What is RegistryCleaner?
The Malwarebytes research team has determined that RegistryCleaner is a "system optimizer". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems.
More information can be found on our Malwarebytes Labs blog.
How do I know if I am infected with RegistryCleaner?
This is how the main screen of the system optimizer looks:
You will find these icons in your taskbar, your Start menu, and on your desktop:
and see this warning during install:
and these screens during "operations":
You may see this entry in your list of installed programs:
and this task in your list of Scheduled Tasks:
How did RegistryCleaner get on my computer?
These so-called system optimizers use different methods of getting installed. This particular one was downloaded from their website:
How do I remove RegistryCleaner?
Our program Malwarebytes can detect and remove this potentially unwanted application.
- Please download Malwarebytes to your desktop.
- Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
- Then click Finish.
- Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
- If another update of the definitions is available, it will be applied before the rest of the scan runs.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No, Malwarebytes removes RegistryCleaner completely.
- This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.
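As an added example that is not part of the original guide, the read-only PowerShell audit below checks a machine for the scheduled task and the other RegistryCleaner artifacts listed under "Technical details for experts" further down. It assumes PowerShell 4 or later (for Get-ScheduledTask) on 64-bit Windows, which is why the uninstall key is read under Wow6432Node as in the page's registry listing; it reports what it finds and deletes nothing.

```powershell
# Added example (not from the Malwarebytes guide): audit a host for the
# RegistryCleaner artifacts recorded on this page. Read-only by design.
# Assumes PowerShell 4+ and 64-bit Windows (Wow6432Node keys).
$findings = @()

# 1. Persistence: scheduled task "UTILILAB RegistryCLEANER" launching utililabrc.exe
#    (the FRST "Task:" entry on this page).
$task = Get-ScheduledTask -TaskName 'UTILILAB RegistryCLEANER' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName)"; Detail = $actions }
}

# 2. A running instance of the optimizer itself.
foreach ($proc in (Get-Process -Name 'utililabrc' -ErrorAction SilentlyContinue)) {
    $findings += [pscustomobject]@{ Type = 'Process'; Location = $proc.Path; Detail = "PID $($proc.Id)" }
}

# 3. Registry keys from the installer's alterations list, with the values
#    most useful for triage (StartWhenWinBoots=1 relaunches it at logon).
$regKeys = @{
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RegistryCLEANER_is1' = 'DisplayName','Publisher','UninstallString'
    'HKLM:\SOFTWARE\Wow6432Node\Utililab\RegistryCLEANER' = 'MaxFixLimit','RCPURL'
    'HKCU:\Software\Utililab\RegistryCLEANER' = 'StartWhenWinBoots','StrLastScan'
}
foreach ($key in $regKeys.Keys) {
    if (Test-Path $key) {
        $props  = Get-ItemProperty -Path $key
        $detail = ($regKeys[$key] | ForEach-Object { "$_=$($props.$_)" }) -join ' '
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Location = $key; Detail = $detail }
    }
}

# 4. Files and folders the installer drops; roboot64.exe in System32 is the
#    one component that lives outside the product folder.
$paths = @(
    "${env:ProgramFiles(x86)}\UTILILAB\RegistryCLEANER",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\UTILILAB",
    "$env:APPDATA\Utililab\RegistryCLEANER",
    "$env:PUBLIC\Desktop\RegistryCLEANER.lnk",
    "$env:SystemRoot\System32\roboot64.exe",
    "$env:SystemRoot\System32\Tasks\UTILILAB RegistryCLEANER"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Type = 'Path'; Location = $p; Detail = (Get-Item -LiteralPath $p).LastWriteTime }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No RegistryCleaner artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

On Windows 7, which has no Get-ScheduledTask cmdlet, the task can instead be listed with schtasks /Query /TN "UTILILAB RegistryCLEANER".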
We hope our application and this guide have helped you eradicate this system optimizer.
As you can see below, the full version of Malwarebytes would have protected you against the RegistryCleaner installer. It would have warned you before the application could install itself, giving you a chance to stop it before it was too late.
and we block access to their domain:
Technical details for experts
You may see these entries in FRST logs:
(UTILILAB) C:\Program Files (x86)\UTILILAB\RegistryCLEANER\utililabrc.exe
C:\Windows\System32\Tasks\UTILILAB RegistryCLEANER
C:\Users\Public\Desktop\RegistryCLEANER.lnk
C:\Users\{username}\AppData\Roaming\Utililab
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UTILILAB
C:\Program Files (x86)\UTILILAB
(UTILILAB) C:\Windows\system32\roboot64.exe
(UTILILAB) C:\Users\{username}\Desktop\utililabrcsetup.exe
RegistryCLEANER (HKLM-x32\...\RegistryCLEANER_is1) (Version: 2.0 - UTILILAB)
Task: {AF098F63-F224-4850-A5D5-80E47D2A4B9A} - System32\Tasks\UTILILAB RegistryCLEANER => C:\Program Files (x86)\UTILILAB\RegistryCLEANER\utililabrc.exe [2012-05-22] (UTILILAB)
Alterations made by the installer:
File system details
Adds the folder C:\Program Files (x86)\UTILILAB\RegistryCLEANER
Adds the file Chinese_rcp.ini (5/22/2012 6:11 PM, 46760 bytes, A)
Adds the file CleanSchedule.exe (5/22/2012 8:03 PM, 250832 bytes, A)
Adds the file Danish_rcp.ini (5/22/2012 6:11 PM, 87606 bytes, A)
Adds the file Dutch_rcp.ini (5/22/2012 6:11 PM, 91072 bytes, A)
Adds the file eng_rcp.ini (5/22/2012 6:11 PM, 83276 bytes, A)
Adds the file Finnish_rcp_fi.ini (5/22/2012 6:11 PM, 84924 bytes, A)
Adds the file French_rcp.ini (5/22/2012 6:11 PM, 97508 bytes, A)
Adds the file German_rcp.ini (5/22/2012 6:11 PM, 97010 bytes, A)
Adds the file greek_rcp_el.ini (5/22/2012 6:11 PM, 96978 bytes, A)
Adds the file install_left_image.bmp (1/6/2011 6:40 PM, 154052 bytes, A)
Adds the file isxdl.dll (5/18/2012 12:31 PM, 156584 bytes, A)
Adds the file Italian_rcp.ini (5/22/2012 6:11 PM, 94158 bytes, A)
Adds the file Japanese_rcp.ini (5/22/2012 6:11 PM, 58526 bytes, A)
Adds the file korean_rcp_ko.ini (5/22/2012 6:11 PM, 66928 bytes, A)
Adds the file Norwegian_rcp.ini (5/22/2012 6:11 PM, 84424 bytes, A)
Adds the file polish_rcp_pl.ini (5/22/2012 6:11 PM, 88142 bytes, A)
Adds the file portugese_rcp_pt.ini (5/22/2012 6:11 PM, 91054 bytes, A)
Adds the file Portuguese_rcp.ini (5/22/2012 6:11 PM, 88700 bytes, A)
Adds the file RegCleanPro.dll (5/22/2012 8:03 PM, 1679360 bytes, A)
Adds the file russian_rcp_ru.ini (5/22/2012 6:11 PM, 90970 bytes, A)
Adds the file Spanish_rcp.ini (5/22/2012 6:11 PM, 92078 bytes, A)
Adds the file Swedish_rcp.ini (5/22/2012 6:11 PM, 83008 bytes, A)
Adds the file TraditionalCn_rcp_zh-tw.ini (5/22/2012 6:11 PM, 46822 bytes, A)
Adds the file turkish_rcp_tr.ini (5/22/2012 6:11 PM, 89068 bytes, A)
Adds the file unins000.dat (1/22/2018 8:44 AM, 35733 bytes, A)
Adds the file unins000.exe (1/22/2018 8:43 AM, 1256400 bytes, A)
Adds the file unins000.msg (1/22/2018 8:44 AM, 21031 bytes, A)
Adds the file utililabrc.exe (5/22/2012 8:03 PM, 7550928 bytes, A)
Adds the file xmllite.dll (5/18/2012 12:31 PM, 126976 bytes, A)
Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UTILILAB\RegistryCLEANER
Adds the file Register RegistryCLEANER.lnk (1/22/2018 8:44 AM, 1247 bytes, A)
Adds the file RegistryCLEANER.lnk (1/22/2018 8:44 AM, 1221 bytes, A)
Adds the file Uninstall RegistryCLEANER.lnk (1/22/2018 8:44 AM, 1211 bytes, A)
Adds the folder C:\Users\{username}\AppData\Roaming\Utililab\RegistryCLEANER
Adds the file eng_rcp.dat (1/22/2018 8:44 AM, 32698 bytes, A)
Adds the file log_01-22-2018.log (1/22/2018 8:44 AM, 0 bytes, A)
Adds the file results.rcp (1/22/2018 8:46 AM, 9592 bytes, A)
In the existing folder C:\Users\Public\Desktop
Adds the file RegistryCLEANER.lnk (1/22/2018 8:44 AM, 1197 bytes, A)
In the existing folder C:\Windows\System32
Adds the file roboot64.exe (5/22/2012 8:03 PM, 18384 bytes, A)
In the existing folder C:\Windows\System32\Tasks
Adds the file UTILILAB RegistryCLEANER (1/22/2018 8:44 AM, 3154 bytes, A)
Registry details
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RegistryCLEANER_is1]
"DisplayIcon"="REG_SZ", "C:\Program Files (x86)\UTILILAB\RegistryCLEANER\utililabrc.exe"
"DisplayName"="REG_SZ", "RegistryCLEANER"
"DisplayVersion"="REG_SZ", "2.0"
"EstimatedSize"="REG_DWORD", 12533
"HelpLink"="REG_SZ", "http://www.Utililab.com/"
"Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\UTILILAB\RegistryCLEANER"
"Inno Setup: Icon Group"="REG_SZ", "UTILILAB\RegistryCLEANER"
"Inno Setup: Language"="REG_SZ", "en"
"Inno Setup: Setup Version"="REG_SZ", "5.4.0 (u)"
"Inno Setup: User"="REG_SZ", "{username}"
"InstallDate"="REG_SZ", "20180122"
"InstallLocation"="REG_SZ", "C:\Program Files (x86)\UTILILAB\RegistryCLEANER\"
"MajorVersion"="REG_DWORD", 2
"MinorVersion"="REG_DWORD", 0
"NoModify"="REG_DWORD", 1
"NoRepair"="REG_DWORD", 1
"Publisher"="REG_SZ", "UTILILAB"
"QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\UTILILAB\RegistryCLEANER\unins000.exe" /SILENT"
"UninstallString"="REG_SZ", ""C:\Program Files (x86)\UTILILAB\RegistryCLEANER\unins000.exe" /silent"
"URLInfoAbout"="REG_SZ", "http://www.Utililab.com/"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Utililab\RegistryCLEANER]
"Expired"="REG_DWORD", 0
"MaxFixLimit"="REG_DWORD", 15
"RCPURL"="REG_SZ", "http://www.utililab.com/shop?PN=RC&V=2.0&ab=final&lng=0&select=purchase&utm_source=site&utm_campaign=default&utm_medium=final"
"RENEWALURL"="REG_SZ", "http://www.utililab.com/shop?PN=RC&V=2.0&ab=final&lng=0&select=purchase&renew=1&utm_source=site&utm_campaign=default&utm_medium=final"
"utm_campaign"="REG_SZ", "default"
"utm_medium"="REG_SZ", "final"
"utm_source"="REG_SZ", "site"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Utililab\RegistryCLEANER\LANG]
"LangID"="REG_DWORD", 0
[HKEY_CURRENT_USER\Software\Utililab\RegistryCLEANER]
"AutoRepair"="REG_DWORD", 0
"ConfirmBkUps"="REG_DWORD", 1
"CurrentScanTime"="REG_BINARY", ........
"GoToSystemTrayOnClose"="REG_DWORD", 0
"ImprovementProgram"="REG_DWORD", 1
"NumTimesRCPRunned"="REG_DWORD", 1
"RegErrFoundTillDate"="REG_DWORD", 0
"RegErrsFixedLast"="REG_DWORD", 0
"RegErrsFixedTillDate"="REG_DWORD", 0
"ScheduledTime"="REG_SZ", ""
"SetChkDontShowRedTrayPopup"="REG_DWORD", 0
"SetChkREmovableMedia"="REG_DWORD", 1
"SetChkSkipEmptyKeys"="REG_DWORD", 1
"StartAutoScanOnLaunch"="REG_DWORD", 0
"StartAutoScanPMUI"="REG_DWORD", 0
"StartMinimized"="REG_DWORD", 0
"StartScan"="REG_DWORD", 0
"StartWhenWinBoots"="REG_DWORD", 1
"StrLastOptimizeTime"="REG_SZ", ""
"StrLastScan"="REG_SZ", "Mon. January 22, 2018. 08:46 AM"
"StrLastScanResults"="REG_SZ", "26"
"StrLastStartupOpt"="REG_SZ", ""
"StrLatestRegDefrag"="REG_SZ", ""
"StrLatestRestorePoint"="REG_SZ", ""
[HKEY_CURRENT_USER\Software\Utililab\RegistryCLEANER\LANG]
"LangCode"="REG_SZ", "en"
"LangID"="REG_DWORD", 0
Malwarebytes log:
As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention