How to remove infected files
Published October 27th, 2013 at 9:42 PM EST , modified October 27th, 2013 at 9:42 PM EST
I get questions all the time asking me how to remove a variety of infected files. There are a variety of different things that might be turned up by anti-virus software, some to worry about and many not to. They show up in a variety of places, some of which should not under any circumstances be touched by the user, much less by anti-virus software. How is a person supposed to know how to handle such things, or whether to handle them at all?
First and foremost, it’s important to follow one primary rule when your anti-virus software detects malware on a Mac: do nothing! At least, not right away. Far too many people have knee-jerk reactions, ranging from allowing the anti-virus software to remove malware that should have been handled differently to taking bad advice from a forum somewhere, ignoring the detection and uninstalling the anti-virus software. Such reactions can have a variety of disastrous consequences, however. It’s important to take a more cautious and researched approach to avoid those consequences.
One important piece of information that must be obtained before proceeding is the name of the malware that was found. Such names vary wildly, and even the same piece of malware may have a dozen different names, depending on what anti-virus software you’re using. Names will generally look something like OSX/Icefog.A, OSX_CLAPZOK.A, MacOS:Tored-A, Win32/Spy.Agent.NYU or Trojan.PWS.Multi.1145. As you may notice from those examples, names often (but not always) indicate the system that is affected (OSX or MacOS for Mac malware, Win32 for Windows).
If the name indicates that the malware is for Windows systems, disposing of it is a good idea to avoid passing it on to a Windows machine accidentally, but not particularly vital for your Mac’s safety. If the name doesn’t indicate the system, some research will be necessary to find out more about it. Often, searching Google for the exact malware name will get you that information. Putting that name in quotes (i.e., “OSX/Icefog.A”), to force Google to search for that exact text, can help narrow the results to only the most relevant.
If the name contains something like “OSX” or “MacOS”, or if researching a more generic-sounding name turns up the fact that it is actually Mac malware, more care needs to be taken. Unfortunately, once a computer is infected, there may not be a non-drastic way to completely purge the infection. In certain cases, where the malware has very well-known behaviors, removal isn’t too difficult, but the proper procedures will need to be followed, and those procedures will vary depending on the malware. However, a lot of the malware out there these days includes some kind of back door, giving the hackers remote access to your computer and making it possible for additional malicious payloads to be installed later. Even if you remove all known components of the malware, you could still have other unknown (and potentially undetectable) malicious processes that were installed through the back door.
For these reasons, I don’t advise trying to remove Mac malware without professional assistance. In many cases, unfortunately, removal may require completely erasing your hard drive and reinstalling everything from scratch.
To remove Windows malware, you first need to determine where the infected files are. How this is done varies wildly depending on the anti-virus software, so you may need to consult the user manual for your software if it’s not immediately obvious. Shown here is an example, from VirusBarrier Express, in which the path to the file is shown at the bottom of the list when a particular malicious file is selected. In many cases, though, you will be given a Unix-style file path. In some cases, you may not be given a file path, but can reveal the file in the Finder, in which case command-clicking in the folder name in the window’s title bar will reveal the path to that folder.
Regardless of how you determine the location of a file identified as malicious, you should only remove the file if it’s somewhere inside your user folder (the one inside the Users folder that matches your username, such as the folder named “thomas” in the VirusBarrier Express example shown above). Even then, certain locations inside your user folder (like the Library folder, your iTunes library or your iPhoto library, for example) are still off-limits. Generally speaking, any library of files that is maintained by a special app (other than the Finder) should not be messed with directly. A malicious file in a place like your Desktop, Documents, Downloads or Public folders can be safely deleted. Items in the Shared folder found in the Users folder may also be able to be deleted, though an admin user may be needed for that, and care will need to be taken before deleting files another user put there.
If the file is found in your iTunes or iPhoto library, you should try to determine where that item is within the library and delete it from within iTunes or iPhoto, rather than in the Finder. Similarly, if the file has a name ending in .emlx and is in the Mail folder inside your user Library folder, you should locate the message in Mail and delete it from there. In this case, opening the .emlx file in the Finder will open the message in Mail (which is perfectly safe as long as you don’t click any links or open attachments in the message), making it easy to delete.
Files found outside the user folder should generally not be touched. In such a case, if the file is considered Windows malware, it’s highly likely that the detection is a false positive. I have seen anti-virus software identify important system files as malware, so if you delete files outside the user folder, you could end up crippling your system. One exception to this rule is the .MobileBackups folder, which contains one week’s worth of daily Time Machine backups. This folder could contain malware, but that malware can safely be ignored, since it will be deleted automatically after one week.
If malware is found in a Time Machine backup on an external hard drive, the infected file absolutely must not be removed in the Finder or by the anti-virus software! Doing so can corrupt your backups, which is obviously never a good thing. These malicious files can simply be left alone. When the backup drive fills up, Time Machine will begin removing the oldest files, so eventually those files will disappear by themselves. You just have to be aware that they are there, in case you restore those files somehow. If you decide you want to remove them, though, enter Time Machine (choose Enter Time Machine from the Time Machine menu), navigate to each file and control-click it, choosing “Delete all backups of [item]”.
If, after reading all this, you still aren’t sure how to handle a particular piece of malware that has been called to your attention, seek the advice of a security professional. You will need to have three primary pieces of information in order to get effective assistance: the full name of the malware, the name of the file identified as that malware and the full path to that file. Screenshots of the relevant information, as reported by your anti-virus software, can help immensely!