What is RegistrySmart?
The Malwarebytes research team has determined that RegistrySmart is a fake registry scanning application. These so-called "rogues" use intentional false positives to convince users that their systems have been compromised. Then they try to sell you their software, claiming it will remove these threats. In extreme cases the false threats are actually the very trojans that advertise or even directly install the rogue. You are strongly advised to follow our removal instructions below.
How do I know if I am infected with RegistrySmart?
This is how the main screen of the rogue application looks:
You will find these icons in your taskbar, on your desktop and in your Start-menu:
And see these warnings during install:
and thhis type of warning after a "scan":
You may see this entry in your list of installed programs:
and this task in your Scheduled Tasks:
How did RegistrySmart get on my computer?
Rogue programs use different methods for spreading themselves. This particular one was installed by a bundler.
How do I remove RegistrySmart?
Our program Malwarebytes can detect and remove this rogue.
- Please download Malwarebytes to your desktop.
- Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
- Then click Finish.
- Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
- If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No, Malwarebytes removes RegistrySmart completely.
We hope our application has helped you eradicate this malicious software. If your current security solution let this infection through, you might please consider purchasing the FULL version of Malwarebytes for additional protection.
As you can see below the full version of Malwarebytes would have protected you against the RegistrySmart rogue. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.
Possible signs in FRST logs:
(E-NextMedia) C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe C:\Windows\System32\Tasks\RegistrySmart Scheduled Scan C:\Users\{username}\Desktop\RegistrySmart.lnk C:\Windows\Tasks\RegistrySmart Scheduled Scan.job C:\Users\{username}\AppData\Roaming\RegistrySmart C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RegistrySmart C:\Program Files (x86)\RegistrySmart RegistrySmart 2.10.4342 (HKLM-x32\...\RegistrySmart_is1) (Version: 2.10 - E-NextMedia) Task: {17BA9627-AFC4-4A8A-A2AE-E0331FA6372D} - System32\Tasks\RegistrySmart Scheduled Scan => C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe [2011-11-11] (E-NextMedia) Task: C:\Windows\Tasks\RegistrySmart Scheduled Scan.job => C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe scheduled C:\Program Files (x86)\RegistrySmart {username}.RunAlterations made by the installer:
File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\RegistrySmart Adds the file DataBase.ref"="11/11/2011 12:02 PM, 16164 bytes, A Adds the file license.rtf"="7/2/2009 8:19 AM, 9989 bytes, A Adds the file RegistrySmart.exe"="11/11/2011 12:02 PM, 4780032 bytes, A Adds the file RegistrySmart.url"="7/30/2018 11:52 AM, 53 bytes, A Adds the file unins000.dat"="7/30/2018 11:52 AM, 5273 bytes, A Adds the file unins000.exe"="7/30/2018 11:51 AM, 774489 bytes, A Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RegistrySmart Adds the file RegistrySmart on the Web.lnk"="7/30/2018 11:52 AM, 1690 bytes, A Adds the file RegistrySmart.lnk"="7/30/2018 11:52 AM, 1983 bytes, A Adds the file Uninstall RegistrySmart.lnk"="7/30/2018 11:52 AM, 986 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch Adds the file RegistrySmart.lnk"="7/30/2018 11:52 AM, 1133 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\RegistrySmart\Log Adds the file 2018 Jul 30 - 11_52_27 AM_094.log"="7/30/2018 11:52 AM, 0 bytes, A In the existing folder C:\Users\{username}\Desktop Adds the file RegistrySmart.lnk"="7/30/2018 11:52 AM, 1965 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file RegistrySmart Scheduled Scan"="7/30/2018 11:52 AM, 3342 bytes, A In the existing folder C:\Windows\Tasks Adds the file RegistrySmart Scheduled Scan.job"="7/30/2018 11:52 AM, 458 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures] "RegistrySmart Scheduled Scan.job"="REG_BINARY, ................................ "RegistrySmart Scheduled Scan.job.fp"="REG_DWORD", -177504305 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\RegistrySmart_is1] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe" "DisplayName"="REG_SZ", "RegistrySmart 2.10.4342" "DisplayVersion"="REG_SZ", "2.10" "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\RegistrySmart" "Inno Setup: Deselected Tasks"="REG_SZ", "" "Inno Setup: Icon Group"="REG_SZ", "RegistrySmart" "Inno Setup: Selected Tasks"="REG_SZ", "desktopicon,quicklaunchicon" "Inno Setup: Setup Version"="REG_SZ", "5.2.2" "Inno Setup: User"="REG_SZ", "{username}" "InstallDate"="REG_SZ", "20180730" "InstallLocation"="REG_SZ", "C:\Program Files (x86)\RegistrySmart\" "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "Publisher"="REG_SZ", "E-NextMedia" "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\RegistrySmart\unins000.exe" /SILENT" "UninstallString"="REG_SZ", ""C:\Program