Jump to content

Recommended Posts

  • Staff

What is RegistrySmart?

The Malwarebytes research team has determined that RegistrySmart is a fake registry scanning application. These so-called "rogues" use intentional false positives to convince users that their systems have been compromised. Then they try to sell you their software, claiming it will remove these threats. In extreme cases the false threats are actually the very trojans that advertise or even directly install the rogue. You are stronglyadvised to follow our removal instructions below.

warning3.png

How do I know if I am infected with RegistrySmart?

This is how the main screen of the rogue application looks:

main.png

You will find these icons in your taskbar, on your desktop and in your Start-menu:

icons.png

And see these warnings during install:

warning1.png

warning2.png

and thhis type of warning after a "scan":

warning5.png

You may see this entry in your list of installed programs:

warning4.png

and this task in your Scheduled Tasks:

warning3.png

How did RegistrySmart get on my computer?

Rogue programs use different methods for spreading themselves. This particular one was installed by a bundler.

How do I remove RegistrySmart?

Our program Malwarebytes can detect and remove this rogue.

  • Please download Malwarebytes to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of RegistrySmart?

  • No, Malwarebytes removes RegistrySmart completely.

How would the full version of Malwarebytes help protect me?

We hope our application has helped you eradicate this malicious software. If your current security solution let this infection through, you might please consider purchasing the FULL version of Malwarebytes for additional protection.

As you can see below the full version of Malwarebytes would have protected you against the RegistrySmart rogue. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.
 


protection1.png

Technical details for experts

Possible signs in FRST logs:

 

(E-NextMedia) C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe
C:\Windows\System32\Tasks\RegistrySmart Scheduled Scan
C:\Users\{username}\Desktop\RegistrySmart.lnk
C:\Windows\Tasks\RegistrySmart Scheduled Scan.job
C:\Users\{username}\AppData\Roaming\RegistrySmart
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RegistrySmart
C:\Program Files (x86)\RegistrySmart

RegistrySmart 2.10.4342 (HKLM-x32\...\RegistrySmart_is1) (Version: 2.10 - E-NextMedia)
Task: {17BA9627-AFC4-4A8A-A2AE-E0331FA6372D} - System32\Tasks\RegistrySmart Scheduled Scan => C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe [2011-11-11] (E-NextMedia)
Task: C:\Windows\Tasks\RegistrySmart Scheduled Scan.job => C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe
scheduled C:\Program Files (x86)\RegistrySmart
{username}.Run

Alterations made by the installer:
 

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Program Files (x86)\RegistrySmart
       Adds the file DataBase.ref"="11/11/2011 12:02 PM, 16164 bytes, A
       Adds the file license.rtf"="7/2/2009 8:19 AM, 9989 bytes, A
       Adds the file RegistrySmart.exe"="11/11/2011 12:02 PM, 4780032 bytes, A
       Adds the file RegistrySmart.url"="7/30/2018 11:52 AM, 53 bytes, A
       Adds the file unins000.dat"="7/30/2018 11:52 AM, 5273 bytes, A
       Adds the file unins000.exe"="7/30/2018 11:51 AM, 774489 bytes, A
    Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RegistrySmart
       Adds the file RegistrySmart on the Web.lnk"="7/30/2018 11:52 AM, 1690 bytes, A
       Adds the file RegistrySmart.lnk"="7/30/2018 11:52 AM, 1983 bytes, A
       Adds the file Uninstall RegistrySmart.lnk"="7/30/2018 11:52 AM, 986 bytes, A
    In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
       Adds the file RegistrySmart.lnk"="7/30/2018 11:52 AM, 1133 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\RegistrySmart\Log
       Adds the file 2018 Jul 30 - 11_52_27 AM_094.log"="7/30/2018 11:52 AM, 0 bytes, A
    In the existing folder C:\Users\{username}\Desktop
       Adds the file RegistrySmart.lnk"="7/30/2018 11:52 AM, 1965 bytes, A
    In the existing folder C:\Windows\System32\Tasks
       Adds the file RegistrySmart Scheduled Scan"="7/30/2018 11:52 AM, 3342 bytes, A
    In the existing folder C:\Windows\Tasks
       Adds the file RegistrySmart Scheduled Scan.job"="7/30/2018 11:52 AM, 458 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures]
       "RegistrySmart Scheduled Scan.job"="REG_BINARY, ................................
       "RegistrySmart Scheduled Scan.job.fp"="REG_DWORD", -177504305
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RegistrySmart_is1]
       "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe"
       "DisplayName"="REG_SZ", "RegistrySmart 2.10.4342"
       "DisplayVersion"="REG_SZ", "2.10"
       "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\RegistrySmart"
       "Inno Setup: Deselected Tasks"="REG_SZ", ""
       "Inno Setup: Icon Group"="REG_SZ", "RegistrySmart"
       "Inno Setup: Selected Tasks"="REG_SZ", "desktopicon,quicklaunchicon"
       "Inno Setup: Setup Version"="REG_SZ", "5.2.2"
       "Inno Setup: User"="REG_SZ", "{username}"
       "InstallDate"="REG_SZ", "20180730"
       "InstallLocation"="REG_SZ", "C:\Program Files (x86)\RegistrySmart\"
       "NoModify"="REG_DWORD", 1
       "NoRepair"="REG_DWORD", 1
       "Publisher"="REG_SZ", "E-NextMedia"
       "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\RegistrySmart\unins000.exe" /SILENT"
       "UninstallString"="REG_SZ", ""C:\Program Files (x86)\RegistrySmart\unins000.exe""
       "URLInfoAbout"="REG_SZ", "http://www.regsmartpro.com/"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RegistrySmart\RegistrySmart\Settings]
       "Updated"="REG_DWORD", 1
    [HKEY_CURRENT_USER\Software\RegistrySmart\RegistrySmart\RegistrySmart]
       "AskIfOne"="REG_DWORD", 0
    [HKEY_CURRENT_USER\Software\RegistrySmart\RegistrySmart\SectionToScan]
       "CheckAppPaths"="REG_DWORD", 1
       "CheckComReg"="REG_DWORD", 1
       "CheckDrivers"="REG_DWORD", 1
       "CheckFileAss"="REG_DWORD", 1
       "CheckFonts"="REG_DWORD", 1
       "CheckHelpDiles"="REG_DWORD", 1
       "CheckHistory"="REG_DWORD", 1
       "CheckServices"="REG_DWORD", 1
       "CheckSharedFiles"="REG_DWORD", 1
       "CheckShortcuts"="REG_DWORD", 1
       "CheckSounds"="REG_DWORD", 1
       "CheckStartup"="REG_DWORD", 1
       "CheckUninstall"="REG_DWORD", 1
       "CheckUser"="REG_DWORD", 1

Malwarebytes log:
 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/30/18
Scan Time: 11:59 AM
Log File: 34ec19fe-93df-11e8-add8-00ffdcc6fdfc.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.374
Update Package Version: 1.0.6123
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 251110
Threats Detected: 29
Threats Quarantined: 29
Time Elapsed: 3 min, 29 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
Rogue.RegistrySmart, C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe, Quarantined, [1364], [171220],1.0.6123

Module: 1
Rogue.RegistrySmart, C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe, Quarantined, [1364], [171220],1.0.6123

Registry Key: 6
Rogue.RegistrySmart, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\RegistrySmart Scheduled Scan, Quarantined, [1364], [171220],1.0.6123
Rogue.RegistrySmart, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{17BA9627-AFC4-4A8A-A2AE-E0331FA6372D}, Quarantined, [1364], [171220],1.0.6123
Rogue.RegistrySmart, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{17BA9627-AFC4-4A8A-A2AE-E0331FA6372D}, Quarantined, [1364], [171220],1.0.6123
Rogue.RegistrySmart, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RegistrySmart_is1, Quarantined, [1364], [171220],1.0.6123
Rogue.RegistrySmart, HKLM\SOFTWARE\WOW6432NODE\RegistrySmart, Quarantined, [1364], [212840],1.0.6123
Rogue.RegistrySmart, HKCU\SOFTWARE\RegistrySmart, Quarantined, [1364], [210497],1.0.6123

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 4
Rogue.RegistrySmart, C:\Users\{username}\AppData\Roaming\RegistrySmart\Log, Quarantined, [1364], [170329],1.0.6123
Rogue.RegistrySmart, C:\USERS\{username}\APPDATA\ROAMING\REGISTRYSMART, Quarantined, [1364], [170329],1.0.6123
Rogue.RegistrySmart, C:\PROGRAM FILES (X86)\REGISTRYSMART, Quarantined, [1364], [171220],1.0.6123
Rogue.RegistrySmart, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\REGISTRYSMART, Quarantined, [1364], [171858],1.0.6123

File: 17
Rogue.RegistrySmart, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Windows\Recent\RegistrySmart - Changes.txt.lnk, Quarantined, [1364], [199824],1.0.6123
Rogue.RegistrySmart, C:\USERS\{username}\DESKTOP\RegistrySmart - Changes.txt, Quarantined, [1364], [199824],1.0.6123
Rogue.RegistrySmart, C:\USERS\{username}\DESKTOP\RegistrySmart.exe, Quarantined, [1364], [199824],1.0.6123
Rogue.RegistrySmart, C:\USERS\{username}\DESKTOP\RegistrySmart.lnk, Quarantined, [1364], [199824],1.0.6123
Rogue.RegistrySmart, C:\Users\{username}\AppData\Roaming\RegistrySmart\Log\2018 Jul 30 - 11_52_27 AM_094.log, Quarantined, [1364], [170329],1.0.6123
Rogue.RegistrySmart, C:\Program Files (x86)\RegistrySmart\DataBase.ref, Quarantined, [1364], [171220],1.0.6123
Rogue.RegistrySmart, C:\Program Files (x86)\RegistrySmart\license.rtf, Quarantined, [1364], [171220],1.0.6123
Rogue.RegistrySmart, C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe, Quarantined, [1364], [171220],1.0.6123
Rogue.RegistrySmart, C:\Program Files (x86)\RegistrySmart\RegistrySmart.url, Quarantined, [1364], [171220],1.0.6123
Rogue.RegistrySmart, C:\Program Files (x86)\RegistrySmart\unins000.dat, Quarantined, [1364], [171220],1.0.6123
Rogue.RegistrySmart, C:\Program Files (x86)\RegistrySmart\unins000.exe, Quarantined, [1364], [171220],1.0.6123
Rogue.RegistrySmart, C:\WINDOWS\SYSTEM32\TASKS\RegistrySmart Scheduled Scan, Quarantined, [1364], [171220],1.0.6123
Rogue.RegistrySmart, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Internet Explorer\Quick Launch\RegistrySmart.lnk, Quarantined, [1364], [171220],1.0.6123
Rogue.RegistrySmart, C:\WINDOWS\TASKS\RegistrySmart Scheduled Scan.job, Quarantined, [1364], [207855],1.0.6123
Rogue.RegistrySmart, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RegistrySmart\RegistrySmart on the Web.lnk, Quarantined, [1364], [171858],1.0.6123
Rogue.RegistrySmart, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RegistrySmart\RegistrySmart.lnk, Quarantined, [1364], [171858],1.0.6123
Rogue.RegistrySmart, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RegistrySmart\Uninstall RegistrySmart.lnk, Quarantined, [1364], [171858],1.0.6123

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.