
VBA/TrojanDownloader.Agent.TUW how to remove



Hello,

I have this Outlook alert going on for days with "VBA/TrojanDownloader.Agent has been detected in a file that Outlook is attempting to access" and it keeps going on and on. Eset says threat cleaned but the alert comes back every 2 minutes.

I've scanned the computer with Eset and it doesn't change.

I've googled it but didn't find any solution that worked (including malware cleaning). Does anybody have any idea?

Thank you for your help

 

eset detection.JPG


Open Eset Detection Log and post a few log entries related to this alert.

Since they will be posted in French and this is an English language forum, do the following. First, copy each log entry by right mouse clicking on the entry and selecting "Copy." Open Google Translate: https://translate.google.com/ and paste the entry in the left-side area. Finally, copy the English translation shown and paste it in your forum reply.

Edited by itman

  • Administrators

Do you receive email through IMAP(S)? If so, I'd recommend opening a ticket with your local support since further logs will be needed for perusal. A test account on the mail server may be needed as well. If you have access to your email via web, log in to the mail service and delete the offending email via the browser.


Hi!

So I've tried what you said, deleting the emails through the browser, and nothing changed.

Here is a very short extract of the log but they're all looking similar anyway. Thank you for your help

07/27/2020 11:54:56; IMAP filter; email; from: BillingOnline <BillingOnline@fedex.com> to: ggo@lifeandcoach.com subject [SPAM] FedEx - Invoice (s) Ready for Payment date Thu, Jul 16, 2020 14:00:55 +0100; VBA / TrojanDownloader.Agent.TUW trojan; contained infected files; DESKTOP-T6059IM \ flyin; An event occurred while receiving an email by the application: C: \ Program Files (x86) \ Microsoft Office \ root \ Office16 \ OUTLOOK.EXE (4910DF174B114ADC2CFA25B26F35FC6B28C24D42) .; E6215255BF5B8C638B09A288FF02AFA5E77D2B6B;
07/27/2020 11:54:56; IMAP filter; email; from: "QuickBooks Payments" <quickbooks@notification.intuit.com> to: ggo@lifeandcoach.com subject [SPAM] Payment received: Invoice 25228 date Wed , 22 Jul 2020 12:41:41 -0300; a variant of VBA / TrojanDownloader.Agent.TWY trojan; contained infected files; DESKTOP-T6059IM \ flyin; An event occurred while receiving a email through application: C: \ Program Files (x86) \ Microsoft Office \ root \ Office16 \ OUTLOOK.EXE (4910DF174B114ADC2CFA25B26F35FC6B28C24D42) .; D510E4BFF4448986B28DBFB51D35B724364DC7E4;

Appears Eset is first detecting the e-mails as SPAM. Then detecting the e-mails as malicious in the SPAM folder and possibly not deleting them from there.

Check if these e-mails exist in your SPAM folder. If so, delete them from there.

Edited by itman

  • Administrators

I assume it's the responsibility of the IMAP server to sync emails and this way remove the malicious part of the email on the server, so there could be an issue with syncing. I can check with devs later this week and update you then. In the meantime, you can collect logs as follows:

- enable advanced logging under Help and support -> Details for technical support
- reproduce the issue
- disable logging
- collect logs with ESET Log Collector and upload the generated archive here.


5 hours ago, GGO said:

Here is a very short extract of the log but they're all looking similar anyway.

Based on what is shown on that log, I don't see anything indicating Eset actually deleted the malicious e-mail.

Verify your Eset e-mail is set to delete e-mail after detection as shown in the screenshot below:

Eset_Email.thumb.png.f860d461885313a13bdcdd1a3863fdfe.png
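To see which messages are being re-detected on every IMAP sync, and so still need removing on the server, the detection log entries can be grouped by message. This is an added example, not part of the thread or of ESET's tooling; it assumes the semicolon-separated field order visible in the entries posted above, and the sample lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the entries posted in the thread (assumed order):
# time; scanner; object type; object; detection; action; user; information; hash;
SAMPLE_LOG = """\
07/27/2020 11:52:56; IMAP filter; email; from: Billing <billing@example.com> to: user@example.org subject [SPAM] Invoice ready date Thu, 16 Jul 2020 14:00:55 +0100; VBA/TrojanDownloader.Agent.TUW trojan; contained infected files; HOST\\user; event while receiving an email; HASH-PLACEHOLDER-A;
07/27/2020 11:54:56; IMAP filter; email; from: Billing <billing@example.com> to: user@example.org subject [SPAM] Invoice ready date Thu, 16 Jul 2020 14:00:55 +0100; VBA/TrojanDownloader.Agent.TUW trojan; contained infected files; HOST\\user; event while receiving an email; HASH-PLACEHOLDER-A;
07/27/2020 11:54:56; IMAP filter; email; from: "Payments" <pay@example.net> to: user@example.org subject [SPAM] Payment received date Wed, 22 Jul 2020 12:41:41 -0300; a variant of VBA/TrojanDownloader.Agent.TWY trojan; contained infected files; HOST\\user; event while receiving an email; HASH-PLACEHOLDER-B;
"""

# The greedy subject group makes the LAST " date " the separator, so a subject
# that itself contains the word "date" is not cut short.
OBJECT_RE = re.compile(
    r"from:\s*(?P<sender>.*?)\s+to:\s*(?P<to>\S+)"
    r"\s+subject\s+(?P<subject>.*)\s+date\s+(?P<sent>.*)$")


def parse_entry(line):
    """Return a dict for one IMAP-filter entry, or None if the line does not fit."""
    raw = line.strip().rstrip(";").split(";")
    if len(raw) < 9 or raw[1].strip() != "IMAP filter":
        return None
    # Take 3 fields from the left and 5 from the right; whatever is between is
    # the object field, so a ';' inside a subject cannot shift the columns.
    match = OBJECT_RE.search(";".join(raw[3:-5]).strip())
    if not match:
        return None
    return {"seen": raw[0].strip(), "detection": raw[-5].strip(),
            "action": raw[-4].strip(), **match.groupdict()}


def recurring_messages(log_text, min_hits=2):
    """Group detections by message identity: (sender, subject, Date header)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry:
            hits[(entry["sender"], entry["subject"], entry["sent"])].append(entry)
    return {key: found for key, found in hits.items() if len(found) >= min_hits}


if __name__ == "__main__":
    for (sender, subject, sent), found in recurring_messages(SAMPLE_LOG).items():
        print(f"{len(found)}x {found[0]['detection']}: {subject!r} from {sender} ({sent})")
        print("   detected at:", ", ".join(e["seen"] for e in found))
```

A message that appears here more than once is still present in some server-side folder; its sender, subject and Date header are what to search for in webmail, including the spam folder.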

