Windows Expert Series Description
Windows Expert Series is not a real anti-spyware program, despite an appearance that suggests otherwise. It is one component of a multi-part malware attack and belongs to a family of malware known as FakeVimes. This family, active since 2009, had been in decline until the end of 2011. However, since early 2012, ESG security researchers have observed a strong comeback of FakeVimes-related malware. This is largely because criminals have started bundling FakeVimes malware, such as Windows Expert Series, into attacks that involve the ZeroAccess or Sirefef family of rootkits. The rootkit component makes Windows Expert Series and its clones considerably more difficult to remove than earlier versions of FakeVimes. ESG security researchers recommend dealing with a Windows Expert Series infection with the help of a program capable of removing rootkits and similar malware infections.
ESG security researchers have observed dozens of clones of Windows Expert Series, with new malware in this family being released nearly daily since early 2012. Examples of malware identical to Windows Expert Series include fake security applications such as Windows Virus Hunter, Windows Web Commander, and Windows Interactive Security. All of these are variants of the FakeVimes family that also contain its associated malicious rootkit component. These programs are all essentially the same and carry out variants of the same scam. Windows Expert Series and its clones pretend to be real anti-spyware programs and try to scare the victim by claiming that the computer is severely infected with malware. However, this is all a scam designed to convince victims to purchase an expensive, and useless, security upgrade.
The main point to remember is that Windows Expert Series is not a real security program. Because of this, ESG security researchers recommend ignoring all error messages and claims made by Windows Expert Series. You can use the registration code 0W000-000B0-00T00-E0020 to make Windows Expert Series stop displaying irritating error messages and causing browser redirects. However, this will not remove Windows Expert Series. To remove this fake security program completely, you will need to use a strong, reliable, fully-updated anti-malware application with anti-rootkit capabilities.
Type: Rogue AntiSpyware Programs
Windows Expert Series Technical Report
As new Windows Expert Series details are reported by our customers and findings from our Threat Research Center, we will update this section.
Fake message for Windows Expert Series:
The following fake error messages are displayed by Windows Expert Series:
- Keylogger activity detected. System information security is at risk. It is recommended to activate protection and run a full system scan.
- Attempt to run a potentially dangerous script detected. Full system scan is highly recommended.
- Attempt to modify registry key entries detected. Registry entry analysis is recommended.
Windows Expert Series Removal Details
Windows Expert Series typically runs the following processes in memory:
- %AppData%\Protector-[RANDOM 4 CHARACTERS].exe
- %AppData%\Protector-[RANDOM 3 CHARACTERS].exe
Windows Expert Series creates the following files in the system:
- %Desktop%\Windows Expert Series.lnk
- %CommonStartMenu%\Programs\Windows Expert Series.lnk
Windows Expert Series creates the following registry entries:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = “2012-4-27_2”
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[RANDOM CHARACTERS].exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “tovvhgxtud”
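A triage check built from a subset of the indicators listed above, as an added example that is not ESG's code. It assumes the input is saved text output of `reg query` plus a list of running process image paths; the function names and sample data are hypothetical, and the "random characters" in the process name are assumed to be alphanumeric.

```python
import re

# (key suffix, value name, data) from the registry list above; None = any data.
REG_INDICATORS = [
    (r"\currentversion\policies\system", "enablelua", 0),
    (r"\currentversion\policies\system", "consentpromptbehavioradmin", 0),
    (r"\currentversion\policies\system", "consentpromptbehavioruser", 0),
    (r"\currentversion\internet settings", "warnonhttpstohttpredirect", 0),
    (r"\currentversion\run", "inspector", None),
]
# Protector-[3 or 4 random characters].exe; characters assumed alphanumeric.
PROTECTOR_RE = re.compile(r"\\Protector-[A-Za-z0-9]{3,4}\.exe$", re.I)

def parse_reg_query(text):
    """Yield (key, value name, data) from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line and not line[0].isspace():    # unindented line = key path
            key = line.strip().lower()
        elif key and line.strip():
            parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
            if len(parts) == 3:               # name, type, data
                yield key, parts[0].lower(), parts[2]

def matches(data, wanted):
    """None accepts any data; otherwise compare a 0x... DWORD to the wanted int."""
    if wanted is None:
        return True
    return bool(re.fullmatch(r"0x[0-9a-fA-F]+", data)) and int(data, 16) == wanted

def find_registry_hits(text):
    return [(key, name, data)
            for key, name, data in parse_reg_query(text)
            for suffix, ind_name, wanted in REG_INDICATORS
            if key.endswith(suffix) and name == ind_name and matches(data, wanted)]

def find_process_hits(paths):
    return [p for p in paths if PROTECTOR_RE.search(p)]

# Constructed sample input, not taken from a real host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system
    EnableLUA    REG_DWORD    0x0
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Inspector    REG_SZ    C:\Users\test\AppData\Roaming\Protector-abcd.exe
    OneDrive    REG_SZ    C:\Program Files\OneDrive\OneDrive.exe
"""
SAMPLE_PROCS = [r"C:\Users\test\AppData\Roaming\Protector-xyz.exe",
                r"C:\Windows\System32\svchost.exe"]
```

A hit on a single policy value can also come from an administrator's own configuration, so treat the combination of the Run entry, the weakened UAC values and a matching process name as the stronger signal.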