Powerpoint file accesses the web, how, where, what, why ?

[Joey]

I received a powerpoint presentation that, when I first open it,
accesses the web. Kerio firewall tells me that :
'POWERPNT.EXE' from your computer wants to connect to xxxxxx.com
[123.123.12.12], port 80

After several minutes of viewing, it tries again (I get another Kerio
popup.)

How can I find out what/where in this presentation is calling out to
the website? This is a .ppt file, so I *probably* have access to the
raw programming...???

I am very computer literate, but have never used powerpoint. Any help
or suggestions would be very appreciated. Thanks.

 

[Mike M.]

Edit the PowerPoint file (either double click the .ppt or open PowerPoint
and open the file). Check each slide for images, sounds or video clips that
might be linked from the web. Try right clicking on each shape (image,
sound, whatever) and checking it's properties. Something in there came from
a web site.

 

[clea]

I used your FIXLINKS tool and it reports that there are no links!!
Any other ideas on how it could be accessing the web?

(Note: it was quite a trick to download the demo, your links don't work, i
had to type in ftp:\\ and find the directory, then copy/paste to my hard
drive.)
...............................................
This DEMO reports all links but only repairs image links.
To repair other link types, please register FixLinks Pro
at http://get.pptools.com

LINKED PICTURES, SOUNDS, MEDIA; SHAPES WITH ACTION SETTINGS
Slide ShapeName Mouse Status Link Type
===== ========= ===== ====== =========
5 Picture 5 M/C N/A embedded picture
File: Embedded; no link

ACTION SETTINGS ON TEXT WITHIN SHAPES
Slide ShapeName Mouse Status Link Type
===== ========= ===== ====== =========
HYPERLINKS
Slide ShapeName Status Link
===== ========= ====== =====
TRANSITION SOUNDS
=================
(NOTE: transition sounds are always embedded, not linked.)

Approximate link storage: 0 bytes
.................................................

I received a powerpoint presentation that, when I first open it,
accesses the web. Kerio firewall tells me that :
'POWERPNT.EXE' from your computer wants to connect to xxxxxx.com
[123.123.12.12], port 80

After several minutes of viewing, it tries again (I get another Kerio
popup.)

How can I find out what/where in this presentation is calling out to
the website? This is a .ppt file, so I *probably* have access to the
raw programming...???

Sounds as though there might be an image linked to a picture on the web.
Our free FixLinks demo includes a report tool that'll list the links in your
PPT presentation; that might help you track it down.

http://www.pptools.com

 

[Joey]

Edit the PowerPoint file (either double click the .ppt or open PowerPoint
and open the file). Check each slide for images, sounds or video clips that
might be linked from the web. Try right clicking on each shape (image,
sound, whatever) and checking it's properties. Something in there came from
a web site.

Thanks for the suggestion. This was the first thing I tried. I right
clicked on everything, looking for something in the hyperlink field.
All was empty.
This was confirmed by using the PPTools tool FixLinks.

Any other ideas? Can a script be embedded inside the .ppt somewhere?

 

[clea]

I'm assuming the IP address you quoted before was a dummy, not the real one the
firewall's reporting. What's the real address or domain?

Yes, I "dummied" it. The actual address is a competitor of my company,
hence my suspiciousness!!!! (A company that has nothing to do with
microsoft, or powerpoint tools, or any software helper app, or anything at
all like that.)

Do you get the same alarm when you just start PPT up on its own, no files
loaded? Some versions do attempt to connect to the net on startup.

No alarm from PPT on its own.

Do you have an AV program running and does it have an office scan feature?
That might be triggering a network connect attempt.

Yes, AV running on a corporate network, I'm sure it does have office scan
feature. But it would NOT intentionally go to a competitors website...

Thanks for letting me know you had trouble with this. Does your firewall have
any say in EXE downloads? I suspect that might be the problem here, because
thousands of people a month download these things and this is the first time
I've heard this complaint in five years or more.

I don't *think* so... It appears that the download demo links on this page
http://www.rdpslides.com/pptools/FAQ00026.htm
point to files that aren't actually there. I found them, and copied them,
from
ftp://www.rdpslides.com/pptools/

 

[Mike M.]

