Windows Expert Series

Windows Expert Series Description

Type: Browser Hijackers

ScreenshotWindows Expert Series is not a real anti-spyware program, despite the fact that its appearance seems to indicate the contrary. Windows Expert Series is in fact part of a malware attack involving multiple components. Windows Expert Series in particular is part of a family of malware known as FakeVimes. This family of malware, active since 2009, had been in decline until the end of 2011. However, since early 2012, ESG security researchers have observed a strong comeback of FakeVimes-related malware. This is greatly due to the fact that criminals have started including rootkits in the FakeVimes family members such as Windows Expert Series, in malware attacks involving the ZeroAccess or Sirefef family of rootkits. This rootkit component makes Windows Expert Series and its clones considerably more difficult to remove than earlier versions of FakeVimes. ESG security researchers recommend dealing with a Windows Expert Series with the help of a program capable of removing rootkits and similar malware infections.

ESG security researchers have observed dozens of clones of Windows Expert Series, with new malware in this family being released nearly daily since early 2012. Examples of malware identical to Windows Expert Series include fake security applications such as Virus Melt, Presto TuneUp, Fast Antivirus 2009, Extra Antivirus, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, PC Live Guard, Live PC Care, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus, Smart Security, Windows Protection Suite, Windows Work Catalyst.

All of these are variants of the FakeVimes family that also contain its associated malicious rootkit component. These programs are all essentially the same, carrying out variants on the same scam. Basically, Windows Expert Series and its clones will pretend to be real anti-spyware programs and try to scare the victim claiming that their computer is severely infected with malware. However, this is all a scam designed to convince victims to purchase an expensive, and useless, security upgrade.

The main point to remember is that Windows Expert Series is not a real security program. Because of this, ESG security researchers recommend ignoring all error messages and claims made by Windows Expert Series. You can use the registration code 0W000-000B0-00T00-E0020 to make Windows Expert Series stop displaying irritating error messages and causing browser redirects. However, this will not remove Windows Expert Series. To remove this fake security program completely, you will need to use a strong, reliable, fully-updated anti-malware application with anti-rootkit capabilities.ScreenshotScreenshotScreenshotScreenshotScreenshotScreenshotScreenshotScreenshotScreenshotScreenshotScreenshot


10 security vendors flagged this file as malicious.

Anti-Virus Software Detection
Kaspersky HEUR:Trojan.Win32.Generic
Panda Trj/CI.A
AVG Generic28.CCSR
Fortinet W32/FakeAV.AT!tr
Ikarus Win32.Kryptik
GData Win32:Kryptik-JCX
Kaspersky Trojan.Win32.Jorik.Fraud.qrr
Avast Win32:Kryptik-JCX [Trj]
NOD32 a variant of Win32/Kryptik.AHJP

Technical Information

Screenshots & Other Imagery

Windows Expert Series Video

Tip: Turn your sound ON and watch the video in Full Screen mode.

File System Details

Windows Expert Series creates the following file(s):
# File Name Detection Count
1 %AppData%\Protector-[RANDOM 4 CHARACTERS].exe N/A
2 %AppData%\Protector-[RANDOM 3 CHARACTERS].exe N/A
3 %AppData%\NPSWF32.dll N/A
4 %AppData%\W34r34mt5h21ef.dat N/A
5 %Desktop%\Windows Expert Series.lnk N/A
6 %CommonStartMenu%\Programs\Windows Expert Series.lnk N/A
7 %AppData%\result.db N/A

Registry Details

Windows Expert Series creates the following registry entry or registry entries:
Registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = "2012-4-27_2"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[RANDOM CHARACTERS].exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = "tovvhgxtud"

More Details on Windows Expert Series

The following messages associated with Windows Expert Series were found:
Attempt to modify registry key entries detected. Registry entry analysis is recommended.
Attempt to run a potentially dangerous script detected.
Full system scan is highly recommended.
Keylogger activity detected. System information security is at risk.
It is recommended to activate protection and run a full system scan.

Site Disclaimer is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.