Troj/DocDl-EA

I am getting a daily notification of this infected file in my Outlook Temp folder. I use Sophos quarantine manager to remove the threat, but it keeps coming back. Clearly the root of the problem is not being resolved. Any ideas what is depositing this file (sf_trans_7891048.doc) every morning and how to get rid of it?

Thanks.



This thread was automatically locked due to age.
  • Hi chrubble,

    Since the threat is in your Outlook temp folder, I'm guessing the threat is being re-downloaded from your mail server and will require a manual removal. The following video will walk you through how to do that. Can you please take a look and let me know if you're still having trouble? Thanks,
  • I'm afraid that doesn't work for me. The most current scan doesn't appear in logs (I haven't deleted it) and the infected item does not appear in previous logs for time/date of detection. I can p.m. you screen grabs to show what my logs show, if that would help?

    Also, my most recent Sophos full scan has frozen (around 10 hours ago). It's the second time that it's frozen at the same point in the full scan, which is worrying.

  • It looks to me like the threats that are captured outside of a user triggered scan are not reported in the logs. Also, the user scan does not find the threat that the general security alert picks up. It's very strange.

  • You think that's bad ... I get a warning message every 30 minutes that Troj/DocDl-DS has been detected. Every time I open the Quarantine manager it disappears.

    I have no idea what to do, sorry!

  • I am having the same issue - nearly daily (sometimes more than once a day) detections of this Trojan. Sometimes I need to clean it up in the quarantine manager, and sometimes when I go there it apparently has already been cleaned. However, I cannot figure out where the threat is located - the only notification is that it is detected. In the log it does not say, either. I am concerned that there is a persistent threat somewhere on my drive (or from some email source that I receive mail from frequently) that I am not eliminating.

    Any ideas?
  • It's hard to know exactly what is going wrong, but here is a common problem: are you using an email service which synchronizes your local inbox with a remote server? Microsoft Exchange does this, as do generic IMAP mail servers. So even though the file gets removed locally, it's still in your remote inbox (and gets copied back by your email client program). You need to find the email message containing this attachment and use your email client to delete it. That will delete it from the remote server as well as the local copy.

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development
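
One way to locate the message that keeps re-delivering the attachment on a generic IMAP server, as an added example that is not part of the original thread or Sophos's own tooling. The function names, the `sf_trans_*.doc` pattern, the host and credentials passed to `imap_messages`, and the sample messages are assumptions constructed for illustration; the mailbox is opened read-only and the message is then deleted from the mail client as described above.

```python
import email
import imaplib
from email import policy
from email.message import EmailMessage
from fnmatch import fnmatch


def find_carriers(messages, pattern):
    """Return (uid, sender, subject, filename) for each attachment name matching pattern.

    messages: iterable of (uid, raw RFC 822 bytes). Matching is case-insensitive.
    """
    hits = []
    for uid, raw in messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        for part in msg.walk():
            name = part.get_filename()
            if name and fnmatch(name.lower(), pattern.lower()):
                hits.append((uid, str(msg["From"]), str(msg["Subject"]), name))
    return hits


def imap_messages(host, user, password, mailbox="INBOX"):
    """Yield (uid, raw bytes) from a mailbox opened read-only; nothing is deleted or flagged."""
    conn = imaplib.IMAP4_SSL(host)
    try:
        conn.login(user, password)
        conn.select(mailbox, readonly=True)
        _, data = conn.uid("SEARCH", None, "ALL")
        for uid in data[0].split():
            _, parts = conn.uid("FETCH", uid.decode(), "(BODY.PEEK[])")
            if parts and isinstance(parts[0], tuple):
                yield uid.decode(), parts[0][1]
    finally:
        conn.logout()


def _sample(subject, filename):
    """Build a constructed test message carrying a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "me@example.com", subject
    m.set_content("constructed body")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed sample mailbox so the search can be run offline.
SAMPLE = [("101", _sample("Minutes", "minutes.doc")),
          ("102", _sample("Transaction", "sf_trans_7891048.doc"))]

if __name__ == "__main__":
    for hit in find_carriers(SAMPLE, "sf_trans_*.doc"):
        print(hit)
```

Against a real account, pass `imap_messages(host, user, password)` as the first argument to `find_carriers` and use the reported sender and subject to find the message in the mail client.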