
ClamXav finding trojans; what do I do with them?

I've read many of the threads on here about anti-virus programs for Macs; most people seem to think they are not necessary & can cause problems, so I concluded it was better to get rid of the 'Norton' that came with the Mac, & in the end I downloaded 'ClamXav'. But it keeps finding trojans & 'heuristics phishing mail' (? what is that?). Found 7 so far today. This is making me really nervous; does it not indicate that in fact I DO need a good anti-virus program? I find it hard to believe that Macs are completely immune to viruses.


I also don't know what to do with these trojans etc that keep being found; I thought that ClamXav will delete them, but it's showing this message: 'One or more infected files were found, but were left where they are. You can either deal with them yourself, or scan again with the preferences set to move them into a different folder.'. Can someone please tell me how to 'deal with them', & how to change the preferences so that ClamXav will delete them in future? (I cannot see anything in the preferences...). Thanks

iMac, Mac OS X (10.7)

Posted on Mar 17, 2013 4:25 AM

11 replies

Mar 17, 2013 4:57 AM in response to Alberto Ravasio

Oh dear - I've now manually deleted them & emptied the trash, as I was nervous of them sitting there... Are any of the Console logs any help? I've tried to look, but it just shows a long list of every file that was scanned, then says '7 infected files' found, but doesn't say where they were. It also says 'I will delete infected files', but it did not delete them. I seem to remember that the trojans were something to do with Adobe..? (But I have a lot of Adobe products; PDF reader; Photoshop; Flash, etc...)

Mar 17, 2013 5:10 AM in response to AliWonder

First of all, allow me to help informationally.


http://www.reedcorner.net/mmg/


http://www.clamxav.com/BB/viewforum.php?f=1&sid=f451f391441f09e60c92a1338c79bdbf


https://discussions.apple.com/thread/4843307?answerId=21364871022#21364871022


The first link is to a "security awareness site for Macs", the second is to the "ClamXav support forum" and the third is a link to a similar infection on the Mac side from the Mac forum.


As for ClamXav, most of the time I have manually deleted issues discovered after finding out what they truly were.

Mar 17, 2013 8:03 AM in response to AliWonder

First, for faster, more efficient answers to questions about ClamXav I encourage you to visit the ClamXav Forum.


If you are finding these "Trojans" using the ClamXav application in a manual scan, there is no preference to delete the files. That is only used with the Sentry feature.


It is important to know exactly where these infected files are located, as certain files don't like to be moved or deleted manually as they may corrupt an index file. That includes almost all e-mail along with iPhoto, iTunes and backup files. Such files need to be deleted from within the appropriate application, not the A-V program or the Finder.


There are a couple of ways to figure out which files were found:


- In ClamXav open the Scan Log by clicking the icon on the tool bar

- When the "clamXav-scan.log" window opens, you will only be looking at the most recent results

- Select Find->Find from the Edit menu or type Command-F

- Type "FOUND" in all caps and without the quotes in the Find: box

- Uncheck the "Ignore Case" box

- Click the "Next" button or type Command-G until you find what you are looking for

- If it doesn't show up in the most recent results, use the "▲ Earlier|" button in the lower right corner of the window to move back through the log.


or


Open the Terminal app (found in /Applications/Utilities/), then copy and paste the following after the "$ " prompt:

grep 'FOUND' ~/Library/Logs/clamXav-scan.log

and hit return.

Mar 17, 2013 8:31 AM in response to MadMacs0

Thanks both (sorry have not got a lot of time today to deal with this; I wasn't ignoring michaelsip4's reply). Re. reply above from MadMac; you mean I look for all the files that have 'FOUND' next to them? See below. (Some are showing as in the trash I think because I trashed them?). First 3 I can't identify, apart from one that looks like a file related to Firefox..? Ok - the other files which include this - amghardanna@yahoo.com@imap.mail.yahoo.com/ - are totally weird. This is my late boyfriend's email address. He used to use my computer, and for some reason that 'Mail' thing brings up all of his e-mails, including huge amounts of spam that comes via his Facebook page. I don't know how to stop it doing this. My boyfriend died last October so I cannot ask him to change his Facebook settings. I never even set up that 'Mail' program & don't use it myself; it just pops up from time to time, with a mixture of both mine and his e-mails in.


/Users/alicemutasa/.Trash/EPTBL.dll: Win.Trojan.Ramnit-499 FOUND

/Users/alicemutasa/.Trash/firefox.exe: Win.Trojan.Swrort-3602 FOUND

/Users/alicemutasa/.Trash/sqlite.dll: Win.Trojan.Zbot-10635 FOUND

amghardanna@yahoo.com@imap.mail.yahoo.com/INBOX.mbox/14F0B04F-CCD3-4038-B0D2-B6809A01D78C/Data/0/1/Messages/10513.emlx: Heuristics.Phishing.Email.SSL-Spoof FOUND

/Users/alicemutasa/Library/Mail/V2/IMAP-amghardanna@yahoo.com@imap.mail.yahoo.com/INBOX.mbox/14F0B04F-CCD3-4038-B0D2-B6809A01D78C/Data/0/1/Messages/10551.emlx: Heuristics.Phishing.Email.SSL-Spoof FOUND

/Users/alicemutasa/Library/Mail/V2/IMAP-amghardanna@yahoo.com@imap.mail.yahoo.com/INBOX.mbox/14F0B04F-CCD3-4038-B0D2-B6809A01D78C/Data/0/1/Messages/10552.emlx: Heuristics.Phishing.Email.SSL-Spoof FOUND

/Users/alicemutasa/Library/Mail/V2/IMAP-amghardanna@yahoo.com@imap.mail.yahoo.com/INBOX.mbox/14F0B04F-CCD3-4038-B0D2-B6809A01D78C/Data/1/1/Messages/11923.emlx: Heuristics.Phishing.Email.SpoofedDomain FOUND

Mar 17, 2013 8:44 AM in response to AliWonder

While you are waiting for MadMacs0's response (I have indirectly worked with the person before), allow me to make you aware of the e-mail aspects. First of all, see the "Apple discussion link" in the earlier post. On some of the Heuristics.Phishing.Email alerts: they are legitimate e-mails from reliable sources, however due to formatting/structure they come up as an alert. Then again, they could be bad as well. Just wanted to make you aware.

Mar 17, 2013 11:18 AM in response to Alberto Ravasio

Staying on the e-mail vein from the earlier discussion post:


The word Heuristics means that it wasn't positively identified as a phishing message, just that something about the way it was formatted looked suspicious.


These should always be read first to make certain they aren't something important.


Secondly moving it will corrupt the mailbox index.


Here's my standard guidance on handling such things: Never use ClamXav (or any other A-V software) to move (quarantine) or delete e-mail. It will corrupt the mailbox index which could cause loss of other e-mail and other issues with functions such as searching. It may also leave the original e-mail on your ISP's e-mail server and will be re-downloaded to your hard drive the next time you check for new mail. So, if you choose to "Scan e-mail content for malware and phishing" in the General Preferences, make sure you do not elect to either Quarantine or Delete infected files.


When possibly infected e-mail files are found:

- Highlight the entry in the ClamXav window's top pane that needs to be dealt with.

- Right-click/Control-click on the entry.

- Select "Reveal In Finder" from the pop-up menu.

- When the window opens, double-click on the file to open the message in your e-mail client application.

- Read the message and if you agree that it is junk/spam/phishing then use the e-mail client's delete button to delete it (reading it is especially important when the word "Heuristics" appears in the infection name).

- If you disagree and choose to retain the message, return to ClamXav and choose "Exclude From Future Scans" from the pop-up menu.

- If this is a g-mail account and those messages continue to show up after you have deleted them in the above manner, you may need to log in to webmail using your browser, go to the "All Mail" folder, find the message(s) and use the delete button there to permanently delete them from the server. Then check the "Trash" folder and delete them there.
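The two pieces of advice above (grep the scan log for FOUND, and never let the A-V program move or delete anything that lives in a Mail, iPhoto or iTunes store) can be combined into a small triage script. The script below is an added example, not ClamXav's own code or anything from this thread's participants; it assumes the log format shown in the thread ("path: Signature FOUND", one detection per line) and runs against a constructed sample log written to a temporary file, not a real scan log. For each detection it reports where the file lives (which decides how it may safely be removed) and what kind of signature fired (which decides how sure you can be), so that a Heuristics hit inside ~/Library/Mail is flagged as "read it in Mail first, then delete from within Mail" rather than something to drag to the Trash.

```shell
#!/bin/sh
# Added triage helper for ClamXav scan-log lines (example code, not ClamXav's).
# Assumed log format: "<path>: <Signature> FOUND" (as quoted in the thread).

# Where is the file?  Decides HOW it may be removed.
location_class() {
  case $1 in
    */Library/Mail/*|*.emlx|*.mbox/*)  echo MAIL ;;         # delete from within Mail only
    *"/iPhoto Library/"*|*/iTunes/*)   echo APP-MANAGED ;;  # delete from within the owning app
    */.Trash/*)                        echo TRASH ;;        # emptying the Trash takes care of it
    *)                                 echo FILESYSTEM ;;   # an ordinary file; Finder is fine
  esac
}

# What kind of detection is it?  Decides HOW SURE we are.
signature_class() {
  case $1 in
    Heuristics.*) echo HEURISTIC ;;     # not positively identified; read the message first
    Win.*)        echo WINDOWS-ONLY ;;  # cannot run on the Mac; remove so it isn't passed on
    *)            echo OTHER ;;         # look the signature up before acting
  esac
}

# Emit one tab-separated record per FOUND line in log file $1:
#   location-class  signature-class  signature  path
triage_log() {
  grep ' FOUND$' "$1" | while IFS= read -r line; do
    sig=${line##*: }              # text after the last ": " -> "Signature FOUND"
    sig=${sig% FOUND}             # -> "Signature"
    path=${line%": $sig FOUND"}   # everything before ": Signature FOUND"
    printf '%s\t%s\t%s\t%s\n' \
      "$(location_class "$path")" "$(signature_class "$sig")" "$sig" "$path"
  done
}

# Number of FOUND entries whose location class is $1 in log file $2.
count_class() {
  triage_log "$2" | awk -F'\t' -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# Constructed sample log (fake paths, fake user, EICAR test signature); written to $1.
write_sample_log() {
  cat > "$1" <<'EOF'
/Users/example/Downloads/setup.exe: OK
/Users/example/.Trash/EPTBL.dll: Win.Trojan.Ramnit-499 FOUND
/Users/example/Library/Mail/V2/IMAP-user@example.com@imap.example.com/INBOX.mbox/0000/Data/0/1/Messages/10513.emlx: Heuristics.Phishing.Email.SSL-Spoof FOUND
/Users/example/Documents/notes.txt: OK
/Users/example/Library/Mail/V2/IMAP-user@example.com@imap.example.com/INBOX.mbox/0000/Data/1/1/Messages/11923.emlx: Heuristics.Phishing.Email.SpoofedDomain FOUND
/Users/example/Pictures/iPhoto Library/Masters/2013/eicar.com: Eicar-Test-Signature FOUND
EOF
}

# Stand-alone usage: triage the constructed sample and print the records.
demo_log=$(mktemp)
write_sample_log "$demo_log"
triage_log "$demo_log"
rm -f "$demo_log"
```

To use it on a real machine, replace the sample with ~/Library/Logs/clamXav-scan.log as the argument to triage_log; anything classed MAIL or APP-MANAGED should be opened and deleted from within Mail, iPhoto or iTunes, and a HEURISTIC signature means the message has to be read before deciding whether it is junk at all.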

Mar 17, 2013 1:22 PM in response to AliWonder

AliWonder wrote:


you mean I look for all the files that have 'FOUND' next to them?

Yes.

(Some are showing as in the trash I think because I trashed them?).

That's correct. How they got there is not particularly important right now. The "Win" in the name indicates they are most certainly Windows only malware and it's always good to get rid of it to prevent it from being passed on to any PC users you correspond with. One of them is a fake Firefox application, also not unusual in the PC world. In any case, emptying the Trash Can at this point should permanently take care of them.

the other files which include this - amghardanna@yahoo.com@imap.mail.yahoo.com/ - are totally weird. This is my late boyfriend's email address. He used to use my computer, and for some reason that 'Mail' thing brings up all of his e-mails, including huge amounts of spam that comes via his Facebook page. I don't know how to stop it doing this.

I would agree that you need not be concerned by any of them. I don't know what would cause Mail to open on its own, but deleting his account from it would probably be a good idea at this point.


I'm not a Mail user myself, currently have an older version with my setup and only use it for testing purposes, but I think I can walk you through doing that if you would like me to. It would not do anything as far as any of his actual accounts are concerned, just remove it from Mail.


And sorry for your loss....
