Regdefend doesn't catch startup regchanges.

Discussion in 'Ghost Security Suite (GSS)' started by ChicknDip, Aug 20, 2007.

Thread Status:
Not open for further replies.
  1. ChicknDip

    ChicknDip Registered Member

    Aug 15, 2007

    I'm trying out RegDefend 2 only to be able to get to know what process constantly adds the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCCrystalCpuInfo" key.

    Deleting the key using regedit correctly asks if I want to remove it, but the problem is, something is recreating this key every time the system starts up, and RegDefend isn't able to catch it.

    Isn't there any option to make RegDefend a service, or at least start it as soon as possible to get to know the process that keeps recreating this key?
    Last edited: Aug 20, 2007
  2. TopperID

    TopperID Registered Member

    Oct 1, 2004
    RD does not start particularly early on my system, and I don't think it can be made to start early enough for your purpose. The only Reg guard I can think of that is both fast and configurable is the one in KAV's PDM; but that won't help if you are not running Kaspersky. ZA Pro is even faster, and may protect the Services sub-Keys, but again you probably wouldn't want to trial it just to find out!

    It is possible you have unseen malware in a temp location recreating the Key each time. You might get more info running a combofix log, but really SuperAntispyware is probably your best bet for a fix and its log may provide the info you require.
  3. f3x

    f3x Registered Member

    Feb 6, 2006
    Montreal, Quebec
    Hi ChicknDip
    The new version of GSS will alert you as soon as winlogon is loaded in memory.
    The protection is active before, but no alert will be visible, due to ... well nowhere to display it ;)

    However in the current release of the alpha you cannot configure RD.
    It should be possible to do it in next release.
    I hope it helps.
  4. CCon

    CCon Guest


    Hi ChicknDip,

    Your service entry is made by the little program "Core Temp.exe". If you activate it by automation, then "Core Temp.exe" will also recreate the entry.

    Greetings from DE
