Problems with Microsoft Narrator

[Guest]

This program has become an issue when working in Word 2003 and I cannot seem
to find a way to keep it from being activated. The real problem is not with
its inadvertent activation but with the fact that it does not shut down
properly when you exit. Once activated it will continue to run in the
background. When typing say in the 100 wpm range it is easy to accidently
hit the window key + u when actually trying to hit control + u for
underline.
The window+u will activate the narrator. Closing out is easy enough using
exit or the red X but this does not stop the process running in the
background. It will continue to run and couse problems when you shutdown or
restart. When you go to reboot or shutdown your computer for the day the
narrator will come right back up and not close out properly. What I usually
do if this happens is hit the red x on the two popups that come up with the
narrator as the machine is in the shutting down phase. Fist off I should
not have to do this. When I cancel it while in word it should completely
shut down and not cause this problem. Second, I was shutting down today and
did not get to the second popup in time and as I clicked it the machine was
just about to turn off. As I clicked that second popup's red X a blue
screen error came up stating that windows needed to be shut down in order to
protect the machine. It was a memory dump blue screen error. This was a
lttle worrysome to say the least. Had to hit the off button and then had
problems with the fans which started running at super high speed. Had to
hold in the off button to get machine to shutdown.

I would like to know why the circumstances surrounding this program not
shutting down properly would have caused a blue screen memory dump error
based on what I described above and what I can do to completely deactivate
this program so that this does not happen anymore? Any help would be greatly
appreciated.

KM1

 

[Ted Zieglar]

You might try your question here:
news://microst.public.windowsxp.accessibility

 

[Ramesh, MS-MVP]

When I press the WinKey + U key combo, and then press "Cancel" in the
resulting dialog, I still see a copy of Utilman.exe running in the
background. In the Utility Manager window that appears, select the line
reading "Narrator is not running" and then uncheck the option "Start
automatically when Utility Manager starts". Click OK. Then, you may Kill the
utilman.exe process via Task Manager.

 

[Guest]

My utility manager is set as you specify by default. My main issue is that
this program should not run in the backgraound after canceling it. It does.
Is there a way to keep this program from coming up if you inadvertently hit
the Winkey + U? Can this option be deactivated some how?

Also, Why when shutting down the computer, or rebooting, does this program
come back up and not shut down properly? This dog gone thing comes back up
when you try and shut down the computer even though you cancelled out of it
long before. I am not sure but I think that when I tried to click the cancel
button of one of the windows that came up, when I was closing down windows,
may have caused my blue screen memory dump error. Is that possible????

 

[Ramesh, MS-MVP]

Can this option be deactivated some how?

Yes, if you have Windows XP Professional. Load the Secpol.msc snap-in and
then disallow utilman.exe program. WinKey should now launch utilman.exe now.

 

[Ramesh, MS-MVP]

Correction:

WinKey should *NOT* launch utilman.exe now.

 

[Guest]

Do not have XP Pro, have XP Home Edition. By the way, do you have any
explanation for the blue screen memory dump error I got when closing down
windows when this program started running as the machine was shutting down.
--
KM1

Correction:

WinKey should *NOT* launch utilman.exe now.

 

[Ramesh, MS-MVP]

What was the error code displayed in the dump, and the module name if any?

 

[Guest]

I did not record this information. Is there a place where I can look for it
on my computer? Is it saved anywhere automatically? I checked the minidump
file and it was not located there, is there anywhere else?

Also, an unrelated topic. The computer we are working is very important and
used for business purposes as well as financial purposes. I cannot afford to
have any troubel with it. Not only is the situation above troublesome but I
recently added Microsoft Money to my computer and this program added two
BHO's files that were not listed before. I added this program without being
connected to the internet and the two BHO's files where not on my hijackthis
log before the program was added. Once I added this program they appeared on
my hijackthis log which I ran right after adding the program and before I
connected to the internet. These two files are:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

I am concened because one of my spyware scanners lists them both as spyware.
One as coolwebsearch and one as superology. However, I know they came from
the addition of Money. Can you direct me to somewhere or someone that can
tell me exactly what these two BHO's do and why they where added to my
computer? Any help would be appreciated, Thanks.

 

[Ramesh, MS-MVP]

You may check the Event Logs (eventvwr.msc)

For the BHO issue:
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
This is added by Microsoft Money.

The following is *suspicious* - possible CWS control.
{549B5CA7-4A86-11D7-A4DF-000874180BB3}
Ref: http://labs.paretologic.com/spyware.aspx?remove=Trojan/CWS Combo

Note: In both the above cases, HJT log says "(no file)", so the actual
module has been removed from your system already. If you're much concerned
(as this is a business computer), try posting your HJT log to www.aumha.net
forums. You'll get assistance from the best spyware removal experts there.

