virus's imside Aquarius?



  • NikK
    NikK Posts: 935 Rock Star

    Thanks, just hope it works on your PC too. It runs perfectly on mine now, but I cut my PST size from 1 GB to 70 MB a year ago or so. Mostly by deleting non-important emails, especially large ones.


    Well 2 GB sounds problematic. But if you don't compact, the size will not shrink! And more important any deleted emails will not actually be deleted unless compacted!

    I can understand that the drag-and-drop gets difficult with 2 GB of emails. A tip is to use the search function in Outlook for emails larger then 1 MB for example, and see if you can delete any non-important large emails.

    Great that you've isolated the infections to 2 PST files, and that it left the Aquarius folder.


    "Modify the variable outlookFolderName" was part only in the first version of the code. It doesn't exist anymore. I edited and updated my previous post including all VBA code, so you need to read my previous post again and forget what you read before. The new replaced code uses an easier approach:


    You don't have to specify a path or name for any PST. Instead you open the PST in Outlook and select(left-click) the folder you want to extract attachments from. Then when you switch back to the VBA Editor and run the code, it will detect what PST and folder is selected in Outlook. A confirmation message is displayed to verify that you've selected the right folder, example where testPST is the name of the PST(Outlook data-file) and tstFolder is an email folder in that PST:

    PST msgbox.png


    If you've created the folder c:\attachments then you don't need to do anything else to run the code in testmode (testmode will list/log all attachments but not save the attachments to disk)

    If running in testmode works without errors, you change line 11 in the VBA code you pasted in a new module. Change the line beginning with testmode = True to testmode = False  When testmode is set to False all attachments will be saved to disk.


    If you have an HTML link in an email, that can never be an infection. It's only text. But when you click on the link and it's opened in a browser, then you can be at risk.

    Almost all infections I've had in emails were "funny" and entertaining things sent by friends and trusted people, probably not knowing themselves that the attached files were infected. As such emails have a tendency to be more high risk than others, it might be a good start to delete any such non-important emails.

  • Well, I finally got the beast running, and have been several hours extracting from the suspect PST folders and all the others and running an f-secure  scan at most aggressive level on all. Nothing was found? Grrrrrrrr! Wondering where to go from here? Could this code be changed to extract all emails complete to the "attahements" folder? Your time is assistance so far is so so much appreciated...glad it has been a fun time for you...for me its a biggy in frustration Smiley Surprised)  Wondering if the problem lies with F-Secure flagging "False Positives" I have heard this term but not a clue what it means...perhaps its the get out clause that says they have no clue either? Smiley Surprised) Still, I have to assume now that all attachments are clean and start wondering what next?

  • Simon
    Simon Posts: 2,674 Superuser
    I seem to recall Bitdefender had a similar false positives issue with certain types of email attachments. I posted on their forums about it, but it was many years ago. I'll pop over there and see if they've still got my old posts.
  • Simon
    Simon Posts: 2,674 Superuser
    Sorry, I'm not having much luck at the moment. This goes back to about 2006, and they don't seem to have posts going back that far. I'll see what I can find out later, when I'm back on my usual Desktop.
  • Simon
    Simon Posts: 2,674 Superuser

    I'm afraid I've drawn a blank on this.  All I can recall is that when running a scan, which I think was with Bitdefender, it came up with several emails that it claimed contained viruses, yet no other scanner had done so, and the emails were several years old.  I deleted them all anyway, but it turned out to be some weird attachments extension that was flagging up as false positives.  Sorry I can't be more precise, and this could well be a wild goose chase, so I suggest you ignore the last three posts!

  • NikK
    NikK Posts: 935 Rock Star

    Nice :) But worse that nothing was found. I'm thinking if you never compacted the PST files, chances are that you might already have deleted the infected emails, but because you haven't done compact after those emails were deleted they are still present in the PST files. That could actually be the explanation to why you can't find them, but scanning the PST does find them. Think of it like all deleted items are being stored in an internal hidden folder inside the PST. Until you compact it. THEN it is emptied.


    I think this is more likely than the infections being false-positives. A false-positive BTW is a clean file that is wrongly identified as "infected". If you have a file you think is safe and clean but it is detected as an infection, you can report it either from the scan results window or by submitting a sample to F-Secure SAS (Sample Analysis System). In that page you have 3 options to select what kind of sample it is: 1. Malware 2. Spyware/Adware/Riskware 3. False Positive


    Back to topic, of course there's also a chance that the infections are in the email body and not in attachments as you say, but I guess PST compact is the reason. You really should compact the PST files even if it takes "forever" Smiley Wink Maybe that would solve the entire mystery?

    I'll try and see if I can modify the code to save the entire emails. Not sure if it's possible to save as a .msg Outlook format(binary) as the drag-and-drop, or just as .txt files. The attachments were easy but an email can be in different formats. Well, I'll check it out and get back. Fun fun Smiley Tongue But we must get to the bottom of your problem, we're certainly getting closer to the solution I think!

  • Thanks! Thanks! Thanks! NikK. 


    I have compacted one while out working...took 10 hours.  Closed the window and now forgotten which one it was!!! :)

    I shall compact all PST and come back in a few days after FS full computer aggresive scan.


    Your comment about priviously deleted files still present in absence of compacting...makes sense to me...onward and up em!

  • NikK
    NikK Posts: 935 Rock Star

    No worries if you forget. If you compact one that you've already compact, it will be lightning fast compared to the first compact.


    I'll await your results before looking into extracting complete emails.

  • Just tried to run the Attachment Macro-its run ok before but now I get 

    outlook macro.JPG


    tried trawling the help menues but cannot find how to enable macros again....wondering if doing control f11 instead of Alt F11 might have triggered it? any ideas (probably staring me in front of nose)  


    UPDATE! Just after posting this I found the answer

  • NikK
    NikK Posts: 935 Rock Star

    Same thing happened to me too. The first time you create a new module, paste the code and run, it's ok. But closing Outlook and restarting it then gives this prompt.


