"POWERPNT.EXE from your computer wants to connect to xxxxx.com" and Powerpoint is NOT running !

[clea]

Warning to Steve R.: If you have things to do and do not wish to go off on a
wild goose chase, stop reading immediately!!
Otherwise, Hi, I am the guy who, in June of this year had a presentation
that you found a strangely formed embedded gif with a call inside the gif to
the internet (or something like that. I went looking for the old thread but
couldn't find it.)

I think I have a new ghost in the machine. I do not have powerpoint
running, but I get a popup from Kerio firewall that says

Outgoing Connection Alert!
'POWERPNT.EXE' from your computer wants to connect to advxxxx.com
[123.456.78.90], port 80
Details about application:
c:\program files\microsoft office\office\powerpnt.exe

(I faked the xxxxx and the 123 part, but it is the same address as was in
the June problem)
So I look in Windows Task Manager (I am using Win2k) and I don't see
powerpoint in either the Applications list or the Processes list. Huh?

How can POWERPNT try to access the internet when it isn't even running!?!

Are there tricks I can try to narrow this down?

Thanks to anyone who dares venture into this weird one.

 

[Steve Rindsberg]

You're hogging all the good ones for yourself. It's not fair.
You have to share some of them with the others. ;-)

First thing I'd do if it were mine is to search the computer for other files
named PowerPnt.exe (thinking that some idiot virus may have installed itself as
such). And perhaps do a full text search for that same name (on the theory
that some idiot but insidious virus may launch a bat file that names some other
file to PowerPnt.exe, launches it and .... you get the idea.)

Warning to Steve R.: If you have things to do and do not wish to go off on a
wild goose chase, stop reading immediately!!
Otherwise, Hi, I am the guy who, in June of this year had a presentation
that you found a strangely formed embedded gif with a call inside the gif to
the internet (or something like that. I went looking for the old thread but
couldn't find it.)

I think I have a new ghost in the machine. I do not have powerpoint
running, but I get a popup from Kerio firewall that says

Outgoing Connection Alert!
'POWERPNT.EXE' from your computer wants to connect to advxxxx.com
[123.456.78.90], port 80
Details about application:
c:\program files\microsoft office\office\powerpnt.exe

(I faked the xxxxx and the 123 part, but it is the same address as was in
the June problem)
So I look in Windows Task Manager (I am using Win2k) and I don't see
powerpoint in either the Applications list or the Processes list. Huh?

How can POWERPNT try to access the internet when it isn't even running!?!

Are there tricks I can try to narrow this down?

Thanks to anyone who dares venture into this weird one.

--
Steve Rindsberg, PPT MVP
PPT FAQ: www.pptfaq.com
PPTools: www.pptools.com
================================================
Featured Presenter, PowerPoint Live 2004
October 10-13, San Diego, CA www.PowerPointLive.com
================================================

 

[clea]

The only POWERPNT.EXE file found in the Search Results is in C:\Program
Files\Microsoft Office\Office. Note that I entered lower text into the
search bar, but the file it found is all capital letters.
Thanks for the idea. I appear to be trojan free. (FWIW: Our company runs
Trend Micro virus scanner on all our PC's, and I also run Spybot S&D and
Lavasoft Adaware, and am pretty careful and aware about viruses and
trojans.)

Another clue: All 5 times that it has happened *may* have been first thing
when I come in for the morning. IE: I just got in, turned on the monitor,
ctr/alt/del and enter my password (password protected screensaver in Win2K),
and the Kerio Firewall popup is there to greet me. It was this way for the
last 3 mornings. Maybe monday or tuesday it happened during the day too, or
instead, but for sure the last 3 days it was *only* first thing in the
morning.

thanks.

 

[Steve Rindsberg]

The only POWERPNT.EXE file found in the Search Results is in C:\Program
Files\Microsoft Office\Office. Note that I entered lower text into the
search bar, but the file it found is all capital letters.

