8 Replies Latest reply: Apr 3, 2013 12:54 PM by MadMacs0
Reds_fan Level 1 Level 1 (0 points)

I found a folder that I thought had been deleted from my trash.  My folder's name is titled "Icons."  The problem is when I open the folder, all of my files are not viewable.  Each item says BRLaser has 4 numbers and then ends in .icns.  They are all pictures of different printers...seriously?  They were all accounting files initially, mostly spreadsheets and some PDF files.

This all started when I ran Clam and detected several Trojans.  After I cleaned them up, Quarantined them and sent them to the trash, this is when I had problems.  Does anybody have a solution to this?


iMac (21.5-inch Mid 2011), Mac OS X (10.7.4)
  • MadMacs0 Level 5 Level 5 (4,660 points)

    Reds_fan wrote:

     

    I found a folder that I thought had been deleted from my trash.  My folder's name is titled "Icons."  The problem is when I open the folder, all of my files are not viewable.  Each item says BRLaser has 4 numbers and then ends in .icns.  They are all pictures of different printers...seriously?  They were all accounting files initially, mostly spreadsheets and some PDF files.

    This all started when I ran Clam and detected several Trojans.  After I cleaned them up, Quarantined them and sent them to the trash, this is when I had problems.  Does anybody have a solution to this?

    If I had a list of what ClamXav found (file & infection names) and where they were initially located, I might be able to help. It would be in one of your ClamXav scan logs. Did you find these with the ClamXav app or Sentry? How long ago?

  • Reds_fan Level 1 Level 1 (0 points)

    I couldn't find it in the scan logs.  I do know that some were from an email that had a virus attached to it (fake email from the Better Business Bureau).  If I remember correctly, they also were tracking trojans.

    These were found from the ClamXav app and they were discovered yesterday.

  • Reds_fan Level 1 Level 1 (0 points)

    Actually I just found a couple.  Filename is 36317.emlx, infection name Email.Trojan-432.  Another is 36321.emlx, Win.Trojan.Agen

  • MadMacs0 Level 5 Level 5 (4,660 points)

    Reds_fan wrote:

     

    Actually I just found a couple.  Filename is 36317.emlx, infection name Email.Trojan-432.  Another is 36321.emlx, Win.Trojan.Agen

    OK, so those are both e-mails, so you will need to do a little repair work.

     

    The only Trojans known to impact OS X were sent to Tibetan sympathizers, so unless you are in that category, you have nothing to worry about. The second one is Windows only.  I need to check on the first one, but odds are great that it is also.

     

    First of all, here's an easy way to find out what mailbox they came from:

     

    Open the Terminal app (found in /Applications/Utilities/), then copy and paste the following after the "$ " prompt:

    grep 'FOUND' ~/Library/Logs/clamXav-scan.log

    and hit return.

     

    Now open the Mail app and highlight each of the mailboxes where infected files were found and select "Rebuild" from the bottom of the Mailbox menu.

     

    If this was from a Gmail account let me know as there is probably still more work to be done.

     

    And for the future:

     

    Never use ClamXav (or any other A-V software) to move (quarantine) or delete e-mail. It will corrupt the mailbox index which could cause loss of other e-mail and other issues with functions such as searching. It may also leave the original e-mail on your ISP's e-mail server and will be re-downloaded to your hard drive the next time you check for new mail.

     

    So, if you choose to "Scan e-mail content for malware and phishing" in the General Preferences, make sure you do not elect to either Quarantine or Delete infected files.

     

    When possibly infected e-mail files are found:

    - Highlight the entry in the ClamXav window's top pane that needs to be dealt with.

    - Right-click/Control-click on the entry.

    - Select "Reveal In Finder" from the pop-up menu.

    - When the window opens, double-click on the file to open the message in your e-mail client application.

    - Read the message and if you agree that it is junk/spam/phishing then use the e-mail client's delete button to delete it (reading it is especially important when the word "Heuristics" appears in the infection name).

    - If you disagree and choose to retain the message, return to ClamXav and choose "Exclude From Future Scans" from the pop-up menu.
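The grep step above only lists the raw "FOUND" lines; the script below, an added example that is not from the thread or from ClamXav, goes one step further and maps each flagged .emlx file to the Mail mailbox (.mbox directory) it lives in, and reports clearly when the scan log is missing rather than failing with a bare "No such file or directory". It assumes the clamscan log format "<path>: <signature> FOUND"; the sample log, mailbox paths and the second signature name are constructed.

```shell
#!/bin/sh
# Added example: list ClamXav/clamscan "FOUND" hits and the Mail mailbox each
# flagged message belongs to. Not part of ClamXav; log format is assumed.

LOG="${HOME:-/tmp}/Library/Logs/clamXav-scan.log"   # path quoted in the thread

# Constructed sample log (hypothetical paths, one constructed signature name).
make_sample_log() {
  cat > "$1" <<'EOF'
/Users/me/Library/Mail/V2/IMAP-me@example.com/INBOX.mbox/1234/Data/Messages/36317.emlx: Email.Trojan-432 FOUND
/Users/me/Library/Mail/V2/IMAP-me@example.com/INBOX.mbox/1234/Data/Messages/36321.emlx: Win.Trojan.Example-1 FOUND
/Users/me/Documents/report.pdf: OK
/Users/me/Library/Mail/V2/Mailboxes/Archive.mbox/9/Data/Messages/40001.emlx: Heuristics.Phishing.Email.SpoofedDomain FOUND
EOF
}

# Print "mailbox<TAB>signature<TAB>file" for every FOUND entry in the log $1.
# Returns 2 with a readable message when the log does not exist (the
# "No such file or directory" case from the thread).
list_found() {
  log="$1"
  if [ ! -f "$log" ]; then
    echo "scan log not found: $log (run a ClamXav scan first, or pass its log path)" >&2
    return 2
  fi
  grep 'FOUND$' "$log" | while IFS= read -r line; do
    path="${line%: *}"                       # everything before the last ": "
    sig="${line##*: }"; sig="${sig% FOUND}"  # signature name between ": " and " FOUND"
    # Mailbox = the deepest *.mbox directory on the path (empty if none)
    mbox=$(printf '%s\n' "$path" | sed -n 's#\(.*\.mbox\)/.*#\1#p')
    printf '%s\t%s\t%s\n' "${mbox:-<not in a mailbox>}" "$sig" "$path"
  done
}

# Stand-alone run: use the real log when present, otherwise the constructed sample.
if [ ! -f "$LOG" ]; then
  LOG=$(mktemp); make_sample_log "$LOG"
fi
list_found "$LOG"
```

Each distinct mailbox in the first column is one that would need the "Rebuild" step in Mail; a "Heuristics" signature is the case where the message should be read before deciding anything.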

  • MadMacs0 Level 5 Level 5 (4,660 points)

    Reds_fan wrote:

     

    infection name Email.Trojan-432.

    The identifying string for this one is:

     

    We_encourage_you_to print_this{WILDCARD_ANY_STRING(LENGTH<=16)}(attached_file),_answer_the_question s_and_respond_to_us

     

    except that I substituted "_" for spaces to prevent this entry from being identified as malware.

     

    So it sounds like the attached file would need to be opened, either to infect a computer or it is a phishing attempt to obtain privacy information. Again, odds are the attachment would not have opened on a Mac, even if you had tried.

  • Reds_fan Level 1 Level 1 (0 points)

    Thanks.  I put the prompt in that you suggested and it says "No such file or directory."  I'm not concerned about my email too much, but rather the file that I initially had a bunch of documents in.  Here is my original post, maybe this will help:

    The problem is when I open the folder, all of my files are not viewable.  Each item says BRLaser has 4 numbers and then ends in .icns.  They are all pictures of different printers...seriously?  They were all accounting files initially, mostly spreadsheets and some PDF files.

  • thomas_r. Level 7 Level 7 (30,530 points)

    I have the feeling that you may be misunderstanding something about the file system. I've never heard of anything, malware or otherwise, that will replace a folder full of documents with a folder full of printer icons.

     

    Where is this Icons folder? Where do you expect your documents to be? Can you provide a screenshot to help us understand what you're seeing? (Press command-shift-3, or command-shift-4 and then drag a rectangle around the area to take a picture of. The resulting screenshot will appear on your desktop. Click the camera icon in the toolbar of this forum's message editor to insert the screenshot in a post. Be sure not to post a screenshot containing sensitive personal information.)

     

    Regarding the malware that was found, those are not Mac malware, and thus could not have caused this problem.

  • MadMacs0 Level 5 Level 5 (4,660 points)

    Reds_fan wrote:

     

    I put the prompt in that you suggested and it says "No such file or directory."

    I don't see how that could be possible if you copied and pasted it, but OK...

     

    I'm not concerned about my email too much, but rather the file that I initially had a bunch of documents in.

    Well yes, I understand that, but it doesn't make any more sense to me than it does to you. I am fairly certain that those "BR" files are from Brother Laser Printer drivers, but not having any Brother printers yet, I can't be positive. How they would have gotten into a folder that previously contained spreadsheets and PDF files is anybody's guess. It certainly would not have been caused by malware and with no evidence that they were identified as malware by ClamXav I don't see how they could have been moved there during your scan.