Virus within Zotero: Mal/FBJack-P

I'm using Zotero standalone and the Firefox plug-in on a 2013 MacBook Air.

My anti-virus software (Sophos) is flashing up a message saying that my Zotero cache contains a virus called Mal/FBJack-P.

Sophos explains what it is here: https://secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~FBJack-P/detailed-analysis.aspx

The problem is that Sophos can't seem to get rid of the files. It says five files are infected, and is showing the file path as: Users/MYNAME/Library/Caches/Zotero/Profiles/1m931hpk.default/Cache/1/8B/EF06Cd01

But when I navigate to this location, the folder is empty (it doesn't show any files). I've tried reinstalling Zotero to get rid of the files, but it didn't work, so I really would like to just delete these files so that I'm free of it.

Has anyone else come across this virus and/or have any tips for removing it? I've had it for a few weeks now and it's starting to irritate...

Look forward to your replies!

John
  • This isn't actually a part of Zotero, but part of a webpage snapshot you downloaded with Zotero, so that's what you're looking for.

    What I would try is to find the folder EF06Cd01 in the storage directory of the Zotero data folder (which I think would be
    /MYNAME/Library/Caches/Zotero/Profiles/1m931hpk.default/zotero in your case; if not, see here: http://www.zotero.org/support/zotero_data ).
    Figure out which Zotero item it belongs to and delete the Snapshot in Zotero.

    If it's not there, this may be syncing from the server, in which case you'll need to find it there. You should be able to see it at the URL
    https://www.zotero.org/wadh3337/items/itemKey/EF06Cd01
  • Zotero standalone uses the same architecture as Firefox, so you should be able to delete the whole Zotero folder under ~/Library/Caches without problem. (Do this after you have shut Zotero down.) Zotero will recreate the folder the next time it starts. Your data is not stored there unless you relocated the data directory there. (Back up first if you're truly afraid.)
  • What I would try is to find the folder EF06Cd01 in the storage directory of the Zotero data folder (which I think would be
    /MYNAME/Library/Caches/Zotero/Profiles/1m931hpk.default/zotero in your case
    No, the "/MYNAME/Library/Caches" folder is for cache data (temporary files). Firefox/Zotero standalone profile folders should be in "/MYNAME/Library/Application Support".
  • Right, of course.
  • So you seem to be suggesting different options: just delete the cache file under Firefox, or go into Library/Application Support, find the files and delete them manually.

    But I'm confused: if the files aren't in the cache folder, then how will deleting it get rid of the problem?
  • Do both. Deleting the cache won't hurt, but if this keeps re-appearing as an issue, there's a good chance it won't be enough to fix it.
  • "EF06Cd01" isn't actually a Zotero item key — it just looks sort of like one. So you won't find anything at the zotero.org URL above or with that folder name in the data directory within Application Support. Try just emptying the cache folder.

    If this comes up again after that (e.g., during syncing), let us know.
  • Yes, I found out when I was looking in the data directory that none of these items are in there.

    I deleted the cache folder, but that unfortunately doesn't seem to have got rid of the problem. It just popped up again now with a file: Users/MYNAME/Library/Caches/Zotero/Profiles/1m931hpk.default/Cache/D/8A/39FEDd01

    And when I hit the sync button, the virus warning pops up again, so almost definitely linked to syncing in some way.

    I'd be super grateful if you have any suggestions for how to proceed (a way of emptying the online cache and/or the one in Firefox, maybe?). I'm not super computer-literate, so apologies if the solution is really obvious.
  • Is the file (39FEDd01) still there? If so, can you open it with a text editor (TextEdit should work)? (Right-click and select an editor from the "Open With" menu, or drag and drop it into TextEdit.)

    According to the description by Sophos, this should be a JavaScript virus, so loading it into a text editor should do no harm, and it should look like human-readable code. If it's embedded in a web page, it should read like an HTML file, with some JavaScript code that you don't understand. Ignore that and read the part you can understand; that might give you enough of a clue which record in your library is associated with it.

    Another way to test, if you don't have many items in your library yet, is to double-click on each item in your library to revisit the original page, and see which one triggers the alarm.
  • The problem would seem to be that, per the initial post:
    "But when I navigate to this location, the folder is empty (it doesn't show any files)."
    Could be that those are - for whatever reason - hidden files?
    (See http://osxdaily.com/2009/02/25/show-hidden-files-in-os-x/ on showing hidden files on a Mac.)
  • At least on a Mac, the profile root under the Caches folder (1m931hpk.default in this case) should be hidden, but after getting inside, the folders and files should be in plain sight.
  • If you provide a Debug ID for a sync attempt that triggers this, I might be able to tell you the item in question.
  • edited November 4, 2013
    It doesn't seem to be triggered instantly by a sync. But I ran the logging and then did a virus scan, and it flashed up as detecting something. I'm not sure if this is helpful or not, but the number is: D1295371244.

    I'm finding it very hard (i.e. I don't know) what is triggering the virus alert.
  • An update which hopefully sheds a bit more light: I just downloaded a PDF, saved it, renamed it and attached it to a new reference I had just created in my Zotero library, and this triggered the virus alert.

    I just redid the entire process, running the debugger, and it triggered the virus alert again. Here's the ID: D349031353.

    So it seems connected to attaching documents and then opening them in Zotero? Sophos gives the file in question the following path:
    /Users/MYNAME/Library/Application Support/Zotero/Profiles/1m931hpk.default/zotero/tmp/JQDTPNJC.zip.tmp
  • edited November 4, 2013
    So if you paste 'JQDTPNJC' into the Zotero search bar you can see the item in question. Delete it, empty the trash, sync.