What is Registry Scanner?

The Malwarebytes research team has determined that Registry Scanner is a fake registry cleaner. These so-called "registry cleaners" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.
More information can be found on our Malwarebytes Labs blog.

How do I know if I am infected with Registry Scanner?

This is how the main screen of the registry cleaning application looks:

main.png

You will find these icons in your taskbar, your Start menu, and on your desktop:

icons.png

And see this warning immediately after install:

warning1.png

and these screens during "operations":

warning5.png

warning6.png

You may see this task in your Task Scheduler:

warning3.png


How did Registry Scanner get on my computer?

These so-called registry cleaners use different methods of getting installed. This particular one was bundled with other software.

How do I remove Registry Scanner?

Our program Malwarebytes can detect and remove this potentially unwanted application.
  • Please download Malwarebytes to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard, or select Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be applied before the scan proceeds.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of Registry Scanner?
  • No, Malwarebytes removes Registry Scanner completely.
  • The shortcut called Registry Scanner on the desktop can be deleted if it belonged to the rogue.
  • This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.
How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this registry cleaner.

As you can see below, the full version of Malwarebytes would have protected you against the Registry Scanner installer. It would have warned you before the application could install itself, giving you the chance to stop it before it was too late.

protection1.png

We also block traffic to their domain.

Technical details for experts

You may see these entries in FRST logs:
 
 (Registry Scanner) C:\Program Files (x86)\Registry Scanner\Registry Scanner\System Ignitor.exe
 C:\Windows\System32\Tasks\Registry Scanner
 C:\Users\Public\Desktop\Registry Scanner.lnk
 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Registry Scanner
 C:\Program Files (x86)\Registry Scanner

Task: {C9828F01-43F1-4FEC-8398-342883F265ED} - System32\Tasks\Registry Scanner => C:\Program Files (x86)\Registry Scanner\Registry Scanner\System Ignitor.exe [2017-04-09] (Registry Scanner)

Alterations made by the installer:

File system details  
---------------------------------------------
    Adds the folder C:\Program Files (x86)\Registry Scanner\Registry Scanner
       Adds the file Error.xml"="4/12/2017 11:36 AM, 211 bytes, A
       Adds the file errordetails.xml"="4/12/2017 11:36 AM, 110682 bytes, A
       Adds the file ExtendedWindowsControls.dll"="8/21/2013 3:06 PM, 8192 bytes, A
       Adds the file helper.exe"="1/23/2017 9:36 PM, 7168 bytes, A
       Adds the file icon.ico"="4/19/2016 4:09 PM, 32038 bytes, A
       Adds the file issues.wav"="4/9/2017 1:28 PM, 242162 bytes, A
       Adds the file locii.txt"="3/16/2017 1:55 PM, 6 bytes, A
       Adds the file log.txt"="4/24/2014 7:25 AM, 3 bytes, A
       Adds the file log.xml"="4/12/2017 11:34 AM, 315 bytes, A
       Adds the file Microsoft.Win32.TaskScheduler.dll"="6/3/2014 1:08 AM, 171008 bytes, A
       Adds the file Newtonsoft.Json.dll"="6/14/2016 12:06 AM, 526336 bytes, A
       Adds the file Sys_auth.xml"="4/12/2017 11:34 AM, 316 bytes, A
       Adds the file System Ignitor.exe"="4/9/2017 1:36 PM, 2105856 bytes, A
       Adds the file System Ignitor.exe.config"="1/28/2017 3:22 PM, 1486 bytes, A
       Adds the file System Ignitor.pdb"="4/9/2017 1:36 PM, 480768 bytes, A
       Adds the file System Ignitor.vshost.exe"="4/9/2017 1:34 PM, 22984 bytes, A
       Adds the file System Ignitor.vshost.exe.config"="1/28/2017 3:22 PM, 1486 bytes, A
       Adds the file System Ignitor.vshost.exe.manifest"="11/18/2016 12:44 PM, 2673 bytes, A
       Adds the file trialerror.xml"="8/5/2014 5:21 AM, 55340 bytes, A
       Adds the file VTRegScan.dll"="4/30/2014 10:37 PM, 82944 bytes, A
       Adds the file WpfAnimatedGif.dll"="8/7/2013 11:30 AM, 28160 bytes, A
    Adds the folder C:\Program Files (x86)\Registry Scanner\Registry Scanner\de
       Adds the file System Ignitor.resources.dll"="4/9/2017 1:36 PM, 13824 bytes, A
    Adds the folder C:\Program Files (x86)\Registry Scanner\Registry Scanner\en
       Adds the file System Ignitor.resources.dll"="4/9/2017 1:36 PM, 12288 bytes, A
    Adds the folder C:\Program Files (x86)\Registry Scanner\Registry Scanner\es
       Adds the file System Ignitor.resources.dll"="4/9/2017 1:36 PM, 13824 bytes, A
    Adds the folder C:\Program Files (x86)\Registry Scanner\Registry Scanner\fr
       Adds the file System Ignitor.resources.dll"="4/9/2017 1:36 PM, 13824 bytes, A
    Adds the folder C:\Program Files (x86)\Registry Scanner\Registry Scanner\ja
       Adds the file System Ignitor.resources.dll"="4/9/2017 1:36 PM, 14848 bytes, A
    Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Registry Scanner
       Adds the file Registry Scanner on the Web.url"="4/12/2017 11:33 AM, 134 bytes, A
       Adds the file Registry Scanner.lnk"="4/12/2017 11:33 AM, 1424 bytes, A
       Adds the file Uninstall Registry Scanner.lnk"="4/12/2017 11:33 AM, 310 bytes, A
    Adds the folder C:\Users\{username}\AppData\LocalLow\Mozilla\Temp-{3037838a-a14a-46f9-821d-9895a7c7705d}
    In the existing folder C:\Users\Public\Desktop
       Adds the file Registry Scanner.lnk"="4/12/2017 11:33 AM, 1406 bytes, A
    In the existing folder C:\Windows\System32\Tasks
       Adds the file Registry Scanner"="4/12/2017 11:34 AM, 3132 bytes, A

Registry details  
------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RegistryScanner\Scanner]
       "InstallPath"="REG_SZ", "C:\Program Files (x86)\Registry Scanner\Registry Scanner"
       "Track"="REG_SZ", "01"
    [HKEY_CURRENT_USER\Software\RegistryScanner\Scanner]
       "InstallPath"="REG_SZ", "C:\Program Files (x86)\Registry Scanner\Registry Scanner"
       "Track"="REG_SZ", "01"
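
The PowerShell script below is an added example for this guide; it is not Malwarebytes code and was not part of the original post. It ties together the scheduled-task check referred to under "Is there anything else I need to do" and the FRST, file-system and registry entries listed above: it reports every indicator still present on the machine and, when run from an elevated prompt with -Remove, deletes them (-WhatIf previews the changes without making them). The task name, paths and registry keys are taken from this page; the -Remove switch, the wildcard used to match the dropped installer, and the fallback to the non-Wow6432Node key on 32-bit Windows are assumptions of this example.

```powershell
# Added example (not part of the original guide): report, and with -Remove clean up,
# the Registry Scanner indicators listed in the FRST entries and installer log above.
# Task name, file paths and registry keys come from this page; the function of the
# -Remove switch, the installer wildcard and the 32-bit key fallback are assumptions.
# Run from an elevated PowerShell prompt; -WhatIf previews the removals.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$taskName = 'Registry Scanner'
$taskFile = Join-Path $env:SystemRoot 'System32\Tasks\Registry Scanner'

# The 32-bit program installs under Program Files (x86) on x64 Windows, Program Files on x86.
$progFiles = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$paths = @(
    (Join-Path $progFiles 'Registry Scanner'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Registry Scanner'),
    (Join-Path $env:PUBLIC 'Desktop\Registry Scanner.lnk')
)
# The installer was logged as REGISTRY-SCANNER-01236541_SILENT.EXE on the user's desktop;
# the digits are assumed to vary between samples, so match the pattern, not the one name.
$installerGlob = Join-Path $env:USERPROFILE 'Desktop\Registry-Scanner-*_silent.exe'

# Vendor keys holding InstallPath/Track under RegistryScanner\Scanner. Wow6432Node is where
# the 32-bit installer writes on x64; the plain path is assumed for 32-bit Windows.
$regKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\RegistryScanner',
    'HKLM:\SOFTWARE\RegistryScanner',
    'HKCU:\Software\RegistryScanner'
)

$found = New-Object System.Collections.Generic.List[string]

# 1. Persistence: the scheduled task that relaunches System Ignitor.exe.
if (Test-Path -LiteralPath $taskFile) {
    $found.Add("Scheduled task: $taskName")
    if ($Remove -and $PSCmdlet.ShouldProcess($taskName, 'Delete scheduled task')) {
        # schtasks.exe is used because the ScheduledTasks module does not exist on Windows 7.
        schtasks.exe /Delete /TN $taskName /F | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "schtasks returned $LASTEXITCODE for '$taskName'" }
    }
}

# 2. Running instance: stop it first, otherwise deleting its folder fails on the locked exe.
$proc = Get-Process -Name 'System Ignitor' -ErrorAction SilentlyContinue
if ($proc) {
    $ids = ($proc | ForEach-Object { $_.Id }) -join ', '
    $found.Add("Process: System Ignitor.exe (PID $ids)")
    if ($Remove -and $PSCmdlet.ShouldProcess('System Ignitor.exe', 'Stop process')) {
        $proc | Stop-Process -Force
    }
}

# 3. Program folder, Start menu folder, public desktop shortcut and the dropped installer.
$fileHits = @($paths | Where-Object { Test-Path -LiteralPath $_ }) +
            @(Get-ChildItem -Path $installerGlob -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })
foreach ($p in $fileHits) {
    $found.Add("File: $p")
    if ($Remove -and $PSCmdlet.ShouldProcess($p, 'Remove')) {
        Remove-Item -LiteralPath $p -Recurse -Force
    }
}

# 4. Registry keys left by the installer.
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) {
        $found.Add("Registry: $k")
        if ($Remove -and $PSCmdlet.ShouldProcess($k, 'Remove key')) {
            Remove-Item -LiteralPath $k -Recurse -Force
        }
    }
}

if ($found.Count -eq 0) {
    Write-Output 'No Registry Scanner indicators found.'
} else {
    $suffix = if ($Remove) { ', removed where possible' } else { '' }
    Write-Output ("Found {0} indicator(s){1}:" -f $found.Count, $suffix)
    $found | ForEach-Object { Write-Output "  $_" }
}
```

Run it once without -Remove to see what is still present, then with -Remove (or -Remove -WhatIf to preview). Stopping System Ignitor.exe before deleting its folder matters: the Malwarebytes log below shows nearly every item as Delete-on-Reboot, which is the usual outcome when the files are still in use at removal time.
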
Malwarebytes log:
 
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/12/17
Scan Time: 11:52 AM
Logfile: mbamSystemIgnitor.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.96
Update Package Version: 1.0.1712
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 326426
Time Elapsed: 1 min, 30 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
Rogue.RegistryScanner, C:\PROGRAM FILES (X86)\REGISTRY SCANNER\REGISTRY SCANNER\SYSTEM IGNITOR.EXE, Quarantined, [8937], [384993],1.0.1712

Module: 1
Rogue.RegistryScanner, C:\PROGRAM FILES (X86)\REGISTRY SCANNER\REGISTRY SCANNER\SYSTEM IGNITOR.EXE, Quarantined, [8937], [384993],1.0.1712

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 8
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\de, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\en, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\es, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\fr, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\ja, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\PROGRAM FILES (X86)\REGISTRY SCANNER, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\REGISTRY SCANNER, Delete-on-Reboot, [8937], [385007],1.0.1712

File: 30
Rogue.RegistryScanner, C:\PROGRAM FILES (X86)\REGISTRY SCANNER\REGISTRY SCANNER\SYSTEM IGNITOR.EXE, Delete-on-Reboot, [8937], [384993],1.0.1712
Rogue.RegistryScanner, C:\USERS\{username}\DESKTOP\REGISTRY-SCANNER-01236541_SILENT.EXE, Delete-on-Reboot, [8937], [384992],1.0.1712
Rogue.RegistryScanner, C:\PROGRAM FILES (X86)\REGISTRY SCANNER\REGISTRY SCANNER\SYSTEM IGNITOR.EXE.CONFIG, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\de\System Ignitor.resources.dll, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\en\System Ignitor.resources.dll, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\es\System Ignitor.resources.dll, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\fr\System Ignitor.resources.dll, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\ja\System Ignitor.resources.dll, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\System Ignitor.pdb, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\Error.xml, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\errordetails.xml, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\ExtendedWindowsControls.dll, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\helper.exe, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\icon.ico, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\issues.wav, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\locii.txt, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\log.txt, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\log.xml, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\Microsoft.Win32.TaskScheduler.dll, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\Newtonsoft.Json.dll, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\System Ignitor.vshost.exe, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\System Ignitor.vshost.exe.config, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\System Ignitor.vshost.exe.manifest, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\Sys_auth.xml, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\trialerror.xml, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\VTRegScan.dll, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\Program Files (x86)\Registry Scanner\Registry Scanner\WpfAnimatedGif.dll, Delete-on-Reboot, [8937], [385010],1.0.1712
Rogue.RegistryScanner, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\REGISTRY SCANNER\REGISTRY SCANNER ON THE WEB.URL, Delete-on-Reboot, [8937], [385007],1.0.1712
Rogue.RegistryScanner, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Registry Scanner\Registry Scanner.lnk, Delete-on-Reboot, [8937], [385007],1.0.1712
Rogue.RegistryScanner, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Registry Scanner\Uninstall Registry Scanner.lnk, Delete-on-Reboot, [8937], [385007],1.0.1712

Physical Sector: 0
(No malicious items detected)


(end)
As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We protect your computer(s) in several ways:
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.