odbc_set


12 replies to this topic

#1 _aleph_

_aleph_

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:31 PM

Posted 01 March 2010 - 02:05 PM

I have a user who keeps getting an odbc_set entry in her registry at
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad.

I've deleted it repeatedly, but something keeps rewriting it. After I delete the entry, she gets one clean boot-up, then she gets 2 odbcmr32.dll related errors at each subsequent reboot until I delete the entry again.

I have looked in Administrative Tools/Data Sources (ODBC), but I'm not sure what I should be seeing/not seeing there, it just looks like some file associations for Excel, SQL, etc.

She isn't running any software that dozens of my other users aren't running, but she's the only one getting the registry value rewritten. If anybody has a clue, I sure could use some help with this.

Thanks,

_aleph_



#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:05:31 PM

Posted 01 March 2010 - 02:23 PM

Then it's probably needed. What issues are you trying to resolve? If you are getting errors then you need to update Windows or another application.




Mod edit: removed quote of entire previous thread for ease of reading, already read it once.

Edited by boopme, 01 March 2010 - 03:03 PM.


#3 hamluis

hamluis

    Moderator


  • Moderator
  • 56,274 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:12:31 PM

Posted 01 March 2010 - 02:38 PM

I guess that I'd like to know...what the actual error message is.

I guess that I'm also curious what made you focus on registry values?

Louis

#4 _aleph_


Posted 01 March 2010 - 04:24 PM

I'll have to get the wording of the error msgs tomorrow when I'm on-site. As for looking in the registry, several other computers had a similar value in the HKLM Run key. When I deleted those, the error msgs disappeared and the entry stayed gone. Why did I look in the registry in the first place? It was obvious that some process was trying to run (now that I think about it, I believe one of the errors was that the file is not a valid image file) and the All Users and user profile didn't have anything suspicious in the Startup folder, so I checked the HKLM Run key. When that was deleted but the errors still appeared, I did Google & forum searches for other places in the registry where commands to start programs can be found.
_aleph_

#5 _aleph_


Posted 01 March 2010 - 04:34 PM

Cryptodan,

Sorry, I scrolled to the bottom and completely missed your reply. I'm just trying to stop 2 error messages from popping up every time my user boots up. She just has to acknowledge them and her system works fine, but it's a bother to her and makes her feel like there's something wrong with her computer. She's a library department manager, so the last thing she needs is an annoyance to start her work day every day.

If you come up with any ideas, speak up!

Thanks,

_aleph_

#6 cryptodan


Posted 01 March 2010 - 04:57 PM

Is the computer fully updated?

#7 hamluis


Posted 01 March 2010 - 05:37 PM

FWIW: I think that a number of "bad image" errors result from malware, IIRC.

Lots of guessing on these, from what I see.

Louis

#8 _aleph_


Posted 02 March 2010 - 09:31 AM

cryptodan,

Systemwide (library system), a WSUS server does the updates for us. I can't see this being an update issue. That reg value is being rewritten, but since the process can't start, the error msgs pop up. Since she has a roaming profile, she gets the errors on every machine she logs into. I'm beginning to wonder if there is a particular computer in the department that she uses that may actually be trying to run something corrupt or unauthorized from Startup, placing the reg value which copies her profile to the server, from which it propagates to all other machines when she logs in, and makes my life adventurous. Everyone else on the domain enjoys error-free boot-ups. There's something wrong in her profile that I can't identify, and my network admin is loath to delete her profile in AD so that I could delete her local profiles to keep them from overwriting the server copy and then maybe move on with my life. Anybody got any extra straw? I believe I'm grasping at my last piece.

She'll be in around lunchtime (we're in EST) and I'll get the error msgs and any other thing I can stumble upon that might be a clue to this mystery, and I'll post it all here.
_aleph_

#9 cryptodan


Posted 02 March 2010 - 11:24 AM

Delete her profile and have it recreated.

#10 _aleph_


Posted 22 March 2010 - 01:53 PM

I believe that the IT powers that be are finally ready to recreate her profile on the server so we can delete locally cached copies and get her logging on in a trouble-free fashion again. It seems most likely that this was an infection with Win32/Cemgar. Unfortunately, I found no silver bullet and we have to use the shotgun approach.

Thanks for the help.
_aleph_

#11 _aleph_


Posted 23 March 2010 - 11:02 AM

HA! I spoke too soon. A co-worker found the silver bullet!

What had to be done was go to each of the affected computers (we have roaming profiles) and do the following:
1. Boot into Safe Mode
2. Delete C:\WINDOWS\system32\odbcmr32.dll (a hidden file)
3. Delete the registry entry called odbc_set under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
4. Search and delete any registry entry containing the string odbcmr32
5. Reboot into normal mode

I hope this info helps future generations...
_aleph_
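
Added example, not part of the original thread or any poster's own script: a read-only PowerShell check for the three artifacts named in post #11, for confirming which machines are affected before cleanup and that they are clean afterwards. Resolving each value's CLSID through HKCR\CLSID\...\InprocServer32 and including HKCU in the string search are assumptions added here; the file path, key and names come from the thread.

```powershell
# Read-only audit for the items listed in the post above; it deletes nothing.
# Run from an elevated prompt (PowerShell 3.0 or later) on each affected machine.
$needle   = 'odbcmr32'
$dllPath  = Join-Path $env:SystemRoot 'system32\odbcmr32.dll'
$ssodlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

# 1. The DLL is hidden, so -Force is needed for Get-Item to return it.
$dll = Get-Item -LiteralPath $dllPath -Force -ErrorAction SilentlyContinue
if ($dll) { "FILE PRESENT: $($dll.FullName) [$($dll.Attributes)] modified $($dll.LastWriteTime)" }
else      { "File not found: $dllPath" }

# 2. Each ShellServiceObjectDelayLoad value holds a CLSID; resolve it to the
#    DLL registered under HKCR\CLSID\<clsid>\InprocServer32.
$ssodl = Get-Item -LiteralPath $ssodlKey -ErrorAction SilentlyContinue
if ($ssodl) {
    foreach ($name in $ssodl.GetValueNames()) {
        $clsid  = [string]$ssodl.GetValue($name)
        $inproc = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $server = if ($inproc) { [string]$inproc.GetValue('') } else { '<CLSID not registered>' }
        $flag   = if ($name -eq 'odbc_set' -or $server -like "*$needle*") { 'REVIEW' } else { 'ok' }
        "{0,-7} {1} = {2} -> {3}" -f $flag, $name, $clsid, $server
    }
}

# 3. Report every key name, value name or value data containing the string.
#    HKCU is the hive of the account running the script (assumption: run it
#    once as the affected user as well, to cover her roaming profile).
Get-ChildItem -Path 'HKLM:\SOFTWARE', 'HKCU:\Software' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        if ($key.Name -like "*$needle*") { [pscustomobject]@{ Key = $key.Name; Value = '<key name>'; Data = '' } }
        foreach ($v in $key.GetValueNames()) {
            $data = [string]$key.GetValue($v)
            if ($v -like "*$needle*" -or $data -like "*$needle*") {
                [pscustomobject]@{ Key = $key.Name; Value = $v; Data = $data }
            }
        }
    } | Format-List
```

The recursive search in step 3 can take several minutes on a large SOFTWARE hive; keys the account cannot open are skipped silently.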

#12 hamluis


Posted 23 March 2010 - 11:37 AM

A little late, http://www.bleepingcomputer.com/startups/o....dll-16814.html.

Louis

#13 cryptodan


Posted 23 March 2010 - 12:30 PM

For what it's worth:

Win32/Cemgar



