
email attachments


14 replies to this topic

#1 oldsoldier

oldsoldier

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Location:County Durham, UK
  • Local time:09:22 AM

Posted 12 February 2005 - 06:11 AM

My OS is Windows Professional and I use Outlook Express. I send and receive emails and I file the originals. When I return to the originals to read them again I find that each one has an .htm attachment. ATT00011.htm, ATT00023.htm, and so on. When I open one of these attachments I find that it is an exact copy of the email it is attached to. Can someone please explain why my original emails have these attachments? How can I get rid of them? Thank you. oldsoldier



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,590 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:22 AM

Posted 13 February 2005 - 02:39 PM



#3 oldsoldier


Posted 14 February 2005 - 07:42 AM

Do you ever wish that you had never asked the question? I'm turned 70 and when I read Meryl's reply I am back in grammar school, there is an algebraic equation on the blackboard and it's my turn to go to the front and chalk up a solution. The teacher looks like that man beside Meryl's reply, and his cane is twitching. I haven't a clue and the class knows it and my anal orifice is icy cold. Oh happy days. I never did fathom algebra or any other branch of mathematics but I have lived to tell the tale. I suppose that the .htm's are here to stay and that they are harmless. Life is too short to worry about such trifles. Many thanks Meryl. Nice try, but this old head will never take it in in a month of Sundays. Kind regards, oldsoldier.

#4 Grinler


Posted 14 February 2005 - 03:11 PM

When you say you file the original emails what do you mean?

#5 oldsoldier


Posted 15 February 2005 - 07:42 AM

Lawrence,

I thought that this topic had ended but you have replied to my last posting and you need a reply.

I posted this question at Bleeping Computer and in the Computer Buyer forum. I had a reply from hans_gruber1 and it was obvious that he had misunderstood me. Probably my fault. So I sent another posting with a better explanation. Then there was a response from Bleeping Computer, and you know the rest.

When I say that I file my emails, I highlight them, create a suitable folder and put them in it. A folder for this and another for that. When I go back to look at them, they have .htm attachments.

Yesterday I phoned a neighbour and we discussed these .htm's. I asked him to send me a test email. When it arrived, seconds later, it had an ATT000??.htm attachment. I opened the attachment and it was an exact copy of the email. Because I thought that the .htm query had died a death, I deleted that email and I do not know the exact ATT000 number, but I have looked at others he has sent, I call them virgin emails because they are not generated with the reply button, and sure enough, each has an ATT000 [sometimes 4 x 0] and two digits, then the suffix htm.

I'm a researcher and I have a lot of data. I clean my computer with all of my security programmes. See the list in that long piece to hans_gruber1. It takes ages but I do it every night, without fail. Touch wood, I have not had a problem, no virus, no malware. Yesterday, I downloaded SpywareNuker 2005, the free version. Before I used it I went through my computer with all of the other security programmes. Nothing was found so I did a deep scan with Spyware Nuker. It found one problem. It was 'Phish.divxencoder - malware', which 'creates a false email portraying a Citibank letter asking the user to go to a specific website to confirm personal information, and that such information can be used to steal the user's identity'.

I searched for the dodgy file with 'run' and could not open it because it might be used by more than one application. I feel uneasy about SpywareNuker. I cannot see how I got this Phish malware object. I do not bank online or anything like that, but perhaps I do not need to do that to get that kind of malware. I am wondering if this Phish file has been 'found' to persuade me to register for the better version of SpywareNuker. I have a suspicious mind.

That is my story. Thanks for your interest.



Joined: 02 Sep 2003
Posts: 165

Posted: Sun Feb 13, 2005 4:11 pm Post subject:

--------------------------------------------------------------------------------

When you reply to an email, the original email that you are replying to is saved as a .htm file and sent as an attachment with the email that you are sending, so when the email gets to wherever it is sent, the .htm file is opened with the rest of the email so that whatever has been said previously can be viewed.

To get rid of them you would have to stop using the reply function and just create a new email message instead.
_________________
"Religion is a socio-political institution , for the control of peoples
thoughts lives and actions,based on ancient myths and superstitions,
perpetrated through generations of subtle yet pervasive brainwashing"