Files (x86)\RegistrySmart\unins000.exe"" "URLInfoAbout"="REG_SZ", "http://www.regsmartpro.com/" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RegistrySmart\RegistrySmart\Settings] "Updated"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\RegistrySmart\RegistrySmart\RegistrySmart] "AskIfOne"="REG_DWORD", 0 [HKEY_CURRENT_USER\Software\RegistrySmart\RegistrySmart\SectionToScan] "CheckAppPaths"="REG_DWORD", 1 "CheckComReg"="REG_DWORD", 1 "CheckDrivers"="REG_DWORD", 1 "CheckFileAss"="REG_DWORD", 1 "CheckFonts"="REG_DWORD", 1 "CheckHelpDiles"="REG_DWORD", 1 "CheckHistory"="REG_DWORD", 1 "CheckServices"="REG_DWORD", 1 "CheckSharedFiles"="REG_DWORD", 1 "CheckShortcuts"="REG_DWORD", 1 "CheckSounds"="REG_DWORD", 1 "CheckStartup"="REG_DWORD", 1 "CheckUninstall"="REG_DWORD", 1 "CheckUser"="REG_DWORD", 1Malwarebytes log:
Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/30/18 Scan Time: 11:59 AM Log File: 34ec19fe-93df-11e8-add8-00ffdcc6fdfc.json Administrator: Yes -Software Information- Version: 3.5.1.2522 Components Version: 1.0.374 Update Package Version: 1.0.6123 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 251110 Threats Detected: 29 Threats Quarantined: 29 Time Elapsed: 3 min, 29 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 1 Rogue.RegistrySmart, C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe, Quarantined, [1364], [171220],1.0.6123 Module: 1 Rogue.RegistrySmart, C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe, Quarantined, [1364], [171220],1.0.6123 Registry Key: 6 Rogue.RegistrySmart, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\RegistrySmart Scheduled Scan, Quarantined, [1364], [171220],1.0.6123 Rogue.RegistrySmart, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{17BA9627-AFC4-4A8A-A2AE-E0331FA6372D}, Quarantined, [1364], [171220],1.0.6123 Rogue.RegistrySmart, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{17BA9627-AFC4-4A8A-A2AE-E0331FA6372D}, Quarantined, [1364], [171220],1.0.6123 Rogue.RegistrySmart, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RegistrySmart_is1, Quarantined, [1364], [171220],1.0.6123 Rogue.RegistrySmart, HKLM\SOFTWARE\WOW6432NODE\RegistrySmart, Quarantined, [1364], [212840],1.0.6123 Rogue.RegistrySmart, HKCU\SOFTWARE\RegistrySmart, Quarantined, [1364], [210497],1.0.6123 Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 4 Rogue.RegistrySmart, C:\Users\{username}\AppData\Roaming\RegistrySmart\Log, Quarantined, [1364], [170329],1.0.6123 Rogue.RegistrySmart, C:\USERS\{username}\APPDATA\ROAMING\REGISTRYSMART, Quarantined, [1364], [170329],1.0.6123 Rogue.RegistrySmart, C:\PROGRAM FILES (X86)\REGISTRYSMART, Quarantined, [1364], [171220],1.0.6123 Rogue.RegistrySmart, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\REGISTRYSMART, Quarantined, [1364], [171858],1.0.6123 File: 17 Rogue.RegistrySmart, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Windows\Recent\RegistrySmart - Changes.txt.lnk, Quarantined, [1364], [199824],1.0.6123 Rogue.RegistrySmart, C:\USERS\{username}\DESKTOP\RegistrySmart - Changes.txt, Quarantined, [1364], [199824],1.0.6123 Rogue.RegistrySmart, C:\USERS\{username}\DESKTOP\RegistrySmart.exe, Quarantined, [1364], [199824],1.0.6123 Rogue.RegistrySmart, C:\USERS\{username}\DESKTOP\RegistrySmart.lnk, Quarantined, [1364], [199824],1.0.6123 Rogue.RegistrySmart, C:\Users\{username}\AppData\Roaming\RegistrySmart\Log\2018 Jul 30 - 11_52_27 AM_094.log, Quarantined, [1364], [170329],1.0.6123 Rogue.RegistrySmart, C:\Program Files (x86)\RegistrySmart\DataBase.ref, Quarantined, [1364], [171220],1.0.6123 Rogue.RegistrySmart, C:\Program Files (x86)\RegistrySmart\license.rtf, Quarantined, [1364], [171220],1.0.6123 Rogue.RegistrySmart, C:\Program Files (x86)\RegistrySmart\RegistrySmart.exe, Quarantined, [1364], [171220],1.0.6123 Rogue.RegistrySmart, C:\Program Files (x86)\RegistrySmart\RegistrySmart.url, Quarantined, [1364], [171220],1.0.6123 Rogue.RegistrySmart, C:\Program Files (x86)\RegistrySmart\unins000.dat, Quarantined, [1364], [171220],1.0.6123 Rogue.RegistrySmart, C:\Program Files (x86)\RegistrySmart\unins000.exe, Quarantined, [1364], [171220],1.0.6123 Rogue.RegistrySmart, C:\WINDOWS\SYSTEM32\TASKS\RegistrySmart Scheduled Scan, Quarantined, [1364], [171220],1.0.6123 Rogue.RegistrySmart, C:\USERS\{username}\APPDATA\ROAMING\Microsoft\Internet Explorer\Quick Launch\RegistrySmart.lnk, Quarantined, [1364], [171220],1.0.6123 Rogue.RegistrySmart, C:\WINDOWS\TASKS\RegistrySmart Scheduled Scan.job, Quarantined, [1364], [207855],1.0.6123 Rogue.RegistrySmart, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RegistrySmart\RegistrySmart on the Web.lnk, Quarantined, [1364], [171858],1.0.6123 Rogue.RegistrySmart, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RegistrySmart\RegistrySmart.lnk, Quarantined, [1364], [171858],1.0.6123 Rogue.RegistrySmart, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RegistrySmart\Uninstall RegistrySmart.lnk, Quarantined, [1364], [171858],1.0.6123 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end)As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention