
Identifying threats in RegistryProt


tepi
December 8th, 2003, 03:22 AM
Hello All:

At http://www.diamondcs.com.au/index.php?page=regprot
we are shown some screen shots of RegistryProt in action. In the first of these it is shown detecting a nasty which seems to be called uabmruua.exe. Beneath the screen shot we are told: "The above picture is a screenshot of an actual SubSeven infection, as detected by RegistryProt." Forgive my ignorance, but the question that's puzzled me for a long time is - how do we know that uabmruua.exe is a nasty? How do we learn to distinguish between safe and dangerous registry modifications? Is there a list anywhere that we could check modifications against? My apologies in advance if this question has already been treated in another thread, and thanks to everyone for your past help to this newbie.

Regards

LowWaterMark
December 8th, 2003, 05:44 PM
Quoting tepi: "... how do we know that uabmruua.exe is a nasty? How do we learn to distinguish between safe and dangerous registry modifications?"

You may not always be able to without a good deal of research. However, the main use I see for these types of tools is to alert you to the unexpected change.

What I mean is this... RegProt monitors a specific set of startup related run keys. These keys should not normally be changing on your system (at least not frequently) unless you do something to cause a change or the addition of a new startup key.

When you install a new piece of software which has a resident module or something similar, then you'd expect to see an alert from RegProt either at install time or while configuring the product to auto-start at boot. RegProt is a good confirmation tool under these circumstances.

But, if you aren't installing anything or modifying the startup options on your system or in any application, and suddenly you get an alert from RegProt that something has tried to add itself to your startup - that's the time to get on your guard and start doing research. In many cases, this could very well be malware related, so it's good to get suspicious and research it.

There will be some legitimate applications attempting to add keys you really don't want in startup, as well. On my system, Microsoft Word tries to add an auto-upgrade key (wkdetect.exe) every time I start it. I kill it every time with RegProt, but I'm still looking for a way to keep Word from doing it in the first place.

Quoting tepi: "Is there a list anywhere that we could check modifications against? My apologies in advance if this question has already been treated in another thread, and thanks to everyone for your past help to this newbie."

Not really. Though pacs-portal (http://www.pacs-portal.co.uk/startup_pages/startup_full.php) may be a good starting place. If you find the expanded name of the EXE being added, you can then use that to try to get more information on the item. You can in fact find the one I hate, wkdetect.exe, on that page.
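An added example, not code from RegistryProt or from anyone in this thread: a PowerShell script that does the "alert on the unexpected change" job described above by hand. It records a baseline of the Run/RunOnce startup keys and, on later runs, lists every entry that was added, changed or removed, so you know which EXE name to go and research. The baseline file location is an assumption.

```powershell
# Added example (not RegistryProt's code): baseline the startup Run keys that
# tools like RegProt watch, then report any entry that differs from the baseline.
$BaselinePath = "$env:USERPROFILE\run-keys-baseline.json"   # assumed location

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeySnapshot {
    # Returns a hashtable of "key|valueName" -> command line for every startup entry.
    $snap = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
            $snap["$key|$($p.Name)"] = [string]$p.Value
        }
    }
    return $snap
}

$current = Get-RunKeySnapshot

if (-not (Test-Path $BaselinePath)) {
    # First run: record what is there now, once you have reviewed it yourself.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath with $($current.Count) entries."
    return
}

$baseline = @{}
(Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = [string]$_.Value }

# Anything present now but not in the baseline, or pointing at a different command,
# is the unexpected change worth looking up (e.g. the EXE name on pacs-portal).
foreach ($entry in $current.Keys) {
    if (-not $baseline.ContainsKey($entry)) {
        Write-Host "ADDED   $entry => $($current[$entry])"
    } elseif ($baseline[$entry] -ne $current[$entry]) {
        Write-Host "CHANGED $entry => $($current[$entry]) (was $($baseline[$entry]))"
    }
}
foreach ($entry in $baseline.Keys) {
    if (-not $current.ContainsKey($entry)) { Write-Host "REMOVED $entry" }
}
```

Run it once after a clean install to write the baseline, then again whenever you want to check; delete the baseline file to start over after a deliberate change such as installing software that legitimately auto-starts.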

tepi
December 8th, 2003, 10:49 PM
Hello LWM:

Thank you for your very full and informative post, and for the link. All is becoming clearer. I'll head for that link right now.

Regards.