BleepingComputer.com: odbc_set


odbc_set Reg entry keeps reappearing

#1 User is offline   _aleph_ 

  • New Member
  • Group: Members
  • Posts: 6
  • Joined: 01-March 10

Posted 01 March 2010 - 02:05 PM

I have a user who keeps getting an odbc_set entry in her registry at
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad.

I've deleted it repeatedly, but something keeps rewriting it. After I delete the entry, she gets one clean boot-up, then she gets 2 odbcmr32.dll related errors at each subsequent reboot until I delete the entry again.

I have looked in Administrative Tools/Data Sources (ODBC), but I'm not sure what I should be seeing/not seeing there, it just looks like some file associations for Excel, SQL, etc.

She isn't running any software that dozens of other of my users aren't running, but she's the only one getting the registry value rewritten. If anybody has a clue, I sure could use some help with this.

Thanks,

_aleph_

#2 User is offline   cryptodan 

  • Bleepin Madman
  • Group: BC Advisor
  • Posts: 18,334
  • Joined: 08-September 08
  • Gender:Male
  • Location:Catonsville, Md

Posted 01 March 2010 - 02:23 PM

Then it's probably needed. What issues are you trying to resolve? If you are getting errors then you need to update Windows or another application.




Mod edit: removed quote of entire previous thread for ease of reading, already read it once.

This post has been edited by boopme: 01 March 2010 - 03:03 PM


My work schedule is as follows: Mon and Tues 1800 to 0600, Friday - Sunday 1800EST to 0600, and Wednesday to Thursday 1800est to 0600. So if I do not respond right away I am at work.
----------------
If I am helping you, then Please Send Me a Message! with your thread link in it. This is only if I haven't replied back to you within 24 to 48 hours.
----------------
My Main Site || My Backup Site || steam://friends/add/cryptodan Add me to your Steam Friends.

#3 User is offline   hamluis 

  • Forum Addict
  • Group: Moderator
  • Posts: 31,433
  • Joined: 03-September 05
  • Gender:Male
  • Location:Killeen, TX

Posted 01 March 2010 - 02:38 PM

I guess that I'd like to know...what the actual error message is.

I guess that I'm also curious what made you focus on registry values?

Louis

#4 User is offline   _aleph_ 

Posted 01 March 2010 - 04:24 PM

I'll have to get the wording of the error msgs tomorrow when I'm on-site. As for looking in the registry, several other computers had a similar value in the HKLM Run key. When I deleted those, the error msgs disappeared and the entry stayed gone. Why did I look in the registry in the first place? It was obvious that some process was trying to run (now that I think about it, I believe one of the errors was that the file is not a valid image file) and the All Users and user profile didn't have anything suspicious in the Startup folder, so I checked the HKLM Run key. When that was deleted but the errors still appeared, I did Google & forum searches for other places in the registry where commands to start programs can be found.
_aleph_

#5 User is offline   _aleph_ 

Posted 01 March 2010 - 04:34 PM

Cryptodan,

Sorry, I scrolled to the bottom and completely missed your reply. I'm just trying to get 2 error messages from popping up every time my user boots-up. She just has to acknowledge them and her system works fine, but it's a bother to her and makes her feel like there's something wrong with her computer. She's a library department manager, so the last thing she needs is an annoyance to start her work day every day.

If you come up with any ideas, speak up!

Thanks,

_aleph_

#6 User is offline   cryptodan 

Posted 01 March 2010 - 04:57 PM

Is the computer fully updated?


#7 User is offline   hamluis 

Posted 01 March 2010 - 05:37 PM

FWIW: I think that a number of "bad image" errors result from malware, IIRC.

Lots of guessing on these, from what I see.

Louis

#8 User is offline   _aleph_ 

Posted 02 March 2010 - 09:31 AM

cryptodan,

Systemwide (library system), a WSUS server does the updates for us. I can't see this being an update issue. That reg value is being rewritten, but since the process can't start, the error msgs pop up. Since she has a roaming profile, she gets the errors on every machine she logs into. I'm beginning to wonder if there is a particular computer in the department that she uses that may actually be trying to run something corrupt or unauthorized from Startup, placing the reg value which copies her profile to the server, from which it propagates to all other machines when she logs in, and makes my life adventurous. Everyone else on the domain enjoys error-free boot-ups. There's something wrong in her profile that I can't identify, and my network admin is loath to delete her profile in AD so that I could delete her local profiles to keep them from overwriting the server copy and then maybe move on with my life. Anybody got any extra straw? I believe I'm grasping at my last piece.

She'll be in around lunchtime (we're in EST) and I'll get the error msgs and any other thing I can stumble upon that might be a clue to this mystery, and I'll post it all here.
_aleph_

#9 User is offline   cryptodan 

Posted 02 March 2010 - 11:24 AM

Delete her profile and have it recreated.


#10 User is offline   _aleph_ 

Posted 22 March 2010 - 01:53 PM

I believe that the IT powers that be are finally ready to recreate her profile on the server so we can delete locally cached copies and get her logging on in a trouble-free fashion again. It seems most likely that this was an infection with Win32/Cemgar. Unfortunately, I found no silver bullet and we have to use the shotgun approach.

Thanks for the help.
_aleph_

#11 User is offline   _aleph_ 

Posted 23 March 2010 - 11:02 AM

HA! I spoke too soon. A co-worker found the silver bullet!

What had to be done was go to each of the affected computers (we have roaming profiles) and do the following:
• Boot into Safe Mode
• Delete C:\WINDOWS\system32\odbcmr32.dll (a hidden file)
• Delete the registry entry called odb_set under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
• Search and delete any registry entry containing the string odbcmr32
• Reboot into normal mode

I hope this info helps future generations...
_aleph_
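
Added example (not part of the original thread, and not code from any poster): a read-only PowerShell audit of the autostart location the procedure in post #11 cleans by hand. It lists each ShellServiceObjectDelayLoad value, resolves its CLSID to the DLL registered under InprocServer32, and flags DLLs that are missing, not validly signed, or that match the `odbcmr32` string from the thread. The function name `Get-SsodlEntry` and the variable names are assumptions of this example; it assumes PowerShell 3.0 or later.

```powershell
# Read-only audit of ShellServiceObjectDelayLoad (SSODL) autostart entries.
# Each value's data is a CLSID; Explorer loads the DLL registered as that
# CLSID's InprocServer32 default value at logon.
$ssodl  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$needle = 'odbcmr32'   # string named in the thread

function Get-SsodlEntry {   # hypothetical helper name, chosen for this example
    $key = Get-Item -LiteralPath $ssodl -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $clsid = [string]$key.GetValue($name)
        $dll = $null
        # Machine-wide COM registration first, then the per-user one
        foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
            $inproc = "$root\CLSID\$clsid\InprocServer32"
            if (Test-Path -LiteralPath $inproc) {
                $dll = [string](Get-Item -LiteralPath $inproc).GetValue('')
                if ($dll) { break }
            }
        }
        # A bare file name is treated as living in System32 (assumption)
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
        $exists = [bool]$dll -and (Test-Path -LiteralPath $dll)
        $sig = 'n/a'
        if ($exists) {
            # Older PowerShell builds can report catalog-signed Windows files
            # as NotSigned, so treat a flag here as a prompt for manual review.
            $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
        }
        [pscustomobject]@{
            ValueName = $name
            Clsid     = $clsid
            Dll       = $dll
            Exists    = $exists
            Signature = $sig
            Suspect   = (-not $exists) -or ($sig -ne 'Valid') -or
                        ("$name $dll" -like "*$needle*")
        }
    }
}

Get-SsodlEntry | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap

# Registry search from the procedure: list keys, value names and data under
# HKLM\SOFTWARE that contain the string, without changing anything.
reg.exe query HKLM\SOFTWARE /f $needle /s
```

An entry whose DLL is missing matches the symptom described in the thread: the value is present, the file cannot be loaded, and an error appears at logon.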

#12 User is offline   hamluis 

Posted 23 March 2010 - 11:37 AM


#13 User is offline   cryptodan 

Posted 23 March 2010 - 12:30 PM

For what it's worth:

Win32/Cemgar

