ClamXav scan

Discussion in 'MacBook Pro' started by Derekhk, May 16, 2010.

  1. Derekhk macrumors member

    Joined:
    Feb 21, 2010
    #1
    Did a ClamXav scan just now and came up with three detections. All three were classified as "PHISHING.HEURISTICS.EMAIL.SPOOFEDDOMAIN". I deleted the files immediately.

    How worried or not worried should I be?
     
  2. frannbug macrumors member

    Joined:
    Apr 6, 2009
    Location:
    South West London, UK
    #2
    Invisible infection won't delete

    I've been getting .emlx files in my quarantine folder every few hours and they all seem to have come from my Time Machine backup folder. So I found the corresponding files on my hard drive, thinking that this would destroy the source and that no more would be backed up. All well and good, although I have to say that more kept coming and I secure deleted them every time.

    I have just returned to my computer, however, to find dozens of growl messages on my screen alerting me to the fact that invisible files have been found in the quarantine folder itself. So I did a search for invisible files and every one began with .BC. and a few random letters and numbers. I selected them all and looked for the contextual menu item to delete them. But there wasn't one. So I tried dragging them to the wastebin. I was asked for my password but even then the files were only copied to the bin, not moved. So how the heck do I get rid of these?

    I'm particularly anxious about this since they are all marked as being either Heuristics.Phishing.Email.SpoofedDomain or HTML.Phishing.Acc-4 files. Should I be worrying that they are reading all my passwords and sending them on? To the best of my knowledge we haven't had a Google van around here recently but even so I'd hate to think someone were sitting watching their computer collect all my bank details! :eek:

    What should I do, please?
     
  3. frannbug macrumors member

    Joined:
    Apr 6, 2009
    Location:
    South West London, UK
    #3
    This is bad! ClamXav has found 118 infected files while I slept last night. They are multiplying horribly! I feel I am only dealing with symptoms rather than attacking the disease at source.

    I thought Macs were immune from malevolent attack. It would appear that those wonderful days are over!
     
  4. aimbdd macrumors 6502a

    Joined:
    Dec 10, 2008
    Location:
    East Cost
    #4
    lol or maybe it's just the scanner going crazy :p
     
  5. GGJstudios, Nov 11, 2010
    Last edited: Nov 11, 2010

    GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #5
    No computer has ever been immune to attack by malware, including Macs. While there are no viruses in the wild that run on current Mac OS X, there are still trojans that require the user to actively install them in order to run.
    • .emlx files are simply individual Mail messages. They are not malware.
    • Heuristics.Phishing.Email.SpoofedDomain and HTML.Phishing.Acc-4 refer to phishing emails. They are not viruses or trojans. They are simply emails designed to trick you into giving out information. If you don't reply to the emails or click the links, you have nothing to worry about.
    • Some Google searching for "Heuristics.Phishing.Email.SpoofedDomain" reveals many instances where ClamXav appears to be giving false positives. In other words, it thinks you're infected, but you're not.
    • Unless you are doing things like installing pirated software or installing codecs from porn sites, you have very little chance of having your Mac infected by anything.
    • While you may choose to run ClamXav or another AV app, it's quite unnecessary for the protection of your Mac.
    Knowledge is power. Arm yourself: Mac Virus/Malware Info
     
  6. frannbug macrumors member

    Joined:
    Apr 6, 2009
    Location:
    South West London, UK
    #6
    Thanks for that information. The .emlx files came from a phishing email I had about six months ago. It was from an eBay member, asking why I hadn't paid for items I hadn't ordered and my response was to send it straight to eBay's spoof address. That makes sense.

    But what about all these .BC. invisible files? What are they and should I be disposing of them? If it's a case of ClamXav suddenly being over vigilant, then might I have removed some files that are a vital part of some software, for example? I've blitzed several hundred of them in the last 24 hours.

    And why does all this start at the same time, about six months after the dodgy emails arrived? Why didn't ClamXav notice I hadn't thrown them away when they first appeared? It appears to me that the emails contained some sort of time bomb that kicked in because ClamXav has scanned my disks many times since the emails arrived in my inbox.

    I have slight suspicions that my copy of the music notation software Finale 2008 might be causing some weirdness on my computer. I haven't used it for some time, but it keeps causing QuickLook to crash even when it's not open (I know it's Finale from the crash message that comes up). And since I have started notating my music again, I've had all sorts of problems - dock icons disappearing, Finale being unable to save scores or make MP3 files of the music I've written, sudden slowdowns where everything I touch turns into a spinning beach ball so that the only thing I can do is force restart, even my iSight camera disappearing, digitally speaking - and now this business with ClamXav. I've ordered an upgrade, but could all this be caused by a buggy application?
     
  7. GGJstudios, Nov 11, 2010
    Last edited: Nov 11, 2010

    GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #7
    It's possible that a buggy app could cause many of the symptoms you have. Be aware that just because an app creates problems doesn't make it malware. Malware (viruses, trojans, worms, etc.) is designed to create problems, whereas some apps are simply poorly designed and unintentionally screw up.

    If you want my recommendation, I'd uninstall ClamXav and be done with it. That's one of the great things about using a Mac: you don't need AV software. It consumes system resources, slows your system down, can give false positives, etc. If you read the link I posted and use reasonable caution when downloading and installing apps, you'll be fine. Here's a few simple things to do:
    • Read the link I posted, so you understand what is and isn't true about malware.
    • Disable Java (not JavaScript) in your web browser (info at the bottom of the linked post)
    • Only install software from reputable sites.
    • If you're not sure about an app, use MRoogle to search this forum to see what others have said about it.
    • Make sure all your passwords (including email accounts) are complex and hard to guess
    • Make sure any wireless network you have is WPA2 protected with a secure (complex) password.
    • Don't let anyone else have physical access to your computer.
     
  8. scottlinux, Nov 11, 2010
    Last edited: Nov 11, 2010

    scottlinux macrumors 6502a

    scottlinux

    Joined:
    Sep 21, 2005
    #8
    clamav scans for windows viruses (only)

    :)

    Using clam on desktop os x is pretty odd, but if it makes you feel safe...

    It is also used (its primary use) on linux servers scanning email for windows malware and viruses. It can often give false positives with email - particularly saying a message seems like a 'scam'. This does not mean you have a virus.
     
  9. frannbug macrumors member

    Joined:
    Apr 6, 2009
    Location:
    South West London, UK
    #9
    Thanks for the advice. I've read your link and all the related links. I did have iAntivirus a few months ago - it was recommended by MacFormat magazine. But it started running my system at full pelt for hours at a time so I removed it. Well, most of it. Reference to it still comes up in the code my computer is set up to show during startup. I have no idea how to purge completely the last bits of it from my system. I hope ClamXav can be removed more easily.

    I've followed almost all of your advice. What functionality have I lost by disabling Java? Does that mean I will no longer be able to play videos on my browser?

    I will remove ClamXav when it runs out of copies of the dodgy emails from my Time Machine backups to quarantine. The system won't allow me to remove them by hand and I know they were dodgy as I've already described above. However, I'm still concerned that when I email people with PCs I could be sending them malware if I have no AV. I'm not sure the distinction between viruses, Trojans and worms really makes a lot of difference - they're all malware and all unwanted! I've had the thing that takes over your email address and spams everyone else a long time ago (because I posted on a Microsoft forum and my email address got published) and it was very inconvenient for me, let alone all the poor recipients of the emails who had me down as a spammer! That may not have been a virus but I certainly don't want to repeat the experience.

    Finally, I'm not sure of my ability to avoid downloading dodgy software. I don't really want to be deprived of the ability to download utilities such as iAlertU, Shovebox, Alarm Clock, Growl, Chronosync, Combine PDFs and Doug's Scripts for iTunes as well as various plugins for FireFox and the like. I enjoy their functionality and don't want to be reduced to just what Mac OSX can provide. Does that make me vulnerable?
     
  10. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #10
    Best way to FULLY DELETE a program
    You will lose very little, if any, functionality by disabling Java. It's JavaScript, which is a different animal, that enables most of the functionality you're thinking of. Yes, you'll still be able to play videos with Java disabled.
    As I mention in the post I linked to, each computer user, whether it be Mac OS, Windows, Linux, etc. has a responsibility to protect their own system. Even if you run AV to make sure you never send malware to a Windows user, that doesn't protect them from the millions of other sources of potential infection. A better approach is for each Windows user to take care of their own protection. The only way you can send malware to a Windows user is if it's first sent to you, or you download it.
    That's not malware of any kind. That's a result of your email account being either hacked or spoofed, which can happen regardless of which OS you have on your computer and regardless of any AV software, if any, you use. Make sure your email passwords are complex and hard to guess. Beyond that, there's not much you can do about spoofing.
    The apps you list are not "dodgy" software. Most of the apps you download and install are perfectly fine. The dangerous software resides predominantly in pirated software or in codecs or other such apps offered by disreputable sites like porn sites. If you're interested in an app, use MRoogle to search this forum to see what others have said about the app. If you get good reports here, you're most likely safe. Also, if you get apps from reputable sites like cnet Downloads for Mac (formerly VersionTracker) or other well-known sites, you're pretty safe. Unless you're stealing pirated copies of apps or routinely installing software offered by porn sites, you have a VERY small chance of ever encountering malware that could affect your Mac.
     
  11. munkery, Nov 13, 2010
    Last edited: Nov 14, 2010

    munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #11
    ClamAV contains definitions for Windows, Linux, and OS X malware.

    A search for osx and boonana in its database shows the following:

    Trojan.OSX.Cowhand
    OSX.RSPlug-2
    Trojan.OSX.OpinionSpy.B
    Trojan.OSX.OpinionSpy.A
    OSX.RSPlug
    Trojan.OSX.iservices.A
    Trojan.OSX.iservices.B
    OSX.DNSChanger.dmg
    OSX.DNSChanger.dmg-1
    Trojan.OSX.RSPlug.F.dmg
    Trojan.OSX.RSPlug.F.dmg-1
    Trojan.OSX.RSPlug.F.dmg-2
    Trojan.OSX.RSPlug.F.dmg-3
    Trojan.OSX.RSPlug.F.dmg-4
    Trojan.OSX.RSPlug.F.dmg-5
    Trojan.OSX.RSPlug.G.dmg
    Trojan.OSX.RSPlug.G
    Exploit.OSX.Safari
    OSX.DNSChanger
    OSX.Trojan-2
    Trojan.OSX.Opener
    Trojan.OSX.RSPlug.C
    Trojan.OSX.RSPlug.D
    OSX.Tored
    Trojan.Java.Boonana
    Trojan.Java.Boonana-1
    Trojan.Java.Boonana-2
    Trojan.Java.Boonana-3
    Trojan.Java.Boonana-4
    Trojan.Java.Boonana-5

    Some of these are no longer relevant. The relevant entries represent the variants of the 4 known active Trojans.

    Phishing emails can not infect your system so there is no need to remove the dodgy emails from your Time Machine backups. You are safe to remove ClamXav if you no longer want to use it.

    You can manually delete the emails from Time Machine by navigating to the item in Time Machine, secondary clicking the item, and choosing Delete all backups of "item name." You will also have to delete them from ~/Library/Mail and the email server (depending on your settings -> IMAP) to prevent them from returning to your backups.

    In ClamXav, you can use the Sentry feature to keep your email clean by setting it to watch ~/Library/Mail and ~/Library/Mail Downloads. It is not recommended to use the quarantine feature when scanning emails -> http://clamxav.com/index.php?page=prefs

    Set the Sentry to scan ~/Downloads to check apps you download if you are unsure. Most of the relevant OS X malware definitions in ClamXav are also included in XProtect built in to Snow Leopard. As suggested by GGJstudios, only download software from known safe sources if you want to avoid the need for AV software. User knowledge is a better defence against trojans than AV software.

    If you keep AV software on your system only for on-demand scans, ClamXav only uses system resources when you are performing a scan (if you do not use the Sentry). ClamXav is the only AV software without on-access scanning, so it will only use resources when running an on-demand scan, if you wish to do on-demand scans from time to time.
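The distinction drawn in this thread between ClamAV's heuristic phishing names (Heuristics.Phishing.*, HTML.Phishing.*, the older Phishing.Heuristics.* spelling) and real signature hits is easy to automate when scanning ~/Library/Mail from the command line. The script below is an added example, not ClamXav's code or anything the posters wrote: it parses clamscan's "<path>: <name> FOUND" lines and sorts them into two buckets so that a pile of phishing alerts on .emlx files does not hide a genuine detection. The sample scan output, the paths and the OSX.RSPlug hit are all constructed for the demo.

```sh
#!/bin/sh
# Added example (not ClamXav's or the posters' code): triage clamscan output so
# that phishing heuristics raised on mail files are listed separately from
# signature hits on real malware. The scan output below is constructed to
# mimic clamscan's "<path>: <name> FOUND" lines plus its summary; the paths
# and the OSX.RSPlug hit are hypothetical.

SAMPLE_SCAN='/Users/fran/Library/Mail/V2/INBOX.mbox/1.emlx: Heuristics.Phishing.Email.SpoofedDomain FOUND
/Users/fran/Library/Mail/V2/INBOX.mbox/2.emlx: HTML.Phishing.Acc-4 FOUND
/Users/fran/Downloads/free_codec.dmg: OSX.RSPlug FOUND
/Users/fran/Documents/notes.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 3'

TAB=$(printf '\t')

# classify_detections: read clamscan output on stdin and print one
# "<kind>TAB<path>TAB<name>" line per FOUND result, where kind is
# "phishing" for any phishing-heuristic name and "malware" for everything else.
classify_detections() {
    awk '
        / FOUND$/ {
            line = $0
            sub(/ FOUND$/, "", line)
            # The detection name never contains a colon, so the last ": "
            # splits path from name even when the path itself has colons.
            n = match(line, /: [^:]*$/)
            if (n == 0) next
            path = substr(line, 1, n - 1)
            name = substr(line, n + 2)
            kind = (tolower(name) ~ /phishing/) ? "phishing" : "malware"
            printf "%s\t%s\t%s\n", kind, path, name
        }'
}

# count_kind KIND: count classified lines of one kind.
count_kind() {
    awk -F"$TAB" -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

# paths_of_kind KIND: list the files behind one kind of detection.
paths_of_kind() {
    awk -F"$TAB" -v want="$1" '$1 == want { print $2 }'
}

# scan_and_triage DIR: run a real scan (needs clamav installed; not executed
# in the demo). --infected prints only FOUND lines. If you only want signature
# hits, add --phishing-sigs=no --phishing-scan-urls=no, which is where the
# Heuristics.Phishing.* alerts come from.
scan_and_triage() {
    clamscan -r --infected "$1" | classify_detections
}

# Stand-alone demo on the constructed sample.
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SCAN" | classify_detections
    printf 'phishing heuristics: %s\n' "$(printf '%s\n' "$SAMPLE_SCAN" | classify_detections | count_kind phishing)"
    printf 'malware signatures:  %s\n' "$(printf '%s\n' "$SAMPLE_SCAN" | classify_detections | count_kind malware)"
fi
```

Run it with `--demo` to see the two phishing alerts and the one signature hit separated; `scan_and_triage ~/Library/Mail` does the same on a live mailbox. The phishing bucket is the one to leave alone (the mail is just mail, as GGJstudios says); anything in the malware bucket is worth a closer look.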
     
  12. frannbug macrumors member

    Joined:
    Apr 6, 2009
    Location:
    South West London, UK
    #12
    com.pctools.iantivirus.kfs warning?

    Thanks for all the help, guys. I finally managed to eradicate the questionable files and then removed both the dregs of iAntivirus and the complete ClamXav app. from my computer. I certainly had quite a lot of the former still residing in my system files so thanks for the link to a thorough way of removing apps, GGJstudios.

    There is just one thing. I don't think iAnti has really completely gone, even after this purge. The reason? When I start up my computer I get a message that says:

    Warning - kext com.pctools.iantivirus.kfs has immediate dependencies on both com.apple.kernel* and com.apple.kpi.* components; use only one style.

    This also shows up in my kernel log. I have searched in vain for the file com.pctools.iantivirus.kfs and found nothing apart from this log.

    So how do I get rid of this one?
     
  13. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #13
    Try looking in /Library/Extensions or /System/Library/Extensions.
    Also look for a .plist with a name similar to com.Intego.plist in /Library/Preferences or /Users/username/Library/Preferences.
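Searching by file name, as frannbug did, misses the kext because the bundle identifier in the kernel warning is a string inside Contents/Info.plist, not the name of the .kext directory. The script below is an added example, not code from the posters or from PC Tools: it greps the plist files under the directories GGJstudios names (plus the launchd directories) for the identifier and reduces the hits to the .kext bundles that should be moved aside. The identifier is the one from the warning in post #12; the directory list and the constructed demo tree are assumptions.

```sh
#!/bin/sh
# Added example (not the posters' or PC Tools' code): find where a kernel
# extension with a given bundle identifier still lives on disk, so the
# leftover bundle can be moved aside rather than hunted for by file name.
# The identifier comes from the kernel warning in the post; the directory
# list and the demo tree are assumptions.

KEXT_ID='com.pctools.iantivirus.kfs'

# Where a third-party kext and anything that loads it normally sit on 10.6.
DEFAULT_ROOTS='/System/Library/Extensions /Library/Extensions /Library/LaunchDaemons /Library/LaunchAgents /Library/StartupItems'

# find_bundle_id ID ROOT...: print every .plist under the roots that mentions ID.
# A kext declares its identifier as CFBundleIdentifier in Contents/Info.plist, and
# a launchd job that loads it usually repeats the identifier as its Label.
find_bundle_id() {
    id="$1"; shift
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f -name '*.plist' -exec grep -l -F -- "$id" {} + 2>/dev/null || true
    done | sort -u
}

# kext_bundle_dirs ID ROOT...: reduce matching Info.plists to the .kext bundles
# that contain them; these are the directories to move out of the way.
kext_bundle_dirs() {
    find_bundle_id "$@" | sed -n 's|/Contents/Info\.plist$||p' | grep '\.kext$' || true
}

# is_kext_loaded ID: ask the running kernel (macOS only; not run in the demo).
is_kext_loaded() {
    kextstat -l | grep -F -q -- "$1"
}

# make_demo_tree: build a constructed directory tree with one matching kext,
# one unrelated kext and one launchd plist, and print its root.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/Extensions/iAntiVirus.kext/Contents" "$t/Extensions/Other.kext/Contents" "$t/LaunchDaemons"
    printf '<plist><dict><key>CFBundleIdentifier</key><string>%s</string></dict></plist>\n' "$KEXT_ID" \
        > "$t/Extensions/iAntiVirus.kext/Contents/Info.plist"
    printf '<plist><dict><key>CFBundleIdentifier</key><string>com.example.other</string></dict></plist>\n' \
        > "$t/Extensions/Other.kext/Contents/Info.plist"
    printf '<plist><dict><key>Label</key><string>%s</string></dict></plist>\n' "$KEXT_ID" \
        > "$t/LaunchDaemons/com.pctools.iantivirus.plist"
    printf '%s\n' "$t"
}

if [ "${1-}" = "--demo" ]; then
    demo=$(make_demo_tree)
    find_bundle_id "$KEXT_ID" "$demo/Extensions" "$demo/LaunchDaemons"
    kext_bundle_dirs "$KEXT_ID" "$demo/Extensions" "$demo/LaunchDaemons"
    rm -rf "$demo"
elif [ "${1-}" = "--real" ]; then
    # DEFAULT_ROOTS is intentionally left unquoted so it word-splits into arguments.
    find_bundle_id "$KEXT_ID" $DEFAULT_ROOTS
fi
```

On the affected Mac, `sh find_kext.sh --real` (run as root so /System is readable) lists the plists that name the identifier; move the reported .kext directory out of /System/Library/Extensions with sudo, then `sudo touch /System/Library/Extensions` so the kext cache is rebuilt on the next reboot. Until the reboot, `is_kext_loaded "$KEXT_ID"` still reports the extension as loaded, which is expected.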
     
