InetKW message- Do I need to be in safe mode to remove?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

StaceFlorida

Thread Starter
Joined
Sep 5, 2004
Messages
7
Hello! I was browsing this fourum, as well as others, to figure out how to stop the InetKW error (familiar to some of you, I'm thinking- The one where inetkw is telling you that it can't load- "Error loading C:\PROGRA~\INTERN~2\inetkw. The specified module could not be found."). I was deleting a lot of spyware, must have deleted something needed by inetkw, because every 3-5 minutes I'm gotten this message.

I decided to research it, found out what I need to do what is said below:

The file that looks for inetkw.dll is inetmgr.dll which is located in the c:\windows\system32 folder. Find that file delete it and run hijackthis in safe mode that should clear up the problem.
Well, I was wondering if you most definately have to go into safe mode to delete it, or could I just go to the program and delete it now and be okay.

I just downloaded Hijack This! today, never ran a scan, but if you would like me to post my log I'd be happy to go in and do it. Please let me know what to do if the quote above is wrong.

I'm fairly new to all this stuff, and I am only 13 (noticed the birthdays today. I feel like a child on here with a whole bunch of you experts! Happy Birthday to everyone, btw!)

This is so helpful! Thank you!!! :)

Stace
 
Joined
Feb 15, 2004
Messages
826
Download HijackThis from here. Make a new folder for the program and then open it, click Scan. When it finishes scanning, do no remove anything but instead save the log and copy and paste it here. Someone will then come along and further help you.
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, By far the majority of folks on here are not experts!

Anyway...post the Hijackthis log, but make one just before you post as things can change a lot....

You should post the log from version 1.98.2, if you do find that you have an older one, get it here:

http://www.wilderssecurity.com/supportfiles/HijackThis1982.exe

That is an already unzipped version, be ready to download it to a folder you have created....a good place would be on the desktop HOWEVER>>> you must create a new folder on the desktop, and rename it something creative like HJT, so the backups HJT makes will be stored in that same folder and not strung all over the place...

Post the entire HJT log, (not the startup) right here as a reply in your thread. Holler if you need any copy/paste directions- doesn't seem that you do.

[EDIT- got it in late, before I saw reply from Nok1-]
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hmmm wasn't meaning you Nok1> talking about the people who post for help...
 
Joined
Feb 15, 2004
Messages
826
Meh. I'm far from an expert. What do I know? I got involved in this forum after randomly helping some guy with some netbios stuff... Then decided to mess around in security.
 

StaceFlorida

Thread Starter
Joined
Sep 5, 2004
Messages
7
Ok. I do have v 1.98.2, and here is my logfile:

Logfile of HijackThis v1.98.2
Scan saved at 8:59:19 PM, on 9/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\WINNT\System32\RUNDLL32.exe
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\Program Files\Lavasoft Ad-aware plus\Ad-watch.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\INTERN~2\inetsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\AInstantMessenger\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This!\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.snootysims.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAM_2K.exe
O4 - HKLM\..\Run: [Real Spy Monitor] "C:\Program Files\Real Spy Monitor\winrsm.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [txocim] C:\WINNT\System32\txocim.exe
O4 - HKLM\..\Run: [mpuiw] C:\WINNT\System32\mpuiw.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Lavasoft Adwatch] C:\Program Files\Lavasoft Ad-aware plus\Ad-watch.exe /min
O4 - HKCU\..\Run: [Windows & Internet Cleaner] C:\Program Files\Windows & Internet Cleaner\WICleaner.exe /Startup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AInstantMessenger\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.com/teleport/hotdate/NPC/MaxisHotDateTeleX.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/31db9051c30869595221/netzip/RdxIE601.cab
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

NOTE- sorry for this confusion, but Winlog.exe or anything like that is most likely my father's logger that he uses on my computer and is not a threat.
Also do not worry about the Maxis things you see. This is a part of a game (The Sims) and do not pose any threat to me as I know.

I am going to close the program now, but I will not remove or do anything until further instructons are given :)
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi!


O4 - HKLM\..\Run: [Real Spy Monitor] "C:\Program Files\Real Spy Monitor\winrsm.exe"

OK< this is Dad's monitoring software, so let's NOT remove this, as a matter of fact I will have to ask permission to help further! It's a visible program, so I feel that you are definitely :) NOT being a sneak... :)

I would need you be logged as an administrator to do the fixing, tho, do you have full rights, as an admin, or are you a limited user?


Go to Change or Remove Programs , or Add/Remove whichever you have....and uninstall these:

Virtual Bouncer

Internet Optimizer

WebSavings from Rebates, or similar-

PowerRegScheduler---don't expect it to show in list.

These uninstallers do not do very much, but we have you try them first...in some cases.

I will be right back with a list of things to fix.
 

StaceFlorida

Thread Starter
Joined
Sep 5, 2004
Messages
7
Okay! Yes, I am an admin on my computer, so I can do all the fixing.

It says for internet optimizer that it is already uninstalled, so am I okay to remove it from the add/remove programs list? I think I rmeber deleting it via SpyDoctor.

Do you want me to reboot after each uninstallation?
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, If you have time tonight- update AVG, SpyBot, and AdAware as well as SpyDoctor or any others that have updates....

I haven't heard back yet about helping with your log...and I apologize, just that we have some rules to go by!


