PUP.Optional.PerfectRegistry

Short bio

PUP.Optional.PerfectRegistry is the detection for a registry cleaner . The use of registry cleaners is not advisable and some of them  use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. PerfectRegistry is a member of a family of Windows system optimizers that can be recognized by the GUI and the use of the file roboot64.exe.

GUI of PerfectRegistry

Symptoms

PUP.Optional.PerfectRegistry uses several Scheduled Tasks to gain persistence and users may notice the icon in their taskbar, startmenu, and on their desktop. And find the software listed in their list of installed programs and features.

Scheduled Tasks for PerferctRegistry

icons PerfectRegistry

PerfectRegistry entry in list of installed Programs

Type and source of infection

PUP.Optional.PerfectRegistry is usually installed by the user themselves due to advertising.

Raxco website advertising PerfectRegistry

Protection

Malwarebytes protects users against PUP.Optional.PerfectRegistry by stopping the installer.

Malwarebytes blocks the PerfectRegsitry installer

Remediation

Malwarebytes can detect and remove this potentially unwanted application without further user interaction.

• Please download Malwarebytes to your desktop.
• Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
• Then click Finish.
• Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
• If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
• When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
• Restart your computer when prompted to do so.

Should users wish to keep it, they can add the detections to the exclusions list. Here's how to do it.

Malwarebytes removal log

The Malwarebytes removal log will look similar to this:
Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/14/18
Scan Time: 9:19 AM
Log File: c47a3d42-115f-11e8-9439-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3948
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 242410
Threats Detected: 62
Threats Quarantined: 61
Time Elapsed: 2 min, 24 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\PerfectRegistry.exe, Quarantined, [1013], [395661],1.0.3948

Module: 4
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\isxdl.dll, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\PerfectRegistry.exe, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\RegCleanPro.dll, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\xmllite.dll, Quarantined, [1013], [395661],1.0.3948

Registry Key: 12
PUP.Optional.PerfectRegistry, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PerfectRegistry, Quarantined, [1013], [395664],1.0.3948
PUP.Optional.PerfectRegistry, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{20E5E4B6-666E-4527-A04A-824F3CC589A2}, Quarantined, [1013], [395664],1.0.3948
PUP.Optional.PerfectRegistry, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{20E5E4B6-666E-4527-A04A-824F3CC589A2}, Quarantined, [1013], [395664],1.0.3948
PUP.Optional.PerfectRegistry, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PerfectRegistry_DEFAULT, Quarantined, [1013], [395664],1.0.3948
PUP.Optional.PerfectRegistry, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{099B320F-06C7-477E-B862-1C05011E2A85}, Quarantined, [1013], [395664],1.0.3948
PUP.Optional.PerfectRegistry, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{099B320F-06C7-477E-B862-1C05011E2A85}, Quarantined, [1013], [395664],1.0.3948
PUP.Optional.PerfectRegistry, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PerfectRegistry_UPDATES, Quarantined, [1013], [395664],1.0.3948
PUP.Optional.PerfectRegistry, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{D1A5B052-CF3A-4C42-B8E4-EE4211AE6A5A}, Quarantined, [1013], [395664],1.0.3948
PUP.Optional.PerfectRegistry, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{D1A5B052-CF3A-4C42-B8E4-EE4211AE6A5A}, Quarantined, [1013], [395664],1.0.3948
PUP.Optional.PerfectRegistry, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\PerfectRegistry_is1, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, HKCU\SOFTWARE\RAXCO\PerfectRegistry, Quarantined, [1013], [395667],1.0.3948
PUP.Optional.PerfectRegistry, HKLM\SOFTWARE\WOW6432NODE\RAXCO\PerfectRegistry, Quarantined, [1013], [396319],1.0.3948

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 3
PUP.Optional.PerfectRegistry, C:\PROGRAM FILES (X86)\RAXCO\PERFECTREGISTRY, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\RAXCO\PERFECTREGISTRY, Quarantined, [1013], [395662],1.0.3948
PUP.Optional.PerfectRegistry, C:\USERS\{username}\APPDATA\ROAMING\RAXCO\PERFECTREGISTRY, Removal Failed, [1013], [396318],1.0.3948

