July 10th 07, 12:16 PM posted to microsoft.public.windows.inetexplorer.ie6_outlookexpress
AlmostBob
Script error in OE6 html email

malware,
has been partly (mostly) removed, traces remain that attempt to add the
infector to outgoing replies
somewhere in registry, possibly in signatures
HKCU\identities\{number}\software\microsoft\outlook express\5.0\signatures

look in tools, options, signatures for something that shouldn't be there
--
-- -- -- -- --
Adaware http://www.lavasoft.de
spybot http://www.safer-networking.org
AVG free antivirus http://free.grisoft.com/
Etrust/Vet/CA.online Antivirus scan
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Super Antispyware http://www.superantispyware.com/
Panda online AntiVirus scan http://www.activescan.com
Panda online AntiSpyware Scan
http://www.pandasoftware.com/virus_info/spyware/test/
Catalog of removal tools (1)
http://www.pandasoftware.com/download/utilities/
Catalog of removal tools (2)
http://www3.ca.com/securityadvisor/n...aspx?CID=40387
Trouble Shooting guide to Windows http://mvps.org/winhelp2002/
Blocking Unwanted Parasites with a Hosts file
http://mvps.org/winhelp2002/hosts.htm
links provided as a courtesy, read all instructions on the pages before
use
Grateful thanks to the authors/webmasters
_
"Larry" wrote in message
...
Hi Michael,

We removed all other email accounts from her machine and we still have
the problem.

I checked her machine and the code is being added when she sends the
reply. The code is on the reply in her SENT ITEMS box and looks like
this:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16481" name=GENERATOR>
<STYLE></STYLE>

<SCRIPT src="http://127.0.0.1:37935/xpopup.js"
type=text/javascript></SCRIPT>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV style="FONT: 10pt arial">----- Original Message -----
<DIV style="BACKGROUND: #e4e4e4; font-color: black"><B>From:</B>
...

Larry


*****
Michael Santovec wrote:
: This is what OE would normally generate
:
: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
: <HTML><HEAD>
: <META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
: <META content="MSHTML 6.00.2900.3132" name=GENERATOR>
: <STYLE></STYLE>
: </HEAD>
: <BODY>
:
: If she looks in the message in the Sent Items folder at the Message
: Source (Ctrl-F3), is the script there? If not, then it's being
: inserted after leaving OE.
:
: Since it's only happening in replies, she should also look at the
: original message from you in her Inbox to see if it might have been
: inserted on the way in. But I don't think that likely.
:
:
: "Larry" wrote in message
: ...
: : Hi Michael,
: :
: : She is not using any signature.
: :
: : There is a second email account but the emails are being received
: : into the default account and replied to from the default account.
: : As well any original emails are from the default account.
: :
: : The script is in the head - see below:
: :
: : <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
: : <HTML><HEAD>
: : <META http-equiv=Content-Type content="text/html;
: : charset=iso-8859-1"> <META content="MSHTML 6.00.2900.3132"
: : name=GENERATOR> <STYLE></STYLE>
: :
: : <SCRIPT src="http://127.0.0.1:37935/xpopup.js"
: : type=text/javascript></SCRIPT>
: : </HEAD>
: : <BODY bgColor=#ffffff>
: : <DIV> </DIV>
: : <DIV style="FONT: 10pt arial">----- Original Message -----
: : <DIV style="BACKGROUND: #e4e4e4; font-color: black"><B>From:</B> <A
: :
: :
: : Michael Santovec wrote:
: : : Does she have more than one mail account in Tools, Accounts?
: : :
: : : New messages use the default account. Replies and forwards use
: : : the account that downloaded the message.
: : :
: : : Some differences in the accounts could be the mail servers that
: : : they pass through or using a different signature.
: : :
: : : If the script is towards the end of message, it could be a
: : : signature.
: : :
: : :
: : : "Larry" wrote in message
: : : ...
: : : : Thanks Michael,
: : : :
: : : : I had already checked her machine to make sure she is not using
: : : : any stationery or business cards in her emails. We have also
: : : : run a virus scan (latest defs), Adaware and Spybot and all were
: : : : clean.
: : : :
: : : : Further puzzling info on this: It is only being added to
: : : : replies, not original emails.
: : : :
: : : : She sent me an original html email which did NOT have the script
: : : : problem. I replied to this clean original html email from her.
: : : :
: : : : My reply to this email: I checked the html code for anything
: : : : like what she is getting just to make sure it isn't originating
: : : : on my machine and it was clean.
: : : :
: : : : When she replied to my reply, the script was added and the error
: : : : occurred. We did this twice to make sure of what was
: : : : happening. This also occurs if she replies to an html email
: : : : originated on my machine.
: : : :
: : : : Why this is being added to only replies and not original html
: : : : email is beyond reason. Any help appreciated!!
: : : :
: : : : Larry
: : : : *****
: : : : Michael Santovec wrote:
: : : : : She's probably using stationery and it has some script
: : : : : specified that doesn't make a lot of sense. It's looking for
: : : : : a script on a web server at port 37935 on the current PC
: : : : : (hers when sending, yours when reading). You are most likely
: : : : : getting the error that the script can't be found or the
: : : : : server connected to.
: : : : :
: : : : : Perhaps she has a virus.
: : : : :
: : : : : If you set OE to the restricted zone (Tools, Options,
: : : : : Security) OE shouldn't try to run it.
: : : : :
: : : : :
: : : : : "Larry" wrote in message
: : : : : ...
: : : : : : I have a friend whose html emails always cause a script
: : : : : : error. The line
: : : : : : that is causing the problem is added to all html emails she
: : : : : : sends for some reason.
: : : : : :
: : : : : : The line is
: : : : : : <SCRIPT src=3D"http://127.0.0.1:37935/xpopup.js"
: : : : : : =type=3Dtext/javascript></SCRIPT>
: : : : : :
: : : : : : Can anyone tell me how to get rid of this.
: : : : : :
: : : : : : Cheers,
: : : : : :
: : : : : : Larry
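
Added example, not part of the original thread: a Python check for the symptom discussed above, a SCRIPT tag in an HTML message whose src points at the local PC (127.0.0.1). It decodes quoted-printable bodies, so the =3D form quoted in the first post is handled too; the sample message and all function names are constructed for illustration.

```python
import email
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a quoted-printable HTML reply carrying the
# script line quoted in the thread plus one ordinary remote script.
SAMPLE_EML = (
    "From: sender@example.invalid\n"
    "Subject: Re: test\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=iso-8859-1\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "<HTML><HEAD>\n"
    '<SCRIPT src=3D"http://127.0.0.1:37935/xpopup.js" =\n'
    "type=3Dtext/javascript></SCRIPT>\n"
    '<SCRIPT src=3D"http://example.invalid/ok.js"></SCRIPT>\n'
    "</HEAD><BODY>reply text</BODY></HTML>\n"
)

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def is_loopback(url):
    """True if the URL's host is localhost or a loopback IP address."""
    host = urlparse(url).hostname or ""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # ordinary DNS name or empty host
        return False

def loopback_scripts(raw_message):
    """Return script URLs in the message's HTML parts that point at loopback."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = ScriptSrcCollector()
            collector.feed(part.get_content())  # transfer encoding already decoded
            hits += [s for s in collector.sources if is_loopback(s)]
    return hits
```

Feed it the raw Message Source of a message from Sent Items; an empty list means no loopback script reference was found.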



