Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Can't Delete Malicious Registry Key and Values

  • Please log in to reply
1 reply to this topic

#1 Hedgehog64


  • Members
  • 1 posts
  • Local time:05:50 AM

Posted 03 December 2017 - 01:20 AM

Toshiba Satellite L15W-B running MS Windows 10 Home Version 10.0.16299 Build 16299


My laptop appears to be affected by malicious registry entry that is not detected by Norton Security, but has been detected and quarantined by Malwarebytes.  However, it keeps coming back.  It has also been detected and removed by Spybot before coming back.  I have tried to delete the entries in regedit, but it won't let me.   When trying, the error message states "Error deleting key"  "Cannot delete ......: Error while deleting key"


Any assistance would be greatly appreciated.  Thank you.


Malwarebytes report:


-Log Details-
Scan Date: 11/30/17
Scan Time: 3:32 AM
Log File: 0aeb7ac2-d5a9-11e7-8617-4cbb586f922f.json
Administrator: Yes
-Software Information-
Components Version: 1.0.236
Update Package Version: 1.0.3377
License: Free
-System Information-
OS: Windows 10 (Build 15063.726)
CPU: x64
File System: NTFS
User: Redacted
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 437076
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 8 min, 23 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 1
PUP.Optional.HomePageHelper, HKU\S-1-5-21-4251988924-370044948-2596866876-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{B84BCC0C-36D6-11E5-8267-4CBB586F922F}, Quarantined, [12572], [239111],1.0.3377
Registry Value: 3
PUP.Optional.HomePageHelper, HKU\S-1-5-21-4251988924-370044948-2596866876-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{B84BCC0C-36D6-11E5-8267-4CBB586F922F}|FAVICONURLFALLBACK, Quarantined, [12572], [239111],1.0.3377
PUP.Optional.HomePageHelper, HKU\S-1-5-21-4251988924-370044948-2596866876-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{B84BCC0C-36D6-11E5-8267-4CBB586F922F}|FAVICONURL, Quarantined, [12572], [239111],1.0.3377
PUP.Optional.HomePageHelper, HKU\S-1-5-21-4251988924-370044948-2596866876-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{B84BCC0C-36D6-11E5-8267-4CBB586F922F}|URL, Quarantined, [12572], [239111],1.0.3377
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 0
(No malicious items detected)
Physical Sector: 0
(No malicious items detected)

BC AdBot (Login to Remove)


#2 Unworn_Kilt


  • Members
  • 237 posts
  • Gender:Male
  • Location:Australia
  • Local time:08:50 PM

Posted 03 December 2017 - 01:29 PM

G'day and Welcome Hedgehog64,



I need to advise you that I am only a Standard Member, like you. I am not a Trained Malware Removal Expert. As such I'm limited in what tools I can use and the advice I can give. If you have any concerns about the advice or information I give, please contact a Moderator before actioning it.



I'm happy to try and help you sort out this issue if you wish?


If so, please continue....




Do Not Enclose Reports In Quotes or Delete or Insert Any Characters - No Redaction!

Please Post All Reports in Plain Text. Ensure You Include All Report Headers.

Please Press the Return Key 3 Times Between Reports.

Don't Attach them either.....Pleeeez!



Please make sure you have Backed Up your Files and Save any Work you have Open before proceeding!

You can find Free Back Up Software in the Bleeping Computer "Downloads" Section.

It's unlikely that anything I ask you to do will wipe your data, but better to be safe than sorry.



Some Tools May Close Down Any Open Windows or Programs, Please Be Aware of This!




Remember that there is no such thing as a "Stupid Question." If you encounter ANY problems or difficulties along the way, STOP and Message Me!!




**Read All Notes Under Individual Instructions BEFORE Running the Tools.**


You might find it useful to print these instructions for reference.





My suggestions:







Download a copy of a program called RKill (Courtesy of Grinler at Bleeping Computer) which is available at the links below:

(This program attempts to stop any running malware processes so other tools may function efficiently, plus a few other things.)


Save it to your Desktop so you can easily locate it.


(If one won't run, download the other. Malware sometimes recognises RKill.exe and tries to interfere with it.)



RKill.exe                              <<== Try this first.


RKill as iExplore.exe         <<== Try this one if option one doesn't work.


