Rundll32 & Dialup Screen errors

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

pipercub

Thread Starter
Joined
Dec 22, 2001
Messages
44
When I start up the computer I get a Rundll32 screen that says "This program has performed an illegal operation and will be shut down." I also get my "Dialup Connection" screen that appears. The last time this happened I was instructed to run Startup from "rmbox" and look for the lines
"Distributed.netclient"="\"c:\\windows\\system\\dnetc.exe\"-hide" and
"bymer.scanner"="\"c:\\windows\\system\\dnetc.exe\"-hide".
I did find the "bymer" line and deleted it but did not find the Distributed.netclient line. I am including my current "Startup" from "rmbox".
---------- C:\WINDOWS\desktop\StartUp.txt

Start-Ups checked at 07-30-2001 8:37:48.98p
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.47) - Release Date 7/22/2001

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[Registry Path]
"Start-Ups"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"CLMFrontPanel"="clmpanel /i"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"POINTER"="point32.exe"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"Alogserv"="C:\\Program Files\\McAfee\\McAfee VirusScan\\alogserv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[Registry Path]
"Start-Ups"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"="D:\\PROGRAM FILES\\NETSCAPE\\COMMUNICATOR\\PROGRAM\\AIM\\aim.exe -cnetwait.odl"
"NIM"="D:\\PROGRAM FILES\\NETSCAPE\\COMMUNICATOR\\PROGRAM\\AIM\\aim.exe -cnetwait.odl"


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[Registry Path]
"Start-Ups"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[Registry Path]
"Start-Ups"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[Registry Path]
"Start-Ups"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="C:\\WINDOWS\\SYSTEM\\mstask.exe"
"McAfeeVirusScanService"="C:\\Program Files\\McAfee\\McAfee VirusScan\\AVSYNMGR.EXE"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[Registry Path]
"Start-Ups"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file



C:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX\scan.exe C:\
@IF ERRORLEVEL 1 PAUSE

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\InControl Desktop Manager.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler.exe

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"
(HKCU - Shell Folders)
.....................................................................

(HKCU - User Shell Folders)
.....................................................................

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"
(HKLM - Shell Folders)
.....................................................................

(HKLM - User Shell Folders)
.....................................................................

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe files - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com files - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr files - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat files - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif files - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta files - RegPath = HKCR\htafile\shell\open\command)


-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-


LH C:\PROGRA~1\MICROS~1\MOUSE\MOUSE.EXE

==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS

==========================================================================
__________________________________________________________________________

- End -
Any info would be appreciated.
Thanks
 
Joined
Dec 9, 2000
Messages
45,855
I don't see any evidence of Bymer or dnet there.

Try running msconfig and unchecking the rundll32 entry for TweakUI and see if the rundll error stops. The only other ones there are for loadpowerprofiles.

Could the dialup be from RealPlayer or AIM? If that continues, try unchecking AIM and disable the RealPlayer start agent from within RealPlayer's user interface.

Also I'm not sure of the function of this:

"CLMFrontPanel"="clmpanel /i"

It appears to be a modem driver or interface of some kind.
 

pipercub

Thread Starter
Joined
Dec 22, 2001
Messages
44
Hi Rog,

So this is where you hang out. You helped me with this before on that other list. Unchecking Rundll for TweakUI stopped that screen from appearing. The CLMFrontPanel line is probably from my previous modem. There is an icon in the control panel that says CLM but wouldn't let me uninstall it. I ran "rmbox" again and did not see either of the lines "Distributed" or "Bymer", but in "regedit" when I do "Hkey_Local_Machine-software-microsoft-windows-current version-run" the "bymer" line shows up, and if I right click on "bymer" then delete it, when I turn my machine on and check, the line is back.

(I like the Polish flag.)
 
Joined
Dec 9, 2000
Messages
45,855
I don't see Bymer showing up in the Startup log list :rolleyes:

Do you have an instance of it unchecked in msconfig>startup ?

If so, there is also an entry in the RUN- folder of the registry. Both need to be removed.

Anyway, the entry will show a path to the executable. Find the file and rename or delete it. See if you get any error messages when you restart.
 

pipercub

Thread Starter
Joined
Dec 22, 2001
Messages
44
In the Msconfig>startup there is a "bymer" line and it is checked. In "regedit" the "bymer" line only shows up in "run". I am assuming by the executable you are referring to the "Msconfig" startup tab which shows the "bymer" line "C:\windows\system\wininit.exe". Is the "wininit.exe" the file to delete?
 
Joined
Dec 9, 2000
Messages
45,855
Okedoke, that's it then.

You want to delete wininit.exe in the SYSTEM directory. There is a valid one in the Windows directory, don't delete that.

Here's the plan, delete the entry in the registry once more. Then go to start>shutdown, restart in MS-DOS mode. You should be in the Windows directory, so enter:

cd system

(now you should be in c:\windows\system\>)

at the c:\windows\system\> prompt enter:

del wininit.exe

exit
(or ctrl-alt-del to restart)
 

pipercub

Thread Starter
Joined
Dec 22, 2001
Messages
44
Success !!!! Great instructions !

I guess my only concern is that I had the worm in July and you got rid of it for me then but McAfee didn't and still doesn't detect it. I'm wondering if I have it on some software that I only occasionally use. Thanks again Rog!
 
Joined
Dec 9, 2000
Messages
45,855
Good timing, I just checked back in ;)

Hard to say about it, McAfee may just not be doing a very great job of detecting Bymer. I think it's one of those things that are detected "heuristically" -- by behavior. The dnet client program has legitimate uses, so it can go undetected. Likewise wininit.exe is a legitimate file when it is in the Windows, not windows\system directory.

Anyway glad all is well for now :)
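
The check worked out over this thread, written as an added example (it is not part of the thread or of the rmbox StartUp Log tool): it reads Run-key entries in the log's registry-export format and flags the value names and `dnetc.exe` mentioned above, plus any `wininit.exe` that autostarts from somewhere other than the Windows directory. The sample log, the "Updater" and "WinInit" entries, and the function names are constructed for illustration.

```python
import ntpath
import re

# Indicators named in the thread; the matching rules are this example's own.
SUSPECT_VALUE_NAMES = {"bymer.scanner", "distributed.netclient"}
SUSPECT_BASENAMES = {"dnetc.exe"}
EXPECTED_DIR = {"wininit.exe": r"c:\windows"}  # the valid copy lives here
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

# Constructed sample in the StartUp log's format; "Updater" is a hypothetical renamed entry.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"bymer.scanner"="C:\\WINDOWS\\SYSTEM\\wininit.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Updater"="C:\\WINDOWS\\SYSTEM\\wininit.exe"
"WinInit"="C:\\WINDOWS\\wininit.exe"
'''

def executable_of(command):
    # Program path of a command line: honour a quoted path, else cut after the first .exe etc.
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"^(.*?\.(?:exe|com|bat|pif|scr))(?=\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]

def scan(log_text):
    # Return (value name, executable, reasons) for suspicious entries under Run-family keys.
    findings, key = [], ""
    for line in map(str.strip, log_text.splitlines()):
        m = VALUE_LINE.match(line)
        if line.startswith("["):
            key = line.strip("[]")  # remember which registry key the next values belong to
        elif m and AUTORUN_KEY.search(key):
            name, command = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())  # undo .reg escaping
            exe = ntpath.normcase(executable_of(command))
            base, folder = ntpath.basename(exe), ntpath.dirname(exe)
            checks = [(name.lower() in SUSPECT_VALUE_NAMES, "value name reported in the thread"),
                      (base in SUSPECT_BASENAMES, "dnetc client set to autostart"),
                      (base in EXPECTED_DIR and folder not in ("", EXPECTED_DIR.get(base)),
                       "system filename outside its expected directory")]
            reasons = [why for hit, why in checks if hit]
            if reasons:
                findings.append((name, exe, reasons))
    return findings
```

Calling `scan(SAMPLE_LOG)` reports the "bymer.scanner" and "Updater" entries and leaves the `C:\WINDOWS\wininit.exe` entry alone; the path rule catches the copy in the SYSTEM directory even when the value name has been changed.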
 