Tech Support Guy: Virus & Other Malware Removal

[Solved] Ghost words virus? {speech recognition program}


ronhum
Member with 227 posts.
THREAD STARTER
 
Join Date: Sep 2002
Location: Texas
05-Sep-2002, 04:44 PM #1
Ghost words virus?
I recently got rid of a weird program that kept sending me to a weird site called xupiter. It kept resetting the homepage, etc. I finally got rid of it. But evidently acquired another problem at the same time.

When I run IE, it runs very sluggishly, and random words type in the search window as if a ghost is typing them. It also happens in other sites such as Yahoo, and would happen right here in this Window, if I was not on another computer. When not typing words, it seems to type little dots, etc. The words seem to possibly be coming from the web page that I am on, and seem to be automatic rather than a person typing them.

I installed Netscape 7, and this does not happen there.
Norton does not pick this up, and I ran a bot and trojan cleaner, and they found nothing.

This has made IE totally unusable, and no one really seems to be able to help me, as they say they have never seen it.

Any help on the removal of this "ghost writer" as I call it?
Rollin' Rog
Member with 45,855 posts.
 
Join Date: Dec 2000
Location: North of Hollywoodland
Experience: I know when to fold em'
05-Sep-2002, 05:03 PM #2
I see you posted a list of your startups here:

http://forums.techguy.org/showthread...195#post525195

Has it changed any since uninstalling xupiter?

And do you have a startup manager to help troubleshoot starting applications, such as...

http://www.mlin.net/StartupCPL.shtml

And I'd suggest running Spybot in addition to Ad-Aware:



Installing and running Spybot:

http://beam.to/spybotsd

1 -- create a new, 'host' folder in a convenient location (not on the desktop)

2 -- download the spybot program to it and run the setup file.

3 -- go to the Start Menu, find the program and run it. Click the "online" tab and "Search for Updates", then make your selection and click "Download Updates". You will not need to update the "main" program and can probably ignore the language and PGP (Pretty Good Privacy) updates.

4 -- run the scan (click "check all"). You will see some boxes checked and others not. Remove the pre-selected items. The others are mainly "cleanup" options (you can disable this feature by clicking Settings > FileSets, and unchecking "Usage Tracking". "System Internals" should be unchecked as well unless you are confident you know what it deals with).

5 -- it is a good practice to reboot afterwards, even if not prompted.

===============

Since this is specifically an IE problem, it might be a good idea to have a look for Browser Helper Objects using BHO COP...

http://www.pcmag.com/article2/0,4149,2023,00.asp
ronhum
Member with 227 posts.
THREAD STARTER
 
Join Date: Sep 2002
Location: Texas
08-Sep-2002, 05:30 PM #3
Ghost bot still here.
Well the spy bot program unfortunately did not remove the problem, and I still have the ghost typing in IE.

But thanks for the suggestion.

I am going to contact Microsoft, and will let you know of the results.

Meanwhile, we will use Netscape on this computer until fixed.

Thanks. R.H.
ronhum
Member with 227 posts.
THREAD STARTER
 
Join Date: Sep 2002
Location: Texas
08-Sep-2002, 06:30 PM #4
Ghost virus
Never mind, Microsoft won't give me support because the computer was bought from Dell. Grrrrrr.

I doubt anyone there will know. We will see.
Rollin' Rog
Member with 45,855 posts.
 
Join Date: Dec 2000
Location: North of Hollywoodland
Experience: I know when to fold em'
08-Sep-2002, 06:40 PM #5
Microsoft would only have told you to remove and reinstall or update anyway.

Did you try BHO COP? It should detect any integrated toolbars. As far as I know there are only 4 or 5 default ones on your View > Toolbars tab.

Another way to identify any residual stuff in the registry location for these is to run regedit and navigate to

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions

You can right click on and delete everything in the Extensions folder which would be empty in a fresh install.

Also this site contains two very useful programs: Startuplist and Hijackthis:

http://www.geocities.com/merijn_bellekom/new/files.html

We can interpret the Startuplist for you if you copy/paste the results here. I think Hijack this is a little like BHO COP, but covers search and homepage entries as well; I haven't had much experience with it yet.
ronhum
Member with 227 posts.
THREAD STARTER
 
Join Date: Sep 2002
Location: Texas
09-Sep-2002, 08:57 PM #6
Still problems, here's startup
I ran BHO Cop, and it showed only entries that seemed to be from Adobe Acrobat 5, and Norton Anti Virus.

I looked at the HKEY extensions in software under IE and only found entries for Netphone2, Realplayer, Instant Messenger, Yahoo messenger, and MS Messenger. So didn't see problem there.

I ran Hijack, and it found some entries which it said were not in Windows install and might affect IE. However, I ran the fix on these files, and did not help.

The following is what I found running Startup List: If you see anything here let me know. I could not find.

It again seems to be only IE that is affected, not Netscape, etc. It types little dots, and then random words.

Any other ideas appreciated. Thanks

StartupList report, 9/9/2002, 8:52:43 PM
Detected: Windows XP (WinNT 5.01.2600)
* Using default options
==================================================

Running processes:

C:\WINNT\system32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Runservice.exe
?:\?\Navapsvc.exe
C:\WINNT\system32\NMSSvc.Exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\PROMon.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
?:\?\Navapw32.exe
C:\WINNT\system32\LVComS.exe
?:\?\hpgs2wnd.exe
C:\Program Files\kazaa\kazaa.exe
C:\Program Files\Real\RealPlayer\realplay.exe
?:\?\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
?:\?\hpgs2wnf.exe
C:\WINNT\system32\ctfmon.exe
?:\?\hpobrt07.exe
?:\?\hpoevm07.exe
C:\WINNT\system32\hpoipm07.exe
?:\?\sapisvr.exe
?:\?\hposts07.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Katie\Local Settings\Temp\Temporary Directory 2 for startuplist.zip\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Katie\Start Menu\Programs\Startup]
BHO Cop.lnk = C:\Program Files\BHOCop\BHOCop.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

--------------------------------------------------

Checking Windows NT UserInit/Load:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
Hot Key Kbd 9910 Daemon = SK9910DM.EXE
GWMDMMSG = GWMDMMSG.exe
Keyboard Preload Check = C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
PROMon.exe = PROMon.exe
WINDVDPatch = CTHELPER.EXE
UpdReg = C:\WINNT\UpdReg.EXE
Jet Detection = C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
KaZaA Media Desktop = C:\Program Files\KaZaA\kazaa.exe
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
WinampAgent = "C:\Program Files\Winamp\Winampa.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Yahoo! Pager = C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
ctfmon.exe = C:\WINNT\System32\ctfmon.exe
Mozilla Quick Launch = "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo -aim
AIM = C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell key & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\ssmypics.scr

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon]
Shell = Explorer.exe

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN!
.pif: HIDDEN!
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden

--------------------------------------------------
End of report, 6499 bytes

StartupList version: 1.23.0
Started from: C:\Documents and Settings\Katie\Local Settings\Temp\Temporary Directory 2 for startuplist.zip

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Rollin' Rog
Member with 45,855 posts.
 
Join Date: Dec 2000
Location: North of Hollywoodland
Experience: I know when to fold em'
09-Sep-2002, 09:33 PM #7
I see you have a Kazaa installation there, but not the usual spy and adware that goes with it (Spybot no doubt removed it). Is it still working? I'd really suggest dumping it.

Let's try running msconfig and disabling under the startup tab the following applications to test:

>> GWMDMMSG GWMDMMSG.exe Used with internal modems on Gateway PCs such as the 450SX Notebook. This is the "GTW modem messaging applet" and is not required for the modem to work correctly

>> Share-to-Web Namespace ..... Hpgs2wnd (see http://www.answersthatwork.com/Taskl...tasklist_h.htm)

>> KaZaA Media Desktop (really should be uninstalled)

>> Msmsgs

>> AIM

>> RealTray

>> Winamp agent

>> Upd.reg (sound card registration reminder)

The most likely possibilities would probably be the first or perhaps the second.

If you have any 3rd party Toolbars in the View menu you can try disabling them; you can even try exporting (saving) that registry key (click Registry > Export, name and save it to the desktop) and then deleting the entries in the pane. Then just doubleclick the saved Registry file to add them all back.

Last edited by Rollin' Rog; 09-Sep-2002 at 09:47 PM..
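
Added example, not part of the thread: a short Python sketch that pulls the Run-key autorun entries out of a StartupList report like the one posted above, so each can be reviewed or disabled one at a time, and lists entries whose command has no full path (Windows resolves those through its search path, so it is worth confirming which file actually runs). The section layout is assumed from the report in this thread; the function names are hypothetical.

```python
import re

# Constructed sample: lines copied from the StartupList report posted in this thread.
SAMPLE = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

GWMDMMSG = GWMDMMSG.exe
UpdReg = C:\WINNT\UpdReg.EXE
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
WinampAgent = "C:\Program Files\Winamp\Winampa.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
ctfmon.exe = C:\WINNT\System32\ctfmon.exe
"""

def parse_autoruns(report):
    """Return one dict per 'Name = Command' line, tagged with its registry key."""
    entries, key, in_section = [], None, False
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("Autorun entries from Registry"):
            in_section, key = True, None      # the next non-blank line names the key
        elif set(line) == {"-"}:
            in_section = False                # a row of dashes closes the section
        elif in_section and line:
            if key is None:
                key = line
            elif " = " in line:
                name, command = line.split(" = ", 1)
                entries.append({"key": key, "name": name, "command": command})
    return entries

def executable(command):
    """First token of the command; a quoted path is returned without its quotes."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return m.group(1) or m.group(2)

def unqualified(entries):
    """Names of entries whose executable is not a drive, UNC or %VAR% path."""
    absolute = re.compile(r'^(?:[A-Za-z]:\\|\\\\|%)')
    return [e["name"] for e in entries if not absolute.match(executable(e["command"]))]

if __name__ == "__main__":
    found = parse_autoruns(SAMPLE)
    for e in found:
        print(e["key"].split("\\")[0], e["name"], "->", e["command"])
    print("No full path, locate the file on disk:", unqualified(found))
```
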
justjesse2
Member with 161 posts.
 
Join Date: Jun 2002
Location: midwest
11-Sep-2002, 09:21 PM #8
i don't know if this is out-of-line for me to reply to this thread
i seem to have a lot of trouble running my own pc. i think i know what this ghost writer is.
i have voice activation for media player and i also have dictation activated
if my toolbar is open, it will write in the browser window
it also messes up in chat instant messages
i'm not sure but i think it is speech recognition
please tell me if this was out-of-line
ty
justjesse2
ronhum
Member with 227 posts.
THREAD STARTER
 
Join Date: Sep 2002
Location: Texas
14-Sep-2002, 11:28 AM #9
Thanks.
I think your response is not out of line, and that you may be correct.
I got on my daughter's computer this morning, and I noticed that the problem had seemed to disappear. My son last night had been tinkering with it, and implementing some of the suggestions that had been made.
I also noticed that a little microphone that had been in the toolbar was missing. I also remember a while back her talking to her media player.

I think that you may have hit on the problem! I am going to tinker with it and find out.

Thanks for all help given on this forum!

I have indeed gained a lot of knowledge from this incident!
ronhum
Member with 227 posts.
THREAD STARTER
 
Join Date: Sep 2002
Location: Texas
14-Sep-2002, 11:47 AM #10
That was the ghost!
Almost unbelievably, that was it! The speech recognition was activated. The program was doing an exceedingly poor job of recognizing the speech, but that could have been because it had been set up with daughter's voice.

The ghost voice was my own, and the other folks with me trying to figure it out.

Since I was hit with the weird Xupiter website incident at the same time, I assumed it was some kind of weird trojan or virus.

However, evidently the Xupiter incident, and the voice deal were unrelated and was just coincidence that seemed to appear at same time.

Sometimes the simplest explanations are correct. Thanks!
Rollin' Rog
Member with 45,855 posts.
 
Join Date: Dec 2000
Location: North of Hollywoodland
Experience: I know when to fold em'
14-Sep-2002, 06:10 PM #11
Definitely a big thanks to justjesse2, that was certainly something we've never encountered here.