  • Right Click RKill and Select "Run As Administrator."
  • Soon after a Black Box will appear while RKill Runs. (This is normal. RKill may appear to hang. It's just working.)
  • When the RKill has finished it will Open a Report in Notepad.
  • RKill will also save a copy of its log to your Desktop called "RKill.log"
  • After RKill has run successfully Don't Restart your computer until the other tool(s) have run.
  • Please Copy and Paste the contents of the Report into your Next Reply.
  • If the RKill will not run in Normal Windows Mode, Restart in Safe Mode and Repeat the above Steps.




Please Ignore any warnings from about RKill containing Viruses or Trojans etc. If necessary, shut down or temporarily disable your Antivirus while RKill runs. Don't forget to Re-enable your Anti-Virus once RKill completes, unless I ask otherwise.


If RKill still won't run, please Post back here and advise me.(After trying both versions and Safe Mode.) Please note any Error messages or other useful information and Include it in your Reply.






Please download Security Check Tool (by screen317) from HERE & save it to your Desktop.



  • Right Click SecurityCheck and Select "Run As Administrator."
  • Follow the Prompts in the Black Box which opens on your screen.
  • When the program is complete a Notepad Document called Checkup.txt should open Automatically in Notepad.
  • Please Copy & Paste the Contents of Checkup.txt into your Next Reply.



Please Note the Following:


If you receive an "UNSUPPORTED OPERATING SYSTEM! ABORTED!," please Restart Windows and Security Check should Run Fine.

Should a problem persist, please Post Back Here and include any Error Messages & Other Useful Information.


Security Check may require you to permit "Dig.exe" to access the internet. Please allow access through your Firewall if necessary.

It is not uncommon for Security Check to generate "false positives" from  some Anti-Virus/Anti-Malware Programs. Please Ignore These if They Occur.






Download Farbar Service Scanner onto your Desktop (FSS:)  HERE



Please Ensure the following Options are Selected:



  • RpcSs and PlugPlay <= (May be greyed out.)
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other Services


(Please Don't Click the "Search Files" or "Export Service Buttons")


  • Click the Scan button to start scanning.


(FSS may take a short while to complete.)



  • When the Scan is Complete, a Report should Pop-Up in Notepad.
  • Please Copy and Paste the Contents into your Next Reply.


*(The Tool will create a log file called FSS.txt in the Folder the Tool is Run from.

That log will be saved. If there are any problems with the Pop-Up one, Copy from FSS.txt.)






Download MiniToolBox(By FARBAR) to your Desktop:  HERE



Right Click the Blue\Black MiniToolBox Icon and Select "Run as Administrator."

(The Tool will show Version: 17-06-2016 in the title bar.)



Select the following Check-boxes:



  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (DO NOT change any settings for this - Only "Problems" should be set by Default.)
  • List Users, Partitions and Memory size
  • List Minidump Files
  • List Restore Points



Click the "Go" Button.



  • A Report should Pop-Up on your Screen in Notepad after a short wait.
  • Please Copy an Paste the Report Contents into your Next Reply.


(If you accidentally "kill" the Notepad Report, all is not lost, it should be saved on your Desktop as MTB.txt)






Download AdwCleaner(from Xplode.)   


From here: AdwCleaner.exe



Save to your Desktop so you can easily locate it.




  • Before Starting Ensure You've Saved Anything You Have Open that you Wish to Keep!!
  • Right Click AdwCleaner.exe & Select "Run As Administrator"
  • Please Click on the Tools Menu. There should be 2 Tabs: Options & Advanced.
  • In Options under Delete, Select Tracing Keys(Usually pre-selected,) and, under RESET select all Options on the Right Hand Side.
  • Do Not select any other Options with Square Boxes.
  • There should be Options for Mode and Debug. You can leave these at their Defaults. Press OK.
  • Next, you should see Two main Buttons, Scan and Logfiles. Please Press Scan.
  • AdwCleaner will Start to Update the Database if required. This may take a little while.
  • The Progress Bar will gradually move to the right as the scan progresses. It can take a while.
  • Next you should receive a Popup Notification advising of the Scan Result.
  • Select any Items AdwCleaner may have found for Deletion, or, Deselect anything you may wish to keep.
  • Under the Popup there will be a Log. Please Copy and Paste the Contents into your next Reply.
  • Next, Click Clean. This will require you to reboot the machine. Please do so.
  • Once the computer has rebooted, a second Log should appear. Please Paste into your Reply as well.



