AVG-6 boot up engine

Discussion in 'Trojan Defence Suite' started by ENT, Jan 29, 2005.

Thread Status:
Not open for further replies.
  1. ENT

    ENT Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    67
    Hi, TDS has shown me that I still have @AVG-6 engine boot. I haven't used AVG for 2 or 3 yrs! I found it in the registry but it's in Legacy, whatever that is, and the registry won't let me delete it. TDS will let me change the file name but I haven't got a clue what to change it to? I need some Geek help? Thanks :) Maybe this isn't the right forum?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi ENT, when you are in regedit and have navigated to the Legacy entry, right-click the entry and select "Permissions". You will see that it is greyed out; click the Allow boxes and Apply. You will now be able to delete the entry.

    Be aware that mucking around in the registry can seriously damage your PC's health, so back up your registry first before making any changes.

    HTH Pilli
     
  3. ENT

    ENT Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    67
    Hi, I tried but I don't have that option in my registry, just delete or rename? Thanks for your help!
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    When you are at the Legacy key, do not open the key; just right-click it and then you will be able to change the permissions, providing you have administrative rights.

    Pilli
     
  5. ENT

    ENT Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    67
    Sheesh! I have AD. rights but it still won't work! Didn't open it either. Something I am missing? Brother....! Do you ever sleep? Thanks again
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Do I ever sleep? Yes, but not for long :)
    Let's see if this will help :) Note the cursor arrow on the legacy_procguard folder: simply right-click the key's folder and select "Permissions". Tick Full Control and Apply. You can then delete the key.

    Screenshot:
     

    Attached Files:

  7. ENT

    ENT Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    67
    Process Guard? ummm I don't have Process Guard anymore. I messed up my computer too much with the settings :) Am I right you think I have Process Guard or do I need to get more sleep? :)
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi ENT, that was just an example :D
     
  9. ENT

    ENT Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    67
    Ohhhhh! :) Hee-Hee.... I understand now.... BUT I still don't have a thingy that says Permissions that I can tick on when I right-click? Wait...Do you mean when I go to Search and find LEGACY to click on Properties and allow permission? If so I did that and I still can't delete? I still get the error in regedit? I know this is probably a real pain for you....
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Could AVG still have parts installed that are being started somehow? If so we move to plan B :)

    Restart your machine into Safe Mode. Here is how, if you do not already know: just before Windows starts to load, i.e. directly after your BIOS loads, press F8 several times. You should see a DOS-like window with several items on it. Select Safe Mode, then try the procedure as stated in previous posts.

    HTH Pilli
     
  11. ENT

    ENT Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    67
    Hi, doesn't work in safe mode either? :-( Error: cannot delete ?
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    OK Ent, We shall have to try another approach, if this does not succeed then you may have to contact Grisoft, I believe they have a forum now.

    Download a good registry cleaner if you do not already have one. Here is a free one I found; I do not know how good it is but you can always ask elsewhere. http://personal.inet.fi/business/toniarts/ecleane.htm#download

    Pilli
     
  13. ENT

    ENT Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    67
    Ok Pilli, I give too! You know Process Guard and Ewido are in there too and I don't have them on my machine either. I just wish I knew why I can't delete ANY of them? Not nice! It's MY MACHINE!!!! :) I have Reg Supreme Pro and CC Cleaner and now Toni Arts and none of them show it except TDS, and it only shows AVG6 starting up. Do you know why those LEGACY files are soooo important that they can't be deleted? I can delete any other files and mess things up, why not them......? :) Thanks For all of your help! I really appreciate it! ENT
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    If you can see them with regedit then they are there :)
    I think the reason that TDS3 sees them is that it watches start keys for changes, which could be due to malware.

    Legacy keys: Are to do with Start up programs I think though I am no expert. :(
    Here is the procedure again taken from MS KB:
    How to delete legacy keys:
    To delete legacy keys will require editing the security permission for the keys. Highlight the specific key and select 'Security | Permissions...' from the menu bar. Set the 'Everyone' group to "Full Control" and click 'OK'.

    Hopefully you will see the "Everyone" icon.

    Here is some more KB information:
    On a computer that runs Windows 2000 and Windows XP
    Windows 2000 and Windows XP have two separate Run policies: the Windows 2000 Run at Startup policy and the Windows 2000 Legacy Run at Startup policy. Windows 2000 Professional, Windows 2000 Server, and Windows XP use these policies. The Windows 2000 and Windows XP Run at Startup policy is similar to the other Windows family of operating systems.

    To modify this list:
    Open the Microsoft Management Console (MMC), and then add the Group Policy snap-in.

    Click Local Computer Policy, click Computer Configuration, and then click Administrative Templates.

    Click the System object, double-click Run these programs at user logon in the list of Local System policies in the right pane, and then click either Enable, Disable, or Not Configure.

    NOTE: In Windows XP, click the System object, click the Logon object, and then double-click Run these programs at user logon.

    To modify the list, you must enable the policy, and then click Show to modify the list of programs to run at Startup. A list of these files can be found in the registry under the following key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    The second Run policy involves legacy programs. Many third-party programs such as RealAudio can be included in this category. These programs use a different registry key to configure the program to run at Startup. This registry key (the same registry key that Windows 95/98 and Windows NT use) is located at:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    -or-

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Programs that are configured to run at Startup from this registry key are considered legacy programs.

    Windows 2000 and Windows XP do not enable you to modify this list directly from the MMC Group Policy snap-in. Windows 2000 and Windows XP only enable you to enable or disable this entire list. To do this, go to the object in the MMC that contains the "Run these programs at user logon" policy. This is explained in the preceding section. Then find the policy called "Disable legacy run list". If you do not want any of your legacy programs to run, you can enable this policy.

    Windows XP Home Edition
    If you only want to modify the list of legacy programs that run at Startup, you must use either Regedit or Regedt32:
    Run Regedit or Regedt32, and then go to one of the following registry keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    -or-

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    If you do not want a program to run at Startup, find that particular program and delete its entry from one of these registry keys.

    You can add entries here as well, but it is recommended that you use the Windows Run at Startup policy to add programs that you want to run at Startup.

    The third-party products discussed in this article are manufactured by vendors independent of Microsoft; we make no warranty, implied or otherwise, regarding these products' performance or reliability.

    REFERENCES
    For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

    Q147381 How to Use System Policies On a Standalone Computer
    Q159936 Using the Windows NT 4.0 or Windows 95 System Policy Editor
    Q179365 INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup
     
  15. ENT

    ENT Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    67
    Hi, I went into the help in regedit and it says I cannot change or delete keys with a predefined value such as ROOT, which is what I am trying to do! I haven't tried to change the DWORD, wonder what would happen if I do that? Maybe I am getting in toooo deep....By the way there was no Permissions icon :) I'm probably just stuck with these entries. I think I quit... :) Thanks for your time and effort! ENT
     
  16. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Ent, I have reached the end of my knowledge regarding this though maybe DCS might know of an answer. :)
     
  17. ENT

    ENT Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    67
    Hi, I've just got the Trial so I don't think I can post on forum, Thanks, ENT
     
  18. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    All that you should need to do is edit the registry using regedt32.exe (C:\WINDOWS\system32\regedt32.exe). Make sure that you have backed up your registry before you do this.

    Start regedt32.exe and locate the KEY that you wish to delete. Right-click on the key and select PERMISSIONS. Highlight the GROUP or User Name that you are using and then put a tick in the FULL CONTROL option box. Then hit APPLY and then OK it. Wait a few seconds and you should now be able to delete it?

    The only other thing I can think of, is that you have some other application that is protecting your registry.

    Anyway, hope that it goes well :).

    Regards,
    Jade.
     
  19. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi ENT,

    If nothing else works, try running regedit via PowerPrompt. Extract powerprompt.exe to C:\WINDOWS\system32. Next go Start/Run, type cmd and press Enter. In the console window that pops up, type powerprompt and press Enter. In the powerprompt console that pops up, type regedit and press Enter. Regedit will start with SYSTEM privileges which should allow you to delete the locked keys. When you are finished, type exit in the powerprompt console and press Enter to shut it down. Hope it works for you. As always, back up your registry first (or at least export the keys so that you can restore them).

    Nick
     

    Attached Files:

    Last edited: Jan 31, 2005
  20. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Nice utility Nick :) Let's hope it helps ENT - Thanks. Pilli
     
  21. ENT

    ENT Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    67
    Hi, I'm getting embarrassed....I tried both and couldn't delete? They said I needed (net Framework) to use that utility so maybe I don't have it? When I tried regedt.exe I couldn't find LEGACY....?:-( I found Outpost & RegRun in there also! Are all of these engines starting up at startup? Thanks, ENT
     
  22. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi ENT,

    PowerPrompt does require the .Net Framework to be installed. You can get it here: .NET Compact Framework 1.0 SP2 Redistributable (Re-release).

    The registry key you are looking for is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root. It contains subkeys named "LEGACY_*" that refer to device drivers (hardware and software) and services that may or may not still be installed. Generally, those references to uninstalled programs are harmless.

    Nick
     

    Attached Files:

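As an added example (not the thread's own code, and unrelated to the PowerPrompt utility above), the following PowerShell script audits the three Run keys quoted from the KB article and the LEGACY_* subkeys of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root for references to programs that are no longer on disk, which is the kind of leftover TDS was flagging. It is read-only and assumes each LEGACY_* key carries a Service value naming its entry under CurrentControlSet\Services, whose ImagePath uses the usual \SystemRoot\ or \??\ prefixes.

```powershell
# Added example (not from the thread): audit the Run keys from the KB excerpt and the
# LEGACY_* keys under Enum\Root for references to programs no longer on disk.
# Read-only: it reports and deletes nothing. Run from an elevated PowerShell.
# Assumption: each LEGACY_* key holds a "Service" value naming its entry under
# HKLM:\SYSTEM\CurrentControlSet\Services, whose ImagePath points at the binary.

function Resolve-ImagePath {
    param([string]$Raw)
    # Drop arguments and quotes, expand %SystemRoot%-style variables, and map the
    # \SystemRoot\ and \??\ prefixes that driver ImagePath values commonly use.
    $p = $Raw.Trim()
    if (-not $p) { return '' }
    if ($p.StartsWith('"')) { $p = $p.Split('"')[1] }
    elseif ($p -match '^(.+?\.(exe|com|bat|dll|sys))(\s|$)') { $p = $Matches[1] }
    else { $p = ($p -split '\s+')[0] }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
    if ($p -notmatch '\\') { $p = Join-Path "$env:SystemRoot\System32" $p }      # bare name
    elseif ($p -notmatch '^([A-Za-z]:\\|\\\\)') { $p = Join-Path $env:SystemRoot $p }  # relative
    return $p
}

function Get-AutostartReport {
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PS* bookkeeping properties; skip them.
        foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $exe = Resolve-ImagePath ([string]$prop.Value)
            $state = if ($exe -and (Test-Path -LiteralPath $exe)) { 'present' } else { 'MISSING' }
            [pscustomobject]@{ Source = $key; Name = $prop.Name; Path = $exe; State = $state }
        }
    }
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
    $legacy = Get-ChildItem -Path $root -ErrorAction SilentlyContinue | Where-Object { $_.PSChildName -like 'LEGACY_*' }
    foreach ($k in $legacy) {
        $svc = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).Service
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $img = if ($svc -and (Test-Path $svcKey)) { (Get-ItemProperty -Path $svcKey).ImagePath } else { $null }
        if (-not $img) { $state = 'ORPHAN' }   # no Services entry: uninstalled driver left behind
        elseif (Test-Path -LiteralPath (Resolve-ImagePath $img)) { $state = 'present' }
        else { $state = 'MISSING' }
        [pscustomobject]@{ Source = $root; Name = $k.PSChildName; Path = $img; State = $state }
    }
}

Get-AutostartReport | Sort-Object State -Descending | Format-Table -AutoSize   # stale entries first
```

ORPHAN and MISSING rows are candidates to review (and export before touching); a present row means the binary still exists and the entry is not merely a leftover.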
  23. ENT

    ENT Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    67
    WOW...I can't get windows installer to work. I went to microsoft's site and tried all of their suggestions and still can't get the installer to work. I really do give up.....:) Thanks for all of your help, ENT
     
  24. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Ent, it sounds as though you need to do a re-install or even a reformat, as the behaviour you describe is definitely not good. You may like to try a repair install before doing a full reformat, but to be sure a reformat would be best.

    Pilli.
     
  25. ENT

    ENT Registered Member

    Joined:
    Jan 4, 2005
    Posts:
    67
    Hi, I totally agree! :) Thanks for your patience and all of your help. ENT
     