shafto5



Joined: 08 Dec 2004
Posts: 3

Posted: Sun Feb 13, 2005 7:16 pm Post subject: Thanks to hans_gruber1

--------------------------------------------------------------------------------

Thank you hans_gruber1 for your reply. I am thinking that you believe that the .htm attachments are only attached to emails which I have sent after clicking the reply button on a received email. In other words, I have received an email and have clicked the reply facility to create a new email. The new 'reply' email then has an .htm attachment and the content of that .htm attachment is an exact copy of the text of 'reply' email, or its carrier. BUT, the .htm attachments are attached to all of my outgoing emails, not solely the emails created with the 'reply' button. I receive emails from Australia and elsewhere and they have .htm attachments which copy their content. I have looked at all of my filed 'out' emails, and my 'virgin' emails, i.e. those sent as an original thought, and they have them as well. It is baffling. I have wondered if my Outlook Express is infected but this computer is running Norton System Works with System Doctor enabled, Clean sweep Internet Scan enabled, Clean Sweep Smart Sweep enabled, AVG 7.0 AntiVirus Professional, Kerio Personal Firewall 4, AdAware SE Personal 1.05, Spybot Search and Destroy 1.3, SpywareBlaster 3.2, and a-squared 1.5.2. Windows XP Pro Server Pack 2 has been installed and I ensure that Microsoft critical updates are downloaded and installed. I am confident that none of these are causing the problem. I am a compulsive searcher for virus and malware etc, and never fail to close down before checking and cleaning the computer. I always check the .htm's with Norton and AVG before I open them, just in case. I'm not the brightest person where computing is concerned so I do hope that I have been able to explain clearly what is happening. It is a puzzle. Many thanks for your reply.



hans_gruber1



Joined: 02 Sep 2003
Posts: 165

Posted: Sun Feb 13, 2005 9:37 pm Post subject:

--------------------------------------------------------------------------------

Ahh, I see, sorry to have misunderstood. Do you backup the emails, or just keep them in a certain folder? All I can think is that the body of the email is just linked to the .htm attachment, so is not necessarily duplicated.

Another thing, do you use signatures? I found this site, it says something about backing up emails, and signatures being saved as .htm files, probably totally irrelevant, but thought I would post it anyway!


shafto5



Joined: 08 Dec 2004
Posts: 3

Posted: Sun Feb 13, 2005 10:15 pm Post subject: The end of the road for .htm ?

--------------------------------------------------------------------------------

Thank you once again hans_gruber1. I do not back up my emails. They are filed in a system of folders in Outlook Express. Nor do I use signatures. Your interest is appreciated but I have a feeling that we have come to the end of the road and I will have to live with these curious .htm's. They seem to be harmless. About 50 people have seen my appeal and only you have responded. Out of curiosity, I entered the same appeal in a Bleeping Computer forum. There has been no response from that quarter. All the best. Shafto5

#6 Grinler


Posted 15 February 2005 - 06:04 PM

You are correct in the assumption that they may use false positives as a goad to make you purchase it. It has been documented here:


http://www.spywarewarrior.com/rogue_anti-spyware.htm

I personally do not think this is a security issue at all, but rather a "feature" of Outlook Express. If you open Outlook Express and click on Tools, then Options, then click on the Read tab, tell me how it is set under the Fonts and the International Settings buttons. What settings are being used there?

Also tell me under the Send tab if you are sending as plain text or HTML. Then tell me what the settings are under the International, HTML and Plain Text buttons.

Once again, this is not a malware issue, but rather how Microsoft handles mail sometimes in Outlook Express, and is harmless in my eyes, but I am curious what your settings are because I do not have this issue.

#7 Leurgy

Leurgy

    Voted most likely


  • Members
  • 3,831 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Collingwood, Ontario, Canada
  • Local time:09:22 AM

Posted 15 February 2005 - 06:38 PM

What version of Spyware Nuker do you have? According to Grinler's link version 2 is ok.

In the late spring or early summer of 2004, TrekBlue released a new version of SpywareNuker (version 2, also known as SpywareNuker 2004) which is not built on the codebase licensed from BPS (1). Testing with this new version  -- also released under the name pcOrion -- indicates that it does detect and remove spyware and adware. Moreover it is not prone to inexcusable false positives, as its predecessor was. Thus, the new SpywareNuker 2004 is a significant improvement on the justly discredited original version of SpywareNuker. Still further, the objectionable advertising on the pcOrion home page has been removed, and TrekBlue/TrekData has taken steps to clarify the history of its relationship with BlueHaven, which is no longer a TrekBlue/TrekData company. (1, 2)

Given that the issues surrounding Spyware Nuker and pcOrion have been addressed by the TrekBlue/TrekData, we can no longer consider Spyware Nuker or pcOrion to be "rogue/suspect" anti-spyware.


I searched for the dodgy file with 'run' and could not open it because it might be used by more than one application.


The fact that you found that file and were unable to delete it indicates it's active. You could try booting into safe mode and deleting it then. Also try one of the trojan programs like a squared or Trojan Hunter. They will have a better shot at cleaning it. You may be an unwitting host to the sending of emails in this phishing scam. Do you use a firewall?

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslo

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool


#8 oldsoldier


Posted 16 February 2005 - 02:45 PM

1. Reply to Grinler

OE - Tools - Options - Read Tab - Open Fonts.
Western European.
Proportional Font - Arial
Fixed-width Font - Courier New
Font size - Largest.
Encoding - Western European [Windows].
Default encoding - Western European.

OE - Tools - Options - Read Tab - International Settings.
Default encoding - Western European [Windows] - greyed.
Use default encoding for all incoming messages box - not ticked.

OE - Tools - Options - Send Tab - Mail Sending Format.
HTML ticked.

