
Pcobserver

Posted: April 11, 2017

Threat Metric

Threat Level: 8/10
Infected PCs: 609
First Seen: April 11, 2017
Last Seen: April 15, 2022
OS(es) Affected: Windows

Pcobserver is a rogue Registry cleaner that pretends to fix errors with the system's Windows Registry entries. The program's real features include blocking your screen, delivering inaccurate security information, disabling essential Windows features, and modifying your keyboard input. Although this threat resembles a legitimate product, malware experts recommend that all users uninstall Pcobserver with appropriate anti-malware tools under the assumption that it represents a danger to your PC's security.

Observing the Troubles of Faking Registry Problems

Many hoax-based threats are content with displaying pop-ups that mislead their victims with fake warning messages. For others, however, the threat actor strives to validate their fraud by causing various problems for the compromised PC. At a minimum, these issues can include screen-blocking behavior, such as what malware analysts are seeing with the rogue Registry cleaner Pcobserver. However, any prolonged exposure quickly shows additional issues with this fake product.

Pcobserver may install itself in bundles with other, third-party software on torrents and freeware downloading websites. Pcobserver includes a standard installation routine, but afterward, it begins displaying fake Registry errors using a template resembling the results of a real Registry scanner. Malware experts also verify symptoms with Pcobserver that are more concerning than those fictitious Registry entries, including:

  • One component of Pcobserver, WMPNewtworksSvcx.exe (which its threat actors are naming to resemble a default Windows component), can download and launch a screen-locker module that imitates the Windows login screen. However, instead of the standard login information, the victim sees fake security alerts about 'suspicious activity' on the network. The same alert may also promote phone numbers or other methods of contacting a con artist who pretends to be part of Microsoft's technical support team.
  • You also may be unable to launch the Windows Task Manager, which victims could, theoretically, use to disable Pcobserver or its screen-locking window.
  • As its final interference, Pcobserver also intercepts any Escape key input and forces the system to interpret it as the Tab key.
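
As an added illustration of the lookalike naming in the first bullet (this is not code from the original entry), the following Python code flags process names that nearly match a genuine Windows component name without equaling it. The reference list, the edit-distance threshold, the sample process list, and the choice of WMPNetworkSvc as the imitated name are assumptions made for the example.

```python
# Added example: flag process names that nearly match, but do not equal,
# a known Windows component name (the masquerading trick described above).

# Assumption: reference names chosen for illustration; WMPNetworkSvc is the
# Windows Media Player Network Sharing Service (binary wmpnetwk.exe).
KNOWN_COMPONENTS = ["WMPNetworkSvc", "wmpnetwk.exe", "svchost.exe",
                    "lsass.exe", "explorer.exe", "winlogon.exe", "Taskmgr.exe"]

def normalize(name):
    """Lowercase and drop a trailing .exe so service and file names compare."""
    name = name.strip().lower()
    return name[:-4] if name.endswith(".exe") else name

def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def find_lookalikes(process_names, known=KNOWN_COMPONENTS):
    """Return (process, imitated_name, distance) for near-miss names."""
    known_norm = {normalize(k): k for k in known}
    hits = []
    for proc in process_names:
        p = normalize(proc)
        if p in known_norm:          # exact match: the genuine name
            continue
        best = min(known_norm, key=lambda k: edit_distance(p, k))
        dist = edit_distance(p, best)
        # Assumed threshold: tolerate edits up to a third of the real name.
        if dist <= max(1, len(best) // 3):
            hits.append((proc, known_norm[best], dist))
    return hits

# Constructed sample process list (not captured from a real system).
SAMPLE = ["svchost.exe", "explorer.exe", "WMPNewtworksSvcx.exe",
          "chrome.exe", "lsass.exe"]

if __name__ == "__main__":
    for proc, real, dist in find_lookalikes(SAMPLE):
        print(f"{proc}: resembles {real} (edit distance {dist})")
```

A name-only match is a triage signal, so any hit still needs its file path and signature checked before it is treated as malicious.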

Serving Yourself a Clean Getaway from a Dirty Registry Scanner

Just like its Web browser-based counterpart, Pcobserver uses Windows alerts to convince the victim to perform acts that could harm their finances or computer further, such as buying a 'full version' of its scamware or giving RDP access to a remote attacker. However, as a scamware that you install deliberately, Pcobserver can cause greater issues than pop-up attacks, including blocking your ability to access other applications integral to the safety of your PC. Fortunately, Pcobserver's threat actors chose to use a hard-coded unlock combination for their screen-locking module. Any victim can regain screen access with the code '8716098676542789'.

If you believe that you've given a remote attacker access to your PC or installed software that a fake support technician recommends, reboot your computer with all Internet connectivity disabled. Most anti-malware products include various forms of protection against backdoor Trojans, rootkits, and other threats that could give hackers access to a compromised system. You also may wish to reset all settings related to your firewall and networking communications. Always delete Pcobserver with the same, dedicated anti-malware tools you would use for removing threats with similar capabilities, such as the WinWebSec family of scamware.

Pcobserver's authors can only profit by pretending to be something they're not and forcing users into paying for unneeded products and services. Even a few minutes learning about standard behavior for the Windows OS and Registry-cleaning applications can be helpful for spotting scamware like Pcobserver from miles away.