Removing the ‘Here you have’ virus from Outlook Outbox

We have seen numerous instances of users whose PCs were supposedly cleaned of the virus but continue to send the message. This happens when Outlook is configured to use Cached Mode: while the virus was active, it filled the cached Outbox, which is sent as soon as the user opens Outlook. In addition, the virus prevents users from deleting the infected messages in the Outbox. To resolve this, follow these instructions:
1. Disconnect the computer from the network.
2. Change the user’s Outlook profile so that Cached mode is NOT used.
3. Restart Windows in Safe Mode, and log in as the local administrator.
4. Open My Computer, and navigate to:
   1. Windows XP: C:\Documents and Settings\%username%\Local Settings\Application Data\Microsoft\Outlook
   2. Windows 7: C:\Users\{username}\AppData\Local\Microsoft\Outlook
   NOTE: It may be necessary to change the folder view to show hidden files and folders. Be sure to change this setting back when done with this process.
5. Shift-Delete the OST file with the name of the user’s profile so that it is permanently deleted.
6. Restart Windows in normal mode and have the user log in.
7. Rescan using the Symantec removal tool.
8. Notify the Exchange Team so that the send limit can be removed.
9. Open Outlook and verify that everything appears normal.
10. The user’s Outlook profile may be put back in Cached mode. NOTE: Putting Outlook in cached mode will require the Windows Indexing service to re-index the mailbox. Re-indexing can take as long as several hours, and searches within Outlook may return incomplete or no results until the indexing is complete.
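
Steps 4 and 5 can also be done from an elevated PowerShell prompt. The script below is an added example, not part of the original instructions; the function name Remove-CachedOst, its parameters and the sample user jdoe are hypothetical. It assumes Windows PowerShell is available on the machine and that the OST file is named after the Outlook profile, as step 5 describes.

```powershell
# Added example: hypothetical helper covering steps 4 and 5.
function Remove-CachedOst {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        # Assumption from step 5: the OST is named after the Outlook profile.
        [Parameter(Mandatory = $true)][string]$ProfileName
    )

    # The OST cannot be deleted while Outlook holds it open.
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        throw 'Outlook is still running; close it before deleting the OST.'
    }

    # The two locations from step 4 (Windows XP, then Windows 7).
    $folders = @(
        "C:\Documents and Settings\$UserName\Local Settings\Application Data\Microsoft\Outlook",
        "C:\Users\$UserName\AppData\Local\Microsoft\Outlook"
    ) | Where-Object { Test-Path -LiteralPath $_ }

    if (-not $folders) {
        Write-Warning "No Outlook data folder found for $UserName."
        return
    }

    foreach ($folder in $folders) {
        # -Force makes Get-ChildItem include hidden files in the listing.
        $osts = Get-ChildItem -LiteralPath $folder -Filter '*.ost' -Force
        foreach ($ost in $osts) {
            if ($ost.BaseName -ne $ProfileName) {
                Write-Verbose "Skipping $($ost.FullName)"
                continue
            }
            if ($PSCmdlet.ShouldProcess($ost.FullName, 'Permanently delete')) {
                # Remove-Item bypasses the Recycle Bin, like Shift-Delete.
                Remove-Item -LiteralPath $ost.FullName -Force
            }
        }
    }
}

# Constructed sample call: preview with -WhatIf, then run again without it.
# Remove-CachedOst -UserName jdoe -ProfileName Outlook -WhatIf
```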