OE - Tools - Options - Send Tab - International Settings.
Default encoding - Western European [ISO] - highlighted.
Set default message direction right to left box - not ticked.
When replying to messages always use English headers box - ticked.

OE - Tools - Options - Send Tab - Mail Sending Format - HTML Settings.
Mime message format.
Encode text using quoted printable.
Allow 8 bit characters in headers box - not ticked.
Send pictures with messages box - ticked.
Indent message on reply box - ticked.
Automatic wrap text at 76 characters when sending - greyed.

OE - Tools - Options - Send Tab - Mail Sending Format - Plain Text Settings.
Mime ticked.
Encode Text using none.
Allow 8 bit characters in headers box - not ticked.
Uuencode - not ticked.
Automatically wrap text at 76 characters when sending - enabled
Indent the original text with > when replying and forwarding box - ticked.

OE - Tools - Options - Send Tab - News Sending Format.
Plain text - ticked.

OE - Tools - Options - Send Tab - News Sending Format - Html Settings.
Encode text using quoted printable.
Allow 8 bit characters in headers box - not ticked.
Send pictures with messages box - ticked.
Indent messages on reply box - ticked.
Automatically wrap text at 76 characters when sending - greyed

OE - Tools - Options - Send Tab - Plain Text Settings.
Mime not ticked.
Encode text using none - greyed.
Allow 8 bit characters in headers box - not ticked
Uuencode ticked.
Automatically wrap text at 76 characters when sending - enabled.
Indent the original text with > when replying or forwarding box - ticked.


* I use an HP 1010 LaserJet printer.



2. Reply to Leurgy

Spyware Nuker 2005. Not registered.

Kerio 4 Personal Firewall 4.1. Licenced/registered.
Installed a week ago.
.htm's have been with me since 2004.
a squared does not find it.
I will look at Trojan hunter.

Thank you Grinler.
Thank you Leurgy

#9 Grinler


Posted 16 February 2005 - 05:37 PM

Those are the same settings I have except I use plain text for sending email instead of HTML. I still don't think this particular issue is malware related as I have seen it on my machine a few times but no idea why it's happened.

What was the name of the file you can not delete?

#10 oldsoldier


Posted 16 February 2005 - 06:13 PM

Grinler

Phish.divxencoder

Spyware Nuker 2005 has found file >Phish.divxencoder< and says it is a malware. My current safety programmes have not zapped it.

I have looked at the Spyware Warrior Rogue/Suspect Anti Spyware site. Thank you. Caveat emptor. Spyware Nuker has been removed from the suspect list, so I might keep it and I might not. I am interested in the Trojan Hunter, but it might not zap the Phish.divxencoder. Where does one stop? When you have a computer your hand is never out of your pocket.

#11 Grinler


Posted 16 February 2005 - 06:14 PM

What is the actual filename though that it is finding? Is that the actual file name it's reporting?

#12 oldsoldier


Posted 17 February 2005 - 03:29 PM

Grinler

I have just scanned with Spyware Nuker 2005. This is what has been reported.


Version: 3.3.14.1
Definition Database Date: 2/3/2005 02:25:16 PM
OS version: Windows XP 5.1.2600 [Service Pack 2]
Web Browser Version: IE:6.0.2900.2180;
Date/Time: 02/17/2005 19:54:46


Phish.divxencoder - Malware 938 Creates a false email portraying a Citibank letter asking the user to go to a specific website to confirm personal information. Such information can be used to steal the user's identity.
File 938 C:\Program Files\a2 free\a2clean.dll

I use the free version of the a2 Anti-Malware programme. I am invited by Spyware Nuker to get rid of the file but I cannot because I am not licenced. Your views about these programmes will be appreciated. If the file is a risk, I have to thank Spyware Nuker for finding it. If it is a risk, maybe I should remove the a2 Anti-Malware programme and keep Spyware Nuker. If it is not a risk, perhaps the report is suspect and I should remove Spyware Nuker and keep A2. These programmes do not always say how many signatures are loaded. Yesterday, a2 had 7 plugins and 91270 signatures. Spyware Nuker does not say what it has. I have a lot of research data in my computer, about 300 Mb, and I do not mind paying to have it protected.

#13 Grinler


Posted 17 February 2005 - 04:38 PM

That's a false positive, which is why it had that write up in the list of rogue antispyware apps. A2clean.dll is a perfectly valid file. I would definitely remove spyware nuker of a2. A2 is a highly respected application.

#14 oldsoldier


Posted 18 February 2005 - 02:03 PM

Grinler,

Sir, Many thanks for your help and advice. Spyware Nuker has been removed.

OE - Tools - Options - Send - Plain has been ticked.

I will tell you if the .htm's cease.

This has been a profitable learning curve.

oldsoldier.

#15 Grinler


Posted 18 February 2005 - 02:22 PM

Let's hope it resolves your problem. I have gotten them myself in the past, just not sure what causes them.



