Yes, malware writers are very clever. It's getting more common for them to name a malicious file after a valid system file but change the spelling by one letter. That's why exact spelling is very important. Take your example: adaware.exe
is the valid Ad-Aware executable file. (I don't think capitalization matters, but the hyphen does.)
A while back you had to be careful with the printer spooler. spoolsv.exe
is a valid system process. spoolsrv.exe
and some other malware.
Another trick they use is to use a legitimate file name, but put it in a different folder. Two files of the same name are not allowed in a particular folder. Ad-Aware.exe should be in the Program Files folder. Often, instead, you will see a bad file in the system folder. So, for example, the following would be at least suspicious in XP:
To answer your original question--
I take it you're talking about the WinTasks Process Library at www.liutilities.com. And you were looking at this page: http://www.liutilities.com/products/wintas...ibrary/adaware/
Yes, that is a trustworthy source of information. Members of the HJT Team use it often.
Note that it is for processes. BC's startup database--and there are several others out there--is for startups only. IOW, not every process you see in Task Manager is set to start when Windows starts, and many others that do don't show up in msconfig because they don't start from the various run keys of the registry. Startup databases only include info about files known to start from those reg keys.
Another good source of info for all processes (also known as Tasks) is TASK LIST PROGRAMS - AnswersThatWork.com
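
Added example, not part of the original post: a small Python check for the two tricks described above, a file name one character away from a known-good name and a known-good name running from the wrong folder. The baseline table, the `classify` helper and the sample paths (including the `Lavasoft` subfolder) are constructed for illustration.

```python
import ntpath

# Baseline: known-good image name -> folder it must live under (lower case).
# spoolsv.exe in System32 is standard Windows; the Ad-Aware entry follows the
# post ("should be in the Program Files folder"). Assumed, extend per host.
BASELINE = {
    "spoolsv.exe": "c:\\windows\\system32",
    "ad-aware.exe": "c:\\program files",
}

def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path):
    """Return (verdict, matched_baseline_name) for one full image path."""
    path = image_path.lower()  # Windows file names are case-insensitive
    folder, name = ntpath.split(path)
    if name in BASELINE:
        root = BASELINE[name]
        ok = folder == root or folder.startswith(root + "\\")
        return ("ok" if ok else "wrong-folder", name)
    for good in BASELINE:
        # Exactly one inserted, dropped or changed character, e.g. a
        # missing hyphen or an extra letter.
        if edit_distance(name, good) == 1:
            return ("lookalike", good)
    return ("unknown", None)

# Constructed sample process listing (not taken from a real machine).
SAMPLE = [
    r"C:\WINDOWS\system32\spoolsv.exe",
    r"C:\WINDOWS\system32\spoolsrv.exe",
    r"C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe",
    r"C:\WINDOWS\system32\Ad-Aware.exe",
    r"C:\WINDOWS\system32\adaware.exe",
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(classify(p), p)
```

A "lookalike" or "wrong-folder" verdict is a reason to look the file up in a process library, not proof that it is malicious.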