Have you checked to see if there are any macros in the presentation?
Tools->Macros.

 

[clea]

I don't see anything listed in there, either.
thanks.
any more ideas?

 

[clea]

Wow, thank you for this suggestion!
Until now, I had always been opening it from my Outlook inbox.
So now I saved it to my hard drive, NO MORE POPUP WARNINGS!
The warnings only come when i open it directly from outlook, so it must be
some script embedded in the forwarded email!!! Maybe it is tracking who is
getting the email, and who opens it, etc.
So I guess this means that the .ppt file is fine, but I need to decipher the
email message now.
Is it time to do some asking in a different newsgroup...??
Thanks a lot for the help.
(now i really have to figure this one out: either we have a spy employee, or
an employee got his PC hacked into, or his email corrupted somehow.)

 

[clea]

I got too excited from this that I forgot that the popup says "POWERPNT.EXE"
is trying to access blahblah.com.
So, for some reason it does not access when I open from the hard drive, but
it accesses when I open it from outlook.
Hmmm...

Maybe something gets lost just from the simple act of me clicking SAVE to
put in on my hard drive??

thanks

 

[Mike M.]

You might want to post the question in the Outlook Express NG.

 

[clea]

Steve - the reason I couldn't easily download from your website: BLACK ICE!
The previous day, I had installed some company software that secretly
installed a copy of Black Ice. After I couldn't download several other
files, I began to investigate, and found the Black Ice installer in a
company folder... So, your website was fine, it was my end.
thanks.

I still don't know what could be happening with the powerpoint presentation.
I don't get the warning when i open it from the hard-drive, only when I open
it from the email attachment.

 

[clea]

I forwarded it to a webmail account, and forwarded it back, and it still
does it.

I suppose there is a chance that *my* machine is somehow affected and doing
this???

 

[Echo S]

I know that sometimes PPT will trigger the trip to the web if someone's copied an image and then pasted it into PPT. It seems that some of the HTML tags or the URL or whatever can get included with the paste, and that triggers the web access.

I don't know that this would trigger as an actual link using FixLinks. Steve would have to fill me in on that.

I'd probably save the file as HTML and then view it in IE to see if the source info has any oddball URLs in them.

I'd probably try the same thing with the Outlook email itself. Save as a TXT file and then see if there's anything in the HTML code which points to the competitor site. I don't know much about this, but there are 1-pixel tracking gifs and things like that which may be the source of the problem.

--
Echo [MS PPT MVP]
http://www.echosvoice.com
presenter, PPT Live '04
Oct 10-13, San Diego http://www.powerpointlive.com

 

[clea]

I saved as html, and this is all it saved. It must be referencing the
actual material from somewhere else, because this html file is only 3k, but
the attachment is close to 1M.
How does it know where to find the 2004 NSM Breakout v2b.htm file? that
might shed some light on this.

=======================
<html>

<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name=ProgId content=PowerPoint.Slide>
<meta name=Generator content="Microsoft PowerPoint 9">
<link id=Main-File rel=Main-File href="../2004%20NSM%20Breakout%20v2b.htm">
<link rel=Preview href=preview.wmf>
<title>Title Here</title>
<![if !ppt]><script src=script.js></script><script>
<!--
var gNavLoaded = gOtlNavLoaded = gOtlLoaded = false;
function Load()
{
str=document.location.hash,idx=str.indexOf('#')
if(idx>=0) str=str.substr(1);
if(str) PPTSld.location.replace(str);
}
//-->
</script><![endif]>
</head>

<frameset rows="*,25" frameborder=0>
<frameset cols="20%,80%" id=PPTHorizAdjust framespacing=2>
<frame src=outline.htm name=PPTOtl>
<frameset rows="100%,*" id=PPTVertAdjust framespacing=2 frameborder=1
onload="Load()">
<frame src=slide0001.htm name=PPTSld>
<frame src=slide0001.htm name=PPTNts>
</frameset>
</frameset>
<frameset cols="20%,80%" framespacing=2 frameborder=0>
<frame src=outline.htm name=PPTOtlNav scrolling=no noresize>
<frame src=outline.htm name=PPTNav scrolling=no noresize>
</frameset>
</frameset>

</html>
=====================

I'd probably save the file as HTML and then view it in IE to see if the

source info has any oddball URLs in them.

