InetKW message- Do I need to be in safe mode to remove?

Discussion in 'Virus & Other Malware Removal' started by StaceFlorida, Sep 5, 2004.

Thread Status:
Not open for further replies.
  1. StaceFlorida

    StaceFlorida Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    7
    Hello! I was browsing this forum, as well as others, to figure out how to stop the InetKW error (familiar to some of you, I'm thinking- The one where inetkw is telling you that it can't load- "Error loading C:\PROGRA~\INTERN~2\inetkw. The specified module could not be found."). I was deleting a lot of spyware, must have deleted something needed by inetkw, because every 3-5 minutes I've gotten this message.

    I decided to research it, and found out that what I need to do is what is said below:

    Well, I was wondering if you most definitely have to go into safe mode to delete it, or could I just go to the program and delete it now and be okay.

    I just downloaded Hijack This! today, never ran a scan, but if you would like me to post my log I'd be happy to go in and do it. Please let me know what to do if the quote above is wrong.

    I'm fairly new to all this stuff, and I am only 13 (noticed the birthdays today). I feel like a child on here with a whole bunch of you experts! Happy Birthday to everyone, btw!

    This is so helpful! Thank you!!! :)

    Stace
     
  2. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
    Download HijackThis from here. Make a new folder for the program and then open it, click Scan. When it finishes scanning, do not remove anything but instead save the log and copy and paste it here. Someone will then come along and further help you.
     
  3. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, By far the majority of folks on here are not experts!

    Anyway...post the Hijackthis log, but make one just before you post as things can change a lot....

    You should post the log from version 1.98.2, if you do find that you have an older one, get it here:

    http://www.wilderssecurity.com/supportfiles/HijackThis1982.exe

    That is an already unzipped version, be ready to download it to a folder you have created....a good place would be on the desktop HOWEVER>>> you must create a new folder on the desktop, and rename it something creative like HJT, so the backups HJT makes will be stored in that same folder and not strung all over the place...

    Post the entire HJT log, (not the startup) right here as a reply in your thread. Holler if you need any copy/paste directions- doesn't seem that you do.

    [EDIT- got it in late, before I saw reply from Nok1-]
     
  4. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
    What he said. I guess.
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hmmm wasn't meaning you Nok1> talking about the people who post for help...
     
  6. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
    Meh. I'm far from an expert. What do I know? I got involved in this forum after randomly helping some guy with some netbios stuff... Then decided to mess around in security.
     
  7. StaceFlorida

    StaceFlorida Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    7
    Ok. I do have v 1.98.2, and here is my logfile:

    Logfile of HijackThis v1.98.2
    Scan saved at 8:59:19 PM, on 9/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\System32\LXSUPMON.EXE
    C:\WINNT\System32\RUNDLL32.exe
    C:\PROGRA~1\INTERN~2\inetmgr.exe
    C:\Program Files\Lavasoft Ad-aware plus\Ad-watch.exe
    C:\Program Files\Spyware Doctor\spydoctor.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\PROGRA~1\INTERN~2\inetsvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\Program Files\AInstantMessenger\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijack This!\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.snootysims.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAM_2K.exe
    O4 - HKLM\..\Run: [Real Spy Monitor] "C:\Program Files\Real Spy Monitor\winrsm.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
    O4 - HKLM\..\Run: [txocim] C:\WINNT\System32\txocim.exe
    O4 - HKLM\..\Run: [mpuiw] C:\WINNT\System32\mpuiw.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Lavasoft Adwatch] C:\Program Files\Lavasoft Ad-aware plus\Ad-watch.exe /min
    O4 - HKCU\..\Run: [Windows & Internet Cleaner] C:\Program Files\Windows & Internet Cleaner\WICleaner.exe /Startup
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AInstantMessenger\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
    O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/NPC/MaxisHotDateTeleX.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/31db9051c30869595221/netzip/RdxIE601.cab
    O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

    NOTE- sorry for this confusion, but Winlog.exe or anything like that is most likely my father's logger that he uses on my computer and is not a threat.
    Also do not worry about the Maxis things you see. These are part of a game (The Sims) and do not pose any threat to me as far as I know.

    I am going to close the program now, but I will not remove or do anything until further instructions are given :)
     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi!


    O4 - HKLM\..\Run: [Real Spy Monitor] "C:\Program Files\Real Spy Monitor\winrsm.exe"

    OK< this is Dad's monitoring software, so let's NOT remove this, as a matter of fact I will have to ask permission to help further! It's a visible program, so I feel that you are definitely :) NOT being a sneak... :)

    I would need you to be logged in as an administrator to do the fixing, tho, do you have full rights, as an admin, or are you a limited user?


    Go to Change or Remove Programs , or Add/Remove whichever you have....and uninstall these:

    Virtual Bouncer

    Internet Optimizer

    WebSavings from Rebates, or similar-

    PowerRegScheduler---don't expect it to show in list.

    These uninstallers do not do very much, but we have you try them first...in some cases.

    I will be right back with a list of things to fix.
     
  9. StaceFlorida

    StaceFlorida Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    7
    Okay! Yes, I am an admin on my computer, so I can do all the fixing.

    It says for Internet Optimizer that it is already uninstalled, so am I okay to remove it from the add/remove programs list? I think I remember deleting it via SpyDoctor.

    Do you want me to reboot after each uninstallation?
     
  10. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, If you have time tonight- update AVG, SpyBot, and AdAware as well as SpyDoctor or any others that have updates....

    I haven't heard back yet about helping with your log...and I apologize, just that we have some rules to go by!


    Just caught your last post, it's very OK to remove from the list (Add/Remove) No need to reboot unless prompted to by Windows.
     
  11. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    BM, I answered your PM, sorry for the delay, was out for dinner.
     
  12. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, ((Thanks AcaCandy! message received))

    Have an OK to proceed. I have also figured that you (DaD maybe) must have AdAware and/or all the rest of the antispyware proggies configured to not detect the Real Spy> is that right? That is good, since then it may not even find any parts of the monitor... :cool:

    If they don't find it at all, then it's a good program...
    it will be up to you though that if any part of it is detected, to not include it in the removal with any of your programs.

    I like to do the actual removals in Safe Mode:

    You can get to Safe Mode by tapping the F8 key several times just as the pc starts up....it may take more than one try> when you get the Startup menu open, select Safe Mode by arrowing down, and press Enter.

    From Safe Mode:

    Open Windows Explorer, and

    Run Task Manager by pressing CTRL+ALT+DEL together, once only, when window comes up, need you to End Process on just these two, be careful of how they are spelled:

    inetmgr.exe
    inetsvc.exe


    NEXT:

    Run Hijackthis, no browsers open, nothing open except HJT, put a check into boxes next to these, and fix them, after all are checked, don't skip any:

    C:\PROGRA~1\INTERN~2\inetmgr.exe


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - (no file)

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

    O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE

    O4 - HKLM\..\Run: [txocim] C:\WINNT\System32\txocim.exe

    O4 - HKLM\..\Run: [mpuiw] C:\WINNT\System32\mpuiw.exe

    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe

    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe

    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm


    Still in Safe Mode:

    Find these FILES> at the end of the lines, and delete them:

    C:\Program Files\Internet Optimizer\optimize.exe

    C:\Program Files\VBouncer\BundleOuter.EXE

    C:\WINNT\System32\txocim.exe

    C:\WINNT\System32\mpuiw.exe

    C:\PROGRA~1\INTERN~2\inetmgr.exe--it is in Program Files, whichever folder it is in, delete the file.

    C:\Program Files\Web_Rebates\WebRebates0.exe

    C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

    And delete the folders:

    C:\Program Files\Web_Rebates

    C:\Program Files\VBouncer

    C:\Program Files\Internet Optimizer

    NEXT:

    Your temp folder may be under your user name like this:

    C:\WINNT\documents and settings > your username > local settings >
    delete contents of temps, internet temps, cookies and history>> only delete Cookies IF you have a good record of your logins (passwords and user names) at sites you login to> they will require that you login next visit, and you must have your ID and passwords saved somewhere other than in Cookies!!!

    XP will probably not let you delete files newer than yesterday> none of today's> so you can sort them this way:

    Give the above things plenty of time to complete.

    THEN:

    Disabling System Restore does not delete or remove any of your personal data from your computer. The only files removed are those that System Restore created in the _RESTORE folder, the restore points. They will not do you any good as the infections will come back if you ever have to use System Restore. You can turn Restore back on, after we check that all is clean.

    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    Run AdAware and perhaps SpyBot, and let them remove all they find EXCEPT any parts of good old Real Spy Monitor, ask if you need help with any of the items the programs detect. They do make backups, so things can be put back easily, in most cases.

    Reboot again. Post a new Hijack logfile (y)

    You could wait until tomorrow- up to you, I will be here if it's OK. The fixing is not as hard as it may seem, you have probably done more involved things burning CDs.

    Just a step by step process, print things out>

    see the Thread Tools button at top of every page? That will print text version for you, you can of course select the pages you wish to print and not all the way back...
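
An added example, not part of the original thread: a small Python triage script for the HijackThis log format posted above. It flags entries marked "(no file)" (a registry reference whose file is missing from disk) and pulls the file each O4 Run entry actually loads, the "file at the end of the line" that the removal steps refer to. The helper names `parse_log` and `target_file` are hypothetical; the sample entries are copied from the log in this thread.

```python
import re

# Entries copied from the HijackThis v1.98.2 log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [txocim] C:\WINNT\System32\txocim.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [Windows & Internet Cleaner] C:\Program Files\Windows & Internet Cleaner\WICleaner.exe /Startup
O4 - Startup: PowerReg Scheduler.exe
"""

ENTRY = re.compile(r"^([RO]\d+) - (.+)$")                      # "O4 - <body>"
RUN = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")  # Run-key entries
UNQUOTED = re.compile(r"^(.*?\.(?:exe|dll|ocx))(?=[\s,]|$)", re.I)


def target_file(cmd):
    """Return the file an autostart command actually loads, or None."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32"):
        # rundll32 is only the loader; the DLL argument is what runs.
        parts = cmd.split(None, 1)
        return target_file(parts[1]) if len(parts) == 2 else None
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    # Unquoted paths may contain spaces, so cut at the first known extension.
    m = UNQUOTED.match(cmd)
    return m.group(1) if m else None


def parse_log(text):
    """Parse R*/O* entries; skip the header and running-process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        entry = {"code": code, "body": body,
                 "orphaned": body.endswith("(no file)"),
                 "hive": None, "name": None, "file": None}
        run = RUN.match(body) if code == "O4" else None
        if run:
            entry["hive"], entry["name"] = run.group(1), run.group(2)
            entry["file"] = target_file(run.group(3))
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        flag = "ORPHANED" if e["orphaned"] else ""
        print(e["code"], e["name"] or "-", e["file"] or "-", flag)
```

The script only reads a saved log; deciding which entries to fix still needs a human who knows what is installed on the machine, as with the monitoring software in this thread.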
     
  13. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, I forgot to have you get CWShredder!!

    Download it here:

    http://www.lurkhere.com/~nicefiles/

    It's just down the page a bit. You do need to make a new folder, right on desktop is OK, rename the new folder CWS and download to that, run from that. Run it just after you run Hijack this and fix the items in my list above;
    and after you delete files, folders, etc...


    Do not run CWShredder just yet, OK?

    It's automatic, start it up, hit the FIX button, not the scan only, and let it finish and remove files.
    Reboot, post the new log, and I hope you see this
    not that it will do any harm, just that you may have to post a new log again, is all. (y)
     
  14. StaceFlorida

    StaceFlorida Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    7
    Okay. I haven't tried going into safe mode on this computer yet. And I'm doing this all in safemode, correct?

    Yes, as far as I know, Real Spy Monitor is not recognized by my adaware/SpyBot S&D/ SpyDoctor. However I have installed everything but Adaware myself and so far I haven't set any real progs for it to not detect it, it just leaves it alone by itself.

    I already have my System Restore button off. Is this alright? Am I ready to go into safe mode?
     
  15. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi,


    If you have had scans of AdAware and SpyBot etc with no "damage" to the Real Spy, I would say it is OK to go.

    You should first>> Post a brand new HJT log for me to see, then you can do the work.

    The first part of the work is done in Safe Mode. The video looks a lot different in SM but Windows works just the same. No Internet is available and no CD drive works, either.

    Your screen icons and size will be different, but that is how it is. If you find that any windows are too big and you cannot operate the buttons such as OK, Apply, etc we can actually change to Normal, but only if things are way too big in Safe Mode. Usually you can get by OK. Safe Mode screen size is 640x480- and you cannot change it.
     

Short URL to this thread: https://techguy.org/270547
