"POWERPNT.EXE from your computer wants to connect to xxxxx.com" and Powerpoint is NOT running !

[clea]

Warning to Steve R.: If you have things to do and do not wish to go off on a
wild goose chase, stop reading immediately!!
Otherwise, Hi, I am the guy who, in June of this year had a presentation
that you found a strangely formed embedded gif with a call inside the gif to
the internet (or something like that. I went looking for the old thread but
couldn't find it.)

I think I have a new ghost in the machine. I do not have powerpoint
running, but I get a popup from Kerio firewall that says

Outgoing Connection Alert!
'POWERPNT.EXE' from your computer wants to connect to advxxxx.com
[123.456.78.90], port 80
Details about application:
c:\program files\microsoft office\office\powerpnt.exe

(I faked the xxxxx and the 123 part, but it is the same address as was in
the June problem)
So I look in Windows Task Manager (I am using Win2k) and I don't see
powerpoint in either the Applications list or the Processes list. Huh?

How can POWERPNT try to access the internet when it isn't even running!?!

Are there tricks I can try to narrow this down?

Thanks to anyone who dares venture into this weird one.

 

[clea]

The only POWERPNT.EXE file found in the Search Results is in C:\Program
Files\Microsoft Office\Office. Note that I entered lower text into the
search bar, but the file it found is all capital letters.
Thanks for the idea. I appear to be trojan free. (FWIW: Our company runs
Trend Micro virus scanner on all our PC's, and I also run Spybot S&D and
Lavasoft Adaware, and am pretty careful and aware about viruses and
trojans.)

Another clue: All 5 times that it has happened *may* have been first thing
when I come in for the morning. IE: I just got in, turned on the monitor,
ctr/alt/del and enter my password (password protected screensaver in Win2K),
and the Kerio Firewall popup is there to greet me. It was this way for the
last 3 mornings. Maybe monday or tuesday it happened during the day too, or
instead, but for sure the last 3 days it was *only* first thing in the
morning.

thanks.

 

[clea]

I usually get rid of the Office startup, and it was gone on this machine,
but there were quite a few other things that I decided to dump. (Too many
programs decide for themselves that they should Start when the computer
starts!!!)
Also, I ran the Sysinternals program called "Autoruns" (very cool FREE
utilities there) and I disabled a few other oddball things (like RealPlay
and Quicktime). I will reboot tonight and see how it is next week.

Thanks for the ideas.

 

[clea]

Well, now I do NOT get the Powerpoint popup, so your suggestion to look in
at the startup junk moved me to delete what must have been the culprit. I
can't say what it would have been, though.
But now that willy-nilly deleting may have caused this new popup, not from
Kerio, but from Outlook, I think. It just now popped up after coming out of
screen saver, and I have seen it several times the last few days.

"Warning: Opening "Default Security Settings"
The form for this item has not been registered in this folder or in your
company's forms library. Because this item contains macros, which could...
blah blah blah
Disable Macros Enable Macros"

I keep choosing Disable Macros, but I have no idea to what it is referring.
All I did was come out of screensaver.
Weird stuff. Thanks for the sympathy and suggestions...