I'd probably try the same thing with the Outlook email itself. Save as a

TXT file and then see if there's anything in the HTML code which points to
the competitor site. I don't know much about this, but there are 1-pixel
tracking gifs and things like that which may be the source of the problem.

--
Echo [MS PPT MVP]
http://www.echosvoice.com
presenter, PPT Live '04
Oct 10-13, San Diego http://www.powerpointlive.com

 

[Kathy J]

Clea,
Check in your temp files. Or, do a search for the file name, but make sure
that you are searching hidden files and system files. I am guessing that it
is in the Internet Temp space for your system.

(I've been following along in the background with interest. haven't had
anything to add, but am hoping to hear what the answer turns out to be for
future reference...)

--
Kathryn Jacobs, Microsoft MVP PowerPoint and OneNote
Author of Kathy Jacobs on PowerPoint - Available now from Holy Macro! Books
Get PowerPoint answers at http://www.powerpointanswers.com
Featured Presenter at PPT 2004 - http://www.pptlive/com

I believe life is meant to be lived. But:
if we live without making a difference, it makes no difference that we lived

I saved as html, and this is all it saved. It must be referencing the
actual material from somewhere else, because this html file is only 3k, but
the attachment is close to 1M.
How does it know where to find the 2004 NSM Breakout v2b.htm file? that
might shed some light on this.

=======================
<html>

<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name=ProgId content=PowerPoint.Slide>
<meta name=Generator content="Microsoft PowerPoint 9">
<link id=Main-File rel=Main-File href="../2004%20NSM%20Breakout%20v2b.htm">
<link rel=Preview href=preview.wmf>
<title>Title Here</title>
<![if !ppt]><script src=script.js></script><script>
<!--
var gNavLoaded = gOtlNavLoaded = gOtlLoaded = false;
function Load()
{
str=document.location.hash,idx=str.indexOf('#')
if(idx>=0) str=str.substr(1);
if(str) PPTSld.location.replace(str);
}
//-->
</script><![endif]>
</head>

<frameset rows="*,25" frameborder=0>
<frameset cols="20%,80%" id=PPTHorizAdjust framespacing=2>
<frame src=outline.htm name=PPTOtl>
<frameset rows="100%,*" id=PPTVertAdjust framespacing=2 frameborder=1
onload="Load()">
<frame src=slide0001.htm name=PPTSld>
<frame src=slide0001.htm name=PPTNts>
</frameset>
</frameset>
<frameset cols="20%,80%" framespacing=2 frameborder=0>
<frame src=outline.htm name=PPTOtlNav scrolling=no noresize>
<frame src=outline.htm name=PPTNav scrolling=no noresize>
</frameset>
</frameset>

</html>
=====================

I'd probably save the file as HTML and then view it in IE to see if the

source info has any oddball URLs in them.

I'd probably try the same thing with the Outlook email itself. Save as a

TXT file and then see if there's anything in the HTML code which points to
the competitor site. I don't know much about this, but there are 1-pixel
tracking gifs and things like that which may be the source of the problem.

--
Echo [MS PPT MVP]
http://www.echosvoice.com
presenter, PPT Live '04
Oct 10-13, San Diego http://www.powerpointlive.com

 

[Echo S]

Hm. the full link seems to be missing in this information, so I'd check in your temporary internet files folder as Kathy suggested. That may shed some light.

I'd also check the HTML of the Outlook email itself. Double-click to open the message in Outlook, then File/Save as/HTML. Open the HTML in IE and use View/Source to see if there are any hidden URLs in there.

--
Echo [MS PPT MVP]
http://www.echosvoice.com
presenter, PPT Live '04
Oct 10-13, San Diego http://www.powerpointlive.com

I saved as html, and this is all it saved. It must be referencing the
actual material from somewhere else, because this html file is only 3k, but
the attachment is close to 1M.
How does it know where to find the 2004 NSM Breakout v2b.htm file? that
might shed some light on this.

