Windows 7 Forums

Windows 7: What is the strange registry entry and how can I delete it?

24 Oct 2011   #1
bbinnard

Win7-64

What is the strange registry entry and how can I delete it?

I have the following registry key that appears to do nothing but keeps re-creating itself:

HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon

This key contains a Shell value that points to an empty directory on my system:

C:\Users\Birk\AppData\Local\bc53345c\X

If I delete this value it immediately gets recreated. If I use Autoruns to disable it, it still gets recreated. The specified folder in AppData\Local does not exist. I did a registry search for bc53345c and could not find any other instances of it, so how is it getting recreated?

I am reluctant to delete the Winlogon key because I don't know how critical it is.



24 Oct 2011   #2
murmatron

Windows 7 Pro x86


You have some variant of a ZeroAccess rootkit on your machine.

You need this...

Anti-rootkit utility TDSSKiller
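
The persistence described above is a Winlogon Shell value living under HKCU and pointing into AppData\Local. The following PowerShell audit is an added example, not code from this thread or from any of the tools mentioned: it reads the Shell and Userinit values in both hives, compares them against the Windows 7 defaults, and flags values that do not exist on a clean system, point into user-writable folders, or name a file that is not there. The function name Test-WinlogonValue and the list of user-writable paths are my own assumptions.

```powershell
# Added example, not code from the thread: audit the Winlogon Shell and Userinit
# values in both hives and flag anything that differs from the Windows 7 defaults.
# Read-only: it reports findings, it does not change the registry.
# Run from an elevated prompt so HKLM is readable; HKCU covers the current user only.

$winlogon = 'Microsoft\Windows NT\CurrentVersion\Winlogon'
$checks = @(
    @{ Hive = 'HKLM:\SOFTWARE'; Name = 'Shell';    Expected = 'explorer.exe' }
    @{ Hive = 'HKLM:\SOFTWARE'; Name = 'Userinit'; Expected = 'C:\Windows\system32\userinit.exe,' }
    # Per-user Shell/Userinit values do not exist on a clean system, so any value
    # found under HKCU is a finding (this is where the thread's entry lived).
    @{ Hive = 'HKCU:\Software'; Name = 'Shell';    Expected = $null }
    @{ Hive = 'HKCU:\Software'; Name = 'Userinit'; Expected = $null }
)

# Locations a logon shell should never be loaded from: writable without admin rights (assumed list).
$userWritable = '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\'

function Test-WinlogonValue {
    param([hashtable]$Check)
    $path   = Join-Path $Check.Hive $winlogon
    $props  = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $actual = if ($props -and $props.PSObject.Properties[$Check.Name]) { $props.($Check.Name) } else { $null }

    $reasons = @()
    if ($actual -ne $Check.Expected) { $reasons += "differs from default '$($Check.Expected)'" }
    if ($actual -and $actual -match $userWritable) { $reasons += 'points into a user-writable location' }
    if ($actual) {
        # Userinit is a comma-separated list and entries may be quoted; test each token on disk.
        foreach ($token in ($actual -split ',') | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }) {
            $resolved = if ([IO.Path]::IsPathRooted($token)) { $token } else { Join-Path $env:SystemRoot $token }
            if (-not (Test-Path -LiteralPath $resolved)) { $reasons += "target '$token' does not exist" }
        }
    }
    [pscustomobject]@{
        Key        = $path
        Value      = $Check.Name
        Data       = $actual
        Suspicious = $reasons.Count -gt 0
        Reason     = ($reasons -join '; ')
    }
}

$findings = $checks | ForEach-Object { Test-WinlogonValue $_ }
$findings | Format-Table -AutoSize

# A value that comes back after deletion (as in the thread) is being rewritten by a
# running process or driver; the audit identifies the value, the rootkit tool removes the writer.
```
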
24 Oct 2011   #3
bbinnard

Win7-64


Thanks Murmatron - tried that but it found nothing. I'll check out a couple of other rootkit killers and see if they find something.


24 Oct 2011   #4
bbinnard

Win7-64


I tried a couple of other rootkit killers. My system is Win7-64 so several of them did not run. But ComboFix did run and found the problem... and fixed it.

Running ComboFix is a bit odd... it puts up a DOS-like window while it runs more than 50 separate checks. Then it reboots and puts up another DOS window that says "wait until the report is produced." The report shows all sorts of odd things, including files that ComboFix deletes, some of which it apparently puts back (like MSCONFIG.EXE).

After that I did a manual reboot and things appear to be OK now.

I also ran Stinger after completing ComboFix and it reported a trojan in the QuickBooks Patch.exe program. I have never run this so I don't know if the Patch program is really bugged or not, but Stinger deleted it anyway.

Thanks for the tip. I hadn't suspected a rootkit.