What is the strange registry entry and how can I delete it?


#1 (Posts: 238, Win7-64)

I have the following registry key that appears to do nothing but keeps re-creating itself:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

This key contains a Shell value that points to an empty directory on my system:

C:\Users\Birk\AppData\Local\bc53345c\X

If I delete this value it immediately gets recreated. If I use Autoruns to disable it, it still gets recreated. The specified folder in AppData\Local does not exist. I did a registry search for bc53345c and could not find any other instances of it, so how is it getting recreated?

I am reluctant to delete the Winlogon key because I don't know how critical it is.
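A quick way to audit the Winlogon persistence points the first post describes (added example, not from any poster): it reads the Shell and Userinit values under both the per-user and machine Winlogon keys, compares them with the stock Windows defaults, and reports whether a non-default value points at something that is not on disk, as in the bc53345c case above. The default strings and the "any per-user Shell is unusual" rule are this example's assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: audit Winlogon Shell/Userinit values for persistence tampering.
$paths = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# Assumed stock defaults on Windows 7. Shell normally exists only under HKLM;
# Userinit normally ends with a trailing comma.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = 'C:\Windows\system32\userinit.exe,'
}

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }
    $props = Get-ItemProperty -Path $p
    foreach ($name in $expected.Keys) {
        $val = $props.$name
        if ($null -eq $val) { continue }   # value absent: nothing to check

        $status = 'OK'
        if ($val -ine $expected[$name]) { $status = 'SUSPICIOUS' }
        # A Shell value under HKCU overrides the shell for this user only;
        # that is rare in a stock install and worth a look even if it says explorer.exe.
        if ($p -like 'HKCU:*' -and $name -eq 'Shell') { $status = 'UNUSUAL' }

        "{0,-10} {1,-8} {2}" -f $status, $name, $p
        "           value: $val"

        if ($status -ne 'OK') {
            # The value may list several comma-separated programs; check each on disk.
            foreach ($token in ($val -split ',')) {
                $t = $token.Trim().Trim('"')
                if ($t -and -not (Test-Path $t)) {
                    "           target missing on disk: $t"
                }
            }
        }
    }
}
```

If a flagged value keeps coming back after deletion, Sysinternals Process Monitor filtered on RegSetValue for that key path shows which process is rewriting it.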


#2 (Posts: 44, Windows 7 Pro x86)

You have some variant of a ZeroAccess rootkit on your machine.

You need this...

Anti-rootkit utility TDSSKiller


#3 (Posts: 238, Win7-64, Thread Starter)

Thanks Murmatron - tried that but it found nothing. I'll check out a couple of other rootkit killers and see if they find something.


#4 (Posts: 238, Win7-64, Thread Starter)

I tried a couple of other rootkit killers. My system is Win7-64 so several of them did not run. But ComboFix did run and found the problem... and fixed it.

Running ComboFix is a bit odd... it puts up a DOS-like window while it runs more than 50 separate checks. Then it reboots and puts up another DOS window that says "wait until the report is produced." The report shows all sorts of odd things, including files that ComboFix deletes, some of which it apparently puts back (like MSCONFIG.EXE).

After that I did a manual reboot and things appear to be OK now.

I also ran Stinger after completing ComboFix and it reported a trojan in the QuickBooks Patch.exe program. I have never run this so I don't know if the Patch program is really bugged or not, but Stinger deleted it anyway.

Thanks for the tip. I hadn't suspected a rootkit.