=======================
<html>

<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name=ProgId content=PowerPoint.Slide>
<meta name=Generator content="Microsoft PowerPoint 9">
<link id=Main-File rel=Main-File href="../2004%20NSM%20Breakout%20v2b.htm">
<link rel=Preview href=preview.wmf>
<title>Title Here</title>
<![if !ppt]><script src=script.js></script><script>
<!--
var gNavLoaded = gOtlNavLoaded = gOtlLoaded = false;
function Load()
{
str=document.location.hash,idx=str.indexOf('#')
if(idx>=0) str=str.substr(1);
if(str) PPTSld.location.replace(str);
}
//-->
</script><![endif]>
</head>

<frameset rows="*,25" frameborder=0>
<frameset cols="20%,80%" id=PPTHorizAdjust framespacing=2>
<frame src=outline.htm name=PPTOtl>
<frameset rows="100%,*" id=PPTVertAdjust framespacing=2 frameborder=1
onload="Load()">
<frame src=slide0001.htm name=PPTSld>
<frame src=slide0001.htm name=PPTNts>
</frameset>
</frameset>
<frameset cols="20%,80%" framespacing=2 frameborder=0>
<frame src=outline.htm name=PPTOtlNav scrolling=no noresize>
<frame src=outline.htm name=PPTNav scrolling=no noresize>
</frameset>
</frameset>

</html>
=====================

I'd probably save the file as HTML and then view it in IE to see if the

source info has any oddball URLs in them.

I'd probably try the same thing with the Outlook email itself. Save as a

TXT file and then see if there's anything in the HTML code which points to
the competitor site. I don't know much about this, but there are 1-pixel
tracking gifs and things like that which may be the source of the problem.

--
Echo [MS PPT MVP]
http://www.echosvoice.com
presenter, PPT Live '04
Oct 10-13, San Diego http://www.powerpointlive.com

 

[clea]

Well, i didn't find the reference on my hard drive as kathy suggested, but i
found a folder that must have been created when i saved as html as you
suggested. There is a lot of .html .jpg .png, a few .xml, and a few strange
ones: preview.wmf, oledata.mso, editdata.mso, image.wmz, and slide.emz
are any of these suspicious?

I saved as html, and this is all it saved. It must be referencing the
actual material from somewhere else, because this html file is only 3k, but
the attachment is close to 1M.
How does it know where to find the 2004 NSM Breakout v2b.htm file? that
might shed some light on this.

=======================
<html>

<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name=ProgId content=PowerPoint.Slide>
<meta name=Generator content="Microsoft PowerPoint 9">
<link id=Main-File rel=Main-File href="../2004%20NSM%20Breakout%20v2b.htm">
<link rel=Preview href=preview.wmf>
<title>Title Here</title>
<![if !ppt]><script src=script.js></script><script>
<!--
var gNavLoaded = gOtlNavLoaded = gOtlLoaded = false;
function Load()
{
str=document.location.hash,idx=str.indexOf('#')
if(idx>=0) str=str.substr(1);
if(str) PPTSld.location.replace(str);
}
//-->
</script><![endif]>
</head>

<frameset rows="*,25" frameborder=0>
<frameset cols="20%,80%" id=PPTHorizAdjust framespacing=2>
<frame src=outline.htm name=PPTOtl>
<frameset rows="100%,*" id=PPTVertAdjust framespacing=2 frameborder=1
onload="Load()">
<frame src=slide0001.htm name=PPTSld>
<frame src=slide0001.htm name=PPTNts>
</frameset>
</frameset>
<frameset cols="20%,80%" framespacing=2 frameborder=0>
<frame src=outline.htm name=PPTOtlNav scrolling=no noresize>
<frame src=outline.htm name=PPTNav scrolling=no noresize>
</frameset>
</frameset>

</html>
=====================

I'd probably save the file as HTML and then view it in IE to see if the

source info has any oddball URLs in them.

I'd probably try the same thing with the Outlook email itself. Save as a

TXT file and then see if there's anything in the HTML code which points to
the competitor site. I don't know much about this, but there are 1-pixel
tracking gifs and things like that which may be the source of the problem.

--
Echo [MS PPT MVP]
http://www.echosvoice.com
presenter, PPT Live '04
Oct 10-13, San Diego http://www.powerpointlive.com

 

[Echo S]

I don't think so but I wouldn't expect them to be. What you're looking at is,
taken as a whole, the HTML version of the original PPT file.

