveal the file in the Finder; command-clicking the folder name in the Finder window’s title bar will then show a menu listing the path to that folder.

Regardless of how you determine the location of a file identified as malicious, you should only remove the file if it’s somewhere inside your user folder (the one inside the Users folder that matches your username, such as the folder named “thomas” in the VirusBarrier Express example shown above). Even then, certain locations inside your user folder (like the Library folder, your iTunes library or your iPhoto library, for example) are still off-limits. Generally speaking, any library of files that is maintained by a special app (other than the Finder) should not be messed with directly. A malicious file in a place like your Desktop, Documents, Downloads or Public folders can be safely deleted. Items in the Shared folder found in the Users folder may also be able to be deleted, though an admin user may be needed for that, and care will need to be taken before deleting files another user put there.

If the file is found in your iTunes or iPhoto library, you should try to determine where that item is within the library and delete it from within iTunes or iPhoto, rather than in the Finder. Similarly, if the file has a name ending in .emlx and is in the Mail folder inside your user Library folder, you should locate the message in Mail and delete it from there. In this case, opening the .emlx file in the Finder will open the message in Mail (which is perfectly safe as long as you don’t click any links or open attachments in the message), making it easy to delete.

Files found outside the user folder should generally not be touched. If such a file is identified as Windows malware, it’s highly likely that the detection is a false positive. I have seen anti-virus software identify important system files as malware, so deleting files outside the user folder could end up crippling your system. One exception to this rule is the hidden .MobileBackups folder at the top level of your startup drive, which contains one week’s worth of daily Time Machine backups (local snapshots). This folder could contain malware, but that malware can safely be ignored, since it will be deleted automatically after one week.

If malware is found in a Time Machine backup on an external hard drive, the infected file absolutely must not be removed in the Finder or by the anti-virus software! Doing so can corrupt your backups, which is obviously never a good thing. These malicious files can simply be left alone. When the backup drive fills up, Time Machine will begin removing the oldest files, so eventually those files will disappear by themselves. You just have to be aware that they are there, in case you restore those files somehow. If you decide you want to remove them, though, enter Time Machine (choose Enter Time Machine from the Time Machine menu), navigate to each file and control-click it, choosing “Delete all backups of [item]”.
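As an added example (not code from the original post), the rules above, from reading the platform hint in the detection name through deciding whether a particular file may be deleted and by what means, can be written down as a small shell function that prints a one-word disposition and never deletes anything. The home folder is passed as an argument rather than read from $HOME so the function can be exercised against constructed paths on any machine. The Time Machine backup layout (/Volumes/<drive>/Backups.backupdb/…), the iTunes and iPhoto library locations, and the name prefixes recognized are assumptions about typical 2013-era OS X and anti-virus conventions, not something the post states.

```bash
# Added example, not code from the original post: apply the post's triage rules
# to one detection and print a disposition. Nothing is deleted.

# Classify a detection name by the platform hint vendors often put in it.
# Names without a hint are "unknown" and must be researched before acting.
# The prefixes are an assumption about common vendor naming, not a full list.
platform_of_name() {
    case "$1" in
        OSX/*|OSX_*|OSX.*|MacOS:*|MacOS/*) echo mac ;;
        Win32/*|Win32.*|W32/*|W32.*)       echo windows ;;
        *)                                 echo unknown ;;
    esac
}

# triage NAME HOME PATH -> prints one of:
#   time-machine          in a Time Machine backup: leave it, or use Enter Time Machine
#   local-snapshot        in /.MobileBackups: ignore, it expires on its own
#   mac-seek-help         Mac malware: do not attempt removal yourself
#   research-name         no platform hint: look up the exact (quoted) name first
#   delete-in-mail        .emlx message: delete it from within Mail
#   library-do-not-touch  elsewhere in ~/Library: leave it
#   delete-in-itunes      remove it from within iTunes
#   delete-in-iphoto      remove it from within iPhoto
#   safe-to-delete        Desktop, Documents, Downloads or Public: delete in the Finder
#   shared-admin-review   /Users/Shared: deletable, may need an admin, check who put it there
#   home-review           elsewhere in the home folder: check whether an app manages it
#   outside-home-do-not-touch  system locations: likely a false positive, leave it
triage() {
    name="$1"; home="$2"; path="$3"

    # Backups are handled the same way whatever the file is: never delete
    # inside a backup in the Finder or with anti-virus software.
    # Backup paths below are assumed, typical locations.
    case "$path" in
        /Volumes/*/Backups.backupdb/*) echo time-machine; return ;;
        /.MobileBackups/*)             echo local-snapshot; return ;;
    esac

    case "$(platform_of_name "$name")" in
        mac)     echo mac-seek-help; return ;;
        unknown) echo research-name; return ;;
    esac

    # Windows malware: only remove it from the user's own folder, and only
    # from places not managed by another application.
    case "$path" in
        "$home/Library/Mail/"*.emlx)       echo delete-in-mail ;;
        "$home/Library/"*)                 echo library-do-not-touch ;;
        "$home/Music/iTunes/"*)            echo delete-in-itunes ;;
        "$home/Pictures/iPhoto Library/"*) echo delete-in-iphoto ;;
        "$home/Desktop/"*|"$home/Documents/"*|"$home/Downloads/"*|"$home/Public/"*)
                                           echo safe-to-delete ;;
        "$home/"*)                         echo home-review ;;
        /Users/Shared/*)                   echo shared-admin-review ;;
        *)                                 echo outside-home-do-not-touch ;;
    esac
}

# Usage: triage 'Win32/Spy.Agent.NYU' /Users/thomas /Users/thomas/Downloads/setup.exe
if [ $# -ge 3 ]; then
    triage "$1" "$2" "$3"
fi
```

The order of the checks matters: the backup locations are tested before anything else, because a file inside a backup must not be deleted in the Finder regardless of what it is, and the Mail check precedes the general ~/Library check so that .emlx messages are routed to Mail rather than flagged as off-limits.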

If, after reading all this, you still aren’t sure how to handle a particular piece of malware that has been called to your attention, seek the advice of a security professional. You will need to have three primary pieces of information in order to get effective assistance: the full name of the malware, the name of the file identified as that malware and the full path to that file. Screenshots of the relevant information, as reported by your anti-virus software, can help immensely!


7 Comments

  • Jay says:

    Good advice all around. Question though: the professional I’d call on in the case of a malware infection is the antivirus I have installed. I assume they know what they are doing and users should be able to expect an AV to detect ánd clean up properly (‘aggressively advertised’ utilities being the exception). If you end up in Best Buy they simply run an AV to clean out your system, the Apple Store will tell you “it’s not a virus” and if you insist long enough they’ll offer an erase and install… What would be professionals you recommend?

    • Thomas says:

      Anti-virus software can’t be relied upon to do the removal, for a variety of reasons. It may get some of the stuff, but probably not all of it.

      The issue of what professional to call is a sticky one. Most techs at somewhere like Best Buy or an Apple Store will probably want to do an erase and install, and when it comes to a Mac infection, that’s the safest way to handle it if you don’t know what you’re doing.

    • Sid Cannon says:

      Spot on, what Professionals do you trust? Bodie & Doyle? lol 🙂 I might be a bit more paranoid than your average user, where if I suspect an infection it has to be a wipe and re-install. The most tech savvy person in the world can’t convince me, that after malware removal my machine is 100% clean.

      That is why I have reverted back to Windows 7 as my main OS. I know you think I’ve gone mad, but with Shadow Defender protecting me, I know my machine is squeaky clean each time I boot up. I can’t find similar software for OSX, and even though malware on OSX is a lot less likely, I feel more secure with Windows 7 and Shadow Defender.

  • Al says:

    Thanks Thomas. You’ve given me a first reference for users to read until they are able to get me details on what they’ve actually found.

  • Antea Buel says:

    I am going through this for the past 3 weeks. I will be glad to erase and reinstall most of my stuff from the Seagate back-up, but I have doubts about this. It feels like I had a fire and should let it burn and vanish. Are the documents, photos and copies of anything I had before clean, virus or malware free, in one word “safe” to reinstall on my new-again computer?
    It is depressing, isn’t it? My computer was holding 80% of my life, records, projects, memories… I feel violated.

    • Thomas says:

      What malware did you have? Chances are good that erasing and reinstalling is completely unnecessary. If it is, though, documents and photos should be safe.

    • Al says:

      It’s difficult to judge without details of what was found and what type of backup you use, but in general it’s usually best to ignore your backup as anything you remove may corrupt the entire backup if you don’t do it properly. Just make a mental note that if you ever need to restore from backup that the first thing you do is scan your hard drive to make certain no malware was accidentally restored.