 

[Guest]

As far as the event viewer, there is nothing in it. I think the machine was
just about to shut down on its own. Nothing was recorded in the event viewer
regarding the memory dump error.

As far as the BHO's, I have been doing some searching myself as well and
found the same things you mentioned in your post. However, I added Microsoft
Money to my computer without being connected to the internet and did a
hijackthis log before I ever was connected again. Both of these BHO's were
added by Money. If that one is a variant of CWS, which is also what my
Xcleaner scanner is telling me, then Microsoft is adding spyware to my
machine. I need to be able to discuss these two BHO's with someone and
should not have to pay for support for it. Do you have anyone I can contact
or talk to regarding this. I know if I post a hijackthis log they will just
tell me to remove the two items and I do not want to do that if they are both
part of Money and may be needed for a function I have yet to use. By the way
this post regarding these two issues from DSL Reports BroadBand.com helps to
identify a lttle bit regarding where they are from,
http://www.dslreports.com/forum/remark,12921040?hilite=hang
however, I have also found the 549... one listed on some sites as a
Trojan/CWS combo. If you read through the above post about in the middle it
says that once they removed Money from their computer these two BHO's were
gone. I want to use Microsoft Money and need to find out about these two
items, who do I contact to do this???

 

[Ramesh, MS-MVP]

Why not crosspost this in Money groups?

I'd simply try installing MS Money in a test system and then compare the
BHOs. Then, I'd find the InProcServer32 for that control. That's would give
the exact info you require. {549B5CA7-4A86-11D7-A4DF-000874180BB3}

Secondly, both the GUIDs you posted shows (no file), so they are removed
anyways. how?

 

[Guest]

I will look for the Money groups but last time I looked I did not find any
community for this. Where is it???

I do not know what you mean by the InProcServer32? What is this, how is it
found, and how do I use it???

Those GUID's where added when I added Microsoft Money and they where not
connected to a file from the get go. I check my hijackthis log all the time
and have saved the log. I disconected from the internet, then turned off all
my virus protection, spyware protection, and firewall, then I added the
program. When I restarted my Microsoft Antispyware it told me I had new
bho's and they needed my approval. I clicked allow and then ran a
hijackthislog and those two bho's were there as you see them, no file. I had
not connected to the internet at all yet. I then ran Xcleaner and it
identified one file as CoolWebSearch and the other as Superology, both
spyware. However, how could this be they where from Microsoft Money. I did
not remove anything yet so that is why I am questioning these files. Either
Microsoft is adding spyware to their programs or they are false positives. I
have no other explanation. Any more help or direction you could give me
would be appreciated.

Did you look at the DSL report link I gave you, it talks about these two
files. However, I have also found the one,
549B5CA7-4A86-11D7-A4DF-000874180BB3, on on spyware site listed under a
Trojan/CWS. What should I believe? How can both be part of money and the
same number come up as a Trojan/CWS on another site? Again any more
direction would be appreciated.

 

[Ramesh, MS-MVP]

Where is it???

Microsoft Public Newsgroups:
http://aumha.org/nntp.php


After installing Money on a test system, load Regedit.exe and navigate to:

HKEY_CLASSES_ROOT\{GUID}\InProcserver32

In the right-pane, note down the (default) value. It will point to a DLL
file. (This file name will give you a clue)

Repeat the same for the other BHO / GUID.


Perhaps that particular Malware is using the same GUID string... Again, the
InProcserver32 should reveal the secret.

From what I see in this situation, it looks like a False-positive.

--
Ramesh, Windows XP MVP
http://windowsxp.mvps.org

I will look for the Money groups but last time I looked I did not find any
community for this. Where is it???

I do not know what you mean by the InProcServer32? What is this, how is
it
found, and how do I use it???

Those GUID's where added when I added Microsoft Money and they where not
connected to a file from the get go. I check my hijackthis log all the
time
and have saved the log. I disconected from the internet, then turned off
all
my virus protection, spyware protection, and firewall, then I added the
program. When I restarted my Microsoft Antispyware it told me I had new
bho's and they needed my approval. I clicked allow and then ran a
hijackthislog and those two bho's were there as you see them, no file. I
had
not connected to the internet at all yet. I then ran Xcleaner and it
identified one file as CoolWebSearch and the other as Superology, both
spyware. However, how could this be they where from Microsoft Money. I
did
not remove anything yet so that is why I am questioning these files.
Either
Microsoft is adding spyware to their programs or they are false positives.
I
have no other explanation. Any more help or direction you could give me
would be appreciated.

Did you look at the DSL report link I gave you, it talks about these two
files. However, I have also found the one,
549B5CA7-4A86-11D7-A4DF-000874180BB3, on on spyware site listed under a
Trojan/CWS. What should I believe? How can both be part of money and the
same number come up as a Trojan/CWS on another site? Again any more
direction would be appreciated.