Since the original PPT file on its own doesn't trigger the attempt to connect
to the net, I wouldn't expect any of this stuff to do so either.

Back to Outlook, I think ...

Yes. I meant for Joey to save the actual Outlook message. I was thinking maybe there's a tracking GIF in there or something...

Echo

 

[clea]

I saved the message as text, didn't notice anything. Then I took the saved
file from my hard drive, created a new email, attached the file, sent it to
myself, and I still get the popup about web access! So now I think it rules
out the email and points back to the .ppt !!?!!
On both the original email, and my newly created email (I use Outlook) if I
double click on the message to open it in it's own window, I don't get the
paperclip icon in the upper right, it displays the attachment in a frame
down at the bottom of the email. When I click on the attachment down there,
I do NOT get the web access popups. (Also, reminder, opening the .ppt from
the hard drive does not give a popup.)
The only way I get the popups is if I am in Outlook, viewing the email in
the preview window/frame, and there is a paperclip, I click on the
paperclip, then click on the filename, then I get the web access popups.
How could .ppt know how it was being opened?
I got zero responses from the microsoft.public.outlook newsgroup. Maybe I
should try a new post with a more sensational headline...
I sure appreciate all your suggestions.
thanks

That would be the PPT file saved as HTML? Echo meant to save the message the
file was attached to as TXT. That may shed more light.

I saved as html, and this is all it saved. It must be referencing the
actual material from somewhere else, because this html file is only 3k, but
the attachment is close to 1M.
How does it know where to find the 2004 NSM Breakout v2b.htm file? that
might shed some light on this.

=======================
<html>

<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name=ProgId content=PowerPoint.Slide>
<meta name=Generator content="Microsoft PowerPoint 9">
<link id=Main-File rel=Main-File href="../2004%20NSM%20Breakout%20v2b.htm">
<link rel=Preview href=preview.wmf>
<title>Title Here</title>
<![if !ppt]><script src=script.js></script><script>
<!--
var gNavLoaded = gOtlNavLoaded = gOtlLoaded = false;
function Load()
{
str=document.location.hash,idx=str.indexOf('#')
if(idx>=0) str=str.substr(1);
if(str) PPTSld.location.replace(str);
}
//-->
</script><![endif]>
</head>

<frameset rows="*,25" frameborder=0>
<frameset cols="20%,80%" id=PPTHorizAdjust framespacing=2>
<frame src=outline.htm name=PPTOtl>
<frameset rows="100%,*" id=PPTVertAdjust framespacing=2 frameborder=1
onload="Load()">
<frame src=slide0001.htm name=PPTSld>
<frame src=slide0001.htm name=PPTNts>
</frameset>
</frameset>
<frameset cols="20%,80%" framespacing=2 frameborder=0>
<frame src=outline.htm name=PPTOtlNav scrolling=no noresize>
<frame src=outline.htm name=PPTNav scrolling=no noresize>
</frameset>
</frameset>

</html>
=====================

I'd probably save the file as HTML and then view it in IE to see if

the
source info has any oddball URLs in them.

I'd probably try the same thing with the Outlook email itself. Save as

a
TXT file and then see if there's anything in the HTML code which points to
the competitor site. I don't know much about this, but there are 1-pixel
tracking gifs and things like that which may be the source of the problem.

--
Echo [MS PPT MVP]
http://www.echosvoice.com
presenter, PPT Live '04
Oct 10-13, San Diego http://www.powerpointlive.com

--
Steve Rindsberg, PPT MVP
PPT FAQ: www.pptfaq.com
PPTools: www.pptools.com
================================================
Featured Presenter, PowerPoint Live 2004
October 10-13, San Diego, CA www.PowerPointLive.com
================================================

 

[clea]

Ha!
Yes, always-on high speed connection, active all the time.
It is about 800K file, and yes proprietary.
Now that I know about sending it to myself and it still has it, i will retry
the cut-it-in-half idea until I can localize which page(s) do this. I
will try to find a non-proprietary page, or delete the text or graphics, and
send you the problem.
thanks
-----------------------