04-25-2012, 07:02 PM

On April 20th I changed the settings of my computer per the "What security steps should I take?" and the "Why am I being redirected to other sites?" as per this guide: Mac Virus/Malware FAQ - Mac Guides

Then I downloaded ClamXav (love this app!), to scan my Mac Mini. It found 6 infected files. I right-clicked on each file and moved them to the trash. Then emptied the trash securely (Secure Empty Trash), and scanned again. It found the same six files again, in the same location of my computer.
So I changed the Preferences in ClamXav to delete them, and scanned again. It said it moved them to the trash. Then I Secure Emptied Trash, and five of the six files come up again as being in the computer. I have tried also after it finds the files to right-click and show me the file in the finder, and manually moving them to the trash, then emptying the trash securely, and still in the next scan they appear again.

The only file which I did manage to erase successfully from my Mac was a Worm-Autorun-3571 (called javatmp2665542262960398524.exe).

The five files which I can't erase are all .emlx files, located in:
/Users/myuser/Library/Mail/V2/IMAP-myemail@imap.gmail.com/[Gmail].mbox/All Mail.mbox/3B0EAA9B-2838-4042-AE3E-F385EDA6A001/Data/0/3/Messages/30113.emlx (The infection name of this one is Heuristics.Phishing)
/Users/myuser/Library/Mail/V2/IMAP-myemail@imap.gmail.com/[Gmail].mbox/All Mail.mbox/3B0EAA9B-2838-4042-AE3E-F385EDA6A001/Data/7/2/Messages/27781.emlx (The infection name of this one is Heuristics.Phishing)
/Users/myuser/Library/Mail/V2/IMAP-myemail@imap.gmail.com/[Gmail].mbox/All Mail.mbox/3B0EAA9B-2838-4042-AE3E-F385EDA6A001/Data/9/2/Messages/29852.emlx (The infection name of this one is Heuristics.Phishing)
/Users/myuser/Library/Mail/V2/IMAP-myemail@imap.gmail.com/[Gmail].mbox/All Mail.mbox/3B0EAA9B-2838-4042-AE3E-F385EDA6A001/Data/2/Messages/2721.emlx (The infection name of this one is Worm-Autorun-945)
/Users/myuser/Library/Mail/V2/IMAP-myemail@imap.gmail.com/[Gmail].mbox/All Mail.mbox/3B0EAA9B-2838-4042-AE3E-F385EDA6A001/Data/3/Messages/3305.emlx (The infection name of this one is Email.Trojan-31)

Searching I realize that it finds the .emlx file on my computer again because I am using imap, and the email has not been erased off of my email server, so they appear again in my computer automatically. My question is HOW TO DO I FIND OUT WHICH EMAIL CORRESPONDS TO EACH FILE SO I CAN DELETE THEM FROM MY EMAIL SERVER??

I am not so concerned with the "Heuristics.Phishing" but I would like to delete the one that contains the Trojan-31 and Worm Autorun-945... I have been searching on internet but I cant find the answer. Any help would be greatly appreciated! Thank you!!

04-25-2012, 08:05 PM

Those are all Windows trojans which no impact or effect on your Mac. If the trojans exist on the server, it's up to your ISP to remove them not you.

04-25-2012, 08:16 PM

I figured out I find the file using the Finder -> Go -> Go to folder -> ~/Library and finding the file, clicking on it and it opens the email.

The one that is supposed to have the Email.Trojan-31 infection is this one which included information and links about Trojans and how to erase and repair them:
From: VSAntivirus.com <vsantivirus@vsantivirus.com>
Subject: VSantivirus No. 2201 Año 10, jueves 27 de julio de 2006
Date: July 27, 2006 2:14:35 AM CDT
To: VSAntivirus <vsantivirus@listas.vsantivirus.com>

The one that is supposed to have the infection Worm-Autorun-945 is this one which included information and links about Worms and how to erase and repair them:
From: VSAntivirus.com <vsantivirus@vsantivirus.com>
Subject: VSantivirus No 2272 Año 10, miércoles 18 de octubre de 2006
Date: October 18, 2006 12:32:34 AM CDT
To: VSAntivirus <vsantivirus@listas.vsantivirus.com>

The Heuristics.Phishing supposed infections corresponded to the following emails:
From: Monster.com.mx <info@monstermail.com.mx>
Subject: El lenguaje corporal en las entrevistas.
Date: April 26, 2011 5:54:48 PM CDT
Reply-To: info@monstermail.com.mx

From: Monster.com.mx <info@monstermail.com.mx>
Subject: Sueldo. ¿Cuánto valgo?
Date: February 29, 2012 1:21:13 PM CST
Reply-To: info@monstermail.com.mx

From: Monster.com.mx <info@monstermail.com.mx>
Subject: Expande tus oportunidades laborales con el Networking
Date: June 21, 2011 11:55:23 AM CDT
Reply-To: info@monstermail.com.mx

I've deleted them all from my email server and my Mac, and will scan again to see if now they don't show up.

04-25-2012, 08:20 PM

Quote:

Originally Posted by chscag

Those are all Windows trojans which no impact or effect on your Mac. If the trojans exist on the server, it's up to your ISP to remove them not you.

Thank you very much for your reply.

I suspect the infection notice was a false positive and those emails weren't really infected, but still it bothered me to have them show up in the scan, and they were emails I could delete as they were not important to keep, so I did. Now I hope they don't show up again now that I have deleted them! We'll see!

03-11-2013, 01:03 PM

I'm concerned that your answer to this problem was to open the email.. If it was targeted to OSx that's usually how you actually get the infection.

03-13-2013, 01:19 AM

Quote:

Originally Posted by jferguson

I'm concerned that your answer to this problem was to open the email.. If it was targeted to OSx that's usually how you actually get the infection.

Dear JFerguson,
Thank you for your concern. I opened the emails because I knew what they were, and the sender. It was a newsletter I subscribed to from vsantivirus.com, and it had no attachments so I felt confident in opening them. After I deleted the emails from my email account the scan came out clean, and I haven't had any problem with my Mac (not that I would as they were Windows viruses anyway, but just saying that nothing bad happened!

Kind Regards,

Tamara