Pixel Mathtab Com

Windows 7 Ultimate x64 with all patches
Outlook 2010 14.0.7140.5002 (32-bit) with all patches

Every now and then when I click on a message in Outlook 2010 I see:

A scan using MSE does not show anything.  What is this and how do I get rid

January 27th, 2015 1:51am

Try using NetMon and check where the traffic is getting blocked. 
January 27th, 2015 2:00am

>Try using NetMon and check where the traffic is getting blocked
Did you read what I wrote or are you a bot?  I got a popup from Outlook saying it was trying to contact a tracking/malware site.  I am not concerned that it was being blocked.  I am concerned that it was trying to contact something.  How do I get rid of it and stop it from coming back?

January 27th, 2015 8:46am

Please try downloading, installing and scanning with free version of Malwarebytes AntiMalware (download link at bottom of page).

http://www.malwarebytes.org/antimalware/

If this is effective, consider upgrading to Premium version and/or reading reviews and tests of AntiVirus programs.
January 27th, 2015 9:33am

Hi,

Do you have any add-ins installed in Outlook? Some users who had a similar issue report that it disappeared when Outlook was started in safe mode, so you can also give that a try. To do this, press Windows key + R to open the Run command, type outlook /safe and press Enter. If the issue is gone in safe mode, we can use the following steps to find the problematic add-in:

1. Go to File > Options > Add-ins.

2. Select COM Add-ins from the Manage box, and then click Go.

3. Click to clear the check box for any add-ins that you want to disable.

4. Click OK, and then restart Outlook.

5. Go to File > Options > Add-ins again and re-enable one COM add-in.

6. Exit Outlook, and then restart Outlook.

7. If the issue doesn't come back, repeat steps 5 and 6 for another extension. Repeat step 7 until the issue comes back again.

8. Once we find the problematic add-in, contact the vendor of the COM add-in that is causing the issue, and then check whether there is an update to that COM add-in.

If the above doesn't help, we may also try using the Scanpst.exe tool to scan and repair your Outlook data file and see the result, which is also a method used to fix a similar issue. For your convenience:

http://support.microsoft.com/kb/272227/

Please let me know the result.

Regards,

Steve Fan

Forum Support

January 27th, 2015 11:45am

 How do I get rid of it and stop it from coming

January 27th, 2015 11:39pm

>Do you have any add-in installed in your Outlook?
The only Outlook add-ins are from Microsoft.
January 28th, 2015 7:48am

The only thing ADWCleaner identified on my machine were three registry entries:
***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\Installer\Features\B696D3C37BD0D6C33A65D38BEC459181
Key Found : HKLM\SOFTWARE\Classes\Installer\Products\B696D3C37BD0D6C33A65D38BEC459181
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B696D3C37BD0D6C33A65D38BEC459181

It missed one with the same GUID:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A771E8EB1E10BCE44AA8014E39DCC206\B696D3C37BD0D6C33A65D38BEC459181]

The details under those keys are below.  They appear to be associated with VC or C++.

Can someone confirm that these keys are associated with Pixel.Mathtab.com before I delete them?

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\B696D3C37BD0D6C33A65D38BEC459181]

"VC_RED_enu_x86_net_SETUP"=""
"Servicing_Key"=""
"VC_Redist_12222_x86_enu"=""
"FT_VC_Redist_ATL_x86"="VC_Redist_12222_x86_enu"
"FT_VC_Redist_CRT_x86"="VC_Redist_12222_x86_enu"
"FT_VC_Redist_MFC_x86"="VC_Redist_12222_x86_enu"
"FT_VC_Redist_MFCLOC_x86"="VC_Redist_12222_x86_enu"
"FT_VC_Redist_OpenMP_x86"="VC_Redist_12222_x86_enu"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B696D3C37BD0D6C33A65D38BEC459181]

"ProductName"="Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729"
"PackageCode"="6FA475E1FF6BF6040AF5CD353E55314B"
"Language"=dword:00000409
"Version"=dword:09007809
"Assignment"=dword:00000001
"AdvertiseFlags"=dword:00000184
"InstanceType"=dword:00000000
"AuthorizedLUAApp"=dword:00000001
"DeploymentFlags"=dword:00000003
"Clients"=hex(7):3a,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B696D3C37BD0D6C33A65D38BEC459181\SourceList]
"PackageName"="vc_red.msi"
"LastUsedSource"=hex(2):6e,00,3b,00,31,00,3b,00,63,00,3a,00,5c,00,38,00,38,00,\
  32,00,33,00,38,00,65,00,36,00,61,00,39,00,62,00,32,00,63,00,39,00,33,00,65,\
  00,66,00,35,00,66,00,5c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B696D3C37BD0D6C33A65D38BEC459181\SourceList\Media]
"DiskPrompt"="[1]"
"1"=";1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\B696D3C37BD0D6C33A65D38BEC459181\SourceList\Net]
"1"=hex(2):63,00,3a,00,5c,00,38,00,38,00,32,00,33,00,38,00,65,00,36,00,61,00,\
  39,00,62,00,32,00,63,00,39,00,33,00,65,00,66,00,35,00,66,00,5c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B696D3C37BD0D6C33A65D38BEC459181]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B696D3C37BD0D6C33A65D38BEC459181\InstallProperties]
"LocalPackage"="c:\\Windows\\Installer\\f0140.msi"
"AuthorizedCDFPrefix"=""
"Comments"=""
"Contact"=""
"DisplayVersion"="9.0.30729"
"HelpLink"=""
"HelpTelephone"=""
"InstallDate"="20110903"
"InstallLocation"=""
"InstallSource"="c:\\88238e6a9b2c93ef5f\\"
"ModifyPath"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,78,\
  00,65,00,20,00,2f,00,58,00,7b,00,33,00,43,00,33,00,44,00,36,00,39,00,36,00,\
  42,00,2d,00,30,00,44,00,42,00,37,00,2d,00,33,00,43,00,36,00,44,00,2d,00,41,\
  00,33,00,35,00,36,00,2d,00,33,00,44,00,42,00,38,00,43,00,45,00,35,00,34,00,\
  31,00,39,00,31,00,38,00,7d,00,00,00
"NoModify"=dword:00000001
"NoRepair"=dword:00000001
"Publisher"="Microsoft Corporation"
"Readme"=""
"Size"=""
"EstimatedSize"=dword:000000f0
"UninstallString"=hex(2):4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,\
  78,00,65,00,20,00,2f,00,58,00,7b,00,33,00,43,00,33,00,44,00,36,00,39,00,36,\
  00,42,00,2d,00,30,00,44,00,42,00,37,00,2d,00,33,00,43,00,36,00,44,00,2d,00,\
  41,00,33,00,35,00,36,00,2d,00,33,00,44,00,42,00,38,00,43,00,45,00,35,00,34,\
  00,31,00,39,00,31,00,38,00,7d,00,00,00
"URLInfoAbout"=""
"URLUpdateInfo"=""
"VersionMajor"=dword:00000009
"VersionMinor"=dword:00000000
"WindowsInstaller"=dword:00000001
"Version"=dword:09007809
"Language"=dword:00000409
"DisplayName"="Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B696D3C37BD0D6C33A65D38BEC459181\Patches]
"AllPatches"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B696D3C37BD0D6C33A65D38BEC459181\Usage]

It missed one with the same GUID:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A771E8EB1E10BCE44AA8014E39DCC206\B696D3C37BD0D6C33A65D38BEC459181]
"PatchGUID"=""
"MediaCabinet"=""
"File"="FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8"
"ComponentVersion"="9.0.30729.1"
"ProductVersion"="9.0.30729"
"PatchSize"="0"
"PatchAttributes"="0"
"PatchSequence"="0"
"SharedComponent"="0"
"IsFullFile"="0"

 

January 28th, 2015 8:24am
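Added example (not part of the original thread): the 32-character key name in the export above is Windows Installer's packed form of a product code, so it can be unpacked and compared with the `{GUID}` in the same export's `UninstallString`. The function names are illustrative; the two constants are copied from the post.

```python
import re

# Values copied from the registry export posted above.
PACKED = "B696D3C37BD0D6C33A65D38BEC459181"
UNINSTALL_HEX = (
    "4d,00,73,00,69,00,45,00,78,00,65,00,63,00,2e,00,65,00,"
    "78,00,65,00,20,00,2f,00,58,00,7b,00,33,00,43,00,33,00,44,00,36,00,39,00,36,"
    "00,42,00,2d,00,30,00,44,00,42,00,37,00,2d,00,33,00,43,00,36,00,44,00,2d,00,"
    "41,00,33,00,35,00,36,00,2d,00,33,00,44,00,42,00,38,00,43,00,45,00,35,00,34,"
    "00,31,00,39,00,31,00,38,00,7d,00,00,00"
)

def unpack_guid(packed):
    """Convert a 32-char packed Installer product code to {GUID} form."""
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", packed):
        raise ValueError("expected 32 hex characters")
    p = packed.upper()
    # The first three fields are stored reversed character by character.
    head = [p[0:8][::-1], p[8:12][::-1], p[12:16][::-1]]
    # The last 8 bytes keep their order but swap the two nibbles of each byte.
    tail = "".join(p[i + 1] + p[i] for i in range(16, 32, 2))
    return "{%s-%s-%s-%s-%s}" % (head[0], head[1], head[2], tail[:4], tail[4:])

def decode_reg_hex(value):
    """Decode the byte list of a .reg hex(2) value (UTF-16LE text)."""
    cleaned = value.replace("\\", "")
    raw = bytes(int(b, 16) for b in cleaned.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")

def product_code_matches(packed, uninstall_hex):
    """True if the key name and the MsiExec /X{...} product code agree."""
    cmd = decode_reg_hex(uninstall_hex)
    m = re.search(r"\{[0-9A-Fa-f-]{36}\}", cmd)
    return bool(m) and m.group(0).upper() == unpack_guid(packed)

if __name__ == "__main__":
    print(unpack_guid(PACKED))
    print(decode_reg_hex(UNINSTALL_HEX))
    print(product_code_matches(PACKED, UNINSTALL_HEX))
```
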

>am a fan of MalWareBytes
MalWareBytes found nothing.
January 28th, 2015 8:45am

Can someone confirm that these keys are associated with Pixel.Mathtab.com before I delete them?

At a bare minimum, it's obvious that your system has become infected just by the sheer results searching the topic. This is something that goes well beyond "just Outlook" BUT doing nothing else than a quick Google search on

"B696D3C37BD0D6C33A65D38BEC459181"

Shows that this is also related to a virus profile. What you're asking is for some guarantee that this thing hasn't masked itself in some fashion.

Comes down to

#1 - If you run Malwarebytes as <mystifeid> suggested (which I would also have suggested if it wasn't mentioned already) and
#2 - You run ADWCleaner to eliminate what it finds

Does the problem resolve itself? If you don't trust the above 2 programs and want 100% certainty/recoverability - then take an image backup of your system before running them but if the above 2 items don't clean it up and none of the other suggestions in any other related articles do either, then you have a far greater problem to deal with in terms of your system in general.

 

January 28th, 2015 8:58am

Hi Saberman,

Any update on this issue? Please don't hesitate to post back.

Regards,

Steve Fan

Forum Support

January 30th, 2015 6:09am

>Any update on this issue?
I allowed ADWCleaner to delete the three registry entries it found and left the one it didn't find in place.

I also added two lines to my hosts file:
        127.0.0.1       mathtag.com
        127.0.0.1       pixel.mathtag.com

Waiting to see if popup shows up again.

January 30th, 2015 7:18am

I also added two lines to my hosts file:
        127.0.0.1       mathtag.com
        127.0.0.1       pixel.mathtag.com

One flaw with the above - if the only reason that you're not getting the popup is the entries in the Hosts file, it means that all you have done is deal with the "symptom" versus the underlying "cause" - in short you still have an infected system. An analogy would be someone having on-going recurring headaches - two ways to deal with it - (1) keep taking pills to avoid experiencing headaches or (2) find out what's causing the problem in the first place and fix it to avoid recurrence.
January 30th, 2015 7:51am

No. The problem is when I click on certain emails I see the popup.  I suspect the sender's system is infected and the email is causing a reference to the URL.  Not sure why there is a popup as any self-respecting virus won't show it.

I can't clean everyone's system but I can stop the reference to the URL from doing anything which is what the change to the hosts file does.

To continue with your analogy -- the change to the hosts file acts as a vaccine that prevents future infections.

January 30th, 2015 8:39am

You're absolutely correct if the issue is related to a tracking pixel contained in the email body but it would also follow that the issue would likely show itself in messages from the same sender or specific senders. Also agree with you in terms of adding the entries in the Hosts file to remap the domain in the tracking pixel to 127.0.0.1 (local host loopback address). However, the change to the Hosts file <in and of itself> would not prevent something from adding a tracking pixel to outbound email messages - the only people who would know that are the recipients. In any case, don't know enough about this particular issue to know how it manifests itself on the host system so will leave it at that.

January 30th, 2015 9:05am

>the issue would likely show itself in messages from the same sender or specific senders
Note that the source of the popup is Outlook itself.  I suspect the message only appears when there is congestion on the path to the URL.  If the response is quick there would be no need for the popup. 

There is a good description of the problem at:
http://www.msoutlook.info/question/720

January 30th, 2015 9:32am

There is a good description of the problem at:
http://www.msoutlook.info/question/720

January 30th, 2015 10:10am

I had an interesting experience when I clicked on the link to this thread:

Since I use VirtualBox and backup the VM there is a simple solution -- go back aways.  On the other hand it can be interesting to play with an infected VM.  Especially since MSE and a few other "protection" systems failed to detect and protect.

As the saying (curse) goes: May you live in interesting times.

January 30th, 2015 11:49am

The problem is when I click on certain emails I see the popup. 

Are these emails sent from the same sender? Or from users in same domain?

Seems the issue disappeared after modifying the Hosts file, correct? If you need further assistance on this issue, please don't hesitate to contact us.

Regards,

Steve Fan

Forum Support

February 3rd, 2015 3:06am

>Are these emails sent from the same sender? Or from users in same domain?
Same sender: seagate.com

I have a couple of messages stored that I use to test with.  The problem is much less but occasionally I still see the contacting: \\pixel.mathtag.com\Event popup.  It doesn't last as long and doesn't hang Outlook

I looked at the source for one of the messages and found:

<p style='"Times New Roman"'><img border=0 width=1 height=1 id="_x0000_i1038" src="//pixel.mathtag.com/event/img?mt_id=662414&amp;mt_adid=130312&amp;v1=&amp;v2=&amp;v3=&amp;s1=&amp;s2=&amp;s3="><img border=0 id="_x0000_i1039" src="http://app.e.seagate.com/e/FooterImages/FooterImage1?elq=b449ba3e3ed54a0cb70c5d9fe991463a&amp;siteid=43975733"><o:p></o:p></span></p>

February 3rd, 2015 9:58am

I looked at the source for one of the messages and found:

<p style='"Times New Roman"'><img border=0 width=1 height=1 id="_x0000_i1038" src="//pixel.mathtag.com/event/img?mt_id=662414&amp;mt_adid=130312&amp;v1=&amp;v2=&amp;v3=&amp;s1=&amp;s2=&amp;s3="><img border=0 id="_x0000_i1039" src="http://app.e.seagate.com/e/FooterImages/FooterImage1?elq=b449ba3e3ed54a0cb70c5d9fe991463a&amp;siteid=43975733"><o:p></o:p></span></p>

That is generally referred to as a "tracking pixel" - not intended to be visible in a message - a technique commonly used by many to determine if their message was opened for "tracking" purposes

Diagnostic page for mathtag.com
http://google.com/safebrowsing/diagnostic?site=mathtag.com/

What is Pixel tracking definition ?
http://digitalmarketing-glossary.com/What-is-Pixel-tracking-definition

Web bug
http://en.wikipedia.org/wiki/Web_bug

February 3rd, 2015 4:02pm
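Added example (not part of the original thread): a small audit of a message's HTML source that lists every remotely loaded image, marks 1x1 images, and marks `src` values that start with `//` like the one quoted above, whose host is the same one shown in UNC form in the popup. The class and function names are illustrative; the sample is the two `<img>` tags from the quoted message.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# The two <img> tags from the message source quoted in the thread.
SAMPLE = (
    '<img border=0 width=1 height=1 id="_x0000_i1038" '
    'src="//pixel.mathtag.com/event/img?mt_id=662414&amp;mt_adid=130312'
    '&amp;v1=&amp;v2=&amp;v3=&amp;s1=&amp;s2=&amp;s3=">'
    '<img border=0 id="_x0000_i1039" src="http://app.e.seagate.com/e/'
    'FooterImages/FooterImage1?elq=b449ba3e3ed54a0cb70c5d9fe991463a'
    '&amp;siteid=43975733">'
)

class RemoteImageAudit(HTMLParser):
    """Collect every <img> whose src names a remote host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        parts = urlsplit((a.get("src") or "").strip())
        if not parts.hostname:
            return  # cid:, data: and relative paths fetch nothing remote
        self.findings.append({
            "host": parts.hostname,
            # No scheme before the host means the src began with "//".
            "protocol_relative": parts.scheme == "",
            "one_pixel": a.get("width") == "1" and a.get("height") == "1",
            # Non-empty query parameters are what the request would report.
            "params": dict(parse_qsl(parts.query)),
        })

def audit(html):
    """Return one finding per remotely loaded image in the HTML."""
    parser = RemoteImageAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
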

This topic is archived. No further replies will be accepted.