1 of 4
Danger level 7
Type: Rogue Anti-Spyware
Common infection symptoms:
  • Slow Computer
  • Annoying Pop-up's
  • Normal system programs crash immediatelly
  • Connects to the internet without permission
  • Changes background
  • Installs itself without permissions

Registry Cleaner

Fake registry cleaners are one of malware categories, and the latest registry cleaner is named Registry Cleaner, which is also known as Pcobserver registry cleaner. The names of the threat vary because of the threat's sources and publishers; hence, different names are used. A few year ago, computer users were viciously attacked by multiple fake system antivirus programs, and fake registry cleaners were detected from time to time. The purposes of such fake scanners differ. For example, they may be aimed at making the end user to purchase the so-called full version of the deceptive program. Moreover, such fake system or registry scanners may be used as channels for more dangerous malware threats. Fake scanners such as Registry Cleaner should be removed from the computer as soon as possible as they do not improve the overall performance but only use system recourses and impairs the user's experience.

Visually, the Registry Cleaner malware resembles a harmless desktop program, as it offers a list of possible functions. However, all those attractive operations should be disregarded as Registry Cleaner has nothing to do with registry cleaning. Another important thing that should arouse your suspicion is that it is impossible to move the program around; it can be either closed, or minimized. More important, this piece of malware drops an additional infection that locks the screen, that is, it disables the explorer.exe process. As a result, users are incapable of accessing their files and folders through the desktop. Additionally, the malicious infection uses the Command Prompt application for disabling the Task Manager (Taskmgr.exe) and turning the ESC key into a TAB key. On top of that, the screenlocker allows a remote attacker to access the infected computer through an Internet browser powered by a tool enabling remote access. Such malware threats should be removed immediately because they can send more malware to the victimized computer or steal valuable data.

Similarly to fake antivirus programs which are supposedly registered with registration keys, the screenlocker distributed by the Registry Cleaner malware can be unlocked with a specific code. In order to regain access to the desktop, which means restarting explorer.exe that is responsible for interface features of the operating system, use the code given below:


Once the code is used, a prompt table is displayed with the following text:

Closing of the registration form is not allowed

Click OK to end the processed of the screenlocker.

After disabling the screenlocker distributed by theRegistry Cleaner malware, its files remain within the system, meaning that the system remains infected. For this reason, it is worth considering installing an antimalware program that can detect and remove malicious files.

When browsing the Internet, you may not suspect that your operating system is being attacked by malware. For example, Rogue.RegistryCleaner is known to have been distributed by registrycleaner.online/download-now. The same program can also be bundled with freeware. An unwanted program can be installed as an additional program alongside other desktop programs or browsers extensions. Hence, it is essential to pay close attention to the information displayed by software installers. There are many cases when software installers give no information about bundled programs, which results in surreptitious installation. The consequences depend on how complex the malware is; nevertheless, such incidents should be avoided to prevent data losses and system malfunctions.

The analysis of Registry Cleaner and the screenlocker has revealed that it is possible to uninstall the fake rogue cleaner, but some undesirable files related to the infection remain within the system. Below you will find our instructions that should help you remove the Registry Cleaner infection, but fact that some other unwanted files may still reside within the operating system should be taken into consideration.

Due to the fact that the Registry Cleaner malware can be powered to download more dangerous files, it is highly advisable to rely on a powerful security tool. If you find manual removal too difficult for you, use an antimalware program that can remove Registry Cleaner and other types of malware, including Trojan horses, ransomware, spyware, adware, and other undesirable programs that can easily get onto unprotected computers.

How to remove Registry Cleaner

  1. Press the Windows key on the keyboard (Windows 8) and start typing Uninstall a program (Windows 8) or open the Start menu and go to Control Panel > Uninstall a program (Windows XP/7/Vista). For Windows 10, type in Uninstall a program in the search box in the Task bar.
  2. Uninstall Pcobserver or Registry Cleaner and close the window.
  3. Press Win+R and type in AppData and click OK.
  4. Delete the folder named Registry Cleaner or Pcobserver.
  5. Press Win+R and type in regedit and click OK.
  6. For the malware named Registry Cleaner, delete the following registry keys:
    • HKLM\SOFTWARE\Microsoft\Tracing\RegistryCleaner_RASMANCS
    • HKLM\SOFTWARE\Microsoft\Tracing\RegistryCleaner_RASAPI32
    • HKCU\SOFTWARE\Registry Cleaner\Registry Cleaner
  7. For the malware named Pcobserver, delete these registry keys:
    • HKCU\SOFTWARE\DIS\Pcobserver
    • HKLM\SOFTWARE\Microsoft\Tracing\Pcobserver_RASMANCS
    • HKLM\SOFTWARE\Microsoft\Tracing\Pcobserver_RASAPI32
Download Spyware Removal Tool to Remove* Registry Cleaner
  • Quick & tested solution for Registry Cleaner removal.
  • 100% Free Scan for Windows

How to manually remove Registry Cleaner

Files associated with Registry Cleaner infection:

Registry Cleaner.lnk

Remove Registry Cleaner registry entries:

Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Registry Cleaner

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.