Systweak’s RegClean Pro is quite a popular piece of software. Top Ten Reviews, a consumer review portal based in Utah, has ranked it as number one in their “Registry Repair Software” category. It also boasts of having won more than a hundred 5-star awards. Yet in spite of these, something is amiss: alongside the praise come criticisms, and we’ve seen a lot of them.
What is RegClean Pro?
It is a piece of software that markets itself as a registry cleaner and optimizer in order to improve the performance of the PC. It does this by removing redundant keys and/or entries from the Windows registry.
RegClean Pro arrives on user systems either as a downloaded file from www[DOT]systweak[DOT]com/registry-cleaner/, or as a program bundled with other free third-party software. The sample we’re using for this post has an MD5 hash value of 5b8e73834ad13039e7f9bc0338b4a946.
Although Systweak caters to various operating systems, RegClean Pro in particular can only be downloaded and used by Windows users.
What happens when you install RegClean Pro?
Upon execution, RegClean Pro attempts to fingerprint the machine it is being installed on by looking up the user’s Windows account name and the computer name. It does this behind the scenes while showing the usual software GUI that users are expected to see. Below is a slideshow of these interfaces in succession:
It then opens the default browser to display the following “Thank you” message:
Finally, it creates the following scheduled tasks, which enable it to run again at certain times of the day:
Below is RegClean Pro’s shortcut after it finished installing:
Below is a slideshow, also in succession, of how the software behaves after it launches itself while opening the “Thank you” page above:
As it runs, RegClean Pro falsely shows users that it has found multiple errors in the registry—in this case, 127 errors. Then, it offers to fix these provided that users purchase and download the software’s full version.
Notable files and/or folders added:
- C:\Program Files (x86)\RegClean Pro\Cloud_Backup_Setup.exe
  - detected as PUP.Optional.MyPCBackup
- C:\Program Files (x86)\RegClean Pro\Cloud_Backup_Setup_Intl.exe
  - detected as PUP.Optional.MyPCBackup
- C:\Program Files (x86)\RegClean Pro\unins000.exe
  - detected as PUP.Optional.SysTweak
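To check a Windows machine for the artifacts described above, the following PowerShell sweep is an added example and not part of the original post. The install folder, file names and MD5 are taken from the post; the scheduled-task names are not listed there, so tasks are matched by the program they launch, and the function names are hypothetical.

```powershell
# Added example. Paths, file names and the MD5 come from the post; scheduled-task
# names are not listed there, so tasks are matched by what they launch (assumption).
$InstallDir   = 'C:\Program Files (x86)\RegClean Pro'
$NotableFiles = 'Cloud_Backup_Setup.exe', 'Cloud_Backup_Setup_Intl.exe', 'unins000.exe'
$SampleMd5    = '5b8e73834ad13039e7f9bc0338b4a946'

function Find-RegCleanProFiles {
    # Report each notable file that exists, with a SHA-256 for later lookup.
    foreach ($name in $NotableFiles) {
        $path = Join-Path $InstallDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            [pscustomobject]@{
                Type   = 'File'
                Item   = $path
                Detail = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}

function Find-RegCleanProTasks {
    # Flag any scheduled task with an action that runs a program from the install folder.
    foreach ($task in (Get-ScheduledTask)) {
        foreach ($action in $task.Actions) {
            $exe = [string]$action.Execute   # empty for non-exec (COM handler) actions
            if ($exe -like '*\RegClean Pro\*') {
                [pscustomobject]@{
                    Type   = 'ScheduledTask'
                    Item   = $task.TaskPath + $task.TaskName
                    Detail = "$exe $($action.Arguments)".Trim()
                }
            }
        }
    }
}

function Test-IsAnalysedInstaller {
    # True when a downloaded installer is the exact sample analysed in the post.
    param([Parameter(Mandatory)][string]$Path)
    (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash -eq $SampleMd5
}

# Run the sweep; an empty result means none of the listed artifacts were found.
@(Find-RegCleanProFiles) + @(Find-RegCleanProTasks) | Format-Table -AutoSize -Wrap
```

An MD5 match only identifies this one build; other builds of the installer will hash differently, so the path-based checks are the more durable of the two.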
Anything off with RegClean Pro’s End-User License Agreement?
For software that claims to clean the registry in order to improve PC performance, we find it quite odd to see the below bit in its EULA (emphasis ours):
NO PERFORMANCE WARRANTY. SYSTWEAK specifically disclaims any warranty for the amount of performance increase or utility provided by the SOFTWARE PRODUCT. By purchasing this software and accepting this EULA you specifically agree that you understand that no representation or warranty is made by SYSTWEAK that the SOFTWARE PRODUCT will necessarily increase performance or provide a utility benefit on your computer, and that no claim of specific deficiency, defect, or underperformance has been made with respect to your computer. Any claims of performance increases or utility made for the software are those of possible or potential improvement or utility, and no warranty is offered that a specific utility or amount of performance increase, if any, will be realized on any particular computer. Each computer is different and the scenarios under which they are used are different, and no claim is made that any one computer or usage scenario shall see a performance increase or utility benefit from the SOFTWARE PRODUCT. Your sole remedy for any dissatisfaction with the presence of or the degree or amount of performance improvement or utility shall be limited to the customer remedies described above.
Here’s another bit that we want to highlight in case you have used RegClean Pro and wish to hold Systweak responsible for the uncorrectable changes the software made to your system (emphasis ours):
BACKUP RESPONSIBILITY. The SOFTWARE PRODUCT is a system utility, and as such can make irreversible changes to the state of computer on which it is run and that SYSTWEAK cannot accurately predict or ensure the outcome in all possible scenarios, and therefore purchaser agrees to make and test a complete system backup and backup of all personal information before operating the SOFTWARE PRODUCT. You agree that you accept all responsibility for reversing or correcting any changes made by the SOFTWARE PRODUCT.
Does Malwarebytes Anti-Malware (MBAM) detect RegClean Pro?
We detect the RegClean Pro installer as PUP.Optional.RegCleanerPro. We detect its other component files as PUP.Optional.RegCleanPro. You may refer to our forum page in case you’re interested in knowing what these component files are and other technical details.
Conclusion
Systweak, the India-based developer of RegClean Pro, boasts of being a Microsoft Gold Partner. Some dodgy companies do this, too, but in Systweak’s case, they indeed are an MS Gold Partner. For some users, a partnership with a tech giant is enough to convince them to try out third-party software. Consumers expect quality products and services because of this. In the end, however, many are let down, realizing that what they get is a PUP.
We have reported this company to Microsoft so they can open an investigation and hopefully consider revoking Systweak’s Gold partnership status.
As for registry cleaners, we generally consider them digital snake oil, so I wouldn’t touch one with a barge pole if I were you.
Jovi Umawing (Thanks to Pieter for the assist)
Nice effort Jovi! But Systweak has changed everything since last 2 years and the build you have used is not the latest one downloaded from the website. This is a build that was in place maybe years back. If you want to provide true information to the users, pick the latest one.
I just double checked of what you have mentioned here and what their current app look like!
So you mentioned right! There is a miss out here..but from your side 😉
Has this become a practice of Malwarebytes to keep cribbing and sending false information to the user?
This is not just the first time i have come across a lie from this blog.
I have been using this product personally. whatever you have written makes no sense.
Please stop providing misleading information.
Please clean your products first; they are nothing but a bunch of useless packs for which you charge a whopping amount.
1. Your one-comment Disqus account was created specifically to post on this blog, yet you called yourself “Marc” instead of your actual name which appears to be Manish, registered to a Systweak(dot)com email address.
Manish is listed online as the VP of Systweak.
https://blog.malwarebytes.com/wp-content/uploads/2016/08/marc.jpg
Why the alias?
To an onlooker, it could appear that you’re an impartial 3rd party commenting on someone else’s product. Readers might assume you’re a paying customer, happy with the product / service. One would hope the above post, which to the uninitiated looks like a comment from someone unaffiliated with Systweak while cheering them on, doesn’t similarly reinforce that notion.
And yet:
“and what their current app look like”
“Their”? Don’t you mean “yours”?
2. “Systweak has changed everything since last 2 years and the build you have used is not the latest one downloaded from the website. This is a build that was in place maybe years back”
We write about whatever happens to be of interest and / or in circulation at time of writing, based on our detections. How old a file is may not be a concern depending on if it is being downloaded / installed on PCs. For example, the above file was uploaded to VirusTotal a week ago by one of their contributors:
https://www.virustotal.com/en/file/631e469541be651304fb5a3943cce73063991bd97b998ed32c8e38b62aedf5a7/analysis/1469714858/
It also shows up in a number of Sandbox scans / related online. There’s no reason not to cover it, regardless of version / age / anything else – we’re not responsible for what others are distributing across the web. For example:
3. The version number of the file analysed is 6(dot)21(dot)0(dot)0:
https://blog.malwarebytes.com/wp-content/uploads/2016/07/regclean-pro-file.png
We downloaded the program again on the 1st August. The program icon has changed; the version number has not, and is still listed as 6(dot)21(dot)0(dot)0:
https://blog.malwarebytes.com/wp-content/uploads/2016/08/trialRGPsetup.png
Just yesterday, one of our researchers came across yet another version offered from a bundle across roughly 50% of installs which cites a copyright notice from 2011:
https://www.virustotal.com/en/file/99343d7be59bc75593a29cc2ce0b23fee5d5f14b261829b6807edf24951716fc/analysis/
https://blog.malwarebytes.com/wp-content/uploads/2016/08/bundle-RCversion.png
Alongside these, there are additional version numbers on the Register Now panels, such as 6(dot)21(dot)65(dot)62.
We can only pass comment on what we’re seeing online, which is precisely what we’ve done in this case. The only real way to ensure something isn’t covered is to not offer it as a download in the first place.
4. While writing this response, I notice the following has been posted:
https://blog.malwarebytes.com/wp-content/uploads/2016/08/sarah.jpg
I’ll repost the most notable portions, in case it falls foul of the Banhammer. Should the author wish to respond, they can do it from this comment thread:
“This is not just the first time i have come across a lie from this blog”
Please list them.
“I have been using this product personally. whatever you have written makes no sense.
Please stop providing misleading information”
This comment comes from an IP address flagged in relation to posts from someone listed on Linkedin as the SEO Executive at Systweak Software http://bit.ly/2aRXQ3r
I’m not a gambling man, but the odds of that happening by chance are rather remote.
The odds of me replying to further comments, and applying bans / deletions should any be required, are very good indeed.
I have removed this regclean malware from many, many computers. Seems like it’s always consuming resources and offering nothing beneficial in return.
Fortunately, all the decent junkware tools identify it and fully remove it.