Windows Expert Series

Threat Scorecard

Ranking: 16,398
Threat Level: 50 % (Medium)
Infected Computers: 244
First Seen: July 6, 2012
Last Seen: July 10, 2023
OS(es) Affected: Windows

Windows Expert Series Image

Windows Expert Series is not a real anti-spyware program, despite the fact that its appearance seems to indicate the contrary. Windows Expert Series is in fact part of a malware attack involving multiple components. Windows Expert Series in particular is part of a family of malware known as FakeVimes. This family of malware, active since 2009, had been in decline until the end of 2011. However, since early 2012, ESG security researchers have observed a strong comeback of FakeVimes-related malware. This is greatly due to the fact that criminals have started including rootkits in the FakeVimes family members such as Windows Expert Series, in malware attacks involving the ZeroAccess or Sirefef family of rootkits. This rootkit component makes Windows Expert Series and its clones considerably more difficult to remove than earlier versions of FakeVimes. ESG security researchers recommend dealing with a Windows Expert Series with the help of a program capable of removing rootkits and similar malware infections.

ESG security researchers have observed dozens of clones of Windows Expert Series, with new malware in this family being released nearly daily since early 2012. Examples of malware identical to Windows Expert Series include fake security applications such as Virus Melt, Presto TuneUp, Fast Antivirus 2009, Extra Antivirus, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, PC Live Guard, Live PC Care, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus, Smart Security, Windows Protection Suite, Windows Work Catalyst.

All of these are variants of the FakeVimes family that also contain its associated malicious rootkit component. These programs are all essentially the same, carrying out variants on the same scam. Basically, Windows Expert Series and its clones will pretend to be real anti-spyware programs and try to scare the victim claiming that their computer is severely infected with malware. However, this is all a scam designed to convince victims to purchase an expensive, and useless, security upgrade.

The main point to remember is that Windows Expert Series is not a real security program. Because of this, ESG security researchers recommend ignoring all error messages and claims made by Windows Expert Series. You can use the registration code 0W000-000B0-00T00-E0020 to make Windows Expert Series stop displaying irritating error messages and causing browser redirects. However, this will not remove Windows Expert Series. To remove this fake security program completely, you will need to use a strong, reliable, fully-updated anti-malware application with anti-rootkit capabilities.ScreenshotScreenshotScreenshotScreenshotScreenshotScreenshotScreenshotScreenshotScreenshotScreenshotScreenshot

Aliases

10 security vendors flagged this file as malicious.

Anti-Virus Software Detection
Kaspersky HEUR:Trojan.Win32.Generic
Panda Trj/CI.A
AVG Generic28.CCSR
Fortinet W32/FakeAV.AT!tr
Ikarus Win32.Kryptik
GData Win32:Kryptik-JCX
TrendMicro TROJ_FAKEAV.SMVP
Kaspersky Trojan.Win32.Jorik.Fraud.qrr
Avast Win32:Kryptik-JCX [Trj]
NOD32 a variant of Win32/Kryptik.AHJP

Windows Expert Series Video

Tip: Turn your sound ON and watch the video in Full Screen mode.

File System Details

Windows Expert Series may create the following file(s):
# File Name Detections
1. %AppData%\Protector-[RANDOM 4 CHARACTERS].exe
2. %AppData%\Protector-[RANDOM 3 CHARACTERS].exe
3. %AppData%\NPSWF32.dll
4. %AppData%\W34r34mt5h21ef.dat
5. %Desktop%\Windows Expert Series.lnk
6. %CommonStartMenu%\Programs\Windows Expert Series.lnk
7. %AppData%\result.db

Registry Details

Windows Expert Series may create the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = "2012-4-27_2"
HKEY_CURRENT_USER\Software\ASProtect
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[RANDOM CHARACTERS].exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = "tovvhgxtud"

URLs

Windows Expert Series may call the following URLs:

https://search.private-search.xyz/chrome

Messages

The following messages associated with Windows Expert Series were found:

Error
Attempt to modify registry key entries detected. Registry entry analysis is recommended.
Error
Attempt to run a potentially dangerous script detected.
Full system scan is highly recommended.
Error
Keylogger activity detected. System information security is at risk.
It is recommended to activate protection and run a full system scan.

Trending

Most Viewed

Loading...