  • If you need to access Logs again, Open the Tool and Click the LogFiles Button. They are stored there.



The Logs can be a tad confusing at first. They all contain a number such as [S0] which is Log One. They are also accompanied by a date to the left side column. The lower the number in the square brackets, the earlier the Log. For example, I may have Logs; AdwCleaner[S0].txt (Earliest) to AdwCleaner[S27].txt (Most Recent.) Double Click a Log to Open it.





Next, as you have Malwarebytes installed on your Machine, please do the following:
Re-run the steps for RKill (Step 1. All Points.)
This is due to the Reboot Required after Running AdwCleaner.
  • Start the Malwarebytes Application.
  • Open the Malwarebytes Dashboard.
  • Ensure that Malwarebytes is Updated to the Most Recent Definitions and Version.(Version Update requires license or Trial.)
Click Settings, then Application:
Enable the Following Options If Not Enabled:
(If you do not have a license or trial activated some options will not be able to be set.)
  • Automatically download and install application updates
  • Notify me when full version updates are available
  • Show Malwarebytes notifications in the Windows System Tray
  • Show Notifications when Real Time Protection settings are turned off
  • Set Manual Scans have high priority
  • Configure Proxy Server if you use one. (If you don't know what this means you likely don't. If in doubt, CHECK!)
Now switch to the Protection Tab and where possible Enable:
(The same license note as above applies here too.)
  • Web Protection
  • Exploit Protection
  • Malware Protection
  • Ransomware Protection
  • Scan for Rootkits.
  • Scan within Archives.
  • Use Signature-Less anomaly detection for increased protection
  • Always detect PUPs
  • Always detect PUMs
  • Automatically check for updates (Select Check every 15 Mins.)
  • Notify if time since last update exceeds 24 hours
  • Start Malwarebytes at Windows Startup
  • Enable Self Protection Module
  • Enable Self Protection Early Start
  • Automatically Quarantine detected Malware
I suggest, when in this situation, using Threat Scan. Select Scans Tab. Select all Drives(C: D: etc.,) and ensure scanning for Rootkits is enabled. (The Rootkit option MAY not be available to you if you haven't activated Trial, or, don't have a license. I don't recall.)
  • If you'd rather not Use Threat Scan, Return to Dashboard and Click Scan Now.
  • Once Scan is complete, please Ensure any Threats found are Selected and Removed.
  • Please obtain a copy of your Scan Report from the Reports section and Paste in to your Next Reply.




Please Download Sophos Virus Removal Tool:  HERE
Please save this to your Desktop.
Right Click the Installer Icon to commence the Installation Process.
  • Click Next
  • Accept the Terms and Conditions if you agree. (If not things sort of grind to a halt for a while :)  You'll need to Post here again.)​
  • Click Next
  • Click Install
  • Click Finish to end the Installation process.
Once the Install is complete you should be the proud "Licensee" of a copy of Sophos Virus Removal Tool, complete with Shiny New Desktop Launch Icon and Start Menu Additions!!
  • Right Click the Sophos VRT Icon and Select "Run as Administrator."
  • The SVRT should now launch and Update.(Make sure you're connected to the 'Net if possible.)
  • The SVRT will announce that it is Up to Date.
  • Click Start Scanning.
  • The SVRT should start scanning accordingly.
  • Allow the scan to complete.
  • Dispose of any located Threats, ensuring that you Copy and Paste the Log File into your Reply.
  • (There probably won't be a report if no threat was found.)
Please Re-Run (Step 1, All Points) for RKill and Paste in the Report with your Reply.
I'll go over the results and get back to you as soon as possible.
If you have not heard back in about 48 hours, please PM me. If I still don't get back to you, PM a Moderator.
Please be aware we may be running on different time zones. I'm GMT+10hrs.
We are volunteers, so please be a little patient.
Cheers for now!
KILT  :thumbup2:

Edited by Unworn_Kilt, 03 December 2017 - 02:24 PM.



I am only a Standard Member,  NOT a Trained Malware Removal Expert. If you have ANY concerns regarding any advice I may give, please contact a Member of Staff before making changes.





** Walk Softly and Carry a Big Stick **




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users