GGO

VBA/TrojanDownloader.Agent.TUW how to remove

Hello,

I have this Outlook alert going on for days with "VBA/TrojanDownloader.Agent has been detected in a file that Outlook is attempting to access" and it keeps going on and on. Eset says threat cleaned but the alert comes back every 2 minutes.

I've scanned the computer with Eset and it doesn't change.

I've googled it but didn't find any solution that worked (including malware cleaning). Does anybody have any idea?

Thank you for your help

 


Open Eset Detection Log and post a few log entries related to this alert.

Since they will be posted in French and this is an English language forum, do the following. First, copy each log entry by right mouse clicking on the entry and selecting "Copy." Open Google Translate: https://translate.google.com/ and paste the entry in the left-side area. Finally, copy the English translation shown and paste it in your forum reply.

Edited by itman


Do you receive email through IMAP(S)? If so, I'd recommend opening a ticket with your local support since further logs will be needed for perusal. A test account on the mail server may be needed as well. If you have access to your email via web, log in to the mail service and delete the offending email via the browser.


Hi!

So I've tried what you said, deleting the emails through the browser, and nothing changed.

Here is a very short extract of the log but they're all looking similar anyway. Thank you for your help

07/27/2020 11:54:56; IMAP filter; email; from: BillingOnline <BillingOnline@fedex.com> to: ggo@lifeandcoach.com subject [SPAM] FedEx - Invoice (s) Ready for Payment date Thu, Jul 16, 2020 14:00:55 +0100; VBA / TrojanDownloader.Agent.TUW trojan; contained infected files; DESKTOP-T6059IM \ flyin; An event occurred while receiving an email by the application: C: \ Program Files (x86) \ Microsoft Office \ root \ Office16 \ OUTLOOK.EXE (4910DF174B114ADC2CFA25B26F35FC6B28C24D42) .; E6215255BF5B8C638B09A288FF02AFA5E77D2B6B;
07/27/2020 11:54:56; IMAP filter; email; from: "QuickBooks Payments" <quickbooks@notification.intuit.com> to: ggo@lifeandcoach.com subject [SPAM] Payment received: Invoice 25228 date Wed , 22 Jul 2020 12:41:41 -0300; a variant of VBA / TrojanDownloader.Agent.TWY trojan; contained infected files; DESKTOP-T6059IM \ flyin; An event occurred while receiving a email through application: C: \ Program Files (x86) \ Microsoft Office \ root \ Office16 \ OUTLOOK.EXE (4910DF174B114ADC2CFA25B26F35FC6B28C24D42) .; D510E4BFF4448986B28DBFB51D35B724364DC7E4;


Appears Eset is first detecting the e-mails as SPAM. Then detecting the e-mails as malicious in the SPAM folder and possibly not deleting them from there.

Check if these e-mails exist in your SPAM folder. If so, delete them from there.

Edited by itman


I assume it's the responsibility of the IMAP server to sync emails and this way remove the malicious part of the email on the server, so there could be an issue with syncing. I can check with devs later this week and update you then. In the meantime, you can collect logs as follows:

- enable advanced logging under Help and support -> Details for technical support
- reproduce the issue
- disable logging
- collect logs with ESET Log Collector and upload the generated archive here.

5 hours ago, GGO said:

Here is a very short extract of the log but they're all looking similar anyway.

Based on what is shown on that log, I don't see anything indicating Eset actually deleted the malicious e-mail.

Verify your Eset e-mail is set to delete e-mail after detection as shown in the below screen shot:

Eset_Email.thumb.png.f860d461885313a13bdcdd1a3863fdfe.png
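
As an added example (not part of any post in this thread and not ESET code): a small Python parser for log lines in the layout GGO posted, which collapses the repeating alerts into one row per message, with its original Date header and the recorded action text, so the mails to look for in the server-side SPAM folder are easy to list. The sample lines are constructed, and the column meanings (time, scanner, object type, object, detection, action, user, information, hash) are assumed from the extract.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the log extract in this thread:
# semicolon-separated fields, spacing as left by machine translation.
# Addresses, subjects, host and hashes are placeholders.
SAMPLE_LOG = r"""
07/27/2020 11:54:56; IMAP filter; email; from: Billing <billing@example.com> to: user@example.org subject [SPAM] Invoice ready date Thu, Jul 16, 2020 14:00:55 +0100; VBA / TrojanDownloader.Agent.TUW trojan; contained infected files; HOST \ user; An event occurred while receiving an email; 1111111111111111111111111111111111111111;
07/27/2020 11:56:57; IMAP filter; email; from: Billing <billing@example.com> to: user@example.org subject [SPAM] Invoice ready date Thu, Jul 16, 2020 14:00:55 +0100; VBA / TrojanDownloader.Agent.TUW trojan; contained infected files; HOST \ user; An event occurred while receiving an email; 1111111111111111111111111111111111111111;
07/27/2020 11:56:57; IMAP filter; email; from: "Pay" <pay@example.net> to: user@example.org subject [SPAM] Payment received: due date moved date Wed , 22 Jul 2020 12:41:41 -0300; a variant of VBA / TrojanDownloader.Agent.TWY trojan; contained infected files; HOST \ user; An event occurred while receiving an email; 2222222222222222222222222222222222222222;
"""

# The "object" column packs sender, recipient, subject and Date header together.
# The subject group is greedy so a subject containing the word "date" still parses.
OBJECT_RE = re.compile(
    r"from:\s*(?P<sender>.*?)\s+to:\s*(?P<rcpt>\S+)\s+subject\s+"
    r"(?P<subject>.*)\s+date\s+(?P<sent>.*)$")

def parse_line(line):
    """Return one detection record, or None for lines that do not fit the layout."""
    fields = [f.strip() for f in line.strip().rstrip(";").split(";")]
    if len(fields) != 9:  # also rejects lines with a ';' inside the subject
        return None
    m = OBJECT_RE.search(fields[3])
    if not m:
        return None
    # "a variant of VBA / Name trojan" -> "VBA/Name" so names compare cleanly
    name = re.sub(r"\s*/\s*", "/", fields[4])
    name = re.sub(r"^a variant of\s+|\s+trojan$", "", name)
    return {**m.groupdict(), "seen": fields[0], "scanner": fields[1],
            "detection": name, "action": fields[5], "hash": fields[8]}

def recurring_messages(log_text):
    """Group alerts by message so each mail that keeps re-triggering appears once."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec["sender"], rec["subject"], rec["sent"])].append(rec)
    report = [{"sender": k[0], "subject": k[1], "sent": k[2], "alerts": len(v),
               "detections": sorted({r["detection"] for r in v}),
               "actions": sorted({r["action"] for r in v})}
              for k, v in groups.items()]
    return sorted(report, key=lambda r: -r["alerts"])

if __name__ == "__main__":
    for msg in recurring_messages(SAMPLE_LOG):
        print(msg["alerts"], msg["subject"], "|", msg["sent"], "|", msg["actions"])
```

The `actions` list shows every distinct action string logged for a message, which is the column to read when checking whether anything other than "contained infected files" was ever recorded for it.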