    In Outlook go to File menu, Options. Then Security Center, settings. Then Macro settings.

    Change the radio button from the 2nd to the 3rd(Prompt for all macros). Close and Restart Outlook incl VBA Editor.

    Now you'll be prompted for activating macros or not.

    ps. I don't have an english office version so my translations in finding the settings may not be correct.

  • NikK
    NikK Posts: 935 Rock Star

    A great VBA Editor article for macro security level, tips on adding macros to the Toolbar, and more:


  • @NikK Success! 4 viruses found in one PST folder using your attachment extractor! Smiley Wink


    They all were emails I sent to spoof Amazon advising suspicious emails that I attached to the message (never dreamt they could be inside messages I had sent)


    I will not jump for joy just yet, these were recent messages 2/12/2013. Once I have compacted all and run a clean virus scan..Then will be the time to celebrate after over a year trying to find these... Will keep you posted!

  • runing macro on suspect PST file brought up this


    outlook macro run time error.JPG


    Pressing debug brought up this line


    Outlook macro debug line.JPG


    Duh! ????

  • NikK
    NikK Posts: 935 Rock Star

    It's probably a strange kind of attachment, a non-normal type. On the yellow line, putting the mouse cursor over "folderpath" will inform you what mail folder it is. Mouse over on "email.Subject" will inform what email it is.

    Then in Outlook find the email and remove any strange attachments from that email(save them somewhere else first if you want to keep them).

    Then End the code. You then have to restart the code unfortunately.


    I'll see if I can come up with a code change that handles this.

  • @NikK...Blimus! What can I say...Email attachments found using your extractor Macro have been removed and all PST files now compacted. 2 Full FS scans now show no malware present!!!!  This has been a stress for over a year now with little or no support from F-Secure other than advise to open every email to locate the malware. But full marks to you NikK..Please take a Bow my mate..Your expert support here has been inspirational and certainly made me a wiser chap than before...All sooo much appreciated!!!!  Job done, solution accepted..Thanks again!

  • Simon
    Simon Posts: 2,674 Superuser
    Well done, Nik! Have a Kudos! :)
  • NikK
    NikK Posts: 935 Rock Star

    Thanks guys!


    Archbishop, I am very pleased to hear my VBA code could help out, and that you're finally clean!! Great news!

    Thanks for all kudos! Hopefully the code can help others in the future as well.


    A last advice: now that you've compacted all PSTs, make a habit of doing it every month or so. Then it will never take >10 hours anymore, probably only minutes.

  • Hi.


    I just tried your nice vba macro, but it always fails with an error message at line 107 "stream.WriteLine txt" . Something about "wrong procedure call" ( not quite sure how it is called in english).


     Most of the e-mails we get here have pretty long subject lines, so I think it's because of too long text.

    Is there a way to solve this problem ?


    kinda regards,


  • NikK
    NikK Posts: 935 Rock Star

    Subjects are shortened to 50 chars, so that shouldn't be a problem.


    Luckily the error occurs in a non critical part of the code: writing to a log file

    The easiest way to solve it is to just delete that code by deleting the last 8 lines of code EXCEPT the last line. Or to be exact, change the last 9 lines from:


    Sub WriteToLog(ByRef txt As String)
        Dim fso As Object, stream As Object
        Set fso = CreateObject("Scripting.FileSystemObject")
        Set stream = fso.OpenTextFile(logFile, 8, True) '8=append, True=create if doesn't exist
        stream.WriteLine txt
        Set stream = Nothing
        Set fso = Nothing
    End Sub


    ... to only these 2 lines:


    Sub WriteToLog(ByRef txt As String)

    End Sub


    Let's hope the rest of the code will work!

    If you should run into the error "Outlook cannot do this action on this type of attachment", the solution is here

  • NikK
    NikK Posts: 935 Rock Star

    Actually a quicker fix and let's you keep the log file too, is to change the line that caused the error from:


    stream.WriteLine txt




    stream.WriteLine GetSimpleName(txt)


    If that doesn't help the try my first suggestion.

    I think the error seems to be caused by "unusual" characters that couldn't be written to the log file (a text file).

  • mduffy
    mduffy Posts: 2

    Hi, this is great, thank you!


    1) with the script modification provided 4-1-14 (page 5 of this topic), is there a way to not have a pop-up window to check through?

    2)  Halfway through processing a compacted 5G PST file the script threw this error:  "Run-time error '-2147352567 (80020009)': Array index out of bounds"   Any ideas?


     Script highlight line: 

    >If UCase(TypeName(inFolder.Items.Item(no))) = "MAILITEM" Then



  • NikK
    NikK Posts: 935 Rock Star

    1) You could comment out the line of code that does the pop-up by adding a ' character at the beginning of that line. Or simply delete that line of code:

    MsgBox filename, vbExclamation


    2) Out of bounds mean an item doesn't exist. Don't know what could be causing it but I'd check the log file to see what folder/email/attachment were processed when it happened, and then try to open these manually to see if it's perhaps corrupt.

    Everytime a new folder is processed it logs Processing: foldername (X items) and that error indicates somehow that the X number of items isn't correct which is weird. Maybe with that much data something might be corrupt.

    You could try to run the macro for one folder at a time instead of all folders at once to get it running more than halfway, and to find out what folder or item is causing the error.

  • mduffy
    mduffy Posts: 2

    Thank you!  Modified the code, checked the log file and removed the offending file (not sure why?), re-ran on the same PST and extracted all attachments (about 7,000) without further hitch.


This discussion has been closed.
Pricing & Product Info