That's normal, I expect.

Another clue: All 5 times that it has happened *may* have been first thing
when I come in for the morning. IE: I just got in, turned on the monitor,
ctr/alt/del and enter my password (password protected screensaver in Win2K),
and the Kerio Firewall popup is there to greet me. It was this way for the
last 3 mornings. Maybe monday or tuesday it happened during the day too, or
instead, but for sure the last 3 days it was *only* first thing in the
morning.

Hmm. Check your startup folder for some kind of Office Startup thingeroo. In
some versions of Office it's set to load part of the Office code at startup to
make things faster later. I generally thump it on the head and set it out for
Mr. Recycle Bin to snack on.

thanks.

--
Steve Rindsberg, PPT MVP
PPT FAQ: www.pptfaq.com
PPTools: www.pptools.com
================================================
Featured Presenter, PowerPoint Live 2004
October 10-13, San Diego, CA www.PowerPointLive.com
================================================

 

[clea]

I usually get rid of the Office startup, and it was gone on this machine,
but there were quite a few other things that I decided to dump. (Too many
programs decide for themselves that they should Start when the computer
starts!!!)
Also, I ran the Sysinternals program called "Autoruns" (very cool FREE
utilities there) and I disabled a few other oddball things (like RealPlay
and Quicktime). I will reboot tonight and see how it is next week.

Thanks for the ideas.

 

[Steve Rindsberg]

I usually get rid of the Office startup, and it was gone on this machine,
but there were quite a few other things that I decided to dump. (Too many
programs decide for themselves that they should Start when the computer
starts!!!)
Also, I ran the Sysinternals program called "Autoruns" (very cool FREE
utilities there) and I disabled a few other oddball things (like RealPlay
and Quicktime). I will reboot tonight and see how it is next week.

And report back? Thanks!

Thanks for the ideas.

--
Steve Rindsberg, PPT MVP
PPT FAQ: www.pptfaq.com
PPTools: www.pptools.com
================================================
Featured Presenter, PowerPoint Live 2004
October 10-13, San Diego, CA www.PowerPointLive.com
================================================

 

[clea]

Well, now I do NOT get the Powerpoint popup, so your suggestion to look in
at the startup junk moved me to delete what must have been the culprit. I
can't say what it would have been, though.
But now that willy-nilly deleting may have caused this new popup, not from
Kerio, but from Outlook, I think. It just now popped up after coming out of
screen saver, and I have seen it several times the last few days.

"Warning: Opening "Default Security Settings"
The form for this item has not been registered in this folder or in your
company's forms library. Because this item contains macros, which could...
blah blah blah
Disable Macros Enable Macros"

I keep choosing Disable Macros, but I have no idea to what it is referring.
All I did was come out of screensaver.
Weird stuff. Thanks for the sympathy and suggestions...

 

[Steve Rindsberg]

Well, now I do NOT get the Powerpoint popup, so your suggestion to look in
at the startup junk moved me to delete what must have been the culprit. I
can't say what it would have been, though.

But now that willy-nilly deleting may have caused this new popup, not from
Kerio, but from Outlook, I think. It just now popped up after coming out of
screen saver, and I have seen it several times the last few days.

"Warning: Opening "Default Security Settings"
The form for this item has not been registered in this folder or in your
company's forms library. Because this item contains macros, which could...
blah blah blah
Disable Macros Enable Macros"

It does sound like Outlook (forms and all). But if you've got a thimble, I can
pour you all I know about Outlook and leave you room for some sake.

I keep choosing Disable Macros, but I have no idea to what it is referring.
All I did was come out of screensaver.
Weird stuff. Thanks for the sympathy and suggestions...

--
Steve Rindsberg, PPT MVP
PPT FAQ: www.pptfaq.com
PPTools: www.pptools.com
================================================
Featured Presenter, PowerPoint Live 2004
October 10-13, San Diego, CA www.PowerPointLive.com
================================================