Unable to remove LEGACY_MPR keys

code64_99 · #1 04-22-2004, 03:44 AM

Dear All,

I think my pc is infected with some kind of worm (probably one of the Agobot starins).

When infected, I have explored.exe or rundil16.exe running.

I killed the process using task manager. Then I searched the h/d for these 2 files and deleted it. The worm also infect C:\WINNT\system32\drivers\etc\hosts.

I ran regedit and removed all keys that contain explored.exe or rundil16.exe.

I did some research on web and understand that I suppose to remove some LEGACY_MPR keys.

I searched and found 3 keys:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\ LEGACY_MPR]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\ LEGACY_MPR\0000]
"Service"="MpR"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Windows Login"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\ LEGACY_MPR]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\ LEGACY_MPR\0000]
"Service"="MpR"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Windows Login"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_MPR]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_MPR\0000]
"Service"="MpR"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Windows Login"

Now, I am not able to remove these keys. It says "cannot delete LEGACY_MPR: error while deleting key".

Then I thought I should do it in Safe mode. Guess what? I cannot delete these keys too.

So, I tried to download Kugle Regediter 3.0 (Shareware with 30 days trial). First I thought I could remove the keys. But, Wwhen I refresh it, everything is still there.

I think because of this, the worm keep coming back
What shall I do?

Appreciate your help!

________________

YF

snowmonkey · #2 04-22-2004, 08:24 AM

instead of doing it manually, why do you let a software do it for you. I have used "Spy Sweeper" 30 days trial version and it works awesome, give it a try :
http://downloads-zdnet.com.com/3000-2144-10200144.html

cheers

P.S; after installing the software, allow the software to update itself.

code64_99 · #3 04-22-2004, 08:40 PM

Quote:

Originally posted by snowmonkey
instead of doing it manually, why do you let a software do it for you. I have used "Spy Sweeper" 30 days trial version and it works awesome, give it a try :
http://downloads-zdnet.com.com/3000-2144-10200144.html

cheers

P.S; after installing the software, allow the software to update itself.

Hi,

Thanks for your suggestion.

I have updated ad-aware and pest patrol installed and I scan it frequently to detect and remove spyware. Unfortunately, the keys cannot be removed by anyone of them. I have Trend antivirus as well, but it can only detect and remove the files I mentioned, not these keys.

cheers!

_______________________

YF

code64_99 · #4 04-23-2004, 02:23 AM

Quote:

Originally posted by snowmonkey
instead of doing it manually, why do you let a software do it for you. I have used "Spy Sweeper" 30 days trial version and it works awesome, give it a try :
http://downloads-zdnet.com.com/3000-2144-10200144.html

cheers

P.S; after installing the software, allow the software to update itself.

Hi snowmonkey,

I have tried spysweeper, but unable to detect / clean these keys.

I would appreciate more suggestions.

Thank you.

______________

YF

Jezmy · #5 03-15-2006, 03:22 PM

Hi there all...

Generally, you will find that LEGACY_ keys in the registry cannot be deleted because the are owned by the system or another account, rather than a user (Administrator, etc).

In order to get rid of them you must grab ownership... or at least permission to edit the key.

Use REGEDIT and navigate to the key you want to get rid of, then Right-click and select "permissions".

If you are SURE you want to get rid of the key, click the "Add" button and enter "Everyone" in the "Select users or groups" box and hit return.

Make sure that "Everyone" is selected in the Permissions window. You should have a set of tick-boxes in the lower pane. Tick the box marked "Allow" on the "Full Control" line. (All the boxes below "allow" automatically set themselves). Click "OK" and you should be back at the "normal" regedit screen.

You should now be able to delete the offending key.

Good luck.

tiertangier · #6 02-10-2007, 01:06 PM

If I may interject. Regedit.exe does not have an option to change permissions (assuming you are using Windows 2000(not sure about XP)). However, Regedt32.exe does have that option. I encountered some difficulty when searching for a particular key (HKLM\system\controlset001\enum\root\legacy_flexne t_licensing_service). You may have to find what you are looking for with Regedit.exe and make note of it. Then navigate to that key in Regedt32.exe. When you find it use the Security menu to find the permissions function. I was able to take ownership of and delete the offending key. Thanks for your help.