INETD.EXE error on boot up and shutting down??

[Ceilidh]

Hi Folks,

I'm getting two error messages on boot up just as my desktop is loading. 1) can't locate INETD.EXE and after closing that message I get this one, 2) INETD.EXE can't be found in the win.ini file locate string or delete this file...Once I've cleared these messages off my computer it either freezes or it goes off. Just goes right to the "its now safe to turn off your computer" than the only way I can get the computer working is to do a scanreg/restore. Now I don't know if this means anything as well but i'm blue screening with the vxd error. If that is important I've saved the full error message. I would be grateful for some feedback and advice on why my computer is having a hissey fit, but please speak slow I'm really blonde

[HKEd]

Hi Ceilidh...welcome to the forum.

It sounds very much like you have the Badtrans worm:
http://www.symantec.com/avcenter/[email protected]

Manual removal will be a little tricky if you're inexperienced. There is a batch file available to automate the deletion of the worm, but it works by creating a wininit.ini file containing NUL= statements to delete the files. If you also have the Bymer worm, or wininit.exe is missing or damaged (a possibility seeing as Windows boots to the shutdown screen, using this method would only complicate things.

If I understand you correctly, you can get to Windows after a scanreg /restore (also very strange if that's the case). If so, download StartLog.com from:
http://home.earthlink.net/~rmbox/Ret...d/Only_IE.html

Save it to the desktop and double-click on it. It will generate a text file called StartLog.txt (you can ignore the StubPath.txt file that is also created). StartLog.txt opens in NotePad. Click on Edit, then Select All. Right-click on any text area and select Copy, then right-click > Paste into your reply here. There'll be helpers here who can analyze the StartLog and advise you what to do (I'll check back later - it's Sunday lunchtime here).

[Ceilidh]

HKED,

Thank you for the info. I'm at work at the moment, yes I have to work Sundays..sheesh. Anyway when I get home tonight I will do as you said. Wish me luck!

Ceilidh

[Ceilidh]

---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 10-08-2001 5:03:50.15p
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.53) - Release Date 8/19/2001

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"AtiCwd32"="Ati2cwad.exe"
"AtiKey"="atiptkad.exe"
"wcmdmgr"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"

*(RegPath not found..)*

==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"TrueVector"="C:\\WINDOWS\\SYSTEM\\ZONELABS\\VSMON.EXE -service"
"MiniLog"="C:\\WINDOWS\\SYSTEM\\ZONELABS\\MINILOG.EXE -service"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=C:\WINDOWS\INETD.EXE

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

SET BLASTER=A220 I5 D1 H1 T4

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder

C:\WINDOWS\All Users\Start Menu\Programs\StartUp\ZoneAlarm.lnk

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-====================-
StubPaths - Registry (Partial Listing)
-====================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"OldStubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"
"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"=""
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

AVINIT.EXE

-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-

SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DFLOW~1.SCR

==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS


==========================================================================
__________________________________________________________________________

- End -

[Ceilidh]

Here is the log from my computer, its all Greek to me. I hope this helps.

Thank you again for all your help

Ceilidh

[Abby]

look at what number 7 says
see the run = Inetd entry? I dont think that's supposed to be there

------------------
"If it ain't broke, work on it til it is"

[Ceilidh]

What should I do?

[Abby]

lol I dont know what you would do BUT I would go to start/run/ type msconfig
and see if inetd had a box beside it in startup
now that's what I would do. Sometimes I do stuff and it doesnt work but I dont think this would hurt anything if you want to try

------------------
"If it ain't broke, work on it til it is"

[Ceilidh]

Yes it does have a box beside it

[Abby]

uncheck it....click the box to make the check go away then click ok or apply whatever it is

------------------
"If it ain't broke, work on it til it is"

[HKEd]

Hi Ceilidh (and Abby)...you could also type sysedit in the Run box. Click on win.ini and edit out C:\WINDOWS\INETD.EXE so that the line looks like:

Run=

That's the way it should look. Save and exit. Reboot and look for Inetd.exe and Hkk32.exe using Find Files. If found, delete them.

This trojan is a password-stealer so it would be prudent to change all passwords ASAP.

I notice you're not running any antivirus software. These days, that's akin to running across a busy street with your eyes closed. AVG is pretty good and it's free. You can download it here:
http://www.grisoft.com/html/us_index.html

Let us know if the startup problem persists.

BTW, I checked that AVINIT.EXE in DOSSTART.BAT. It's a sound driver.

[Ceilidh]

It worked like a charm! I edit the registry and rebooted, no error message and nothing in any of the files. Thank you both for all you're help!

Ceilidh

ps, you're ever in the Maritimes, beers on me!