I have a question about this section in the
How Malware Hides and is installed as a Service tutorial.
At times though, the malware will also install itself under these keys:
as subkeys called LEGACY_svcname. These LEGACY_svcname entries should be deleted as well, but will usually require you to change the permissions on them in order to delete them. Simply change the security permissions on these keys to Everyone (Full) and then delete them.
I went into regedit, and found quite a few LEGACY entries in those areas, e.g. (LEGACY_WEBCLIENT). I hope this isn't a stupid question, but-
Are all entries starting with "LEGACY" malware? That's what it sounds like to me. Just wanted to make sure before I delete anything.
Edited by Anonymous Annie, 29 September 2008 - 11:54 AM.