Hello.
First, if this group is not the right one, feel free to redirect me to any other group fitting my needs.
My Windows 2000 Adv. Server machine is loading (or may be trying to load) a so-called zphgfue.dll.
I have an entry in the HKLM\...\Run key and another in the HKLM\...\RunOnce key, the last one marked with a "*" (so it loads in safe mode too). The DLL is not present in the machine.
-> "*zphgfue"="rundll32 C:\\WINNT\\system32:zphgfue.dll,Init 1"
The keys can't be deleted, as EXPLORER.EXE automatically re-creates them.
-> regedit.exe:964 DeleteValueKey HKLM\...\*zphgfue
. SUCCESS
-> explorer.exe:1096 SetValue HKLM\...\*zphgfue
. SUCCESS
. "rundll32 C:\WINNT\system32:zphgfue.dll,Init 1
Furthermore, any user has a zphgfue (no extension) file in D&S\user\...\temp. Said file is in use and can't be deleted. Deleting the file in a non-logged user's directory is possible, of course, but the file will be re-created at the next login.
The DLL appears to be accessed at least by mshta.exe and mdm.exe.
-> mshta.exe:1280 OPEN C:\WINNT\system32:zphgfue.dll
. SUCCESS Options: Open Access: Execute
-> mdm.exe:1628 OPEN C:\WINNT\system32:zphgfue.dll
. SUCCESS Options: Open Access: Execute
What is troubling me is:
a) I can't get any reference on the 'net
b) I do not have said DLL, but the logs report the accesses as "SUCCESS".
c) The ":" syntax in the parameters line (...system32:zphgfue.dll,Init 1)
Any insight/info/pointers will be pretty much appreciated.
TIA.
buho.
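
On point (c): in an NTFS path, a second colon after a file or directory name refers to an alternate data stream of that object, so C:\WINNT\system32:zphgfue.dll names a stream attached to the system32 directory itself, which a directory listing does not show as a file. As an added example (not part of the original post), the Python code below flags autostart values written in .reg-export syntax whose command references such a stream; the function name find_stream_references, the SAMPLE text and the ExampleTool entry are constructed for illustration.

```python
import re

# One value line of a .reg export: "name"="data", with \\ and \" escapes.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Drive-letter path followed by a second colon and a stream name.
# Heuristic: an argument such as "12:30" after a path would also match.
ADS_REF = re.compile(r'([A-Za-z]:\\[^:"<>|*?]*):([^\\/:"<>|*?,\s]+)')


def unescape(text):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(.)', r'\1', text)


def find_stream_references(reg_lines):
    """Return one dict per autostart value whose command names a stream."""
    hits = []
    for line in reg_lines.splitlines():
        m = VALUE_LINE.match(line.strip())
        if not m:
            continue  # blank line, section header or non-string value
        name, command = unescape(m.group(1)), unescape(m.group(2))
        ref = ADS_REF.search(command)
        if ref:
            hits.append({
                "value": name,
                "host": ref.group(1),      # object the stream hangs off
                "stream": ref.group(2),    # stream name after the colon
                "safe_mode": name.startswith("*"),  # "*" prefix, per the post
            })
    return hits


# Constructed sample: the first line is the value quoted in the post,
# the second is a made-up ordinary entry for contrast.
SAMPLE = r'''
"*zphgfue"="rundll32 C:\\WINNT\\system32:zphgfue.dll,Init 1"
"ExampleTool"="C:\\WINNT\\system32\\example.exe /start"
'''

if __name__ == "__main__":
    for hit in find_stream_references(SAMPLE):
        print(hit)
```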