Invention Grant
US09330260B1 Detecting auto-start malware by checking its aggressive load point behaviors
In force
- Patent Title: Detecting auto-start malware by checking its aggressive load point behaviors
- Application No.: US13951226
- Application Date: 2013-07-25
- Publication No.: US09330260B1
- Publication Date: 2016-05-03
- Inventor: Fanglu Guo
- Applicant: Symantec Corporation
- Agency: Patent Law Works LLP
- Main IPC: H04L29/00
- IPC: H04L29/00 ; G06F21/56

Abstract:
Program behaviors concerning load points are monitored, and a specific program attempting to actively maintain a previously set value of a specific load point is detected. In response, the specific program is adjudicated to be malware, and one or more actions are performed to protect the computer. The monitored behavior can be write operations targeting load points. In this scenario, the behavior indicating that a program is malware can comprise performing a requisite number of write operations to a load point within a requisite time period. The monitored behavior can also be altering load point values, and monitoring the results. The altering of load points can comprise removing values specifying programs to run, and/or changing names of programs. Detecting that a specific altered load point value has been automatically reset within a requisite time period to run the specific program upon start-up indicates that the program is malware.
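The first monitored behavior in the abstract (a requisite number of write operations to one load point within a requisite time period) can be sketched as a sliding-window check over write events. This is an added example, not code from the patent or from Symantec; the thresholds, the event tuple layout, the program names and the sample events are constructed assumptions, as is the choice to count only rewrites of the same value.

```python
from collections import defaultdict, deque

# Assumed thresholds: the abstract only says "requisite number" and
# "requisite time period", so these values are illustrative.
MIN_WRITES = 5
WINDOW_SECONDS = 10.0

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample events: (timestamp_s, program, load_point, value_written)
SAMPLE_EVENTS = (
    # Installer sets an auto-start entry once: normal behavior.
    [(0.0, "setup.exe", RUN_KEY + r"\Updater", r"C:\Program Files\App\upd.exe")]
    # Program rewrites the same value every 2 s to keep it in place.
    + [(1.0 + 2 * i, "persist.exe", RUN_KEY + r"\Helper", r"C:\Users\a\p.exe")
       for i in range(6)]
    # Program rewrites its entry once a minute: repeated, but not aggressive.
    + [(60.0 * i, "sync.exe", RUN_KEY + r"\Sync", r"C:\Tools\sync.exe")
       for i in range(5)]
)


def find_aggressive_writers(events, min_writes=MIN_WRITES, window=WINDOW_SECONDS):
    """Return {(program, load_point): time_of_first_detection}.

    A program is flagged when it writes the same value to the same load
    point at least `min_writes` times within `window` seconds.
    """
    recent = defaultdict(deque)   # (program, load_point, value) -> timestamps
    flagged = {}
    for ts, program, load_point, value in sorted(events):
        stamps = recent[(program, load_point, value)]
        stamps.append(ts)
        # Drop writes that have fallen out of the time window.
        while ts - stamps[0] > window:
            stamps.popleft()
        if len(stamps) >= min_writes:
            flagged.setdefault((program, load_point), ts)
    return flagged


if __name__ == "__main__":
    for (program, load_point), ts in find_aggressive_writers(SAMPLE_EVENTS).items():
        print(f"{program} actively maintains {load_point} (detected at t={ts}s)")
```
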