Just caught your last post, it's very OK to remove from the list (Add/Remove) No need to reboot unless prompted to by Windows.
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
BM, I answered your PM, sorry for the delay, was out for dinner.
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, ((Thanks AcaCandy! message received))

Have an OK to proceed. I have also figured that you (DaD maybe) must have AdAware and/or all the rest of the antispyware proggies configured to not detect the Real Spy> is that right? That is good, since then it may not even find any parts of the monitor... :cool:

If they don't find it at all, then it's a good program...
it will be up to you though that if any part of it is detected, to not include it in the removal with any of your programs.

I like to do the actual removals in Safe Mode:

You can get to Safe Mode by tapping the F8 key several times just as the pc starts up....it may take more than one try> when you get the Startup menu open, select Safe Mode by arrowing down, and press Enter.

From Safe Mode:

Open Windows Explorer, and

flrman1 said:
Originally Posted by flrman1
Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
Run Task Manager by pressing CTRL+ALT+DEL together, once only, when window comes up, need you to End Process on just these two, be careful of how they are spelled:

inetmgr.exe
inetsvc.exe


NEXT:

Run Hijackthis, no browsers open, nothing open except HJT, put a check into boxes next to these, and fix them, after all are checked, don't skip any:

C:\PROGRA~1\INTERN~2\inetmgr.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE

O4 - HKLM\..\Run: [txocim] C:\WINNT\System32\txocim.exe

O4 - HKLM\..\Run: [mpuiw] C:\WINNT\System32\mpuiw.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe

O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm


Still in Safe Mode:

Find these FILES> at the end of the lines, and delete them:

C:\Program Files\Internet Optimizer\optimize.exe

C:\Program Files\VBouncer\BundleOuter.EXE

C:\WINNT\System32\txocim.exe

C:\WINNT\System32\mpuiw.exe

C:\PROGRA~1\INTERN~2\inetmgr.exe--it is in Program Files, whichever folder it is in, delete the file.

C:\Program Files\Web_Rebates\WebRebates0.exe

C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

And delete the folders:

C:\Program Files\Web_Rebates

C:\Program Files\VBouncer

C:\Program Files\Internet Optimizer

NEXT:

flrman1 said:
Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\administrator\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder
Your temp folder may be under your user name like this:

C:\WINNT\documents and settings > your username > local settings >
delete contents of temps, internet temps, cookies and history>> only delete Cookies IF you have a good record of your logins (passwords and user names) at sites you login to> they will require that you login next visit, and you must have your ID and passwords saved somewhere other than in Cookies!!!

XP will probably not let you delete files newer than yesterday> none of today's> so you can sort them this way:

dvk01 said:
as XP will not let you delete files less than 24 hours old as it thinks it might need them please also do this
while in the temp folder, select view and select details.
then right click a blank part and select arrange icons by, and select show in groups and modified, that will give a list of all files in date order with today at the top of the page.
select all the files/folders except the today ones and delete them all.
Give the above things plenty of time to complete.

THEN:

Disabling System Restore does not delete or remove any of your personal data from your computer. The only files removed are those that System Restore created in the _RESTORE folder, the restore points. They will not do you any good as the infections will come back if you ever have to use System Restore. You can turn Restore back on, after we check that all is clean.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

Run AdAware and perhaps SpyBot, and let them remove all they find EXCEPT good old any parts of::Real Spy Monitor, ask if you need help with any of the items the programs detect. They do make backups, so things can be put back easily, in most cases.

Reboot again. Post a new Hijack logfile (y)

You could wait until tomorrow- up to you, I will be here if it's OK. The fixing is not as hard as it may seem, you have probably done more involved things burning CDs.

Just a step by step process, print things out>

see the Thread Tools button at top of every page? That will print text version for you, you can of course select the pages you wish to print and not all the way back...
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, I forgot to have you get CWShredder!!

Download it here:

http://www.lurkhere.com/~nicefiles/

It's just down the page a bit. You do need to make a new folder, right on desktop is OK, rename the new folder CWS and download to that, run from that. Run it just after you run Hijack this and fix the items in my list above;
and after you delete files, folders, etc...


Do not run CWShredder just yet, OK?

It's automatic, start it up, hit the FIX button, not the scan only, and let it finish and remove files.
Reboot, post the new log, and I hope you see this
not that it will do any harm, just that you may have to post a new log again, is all. (y)
 

StaceFlorida

Thread Starter
Joined
Sep 5, 2004
Messages
7
Okay. I haven't tried going into safe mode on this computer yet. And I'm doing this all in safemode, correct?

Yes, as far as I know, Real Spy Monitor is not recognized by my adaware/SpyBot S&D/ SpyDoctor. However I have installed everything but Adaware myself and so far I haven't set any real progs for it to not detect it, it just leaves it alone by itself.

I already have my System Restore button off. Is this alright? Am I ready to go into safe mode?
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi,


If you have had scans of AdAware and SpyBot etc with no "damage" to the Real Spy, I would say it is OK to go.

You should first>> Post a brand new HJT log for me to see, then you can do the work.

The first part of the work is done in Safe Mode. The video looks a lot different in SM but Windows works just the same. No Internet is available and no CD drive works, either.

Your screen icons and size will be different, but that is how it is. If you find that any windows are too big and you cannot operate the buttons such as OK, Apply, etc we can actually change to Normal, but only if things are way too big in Safe Mode. Usually you can get by OK. Safe Mode screen size is 640x480- and you cannot change it.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top