Viruses inside Aquarius?


Comments

  • NikK
    NikK Posts: 903 Forum Champion

    Thanks, just hope it works on your PC too. It runs perfectly on mine now, but I cut my PST size from 1 GB to 70 MB a year ago or so. Mostly by deleting non-important emails, especially large ones.

     

    Well 2 GB sounds problematic. But if you don't compact, the size will not shrink! And more important any deleted emails will not actually be deleted unless compacted!

    I can understand that the drag-and-drop gets difficult with 2 GB of emails. A tip is to use the search function in Outlook for emails larger than 1 MB for example, and see if you can delete any non-important large emails.

    Great that you've isolated the infections to 2 PST files, and that it left the Aquarius folder.

     

    "Modify the variable outlookFolderName" was part only in the first version of the code. It doesn't exist anymore. I edited and updated my previous post including all VBA code, so you need to read my previous post again and forget what you read before. The new replaced code uses an easier approach:

     

    You don't have to specify a path or name for any PST. Instead you open the PST in Outlook and select (left-click) the folder you want to extract attachments from. Then when you switch back to the VBA Editor and run the code, it will detect what PST and folder is selected in Outlook. A confirmation message is displayed to verify that you've selected the right folder, example where testPST is the name of the PST (Outlook data-file) and tstFolder is an email folder in that PST:

    [Image: PST msgbox.png]

     

    If you've created the folder c:\attachments then you don't need to do anything else to run the code in testmode (testmode will list/log all attachments but not save the attachments to disk)

    If running in testmode works without errors, you change line 11 in the VBA code you pasted in a new module. Change the line beginning with testmode = True to testmode = False. When testmode is set to False all attachments will be saved to disk.

     

    If you have an HTML link in an email, that can never be an infection. It's only text. But when you click on the link and it's opened in a browser, then you can be at risk.

    Almost all infections I've had in emails were "funny" and entertaining things sent by friends and trusted people, probably not knowing themselves that the attached files were infected. As such emails have a tendency to be more high risk than others, it might be a good start to delete any such non-important emails.

  • Archbishop
    Archbishop Posts: 18 New Member

    Well, I finally got the beast running, and have been several hours extracting from the suspect PST folders and all the others and running an F-Secure scan at most aggressive level on all. Nothing was found? Grrrrrrrr! Wondering where to go from here? Could this code be changed to extract all emails complete to the "attachments" folder? Your time and assistance so far is so so much appreciated...glad it has been a fun time for you...for me it's a biggy in frustration. Wondering if the problem lies with F-Secure flagging "False Positives". I have heard this term but not a clue what it means...perhaps it's the get-out clause that says they have no clue either? Still, I have to assume now that all attachments are clean and start wondering what next?

  • Simon
    Simon Posts: 2,667 Superuser
    I seem to recall Bitdefender had a similar false positives issue with certain types of email attachments. I posted on their forums about it, but it was many years ago. I'll pop over there and see if they've still got my old posts.
  • Simon
    Simon Posts: 2,667 Superuser
    Sorry, I'm not having much luck at the moment. This goes back to about 2006, and they don't seem to have posts going back that far. I'll see what I can find out later, when I'm back on my usual Desktop.
  • Simon
    Simon Posts: 2,667 Superuser

    I'm afraid I've drawn a blank on this.  All I can recall is that when running a scan, which I think was with Bitdefender, it came up with several emails that it claimed contained viruses, yet no other scanner had done so, and the emails were several years old.  I deleted them all anyway, but it turned out to be some weird attachments extension that was flagging up as false positives.  Sorry I can't be more precise, and this could well be a wild goose chase, so I suggest you ignore the last three posts!

  • NikK
    NikK Posts: 903 Forum Champion

    Nice :) But worse that nothing was found. I'm thinking if you never compacted the PST files, chances are that you might already have deleted the infected emails, but because you haven't done compact after those emails were deleted they are still present in the PST files. That could actually be the explanation to why you can't find them, but scanning the PST does find them. Think of it like all deleted items are being stored in an internal hidden folder inside the PST. Until you compact it. THEN it is emptied.

     

    I think this is more likely than the infections being false-positives. A false-positive BTW is a clean file that is wrongly identified as "infected". If you have a file you think is safe and clean but it is detected as an infection, you can report it either from the scan results window or by submitting a sample to F-Secure SAS (Sample Analysis System). In that page you have 3 options to select what kind of sample it is: 1. Malware 2. Spyware/Adware/Riskware 3. False Positive

     

    Back to topic, of course there's also a chance that the infections are in the email body and not in attachments as you say, but I guess PST compact is the reason. You really should compact the PST files even if it takes "forever" ;) Maybe that would solve the entire mystery?

    I'll try and see if I can modify the code to save the entire emails. Not sure if it's possible to save as a .msg Outlook format (binary) as the drag-and-drop, or just as .txt files. The attachments were easy but an email can be in different formats. Well, I'll check it out and get back. Fun fun :P But we must get to the bottom of your problem, we're certainly getting closer to the solution I think!

  • Archbishop
    Archbishop Posts: 18 New Member

    Thanks! Thanks! Thanks! NikK. 

     

    I have compacted one while out working...took 10 hours.  Closed the window and now forgotten which one it was!!! :)

    I shall compact all PST and come back in a few days after FS full computer aggressive scan.

    Your comment about previously deleted files still present in absence of compacting...makes sense to me...onward and up em!

  • NikK
    NikK Posts: 903 Forum Champion

    No worries if you forget. If you compact one that you've already compacted, it will be lightning fast compared to the first compact.

     

    I'll await your results before looking into extracting complete emails.

  • Archbishop
    Archbishop Posts: 18 New Member

    Just tried to run the Attachment Macro - it's run OK before but now I get

    [Image: outlook macro.JPG]

    Tried trawling the help menus but cannot find how to enable macros again....wondering if doing Control F11 instead of Alt F11 might have triggered it? Any ideas (probably staring me in front of nose)

     

    UPDATE! Just after posting this I found the answer

  • NikK
    NikK Posts: 903 Forum Champion

    Same thing happened to me too. The first time you create a new module, paste the code and run, it's ok. But closing Outlook and restarting it then gives this prompt.

     

    In Outlook go to File menu, Options. Then Security Center, settings. Then Macro settings.

    Change the radio button from the 2nd to the 3rd (Prompt for all macros). Close and restart Outlook incl. VBA Editor.

    Now you'll be prompted for activating macros or not.

    PS. I don't have an English Office version so my translations in finding the settings may not be correct.

  • NikK
    NikK Posts: 903 Forum Champion

    A great VBA Editor article for macro security level, tips on adding macros to the Toolbar, and more:

     

    http://slipstick.com/developer/how-to-use-outlooks-vba-editor/

  • Archbishop
    Archbishop Posts: 18 New Member

    @NikK Success! 4 viruses found in one PST folder using your attachment extractor! ;)

     

    They all were emails I sent to spoof Amazon advising suspicious emails that I attached to the message (never dreamt they could be inside messages I had sent)

     

    I will not jump for joy just yet, these were recent messages 2/12/2013. Once I have compacted all and run a clean virus scan..Then will be the time to celebrate after over a year trying to find these... Will keep you posted!

  • Archbishop
    Archbishop Posts: 18 New Member

    Running macro on suspect PST file brought up this

    [Image: outlook macro run time error.JPG]

    Pressing debug brought up this line

    [Image: Outlook macro debug line.JPG]

     

    Duh! ????

  • NikK
    NikK Posts: 903 Forum Champion

    It's probably a strange kind of attachment, a non-normal type. On the yellow line, putting the mouse cursor over "folderpath" will inform you what mail folder it is. Mouse over on "email.Subject" will inform what email it is.

    Then in Outlook find the email and remove any strange attachments from that email (save them somewhere else first if you want to keep them).

    Then End the code. You then have to restart the code unfortunately.

     

    I'll see if I can come up with a code change that handles this.

  • Archbishop
    Archbishop Posts: 18 New Member

    @NikK...Blimus! What can I say...Email attachments found using your extractor Macro have been removed and all PST files now compacted. 2 full FS scans now show no malware present!!!! This has been a stress for over a year now with little or no support from F-Secure other than advice to open every email to locate the malware. But full marks to you NikK..Please take a bow my mate..Your expert support here has been inspirational and certainly made me a wiser chap than before...All sooo much appreciated!!!! Job done, solution accepted..Thanks again!

  • Simon
    Simon Posts: 2,667 Superuser
    Well done, Nik! Have a Kudos! :)
  • NikK
    NikK Posts: 903 Forum Champion

    Thanks guys!

     

    Archbishop, I am very pleased to hear my VBA code could help out, and that you're finally clean!! Great news!

    Thanks for all kudos! Hopefully the code can help others in the future as well.

     

    A last advice: now that you've compacted all PSTs, make a habit of doing it every month or so. Then it will never take >10 hours anymore, probably only minutes.

  • Hi.

     

    I just tried your nice VBA macro, but it always fails with an error message at line 107 "stream.WriteLine txt". Something about "wrong procedure call" (not quite sure how it is called in English).

     

     Most of the e-mails we get here have pretty long subject lines, so I think it's because of too long text.

    Is there a way to solve this problem ?

     

    kinda regards,

    thunder

  • NikK
    NikK Posts: 903 Forum Champion

    Subjects are shortened to 50 chars, so that shouldn't be a problem.

     

    Luckily the error occurs in a non critical part of the code: writing to a log file

    The easiest way to solve it is to just delete that code by deleting the last 8 lines of code EXCEPT the last line. Or to be exact, change the last 9 lines from:

     

    Sub WriteToLog(ByRef txt As String)
        Dim fso As Object, stream As Object
        Set fso = CreateObject("Scripting.FileSystemObject")
        Set stream = fso.OpenTextFile(logFile, 8, True) '8=append, True=create if doesn't exist
        stream.WriteLine txt
        stream.Close
        Set stream = Nothing
        Set fso = Nothing
    End Sub

     

    ... to only these 2 lines:

     

    Sub WriteToLog(ByRef txt As String)

    End Sub

     

    Let's hope the rest of the code will work!

    If you should run into the error "Outlook cannot do this action on this type of attachment", the solution is here

  • NikK
    NikK Posts: 903 Forum Champion

    Actually, a quicker fix, which lets you keep the log file too, is to change the line that caused the error from:

     

    stream.WriteLine txt

     

    to:

     

    stream.WriteLine GetSimpleName(txt)

     

    If that doesn't help then try my first suggestion.

    I think the error seems to be caused by "unusual" characters that couldn't be written to the log file (a text file).
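
Added example, not part of NikK's macro: a variant of the log writer from the posts above that opens the log as Unicode, so subjects containing characters outside the system code page can be written instead of raising the "invalid procedure call" error. The names WriteToLogUnicode, DemoWriteToLogUnicode and the log path are assumptions made for this example.

```vb
Option Explicit

' Added example (not NikK's code). Use a NEW log file name so that
' existing ANSI log lines and Unicode lines are not mixed in one file.
Private Const ForAppending As Long = 8
Private Const TristateTrue As Long = -1    ' open the file as Unicode (UTF-16)

Sub WriteToLogUnicode(ByVal logPath As String, ByVal txt As String)
    Dim fso As Object, stream As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    On Error GoTo Fail
    ' Fourth argument selects the text format; -1 = Unicode.
    Set stream = fso.OpenTextFile(logPath, ForAppending, True, TristateTrue)
    stream.WriteLine txt
    stream.Close
    Exit Sub
Fail:
    ' Logging is non-critical: report in the Immediate window and continue,
    ' so a bad log line never stops the attachment extraction run.
    Debug.Print "Log write failed (" & Err.Number & "): " & Err.Description
    On Error Resume Next
    If Not stream Is Nothing Then stream.Close
End Sub

Sub DemoWriteToLogUnicode()
    ' Constructed sample subject with characters outside a Western code page.
    Dim subject As String
    subject = "Invoice " & ChrW(&H4E2D) & ChrW(&H6587) & " " & ChrW(&H3A9)
    ' Assumed path; c:\attachments is the folder used earlier in the thread.
    WriteToLogUnicode "c:\attachments\log_unicode.txt", Left$(subject, 50)
End Sub
```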

  • mduffy
    mduffy Posts: 2

    Hi, this is great, thank you!

     

    1) with the script modification provided 4-1-14 (page 5 of this topic), is there a way to not have a pop-up window to check through?

    2)  Halfway through processing a compacted 5G PST file the script threw this error:  "Run-time error '-2147352567 (80020009)': Array index out of bounds"   Any ideas?

     

     Script highlight line: 

    >If UCase(TypeName(inFolder.Items.Item(no))) = "MAILITEM" Then

     

    Thanks!

  • NikK
    NikK Posts: 903 Forum Champion

    1) You could comment out the line of code that does the pop-up by adding a ' character at the beginning of that line. Or simply delete that line of code:

    MsgBox filename, vbExclamation

     

    2) Out of bounds means an item doesn't exist. Don't know what could be causing it but I'd check the log file to see what folder/email/attachment were processed when it happened, and then try to open these manually to see if it's perhaps corrupt.

    Every time a new folder is processed it logs Processing: foldername (X items) and that error indicates somehow that the X number of items isn't correct which is weird. Maybe with that much data something might be corrupt.

    You could try to run the macro for one folder at a time instead of all folders at once to get it running more than halfway, and to find out what folder or item is causing the error.
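
Added example, not part of NikK's macro: a read-only pass over the folder currently selected in Outlook that guards each item lookup, so an item that cannot be read is reported by index and folder path instead of stopping the run halfway. The procedure name ListMailItemsSafely and its output format are assumptions; nothing is saved or deleted.

```vb
Option Explicit

' Added example (not NikK's code). Run from Outlook's VBA Editor with the
' folder to inspect selected in Outlook. Output goes to the Immediate window.
Sub ListMailItemsSafely()
    Dim inFolder As Object, itm As Object
    Dim total As Long, no As Long, mails As Long, skipped As Long

    Set inFolder = Application.ActiveExplorer.CurrentFolder
    total = inFolder.Items.Count
    Debug.Print "Processing: " & inFolder.FolderPath & " (" & total & " items)"

    For no = 1 To total
        Set itm = Nothing
        ' Guard only the lookup that raised "Array index out of bounds".
        On Error Resume Next
        Set itm = inFolder.Items.Item(no)
        If Err.Number <> 0 Then
            Debug.Print "Skipped item " & no & " of " & total & ": " & _
                        Err.Number & " " & Err.Description
            skipped = skipped + 1
            Err.Clear
        End If
        On Error GoTo 0

        If Not itm Is Nothing Then
            If UCase(TypeName(itm)) = "MAILITEM" Then
                mails = mails + 1
                Debug.Print no & ": " & Left$(itm.Subject, 50) & _
                            " (" & itm.Attachments.Count & " attachments)"
            End If
        End If
    Next no

    Debug.Print "Done: " & mails & " mail items, " & skipped & " unreadable."
End Sub
```

The skipped indexes point at the items to open manually in Outlook, as suggested in the reply above.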

  • mduffy
    mduffy Posts: 2

    Thank you!  Modified the code, checked the log file and removed the offending file (not sure why?), re-ran on the same PST and extracted all attachments (about 7,000) without further hitch.

     

This discussion has been closed.