
Rundll32 & Dialup Screen errors

Discussion in 'Earlier Versions of Windows' started by pipercub, Jan 2, 2002.

Thread Status:
Not open for further replies.
  1. pipercub

    pipercub Thread Starter

    Joined:
    Dec 22, 2001
    Messages:
    44
    When I start up the computer I get a Rundll32 screen that says "This program has performed an illegal operation and will be shut down." I also get my "Dialup Connection" screen that appears. The last time this happened I was instructed to run Startup from "rmbox" and look for the lines
    "Distributed.netclient"="\"c:\\windows\\system\\dnetc.exe\"-hide" and
    "bymer.scanner"="\"c:\\windows\\system\\dnetc.exe\"-hide".
    I did find the "bymer" line and deleted it but did not find the Distributed.netclient line. I am including my current "Startup" from "rmbox".
    ---------- C:\WINDOWS\desktop\StartUp.txt

    Start-Ups checked at 07-30-2001 8:37:48.98p
    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log for Windows 95/98 - Freeware by rmbox
    __________________________________________________________________________
    __________________________________________________________________________

    Comments:

    This is a log of all the programs on your computer that
    are starting automatically every time you start Windows.
    Using this log can be a quick way to spot trojans.

    StartUp Log (version 1.47) - Release Date 7/22/2001

    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log Index

    1. HKLM Run
    2. HKCU Run
    3. HKLM RunOnce
    4. HKCU RunOnce
    5. HKLM RunServices
    6. HKLM RunServicesOnce
    7. WIN.INI file
    8. SYSTEM.INI file
    9. AUTOEXEC.BAT file
    10. StartUp folder
    11. All Users StartUp
    12. Misc. StartUp Configurations

    __________________________________________________________________________
    __________________________________________________________________________

    The following is a list of your current Start-Ups
    __________________________________________________________________________
    __________________________________________________________________________

    1. HKLM Run - Registry

    [Registry Path]
    "Start-Ups"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
    "SystemTray"="SysTray.Exe"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "CLMFrontPanel"="clmpanel /i"
    "RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
    "POINTER"="point32.exe"
    "Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
    "TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
    "Alogserv"="C:\\Program Files\\McAfee\\McAfee VirusScan\\alogserv.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"


    ==========================================================================
    __________________________________________________________________________

    2. HKCU Run - Registry

    [Registry Path]
    "Start-Ups"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="D:\\PROGRAM FILES\\NETSCAPE\\COMMUNICATOR\\PROGRAM\\AIM\\aim.exe -cnetwait.odl"
    "NIM"="D:\\PROGRAM FILES\\NETSCAPE\\COMMUNICATOR\\PROGRAM\\AIM\\aim.exe -cnetwait.odl"


    ==========================================================================
    __________________________________________________________________________

    3. HKLM RunOnce - Registry

    [Registry Path]
    "Start-Ups"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    4. HKCU RunOnce - Registry

    [Registry Path]
    "Start-Ups"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    5. HKLM RunServices - Registry

    [Registry Path]
    "Start-Ups"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "SchedulingAgent"="C:\\WINDOWS\\SYSTEM\\mstask.exe"
    "McAfeeVirusScanService"="C:\\Program Files\\McAfee\\McAfee VirusScan\\AVSYNMGR.EXE"


    ==========================================================================
    __________________________________________________________________________

    6. HKLM RunServicesOnce - Registry

    [Registry Path]
    "Start-Ups"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


    ==========================================================================
    __________________________________________________________________________

    7. WIN.INI File - (c:\windows\win.ini)

    Your win.ini run/load lines should look like run= and load= exclusively.
    There should be nothing to the right of the equal signs.


    These are the run and load lines in your WIN.INI file

    run=

    load=

    ==========================================================================
    __________________________________________________________________________

    8. SYSTEM.INI File - (c:\windows\system.ini)

    Your system.ini shell line should look like shell=Explorer.exe exclusively.
    You should only see Explorer.exe following the equal sign.


    This is the shell line in your SYSTEM.INI file

    shell=Explorer.exe

    ==========================================================================
    __________________________________________________________________________

    9. AUTOEXEC.BAT File - (c:\autoexec.bat)

    (Some trojans have been known to start from this file)


    These are your program startups and set paths in your autoexec.bat file



    C:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX\scan.exe C:\
    @IF ERRORLEVEL 1 PAUSE

    ==========================================================================
    __________________________________________________________________________

    10. StartUp Folder - (c:\windows\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your StartUp folder

    C:\WINDOWS\Start Menu\Programs\StartUp\InControl Desktop Manager.lnk
    C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
    C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler.exe

    ==========================================================================
    __________________________________________________________________________

    11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your All Users StartUp folder


    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    12. Miscellaneous StartUp Configurations

    -============================-
    Registry StartUp Directories
    -============================-

    Should show the Start Menu StartUp and All Users StartUp directories

    .....................................................................

    "Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"
    (HKCU - Shell Folders)
    .....................................................................

    (HKCU - User Shell Folders)
    .....................................................................

    "Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"
    (HKLM - Shell Folders)
    .....................................................................

    (HKLM - User Shell Folders)
    .....................................................................

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders

    -=======================-
    Registry Shell Spawning
    -=======================-

    Open Commands for Executable File Types

    @="\"%1\" %*"
    (.exe files - RegPath = HKCR\exefile\shell\open\command)

    @="\"%1\" %*"
    (.com files - RegPath = HKCR\comfile\shell\open\command)

    @="\"%1\" /S"
    (.scr files - RegPath = HKCR\scrfile\shell\open\command)

    @="\"%1\" %*"
    (.bat files - RegPath = HKCR\batfile\shell\open\command)

    @="\"%1\" %*"
    (.pif files - RegPath = HKCR\piffile\shell\open\command)

    @="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
    (.hta files - RegPath = HKCR\htafile\shell\open\command)


    -=================-
    DOSSTART.BAT File - (c:\windows\dosstart.bat)
    -=================-


    LH C:\PROGRA~1\MICROS~1\MOUSE\MOUSE.EXE

    ==========================================================================
    __________________________________________________________________________

    - Supplemental Environment Information -

    TMP=C:\WINDOWS\TEMP
    TEMP=C:\WINDOWS\TEMP
    winbootdir=C:\WINDOWS
    PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    COMSPEC=C:\WINDOWS\COMMAND.COM
    windir=C:\WINDOWS

    ==========================================================================
    __________________________________________________________________________

    - End -
    Any info would be appreciated.
    Thanks
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I don't see any evidence of Bymer or dnet there.

    Try running msconfig and unchecking the rundll32 entry for TweakUI and see if the rundll error stops. The only other ones there are for loadpowerprofiles.

    Could the dialup be from RealPlayer or AIM? If that continues, try unchecking AIM and disable the RealPlayer start agent from within RealPlayer's user interface.

    Also I'm not sure of the function of this:

    "CLMFrontPanel"="clmpanel /i"

    It appears to be a modem driver or interface of some kind.
     
  3. pipercub

    pipercub Thread Starter

    Joined:
    Dec 22, 2001
    Messages:
    44
    Hi Rog,

    So this is where you hang out. You helped me with this before on that other list. Unchecking Rundll for TweakUI stopped that screen from appearing. The CLMfrontPanel line is probably from my previous modem. There is an icon in the control panel that says CLM but wouldn't let me uninstall it. I ran "rmbox" again and did not see either of the lines "Distributed" or "Bymer", but in "regedit" when I do "Hkey_Local_Machine-software-microsoft-windows-current version-run" the "bymer" line shows up, and if I right click on "bymer" then delete it, when I turn my machine on and check, the line is back.

    (I like the Polish flag.)
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I don't see Bymer showing up in the Startup log list :rolleyes:

    Do you have an instance of it unchecked in msconfig>startup ?

    If so, there is also an entry in the RUN- folder of the registry. Both need to be removed.

    Anyway, the entry will show a path to the executable. Find the file and rename or delete it. See if you get any error messages when you restart.
     
  5. pipercub

    pipercub Thread Starter

    Joined:
    Dec 22, 2001
    Messages:
    44
    In the Msconfig>startup there is a "bymer" line and it is checked. In "regedit" the "bymer" line only shows up in "run". I am assuming by the executable you are referring to the "Msconfig" startup tab which shows the "bymer" line "C:\windows\system\wininit.exe". Is the "wininit.exe" the file to delete?
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Okedoke, that's it then.

    You want to delete wininit.exe in the SYSTEM directory. There is a valid one in the Windows directory, don't delete that.

    Here's the plan, delete the entry in the registry once more. Then go to start>shutdown, restart in MS-DOS mode. You should be in the Windows directory, so enter:

    cd system

    (now you should be in c:\windows\system\>)

    at the c:\windows\system\> prompt enter:

    del wininit.exe

    exit
    (or ctrl-alt-del to restart)
     
  7. pipercub

    pipercub Thread Starter

    Joined:
    Dec 22, 2001
    Messages:
    44
    Success !!!! Great instructions !

    I guess my only concern is that I had the worm in July and you got rid of it for me then, but McAfee didn't and still doesn't detect it. I'm wondering if I have it on some software that I only occasionally use. Thanks again Rog!
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Good timing, I just checked back in ;)

    Hard to say about it, McAfee may just not be doing a very great job of detecting Bymer. I think it's one of those things that are detected "heuristically" -- by behavior. The dnet client program has legitimate uses, so it can go undetected. Likewise wininit.exe is a legitimate file when it is in the Windows, not windows\system directory.

    Anyway glad all is well for now :)
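
Added example (not part of the original thread and not rmbox's StartUp Log code): a Python version of the check done by eye in this thread, reading Run-style entries in the log's registry-export format and flagging a system file name that runs from the wrong directory. The names `EXPECTED_DIR`, `WATCH_NAMES`, `command_path` and `audit`, and the value name "bymer" in the sample, are assumptions made for the illustration.

```python
import ntpath
import re

# Assumptions for this example: the one location rule the thread states
# (wininit.exe belongs in the Windows directory) and the one executable
# name the thread says to look for.
EXPECTED_DIR = {"wininit.exe": r"c:\windows"}
WATCH_NAMES = {"dnetc.exe"}

# "ValueName"="data" with .reg-style backslash escapes inside the quotes.
ENTRY = re.compile(r'^\s*"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"\s*$')
# Program part: a quoted path, a path ending in an executable extension, or one token.
EXE = re.compile(r'^(?:"([^"]+)"|(.+?\.(?:exe|com|bat|scr|pif))(?=\s|$)|(\S+))', re.I)

def command_path(data):
    """Undo .reg backslash escaping and return the program part of the command."""
    m = EXE.match(re.sub(r"\\(.)", r"\1", data).strip())
    return next(g for g in m.groups() if g) if m else ""

def audit(log_text):
    """Return (value name, path, reason) for each entry worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # section headers, separators and comments
        name, path = m.group(1), command_path(m.group(2))
        base = ntpath.basename(path).lower()
        folder = ntpath.normpath(ntpath.dirname(path)).lower()
        # Bare names (no directory) cannot be located from the log alone, so skip them.
        if base in EXPECTED_DIR and ntpath.dirname(path) and folder != EXPECTED_DIR[base]:
            findings.append((name, path, "system file name in unexpected directory"))
        elif base in WATCH_NAMES:
            findings.append((name, path, "watch-listed executable"))
    return findings

# Constructed sample: two lines from the thread's log, the bymer.scanner line
# quoted in the first post, and a value rebuilt from the msconfig description.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"bymer.scanner"="\"c:\\windows\\system\\dnetc.exe\"-hide"
"bymer"="C:\\windows\\system\\wininit.exe"
'''

if __name__ == "__main__":
    for name, path, reason in audit(SAMPLE):
        print(f"{name}: {path} -> {reason}")
```

A watch-list hit only means the entry needs a manual look, since the thread notes that the dnet client has legitimate uses.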
     
Short URL to this thread: https://techguy.org/63917