Windows 7 Forums

Windows 7: What is the strange registry entry and how can I delete it?

24 Oct 2011   #1


I have the following registry key that appears to do nothing but keeps re-creating itself:


This key contains a Shell value that points to an empty directory on my system:


If I delete this value it immediately gets recreated. If I use Autoruns to disable it, it still gets recreated. The specified folder in AppData\Local does not exist. I did a registry search for bc53345c and could not find any other instances of it, so how is it getting recreated?

I am reluctant to delete the Winlogon key because I don't know how critical it is.

24 Oct 2011   #2

Windows 7 Pro x86

You have some variant of a ZeroAccess rootkit on your machine.

You need this...

Anti-rootkit utility TDSSKiller
24 Oct 2011   #3


Thanks Murmatron - tried that but it found nothing. I'll check out a couple of other rootkit killers and see if they find something.

24 Oct 2011   #4


I tried a couple of other rootkit killers. My system is Win7-64 so several of them did not run. But ComboFix did run and found the problem... and fixed it.

Running ComboFix is a bit puts up a DOS-like window while it runs more than 50 separate checks. Then it reboots and puts up another DOS window that says "wait until the report is produced." The report shows all sorts of odd things, including files that ComboFix deletes, some of which it apparently puts back (like MSCONFIG.EXE).

After that I did a manual reboot and things appear to be OK now.

I also ran Stinger after completing ComboFix and it reported a trojan in the QuickBooks Patch.exe program. I have never run this so I don't know if the Patch program is really bugged or not, but Stinger deleted it anyway.

Thanks for the tip. I hadn't suspected a rootkit.
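An added example, not part of the thread: a read-only PowerShell audit of the Winlogon `Shell` value, the kind of entry post #1 describes. The key paths and the `explorer.exe` default are the standard Windows locations and are assumptions here, not values taken from the posts; `Test-ShellValue` is a hypothetical helper name.

```powershell
# Added example: read-only audit of Winlogon "Shell" values.
# Key paths below are the standard Windows locations (assumed, not from the thread).
$ExpectedShell = 'explorer.exe'   # default in HKLM; HKCU normally has no Shell value
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-ShellValue {
    param([string]$KeyPath, [string]$Value)
    $reasons = @()
    if (-not $Value) { return $reasons }          # value absent: nothing to flag
    if ($KeyPath -like 'HKCU:*') {
        $reasons += 'per-user Shell override (not present by default)'
    }
    # Shell may hold a comma-separated list, so check each entry on its own
    foreach ($entry in ($Value -split ',')) {
        $cmd = $entry.Trim().Trim('"')
        if (-not $cmd -or $cmd -ieq $ExpectedShell) { continue }
        $reasons += "non-default entry: $cmd"
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
        if ($expanded -match '\\AppData\\|\\Temp\\') {
            $reasons += 'points into a user-writable profile path'
        }
        # Entries with arguments will also land here; review those by hand
        if ([IO.Path]::IsPathRooted($expanded) -and
            -not (Test-Path -LiteralPath $expanded)) {
            $reasons += 'path as written not found on disk'
        }
    }
    return $reasons
}

foreach ($key in $Keys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    $findings = @(Test-ShellValue -KeyPath $key -Value $shell)
    $shown = if ($shell) { $shell } else { '<not set>' }
    if ($findings.Count) {
        Write-Warning "$key Shell = $shown"
        $findings | ForEach-Object { Write-Warning "    $_" }
    } else {
        Write-Output "OK  $key Shell = $shown"
    }
}
```

A flagged value that comes back right after deletion, as in post #1, means something still running is rewriting it, so the audit is a starting point for a full scan, not a fix.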
