virus's inside Aquarius?

Aspirant

Re: virus's inside Aquarius?

Wow! Cool is not the word...it's Flipsin inspirational!

 

I did try your other suggested routing of copying multiple emails to another folder and running an aggressive scan. Could only do 250 at a time, any more and it only copied 300 odd of them, and slowed down to less each time. Because my PST files were over the 2G recommended I was hesitant to proceed in case I caused more damage than solved. That was Christmas Eve used up when I got home...nothing found.

 

Worth noting the viruses have migrated from the Aquarius folder (perhaps MSE and Malwarebytes, now removed, were confusing it?) now to become resident in two PST files, one remains in archive 2010 as "Trojan.dropper.Agent.UYG" and the other is in the main Outlook PST folder as "Trojan.Agent.BAYD".

 

I tried the VBA, with which I am not in the slightest familiar; I was OK with the Sinclair ZX81...but that's it! :o)

 

Just finished work so not as bright as usual, which then is nothing to write home about...

"Modify the variable outlookFolderName" etc...bit confused where and what to change. My folders in question with viruses are:

C:\Users\Archbishop\AppData\Local\Microsoft\Outlook\archive older than 31-12-2010.pst

and

C:\Users\Archbishop\AppData\Local\Microsoft\Outlook\Outlook.pst

 

I have created a folder c:\attachments. Now should I name the folder "attachments\"?

 

I shall have another bash when I wake tomorrow afternoon. I would say here I have a gut feeling the virus is in an HTML link within a message....I have opened most, but not all attachments already - but it would be "cool" to snatch all the blighters out to scan in one swoop....thanks NikK!

 

 

Advocate

Re: virus's inside Aquarius?

Thanks, just hope it works on your PC too. It runs perfectly on mine now, but I cut my PST size from 1 GB to 70 MB a year ago or so. Mostly by deleting non-important emails, especially large ones.

 

Well, 2 GB sounds problematic. But if you don't compact, the size will not shrink! And more important, any deleted emails will not actually be deleted unless compacted!

I can understand that the drag-and-drop gets difficult with 2 GB of emails. A tip is to use the search function in Outlook for emails larger than 1 MB for example, and see if you can delete any non-important large emails.

Great that you've isolated the infections to 2 PST files, and that it left the Aquarius folder.

"Modify the variable outlookFolderName" was only part of the first version of the code. It doesn't exist anymore. I edited and updated my previous post including all VBA code, so you need to read my previous post again and forget what you read before. The new replaced code uses an easier approach:

 

You don't have to specify a path or name for any PST. Instead you open the PST in Outlook and select (left-click) the folder you want to extract attachments from. Then when you switch back to the VBA Editor and run the code, it will detect what PST and folder is selected in Outlook. A confirmation message is displayed to verify that you've selected the right folder, for example where testPST is the name of the PST (Outlook data-file) and tstFolder is an email folder in that PST:

[Image: PST msgbox.png]

 

If you've created the folder c:\attachments then you don't need to do anything else to run the code in testmode (testmode will list/log all attachments but not save the attachments to disk).

If running in testmode works without errors, you change line 11 in the VBA code you pasted in a new module. Change the line beginning with testmode = True to testmode = False. When testmode is set to False all attachments will be saved to disk.

 

If you have an HTML link in an email, that can never be an infection. It's only text. But when you click on the link and it's opened in a browser, then you can be at risk.

Almost all infections I've had in emails were "funny" and entertaining things sent by friends and trusted people, probably not knowing themselves that the attached files were infected. As such emails have a tendency to be more high risk than others, it might be a good start to delete any such non-important emails.
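
Added example, not part of the thread and not NikK's macro (which is in an earlier post): a minimal Outlook VBA routine following the workflow described above, where the folder selected in Outlook is confirmed, attachments are only listed in testmode, and written to c:\attachments once testmode is False. The names ListOrSaveAttachments and SafeName are hypothetical.

```vba
Option Explicit
' Added illustration, not NikK's macro. Sub and helper names are hypothetical.

Sub ListOrSaveAttachments()
    Const saveDir As String = "c:\attachments\"   ' folder named in the thread
    Dim testmode As Boolean
    Dim fld As Outlook.MAPIFolder, itm As Object, att As Outlook.Attachment
    Dim n As Long, target As String

    testmode = True   ' True = log only, False = also write files to saveDir

    ' Folder currently selected in the Outlook window (any open PST)
    Set fld = Application.ActiveExplorer.CurrentFolder
    If MsgBox("Process " & fld.FolderPath & "?", vbYesNo) <> vbYes Then Exit Sub
    If Not testmode And Dir(saveDir, vbDirectory) = "" Then
        MsgBox saveDir & " does not exist"
        Exit Sub
    End If

    For Each itm In fld.Items
        If TypeOf itm Is Outlook.MailItem Then   ' skip reports, meeting items
            For Each att In itm.Attachments
                ' Only file attachments and attached messages; skip OLE objects and links
                If att.Type = olByValue Or att.Type = olEmbeddeditem Then
                    n = n + 1
                    ' Counter prefix stops equal names overwriting each other
                    target = saveDir & Format(n, "00000") & "_" & SafeName(att.FileName)
                    Debug.Print target & vbTab & att.Size & vbTab & itm.Subject
                    If Not testmode Then att.SaveAsFile target
                End If
            Next att
        End If
    Next itm
    MsgBox n & " attachment(s) " & IIf(testmode, "listed", "saved")
End Sub

' File names come from the sender, so strip path and reserved characters.
Private Function SafeName(ByVal s As String) As String
    Dim c As Variant
    For Each c In Array("\", "/", ":", "*", "?", """", "<", ">", "|")
        s = Replace(s, c, "_")
    Next c
    SafeName = s
End Function
```

The log goes to the Immediate window (Ctrl+G in the VBA Editor), so a testmode run shows which message each attachment came from before anything is written to disk.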

Aspirant

Re: virus's inside Aquarius?

Well, I finally got the beast running, and have been several hours extracting from the suspect PST folders and all the others and running an F-Secure scan at most aggressive level on all. Nothing was found? Grrrrrrrr! Wondering where to go from here? Could this code be changed to extract all emails complete to the "attachments" folder? Your time and assistance so far is so, so much appreciated...glad it has been a fun time for you...for me it's a biggy in frustration :o) Wondering if the problem lies with F-Secure flagging "False Positives". I have heard this term but not a clue what it means...perhaps it's the get out clause that says they have no clue either? :o) Still, I have to assume now that all attachments are clean and start wondering what next?

Superuser

Re: virus's inside Aquarius?

I seem to recall Bitdefender had a similar false positives issue with certain types of email attachments. I posted on their forums about it, but it was many years ago. I'll pop over there and see if they've still got my old posts.

Superuser

Re: virus's inside Aquarius?

Sorry, I'm not having much luck at the moment. This goes back to about 2006, and they don't seem to have posts going back that far. I'll see what I can find out later, when I'm back on my usual Desktop.

Superuser

Re: virus's inside Aquarius?

I'm afraid I've drawn a blank on this. All I can recall is that when running a scan, which I think was with Bitdefender, it came up with several emails that it claimed contained viruses, yet no other scanner had done so, and the emails were several years old. I deleted them all anyway, but it turned out to be some weird attachments extension that was flagging up as false positives. Sorry I can't be more precise, and this could well be a wild goose chase, so I suggest you ignore the last three posts!

Advocate

Re: virus's inside Aquarius?

Nice :) But worse that nothing was found. I'm thinking if you never compacted the PST files, chances are that you might already have deleted the infected emails, but because you haven't done compact after those emails were deleted they are still present in the PST files. That could actually be the explanation to why you can't find them, but scanning the PST does find them. Think of it like all deleted items are being stored in an internal hidden folder inside the PST. Until you compact it. THEN it is emptied.

 

I think this is more likely than the infections being false-positives. A false-positive BTW is a clean file that is wrongly identified as "infected". If you have a file you think is safe and clean but it is detected as an infection, you can report it either from the scan results window or by submitting a sample to F-Secure SAS (Sample Analysis System). In that page you have 3 options to select what kind of sample it is: 1. Malware 2. Spyware/Adware/Riskware 3. False Positive

 

Back to topic, of course there's also a chance that the infections are in the email body and not in attachments as you say, but I guess PST compact is the reason. You really should compact the PST files even if it takes "forever" ;) Maybe that would solve the entire mystery?

I'll try and see if I can modify the code to save the entire emails. Not sure if it's possible to save as a .msg Outlook format (binary) as the drag-and-drop, or just as .txt files. The attachments were easy but an email can be in different formats. Well, I'll check it out and get back. Fun fun :P But we must get to the bottom of your problem, we're certainly getting closer to the solution I think!

Aspirant

Re: virus's inside Aquarius?

Thanks! Thanks! Thanks! NikK. 

 

I have compacted one while out working...took 10 hours.  Closed the window and now forgotten which one it was!!! :)

I shall compact all PST and come back in a few days after FS full computer aggressive scan.

 

Your comment about previously deleted files still present in absence of compacting...makes sense to me...onward and up em!

Advocate

Re: virus's inside Aquarius?

No worries if you forget. If you compact one that you've already compacted, it will be lightning fast compared to the first compact.

 

I'll await your results before looking into extracting complete emails.

Aspirant

Re: virus's inside Aquarius?

Just tried to run the Attachment Macro - it's run OK before but now I get

[Image: outlook macro.JPG]

 

Tried trawling the help menus but cannot find how to enable macros again....wondering if doing Control F11 instead of Alt F11 might have triggered it? Any ideas (probably staring me in front of nose)

 

UPDATE! Just after posting this I found the answer