File: 42
PUP.Optional.PerfectRegistry, C:\USERS\PUBLIC\DESKTOP\PERFECTREGISTRY.LNK, Quarantined, [1013], [395663],1.0.3948
PUP.Optional.PerfectRegistry, C:\WINDOWS\TASKS\PerfectRegistry_DEFAULT.job, Quarantined, [1013], [395665],1.0.3948
PUP.Optional.PerfectRegistry, C:\WINDOWS\TASKS\PerfectRegistry_UPDATES.job, Quarantined, [1013], [395665],1.0.3948
PUP.Optional.SysTweak, C:\WINDOWS\SYSTEM32\ROBOOT64.EXE, Quarantined, [217], [395666],1.0.3948
PUP.Optional.PerfectRegistry, C:\WINDOWS\SYSTEM32\TASKS\PerfectRegistry, Quarantined, [1013], [395664],1.0.3948
PUP.Optional.PerfectRegistry, C:\WINDOWS\SYSTEM32\TASKS\PerfectRegistry_DEFAULT, Quarantined, [1013], [395664],1.0.3948
PUP.Optional.PerfectRegistry, C:\WINDOWS\SYSTEM32\TASKS\PerfectRegistry_UPDATES, Quarantined, [1013], [395664],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Chinese_rcp.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\CleanSchedule.exe, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Danish_rcp.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Dutch_rcp.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\eng_rcp.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Finnish_rcp_fi.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\French_rcp.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\German_rcp.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\greek_rcp_el.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\install_left_image.bmp, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\isxdl.dll, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Italian_rcp.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Japanese_rcp.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\korean_rcp_ko.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Norwegian_rcp.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\PerfectRegistry.exe, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\polish_rcp_pl.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\portugese_rcp_pt.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Portuguese_rcp.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\PRUninstall.exe, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\RegCleanPro.dll, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\russian_rcp_ru.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Spanish_rcp.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\Swedish_rcp.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\TraditionalCn_rcp_zh-tw.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\turkish_rcp_tr.ini, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\unins000.dat, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\unins000.exe, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\unins000.msg, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\Program Files (x86)\Raxco\PerfectRegistry\xmllite.dll, Quarantined, [1013], [395661],1.0.3948
PUP.Optional.PerfectRegistry, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Raxco\PerfectRegistry\PerfectRegistry.lnk, Quarantined, [1013], [395662],1.0.3948
PUP.Optional.PerfectRegistry, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Raxco\PerfectRegistry\Uninstall PerfectRegistry.lnk, Quarantined, [1013], [395662],1.0.3948
PUP.Optional.PerfectRegistry, C:\Users\{username}\AppData\Roaming\Raxco\PerfectRegistry\log_02-14-2018.log, Quarantined, [1013], [396318],1.0.3948
PUP.Optional.PerfectRegistry, C:\Users\{username}\AppData\Roaming\Raxco\PerfectRegistry\results.rcp, Quarantined, [1013], [396318],1.0.3948
PUP.Optional.PerfectRegistry, C:\USERS\{username}\DESKTOP\PRSETUP.EXE, Quarantined, [1013], [395680],1.0.3948

Physical Sector: 0
(No malicious items detected)


(end)

Add an exclusion

Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here’s how to do it.

The Exclusions tab includes a list of items to be excluded from scans. The items may include files, folders, websites, or applications that connect to the Internet, as well as previously detected exploits.

To access the exclusions in Malwarebytes:

• Click on the Settings tab in the left pane.
• Click on the Exclusions tab.
• Click the Add Exclusion button.
• Select the exclusion type Exclude a File or Folder and use the Browse button to select the main folder for the software that you wish to keep.
• Repeat this for any secondary folder(s) that belong to the software.
• If you want to allow the program to connect to the internet, for example to fetch updates, add an exclusion of the type Exclude an application that Connects to the Internet and use the Browse button to select the file you wish to grant access.

Traces/IOCs

Possible entries in a FRST log

(Raxco Software, Inc.) C:\Program Files (x86)\Raxco\PerfectRegistry\PerfectRegistry.exe
 C:\Windows\System32\Tasks\PerfectRegistry
 C:\Windows\System32\Tasks\PerfectRegistry_UPDATES
 C:\Windows\System32\Tasks\PerfectRegistry_DEFAULT
 C:\Users\Public\Desktop\PerfectRegistry.lnk
 C:\Windows\Tasks\PerfectRegistry_UPDATES.job
 C:\Windows\Tasks\PerfectRegistry_DEFAULT.job
 C:\Users\{username}\AppData\Roaming\Raxco
 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Raxco
 C:\Program Files (x86)\Raxco
 (Raxco Software, Inc) C:\Windows\system32\roboot64.exe

PerfectRegistry (HKLM-x32\...\PerfectRegistry_is1) (Version: 2.0 - Raxco Software Inc)
Task: {099B320F-06C7-477E-B862-1C05011E2A85} - System32\Tasks\PerfectRegistry_DEFAULT => C:\Program Files (x86)\Raxco\PerfectRegistry\PerfectRegistry.exe [2015-07-16] (Raxco Software, Inc.)
Task: {20E5E4B6-666E-4527-A04A-824F3CC589A2} - System32\Tasks\PerfectRegistry => C:\Program Files (x86)\Raxco\PerfectRegistry\PerfectRegistry.exe [2015-07-16] (Raxco Software, Inc.)
Task: {D1A5B052-CF3A-4C42-B8E4-EE4211AE6A5A} - System32\Tasks\PerfectRegistry_UPDATES => C:\Program Files (x86)\Raxco\PerfectRegistry\PerfectRegistry.exe [2015-07-16] (Raxco Software, Inc.)
Task: C:\Windows\Tasks\PerfectRegistry_DEFAULT.job => C:\Program Files (x86)\Raxco\PerfectRegistry\PerfectRegistry.exe
Task: C:\Windows\Tasks\PerfectRegistry_UPDATES.job => C:\Program Files (x86)\Raxco\PerfectRegistry\PerfectRegistry.exe

Files: PerfectRegistry.exe, roboot64.exe
Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Raxco\PerfectRegistry
Domain: raxco.com